1.1 Asp SQLinject to get a server permission
For an ASP website with SQL injection, if the back-end database is MSSQL and the connection runs as sa, you can restore xp_cmdshell and execute commands directly, possibly with SYSTEM privileges: you can add an account and password by command and, if 3389 is open, log in to the server directly. Of course, a site may have SQL injection but only low database permissions, such as public; in that case you can still obtain the account and password from the administrator table through SQL injection, log in to the back end and look for a way to get a Webshell. This article is a supplement to the SQLMAP Defense series column: sqlmap makes it easy to retrieve data and view feedback, but sometimes other tools are needed to carry out the penetration and obtain a Webshell.
1.1.1 Vulnerability Scanning and analysis
1. Using Jsky for vulnerability scanning
Use the Jsky vulnerability scanning tool to scan the target site, as shown in Figure 1. It reports one major source-code leak and four SQL injection vulnerabilities, of which two addresses are real SQL injection points.
Figure 1 Scanning for vulnerabilities using Jsky
2. SQL injection vulnerability exploitation
Select the SQL injection address and use Pangolin, the SQL injection analysis tool bundled with Jsky, for injection testing. Testing shows that the injection point's database type is MSSQL and that the database user's permission level is public. Analysis of the database tables finds an employee table; during guessing, only a single field can be obtained at a time, so the UserID and password values have to be collected through multiple guesses.
3. Generate reports
Use the tool to export the scan results locally, as shown in Figure 2; export twice to obtain separate UserID and password files.
Figure 2 Getting the worker password and user name values
1.1.2 ASP SQL Injection Vulnerability Exploitation
1. User name and password collation
Collate the UserID values and their corresponding password values, as shown in Figure 3, one value per line, then submit the MD5 hashes to the www.cmd5.com and www.somd5.com websites for cracking; the admin password is obtained as 850627.
Figure 3 Organizing user names and passwords
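The passwords above were recoverable because the site stored them as unsalted MD5, which any precomputed lookup table reverses. The following added example (not code from the site or the article) contrasts that storage scheme with a per-user salted, iterated hash; the password list and iteration count are constructed values.

```python
import hashlib
import hmac
import os
from typing import Optional

# Unsalted MD5, as the site in the write-up stored its admin passwords: the
# same password always produces the same digest, so a precomputed table such
# as an online MD5 lookup site resolves it in a single query.
def md5_digest(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed stand-in for such a lookup table, built from a few weak passwords.
LOOKUP_TABLE = {md5_digest(p): p for p in ["123456", "password", "admin888"]}

def lookup_md5(digest: str) -> Optional[str]:
    """Reverse an unsalted MD5 digest by table lookup; None if not in the table."""
    return LOOKUP_TABLE.get(digest)

# Hardened storage: random per-user salt plus PBKDF2-HMAC-SHA256 (iteration
# count is a constructed value; raise it as hardware allows).
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$dk_hex' for storage."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    weak = md5_digest("123456")
    print("MD5 lookup recovers:", lookup_md5(weak))
    strong = hash_password("123456")
    # Two users with the same password get different records, so a single
    # lookup table cannot cover them.
    print("Salted records differ:", strong != hash_password("123456"))
    print("Verify succeeds:", verify_password("123456", strong))
```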
2. Read local files
Local files cannot be read because the SQL injection point's permissions are too low.
3. Login background
The earlier scan revealed the back-end address http://www.xxx.org.cn/manage/login.asp. Log in with the obtained account and password, as shown in Figure 4; the login succeeds, and the back end contains personal management, column management, download management, information management, customer management and system function modules.
Figure 4 Login Background
1.1.3 Get Webshell Permissions
1. Analyze and view each function module in the background of the website
In the back-end management page, follow the link address of each function module to view, analyze and test it; the download management module has a file upload function.
2. Direct file upload vulnerability
As shown in Figure 5, under the Resources Download - System Analysis module, click Upload and select an ASA Webshell file; after the upload succeeds, the system returns the real address of the Webshell.
Figure 5 Uploading Webshell directly
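The upload form above accepts a .asa file, an extension IIS hands to the ASP engine, and returns its real path. As an added example (not the site's code), the validator below shows the weak check beside a hardened one: a fixed allowlist of extensions, rejection of any server-executable extension anywhere in the name, a content-signature check, and a server-chosen storage name. The allowlist and signature table are constructed assumptions.

```python
import posixpath
import secrets
from typing import Optional

# Extensions that IIS of the classic-ASP era maps to server-side handlers.
SERVER_EXECUTABLE = {"asp", "asa", "cer", "cdx", "asax", "ascx", "ashx",
                     "asmx", "aspx", "config", "php", "jsp"}
# Constructed allowlist for a "resources download" module.
ALLOWED = {"pdf", "zip", "doc", "docx", "xls", "xlsx", "png", "jpg", "jpeg", "gif", "txt"}
# Leading bytes expected for types that have a fixed signature.
MAGIC = {"png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-", "zip": b"PK\x03\x04",
         "gif": b"GIF8", "jpg": b"\xff\xd8\xff", "jpeg": b"\xff\xd8\xff"}

def naive_is_allowed(filename: str) -> bool:
    """The weak check behind many ASP upload forms: block only '.asp'.
    It lets shell.asa through, which is exactly the case in the write-up."""
    return not filename.lower().endswith(".asp")

def safe_upload_name(filename: str, head: bytes) -> Optional[str]:
    """Return a server-chosen storage name, or None to reject the upload.
    head: the first bytes of the uploaded content."""
    # Drop any directory part (either separator) and trailing dots/spaces,
    # which some file systems silently strip.
    base = posixpath.basename(filename.replace("\\", "/")).strip().rstrip(". ")
    parts = base.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return None
    ext = parts[-1]
    if ext not in ALLOWED:
        return None
    # Refuse a server-side extension in any segment, not just the last one.
    if any(p in SERVER_EXECUTABLE for p in parts[1:]):
        return None
    # Where the type has a known signature, the content must carry it.
    sig = MAGIC.get(ext)
    if sig is not None and not head.startswith(sig):
        return None
    # Never reuse the client's name: random basename, single allowlisted extension.
    return f"{secrets.token_hex(16)}.{ext}"

if __name__ == "__main__":
    print("naive check accepts shell.asa:", naive_is_allowed("shell.asa"))
    print("hardened check accepts shell.asa:", safe_upload_name("shell.asa", b"<%") is not None)
    print("hardened check stores report.pdf as:", safe_upload_name("report.pdf", b"%PDF-1.4\n"))
```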
3. Get Webshell
Open the site URL plus the Webshell address in the browser and enter the shell login password, as shown in Figure 6; the Webshell is obtained successfully.
Figure 6 Getting Webshell
1.1.4 Server privilege escalation and password acquisition
1. Server information collection
Viewing and analyzing the directory listing in the Webshell shows that a Serv-U program is installed on this server.
2. Use Serv-U for privilege escalation
Use the Serv-U privilege escalation function directly in the Webshell to add a user wang$ with password 188. Figure 7 shows that the command executes successfully; note that sometimes the command appears to succeed but has not actually executed successfully on the server.
Figure 7 Serv-U privilege escalation
3. Remote Terminal login test
Use the added user to log on to the remote server, as shown in Figure 8; the login to the site server with the wang$ account succeeds.
Figure 8 Logging in to a remote terminal
4. Get the hash value and hack the password
Use GetHash or similar software to obtain the system hash values, then crack them in ophcrack, as shown in Figure 9; the password is cracked successfully as [email protected]. You can see that the password is split into the LMpwd1 and LMpwd2 parts.
Figure 9 Cracking the server login password
1.1.5 ASP MSSQL Database SQL Injection Vulnerability Penetration Summary
1. If the database permission is sa, test the injection point with an injection tool; if commands can be executed, run exec master..xp_cmdshell 'net user wang$ 123456qaw /add' to add a user, and some tools can execute DOS commands directly. Obtain the PID of the Remote Terminal Services process with tasklist /svc, and the port corresponding to that PID with netstat -ano, which is port 3389.
2. If the database permission is not sa, a Webshell can be obtained through a database backup.
3. If a Webshell cannot be obtained through database backup, view the contents of the database tables, get the administrator account and password from the administrator table, log in to the back end and look for usable weaknesses there, such as obtaining the real path of the website, a database backup, a file upload function and so on.
4. sqlmap can be used for vulnerability testing and for obtaining a Webshell directly.
5. The previous column introduced some methods of using sqlmap; these need to be applied flexibly during actual penetration, since sqlmap is developed abroad and specific scenarios need special handling. With db_owner permissions, if sqlmap's --os-shell command cannot obtain a Webshell, you can try injection attacks with SQLTools or Pangolin.
Off topic: I have my own column on the 51CTO blog, "Sqlmap infiltration attack introduction to combat"; network security colleagues are welcome to exchange ideas.