Explore security issues for MSSQL Server 2000 network connection


Author: refdom (refdom@263.net)

What follows is, strictly speaking, not a vulnerability in SQL Server but a set of security defects. They are real problems, and they have existed since SQL Server was built the way it is.

1. MS SQL Server cleartext password transmission defect

Unfortunately I did not do the following analysis when Microsoft first released SQL Server. When I was surprised to find that SQL Server actually transmits the password essentially in the clear, I immediately went looking for whether this had already been reported. Sadly, someone had already published that SQL Server passwords can be obtained with a sniffer. Still, since Microsoft is so bold, let us look at and analyze this defect ourselves.

The SQL Server connection begins, of course, with the TCP three-way handshake; once the connection is up, client and server talk the TDS (Tabular Data Stream) protocol. Unfortunately I have not found a full description of TDS, only fragments, so the analysis below is based on captured packets. Anyone who has a specific description of the TDS protocol (as used by SQL Server) please send me a copy.

Look directly at the login packet and you will find that the username is sent entirely in the clear, while the password is not. Change the password and you can see that the same character always produces the same encoding, and that each password character is followed by a separator byte A5. Ha ha. So the crude method I used was to change the password one character at a time and record the corresponding encoding of every character (I did not bother to work out the transform). I am using SQL Server 2000; some of the mappings are listed here, and anyone can easily complete the table: a - b3, A - b1, b - 83, B - 81, c - 93, C - 91, d - e3, D - e1, e - f3, E - f1, and so on.
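Added example, not code from the article: the per-character mapping refdom tabulated by hand, produced by a rule the article does not state. The rule assumed here is the one documented for the TDS 7 login packet (swap the two nibbles of each byte, then XOR with 0xA5); it reproduces every pair listed above and explains the "A5" separator, which is the obfuscated 0x00 high byte of each UCS-2 character. Because there is no key, the transform is reversible by anyone, which is the whole point of the defect.

```c
#include <stdio.h>
#include <string.h>

/* One byte of the TDS 7 login-packet password transform: swap the two nibbles,
 * then XOR with 0xA5 (assumed rule; it reproduces every pair in the article). */
unsigned char tds_obfuscate_byte(unsigned char b)
{
    unsigned char swapped = (unsigned char)(((b & 0x0F) << 4) | (b >> 4));
    return (unsigned char)(swapped ^ 0xA5);
}

/* The inverse: XOR 0xA5, then swap the nibbles back.  There is no key. */
unsigned char tds_deobfuscate_byte(unsigned char b)
{
    unsigned char x = (unsigned char)(b ^ 0xA5);
    return (unsigned char)(((x & 0x0F) << 4) | (x >> 4));
}

/* Encode an ASCII password as sent on the wire: each character goes out as
 * UCS-2 little-endian (char, 0x00), both bytes transformed, so the 0x00 becomes
 * the "A5" separator the article noticed.  Returns bytes written, 0 if no room. */
size_t tds_obfuscate_password(const char *pw, unsigned char *out, size_t outlen)
{
    size_t i, n = strlen(pw);
    if (outlen < 2 * n) return 0;
    for (i = 0; i < n; i++) {
        out[2 * i] = tds_obfuscate_byte((unsigned char)pw[i]);
        out[2 * i + 1] = tds_obfuscate_byte(0x00);   /* -> 0xA5 */
    }
    return 2 * n;
}

/* Encode pw, decode the wire bytes again and confirm pw comes back: 1 on success. */
int tds_roundtrip_ok(const char *pw)
{
    unsigned char wire[64];
    size_t i, n = tds_obfuscate_password(pw, wire, sizeof wire);
    if (n == 0) return 0;
    for (i = 0; i < n; i += 2)
        if (tds_deobfuscate_byte(wire[i]) != (unsigned char)pw[i / 2] ||
            tds_deobfuscate_byte(wire[i + 1]) != 0x00) return 0;
    return 1;
}

int main(void)
{   /* constructed sample password, not taken from a capture */
    unsigned char wire[64];
    size_t i, n = tds_obfuscate_password("abcde", wire, sizeof wire);
    for (i = 0; i < n; i++) printf("%02x%s", wire[i], i + 1 == n ? "\n" : " ");
    return 0;   /* prints: b3 a5 83 a5 93 a5 e3 a5 f3 a5 */
}
```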

Note that SQL Server does not accept ', " and similar symbols in a password. If you use such characters as the password it is bad: you will never get in unless you change the password. In the TDS header one byte specifies the packet type; I observed 0x10, while the information I found says 0x02 denotes the login packet, so MS SQL Server may have changed the protocol somewhat. Since Sybase also uses TDS, Sybase may transmit passwords the same way, but I have no Sybase at hand. Unfortunately, without the TDS protocol description I was also too lazy to write a sniffer dedicated to SQL Server accounts and passwords. Anyone who can give me a detailed description of the TDS protocol, please email: refdom@263.net.

However, MS does offer encryption for SQL Server: you can use SSL. So I tried it too. In the network configuration of the instance properties you can select "force protocol encryption", and it then asks you to restart SQL Server. Will it start? Haha, I lost out. Because there was no SSL certificate, startup failed, and the event log said no valid certificate had been provided. Reinstall it. The wretched MS gives no warning when you select the option.

What does sniffing a database account get you? What can you do with an SA account? Haha, if you are interested, see "From IIS to SQL Database Security".

2. Cleartext data transmission defect

If no encrypted protocol is used, the entire database's network traffic is unencrypted and transmitted in the clear, whether it is commands sent from the client or results returned from the server. It seems that unless you use the encrypted protocol, Microsoft does no security protection for you at all. I think the SQL Server databases currently in use in China are almost never SSL-encrypted, so there is a great deal of exposed data on the network.

3. The mysterious port 1434 and the server information cleartext transmission defect

With SQL Server 2000, open the SQL Server client and prepare to connect: when the server list is dropped down, every SQL Server server on the LAN is listed. So I looked and found that my own machine (192.168.0.1) sends a UDP packet from port 1434 as a broadcast (to 192.168.0.255); every SQL Server server in the LAN then responds to this UDP packet, and so my client gets all the server information.

This is how the client connects: when the client connects to the server, the application requests the remote computer, and DBNetLib.dll opens a connection to UDP port 1434 on the computer network name specified in the connection. All computers running SQL Server 2000 listen on this port. When a client's DBNetLib.dll connects to this port, the server returns a packet describing all instances running on the listening server. For each instance, the packet reports the server Net-Library and the network addresses the instance is listening on. After DBNetLib.dll on the application computer receives the packet, it selects a Net-Library enabled on both the application computer and the SQL Server instance, and then connects to the address listed for that Net-Library in the packet.

Send a specific UDP packet to port 1434 and the server starts responding, all in cleartext; we can easily probe port 1434 of an IP address to get information about the SQL Server running there. This information includes: host name, instance name, version, pipe name, and the port in use. This port is for Microsoft's own use; unlike the default port 1433, which can be changed, 1434 cannot. Huh, so what is the point of changing port 1433 for security?

Capturing these datagrams shows that the data passing through port 1434 is very simple: the client sends just the byte 02. Across multiple captures, though, I found it sometimes sends 03. So I used the program below to test sending other data; in the end only 02, 03 and 04 get a response. It seems these three bytes are what SQL Server uses for probing. You can send 02 00 00, or 02 00 00 00 00, and so on, and still get a response from SQL Server, but sending 02 03 does not.
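Added example, not from the article: a checked parser for the reply that comes back on port 1434, run over a constructed sample. The reply layout assumed here is the one SQL Server 2000's resolution service sends (byte 0x05, a 16-bit little-endian length, then a ';'-separated key;value list ending in ';;'); the host name DBHOST and the sample body are constructed, not captured. It shows exactly which fields the article says are leaked, and it refuses replies whose length field claims more bytes than the datagram carries.

```c
#include <stdio.h>
#include <string.h>
struct ssrp_field { char key[32]; char value[128]; };

/* Assemble a reply as the server would: 0x05, 16-bit little-endian length, body. */
size_t ssrp_build_reply(const char *body, unsigned char *out, size_t outlen)
{
    size_t n = strlen(body);
    if (n > 0xFFFF || outlen < n + 3) return 0;
    out[0] = 0x05; out[1] = (unsigned char)(n & 0xFF); out[2] = (unsigned char)(n >> 8);
    memcpy(out + 3, body, n);
    return n + 3;
}

/* Split a reply into key/value pairs; pair count, or -1 if not a reply or if the length lies. */
int ssrp_parse_reply(const unsigned char *p, size_t len, struct ssrp_field *out, int max)
{
    size_t body_len, i, start = 0, n, cap; int nf = 0, in_key = 1; char *dst;
    if (len < 3 || p[0] != 0x05) return -1;
    body_len = (size_t)p[1] | ((size_t)p[2] << 8);
    if (body_len > len - 3) return -1;                /* would over-read the datagram */
    for (i = 0; i < body_len; i++) {
        if (p[3 + i] != ';') continue;
        n = i - start;
        if (in_key && n == 0) break;                  /* ";;" terminates the list */
        if (nf >= max) return nf;
        dst = in_key ? out[nf].key : out[nf].value;
        cap = in_key ? sizeof out[nf].key : sizeof out[nf].value;
        if (n >= cap) n = cap - 1;                    /* truncate over-long fields */
        memcpy(dst, p + 3 + start, n); dst[n] = '\0';
        if (!in_key) nf++;
        in_key = !in_key; start = i + 1;
    }
    return nf;
}

/* Constructed reply body (not a capture) for a default instance on host DBHOST. */
static const char sample_body[] =
    "ServerName;DBHOST;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\DBHOST\\pipe\\sql\\query;;";

/* Build and parse the sample; return the value stored under key, or NULL. */
const char *ssrp_sample_value(const char *key)
{
    static struct ssrp_field f[16];
    unsigned char pkt[512];
    int i, nf = ssrp_parse_reply(pkt, ssrp_build_reply(sample_body, pkt, sizeof pkt), f, 16);
    for (i = 0; i < nf; i++) if (strcmp(f[i].key, key) == 0) return f[i].value;
    return NULL;
}
```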

Below is a program that uses port 1434 for detection; it can probe a single IP or, given a broadcast address, the database servers of the whole LAN.

// sqlping by refdom
//
// Author: refdom. From Chip Andrews
// email: refdom@263.net
//

#include "stdafx.h"          // VC++ precompiled header
#include <winsock2.h>
#include <process.h>
#include <stdio.h>
#pragma comment(lib, "ws2_32.lib")

#define BUFFERSIZE 64000

// Print a reply: the body starts at byte 3 (after the 0x05 header and the
// 2-byte length) and is a ';'-separated list of key;value pairs, so print
// "key:value" and start a new line after each pair.
void decode_recv(char *buf, int size)
{
    int index;
    int counter = 0;
    for (index = 3; index < size; index++) {
        if (buf[index] == ';') {
            if (counter % 2 == 0)
                printf(":");
            else
                printf("\n");
            counter++;
        } else {
            printf("%c", buf[index]);
        }
    }
    printf("\n");
}

// Receiver thread: decode every datagram that comes back on the socket.
// (Named listen_thread so it does not clash with Winsock's listen().)
void listen_thread(void *v)
{
    static char buffer[BUFFERSIZE];
    SOCKET s = (SOCKET)v;

    for (;;) {
        struct sockaddr_in udpfrom;
        int udpfromlen = sizeof(udpfrom);
        int n = recvfrom(s, buffer, sizeof(buffer), 0, (struct sockaddr *)&udpfrom, &udpfromlen);
        int e = WSAGetLastError();
        if (n > 0 && e == 0)
            decode_recv(buffer, n);
    }
}

void usage(void)
{
    printf("************************************************\n");
    printf("SQLPING\n");
    printf("\tWritten by refdom\n");
    printf("\tEmail: refdom@263.net\n");
    printf("Usage: sqlping.exe target_ip\n");
    printf("************************************************\n");
}

int main(int argc, char *argv[])
{
    WSADATA wsadata;
    SOCKET sock;
    struct sockaddr_in addr_in;
    char buf[5] = { '\x02' };    // probe byte 02; the remaining four bytes are zero
    HANDLE listener;
    const int sndbuf = 0;
    const int broadcast = TRUE;  // required when target_ip is a broadcast address

    usage();
    if (argc < 2)
        return 1;

    if (WSAStartup(MAKEWORD(2, 0), &wsadata) != 0) {
        printf("WSAStartup error. Error:%d\n", WSAGetLastError());
        return 1;
    }
    if ((sock = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP)) == INVALID_SOCKET) {
        printf("socket failed. Error:%d\n", WSAGetLastError());
        return 1;
    }
    addr_in.sin_family = AF_INET;
    addr_in.sin_port = htons(1434);
    addr_in.sin_addr.s_addr = inet_addr(argv[1]);

    if (setsockopt(sock, SOL_SOCKET, SO_SNDBUF, (const char *)&sndbuf, sizeof(sndbuf)) == SOCKET_ERROR) {
        printf("Set SO_SNDBUF failed. Error:%d\n", WSAGetLastError());
        return 1;
    }
    // The original also set TCP_NODELAY here; that option has no meaning on a UDP socket and was dropped.
    if (setsockopt(sock, SOL_SOCKET, SO_BROADCAST, (const char *)&broadcast, sizeof(broadcast)) == SOCKET_ERROR) {
        printf("Set SO_BROADCAST failed. Error:%d\n", WSAGetLastError());
        return 1;
    }

    listener = (HANDLE)_beginthread(listen_thread, 0, (void *)sock);

    if (sendto(sock, buf, sizeof(buf), 0, (struct sockaddr *)&addr_in, sizeof(addr_in)) == SOCKET_ERROR) {
        printf("Send failed. Error:%d\n", WSAGetLastError());
        return 1;
    }

    printf("Listening....\n\n");

    // Wait a little while for the listener thread to collect replies
    WaitForSingleObject(listener, 5000);

    WSACleanup();
    printf("sqlping complete.\n");
    return 0;
}

The above program only detects; it does nothing destructive. Ha ha

Thanks to HECTIC for the help. Limited by my own level, mistakes are inevitable; please correct me. If you have a specification of the TDS protocol (as used in SQL Server), please email me, thank you. Email: refdom@263.net

Please credit the original URL when reposting: https://www.9cbs.com/read-75046.html
