Microsoft SQL Server sa Weak Password Attack and Defense practices

Source: Internet
Author: User
Tags comparison table strong password
Microsoft sqlserver is a powerful relational database in C/S mode. ManagementThe system is widely used in many fields. It can be seen everywhere from the back-end database of the website to some MIS (Management Information System. We all know that NetworkMicrosoft sqlserver's most common intrusion is the use of weak SA passwords, and the core content is the use of Microsoft sqlserver's StorageWhat is a stored procedure if the process has system administrator privileges? Why can I use it to gain system administrator privileges?

Stored procedures are a set of SQL statements pre-written in sqlserver. They are divided into three types: stored procedures provided by the system, user-defined stored procedures, and extended stored procedures.
The stored procedure provided by the system is the stored procedure created when sqlserver is installed. The name starts with "SP.
A user-defined stored procedure is a stored procedure written by a user of sqlserver.
The extended stored procedure is a call to the Dynamic Linked library (DLL) function. It is mainly used by clients andServerCommunication between the client and the client is different from the general dynamic link library, that is, they run directly in the memory address allocated by sqlserver. The most dangerous extended stored procedure is xp_mongoshell, it can execute any commands of the operating system.

Sa is an administrator account of Microsoft sqlserver and has the highest permissions. It can execute extended stored procedures and obtain returned values, such:

Exec master .. xp_mongoshell 'net user test 12345/add' and exec master .. xp_cmd shell 'net localgroup administrators test/add'

In this way, the peer system is added with the user name test,PasswordFor 12345 users with administrator permissions, you should now understand why you get the SA password and get the highest permissions of the system. The following is a detailed description of the attacks against weak SA passwords in Microsoft sqlserver andPrevention.

Generally, when we scan a machine with a weak Microsoft sqlserver SA password, some specialized attack tools will be used,

These three software are relatively more powerful than SQL, because they can exploit the vulnerability to upload files, so that we can upload and execute the trojan program.

However, in practice, the situation is not as simple as ours. After we upload the trojan program, it is usually killed by the other side's anti-virus software. In addition, the SQL statement submitted by SQL comprehensive exploitation tool is captured by using the SQL event probe (which can be obtained by installing Microsoft sqlserver), so that the SQL comprehensive exploitation tool upload function can be completed successfully, there is a precondition that the Stored Procedure xp_mongoshell in Microsoft sqlserver is not deleted, as shown in X.4. Otherwise, it cannot be executed successfully. That is to say, even if our Trojan can not be killed, it is useless to fail to execute the upload function.

 

The statement for deleting xp_cmdshell is exec sp_dropextendedproc 'xp _ cmdshell'. You can also use the query analyzer in Microsoft sqlserver to connect to the Microsoft sqlserver to restore xp_cmdshell. The statement is: exec sp_addextendedproc 'xp _ external shell', 'xp log70. dll '. After the restoration, we can use SQL to comprehensively utilize the upload function of the tool and execute the uploaded files.

 

However, if the other party deletes the xplog70.dll file in Microsoft sqlserver or places it elsewhere, xp_mongoshell will not be able to execute the commands we issued.

Is there no other way? Of course not. There are a series of OLE-related stored procedures in Microsoft sqlserver. These stored procedures are as dangerous as xp_mongoshell and the stored procedures for reading the Registry series, however, they are not used as many stored procedures as they are described on the Internet, so they are less likely to be deleted. The stored procedures of this series include sp_oacreate, sp_oadestroy, sp_oageterrorinfo, sp_oagetproperty, sp_oamethod, sp_oasetproperty, and sp_oastop.

Use the query analyzer to connect to the target Microsoft sqlserver, and run the following command in the query Analyzer:

Declare @ shell int exec sp_oacreate 'wscript. shell ', @ shell output exec sp_oamethod @ shell, 'run', null, 'c: \ winnt \ system32 \ cmd.exe/C net user test 12345/add' -- run: declare @ shell int exec sp_oacreate 'wscript. shell ', @ shell output exec sp_oamethod @ shell, 'run', null, 'c: \ winnt \ system32 \ cmd.exe/C net localgroup administrators test/add '--

You can add a user named test, password 12345, and administrator privilege to the target system.

If the other party deletes the stored procedures of executable system commands, such as xp_mongoshell and sp_oacreate, and the dynamic connection library files corresponding to them, we have another method, it is to clone the administrator user of the opposite system by using the stored procedure that can read and modify the registry. Run the following statement in the query Analyzer:

Xp_regread 'HKEY _ LOCAL_MACHINE ', 'Sam \ SAM \ Domains \ ACCOUNT \ Users \ 000001f4', 'F ',

You can obtain the encrypted password of the system administrator of the other party, and then copy

Then execute:

Xp_regwrite 'HKEY _ LOCAL_MACHINE ', 'Sam \ SAM \ Domains \ ACCOUNT \ Users \ 000001f5', 'F', 'reg _ binary ', 0x (the string copied above ),

If the other party has a remote terminal service, we can use the guest user to log on. The password is blank, and the guest desktop is exactly the same as that of administrator.

There are many ways to get the Microsoft sqlserver SA password, such as the encrypted password from sniffer to SA, and then get the SA plaintext password through the password comparison table (which can be found online, for example, you can use SQL injection to obtain the SA password or use sp_password (the Stored Procedure for modifying the Database User Password) to modify the SA password. You can also use the password dictionary to perform brute force cracking. Once the SA password is obtained by intrudersSecuritySo we sorted outSolutionSolutionProvided to you:

1. delete stored procedures such as xp_cmdshell, xp_dirtree, xp_regread, primary, primary, xp_regwrite, sp_oacreate, sp_oadestroy, primary, sp_oagetproperty, primary, sp_oasetproperty, and sp_oastop if you are not sure about, remove the related dynamic connection library files and copy them to the original location as needed.
2. When connecting applications and websites to the Microsoft sqlserver database in the background, do not connect to users with high permissions such as SA.
3. Give a strong password to users with high permissions such as SA.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.