SQL Server database dangerous extension deletion and recovery code _mssql

Source: Internet
Author: User
Tags call shell mssql sql injection
Once met, almost crazy, there is a friend of MSSQL, just try it and delete the following components. Of course, the premise is that you have to do your own database after the deletion, or the component removed many functions can not be used, in order to be safe, you have to sacrifice some features, of course, like me, I, in addition to the MSSQL import, Basically less than two times a year, so I will not hesitate to delete, hey.

First, delete the SQL procedure with security issues. More comprehensive. Everything for safety!

Delete the call shell, registry, COM component's corrupted permissions

MS SQL SERVER2000
Log in to Query Analyzer with System account
Run the following script
Copy Code code as follows:

Use master
Exec sp_dropextendedproc ' xp_cmdshell '
exec sp_dropexte Ndedproc ' xp_enumgroups '
exec sp_dropextendedproc ' xp_loginconfig '
exec sp_dropextendedproc ' xp_enumerrorlogs '
exec sp_dropextendedproc ' xp_getfiledetails '
exec sp_dropextendedproc ' sp_oacreate '
exec sp_dropextend Edproc ' sp_OADestroy '
exec sp_dropextendedproc ' sp_OAGetErrorInfo '
exec sp_dropextendedproc ' sp_OAGetProperty '
exec sp_dropextendedproc ' sp_OAMethod '
exec sp_dropextendedproc ' sp_OASetProperty '
exec Sp_dropextende Dproc ' sp_oastop '
exec sp_dropextendedproc ' xp_regaddmultistring '
exec sp_dropextendedproc ' Xp_regdeletekey '
Exec sp_dropextendedproc ' xp_regdeletevalue '
exec sp_dropextendedproc ' xp_regenumvalues '
exec sp_dropexte Ndedproc ' xp_regremovemultistring '
exec sp_dropextendedproc ' xp_regwrite '
drop procedure sp_makewebtask
Go

Remove all dangerous extensions.
exec sp_dropextendedproc ' xp_cmdshell ' [will not be able to connect to the database remotely after this extension is removed]
The following 3 stored procedures are used when SQL Server restores a backup, not necessary do not delete
#exec sp_dropextendedproc ' xp_dirtree ' [delete this extension, you will not be able to create a new or additional database]
#exec sp_dropextendedproc ' xp_regread ' [restore database assist after removing this extension]
#exec sp_dropextendedproc ' xp_fixeddrives ' [the database cannot be restored after this extension is deleted]

Recovery Scripts
Copy Code code as follows:

Use master
EXEC sp_addextendedproc xp_cmdshell, @dllname = ' Xplog70.dll '
EXEC sp_addextendedproc xp_enumgroups, @dllname = ' Xplog70.dll '
EXEC sp_addextendedproc xp_loginconfig, @dllname = ' Xplog70.dll '
EXEC sp_addextendedproc xp_enumerrorlogs, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_getfiledetails, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc sp_oacreate, @dllname = ' Odsole70.dll '
EXEC sp_addextendedproc sp_OADestroy, @dllname = ' Odsole70.dll '
EXEC sp_addextendedproc sp_OAGetErrorInfo, @dllname = ' Odsole70.dll '
EXEC sp_addextendedproc sp_oagetproperty, @dllname = ' Odsole70.dll '
EXEC sp_addextendedproc sp_OAMethod, @dllname = ' Odsole70.dll '
EXEC sp_addextendedproc sp_OASetProperty, @dllname = ' Odsole70.dll '
EXEC sp_addextendedproc sp_oastop, @dllname = ' Odsole70.dll '
EXEC sp_addextendedproc xp_regaddmultistring, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_regdeletekey, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_regdeletevalue, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_regenumvalues, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_regremovemultistring, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_regwrite, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_dirtree, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_regread, @dllname = ' Xpstar.dll '
EXEC sp_addextendedproc xp_fixeddrives, @dllname = ' Xpstar.dll '
Go

Copy all to SQL Query Analyzer

Clicking on the menu-"Query"-"execute" will remove the SQL process with security issues


two, SQL Server 2000 vulnerability has been a lot
Some time ago my own server has a SQL temporary storage process Vulnerability
Vulnerability extension: Xp_dirtree storage process

Beforehand: A vulnerability was recently found to be caused by SQL Server
Just a few days ago, there is nothing to use a SQL injection tool for the server to inject their own servers, accidentally found the use of MSSQL Web site can be used in the form of SQL injection of the entire server directory (my server security settings) can still be seen, Then a grab tool is installed on the server to grab the SQL Server, use the tool to connect SQL vulnerabilities Xp_dirtree read the directory, you can get the entire server directory, such as listing the C disk directory He will list all the directories under your C-disk, which is very unsafe, At present is only able to investigate the catalogue to wear things, we can imagine, if I arbitrarily modify a Boot.ini cover the C-disk boot.ini is a concept, OH first can cause service its paralysis, unable to read the system
Solution: Delete xp_dirtree, command is Sp_dropextendedproc ' Xp_dirtree '
Delete the above build you are using a D or any of the SQL injection tools are in vain

Here also to provide you with some other SQL dangerous storage process
Suggested deletion

[Note: All operations that delete SQL stored procedures must be operated in the MSSQL Query Analyzer, which is preceded by the name of the stored procedure and the command to delete the stored procedure]

First, list the dangerous built-in stored procedures:
xp_cmdshell Sp_dropextendedproc ' xp_cmdshell '
Xp_regaddmultistring Sp_dropextendedproc ' xp_regaddmultistring '
Xp_regdeletekey Sp_dropextendedproc ' Xp_regdeletekey '
Xp_regdeletevalue Sp_dropextendedproc ' Xp_regdeletevalue '
Xp_regenumkeys Sp_dropextendedproc ' Xp_regenumkeys '
Xp_regenumvalues Sp_dropextendedproc ' Xp_regenumvalues '
Xp_regread Sp_dropextendedproc ' Xp_regread '
Xp_regremovemultistring Sp_dropextendedproc ' xp_regremovemultistring '
Xp_regwrite Sp_dropextendedproc ' Xp_regwrite '


ActiveX Scripts:

sp_OACreate Sp_dropextendedproc ' sp_OACreate '
sp_OADestroy Sp_dropextendedproc ' sp_OADestroy '
sp_OAMethod Sp_dropextendedproc ' sp_OAMethod '
sp_OAGetProperty Sp_dropextendedproc ' sp_OAGetProperty '
sp_OAGetErrorInfo Sp_dropextendedproc ' sp_OAGetErrorInfo '
sp_OAStop Sp_dropextendedproc ' sp_OAStop '

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.