I have been on vacation recently and have not written a blog post, but the last day is still fresh in my mind. Time really does pass quickly. Today I want to talk about database security.
For database security, first of all, important production databases must not be exposed on the public network. Once such a database is compromised the data is lost and the consequences are hard to imagine; if user passwords are stored in plaintext it is even worse. Last year, the user-data leaks at several large websites were caused by plaintext storage of users' passwords.
Second, weak database passwords are widespread. The cause of this problem is that the sa or DBA neglects security for the sake of convenience.
I had not intended to scan for a weak-password MySQL database today, but my topic begins with exactly such a database. First, log on to the database remotely. It is still the root user of the MySQL database with a weak password. Once inside the database, execute an SQL statement to view the IP address and the content of the /etc/passwd file.
[Screenshot: mysql.jpg]
The load_file() function is used here; of course, this function can be disabled. The information in /etc/passwd and the IP address are easily visible, and the content of other files can be read the same way.
Because load_file() only provides file-viewing functionality similar to the system command cat, executing system commands requires a UDF, that is, a User-Defined Function.
View MySQL's plugin directory. The plugin_dir path is /usr/lib/mysql/plugin.
[Screenshot: p1.jpg]
If plugin_dir is empty, as on the database server I encountered, it does not matter.
[Screenshot: p2.jpg]
Execute the following SQL statement to export the hexadecimal file content in udf.txt to /usr/lib/mysqludf.so.
[Screenshot: udf.jpg]
View the functions supported by this UDF library.
[Screenshot: pp.jpg]
Create a function and check that it was created successfully. You can see that a UDF named sys_eval has been created.
[Screenshot: 33.jpg]
Finally, use the UDF to execute functions with higher permissions.
[Screenshot: ha.jpg]
The rest is to use this UDF to obtain system permissions. The prompt indicates that nc can be used to bounce a shell back: execute nc -vv -l -p 12345 on your own host, and execute the SQL statement on the database.
[Screenshot: nc.jpg]
Then the Linux shell appears. However, the use of UDFs also has limitations: you need operation permissions on the mysql database, the mysql database must have a func table, and when skip-grant-tables is enabled, UDFs are disabled.
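The limitations just listed are also the points a DBA can audit. The following queries are an added example, not part of the original post, that check each precondition the walkthrough relies on (file I/O, plugin_dir, FILE privilege, remote root, empty passwords, the mysql.func table) and remove a rogue function; the sys_eval name comes from the post, while the /var/lib/mysql-files path is an assumption and the column names assume MySQL 5.7 or later.

```sql
-- Added audit example (not from the original post) for the preconditions
-- used above. Run as an administrative account on MySQL 5.7+.

-- 1. Is file I/O restricted? An empty value means load_file() and
--    SELECT ... INTO OUTFILE may write anywhere the mysqld user can;
--    NULL disables them entirely. Set secure_file_priv in my.cnf,
--    e.g. secure_file_priv = /var/lib/mysql-files (assumed path).
SHOW VARIABLES LIKE 'secure_file_priv';

-- 2. Where would a dropped UDF library have to land? plugin_dir should
--    exist and be writable only by root, not by the mysqld user.
SHOW VARIABLES LIKE 'plugin_dir';

-- 3. Accounts that can read or write server files at all.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- 4. root (or any account) reachable from outside localhost.
SELECT user, host FROM mysql.user
 WHERE host NOT IN ('localhost', '127.0.0.1', '::1');

-- 5. Accounts with no password set.
SELECT user, host FROM mysql.user
 WHERE authentication_string = '' OR authentication_string IS NULL;

-- 6. Registered UDFs. An entry such as sys_eval whose dl column points
--    at a library outside the normal plugin set indicates the technique above.
SELECT name, ret, dl, type FROM mysql.func;

-- 7. Is the server listening on a public interface? Prefer 127.0.0.1
--    unless remote access is genuinely required.
SHOW VARIABLES LIKE 'bind_address';

-- Remediation once a rogue function is confirmed: drop it, delete the
-- .so from the host, restart mysqld, rotate the root password, and
-- restrict root to localhost.
DROP FUNCTION IF EXISTS sys_eval;
RENAME USER 'root'@'%' TO 'root'@'localhost';
```

Queries 3 to 6 return no rows on a host that is not exposed to this technique; any row from query 6 that is not a plugin you installed deserves an incident response, not just a DROP.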
PS: mysqludf.so is an existing database file; udf.txt was generated from it with the following SQL statement.
mysql> select hex(load_file('/usr/lib/mysqludf.so')) into outfile '/tmp/udf.txt';
Query OK, 1 row affected (0.04 sec)
This article is from the "Old Xu's Private Food" blog and may not be reposted!