Security risks caused by weak SA passwords

Source: Internet
Author: User
Tags: sql server, query


Computers running Microsoft SQL Server with a weak SA password have long been a favourite target of network attackers: with this weakness an attacker can easily obtain server management privileges and threaten both the network and the data on it. As network administrators we need to understand the causes, the course and the consequences of these attacks in order to defend against them effectively. This article walks through them in detail.

Microsoft SQL Server is a powerful client/server relational database management system. It is deployed everywhere, from website back-end databases to all kinds of MIS (management information systems). On the network, the core of an SA weak-password intrusion is abuse of SQL Server's extended stored procedures to obtain operating-system administrator privileges. What is a stored procedure?

A stored procedure is a set of pre-written SQL statements stored inside SQL Server. The most dangerous extended stored procedure is xp_cmdshell, which executes arbitrary operating-system commands. SA is the built-in administrator account of SQL Server and holds the highest privileges: it can execute extended stored procedures and read back their results. For example, executing

EXEC master..xp_cmdshell 'net user test 1234 /add'
EXEC master..xp_cmdshell 'net localgroup administrators test /add'

adds a user named test with password 1234 and administrator privileges to the target system, as shown in figure 1. (The commands run under the identity of the SQL Server service account, so they succeed in full only when that account is an administrator or LocalSystem, which was the usual configuration at the time.)

This should make clear why obtaining the SA password means obtaining the highest privileges of the system. Many network administrators are unaware of this and set simple passwords such as 1234 or 4321 for SA, or even no password at all; network intruders can then use readily available tools to scan for or guess the SA password and take control of the computer.
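The following is an added example, not code from the original article, showing in practice what the paragraphs above describe: what an SA session can find out about its own reach, and which Windows identity its operating-system commands actually run as. It assumes SQL Server 2005 or later (where xp_cmdshell is switched off by default and a member of sysadmin must enable it with sp_configure) and a login that is a member of sysadmin.

```sql
-- Added example (not from the original article).
-- Assumes SQL Server 2005+ and a sysadmin session, e.g. sa.

-- Who am I inside SQL Server, and am I sysadmin? (1 = yes for sa)
SELECT SUSER_SNAME() AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- Are the OS-reaching features currently switched on? (value_in_use = 1)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- Any sysadmin can switch xp_cmdshell on at will. This is why holding the
-- SA password is equivalent to having a shell on the host: removing or
-- disabling the procedure does not stop an attacker who already has sa.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- Capture the command output instead of running it blind. The identity
-- printed here is the SQL Server service account; 'net user ... /add'
-- only succeeds when that account is an administrator or LocalSystem,
-- not under a low-privilege service account.
DECLARE @out TABLE (line NVARCHAR(4000));
INSERT INTO @out EXEC master..xp_cmdshell 'whoami';
SELECT line AS os_identity FROM @out WHERE line IS NOT NULL;
```

Run this in a test instance only; on a production server the sp_configure step itself is a security-relevant change and is recorded in the SQL Server error log.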

In addition to xp_cmdshell, several other stored procedures can be exploited by an intruder:

1. xp_regread (this extended stored procedure reads a named value from a specified registry key). Usage (obtain the machine name):

DECLARE @test varchar(50)
EXEC master..xp_regread @rootkey='HKEY_LOCAL_MACHINE',
    @key='SYSTEM\ControlSet001\Control\ComputerName\ComputerName',
    @value_name='ComputerName',
    @value=@test OUTPUT
SELECT @test

2. xp_regwrite (this extended stored procedure writes a named value into a specified registry key). Usage (write the string bbb into the value aaaValue under HKEY_LOCAL_MACHINE\SOFTWARE\aaa):

EXEC master..xp_regwrite
    @rootkey='HKEY_LOCAL_MACHINE',
    @key='SOFTWARE\aaa',
    @value_name='aaaValue',
    @type='REG_SZ',
    @value='bbb'

If the account SQL Server runs under on the compromised computer can read HKEY_LOCAL_MACHINE\SAM\SAM in the registry, xp_regread and xp_regwrite can be used to clone the administrator user (copy the administrator's account data onto another account) and so obtain administrator privileges. xp_regdeletekey and xp_regdeletevalue pose a similar risk to the system.

3. The series of OLE Automation stored procedures: sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty and sp_OAStop. They let T-SQL create and drive COM objects such as WScript.Shell, which gives the same reach as xp_cmdshell even where xp_cmdshell has been removed. Usage:

DECLARE @shell INT
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', NULL, 'c:\WINNT\system32\cmd.exe /c net user test 1234 /add'

In this way a user with the username test and password 1234 is added to the target system. Then execute:

DECLARE @shell INT
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', NULL, 'c:\WINNT\system32\cmd.exe /c net localgroup administrators test /add'

and user test is added to the Administrators group. (The trailing -- in the original listing is the SQL comment marker used when this text is injected into the tail of an existing query; it is unnecessary when the statements are run directly.)

Solution: give SA a password complex enough that network attackers cannot crack it. To be safer, also use the stored procedure sp_dropextendedproc in the SQL Server Query Analyzer to remove stored procedures such as xp_cmdshell; sp_addextendedproc restores a removed procedure when it is needed again (see the SQL Server help for sp_dropextendedproc and sp_addextendedproc for the exact syntax). Bear in mind that removal is only a speed bump: anyone who already holds SA can run sp_addextendedproc themselves, so the strong password, together with not exposing the SQL Server port to untrusted networks, remains the real control. Note that deleting the OLE series of stored procedures may make some functions of Enterprise Manager unavailable, so deleting them is not recommended here.

Then, for these three files, open Properties > Security and remove the access of every user. That way sp_OACreate cannot be used to add system users; when access to the files is needed again, the relevant users can be added back.
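The following is an added example of the audit and the hardening described in the solution above, not code from the original article. It assumes SQL Server 2005 or later and a sysadmin session; the list of weak candidate passwords, the replacement password and the optional new login name are illustrative assumptions, to be replaced with your own.

```sql
-- Added example (not from the original article).
-- Assumes SQL Server 2005+ and a sysadmin session.

-- 1. Does sa still carry one of the trivial passwords the article warns about?
--    PWDCOMPARE() checks a clear-text candidate against the stored hash,
--    so the audit runs without any network brute force. Candidate list is
--    an assumption; extend it with your organisation's known-bad values.
SELECT name,
       is_disabled,
       CASE WHEN PWDCOMPARE('',     password_hash) = 1 THEN 'BLANK'
            WHEN PWDCOMPARE('1234', password_hash) = 1 THEN '1234'
            WHEN PWDCOMPARE('4321', password_hash) = 1 THEN '4321'
            WHEN PWDCOMPARE('sa',   password_hash) = 1 THEN 'sa'
            ELSE 'not in list'
       END AS weak_password
FROM sys.sql_logins
WHERE name = 'sa';

-- 2. Which OS-reaching features are switched on? (value_in_use = 1)
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 3. Harden the login: long random password, then disable sa so the
--    well-known name gives scanners nothing to guess against. Daily
--    administration should use named logins or Windows accounts instead.
ALTER LOGIN sa WITH PASSWORD = 'Replace-With-A-Long-Random-Passphrase-9f3!';  -- placeholder
ALTER LOGIN sa DISABLE;
-- ALTER LOGIN sa WITH NAME = [svc_dba_break_glass];  -- optional rename, assumed name

-- 4. Switch the OS-reaching procedures off. On 2005+ this is the supported
--    control; sp_dropextendedproc (the article's method) can be undone by any
--    sysadmin with sp_addextendedproc, and the 'Ole Automation Procedures'
--    switch covers the whole sp_OA* family without breaking Enterprise Manager.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Re-run steps 1 and 2 after the change (or on a schedule): a weak_password value other than 'not in list', or a value_in_use of 1, means the server has drifted back into the state the article describes.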
