Stored procedures are collections of pre-written SQL statements stored in SQL Server. The most dangerous of the extended stored procedures is xp_cmdshell, which can execute any operating system command. SA is the administrator account of Microsoft SQL Server; it holds the highest privileges, can execute extended stored procedures and can read their return values. For example, executing:
exec master..xp_cmdshell 'net user test 1234 /add'
exec master..xp_cmdshell 'net localgroup administrators test /add'
In this way a user named test, with password 1234 and administrator privileges, is added to the other party's system, as shown in Figure 1.
Now you should understand why obtaining the SA password means obtaining the highest privileges on the system. Many network administrators are unaware of this and set simple passwords such as 1234 or 4321 for the SA account, or even no password at all, so intruders can easily scan for the SA password with hacking tools and then take control of the computer.
In addition to xp_cmdshell, the following stored procedures can also be exploited by intruders:
1. xp_regread (this extended stored procedure reads a specified value from a specified registry key). Usage (obtain the machine name):
DECLARE @test varchar(50)
EXEC master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='system\controlset001\control\computername\computername', @value_name='computername', @value=@test OUTPUT
SELECT @test
2. xp_regwrite (this extended stored procedure writes a specified value to a specified registry key). Usage (write bbb to the value aaaValue under the key HKEY_LOCAL_MACHINE\SOFTWARE\aaa):
EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\aaa', @value_name='aaaValue', @type='REG_SZ', @value='bbb'
If the administrator user of the compromised computer can browse the HKEY_LOCAL_MACHINE\SAM\SAM\ information in the registry, then xp_regread and xp_regwrite can be used to clone the administrator user and obtain administrator privileges. xp_regdeletekey and xp_regdeletevalue likewise pose a security risk to the system.
3. A series of OLE-related stored procedures: sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty and sp_OAStop. Usage:
DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'c:\WINNT\system32\cmd.exe /c net user test 1234 /add'--
In this way a user named test with password 1234 is added to the other system; then execute:
DECLARE @shell INT EXEC SP_OACREATE 'wscript.shell',@shell OUTPUT EXEC SP_OAMETHOD @shell,'run',null, 'c:\WINNT\system32\cmd.exe /c net localgroup administrators test /add '--
User test is now a member of the Administrators group. Solution: give SA a password complex enough that it is difficult for attackers to crack. For safety, we should also use the sp_dropextendedproc stored procedure in SQL Server's Query Analyzer to delete stored procedures such as xp_cmdshell, and use sp_addextendedproc to restore them when they are needed. Note that deleting the OLE-related stored procedures may make some functions in Enterprise Manager unusable, so the author does not recommend deleting them.
Now that we know how sp_OACreate is used, we can also go to \WINNT\system32, find the three files cmd.exe, net.exe and net1.exe, and under "Properties" - "Security" remove every user who can access them, so that sp_OACreate can no longer be used to add system users; access can be granted again when these files are needed.
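The SA-password and sp_dropextendedproc hardening described above, as an added audit-and-lockdown script that is not from the original article; it assumes a SQL Server 7.0/2000-era server, is run from Query Analyzer as sysadmin, and uses a placeholder password and the DLL names shipped with SQL Server 2000.

```sql
-- Added example: audit and lock down the extended stored procedures discussed above.
-- Assumes SQL Server 2000-era catalog tables (syslogins, sysobjects) and sysadmin rights.
USE master
GO

-- 1. Logins with no password at all (syslogins.password is NULL for a blank password).
--    A row for 'sa' here is exactly the situation the article warns about.
SELECT name FROM syslogins WHERE password IS NULL
GO

-- 2. Replace a weak SA password. The value below is a placeholder; use a long,
--    randomly generated one of your own. NULL for the old password is allowed for sysadmin.
EXEC sp_password NULL, 'PLACEHOLDER-long-random-passphrase', 'sa'
GO

-- 3. List the extended stored procedures present (xtype 'X'), so you can confirm
--    whether xp_cmdshell, xp_reg* and the sp_OA* procedures are exposed on this server.
SELECT name FROM sysobjects WHERE xtype = 'X' ORDER BY name
GO

-- 4. Who can execute them? Execute rights granted to public on any of these are a red flag.
EXEC sp_helprotect 'xp_cmdshell'
EXEC sp_helprotect 'xp_regread'
EXEC sp_helprotect 'xp_regwrite'
GO

-- 5. Drop the most dangerous ones. The sp_OA* procedures are deliberately left alone,
--    as the article notes Enterprise Manager depends on them.
--    This is defence in depth only: a login that already holds sysadmin can re-add them,
--    so the strong SA password in step 2 remains the primary control.
EXEC sp_dropextendedproc 'xp_cmdshell'
EXEC sp_dropextendedproc 'xp_regread'
EXEC sp_dropextendedproc 'xp_regwrite'
EXEC sp_dropextendedproc 'xp_regdeletekey'
EXEC sp_dropextendedproc 'xp_regdeletevalue'
GO

-- 6. Restore when legitimately needed (DLL names as shipped with SQL Server 2000):
--    EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
--    EXEC sp_addextendedproc 'xp_regread',  'xpstar.dll'
--    EXEC sp_addextendedproc 'xp_regwrite', 'xpstar.dll'
```

Re-run steps 3 and 4 after the drops to confirm the procedures are gone and that nothing remains granted to public.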