Please credit the source when reprinting.
Article by enterer
The test results are very good: aspx is supported.
Next, check whether you can run cmd. Sometimes you still have to upload cmd yourself, but it runs fine either way.
If you are lucky, it is already "system", which saves you the privilege escalation.
Then check the ports. It would be nice to see 43958 so that the SU privilege escalation succeeds, I daydreamed... The result was harsh.
Look at what software is installed on the server and whether anything has been released for it.
Look at what programs start at boot; both MSSQL and MySQL are there. Try Brazilian barbecue first.
Sweat... privilege escalation is hard here, because SU and Brazilian barbecue are the most commonly used methods, and there are other people's webshells on the site too. Since user management shows no users other than administrator, I judged that the earlier hacker had failed to escalate, but let me try the SQL route that had not been used yet.
In IIS spy I slowly searched for files named like conn and finally found the MSSQL password in a certain conn.asp. I will not disclose the password.
I tried to connect, and what did the error say?
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.
I searched on Google and found the command:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;--
Sweat, a syntax error near "show". (Later I realized that this webshell could only run CMD commands, not SQL commands, and I had been typing SQL commands into it... dizzy.)
After several failed attempts, I used the aspx webshell to run the SQL command. Sweat, that roundabout route kept me from a dead end, and the connection succeeded.
First run the SQL statement above to restore xp_cmdshell. There is no echo here; at most an error is returned.
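From the defender's side, every sp_configure change of this kind is written to the SQL Server ERRORLOG as a "Configuration option '...' changed from X to Y" message, so re-enabling xp_cmdshell from a webshell leaves a trace even when the attacker sees no echo. The following parser is an added example for this post, not code from the author; it scans constructed ERRORLOG-style lines (the sample text and the option watch-list are my own) and flags the moments when a dangerous option went from off to on.

```python
import re
from dataclasses import dataclass

# Constructed sample ERRORLOG lines in the usual SQL Server format
# (timestamp, spid, message). They are not from the original post.
SAMPLE_ERRORLOG = """\
2010-05-01 12:00:01.12 spid51      Configuration option 'show advanced options' changed from 0 to 1. Run the RECONFIGURE statement to install.
2010-05-01 12:00:01.20 spid51      Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
2010-05-01 12:05:33.02 spid12      CHECKDB for database 'master' finished without errors on 2010-04-30 (local time).
2010-05-01 12:30:44.91 spid51      Configuration option 'xp_cmdshell' changed from 1 to 0. Run the RECONFIGURE statement to install.
"""

# Options whose transition from 0 to 1 a defender usually wants to review.
# This list is an assumption for the example; extend it to taste.
WATCHED_OPTIONS = {"xp_cmdshell", "show advanced options", "Ole Automation Procedures"}

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+(?P<spid>spid\d+)\s+"
    r"Configuration option '(?P<option>[^']+)' changed from (?P<old>\d+) to (?P<new>\d+)\."
)


@dataclass
class ConfigChange:
    timestamp: str
    spid: str
    option: str
    old: int
    new: int

    @property
    def enabled(self) -> bool:
        # True only for an off-to-on transition; 1 -> 0 is someone turning it back off.
        return self.old == 0 and self.new != 0


def parse_config_changes(log_text: str) -> list[ConfigChange]:
    """Return every sp_configure change recorded in the given ERRORLOG text."""
    changes = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            changes.append(ConfigChange(m["ts"], m["spid"], m["option"],
                                        int(m["old"]), int(m["new"])))
    return changes


def suspicious_enables(changes: list[ConfigChange]) -> list[ConfigChange]:
    """Keep only watched options that were switched on."""
    return [c for c in changes if c.option in WATCHED_OPTIONS and c.enabled]


if __name__ == "__main__":
    for c in suspicious_enables(parse_config_changes(SAMPLE_ERRORLOG)):
        print(f"{c.timestamp} {c.spid}: '{c.option}' enabled ({c.old} -> {c.new})")
```

On the sample text the two 0-to-1 lines are reported and the later 1-to-0 line is not. In practice the same spid appearing in both the "show advanced options" and "xp_cmdshell" lines within a second or two is the tell-tale shape of the one-liner quoted above; on the server itself, running `EXEC sp_configure` with no arguments lists the current values so the setting can be confirmed and turned back off.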
Now the exciting moment: add a user. (Because the server is on an intranet and so am I (tears), there is no remote desktop, port forwarding is too much trouble, and damn Rising.)
Haha, success. You can see it already exists.
Next, upload a Trojan, then run it, and the server comes online. That is it for this article. It is the first post on this blog, and I do not know what everyone will think of it. It was not easy to write, so please forgive me; I am a newbie myself. The blog will be updated frequently, with my own hacking experiences as well as anime and games.