MYSQL Privilege Escalation method ROOT Password search

From ice source s blog

I remember yesterday I intruded into a website named PHP + MYSQL.

The main site cannot go in! OK. Next to the next day, there is a next station. Of course, I think of Elevation of Privilege.

I have carefully read the following permissions: Only one E:/MYSQL5 and the website directory [supports PHP] can be viewed.

None of the other permissions are available. [I may not find a dish]

There is no way to think of my SQL data storage process when I was doing the website! Knowing'

Go to the E:/MYSQL5/DATA file and find the MYSQL folder.

[3] USER tables in the table are downloaded to the local device.

Install PHPMYADMIN in a local PHP + MYSQL Environment

In the local MYSQL directory, find the DATA/MYSQL directory and create a new directory: ICE

Put the downloaded USER in the MYSQL directory DATA/MYSQL/ICE directory [This is the directory we created]

Then, use the phpmyadmin root account to log on to the local my SQL management system so that we can see an additional database.

This is ICE. We can find in the ICE database that a USER is the name of the data we downloaded.

Then, enter and find the password of the ROOT account.

In this way, I can easily find the password of the ROOT account.

Then upload MYSQLbacldoor to the website directory to access/mysql. php

Write the password of the ROOT account and install BACKDOOR directly.

Haha success!

TIPS:

When we get the data, if PHP + MYSQL cannot escalate the permission, we can try the above method.

Any DATA can be downloaded locally and saved to the DATA directory under the MYSQL directory. Use the ROOT account to go To the MYSQL Management Console.

You can browse the data! In this way, security will not be managed and discovered!

You can also use this method to [directly copy the MYSQL/DATA/database you want to back up] During database backup.

Then paste the DATA to our backup directory and copy the backup DATA to MYSQL/DATA /.

When MYSQL is running, do not try to modify or delete the files in MYSQL/DATA/because they are in use!

Because it is not convenient to operate in Internet cafes, I will go home and give you a tutorial!

[As long as we find the MYSQL directory and MYSQL directory readable, we can find the ROOT account! If it is a virtual machine, it can be said that the harvest is huge.