udf. dll in the php mention the right of the specific application-vulnerability warning-the black bar safety net

ID MYHACK58:62200925457
Type myhack58
Reporter 佚名
Modified 2009-11-30T00:00:00


A, function: using MYSQL custom function-again statement: the use of MYSQL UDFS providing the right to not be overflow, but MYSQL itself a function of the MYSQL account into the system with system privileges.

Second, applicable occasions: 1. The target system is a Windows(Win2000,XP,Win2003); 2.the You already have MYSQL a user account, this account must have the mysql insert, and delete privileges to create and discard functions(MYSQL documentation of the primitive) is.

Third, the use of help: The first step: the PHP file is uploaded to the target machine on, fill in your MYSQL account via the line connection.


Second step: after a successful connection, the export DLL file, when you export do not pay attention to the export path is generally the case for any directory writable, regardless of the permissions issues for MYSQL5. 0 or above version, you must move the DLL to export to the target machine's system directory(win or system32), otherwise in the next step you will see"No paths allowed for shared library"error.


Third step: use SQL statements to create the function function. Syntax: Create Function function name the function name can only be in the list below one of the returns string soname 'export DLL path'; for MYSQL5. 0 version above, the statement in the DLL is not allowed with the full path, if your in the second step has to be exported by the DLL to the system directory, then you can omit the path and the mission that often, otherwise you will see"Can't open shared library"error, then you must move the DLL to re-export to the system directory.


Fourth step: correct the CREATE FUNCTION, you can use SQL statement to use these functions. Syntax: select Create Function Name('parameter list'); each function has different parameters, you can use the select to create the function name('help'); to get the specified function's parameter list information.


Fourth, the function of the Function Description: cmdshell execute cmd; downloader Downloader,to Internet to download the specified file and saved to the specified directory; open3389 General open 3 3 8 9 Terminal Services,you can specify the port(do not change the port without restart); backshell bounce the Shell; ProcessView enumeration system processes; KillProcess terminates the specified process; regread to read registry; regwrite to write registry; shut shutdown,logoff,reboot; about Description with the help function;

Write registry function. select regwrite("HKEY_LOCAL_MACHINE","SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\the\Image File Execution Options\\sethc.exe","Debugger","REG_SZ","E:\\web\\170stock\\admin\\include\\explorer.exe");