The perception of SA permission intrusion in MS SQL database

We must all know what SA privilege is in MSSQL, which is paramount. Today I talk about its harm, I am talking about with NBSI upload function to get Webshell. It is difficult to get a shell before you say a few things before speaking. 1. There is a SQL injection and the database type is MSSQL. 2. The permissions to connect to the database must be SA. 3. Background must have file upload program. Well, we found a Web site hxxp://www.6x36x.com/fangchan/listpro.asp?id=53, with NBSI a glance at the. Well, the database type is MSSQL, the permission is SA, and then the third condition is not satisfied. Find the article in the page (news) and see what the address of the picture inside is. Good! I can see it hxxp://www.6x36x.com/admin/uploadpic/2xx5042823082994329.gif, do you understand? Especially 2xx5042823082994329.gif we are sure that the backstage has the function of uploading files. What's next? Halo, find out the path of the site. This is all depends on Nbsi nb Commander (NB tree_list) function (here I recommend you to use NB Commander, why?) Read the article will know), but find out the real path of the site will take a certain amount of time, it depends on your patience. I dare say that if you have the patience, you can definitely find the real path to the site. Here I found the site where the path D:\9x3x9, and then is backstage, and soon get admin/login.asp, then the account and password to guess the solution. But I have a problem with the puzzle. Said nothing can not get his account number and password, is it empty? I didn't believe it, I tried to log in and failed. So from this beginning, NB Commander function is very important (because everyone knows that the column directory NB command and NB Tree_list can be implemented), I found the file conn.asp, with type D:\9x3x9\admin\ The logining.asp command looked at the source code. Tough Enough! Read the code is no problem! The Admin table field is the same, no more, who can tell the reason? Please tell me, also let me this rookie out of confusion. How to upload pictures in the background? Here I use NBSI upload function, I tried, did not succeed. Because I passed it on, I saw the code repeat three times each line, also do not know why, is the Getwebshell with smelly beggar is the same result. I want to have, see how it's session is validated, is also a type D:\9x3x9\admin\quanxian.asp. Through the analysis soon understood that it gave the session ("WSL") assigned a value of 1, haha! I wrote a very simple program. With the NBSI upload function, I think no matter how many times it is true (what do you think?) If the password is MD5, we do not need to explode, get a session on the OK), passed up to save for 1.asp, and then I visited Hxxp://www.6x36x.com/admin/1.asp, then visit hxxp://www.6x36x.com /admin/admin_index.asp, so into the background, the local test. Tip: The session variable and the cookie are the same type. If a user sets the browser to be incompatible with any cookies, the user cannot use the session variable! When a user accesses a page, the running environment of each session variable is generated automatically, and the session variables remain for 20 minutes after the user leaves the page! (In fact, these variables can always be kept to "timeout".) The duration of the "timeout" is set by the Web server administrator. The variables on some sites only last 3 minutes, some 10 minutes, and others remain to the default value of 20 minutes. So, if you place a larger object in the session (such as ADO recordsets,connections, etc.), then there is trouble! As site traffic increases, the server will not function properly! Because the creation of session variables is very arbitrary, can be invoked at any time, do not require the developer to do accurate processing. Therefore, overuse of the session variable will cause the code to be unreadable and difficult to maintain. So I find the place to upload pictures, the ASP Trojan changed into. gif passed up, remember the upload name, here is uploadpic\2xx56171430123.gif, then what do you think? Haha, I remember, copy the picture into. asp, or Rename to. asp. Well, here our horse even went up, as for the future things will not mention. Summary: SA does bring us a lot of harm, so the programmer when connecting the MSSQL database must not use it, otherwise the server becomes the possibility of chicken is very very large. Also, the expansion of MSSQL storage function, not to use it to delete, keep the hacker is a sharp weapon. (responsible for the fire Phoenix sunsj@51cto.com qq:34067741 TEL: (010) 68476636-8007) to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 votes) passing by(0 Votes) Original: An insight into MS SQL database SA permission intrusion back to network security home