runassystem: batch (.bat) implementation


This tool is only meant for the case where you already hold an administrator account and are stuck in a non-interactive environment. In an interactive session there are plenty of ways to obtain SYSTEM privileges, e.g. nircmd.exe, psexec, wmi, sc, ...
Note that this is not a privilege-escalation bug: an elevated administrator is allowed to register scheduled tasks that run under the SYSTEM principal, and that is the mechanism used here. The administrator shell must be elevated (high integrity); otherwise schtasks /create /ru SYSTEM fails with access denied, which is what the System32 directory test in the script checks for up front.

@echo off
setlocal

rem Refuse to run on Windows XP / Server 2003 (NT 5.x): "schtasks /run /i" and
rem TIMEOUT are not available there. Match " 5." so that 10.0.x builds that
rem merely contain a 5 somewhere in the build number are not caught.
ver | findstr /r /c:" 5\.[0-9]" >NUL 2>NUL && (echo [-] Not working on winxp/win2k3 && goto :EOF)

rem The result file has to be defined before it is cleaned up.
set "result_file=%tmp%\command_result.txt"
del /f /q "%result_file%" >NUL 2>NUL

rem Privilege check: only an elevated administrator can create a directory under
rem System32 (and only an elevated administrator can register a SYSTEM task).
rem The test directory is removed again right away.
rd "%WinDir%\System32\test_permissions" >NUL 2>NUL
md "%WinDir%\System32\test_permissions" 2>NUL || (echo.& echo [-] Run as administrator user.&& goto :EOF)
rd "%WinDir%\System32\test_permissions" >NUL 2>NUL

rem Commands containing quotes or & are not handled; keep them simple.
set comands=%*
if not defined comands (
    echo.
    echo Run as SYSTEM Account Tool
    echo.
    echo [-] error: The syntax of the command is incorrect.
    echo.
    echo Help:
    echo %~n0 command
    goto :EOF
)

rem Register a task that runs as SYSTEM (/ru "SYSTEM") and start it at once (/run /i).
rem The DAILY trigger is only there because /create requires a schedule; the task
rem is deleted as soon as it has finished. If the script is interrupted before
rem that, delete the leftover "runAsSystem" task by hand.
rem chcp 437 forces English console output so that findstr can match it; 2>&1
rem also captures the command's stderr in the result file.
schtasks.exe /create /ru "SYSTEM" /tn "runAsSystem" /sc DAILY /tr "cmd.exe /c chcp 437>NUL 2>NUL&&%comands%>> %result_file% 2>&1" /F >NUL 2>NUL
schtasks.exe /run /tn runAsSystem /i >NUL 2>NUL

:Running
rem Poll once per second until the task is no longer in the "Running" state.
chcp 437 >NUL 2>NUL && schtasks.exe /query /tn runAsSystem /fo list | findstr /i "Running" >NUL 2>NUL && (
    TIMEOUT /T 1 >NUL 2>NUL
    goto :Running
)

:Ready
rem Print the captured output, then remove the task and the temp file.
type "%result_file%" 2>NUL
schtasks.exe /delete /tn runAsSystem /f >NUL 2>NUL
del /f /q "%result_file%" >NUL 2>NUL
endlocal
goto :EOF

Scenario:
I am a local administrator (local account) and want to look up domain account information (this needs domain account privileges or the SYSTEM account), but the current shell is non-interactive and I cannot get a reverse shell either. I tried several tools and found they only support systems older than Vista. psexec can be used non-interactively, but it errored on the target system, and wmi did not work either.
nircmd.exe elevatecmd runassystem cmd.exe does not work in a non-interactive environment.

So I wrote a batch script around the schtasks command to go from administrator to the SYSTEM account in a non-interactive environment.
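As an added example (not code from the original post), the same scheduled-task flow written with PowerShell's ScheduledTasks cmdlets, which exist from Windows 8 / Server 2012 onwards. It adds what the batch version lacks: an explicit elevation check, capture of stderr, the launched process's exit code from LastTaskResult, a timeout, and cleanup in a finally block, and it reads the task state as an enum instead of matching localized console text. The script name Invoke-AsSystem.ps1, the task name and the output file path are this example's own choices.

```powershell
# Invoke-AsSystem.ps1 -- added example, not the original post's script.
# Run a command as SYSTEM from an elevated, non-interactive shell by
# registering a triggerless scheduled task under the SYSTEM principal.
param(
    [Parameter(Mandatory = $true)][string]$Command,
    [string]$TaskName = 'runAsSystem',      # arbitrary name chosen for this example
    [int]$TimeoutSeconds = 60
)

$ErrorActionPreference = 'Stop'

# Pre-check: the caller must already be an elevated administrator; a task with
# the SYSTEM principal cannot be registered from a medium-integrity shell.
$identity = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
if (-not $identity.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw '[-] Run from an elevated (administrator) shell.'
}

# Output file written by the task; SYSTEM can write to the caller's TEMP.
$outFile = Join-Path $env:TEMP ('runassystem_{0}.txt' -f [guid]::NewGuid())

# cmd.exe runs the requested command and captures both stdout and stderr.
$action    = New-ScheduledTaskAction -Execute 'cmd.exe' `
                 -Argument ('/c {0} > "{1}" 2>&1' -f $Command, $outFile)
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
                 -LogonType ServiceAccount -RunLevel Highest
$settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

try {
    # No trigger is given, so the task only runs when started explicitly.
    Register-ScheduledTask -TaskName $TaskName -Action $action -Principal $principal `
        -Settings $settings -Force | Out-Null
    Start-ScheduledTask -TaskName $TaskName

    # Poll until the task has left the Running/Queued states and the output
    # file exists (cmd creates it even when the command prints nothing).
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Milliseconds 500
        $state = (Get-ScheduledTask -TaskName $TaskName).State
        $done  = ($state -notin 'Running', 'Queued') -and (Test-Path $outFile)
    } while (-not $done -and (Get-Date) -lt $deadline)

    if ($state -in 'Running', 'Queued') {
        Stop-ScheduledTask -TaskName $TaskName
        Write-Warning "[-] Task still running after $TimeoutSeconds s; stopped it."
    }

    # LastTaskResult is the exit code of the launched process (0 = success).
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    Write-Host ('[*] exit code: 0x{0:X8}' -f $info.LastTaskResult)

    if (Test-Path $outFile) { Get-Content $outFile }
}
finally {
    # Always remove the task and the output file, even if something above failed,
    # so no SYSTEM task is left behind on the host.
    Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false -ErrorAction SilentlyContinue
    Remove-Item $outFile -Force -ErrorAction SilentlyContinue
}
```

Usage from the elevated shell: `.\Invoke-AsSystem.ps1 -Command 'whoami'` should print `nt authority\system`, and `.\Invoke-AsSystem.ps1 -Command 'net group "Domain Admins" /domain'` covers the scenario above, since SYSTEM on a domain-joined host queries the domain as the computer account. Registering and deleting a task is still logged (Security event 4698/4699 when task auditing is on, and the TaskScheduler Operational log), so do not expect this route to be quieter than the batch version.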

Source:wolvez.club | Author:wolvez
