Windows 2000 Vulnerability Highlights 5

zhaozj2021-02-11  166

MS SQL Server SA Empty Check

In Windows2000, enterprise-class users generally use another Microsoft product, which is the database management software MS SQL Server, but we have discovered a lot of problems in the use of MS SQL Server. Finally, we will simply talk about the security issues that have been universally facing the WINDOWS2000 network operating system installed in MS SQL Server.

After installing MS SQL Server, MS SQL Server will generate a default SA user, and the initial password is empty when the administrator is not set. But SA is a very important security module member in SQL Server. This hacker can be connected remotely through SQL Server client, and then use SQL remote database management command xp_cmdshell stored procedure (extended stored procedure) Command operation:

XP_cmdshell "Net User ID Password / Add" xp_cmdshell "net localgroup administrators id / add"

For the two simple command invaders, they will now create a user from the Administrator-level administrators group on the MS SQL Server server. So we remind you to the NMS, the first thing you need to do in installation of SQL Server is to modify the empty password of the SA. Don't tell you where this question should you change?

And in general, some functions are not necessary for administrators. If you don't need MS SQL Server XP_CMDShell (Use sp_dropextendedproc "xp_cmdshell") This feature does not leave the XP_CMDSHELL Extended Stored Proc (Extension) command function. We only need to enter: use mastersp_dropextendedProc 'xp_cmdshell' and then put it on Service Pack 3, here remind the administrator, you must pay attention to Microsoft's patch package file, and pay attention to timely system and software to the latest patch .

In this article, we tell a few recent versions and attack methods. They have the invasion to be so convenient. There are many netizens that will think that Windows2000 is an unsafe operating system, but if you think that It is said that my article has not been written yet, so I have to emphasize in the end, as long as we often make the ding package, the correct to add a password to the system, our safety rate is around 85%.

转载请注明原文地址:https://www.9cbs.com/read-4729.html

New Post(0)