Created: 2001-11-05
Article type: original
Source: REFDOM@263.net
Submitted by: Refdom (REFDOM_AT_263.NET)
By: Refdom, e-mail: refDom@263.net

From Code Red to Nimda, a whole pile of vulnerabilities that used to be exploited by hand have been turned into automated programs. Does anyone still want to work these IIS vulnerabilities manually? Let us shift our focus and look at the databases that servers commonly use. Most websites are built on a database, especially those that use ASP, PHP or JSP to generate dynamic content. Many sites pay close attention to operating-system vulnerabilities, but the security of the database and of those scripts is always overlooked and gets little attention.

Let us start with the most common script problems; these are old topics. You can refer to Hectic's "Simple Intrusion and Total Destruction of a Database, Taking Tianshi as an Example", which discusses the SQL-in-script problem in detail. One way to deal with script security is filtering, which I have written about before. For ASP, you can use the following filter function:

    Function filter_sql(strData)
        Dim strFilter
        Dim blnFlag
        Dim i
        Dim arrayFilter
        ' Strings to filter; add your own. "," is the separator.
        strFilter = "',;,//,@,_,exec,declare"
        ' Filter flag: becomes True if anything in the list matches.
        blnFlag = False
        arrayFilter = Split(strFilter, ",")
        For i = 0 To UBound(arrayFilter)
            ' vbTextCompare makes the match case-insensitive, so EXEC and Exec
            ' are caught as well as exec (InStr's default compare is case-sensitive).
            If InStr(1, strData, arrayFilter(i), vbTextCompare) > 0 Then
                blnFlag = True
                Exit For
            End If
        Next
        If blnFlag Then
            ' When the filter fires, send the request to a predetermined page.
            ' A request that trips the filter is not a legitimate one anyway.
            Response.Redirect "wrong.asp"
        Else
            filter_sql = strData
        End If
    End Function

A blacklist like this is only a stopgap: it blocks legitimate input containing an underscore or a comma, and any keyword or character it does not list goes straight through. Passing user input to the database through parameterized commands instead of string concatenation is the real fix.

For an MS SQL Server database, the security problems are not limited to the scripts. Microsoft's products are tightly integrated, and everything built on Windows is strongly coupled to everything else. In SQL Server, database administration and system administration are essentially combined.
The SQL Server default administrator account "sa" has an empty password, which leaves a security hole on a great many NT servers. Xiao Yan's "SQLRCMD" can execute system commands using a captured database administrator account. SQL Server has many system stored procedures; some are for internal use, and some run system commands when the procedure is executed. The system stored procedure xp_cmdshell executes a given command string through the system command-line interpreter. Its syntax is:

    xp_cmdshell {'command_string'} [, no_output]

By default, only members of sysadmin can execute xp_cmdshell, but a sysadmin can grant execute permission on it to other users. In earlier versions, a user granted execute permission on xp_cmdshell ran commands in the security context of the SQL Server service account.
SQL Server 6.5 can be configured, through its configuration options, to run xp_cmdshell under the SQLExecutiveCmdExec Windows NT account for users who do not have sa access. In SQL Server 7.0 that account is called SQLAgentCmdExec. In SQL Server 2000, any account that has been granted execute permission on the procedure can run commands through it, subject to the following rule: on NT and Windows 2000, when the caller is not a member of the sysadmin role, xp_cmdshell impersonates the proxy account specified by xp_sqlagent_proxy_account, and if that proxy account is not available, xp_cmdshell fails. So even an account that is db_owner of the master database cannot execute this stored procedure on its own.

If we have a database account that can execute xp_cmdshell, such as an sa account with an empty password, we can run commands like these:

    exec xp_cmdshell 'net user refdom 123456 /add'
    exec xp_cmdshell 'net localgroup administrators refdom /add'

The two calls above add a user named refdom to the local Administrators group. Once we hold the database's sa administrator account, we fully control the machine. This shows how important database security is.

The following extended stored procedures are executable by public by default: xp_fileexist, which tells you whether a file exists; xp_getfiledetails, which returns details about a file; xp_dirtree, which expands a directory you want to know about, to any depth; and xp_getnetname, which returns the server name. There are also stored procedures that operate on the registry. These are not executable by public; they require a system administrator or an explicit grant: xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread (this one is executable by public), xp_regremovemultistring and xp_regwrite.

SQL Server security configuration: besides applying every patch Microsoft releases, you also need to harden the database itself.
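The following T-SQL audit script is an added example and is not part of the original article. It checks, from the sysadmin side, the three conditions the text describes: logins with a blank password, extended stored procedures that public can execute, and who has been granted xp_cmdshell. It assumes SQL Server 2000-era catalog tables in master (syslogins, sysobjects, sysprotects, sysusers) and their numeric codes (action 224 = EXECUTE; protecttype 204/205 = GRANT, 206 = DENY; uid 0 = public); on later versions these remain as compatibility views but sys.* catalog views are the supported interface.

```sql
-- Added audit script, not from the original article.
-- Assumes SQL Server 2000 system tables in master and a sysadmin connection.
USE master
GO

-- 1. SQL logins with a blank password. SQL Server 2000 stores an empty
--    password as NULL; Windows logins (isntname = 1) also have NULL and
--    are excluded because they carry no SQL password at all.
SELECT name AS [sql login with blank password]
FROM syslogins
WHERE password IS NULL AND isntname = 0
ORDER BY name

-- 2. Extended stored procedures (xtype 'X') that public (uid 0) has been
--    granted EXECUTE on. sysprotects.action 224 = EXECUTE,
--    protecttype 205 = GRANT, 204 = GRANT WITH GRANT OPTION.
SELECT o.name AS [xp executable by public]
FROM sysobjects o
JOIN sysprotects p ON p.id = o.id
WHERE o.xtype = 'X'
  AND p.action = 224
  AND p.protecttype IN (204, 205)
  AND p.uid = 0
ORDER BY o.name

-- 3. Every explicit GRANT or DENY of EXECUTE on xp_cmdshell.
--    sysadmin members do not appear here: their access is implicit.
SELECT u.name AS [grantee],
       CASE p.protecttype WHEN 206 THEN 'DENY' ELSE 'GRANT' END AS [permission]
FROM sysprotects p
JOIN sysusers u ON u.uid = p.uid
WHERE p.id = OBJECT_ID('xp_cmdshell')
  AND p.action = 224

-- 4. Which of the procedures named in the article are still installed.
--    Any name missing from this result has already been dropped.
SELECT name AS [installed xp from article list]
FROM sysobjects
WHERE xtype = 'X'
  AND name IN ('xp_cmdshell', 'xp_fileexist', 'xp_getfiledetails', 'xp_dirtree',
               'xp_getnetname', 'xp_regaddmultistring', 'xp_regdeletekey',
               'xp_regdeletevalue', 'xp_regenumvalues', 'xp_regread',
               'xp_regremovemultistring', 'xp_regwrite')
ORDER BY name
GO
```

Run it in Query Analyzer or osql as a sysadmin. An empty result from query 1 and only the expected system entries in query 2 are what a hardened server should show; anything listed under query 3 besides accounts you deliberately authorized is a finding.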
First, strengthen the password of accounts like sa, just as you would for a system account, and do not use the highest-privileged account like sa for routine database work; use an ordinary account that meets the application's needs. Then start the massacre of the extended stored procedures: first xp_cmdshell, then the large pile of procedures listed above. Drop the ones that are not normally used. Execute:

    use master
    sp_dropextendedproc 'xp_cmdshell'

Remove the guest account to prevent unauthorized users from accessing databases. Remove unnecessary network protocols. Strengthen logging of database logins; it is best to record all login events.
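The following T-SQL script is an added example and is not part of the original article; it carries the hardening steps above through as one runnable batch. It assumes SQL Server 2000, a sysadmin connection, a single user database named AppDB (a placeholder), and that the list of procedures to drop is the article's own list, which is an assumption about your environment: anything that depends on those procedures will break, so review the list before running it. The sa password value is a placeholder to be replaced.

```sql
-- Added hardening script, not from the original article.
-- Assumes SQL Server 2000 and a sysadmin connection. Review before running.
USE master
GO

-- 1. Give sa a real password. The value here is a placeholder; replace it.
EXEC sp_password NULL, 'Replace-This-With-A-Strong-Password', 'sa'
GO

-- 2. Drop the extended stored procedures the article lists, if present.
--    sp_dropextendedproc only removes the catalog entry; the DLL stays on
--    disk, so anyone who regains sysadmin can re-register it with
--    sp_addextendedproc. xp_regread is handled separately in step 3.
DECLARE @xp sysname
DECLARE xp_cur CURSOR FOR
    SELECT name FROM sysobjects
    WHERE xtype = 'X'
      AND name IN ('xp_cmdshell', 'xp_fileexist', 'xp_getfiledetails',
                   'xp_dirtree', 'xp_getnetname', 'xp_regaddmultistring',
                   'xp_regdeletekey', 'xp_regdeletevalue', 'xp_regenumvalues',
                   'xp_regremovemultistring', 'xp_regwrite')
OPEN xp_cur
FETCH NEXT FROM xp_cur INTO @xp
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_dropextendedproc @xp
    FETCH NEXT FROM xp_cur INTO @xp
END
CLOSE xp_cur
DEALLOCATE xp_cur
GO

-- 3. xp_regread is used by some system procedures, so instead of dropping
--    it, take it away from public; sysadmin keeps implicit access.
REVOKE EXECUTE ON xp_regread FROM public
GO

-- 4. Remove guest from each user database. master and tempdb require the
--    guest user and reject this call, so run it only in user databases.
--    Assumption: one user database named AppDB.
USE AppDB
EXEC sp_revokedbaccess 'guest'
GO

-- 5. Log every login attempt. AuditLevel 3 = both successful and failed
--    logins (0 none, 1 success only, 2 failure only). The setting is read
--    from the registry at startup, so it takes effect after a restart.
USE master
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'SOFTWARE\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel', 'REG_DWORD', 3
GO
```

Network protocols are not changed from T-SQL; disable the unneeded ones (for example, leave only TCP/IP or only Named Pipes) in the Server Network Utility, and restart the service so both that change and the audit level take effect.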