Directly Elevation of Privilege using mysql injection points

From: 90 sacret Team Information Security Team
 
The method I provided is relatively harsh, but it is a way of thinking that may help you when your intrusion is blocked. Let's take a look at the requirements of this injection point:
 
 
 
1. magic_quote is off
2. You can write files. It is best to have the write permission for any directory.
3. It is best to have the permission to read files, but if you do not have the permission
4. the injection point must be POST (in this way, a post128KB file can be created at a time)
I will explain in detail why these conditions are required. Let's talk about my ideas first. We all know that mysql can also write files, however, you may want to write a shell. In fact, you can also consider writing a file of other types, such as exe and dll, here, my idea is to raise the right through dll. First, we will introduce a Rices Writing Tool: T00ls Lpk Sethc. Simply put, the dll file generated by this tool is placed in a directory with an exe file. After the exe file is executed, the system will be installed with the sethc backdoor, for the specific usage of this tool, you can Baidu. I just want to write this lpk. dll file to a directory with an exe through the dumpfile method of mysql. After this exe is executed, we will be able to escalate the permission. This is why we need to set magic_quote_gpc to OFF, because we can write files, and the more directories that can be written, the higher the success rate naturally. Why read permission? Because we do not know the structure of the target website or where the exe file exists, we can first read sensitive files in the installation directories of some common programs, for example, default in localization of Navicat. loc file. If we read this file, we can basically determine the Navicat directory, and then write the dll file, the probability of success will be higher. Why is POST required? Although this dll is not large, it is much larger than the GET size, so it must be a POST injection point. Now, let's get started with the basic information. -
First, construct an injection point locally. The first thing we need to do is to get the hexadecimal form of the dll file. This can be done locally. I use navicat with mysql, first open navicat, connect to mysql, open any database, and then select "query
 
Then we enter the command: "select hex (load_file ('f:/lpk. dll ') into outfile 'f:/xxoo.txt'; "f:/lpk. dll is the location of the dll file, followed by the file output in hexadecimal mode. After the installation is complete, go to disk F and check that a xxoo text file is generated, which is kb in size. Although it has increased a lot, it is still in the security range (KB). Let's continue, the following is the injection point. The injection point of the local structure is:
Http: // www.2cto.com/1.php? Id = 1
Try it in Pangolin.
 
POST injection. The value of magic_quote_gpc is off. Let's take a look at the number of fields. We can use order by to obtain them. For example, if I am a lazy person, I will directly look at the source code. Here is the sentence: "$ SQL =" select username, password from admin where id = $ id ";" The number of fields is 2. The next step is injection. here we need to write a simple html file for submission. After all, the hexadecimal character file contains kb. The written html code is:
<Form action = http://www.bkjia.com/1.php method = post>
<Textarea name = id cols = 120 rows = 10 width = 45> binary code of the lpk </textarea> <BR> <center> <br>
<Input type = submit value = submit
 
The following code is written:
1 and 1 = 2 union select unhex ('********'), "into dumpfile 'f:/Navicat Premium V8.2.19/Navicat 8.2.12/Navicat 8.2.12
In Unhex, The hexadecimal format of the lpk is used. Note that there are two single quotation marks after unhex to avoid extra characters and damage the dll file. Then we click submit and go to the directory to view it. We found that the lpk was already quietly lying there. In this way, we can run Navicat without any operation. Let's call up sethc, press A + B, and then enter 123
 
At this point, our backdoor is successfully installed.
The Elevation of Privilege in this method requires more stringent conditions and a little luck. However, intrusion is like this. Learning more than one method will lead to an intrusion.