Today we will look at the xp_cmdshell issue. SQL Server ships with many system stored procedures; some are used internally by the database engine, others are invoked by executing the stored procedure directly. The system stored procedure xp_cmdshell executes a given command string through the operating system's command-line interpreter. Its syntax is: xp_cmdshell {'command_string'} [, no_output]
By default, only members of the sysadmin fixed server role can execute xp_cmdshell, although a sysadmin can grant that execute permission to other users. In earlier versions, users who were granted execute permission on xp_cmdshell ran their commands under the SQL Server service account itself. Exercise caution with this procedure.
By setting a configuration option, you can make SQL Server run xp_cmdshell for users without sa-level access under the SQLExecutiveCmdExec Windows NT account. In SQL Server 7.0 this account is called SQLAgentCmdExec. In SQL Server 2000, any account that has permission to execute the stored procedure can run commands directly.
On NT and Windows 2000, when the caller is not a member of the sysadmin group, xp_cmdshell impersonates the SQL Server Agent proxy account specified with xp_sqlagent_proxy_account. If that proxy account cannot be used, xp_cmdshell fails. This is why even an account that is db_owner of the master database cannot execute the procedure.
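The permission model above (sysadmin membership, explicit EXECUTE grants, and the Agent proxy account) is what a defender needs to audit. The following T-SQL is an added example written for this page, not code from the original article; it targets SQL Server 2005 and later, where sys.configurations and the ##xp_cmdshell_proxy_account## credential replace the SQL Server 2000 settings described above. Everything it queries is standard catalog metadata.

```sql
-- Added example: audit how reachable xp_cmdshell is on this instance.
USE master;
GO

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means the procedure can run.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Which database principals hold an explicit EXECUTE on xp_cmdshell?
--    (these are the "other users" a sysadmin may have granted access to)
SELECT pr.name AS principal, pr.type_desc, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.major_id = OBJECT_ID('master.dbo.xp_cmdshell')
  AND pe.permission_name = 'EXECUTE';

-- 3. sysadmin members can execute it regardless of explicit grants.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Is a proxy account configured? Without it, non-sysadmin callers fail
--    (the successor of the xp_sqlagent_proxy_account setting in the text).
SELECT name, credential_identity, create_date
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. SQL logins with a blank password (the article's "sa with a blank
--    password" case). PWDCOMPARE returns 1 when the password matches ''.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 6. Hardening: leave the procedure disabled unless a documented job needs it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Run queries 1 to 5 read-only first; a non-empty result from query 5 on the sa login, combined with value_in_use = 1 in query 1, is exactly the situation the next paragraph describes. Step 6 only turns the option off; it does not revoke grants found in query 2, which should be reviewed separately.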
If we have a database account that can execute xp_cmdshell, such as an sa account with a blank password, we can execute the following commands:
- exec xp_cmdshell 'net user refdom 123456 /add'
- exec xp_cmdshell 'net localgroup administrators refdom /add'
These two calls add a user named refdom to the local Administrators group.
Once the sa administrator account of the database is obtained, the whole machine is effectively under our control. This shows how much xp_cmdshell matters to database security.
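Because xp_cmdshell hands the database's privileges to the operating system, executions of it should leave an audit trail. The following T-SQL is an added example for this page, not part of the original article: it uses the SQL Server Audit feature (SQL Server 2008 and later) to record every call to master.dbo.xp_cmdshell together with the statement text, so commands like the two net calls above are logged with the login that issued them. The audit name XpCmdShellAudit and the file path C:\AuditLogs\ are placeholders chosen for the example.

```sql
-- Added example: record every execution of xp_cmdshell, by any login.
USE master;
GO

-- Server-level audit target: a file the service account can write to.
-- (Placeholder path; adjust to your environment.)
CREATE SERVER AUDIT XpCmdShellAudit
TO FILE (FILEPATH = 'C:\AuditLogs\')
WITH (QUEUE_DELAY = 1000, ON_FAILURE = CONTINUE);
GO
ALTER SERVER AUDIT XpCmdShellAudit WITH (STATE = ON);
GO

-- Database audit specification must live in the database that owns the
-- object, so it is created in master. "BY public" covers every principal,
-- including sysadmin members and callers running under the proxy account.
CREATE DATABASE AUDIT SPECIFICATION XpCmdShellExec
FOR SERVER AUDIT XpCmdShellAudit
ADD (EXECUTE ON OBJECT::dbo.xp_cmdshell BY public)
WITH (STATE = ON);
GO

-- Review: who ran the procedure, when, and with what command string.
-- The statement column holds the full T-SQL, e.g. the net user calls above.
SELECT event_time,
       server_principal_name,
       session_server_principal_name,
       succeeded,
       statement
FROM sys.fn_get_audit_file('C:\AuditLogs\XpCmdShellAudit*.sqlaudit', DEFAULT, DEFAULT)
WHERE object_name = 'xp_cmdshell'
ORDER BY event_time DESC;
```

The review query is the part worth scheduling: any row whose statement contains account or group changes (net user, net localgroup) from a login that is not an approved maintenance job is a direct indicator that the database has been used as a foothold on the host. Keep the audit file directory restricted to the SQL Server service account and the DBAs who review it, since the statement column will contain whatever was passed to the shell.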