System security: SA weak passwords bring security risks - vulnerability warning - the Black Bar Security Net (myhack58)

ID MYHACK58:62200713843
Type myhack58
Reporter Anonymous
Modified 2007-01-19T00:00:00


Computers running Microsoft SQL Server with a weak SA password have long been a favourite target of network attackers: through this hole an attacker can easily obtain administrative control of the server, and with it a threat to the network and its data. As network administrators we cannot leave this unattended; we need to understand the cause and the consequences so that prevention can be targeted and effective. Below I describe it in detail.

Microsoft SQL Server is a powerful client/server relational database management system with a very wide range of applications; you find it everywhere, from website back-end databases to MIS (Management Information System) applications. The core of an intrusion through a weak SQL Server SA password is the use of SQL Server stored procedures to obtain system administrator rights. So what exactly is a stored procedure?

A stored procedure is a collection of pre-written SQL statements stored inside SQL Server. The most dangerous of the extended stored procedures is xp_cmdshell, which can execute any operating system command. SA is the built-in SQL Server administrator account with the highest privileges; it can execute extended stored procedures and read their return values. For example, executing:


exec master..xp_cmdshell 'net user test 1234 /add'
exec master..xp_cmdshell 'net localgroup administrators test /add'

adds to the target system a user named test with password 1234 that has administrator rights, as shown in the figure.


Now you should understand why obtaining the SA password gives the highest authority over the system. Many network administrators are not aware of this, and give their SA account a simple password such as 1234 or 4321, or no password at all, so that a network intruder can use a hacking tool to scan for the SA password with ease and then take control of the computer.
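The administrator's side of this is to find out whether any SQL login on the server still has a blank or guessable password before an attacker's scanner does. The following T-SQL audit is an added example, not code from the original article; it assumes SQL Server 2005 or later (sys.sql_logins and password_hash) and sysadmin rights, and the candidate password list is constructed for this example. On SQL Server 2000, which this article targets, the same PWDCOMPARE check works against master..syslogins with its password column.

```sql
-- Added example (not from the original article): audit SQL logins for blank
-- or guessable passwords. Assumes SQL Server 2005+ and sysadmin rights;
-- PWDCOMPARE() against sys.sql_logins requires CONTROL SERVER.
-- SQL Server 2000: use master..syslogins and its "password" column instead.
SET NOCOUNT ON;

-- 1. Is SQL authentication enabled at all? 1 = Windows authentication only,
--    in which case the sa password cannot be used to log in.
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- 2. State of the built-in sa login (sid 0x01, even if it has been renamed).
SELECT name, is_disabled FROM sys.sql_logins WHERE sid = 0x01;

-- 3. Candidate weak passwords (constructed list; extend with your own wordlist).
DECLARE @weak TABLE (pwd sysname NOT NULL);
INSERT INTO @weak (pwd)
SELECT '' UNION ALL SELECT 'sa' UNION ALL SELECT '1234' UNION ALL SELECT '4321'
UNION ALL SELECT '123456' UNION ALL SELECT 'password' UNION ALL SELECT 'admin';

-- 4. Test every SQL login against every candidate, plus the common case of
--    "password equals login name". PWDCOMPARE returns 1 when the clear text
--    matches the stored hash.
SELECT l.name AS login_name,
       CASE WHEN w.pwd = '' THEN '<blank>' ELSE w.pwd END AS weak_password
FROM sys.sql_logins AS l
CROSS JOIN @weak AS w
WHERE PWDCOMPARE(w.pwd, l.password_hash) = 1
UNION ALL
SELECT l.name, '<same as login name>'
FROM sys.sql_logins AS l
WHERE PWDCOMPARE(l.name, l.password_hash) = 1
ORDER BY login_name;
```

An empty result from step 4 only means none of the listed candidates matched; a hit for sa means the server is exactly the target this article describes and the password must be changed immediately.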

Besides xp_cmdshell, some other stored procedures can also be exploited by intruders:

1. xp_regread (this extended stored procedure reads the specified value from the specified registry key). Usage (getting the machine name):

DECLARE @test varchar(50)
EXEC master..xp_regread @rootkey='HKEY_LOCAL_MACHINE', @key='system\controlset001\control\computername\computername', @value_name='computername', @value=@test OUTPUT
SELECT @test

2. xp_regwrite (this extended stored procedure writes the specified value to the specified registry key). Usage (writing bbb into the value aaaValue under the key HKEY_LOCAL_MACHINE\SOFTWARE\aaa):

EXEC master..xp_regwrite @rootkey='HKEY_LOCAL_MACHINE', @key='SOFTWARE\aaa', @value_name='aaaValue', @type='REG_SZ', @value='bbb'

If, on the compromised computer, the registry information under HKEY_LOCAL_MACHINE\SAM\SAM can be read (by default only the SYSTEM account has access to it, which SQL Server has when its service runs as LocalSystem), then the xp_regread and xp_regwrite procedures can be used to clone the administrator account and so obtain administrator privileges. xp_regdeletekey and xp_regdeletevalue bring security risks to the system as well.

3. The OLE Automation stored procedures: sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty and sp_OAStop. Usage:

DECLARE @shell INT
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /c net user test 1234 /add'--

This adds to the target system a user named test with password 1234. Then execute:

DECLARE @shell INT
EXEC sp_OACreate 'wscript.shell', @shell OUTPUT
EXEC sp_OAMethod @shell, 'run', null, 'c:\WINNT\system32\cmd.exe /c net localgroup administrators test /add'--

The user test is added to the Administrators group.

Solution: give SA a password complex enough that a network attacker has great difficulty cracking it. For extra safety, in SQL Server Query Analyzer use the stored procedure sp_dropextendedproc to remove xp_cmdshell and similar stored procedures, and use sp_addextendedproc to restore them when they are needed; the exact syntax of sp_dropextendedproc and sp_addextendedproc can be looked up in SQL Server's help. Note that removing the OLE-related series of stored procedures may cause certain functions of Enterprise Manager to stop working, so I do not recommend deleting those. Bear in mind that dropping an extended stored procedure only removes its registration in master; the DLL stays on disk, and anyone who already holds sysadmin rights can re-register it with sp_addextendedproc, so this measure supplements the strong password rather than replacing it. Now that we understand how sp_OACreate is used, we can go to \WINNT\system32, find the three files cmd.exe, net.exe and net1.exe, and under Properties > Security remove every user that can access them; then sp_OACreate can no longer be used to add users to the system. When we need to access these files ourselves, we add the user back. Since both xp_cmdshell and sp_OACreate run under the account of the SQL Server service, running that service as a low-privileged account rather than LocalSystem is what ultimately limits what these procedures can do.
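The hardening steps above, written out as a T-SQL script. This is an added example, not code from the original article. Part A uses the SQL Server 2000 procedures the article names (sp_password, sp_dropextendedproc, sp_addextendedproc); Part B is the SQL Server 2005 and later equivalent, where xp_cmdshell and the OLE Automation procedures are switched off with sp_configure instead of being dropped. The password string is a placeholder to be replaced before running, and the script assumes sysadmin rights. The file-permission step on cmd.exe, net.exe and net1.exe is done in Windows, outside SQL, and is not shown.

```sql
-- Added example (not from the original article): apply the article's
-- recommendations. Replace the placeholder password before running.
-- Assumes sysadmin rights.

---------------------------------------------------------------------------
-- Part A: SQL Server 2000 (what the article targets)
---------------------------------------------------------------------------
-- Give sa a long, complex password. A sysadmin passes NULL as the old
-- password; the third argument is the login to change.
EXEC sp_password NULL, 'REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE', 'sa';

-- Remove the registration of xp_cmdshell. This only deletes the entry in
-- master; xplog70.dll stays on disk and any sysadmin can re-register it
-- (see the restore line below), so it does not protect a compromised sa.
EXEC master..sp_dropextendedproc 'xp_cmdshell';
-- xp_regread/xp_regwrite/xp_regdeletekey/xp_regdeletevalue can be dropped
-- the same way, but SQL Server's own tooling uses some of them; test first.
-- The article's "recover" step, when xp_cmdshell is genuinely needed:
-- EXEC master..sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';

---------------------------------------------------------------------------
-- Part B: SQL Server 2005 and later
---------------------------------------------------------------------------
-- Strong password, then disable the sa login altogether and use Windows
-- authentication or a renamed least-privilege SQL login for administration.
ALTER LOGIN sa WITH PASSWORD = N'REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE';
ALTER LOGIN sa DISABLE;

-- xp_cmdshell and the OLE Automation procedures are off by default on these
-- versions; make sure they stay off. Both options are "advanced", so they
-- must be exposed before they can be set.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verify: both rows should show value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
```

Re-run the verification query after any maintenance, since a colleague re-enabling xp_cmdshell "temporarily" is a common way for the setting to drift back. On SQL Server 2000 there is no such switch, which is why the article resorts to dropping the procedure and to file ACLs on the binaries it launches.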