UDF Elevation of Privilege + serv-u + character without webshell

========================================================== ============
Prerequisites: weak mysql root Password
Objective: To obtain system Permissions
==========
1. Import the udf For Elevation of Privilege.
Because it is already the root of mysql, you must consider using udf to directly escalate permissions. Now the local virtual machine test is successful and then run to test the target machine. This is a security point. First, build the wamp environment on the virtual machine, and import the dll file to the windows directory by using a network horse that can successfully execute udf Elevation of Privilege. Copy the dll file. Of course, it is confirmed that this dll file can run normally.
Use the local client navicat to connect to the VM and enter the command line mode.
Select hex (load_file (0x433A5C6D7973716C444C4C2E646C6C) into dumpfile 'C: \ udf.txt ';
The hex in the middle is my dll path, that is, C: \ mysqlDLL. dll, (by the way, the difference between dumpfile and outfile. the outfile function will write a new line at the end of the row and escape the line break, causing the binary executable file to be damaged, the dumpfile function does not terminate any columns or rows, and does not execute any escape operations. Therefore, a complete executable file can be obtained. In this way, the dll can be converted into a hexadecimal system,

 



 

Then, import it to the windows directory.
Select Unhex ('xxxx') into dumpfile 'C: \ windows \ udf. dll ';
Xxxx is the one in udf. dll.

 

Then, create a function,

 

Error. 1124-No paths allowed for shared library
Baidu added google for a while and found that it was because the absolute path cannot be used after mysql5. the prompt also said that the dll does not allow the directory. I read the udf. the source code of the php net Trojan finds that no absolute path is used. After all, it is under the windows directory. dll can be recognized. Okay. Continue:

Another tragedy, 1126-Can't open shared library 'U. dll '(errno: 2)
Once again, I ran to Baidu and google, and finally found that after mysql 5.1, it was impossible to import the dll to the lib/plugin directory under the mysql installation directory, the execution of user-defined functions is allowed only in that directory. However, the installation directory of mysql does not have the lib directory. You need to create this directory by yourself. However, there are functions in mysql that allow us to create a directory. No matter what it is, try it locally. Create the/lib/plugin directory under the mysql installation directory.
Run show variables like '% plugin %' to obtain the installation directory.

 

Then:

OK. Create a function,

 

I found Nima succeeded.
Then, what do you do?

 
 

System permission,

However, this is all in the local YY. Although the target server is similar to the local server, Nima is still different. After all, it is hard to say whether there is a lib \ plugin directory.
When I followed the steps above to build the target machine, I found the directory, but it was a tragedy to execute the new function ..
Can't initialize function 'your shell'; UDFs are unavailable with the -- skip-grant-tables option
This error occurs when I found that the function was not initialized at a low level and the custom function was not supported at all. So, tragedy.

1. Export shell.
Since the permission cannot be directly raised, a webshell should be imported and the permission should be raised normally. By the way, the target is win2003 IIS6.0, which is supported by the php extension of IIS.
The first problem is the root directory. First, I used into outfile to import a pony into the C: \ inetpub \ wwwroot \ directory, and then accessed it directly by IP + pony, 404. tragedy, it seems not so good to guess,
Then, read the IIS configuration file to see if the directory can be found. Run loadfile to read c: \ windows \ system32 \ inetsrv \ MetaBase. xml. However, because the file is too long, it is stuck there and the execution is complete. Nothing. Give up. Www.2cto.com
I guess I tried to import D: \ www \ shell. php and found it was successful again. I was excited, but Nima still could not access it. It seems that this is not the main directory. Then import it to D: \ wwwroot \ shell. php. Nima succeeded again. I am confused, but I still cannot access it!

2. No way. You can't find the directory. If there is a serv-u 6.4 on the server, read the configuration file. The default configuration file is c: \ Program Files \ RhinoSoft.com \ Serv-U \ ServUDaemon. ini. If load_file fails, the returned result is null, that is, this file is not found. Then, replace c: \ Program Files \ Serv-U \ ServUDaemon. ini. Read the account and password of serv-u.
As for serv-u's encryption algorithms, we can use md5 to crack it. The attack broke out and the attack was successful. In load_file, ftp manages the website directory. Directly upload a pony and connect it with a kitchen knife. The access error is 403 forbidden. There are no more than 403 accesses in the browser. I don't know what's going on. I suspect the firewall has killed me. Because there is a dog on the server, a web firewall.
Then, upload the package to the next directory. OK. You can access it and cannot execute commands. You cannot customize the cmd path.

3. Elevation of Privilege: Now webshell has been obtained. The first thing to think of is the Local Elevation of Privilege of serv-u. This operation is simple and works well. After one click, check the package and prompt that the request is successfully revoked. The returned values are also correct. Next, I found that I couldn't connect to the server. I didn't know the user name. It seems that I was dumb and I didn't succeed. On another shell, it still does not work.
This cannot be achieved. Then I uploaded a sentence by using a Trojan, or prohibited access. You can't execute commands. Oh, tragedy. The Elevation of Privilege caused by local overflow cannot be used. Finally, let's go back to serv-u and suddenly think about whether the account we cracked has high permissions? Can I directly add a user using that account ?, Then run cmd to directly ftp xxx. xxx. xxx. xxx. After you enter your account and password to log in successfully, quote site exec net user admintest admin/add. Nima returns that the execution is successful, and it's a bit of fun. Continue to add management. And then 3389.

Okay. That's all.