PHP injection MYSQL = SYSTEM permission

After studying the mysql Privilege Escalation problem, we can easily think of what if there is no password? Brute force cracking? You need luck! In fact, it is easy to combine php injection ~ Next, I will use php injection to demonstrate how to get started!

Find a site and its software download has the php injection vulnerability. Add a quotation mark to another vulnerability, and an error is reported. 1:

The website path is obtained ~, But our goal is to get the mysql password, which is usually in config. php. So we just need to expose the config. php content! The content of the php injection burst file is of course load_file (). However, load_file needs to know the complete path. Should we guess? Of course not. Let's first try to get an error in Figure 1, because these files generally have this statement: require ("Path of the included PHP file"), which generally includes config. php. Well, let me do it:

In the introduction location, good, we start reporting global. the php path first converts the absolute path to the hex format, and considers that the php file content is cracked. To avoid the failure to display all the file content after php Execution, we set <? Php……?> "?" Replace it with "@" to display all! How to replace it? We use this: replace (load_file (0x absolute path hexadecimal value), 0x 3F, 0x40)

Note: 0x3F corresponds to "?", 0x40 corresponds to "@". We submit:

Http://xxx.xxx.edu.cn/study/show.php? Id = 244% 20and % 201 = 2% 20 union % 20 select %, 11, replace (load_file (0x 443A 5C ...... Absolute path), 0x 3F, 0x40), 13,14, 15,16, 17,18, 19

We can see the path ~ of config. php ~. Okay, let's continue with the content, 4

See it ~, We get the mysql password!

Use tools in mysqlto connect to the other Party:

E: mysql> mysql-u root-h ip address of the other party-p

Upload the token script:

Mysql>. E: mysqlsysudf.dll.txt

Note that the paths of different systems are different. If it is a 2003 system, you 'd better export it to the c: windows directory. Otherwise, an error may occur ~

Here, as long as your dll file path is consistent with the previous one. However, note that because mysql escapes some characters, "\" must be used for all paths; otherwise, the export will fail!

Javascript: Resizepic (this) border = 0>

Javascript: Resizepic (this) border = 0>

Well, we have obtained the shell with the system permission (if you have any wrong command input, this sys_name function can be executed repeatedly, so don't worry, just try again !). However, the task has not been completed yet ~ Don't rush! We have not erased any trace! We have created two temporary tables for sysudf.dlland nc.exe: temp1 and temp3. We use drop table name to delete the table. Then we create the sys_name function. We use: drop function sys_name; to delete the function! Finally, show tables; to check whether all functions in mysql are cleaned up, and select * from func.