Python windows 权限提升
Python windows privilege escalation
我想以管理员模式(通过 UAC)运行一个程序。
经过一番挖掘,我发现了这个:
import os
import types
from traceback import print_exc
from sys import argv, executable
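def isUserAdmin():
    """Return True when the current process has administrator/root rights.

    Windows (``os.name == 'nt'``): asks ``shell32.IsUserAnAdmin()`` through
    ctypes. If that call fails, the traceback is printed and the function
    fails closed by returning False, so a caller never assumes privileges it
    could not verify.

    POSIX (``os.name == 'posix'``): compares the real user id returned by
    ``os.getuid()`` with 0.

    Returns:
        bool: True if the process is privileged, otherwise False.

    Raises:
        RuntimeError: ``os.name`` is neither 'nt' nor 'posix'.
    """
    if os.name == 'posix':
        # Check for root on Posix
        return os.getuid() == 0

    if os.name != 'nt':
        raise RuntimeError(
            "Unsupported operating system for this module: %s" % (os.name,))

    import ctypes
    # WARNING: requires Windows XP SP2 or higher!
    # NOTE(review): on UAC-enabled Windows this presumably reports whether the
    # current process token is elevated, not merely whether the account is in
    # the Administrators group -- confirm against the IsUserAnAdmin docs.
    try:
        # bool() so every branch returns the same type; the API yields an int.
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit still
        # propagate instead of being reported as "not an admin".
        print_exc()
        print("Admin check failed, assuming not an admin.")
        return False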
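def runAsAdmin(cmdLine=None, wait=True):
    """Start a command elevated by way of the Windows UAC consent prompt.

    The command is launched with ShellExecuteEx and the 'runas' verb, which
    makes Windows show the UAC elevation prompt to the interactive user.
    Nothing here suppresses that prompt: elevation only happens if the user
    approves it.

    Security: the started process runs with administrator rights, so cmdLine
    (and, when cmdLine is None, this process's own argv, which is forwarded
    unchanged) must come from a trusted source.

    Args:
        cmdLine: list or tuple whose first item is the program to start and
            whose remaining items are its arguments. When None, the current
            interpreter is re-launched with this process's argv.
        wait: when true, block until the started process exits.

    Returns:
        The exit code of the started process when wait is true, else None.

    Raises:
        RuntimeError: not running on Windows.
        ValueError: cmdLine is not a list/tuple, or is empty.
    """
    if os.name != 'nt':
        raise RuntimeError("This function is only implemented on Windows.")

    import subprocess
    import win32con, win32event, win32process
    from win32com.shell.shell import ShellExecuteEx
    from win32com.shell import shellcon

    if cmdLine is None:
        cmdLine = [executable] + argv
    elif not isinstance(cmdLine, (tuple, list)):
        raise ValueError("cmdLine is not a sequence.")
    if not cmdLine:
        # Without a program name there is nothing to execute.
        raise ValueError("cmdLine is empty.")

    cmd = '"%s"' % (cmdLine[0],)
    # Wrapping each argument in bare quotes breaks when an argument contains a
    # double quote or ends in a backslash: it can then split into, or merge
    # with, other arguments of the *elevated* process. list2cmdline applies
    # the MS C runtime quoting rules instead. Items are stringified first, as
    # the previous '%s' formatting did.
    params = subprocess.list2cmdline(["%s" % (x,) for x in cmdLine[1:]])

    # ShellExecute() doesn't seem to allow us to fetch the PID or handle
    # of the process, so we can't get anything useful from it. Therefore
    # the more complex ShellExecuteEx() must be used.
    # NOTE(review): presumably raises pywintypes.error when the user declines
    # the UAC prompt -- confirm, and decide whether callers should catch it.
    procInfo = ShellExecuteEx(nShow=win32con.SW_SHOWNORMAL,
                              fMask=shellcon.SEE_MASK_NOCLOSEPROCESS,
                              lpVerb='runas',  # causes UAC elevation prompt.
                              lpFile=cmd,
                              lpParameters=params)

    if not wait:
        # NOTE(review): SEE_MASK_NOCLOSEPROCESS still hands back a process
        # handle here; confirm it is released when procInfo is discarded.
        return None

    procHandle = procInfo['hProcess']
    win32event.WaitForSingleObject(procHandle, win32event.INFINITE)
    return win32process.GetExitCodeProcess(procHandle)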
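def test():
    """Report whether the process is elevated and, if not, re-launch elevated.

    Prints the elevation state together with the process id and argv. When
    the process is not an admin it calls runAsAdmin() with no arguments,
    which re-runs this script through the UAC prompt. It then waits for the
    user to press Enter.

    Returns:
        0 when already running as admin, otherwise the value returned by
        runAsAdmin().
    """
    if isUserAdmin():
        print("%s %s %s %s" % ("You are an admin!", os.getpid(), "params: ", argv))
        rc = 0
    else:
        print("%s %s %s %s" % ("You're not an admin.", os.getpid(), "params: ", argv))
        rc = runAsAdmin()

    # raw_input only exists on Python 2; Python 3 renamed it to input. Never
    # fall back to Python 2's input(), which evaluates what the user types.
    try:
        read_line = raw_input
    except NameError:
        read_line = input
    read_line('Press Enter to exit.')
    return rc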
# Script entry point: when started without admin rights, re-launch this same
# script through the UAC prompt. An already elevated run does nothing here.
if __name__ == "__main__" and not isUserAdmin():
    runAsAdmin()
这段代码会向用户请求管理员权限。这没问题,但我有两个主要问题:
1. 用户需要手动给程序授权。(这在渗透测试中是个问题)
2. 每次运行程序时,用户都要重新给程序授权。(这看起来很可疑)
有没有办法绕过这个?
附:系统是 Windows 7,且无法直接访问。
假设您可以访问运行此脚本的计算机,那么您可以按照此链接(link...)中的说明进行操作。
它将允许标准用户以管理员身份运行特定的应用程序。我已经在其他应用程序上成功使用过这份指南,但从未在 Python 脚本上用过。可能对你有用。
我想以管理员模式(通过 UAC)运行一个程序。
经过一番挖掘,我发现了这个:
import os
import types
from traceback import print_exc
from sys import argv, executable
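def isUserAdmin():
    """Return True when the current process has administrator/root rights.

    Windows (``os.name == 'nt'``): asks ``shell32.IsUserAnAdmin()`` through
    ctypes. If that call fails, the traceback is printed and the function
    fails closed by returning False, so a caller never assumes privileges it
    could not verify.

    POSIX (``os.name == 'posix'``): compares the real user id returned by
    ``os.getuid()`` with 0.

    Returns:
        bool: True if the process is privileged, otherwise False.

    Raises:
        RuntimeError: ``os.name`` is neither 'nt' nor 'posix'.
    """
    if os.name == 'posix':
        # Check for root on Posix
        return os.getuid() == 0

    if os.name != 'nt':
        raise RuntimeError(
            "Unsupported operating system for this module: %s" % (os.name,))

    import ctypes
    # WARNING: requires Windows XP SP2 or higher!
    # NOTE(review): on UAC-enabled Windows this presumably reports whether the
    # current process token is elevated, not merely whether the account is in
    # the Administrators group -- confirm against the IsUserAnAdmin docs.
    try:
        # bool() so every branch returns the same type; the API yields an int.
        return bool(ctypes.windll.shell32.IsUserAnAdmin())
    except Exception:
        # Exception rather than a bare except, so Ctrl-C and SystemExit still
        # propagate instead of being reported as "not an admin".
        print_exc()
        print("Admin check failed, assuming not an admin.")
        return False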
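def runAsAdmin(cmdLine=None, wait=True):
    """Start a command elevated by way of the Windows UAC consent prompt.

    The command is launched with ShellExecuteEx and the 'runas' verb, which
    makes Windows show the UAC elevation prompt to the interactive user.
    Nothing here suppresses that prompt: elevation only happens if the user
    approves it.

    Security: the started process runs with administrator rights, so cmdLine
    (and, when cmdLine is None, this process's own argv, which is forwarded
    unchanged) must come from a trusted source.

    Args:
        cmdLine: list or tuple whose first item is the program to start and
            whose remaining items are its arguments. When None, the current
            interpreter is re-launched with this process's argv.
        wait: when true, block until the started process exits.

    Returns:
        The exit code of the started process when wait is true, else None.

    Raises:
        RuntimeError: not running on Windows.
        ValueError: cmdLine is not a list/tuple, or is empty.
    """
    if os.name != 'nt':
        raise RuntimeError("This function is only implemented on Windows.")

    import subprocess
    import win32con, win32event, win32process
    from win32com.shell.shell import ShellExecuteEx
    from win32com.shell import shellcon

    if cmdLine is None:
        cmdLine = [executable] + argv
    elif not isinstance(cmdLine, (tuple, list)):
        raise ValueError("cmdLine is not a sequence.")
    if not cmdLine:
        # Without a program name there is nothing to execute.
        raise ValueError("cmdLine is empty.")

    cmd = '"%s"' % (cmdLine[0],)
    # Wrapping each argument in bare quotes breaks when an argument contains a
    # double quote or ends in a backslash: it can then split into, or merge
    # with, other arguments of the *elevated* process. list2cmdline applies
    # the MS C runtime quoting rules instead. Items are stringified first, as
    # the previous '%s' formatting did.
    params = subprocess.list2cmdline(["%s" % (x,) for x in cmdLine[1:]])

    # ShellExecute() doesn't seem to allow us to fetch the PID or handle
    # of the process, so we can't get anything useful from it. Therefore
    # the more complex ShellExecuteEx() must be used.
    # NOTE(review): presumably raises pywintypes.error when the user declines
    # the UAC prompt -- confirm, and decide whether callers should catch it.
    procInfo = ShellExecuteEx(nShow=win32con.SW_SHOWNORMAL,
                              fMask=shellcon.SEE_MASK_NOCLOSEPROCESS,
                              lpVerb='runas',  # causes UAC elevation prompt.
                              lpFile=cmd,
                              lpParameters=params)

    if not wait:
        # NOTE(review): SEE_MASK_NOCLOSEPROCESS still hands back a process
        # handle here; confirm it is released when procInfo is discarded.
        return None

    procHandle = procInfo['hProcess']
    win32event.WaitForSingleObject(procHandle, win32event.INFINITE)
    return win32process.GetExitCodeProcess(procHandle)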
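def test():
    """Report whether the process is elevated and, if not, re-launch elevated.

    Prints the elevation state together with the process id and argv. When
    the process is not an admin it calls runAsAdmin() with no arguments,
    which re-runs this script through the UAC prompt. It then waits for the
    user to press Enter.

    Returns:
        0 when already running as admin, otherwise the value returned by
        runAsAdmin().
    """
    if isUserAdmin():
        print("%s %s %s %s" % ("You are an admin!", os.getpid(), "params: ", argv))
        rc = 0
    else:
        print("%s %s %s %s" % ("You're not an admin.", os.getpid(), "params: ", argv))
        rc = runAsAdmin()

    # raw_input only exists on Python 2; Python 3 renamed it to input. Never
    # fall back to Python 2's input(), which evaluates what the user types.
    try:
        read_line = raw_input
    except NameError:
        read_line = input
    read_line('Press Enter to exit.')
    return rc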
# Script entry point: when started without admin rights, re-launch this same
# script through the UAC prompt. An already elevated run does nothing here.
if __name__ == "__main__" and not isUserAdmin():
    runAsAdmin()
这段代码会向用户请求管理员权限。这没问题,但我有两个主要问题:
1. 用户需要手动给程序授权。(这在渗透测试中是个问题)
2. 每次运行程序时,用户都要重新给程序授权。(这看起来很可疑)
有没有办法绕过这个?
附:系统是 Windows 7,且无法直接访问。
假设您可以访问运行此脚本的计算机,那么您可以按照此链接(link...)中的说明进行操作。
它将允许标准用户以管理员身份运行特定的应用程序。我已经在其他应用程序上成功使用过这份指南,但从未在 Python 脚本上用过。可能对你有用。