Home >Database >Mysql Tutorial >A brief analysis of MysqlDoor function creation

A brief analysis of MysqlDoor function creation

高洛峰
高洛峰Original
2016-12-02 14:11:051208browse

Many times, we use mysqldoor to retain our server permissions, and sometimes we often use udf to escalate privileges. We often encounter this situation, Can’t open shared library ‘mysqlDll_1278197415.dll’.
The UDF privilege escalation tool written by Gushui Raocheng is used here. Figure 1.

A brief analysis of MysqlDoor function creation

First rule out several possibilities.

1. Killed by server-side anti-virus software.

2. The file is not written.

3. Because the file name generated by the script in the system32 directory is random, the program cannot find the file name.

1. I tested it locally and turned off the anti-virus software, so this situation does not exist and is ruled out.

2. Open the system32 directory, and the generated program lies quietly in the directory. Figure 2

A brief analysis of MysqlDoor function creation

1. Making the third assumption already eliminates the first two possibilities. Since we are afraid that the program is the problem, let's create it manually. (mysql5.0 or above does not support absolute paths, so it is generated under system32) Figure 3

A brief analysis of MysqlDoor function creation

Figure: 4

I went to Google for a while, but there is still no final answer on the Internet. It is better to just find one The article is the one about creating functions written by ninty. But after thinking about it for a while, I still didn’t understand it. Finally, I saw Wuming online. He has been in the PHP environment all year round and has a good understanding of MySQL.

After discussing with him, he gave the solution to the problem by placing the udf in the data directory in mysql. As shown in the picture: 5

A brief analysis of MysqlDoor function creation

He can succeed on his machine, but I just can't pass it. Finally, I used QQ to assist and let him operate my computer. In the end, I still couldn't get the answer, so I had to end it with a miracle.

In desperation, I went to the BK group for help. Ninty said it was a path problem. Later, I added Q and went remote, and it was solved. Finally, I finally understood his article, haha, don’t blame me here, I’ll sort out the information.


Before elevating privileges, confirm the mysql permissions. If it is version 4.0, use the path directly; if it is version 5.0, if it is not enough to put it in the system32 directory, just put it in data. If it is version 5.1, the operation will be more troublesome. Use


show variables like %plugin%;

A brief analysis of MysqlDoor function creation

as long as you put the file under this path, it can be executed successfully! But the prerequisite is that you must have directory creation permissions under the mysql directory.

A brief analysis of MysqlDoor function creation

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn