MySQL之登陸密碼加密認證腳本
日常操作,經常明文指定了MySQL密碼來登錄MySQL服務,在登錄成功之後就會拋出下面的警告:
[root@git-server ~]# mysql -uroot -p‘wujianwei‘
Warning: Using a password on the command line interface can be insecure. Welcome to the MySQL monitor. Commands end with ; or \g. Your MySQL connection id is 510 Server version: 5.6.36-log Source distribution Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Other names may be trademarks of their respective owners. Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement. mysql>
對於要求嚴格的業務生產場景不允許出現Warning的,所以可能需要自己定制一下這個錯誤的邏輯。
當然如果不需要知道密碼,能不能換個方式來做呢,其實也行,在5.6中開始有了loginpath,和Oracle中的錢包的功能差不多,其實就是一種認證,做了授權,你不需要知道這些信息,loginpath就是一道橋梁為你做了認證。
如果你是5.5的版本,沒了loginpath,有沒有其他的方案來滿足需求呢。
有的人可能這個時候開始問,需求是什麽?
我們設想一下,命令行的方式中,輸入明文密碼,那還要密碼幹嘛,幹脆我輸入密碼的時候你別看,但是history命令裏面有啊。
所以這也算是一個風險點的入口,如果因為一些意外的情況登錄,那麽這種情況就很尷尬了。這是需求一。
那我們寫腳本,但是腳本裏面的密碼還是可見的,調用的明文密碼問題解決了,但是內容中的密碼還是可讀的。
所以這種情況下,一個很自然的方法就是加密。
其中一種是對密碼加密,比如我們得到一個密碼加密後的串,在需要調用的時候做一下解密,得到真實的密碼。這個過程是在腳本裏的邏輯來實現,所以我們得到明文密碼的概率要低一些。
如果要調用腳本的時候,其實就是先解密文件,然後調用解密邏輯,得到真正的密碼,然後開啟訪問的請求。
比如我得到了一個加密後的密碼串。調用的解密邏輯是decrypt_passwd,當然這個是可讀還可逆的。
二、Linux下用base64命令加解密字符串
base64加密解密站長工具:
https://base64.supfree.net/
2.1加密:
[root@git-server ~]# echo wujianwei|base64
d3VqaWFud2VpCg==2.2解密:
[root@git-server ~]# echo d3VqaWFud2VpCg==|base64 -d
wujianwei2.3下面對MySQL數據庫備份的賬戶密碼加密的方式來源於base64加密
腳本內容如下:
[root@git-server ~]# cat test03.sh
#!/bin/sh
Pass=‘d3VqaWFud2VpCg==‘
sock=/tmp/mysql.sock
function decrypt_passwd
{
tmp_pass=$1
dec_pass=`echo $tmp_pass|base64 -d`
}
decrypt_passwd $Pass
port=$1
#if [ ! -n "$port" ]; then
#echo ‘############################################‘
#echo ‘Please input correct MySQL Port and try again.‘
#echo ‘############################################‘
#ps -ef|grep mysqld|grep -v grep |grep -v mysqld_safe
#exit
#fi
/usr/local/mysql/bin/mysql -uroot -p$dec_pass -P$1 -S$sock通過此腳本登陸MySQL服務,到此處已經實現了腳本密碼轉換方式登陸MySQL服務
[root@git-server ~]# sh test03.sh.sh 3306
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 513
Server version: 5.6.36-log Source distribution
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql> 三、Linux Shell 加密解密方法gzexe
參考地址:
http://www.isays.cn/7336.html
gzexe無需安裝任何軟件是linux自帶的功能使用只需要執行命令即可
3.1、加密方法:
假如說我們這個腳本名字叫test03.sh
那我們就在linux服務器命令執行gzexe test03.sh即可
[root@git-server ~]# gzexe test03.sh
test03.sh: 51.3%原來的文件就加密了之後會在目錄產生一個test03.sh~的文件這個就是原來文件的備份
[root@git-server ~]# ll test03.sh*
-rwxr-xr-x 1 root root 1122 Jul 20 16:57 test03.sh
-rwxr-xr-x 1 root root 587 Jul 20 16:55 test03.sh~發現test03.sh腳本已經變成二進制文件
如下圖:
[root@git-server ~]# chmod +x test03.sh
[root@git-server ~]# ll test03.sh
-rwxr-xr-x 1 root root 1128 Jul 20 22:56 test03.sh
[root@git-server ~]# cp test03.sh /usr/local/sbin/登陸MySQL:
[root@git-server ~]# test03.sh 3306
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 517
Server version: 5.6.36-log Source distribution
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql> 3.2、解密方法:
假如說我們這個腳本名字叫test03.sh
那我們就執行
gzexe -d test03.sh
原來的文件就加解密了放在目錄裏面
查看test03.sh內容,事實證明文件內容已經解密了
[root@git-server ~]# cat test03.sh
#!/bin/sh
sock=/tmp/mysql.sock
Pass="d3VqaWFud2VpCg=="
function decrypt_passwd
{
tmp_pass=$1
dec_pass=`echo $tmp_pass|base64 -d`
}
decrypt_passwd $Pass
port=$1
#if [ ! -n "$port" ]; then
#echo ‘############################################‘
#echo ‘Please input correct MySQL Port and try again.‘
#echo ‘############################################‘
#ps -ef|grep mysqld|grep -v grep |grep -v mysqld_safe
#exit
#fi
/usr/local/mysql/bin/mysql -uroot -p$dec_pass -P$1 -S$sock四、加密軟件shc
shc是linux的一款加密腳本的插件東西比較安全我們可以利用
4.1、shc軟件安裝
shc官網:https://github.com/yanncam/UnSHc
wget -q http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.9.tgz
tar zxvf shc-3.8.9.tgz
cd shc-3.8.9
make[root@git-server shc-3.8.9]# make
cc -Wall shc.c -o shc
*** Do you want to probe shc with a test script?
*** Please try... make test
[root@git-server shc-3.8.9]# make install
*** Installing shc and shc.1 on /usr/local
*** Do you want to continue? yes
install -c -s shc /usr/local/bin/
install -c -m 644 shc.1 /usr/local/man/man1/
install: target `/usr/local/man/man1/‘ is not a directory: No such file or directory
make: *** [install] Error 1
請創建 mkdir -p /usr/local/man/man1/ ,然後運行make install4.2、常用參數介紹
-e date (指定過期日期)
-m message (指定過期提示的信息)
-f script_name(指定要編譯的shell的路徑及文件名)
-r Relax security. (可以相同操作系統的不同系統中執行)
-v Verbose compilation(編譯的詳細情況)
4.3、shc軟件加密使用
假如說我們這個腳本名字叫test03.sh
那我們就執行
shc -v -f test03.sh
-v 是現實加密過程
-f 後面跟需要加密的文件
[root@git-server ~]# shc -v -f test03.sh
shc shll=sh
shc [-i]=-c
shc [-x]=exec ‘%s‘ "$@"
shc [-l]=
shc opts=
shc: cc test03.sh.x.c -o test03.sh.x
shc: strip test03.sh.x
shc: chmod go-r test03.sh.x
[root@git-server ~]# ll test03.sh*
-rwxr-xr-x 1 root root 598 Jul 20 17:36 test03.sh
-rwx--x--x 1 root root 12376 Jul 20 17:36 test03.sh.x
-rw-r--r-- 1 root root 12805 Jul 20 17:36 test03.sh.x.ctest03.sh.x為二進制文件,賦予執行權限後,可直接執行。更改名字mv test03.sh.x test03.sh
test03.sh.x.c 是c源文件。基本沒用,可以刪除
[root@git-server ~]# mv test03.sh.x test03.sh
驗證文件是否為二進制文件:
登陸MySQL服務:
[root@git-server ~]# ./test03.sh 3306
Warning: Using a password on the command line interface can be insecure.
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 518
Server version: 5.6.36-log Source distribution
Copyright (c) 2000, 2017, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type ‘help;‘ or ‘\h‘ for help. Type ‘\c‘ to clear the current input statement.
mysql> 4.4、shc過期加密法
另shc還提供了一種設定有效執行期限的方法,過期時間,如:
#shc -e 14/09/2016 -m -f test03.sh
選項“-e”指定過期時間,格式為“日/月/年”;選項“-m”指定過期後執行此shell程序的提示信息。
如果在過期後執行,則會有如下提示:
#./test03.sh.x
./test03.sh.x: has expired!(文件已經過期)
使用以上方法要註意,需防止用戶更改系統時間,可以通過在程序中加入自動更新系統時間的命令來解決此問題。
4.5、shc加密過的文件的解密方法
利用這個腳本來解密
https://github.com/yanncam/UnSHc
[root@git-server ~]# wget https://github.com/yanncam/UnSHc/archive/master.zip
[root@git-server ~]# unzip master.zip
Archive: master.zip
202e5c200005a1b8e474fbfccfb983a582708da1
creating: UnSHc-master/
inflating: UnSHc-master/README.md
creating: UnSHc-master/latest/
inflating: UnSHc-master/latest/unshc.sh
creating: UnSHc-master/release/
creating: UnSHc-master/release/0.2/
inflating: UnSHc-master/release/0.2/unshc-v0.2.sh
inflating: UnSHc-master/release/0.2/unshc-v0.2b.sh
creating: UnSHc-master/release/0.3/
inflating: UnSHc-master/release/0.3/unshc-v0.3.sh
creating: UnSHc-master/release/0.4/
inflating: UnSHc-master/release/0.4/unshc-v0.4.sh
creating: UnSHc-master/release/0.5/
inflating: UnSHc-master/release/0.5/unshc-v0.5.sh
creating: UnSHc-master/release/0.6/
inflating: UnSHc-master/release/0.6/unshc-v0.6.sh
creating: UnSHc-master/release/0.7/
inflating: UnSHc-master/release/0.7/unshc-v0.7.sh
creating: UnSHc-master/release/0.8/
inflating: UnSHc-master/release/0.8/unshc-v0.8.sh
creating: UnSHc-master/sample/
inflating: UnSHc-master/sample/test.sh
inflating: UnSHc-master/sample/test.sh.x
inflating: UnSHc-master/sample/test.sh.x.c [root@git-server latest]# cd /root/UnSHc-master/latest;
[root@git-server latest]# ./unshc.sh -h
_ _ _____ _ _
| | | | / ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | ‘_ \ `--. \ _ |/ __|
| |_| | | | /\__/ / | | | (__
\___/|_| |_\____/\_| |_/\___|
--- UnSHc - The shc decrypter.
