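# Lesson 33: Attacking the MySQL Service

Metasploit (msf) ships with the following MySQL-related modules (some of them are not modules for testing MySQL itself):\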
![](/files/-LZJx7bsgoTIeB6IVSah)

The msf modules commonly used against MySQL are:\
1\. auxiliary/scanner/mysql/mysql\_login\
2\. exploit/multi/mysql/mysql\_udf\_payload\
3\. exploit/windows/mysql/mysql\_mof\
4\. exploit/windows/mysql/scrutinizer\_upload\_exec\
5\. auxiliary/scanner/mysql/mysql\_hashdump\
6\. auxiliary/admin/mysql/mysql\_sql\
7\. auxiliary/scanner/mysql/mysql\_version

The tests below were run against local target machines. Target 1: x86 Windows 7

![](/files/-LZJx7bxMbtcMB4P2kcE)

Target 2:\
x86 Windows 2003, IP: 192.168.1.115\
![](/files/-LZJx7bzsK9gYtUn6kAE)

## 1. auxiliary/scanner/mysql/mysql\_login

Commonly used for login testing on an internal network, both in bulk and against a single host.\
![](/files/-LZJx7c2hpp6jertLP-u)

## 2. exploit/multi/mysql/mysql\_udf\_payload

Commonly used for UDF privilege escalation against a MySQL instance that was started as root, using the root account.\
![](/files/-LZJx7c5VrGgLE5ZYehB)

![](/files/-LZJx7cSLoER-xT4u9T7)

![](/files/-LZJx7cXWoi9fHTTaN_J)

## 3. exploit/windows/mysql/mysql\_mof

Similar to the above: privilege escalation.\
![](/files/-LZJx7cecYtwSUVUmrXv)

## 4. exploit/windows/mysql/scrutinizer\_upload\_exec

Uploads a file and executes it.

![](/files/-LZJx7cplgHLlhHoU1Ea)

## 5. auxiliary/scanner/mysql/mysql\_hashdump

Dumps the hashes from MySQL's mysql.user table.\
![](/files/-LZJx7czxbLnp_YD3O-H)

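In real engagements, the mysql\_hashdump module is used less often than the others. In most cases a SQL statement is recommended instead: it is more direct and more customizable.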

![](/files/-LZJx7d3x9Bz5BvrM0Ym)

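## 6. auxiliary/admin/mysql/mysql\_sql

Executes SQL statements. Especially useful in environments where the target has no web interface or similar, so the statements cannot be run through a script.\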
![](/files/-LZJx7d8LzsT_uenQAEb)

![](/files/-LZJx7dA7Q2kR2d85qRP)

## 7. auxiliary/scanner/mysql/mysql\_version

Commonly used for bulk discovery of MySQL hosts on an internal network.

![](/files/-LZJx7dCGh8UpilFHXyH)

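> Afterword: Lateral movement on an internal network depends on extensive host discovery to keep the engagement moving. The modules above are especially important during internal lateral movement and MySQL host discovery.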
>
> Micropoor

