Preface

undrop It's about mysql innodb Data recovery tools , By scanning files or disk devices , And then parse innodb The data page then recovers the lost data , about drop、truncate And file corruption are very helpful . In this paper, drop The recovery process of table structure after operation .

innodb Data dictionary Introduction
Before the recovery demonstration , First of all, I'll insert a paragraph innodb Introduction to data dictionary .

innodb The data dictionary is stored in the system table space , It is mainly used for recording innodb Core object information , Such as table 、 Indexes 、 Field etc. . The essence of a dictionary is REDUNDANT Row formatted innodb surface , And invisible to users .

For the convenience of users ,innodb Provides a series of dictionary views , The information provided by the view is exactly the same as the dictionary table , This part can be found in information_schema Find . as follows ,

mysql> use information_schema -A;
Database changed
mysql> show tables where Tables_in_information_schema like '%innodb_sys%';
+------------------------------+
| Tables_in_information_schema |
+------------------------------+
| INNODB_SYS_DATAFILES         |
| INNODB_SYS_VIRTUAL           |
| INNODB_SYS_INDEXES           |
| INNODB_SYS_TABLES            |
| INNODB_SYS_FIELDS            |
| INNODB_SYS_TABLESPACES       |
| INNODB_SYS_FOREIGN_COLS      |
| INNODB_SYS_COLUMNS           |
| INNODB_SYS_FOREIGN           |
| INNODB_SYS_TABLESTATS        |
+------------------------------+
10 rows in set (0.00 sec)

One 、mysql

Topic link ：https://adworld.xctf.org.cn/task/task_list?type=misc&number=1&grade=1&page=5

Title Description ： We are Mysql The database contains flag, But hackers have removed it . You can find it back flag Do you ？

Two 、 How to answer questions

1. Download the attachment

Find out mysql and sql Script

2. How to solve the problem

2.1 strings solution

strings ib_logfile0 | grep "flag"

Find out flag：71e55075163d5c6410c0d9eae499c977

2.2 Undrop for InnoDB solution

2.2.1 install

undrop-for-innodb stay github There are , The website is :https://github.com/twindb/undrop-for-innodb

Carry out orders

sudo apt install -y make gcc flex bison

perform make install ：

make

Here the deployment process is over , Here are some important files and directories ：

1. dictionary Catalog . Store the dictionary sql Script , Several core dictionary tables used to restore the table structure DDL sentence
2. sakila Catalog . test schema
3. stream_parser. Executable file , Used to scan files or disk devices , The purpose is to find out the conformity innodb Format data page , according to index_id To organize
4. c_parser. Executable file , For parsing innodb Data pages , Get row record
5. sys_parser. Executable file , Recover the table structure of the target table through dictionary table records

2.2.2 Restore the necessary conditions

One copy ibdata1 Data files , A table structure of the database to be restored

1. Table structure

stay structure.sql See the structure of the table ：

CREATE TABLE `user` (
  `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
  `name` varchar(10) NOT NULL,
  `password` varchar(32) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB AUTO_INCREMENT=5 DEFAULT CHARSET=utf8;

2.ibdata1 Data files

2.2.3 Parse data file

./stream_parser -f 01/ibdata1

After parsing , You can see that a pages-ibdata1 Catalog , It contains two subdirectories , One is a directory containing data pages sorted by index , The other is a data directory containing related types ：

Next, we will mainly focus on the first subdirectory, that is, the indexed data page directory , Because the data we want to recover is in it , The first page file （0000000000000001.page） It contains all database table information and related table index information , Similar to a data dictionary , You can use a script provided by the project recover_dictionary.sh Put its contents in a test Check the database in detail .

2.2.4 Parse page file

Since the first page file contains the index information of all database tables , We need to parse it first , To simulate mysql The process of querying data , Finally, the data to be recovered can be found .c_parser Tools can be used to parse page files , However, you need to provide an internal structure of the page file （ Table structure ）.

There is a... Under the root directory of the project dictionary Catalog , It contains data dictionary and related table structure , For example, the table structure used to parse the first page file is SYS_TABLES.sql file

./c_parser -4Df pages-ibdata1/FIL_PAGE_INDEX/0000000000000001.page -t dictionary/SYS_TABLES.sql  | grep ctf

The command uses c_parser The tool parses the index information of the database table and filters out the relevant information we want to recover ctf The file of

We see user The index value of this table is 13, Through this index value , Go to another table to check the user All index information of the table

The structure of this table is "dictionary/SYS_INDEXES.sql" You can see it in the file , The data page file corresponding to this table is the third data page 0000000000000003.page

./c_parser -4Df pages-ibdata1/FIL_PAGE_INDEX/0000000000000003.page -t dictionary/SYS_INDEXES.sql | grep 13

Here is one user Index information of , Its presence mysql The index value in the storage is 15, In the data page file corresponding to this index value number , That is, all the data of the index is stored

Here we choose to parse the data page file corresponding to the primary key index （ Another index key should also work , But the method may need to be different ）, Finally, I successfully analyzed and saw exciting data ：

./c_parser -5f pages-ibdata1/FIL_PAGE_INDEX/0000000000000015.page -t 01/structure.sql | more

Find out flag：71e55075163d5c6410c0d9eae499c977

summary

1. mysql
2. strings
3. Undrop for InnoDB