I am doing this small experiment on SQL Injection, and appearantly, I was asked to do the shutdown thing, which I have read about, but don't have a single idea how how to start.
Well, basically, I am still confused about a few things:
1. Do I need to create a stored procedure first, before I start hacking (shutting down the SQL Server)? Or can I just use a normal User Table?
2. I understand that the clause "shutdown with nowait" only allows the sysadmin and serveradmin to do so, so is there anyway a hacker makes himself a sysadmin or serveradmin?
3. And I read that only with the login user: "sa", you can perform that action. But in my company, its sql login is not "sa", it's something else, so can I do anything about it?
Well, that's all for now. So, actually, I have a project that first requires the user to login and must provide password. (Since I am doing experiment on SQL Injection, thus, it is vunerable). It connects to the sql server to match if the user name entered exists on the table.
I hope this information is enough to help anyone to help me hahahahaha... crossed my finger, though.
Thanks in advance.
I'm not aware of any elevation vulnerabilities in SQL Server2000. I think the most common problem is sites that use adminaccounts for everything instead of going with best practices andlocking things down.
Note that you don't need permissions to run SHUTDOWN to shut down aserver. There are various overflows that can be exploited thatwill take down the entire service. I know of at least one thathas not been fixed, but I don't want it used on my servers so I willnot share it with you, sorry!
The best defense is to avoid using SQL Server logins -- instead, usetrusted connections to very low privileged domain accounts. Lockdown everything. Do a security sweep and make sure no account hasaccess to anything other than what it needs. And get rid of thexp_cmdshell and sp_OA* procedures if you don't need them.
|||HI AdamMachanic:
It's cool that you don't wanna share it with me. I, too, am afraid that once I knew all that, I would do silly things.
AdamMachanic wrote:
Note that you don't need permissions to run SHUTDOWN to shut down a server.
However, when I tried to exec "shutdown with nowait" statement on my sql server, which is not logged in as "sa", it showed: "User does not have permission to perform this action." So... how? I mean, do I need to do something first before executing that statement?
use trusted connections to very low privileged domain accounts. Lock down everything. Do a security sweep and make sure no account has access to anything other than what it needs. And get rid of the xp_cmdshell and sp_OA* procedures if you don't need them.
I don't really understand what you're trying to tell me. Although, it sounds really promising that I can do the shutdown sql server. Okay, so firstly, how do I set my trusted connections to lower the privileged domain accounts. Then, how to lock? And security sweep?
I am so sorry about all these questions, cause I am still very very new to this...
Thanks.
|||I think I phrased that badly -- what I meant was, you don't need thepermission for the SHUTDOWN statement in order to shut down the server,because you can crash the server using the overflows I know about.
For the trusted logins, simply don't give them access to anything elseon the domain -- they should only have access to the SQL Server, andpossibly resources on the web server (assuming this is a web-basedapplication.) You can use those logins as the IIS logins -- thiswill make IIS trusted for the SQL Server. Locking the rest downis application-specific. What permissions are required by eachlogin? Do any logins hold permissions they don't require? Remove them.
Finally, a sweep -- this can mean many things, including you or someoneelse trying to get access to unsecured data, and/or someone else simplyreviewing everything you've done. A second set of eyes can revealholes you missed.
|||Hello, AdamMachanic,
Thanks for explaning. I 'think' I understand better, but yesterday and this morning, I read about this SQL Injection article, when shutdown with nowait statement is being carried out.
Okay, first of all, I wanna explain, what is actually going on on my code. I have a login page where user has to enter his username and pwd. So my code is:
Dim userNameAsString = txtUserName.Text
Dim pwdAsString = txtPwd.Text
Dim strSQLAsString = "select * from testing where userName = '" & userName & "' and pwd = '" & pwd & "'"
Dim comAsNew SqlCommand(strSQL, con)
And so on...
So if the unauthorized user entered:' or 1=1 --, he will be directed to a page. So far so good?
Alright, this is what I found from the Internet yesterday. Something like this:
sp_addlogin 'username','pwd', a message would say that the username is added, and sp_addsrvrolemember 'username','sysadmin' , a message would say that that username hassysadmin role. When then he could shutdown the SQL server.
I tried to enter this on my username textfield:' sp_addlogin 'redice','redice1234', but there's an error saying that there's somet error neaar sp_addlogin. So, I try my luck enter directly from SQL Server, just to test if that statement really works, and it did! After I assigned the sysadmin role to redice, he could shutdown the SQL Server successfully.
Okay, so do you see what's happening here? The statement can't be written on my textbox, where an attacker is supposed to attack from.
There are many more about creating stored procedure and set identity_insert blah blah blah...
Give me your input about this, okay? Anyone, too.
Thank you so much.
Also, how does the user get redirected if or when they enter ' or 1=1 -- ?
Do you have some logic that takes care of that?
|||Hi.
Yes, I know I have to assign the user the permission of sysadmin rights, but the problem is, I am playing as the attacker here. I am supposed to create a user (redice), that first ain't have any permission, later on, he then use SQL Injection to grant himself the sysadmin permisson. Hmmmm...Clear?
This is actually the rest of the code:
Dim strSQLAsString = "select * from testing where userName = '" & userName & "' and pwd = '" & pwd & "'"
Dim comAsNew OleDbCommand(strSQL, con)
Dim readerAs OleDbDataReader
If pwd = ""Or userName = ""Then
lblMsg.Text = "Please enter user name and password."
Else
Try
con.Open()
reader = com.ExecuteReader
If reader.HasRowsThen
Response.Redirect("Welcome.aspx?" & "name" & "=" & userName)lblMsg.Text = "welcome"
Else
lblMsg.Text = "You are not authorized to enter this page."
EndIf
con.Close()
Catch exAs OleDbException
lblMsg.Text = ex.Message
EndTry
EndIf
Thanks for your help.
|||
Hi AdamMachanic:
Thanks for your kind help.
Cheers.
