- Obtain access to a MySQL database
- The database user has privileges (including the FILE privilege)
- The MySQL database is running on a Windows Server 2003 OS
- We cannot compile a UDF (User Defined Function) to allow command execution via MySQL, as we have no shell access, only access to the database
What do we need to do? We need to move from the database to the OS. We need to compromise Windows accounts...
How are we going to do this?
Using the help of a Chinese site that no longer seems to be up (...weird?), and quite a bit of googling, I found a way to pull binary files (most importantly the SAM and SYSTEM backup files) from the underlying OS using MySQL's built-in load_file() function.
Here are the steps:
- Convert the binary file to hex
- Pull it off the machine using the database's load_file() function
- Save it to a local file
- Convert the hex back into binary
- Yank the hashes out of your perfectly good SAM file
First we need to verify that we have FILE privileges on the target machine:
Now let's see if the machine has the backups of the SAM and SYSTEM files. On Windows XP/2003, the backup files are in C:\windows\repair\.
If you can get to these files, you will see a bunch of junk output to the screen. Once the query finishes, it will look something like this:
So what? We can load the garbled data of the binary file into mysql right? Wrong.
First we need to modify our select statement to return the file contents as hex. We will do this with MySQL's hex() function:
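The load_file() and hex(load_file()) queries above are exactly the artifact a defender can hunt for. As an added example, not code from the original post, here is a small Python scanner that walks a MySQL general-query-log excerpt, attributes every LOAD_FILE() call to the user who opened that connection thread, and raises an alert when the requested path is one of the SAM or SYSTEM hive locations. The log excerpt is constructed for the example (its column layout is a simplified version of the classic 5.x general log), and the hive path list is an assumption you would extend for your own environment.

```python
"""Scan MySQL general-query-log lines for LOAD_FILE() reads of Windows
registry hives (the C:\\windows\\repair\\ SAM/SYSTEM backups and the live
hives under system32\\config).

Added defender-side example; the log excerpt below is constructed, not a
real capture, and follows a simplified version of the classic 5.x layout
("<date> <time> <thread id> <command> <argument>")."""
import re
from typing import Dict, List

# Constructed sample log. Backslashes appear doubled because that is how
# they are written inside a MySQL string literal.
SAMPLE_LOG = r"""
100311 14:02:17    7 Connect  webapp@10.0.0.5 on shop
100311 14:02:18    7 Query    SELECT id, name FROM products WHERE id = 42
100311 14:05:01    9 Connect  root@10.0.0.99 on
100311 14:05:02    9 Query    show variables like 'datadir'
100311 14:05:40    9 Query    select load_file('C:\\windows\\repair\\SAM')
100311 14:06:12    9 Query    SELECT HEX(LOAD_FILE('C:/windows/repair/SYSTEM'))
100311 14:07:30    9 Query    select hex(load_file("c:\\WINDOWS\\system32\\config\\SYSTEM"))
100311 14:09:00    7 Query    SELECT LOAD_FILE('/var/lib/mysql-files/banner.txt')
"""

LINE_RE = re.compile(r"^\s*(?:\d{6}\s+\d\d:\d\d:\d\d)?\s*(\d+)\s+(\w+)\s+(.*)$")
LOAD_FILE_RE = re.compile(r"load_file\s*\(\s*(['\"])(.*?)\1\s*\)", re.IGNORECASE)
HEX_WRAP_RE = re.compile(r"hex\s*\(\s*load_file", re.IGNORECASE)

# Hive locations worth alerting on (assumed list; extend for your estate).
SENSITIVE_SUFFIXES = (
    "/windows/repair/sam",
    "/windows/repair/system",
    "/system32/config/sam",
    "/system32/config/system",
)


def normalize_path(raw: str) -> str:
    """Collapse single/doubled backslashes and slashes to '/' and lowercase."""
    return re.sub(r"[\\/]+", "/", raw).lower()


def is_sensitive(path: str) -> bool:
    """True when a normalized path ends in one of the hive locations."""
    return any(path.endswith(s) for s in SENSITIVE_SUFFIXES)


def scan_general_log(text: str) -> List[Dict[str, object]]:
    """Return one finding per LOAD_FILE() call, attributed to the connecting user."""
    user_by_thread: Dict[str, str] = {}
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        thread, command, arg = m.groups()
        if command == "Connect":
            # Argument looks like "user@host on db"; keep the user@host part.
            user_by_thread[thread] = arg.split(" on", 1)[0].strip()
            continue
        if command != "Query":
            continue
        for lf in LOAD_FILE_RE.finditer(arg):
            path = normalize_path(lf.group(2))
            findings.append({
                "thread": thread,
                "user": user_by_thread.get(thread, "?"),
                "path": path,
                "sensitive": is_sensitive(path),
                "hex_wrapped": bool(HEX_WRAP_RE.search(arg)),
                "query": arg.strip(),
            })
    return findings


def alerts(findings: List[Dict[str, object]]) -> List[Dict[str, object]]:
    """Only the findings that touched a hive path."""
    return [f for f in findings if f["sensitive"]]


if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        flag = "ALERT" if f["sensitive"] else "info "
        print(f"{flag} thread={f['thread']} user={f['user']} "
              f"hex={f['hex_wrapped']} path={f['path']}")
```

The general log is costly to leave on in production, so the same logic is usually pointed at an audit-plugin log or a proxy capture instead. On the prevention side, the reads only succeed because the MySQL service account can open C:\windows\repair and the database user holds FILE: running MySQL under a low-privilege account, granting FILE to nobody who does not need it, and (on builds that support it) setting secure_file_priv so load_file() is confined to a single directory each remove a link in the chain.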
We also need to dump the results to a text file on our local system so that we can work with it. After some basic googling I made a quick python script to do this for me. You can find it here. *Note: you will need to edit my script.
Now that we have our hex-encoded SAM and SYSTEM files on our attacking machine we need to convert the file contents back into binary. I found an awesome perl script to do exactly that here (thanks Dr. Herong Yang :) ).
perl hex2bin.pl SAM.txt SAM
perl hex2bin.pl SYSTEM.txt SYSTEM
We should now have perfectly usable SAM and SYSTEM binary files. We can now try to pull the hashes with bkhive and samdump2 (there are other tools, like Cain, that can do this as well).
Now pass that hash, and if the admin has been lazy, you will be able to login.