Breaking through xpsql.cpp: Error 5 during privilege escalation

Source: Internet
Author: User

By: isosky

Today, a friend in a group kept posting a shell and asking for help with elevation of privilege. I saw him post it several times. It sounded tempting (the SA and ROOT passwords were all there), so, in line with the YD mentality of wanting one more server, I put down the bananas and opened fire ~~~

I connected directly to MSSQL to raise the permission. The result was "xpsql.cpp: Error 5 from CreateProcess (line 737)", and I almost went blind. I decisively went for UDF. The old man is gone forever .... The shell could not be started. So I searched Baidu and Google at the same time.

I had only just entered "xpsql.cpp:" when it came up as the first matching keyword, and there were still many thieves in the results... I am chilling. After half an hour I had not found a method I could use.

So I took the root banana and tried another way to get permission on the server, to see what the problem was.

PR failed. There was no permission to use shell.users. The SYSTEM permission on CMD had also been removed.

Then I uploaded a CMD to the website directory. It could execute commands with low permissions. Access to the directories under drive C was still denied. It seemed that I still had to start with the database.

Now, in CMD, I could upload a file to a directory. You can do anything else. So I uploaded a notebook at will, executed it, and checked the process. Then I had a thought: copy the CMD in the directory I had permission on to drive C using SQL statements.

After some back-and-forth testing, everything under drive C was access denied for SYSTEM. So I thought of the legendary three doors (SHIFT \ magnifier \ screen keyboard), because I had tried connecting to the Remote Desktop and found that these three could still run.

The following statement is used:

Declare @ o int exec sp_oacreate scripting. filesystemobject, @ o out exec sp_oamethod @ o, copyfile, null, c: windowsexplorer.exe, c: windowssystem32sethc.exe;
Declare @ oo int exec sp_oacreate scripting. filesystemobject, @ oo out exec sp_oamethod @ oo, copyfile, null, c: windowssystem32sethc.exe, c: windowssystem32dllcachesethc.exe;

 

That creates a shift backdoor. Then I tried it. It failed: the process was there, but the explorer interface was not displayed.

Then I tried other programs, and it was fruitless. I wondered whether I had no permission to copy the file, so I uploaded an explorer from my local machine to the website directory and modified the above statement so that sethc was replaced by the explorer in the website directory. The result was still invalid ~ It will happen if it is executed. I really don't understand this ~

But the process was there. So I could add an account directly, without using the interface.

So I immediately wrote a new user (not net user ... directly, but e: wwwrootcmd.exe net user ...) and then used the preceding statement to replace sethc. Decisive success ~~~

Then... naturally, I went to the group to show off. As a result, one of my classmates told me that the unblocking of those bots was done just like this, and that they could sell for several hundred. Ah, this technique is not as good as capturing chickens ~

Ninty: ... upload a newbie.exe and net1.exe, and use sp_oacreate to call it.
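For defenders, the sethc.exe replacement described in the post leaves a simple artifact: a logon-screen accessibility helper that is byte-identical to explorer.exe, cmd.exe, or an uploaded copy of one. The check below is an added example, not part of the original post; the function names and the `extra_shells` parameter are illustrative assumptions.

```python
import hashlib
import os
from pathlib import Path

# Added example: names below are illustrative, not from the original post.
# Helpers reachable from the logon screen (the post's "three doors").
HELPERS = ("sethc.exe", "magnify.exe", "osk.exe")


def sha256(path: Path) -> str:
    """Hash a file in chunks so large binaries are not read into memory at once."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def find_replaced_helpers(windir: Path, extra_shells=()):
    """Return (helper, shell) path pairs where a helper is byte-identical to a shell.

    extra_shells: additional files to compare against, e.g. executables found
    in a web root (assumption: the caller collects these).
    """
    sys32 = windir / "System32"
    shells = [windir / "explorer.exe", sys32 / "cmd.exe", *map(Path, extra_shells)]
    known = {sha256(p): p for p in shells if p.is_file()}
    findings = []
    # The post overwrites both the live copy and the dllcache copy.
    for folder in (sys32, sys32 / "dllcache"):
        for name in HELPERS:
            helper = folder / name
            if helper.is_file() and sha256(helper) in known:
                findings.append((helper, known[sha256(helper)]))
    return findings


if __name__ == "__main__":
    root = Path(os.environ.get("WINDIR", r"C:\Windows"))
    for helper, shell in find_replaced_helpers(root):
        print(f"ALERT: {helper} is a byte-for-byte copy of {shell}")
```

A clean result only rules out these byte-identical copies; a helper replaced by some other binary still needs a signature or known-good hash comparison.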
