MySQL database privilege escalation (I)


1、 Obtain MySQL login account and password

1. Privilege escalation through the database requires the database account and password, which are stored in configuration files. These files are generally in the root directory of the website, and their names have distinctive characteristics, such as conn, config, data, sql, common, inc, etc.









The above files contain the information for connecting to the database, including the connection account, password, database name, etc.

2. If you can’t find the connection information in these files, you can find it in the installation directory of the database. The default directory is C:\phpstudy2016\MySQL\data\mysql. In this directory you can find the user.MYD file, which records the login account and password.


3. Getting the account and password through brute force is more troublesome. In addition, MySQL does not allow remote connections by default, so brute forcing can only be done through a script: run a script file that scans with weak passwords plus a dictionary to crack the database user and password.




The user name and password are displayed at the top. Tools such as hscan, bruter and Hydra can also be used for brute force cracking, but these tools require that external remote connections to the database are open.

Log in to MySQL, grant permissions for root remote access, and execute the following statement:

mysql> GRANT ALL PRIVILEGES ON *.* TO root@"%" IDENTIFIED BY "root";

mysql>flush privileges;


Access MySQL database through remote machine:




The version information of the database can be seen through a telnet remote connection.

Besides the statement above, a PHP script can also be used to open the remote connection:




After it is opened successfully, use a professional database connection tool to connect remotely, for example the Navicat for MySQL visualization tool.


In addition, connect by script:


You can select a database and export it from the upper left corner, or export it locally. This process is also called dumping the database.

In addition, use the bruter tool with a dictionary loaded to crack it


2、 Database privilege escalation

1. UDF privilege escalation

Note that when the MySQL version is less than 5.1, the UDF file is placed in C:\\windows\\udf.dll or C:\\windows\\system32\\udf.dll.

When MySQL is version 5.1, the UDF file is in %MySQL%\\plugin\\udf.dll; use select @@plugin_dir to query the plugin file path. The default is C:/Program Files/MySQL/MySQL Server 5.1/lib/plugin/udf.dll. If phpstudy is installed, the directory may be C:\PHP\mysql-5.1.50\lib\plugin\udf.dll. The remote connection has already been opened in the steps above, so the privilege-escalation tool is used to connect directly


The current version shown is 5.5.53, which is greater than 5.1, so the tool prompts you to import the UDF file into the lib\plugin directory

Connect to the target host using the “kitchen knife” (China Chopper) tool.


Create the plugin directory under phpstudy/MySQL/lib, and then go back to the MySQL privilege-escalation tool to import the udf.dll file


After the directory is created, return to the MySQL privilege-escalation tool


The import fails. One possible reason is this setting in the database configuration file: secure_file_priv="";


After setting it to empty, exit and restart the MySQL service, and then import again in the tool
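The import step above depends on secure_file_priv being empty, and the remote-connection steps depend on the server listening beyond loopback. The following added example (not part of the original page) audits the [mysqld] section of a configuration file for both; audit_mysqld and the two sample configurations are constructed for illustration.

```python
import configparser

# Constructed sample configs: the weak one uses the setting described above.
WEAK_INI = """
[mysqld]
port=3306
secure_file_priv=""
bind-address=0.0.0.0
"""

HARDENED_INI = """
[mysqld]
port=3306
secure_file_priv=NULL
bind-address=127.0.0.1
"""

def audit_mysqld(ini_text):
    """Return a list of findings for the [mysqld] section of a my.ini/my.cnf."""
    cp = configparser.ConfigParser(allow_no_value=True, strict=False,
                                   interpolation=None)
    cp.read_string(ini_text)
    if not cp.has_section("mysqld"):
        return ["no [mysqld] section found"]
    # MySQL treats '-' and '_' in option names as equivalent.
    opts = {k.replace("-", "_"): (v or "").strip().strip("\"'")
            for k, v in cp.items("mysqld")}
    findings = []
    sfp = opts.get("secure_file_priv")
    if sfp is None:
        findings.append("secure_file_priv not set: effective value is the "
                        "server version's default")
    elif sfp == "":
        findings.append("secure_file_priv is empty: file import/export is "
                        "unrestricted")
    elif sfp.upper() != "NULL":
        findings.append(f"secure_file_priv limits file operations to {sfp}: "
                        "confirm it does not contain the plugin directory")
    # Without skip-networking, an unset or wildcard bind-address means the
    # server accepts TCP connections on every interface.
    if "skip_networking" not in opts:
        if opts.get("bind_address", "") in ("", "*", "0.0.0.0", "::"):
            findings.append("server listens on all interfaces: bind to "
                            "loopback or an admin network")
    return findings
```

secure_file_priv is read at startup only, so a changed value in the file takes effect after the service restart mentioned above.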


The import now succeeds, and the udf.dll file can also be seen in the actual directory


Now you can execute the database command in the tool: create function cmdshell returns string soname 'udf.dll'; This statement creates a cmdshell function from the UDF file. After it is created, you can use it (cmdshell) to run other commands from the database.
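The GRANT statement from the first part and the create function ... soname statement above are both recorded in MySQL's general query log when that log is enabled. The following added example (not part of the original page) scans log lines for them and for later calls to any function created that way; the simplified log layout, the rule names and detect() are assumptions, and the sample lines are constructed.

```python
import re

# Constructed log lines: timestamp, connection id, command, statement.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 12 Query SELECT id, title FROM posts WHERE id = 7
2024-05-01T10:02:13Z 15 Query GRANT ALL PRIVILEGES ON *.* TO root@"%" IDENTIFIED BY "root"
2024-05-01T10:05:40Z 15 Query select @@plugin_dir
2024-05-01T10:06:02Z 15 Query create function cmdshell returns string soname 'udf.dll'
2024-05-01T10:06:30Z 15 Query select cmdshell('net user')
"""

RULES = [
    # Global privileges granted to an account with a wildcard host.
    ("wildcard_grant",
     re.compile(r"\bGRANT\b.+\bON\s+\*\.\*\s+TO\b.+@\s*['\"`]?%", re.I)),
    # Lookup of the plugin directory, which normally precedes a UDF install.
    ("plugin_dir_lookup", re.compile(r"@@(?:global\.)?plugin_dir\b", re.I)),
]
UDF_CREATE = re.compile(
    r"\bCREATE\s+(?:AGGREGATE\s+)?FUNCTION\s+`?(\w+)`?\s+RETURNS\s+\w+\s+SONAME\b",
    re.I)

def detect(log_text):
    """Return (line_no, conn_id, rule) hits, tracking UDFs created in the log."""
    hits, udf_names = [], set()
    for no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split(None, 3)
        if len(parts) < 4 or parts[2] != "Query":
            continue
        conn, sql = parts[1], parts[3]
        # Calls to a function that was registered from a shared library earlier.
        for name in sorted(udf_names):
            if re.search(rf"\b{re.escape(name)}\s*\(", sql, re.I):
                hits.append((no, conn, f"udf_call:{name}"))
        m = UDF_CREATE.search(sql)
        if m:
            udf_names.add(m.group(1).lower())
            hits.append((no, conn, f"udf_create:{m.group(1)}"))
        hits.extend((no, conn, rule) for rule, rx in RULES if rx.search(sql))
    return hits
```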


2. Execute the “ver” command:


3. Execute the “net user” command:


4. Open port 3389 remotely. Since opening 3389 is done by a function, you should first create a 3389 () function, similar to cmdshell.




At this time, the target machine does not have remote port 3389 open.


Execute the 3389 () function command.




Let’s look at the status of remote desktop


Port 3389 has been opened. We can remotely connect to its server for subsequent operations.

When remote connections are not allowed, the script (UDF) approach can be used instead.




First, set the moonudf.dll file to export




Successfully exported.

5. As with the privilege-escalation tool, you must first create a command-execution function before executing commands


After execution


If there is no error in the statement, it indicates that the creation is successful. Execute the view user command:


If the execution is successful, you can also create a user manually (normal):


The biggest advantage of this script is that if the other party’s port 3306 is not open at all, we can use the “kitchen knife” (China Chopper) tool to transfer this script to the other party’s host, access the script through the web, create functions, execute commands, and remotely open some ports of the other party.

To sum up, these are all the steps of database UDF privilege escalation.

