# Lesson 33: Attacking the MySQL Service

The MySQL-related modules built into msf are shown below (some of them are not MySQL testing modules):\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7bsgoTIeB6IVSah%2F876ad30bffd3f57b961ecb2781f888fc.jpg?generation=1551060435891763\&alt=media)

The msf modules commonly used against MySQL are:\
1\. auxiliary/scanner/mysql/mysql\_login\
2\. exploit/multi/mysql/mysql\_udf\_payload\
3\. exploit/windows/mysql/mysql\_mof\
4\. exploit/windows/mysql/scrutinizer\_upload\_exec\
5\. auxiliary/scanner/mysql/mysql\_hashdump\
6\. auxiliary/admin/mysql/mysql\_sql\
7\. auxiliary/scanner/mysql/mysql\_version

The following tests were run against local target machines. Target 1: x86 Windows 7

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7bxMbtcMB4P2kcE%2Fff8b69c7beb814d667497bbc433cfaaa.jpg?generation=1551060441439282\&alt=media)

Target 2:\
x86 Windows 2003, IP: 192.168.1.115\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7bzsK9gYtUn6kAE%2F5692738d486e9997fe0752e7e6be1c9f.jpg?generation=1551060434837075\&alt=media)

## 1. auxiliary/scanner/mysql/mysql\_login

Commonly used for login testing on an internal network, both in bulk and against a single host.\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7c2hpp6jertLP-u%2Fc9f16b174fa0a7b4f67c75b3ed9f2492.jpg?generation=1551060433334829\&alt=media)

## 2. exploit/multi/mysql/mysql\_udf\_payload

Commonly used for UDF privilege escalation when MySQL is started as root and accessed as root.\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7c5VrGgLE5ZYehB%2F9b06e9685123fd026cb108f9d281c05f.jpg?generation=1551060457630745\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7cSLoER-xT4u9T7%2F8569841b55b9fd3bf0ed467eb4f9daf3.jpg?generation=1551060456446833\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7cXWoi9fHTTaN_J%2F0a4ac046fdc3e4d1f7d713ef14f1651c.jpg?generation=1551060444629112\&alt=media)

## 3. exploit/windows/mysql/mysql\_mof

Similar to the above: privilege escalation.\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7cecYtwSUVUmrXv%2Fcc563fb9d228e4c7adaf7b284925dbf4.jpg?generation=1551060440760489\&alt=media)

## 4. exploit/windows/mysql/scrutinizer\_upload\_exec

Uploads a file and executes it.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7cplgHLlhHoU1Ea%2F904116076e8cc90398e6769b4a8f0492.jpg?generation=1551060450949228\&alt=media)

## 5. auxiliary/scanner/mysql/mysql\_hashdump

Hashes from the mysql.user table of MySQL.\
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7czxbLnp_YD3O-H%2F0ccc9d7da3cbd464b35662a431824eea.jpg?generation=1551060447151195\&alt=media)

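In real engagements, the mysql\_hashdump module is used less often than the others. In most cases a SQL statement is recommended instead, since it is more direct and more customizable: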

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7d3x9Bz5BvrM0Ym%2F8e1d6085009d34a2afbbab9f4bddd95f.jpg?generation=1551060451670159\&alt=media)

## 6. auxiliary/admin/mysql/mysql\_sql

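Executes SQL statements. Especially useful in environments where the target has no web interface or similar, so statements cannot be run through a script.\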
![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7d8LzsT_uenQAEb%2F42b5a61ec763f6c6dbd725650188e5ad.jpg?generation=1551060425865550\&alt=media)

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7dA7Q2kR2d85qRP%2Ff1fb35b04225b40e571c5e61f8516886.jpg?generation=1551060434672127\&alt=media)

## 7. auxiliary/scanner/mysql/mysql\_version

Commonly used for bulk discovery of MySQL hosts on an internal network.

![](https://1465213733-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-LZJtlFN7NOR8zMCiJsm%2F-LZXOtmCj3pT3_pYH1dV%2F-LZJx7dCGh8UpilFHXyH%2Fe9bfe12061674c64cdee00c7056173f1.jpg?generation=1551060455110265\&alt=media)

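> Afterword: In internal-network lateral movement, a large amount of host discovery is needed to sustain the engagement. The modules above are especially important during lateral movement or MySQL host discovery.
>
> Micropoor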
