110. Network security penetration test - [privilege promotion 8] - [windows sqlserver xp_cmdshell stored procedure authorization]

In my submission , Whether studying safety or engaging in safety , More or less, I have some feelings and sense of mission ！！！

One 、Windows Sqlserver xp_cmdshell Stored procedure Authorization

1、XP_CMDSHELL Background of power raising ：

        If the database used in the website is sqlserver So if you find sa Password , Can be opened xp_cmdshell stored procedure , With sqlserver Execute system commands as . But not necessarily the system permissions , It also depends on the administrator installing at the beginning sqlserver Permission settings for .

2、XP_CMDSHELL Relevant concepts ：

（1）xp_cmdshell stored procedure 【 The stored procedure is : One or more that have been precompiled into an executable procedure SQL Collection of statements 】, It is used to execute this machine cmd Ordered , System login required sa jurisdiction . By default ,sql server2005/2008 After installation ,xp_cmdshell Stored procedures are disabled , If you want to use it , You can turn on ：Exec sp_configure ‘show advanced options’,1;RECONFIGURE;EXEC sp_configure ‘xp_cmdshell’,1;RECONFIGURE;`

（2） Execute system command format ：

（3） Disable it after use ：Exec sp_configure 'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',0;RECONFIGURE;

3、XP_CMDSHELL The actual battle of raising power ：

（1） Experimental environment ：

1. Target environment ：
（1） virtual machine Windows2008【target_sys.com】【192.168.97.131】
（2） Scripting language environment ：php/asp The language environment exists 

2. attack ：
（1） virtual machine Win7【192.168.97.130】
（2）Firefox+Burpsuite+ Ant sword + Malaysia 

3. The network environment ：
（1）VMware Built NAT The Internet 

（3） Target link ：

URL：http://target_sys.com/upload.php

（3） Experimental process ：

First step ： Visit the target link , utilize MIME Break through the type limit of the white list , Upload up.aspx Malaysia

【 The above process is a little 】 The following is the right raising process ：

The second step ： Connect up.aspx Malaysia 【 The password for admin】, And click [File Manager] File management module , Search for sqlserver The account number and password of

Connecting Malaysia ：

sqlserver The general storage location of the connection data ：web.config、config.asp、conn.aspx、database.aspx, But the environment is really sidelined (www.demo1.com) Under the index.aspx Memory stores as User password ：123456

The third step ： Click on [DataBase] Database module , Use the just obtained sa Account connection mssql, Simultaneous discovery SQL SERVER Version is 2008

xp_cmdshell Stored procedures are used to execute native cmd Ordered , System login required sa jurisdiction

Step four ：SQLExec Select from the drop-down box Add xp_cmdshell(SQL2005) This option , Turn on xp_cmdshell stored procedure


Step five ： Use the just launched xp_cmdshell stored procedure , With sqlserver To execute some system commands as

Because viewing the current permission is also an ordinary user , So you can only execute some basic commands , You can also upload the overflow right lifting tool Then improve the permissions of the current user .