MSSQL db_owner injection to obtain system Permissions

Source: Internet
Author: User

You have probably read "MSSQL db_owner role injection directly grants system permissions" by LCX. Here I describe another way of using MSSQL db_owner-role injection to obtain system permissions directly. In LCX's method you read the VNC password from the registry with the xp_regread extended stored procedure in MSSQL and then crack it to obtain administrator access. After all, though, only a few servers on the Internet have VNC installed. If the server you want is not running VNC, that is, there is no port 5900, then even with an injection vulnerability on the website you may crack the administrator password and find the management back end (assume the site has no database backup function and no file upload vulnerability) and still have no way to get a shell; you can only look on helplessly. Fortunately, along with xp_regread, SQL Server also gives us xp_regwrite, and that is what I use to obtain system permissions. What follows is my experience of doing so.

http://www.***.com is a fairly large integrated portal site, with an Alexa ranking in the top 100. Well, today's target is to take it down. Before anything else we need to do the groundwork, namely find an injection point, which is the basis of today's intrusion. The home page linked only to static HTML pages, so there was no chance of injection there. You might think the HTML was generated by a back end, but after looking through the pages I found it was not, and no ASP appeared in the source. Looking at the rest of the site, it did not take long to find an injection point in its animation section. Haha, time to start on it. Without much effort I obtained the administrator password, logged into the management back end, and found the website's absolute path. I thought getting a webshell would be easy, but it turned out to be much harder than I expected: there was no upload vulnerability, there was no database backup function, and even after renaming the ASP trojan to a .jpg extension I could not upload anything, not even a gif file. I did not know how to proceed. I am not the kind of person who gives up, but for the moment I had no good ideas, and since I had classes the next day I had to put it aside temporarily.

The next day I could not concentrate at school; all I could think about was how to get a webshell or system permissions. I could hardly wait for classes to end, then ran straight to the computer room to look for anything on the subject. At last my persistence paid off: I found "How to execute system commands in MSSQL" by CZY, which explains how to obtain administrator permissions. My situation was slightly different from the one in CZY's article, though: the user that website uses to connect to the database does not have the server sysadmin role, only db_owner on the database. That makes many stored procedures unusable, but fortunately xp_regread and xp_regwrite can still be used well; with db_owner that is a stroke of luck. Okay, let's do it. I opened the website and entered the following at the injection point:

        xp_regwrite HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,xwq1,REG_SZ,net user xwq xwq /add

A normal page was returned, indicating that the write succeeded. Then I entered the following at the injection point:

        xp_regwrite HKEY_LOCAL_MACHINE,SOFTWARE\Microsoft\Windows\CurrentVersion\Run,xwq2,REG_SZ,net localgroup administrators xwq /add

Now, as soon as the server is restarted, the administrator account xwq will be added to the system. How to get the server restarted depends on your own abilities. I could not wait, so I hurried it along with a DDoS attack; before long the server was back up, and I connected immediately with Remote Desktop Connection (haha, maybe the administrator thinks 3389 is better). I entered xwq / xwq, and yes!!! I was in. What followed was leaving a backdoor (rootkit + dll-injected trojan + asp), deleting logs, cloning an account, deleting the xwq account, and leaving.

Note: adding an administrator account directly is in fact very risky. If the administrator happens to be at the machine he will become suspicious and you will be exposed. Alternatively, once you know the website's absolute path, you can use xp_regwrite to write a trojan entry under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run and use an asp trojan to escalate permissions.
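From the defender's side, the technique above leaves a clear trace in the web server's access log: a query string that names xp_regwrite or xp_regread, or that carries a path under CurrentVersion\Run. The following detector is an added example, not code from the article; it assumes IIS W3C-style lines with the field order date, time, client IP, method, URI stem, query, status, and runs over a few constructed log lines built to mirror the requests described above.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C-style log lines (not from the article), assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = """\
2004-05-12 10:01:02 203.0.113.5 GET /news.asp id=1 200
2004-05-12 10:01:09 203.0.113.5 GET /news.asp id=1;exec%20master..xp_regwrite%20'HKEY_LOCAL_MACHINE','SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run','xwq1','REG_SZ','net%20user%20xwq%20xwq%20/add'-- 200
2004-05-12 10:01:15 203.0.113.5 GET /news.asp id=1;exec%20master..xp_%2572egread%20'HKEY_LOCAL_MACHINE','SOFTWARE\\Example\\App','Key'-- 500
2004-05-12 10:02:00 198.51.100.7 GET /news.asp id=2&page=3 200
"""

# Things a web application's query string should never contain: registry
# extended stored procedures and Windows autostart (Run/RunOnce) key paths.
SIGNATURES = {
    "xp_regwrite": re.compile(r"\bxp_regwrite\b", re.I),
    "xp_regread": re.compile(r"\bxp_regread\b", re.I),
    "autostart_run_key": re.compile(r"currentversion\\+run(once)?\b", re.I),
}

def normalize(query: str) -> str:
    """URL-decode until stable, then collapse comments and whitespace used to split tokens."""
    text, prev = query, None
    while text != prev:                       # repeat so double-encoding cannot hide a keyword
        prev, text = text, unquote_plus(text)
    text = re.sub(r"/\*.*?\*/", " ", text)    # T-SQL inline comments behave as whitespace
    return " ".join(text.split())

def parse_line(line: str):
    """Split one W3C log line into the fields the detector needs; None if malformed."""
    fields = line.split()
    if len(fields) < 7:
        return None
    _date, _time, ip, _method, stem, query, status = fields[:7]
    return {"ip": ip, "stem": stem, "query": query, "status": status}

def scan_log(text: str):
    """Return (client ip, uri stem, [matched signature names]) for each suspicious request."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        decoded = normalize(rec["query"])
        hits = [name for name, rx in SIGNATURES.items() if rx.search(decoded)]
        if hits:
            alerts.append((rec["ip"], rec["stem"], hits))
    return alerts
```

A single client hitting both xp_regwrite and an autostart key in quick succession is the pattern to alert on, even when the application returned a normal 200 page, as it did in the story above.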