--- Version: 0.8
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------
[*] Usage : ./unshc.sh [OPTIONS] <file.sh.x>
-h | --help : print this help message
-a OFFSET | --arc4 OFFSET : specify the arc4() offset arbitrarily (without 0x prefix)
-d DUMPFILE | --dumpfile DUMPFILE : provide an object dump file (objdump -D script.sh.x > DUMPFILE)
-s STRFILE | --stringfile STRFILE : provide a string dump file (objdump -s script.sh.x > STRFILE)
-o OUTFILE | --outputfile OUTFILE : indicate the output file name
[*] e.g :
./unshc.sh script.sh.x
./unshc.sh script.sh.x -o script_decrypted.sh
./unshc.sh script.sh.x -a 400f9b
./unshc.sh script.sh.x -d /tmp/dumpfile -s /tmp/strfile
./unshc.sh script.sh.x -a 400f9b -d /tmp/dumpfile -s /tmp/strfile -o script_decrypted.sh
[root@git-server latest]# [root@git-server ~]# /root/UnSHc-master/latest/unshc.sh test03.sh
_ _ _____ _ _
| | | | / ___| | | |
| | | |_ __ \ `--.| |_| | ___
| | | | ‘_ \ `--. \ _ |/ __|
| |_| | | | /\__/ / | | | (__
\___/|_| |_\____/\_| |_/\___|
--- UnSHc - The shc decrypter.
--- Version: 0.8
------------------------------
UnSHc is used to decrypt script encrypted with SHc
Original idea from Luiz Octavio Duarte (LOD)
Updated and modernized by Yann CAM
- SHc : [http://www.datsi.fi.upm.es/~frosal/]
- UnSHc : [https://www.asafety.fr/unshc-the-shc-decrypter/]
------------------------------
[*] Input file name to decrypt [test03.sh]
[+] ARC4 address call candidate : [0x400ea0]
[*] Extracting each args address and size for the 14 arc4() calls with address [0x400ea0]...
[0] Working with var address at offset [0x6022e4] (0x2a bytes)
[1] Working with var address at offset [0x6026af] (0x1 bytes)
[2] Working with var address at offset [0x6026b1] (0x8 bytes)
[3] Working with var address at offset [0x6026bb] (0x3 bytes)
[4] Working with var address at offset [0x6027f7] (0xf bytes)
[5] Working with var address at offset [0x602693] (0x1 bytes)
[6] Working with var address at offset [0x60280a] (0x16 bytes)
[7] Working with var address at offset [0x602695] (0x16 bytes)
[8] Working with var address at offset [0x602825] (0x13 bytes)
[9] Working with var address at offset [0x6026b0] (0x1 bytes)
[10] Working with var address at offset [0x602838] (0x1 bytes)
[11] Working with var address at offset [0x60239c] (0x257 bytes)
[12] Working with var address at offset [0x60267d] (0x13 bytes)
[13] Working with var address at offset [0x602668] (0x13 bytes)
[*] Extracting password...
[+] PWD address found : [0x6026e2]
[+] PWD size found : [0x100]
[*] Executing [/tmp/0Kq6m3] to decrypt [test03.sh]
[*] Retrieving initial source code in [test03.sh.sh]
[*] All done!
[root@git-server ~]# [root@git-server ~]# ll test03.sh*
-rwx--x--x 1 root root 12184 Jul 20 23:36 test03.sh
-rw-r--r-- 1 root root 597 Jul 20 23:43 test03.sh.sh
-rw-r--r-- 1 root root 11964 Jul 20 23:36 test03.sh.x.c
[root@git-server ~]# 此時test03.sh.sh 這個文件就是原來的文件
[root@git-server ~]# cat test03.sh.sh
#!/bin/sh
sock=/tmp/mysql.sock
Pass="d3VqaWFud2VpCg=="
function decrypt_passwd
{
tmp_pass=$1
dec_pass=`echo $tmp_pass|base64 -d`
}
decrypt_passwd $Pass
port=$1
#if [ ! -n "$port" ]; then
#echo ‘############################################‘
#echo ‘Please input correct MySQL Port and try again.‘
#echo ‘############################################‘
#ps -ef|grep mysqld|grep -v grep |grep -v mysqld_safe
#exit
#fi
/usr/local/mysql/bin/mysql -uroot -p$dec_pass -P$1 -S$sock到此處MySQL的登陸密碼的加密演示完畢。歡迎同學們一起交流學習
MySQL之登陸密碼加密認證腳本