In the past I often saw the saying that if an SA injection does not get you system privileges, it is a matter of skill. The case I ran into a few days ago is enough to overturn this so-called famous saying! SA injection points are fairly easy to find in many cases, but that does not mean SA has system privileges. In fact it often does not, and there are many situations in which SA cannot obtain system privileges. I will briefly describe the case I encountered a few days ago; other aspects are left for joint study.
A friend sent an SA injection point to the group a few days ago, saying that he really could not get system privileges. I asked him about the environment: he said he could execute some commands, get their output back, and list directories, and the web and database servers were not separated. In that case it is easy to get a shell, provided the component has not been deleted. I asked him whether he had a webshell, but the kid said he hadn't...... he only wanted system privileges...... he only wanted to get onto 3389! I too thought that SA failing to take the server was indeed a matter of skill, so I promised to help him look at this injection point. NBSI detection showed that the privilege was indeed SA, and command execution returned output. I thought adding a user would be trivial, but the problem was not as simple as I imagined! When the net user command was executed, all users were listed, but running net user hackest /add returned access denied! net1 user hackest /add also returned access denied! The situation did look complicated...... Checking the access attributes of the object of the denied command also returned access denied! The next idea was to upload a local copy of net.exe and add the user with that, but the VBS file could not be downloaded, and neither could an encrypted copy...... the server runs Rising antivirus! To upload files, I first had to get a webshell the honest way: confirm the web path by listing directories, then upload the Haiyang eval version of the ASP shell; a one-liner is enough. With the webshell, I could read the file containing the injection vulnerability, find the database connection file, and obtain the MSSQL username and password, which had SA privileges. Because MSSQL on the target server did not allow external connections, I uploaded sqlrootkit.asp and used the obtained username and password to connect and execute some commands. First, let's look at the access properties of net.exe. The default permission display looked normal.
It seems that the permissions had not been changed! Running cacls.exe c:\windows\system32\net.exe in sqlrootkit.asp returned the following:
Use xp_cmdshell extension to execute cacls.exe C:\windows\system32\net.exe
C:\windows\system32\net.exe NT AUTHORITY\INTERACTIVE:R
                            NT AUTHORITY\SERVICE:R
                            NT AUTHORITY\BATCH:R
                            BUILTIN\Administrators:F
                            NT AUTHORITY\SYSTEM:F
                            BUILTIN\Administrators:F
It can be seen that the permissions are normal and no unusual settings have been made. The size of net.exe in c:\windows\system32 is also normal, and it has not been replaced with anything else. net1.exe is the same as net.exe: both file size and access permissions are normal. So why does the SA injection point have no permission to add users? (Comparing every ACE on this file against the default permission state lets you decide whether net.exe's permissions were changed on the server.)
After two days with no progress I could not bear it any longer and invited friends to join the discussion. Four of us argued about it for a whole night without even figuring out why this was happening! In addition, I posted about it on the EST public forum. In fact, the main problem was that I could not use this injection point to execute any exe file I uploaded: running mt.exe to clone an account, or pspasswd.exe to change a password, all require sufficient privileges! For this injection point, though, we slowly came to the conclusion that it did not have system privileges at all. From the replies of the EST friends I finally understood why SA still could not get server privileges!
First, execute whoami, which returns:
Execute whoami using xp_cmdshell extension
ctnt-ct17854\sqlsqlsql
This asks the system "who am I", and the system replied "I am sqlsqlsql": the account currently running MSSQL is sqlsqlsql. At first glance this does not look like a user with system privileges! So we go on to determine the identity of sqlsqlsql by running net user sqlsqlsql, which returns the following:
net user sqlsqlsql
User name                    sqlsqlsql
Full Name                    sqlsqlsql
Comment                      newccc
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set
Password expires             Never
Password changeable
Password required            Yes
User may change password     No

Workstations allowed         All
Logon script
User profile
Home directory
Last logon

Logon hours allowed          All

Local Group Memberships      *Users
Global Group memberships     *None
The command completed successfully.
Now it is clear: MSSQL was started under the sqlsqlsql account, which is only an ordinary user belonging to the Users group. In other words, the highest privilege that SA in MSSQL can reach on this box is that of a Users member, an ordinary user. Ordinary users naturally have no permission to add system users, so the problem we ran into is basically explained. If you operate locally as an ordinary user you quickly understand this: many things cannot be done, an ordinary user's rights are limited, and at the very least it cannot be used to add system users, unless a privilege escalation is performed first!
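The lesson above, that xp_cmdshell runs with the Windows privileges of the SQL Server service account rather than with some abstract "SA" power, is exactly what a defender should audit on their own servers. The following T-SQL is an added example, not part of the original article, and assumes SQL Server 2008 R2 SP1 or later (it uses sys.dm_server_services, which the SQL Server 2000 era box in the article would not have) and a login with sysadmin or VIEW SERVER STATE:

```sql
-- Added audit script (not from the original article).
-- Run on the instance itself; the article's point is that an attacker with
-- sysadmin gets the OS privilege of the account in service_account below.

-- 1. Which Windows account does the Database Engine run as?
--    LocalSystem or a member of Administrators here means sysadmin == SYSTEM;
--    a plain Users-group account (like sqlsqlsql in the article) limits the damage.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means OS commands can be run
--    through the database engine at all.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'show advanced options');

-- 3. Who holds sysadmin? The login stored in a web application's connection
--    file (the one the article recovered with a webshell) should not be here.
SELECT sp.name AS login_name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 4. Remediation when step 2 reports 1: disable the feature.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Changing the service account itself (step 1) is done in SQL Server Configuration Manager rather than in T-SQL, so that the new account receives the required rights on the data and log directories.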
I don't know whether this is clear to you. There seem to be many such cases now; in a single day we ran into three SA injection points of this kind that could not take the server. So the saying "if SA injection cannot obtain system privileges, it is a matter of skill" is wrong! I recommend reading this article together with the EST post to make it easier to understand.