0x00 Preface

Reference: Micro8 series, lesson 7: https://micro8.gitbook.io/micro8/contents-1/1-10/7sqlserver-chang-yong-cao-zuo-yuan-cheng-zhuo-mian-yu-ju

0x01 Checking whether Remote Desktop is enabled

EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
'SYSTEM\CurrentControlSet\Control\Terminal Server',
'fDenyTSConnections'
  • 1: Remote Desktop is disabled (connections denied)
  • 0: Remote Desktop is enabled

0x02 Reading the Remote Desktop port

EXEC master..xp_regread 'HKEY_LOCAL_MACHINE',
'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
'PortNumber'

Note that in the local registry the key name is "Terminal Server" with a space between the two words; check the actual key path on the target system.
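The two reads above return their values as a result grid. The following added example (not code from the original post or from the Micro8 course) performs the same two reads from 0x01 and 0x02 through xp_regread's @value OUTPUT parameter, so the Remote Desktop state and port can be evaluated in T-SQL, for instance from an audit job that flags hosts whose RDP configuration has drifted. The decoded labels and the 3389 comparison are this example's own additions.

```sql
-- Added example, not from the original post: read the Remote Desktop state and
-- port into T-SQL variables via xp_regread's OUTPUT parameter and decode them.
-- Requires sysadmin rights on the instance; the key name "Terminal Server"
-- contains a space.
DECLARE @fDenyTSConnections INT;
DECLARE @PortNumber INT;

-- fDenyTSConnections: 1 = connections denied (RDP disabled), 0 = allowed (RDP enabled)
EXEC master.dbo.xp_regread
    @rootkey    = N'HKEY_LOCAL_MACHINE',
    @key        = N'SYSTEM\CurrentControlSet\Control\Terminal Server',
    @value_name = N'fDenyTSConnections',
    @value      = @fDenyTSConnections OUTPUT;

-- PortNumber is a REG_DWORD; 0x00000d3d is the default port 3389
EXEC master.dbo.xp_regread
    @rootkey    = N'HKEY_LOCAL_MACHINE',
    @key        = N'SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    @value_name = N'PortNumber',
    @value      = @PortNumber OUTPUT;

-- One row summarising the host's RDP exposure; a NULL means the value was not present
SELECT
    @fDenyTSConnections AS fDenyTSConnections,
    CASE @fDenyTSConnections
        WHEN 0 THEN 'enabled'
        WHEN 1 THEN 'disabled'
        ELSE 'unknown'
    END AS rdp_state,
    @PortNumber AS rdp_port,
    CASE WHEN @PortNumber IS NULL THEN 'value missing'
         WHEN @PortNumber <> 3389 THEN 'non-default port'
         ELSE 'default port'
    END AS port_note;
```

Because the values land in variables rather than a grid, the same batch can be wrapped in a SQL Agent job or a monitoring query that raises an alert when rdp_state changes or the port no longer matches the documented baseline.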

0x03 Enabling Remote Desktop

EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE',
'SYSTEM\CurrentControlSet\Control\Terminal Server',
'fDenyTSConnections','REG_DWORD',0;

Enabling Remote Desktop with a .reg file: save the following as mi1k7ea.reg

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server]
"fDenyTSConnections"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00000d3d

Then run regedit /s mi1k7ea.reg

Note: if Remote Desktop is being enabled for the first time, some systems also need a firewall rule that allows the remote port.

netsh advfirewall firewall add rule name="Remote Desktop" protocol=TCP dir=in localport=3389 action=allow

0x04 Disabling Remote Desktop

EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE',
'SYSTEM\CurrentControlSet\Control\Terminal Server',
'fDenyTSConnections','REG_DWORD',1;