
Analysis of how to realize Microsoft SQL Server loophole

2025-01-19 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

This article shows you how to carry out a Microsoft SQL Server vulnerability analysis. The content is concise and easy to understand, and through the detailed introduction in this article I hope you can take something away.

Preface

Microsoft SQL Server is a relational database management system developed by Microsoft. It is widely used because of advantages such as ease of use, good scalability and a high degree of integration with related software. The Microsoft SQL Server database engine provides secure and reliable storage for relational and structured data, and can be used to build and manage business scenarios that require high availability and high performance.

0x01 Brief introduction of the Microsoft SQL Server database

At present, the Microsoft SQL Server database is also in relatively wide use worldwide. According to statistics, as many as 237065 assets worldwide expose a Microsoft SQL Server database service to the Internet. China ranks first in the number of externally exposed Microsoft SQL Server database services, with 75793, close to 30% of the global total. The United States and the Netherlands take second and third place, with 35965 and 33664 publicly exposed Microsoft SQL Server database services respectively. Given this wide range of domestic Microsoft SQL Server users, guarding against Microsoft SQL Server database vulnerabilities is particularly important.

(The statistics cover only assets exposed to the Internet; this data comes from FOFA.)

0x02 Overview of Microsoft SQL Server vulnerabilities

Compared with other types of databases, relatively few vulnerabilities have surfaced in the Microsoft SQL Server database in recent years. Here, two representative and readily usable vulnerabilities are selected for analysis; the list is as follows:

Vulnerability name | Vulnerability type | Risk level | CVE number
Microsoft SQL Server sp_replwritetovarbin remote heap overflow | buffer overflow | high | CVE-2008-5416
Lyris ListManager MSDE SA weak password vulnerability | weak password | | CVE-2005-4145

0x03 Microsoft SQL Server vulnerability analysis

1. CVE-2008-5416 vulnerability analysis:

1. Vulnerability information:

Vulnerability name: Microsoft SQL Server sp_replwritetovarbin Stored Procedure Buffer Overflow Vulnerability

Vulnerability number: CVE-2008-5416

Vulnerability type: Buffer Overflow Vulnerability

2. Overview of vulnerabilities:

Microsoft SQL Server is a popular SQL database system. There is a heap overflow vulnerability in the sp_replwritetovarbin extended stored procedure of Microsoft SQL Server. A remote attacker can trigger it by supplying an uninitialized variable as a parameter; memory is then written to a controllable location, allowing arbitrary code to be executed with the privileges of the vulnerable SQL Server process. In the default configuration, any user can access the sp_replwritetovarbin procedure. Authenticated users can exploit this vulnerability through a direct database connection or through SQL injection.

3. Impact of vulnerabilities:

The versions of Microsoft SQL Server affected by the CVE-2008-5416 vulnerability are as follows:

4. Vulnerability analysis:

1) CVE-2008-5416 vulnerability PoC exploits code analysis:

We found the CVE-2008-5416 vulnerability PoC from the Internet. The following is the exploit code snippet of the vulnerability PoC:

As can be seen from the PoC code, an uninitialized custom variable is defined first, then an over-long data segment is passed in (the malicious attack code can be placed in this data segment); the sp_replwritetovarbin extended stored procedure then overflows the heap, and the constructed attack code is written to memory and executed.

2) Traffic analysis of CVE-2008-5416 vulnerability attacks:

The attacker initiates a remote login authentication request to the target over the TDS protocol, because this vulnerability can only be exploited further after remote authentication has succeeded. As follows:

Once the login request is authenticated, the version information of the database server is queried next. As follows:

After the version of the database system has been determined, the matching attack payload is selected to carry out the stored procedure overflow attack. As follows:

5. Vulnerability verification:

A target machine with the CVE-2008-5416 vulnerability is tested with the Metasploit penetration testing framework, and it is found that the vulnerability can be successfully exploited. As shown in the following figure:

6. Fix recommendations:

Microsoft has issued a security bulletin (MS09-004) and patches for this vulnerability. The link is as follows:

Https://docs.microsoft.com/zh-cn/security-updates/Securitybulletins/2009/ms09-004
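Besides applying the patch, the overview above notes that the public role can execute sp_replwritetovarbin by default. The following T-SQL, added here as an example rather than taken from the article or from Microsoft's bulletin, checks which principals hold permissions on the procedure and then denies public access as an interim hardening step; it assumes the SQL Server 2005+ catalog views and that the procedure is resolved in the master database.

```sql
-- Added hardening example (not from the original article). Assumes SQL Server
-- 2005+ catalog views; on SQL Server 2000 the sysprotects table would be used.
USE master;
GO

-- 1. Who currently holds explicit permissions on the extended stored procedure?
--    With no rows returned, the default (public may execute) is in effect, which
--    is what makes the bug reachable from any authenticated login or SQL
--    injection point.
SELECT pr.name            AS grantee,
       dp.state_desc      AS state,
       dp.permission_name AS permission
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.major_id = OBJECT_ID(N'sp_replwritetovarbin');
GO

-- 2. Remove public access until the MS09-004 patch is installed. Members of the
--    sysadmin role bypass permission checks, so they are not affected by this.
DENY EXECUTE ON sp_replwritetovarbin TO public;
GO

-- 3. Re-run the query from step 1: a row with state DENY for grantee 'public'
--    is now expected.
SELECT pr.name AS grantee, dp.state_desc AS state
FROM sys.database_permissions AS dp
JOIN sys.database_principals AS pr
  ON pr.principal_id = dp.grantee_principal_id
WHERE dp.major_id = OBJECT_ID(N'sp_replwritetovarbin')
  AND pr.name = 'public';
GO
```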

2. CVE-2005-4145 vulnerability analysis:

1. Vulnerability information:

Vulnerability name: Lyris ListManager MSDE Weak SA Password Vulnerability

Vulnerability number: CVE-2005-4145

Vulnerability type: Weak Password Vulnerability

2. Overview of vulnerabilities:

Lyris_technologies_inc Listmanager is an important component of Microsoft SQL Server MSDE. Due to a design flaw in Lyris_technologies_inc Listmanager 5.0-8.9b, which configures the SA account of the database with a password drawn from a small search space, an attacker can remotely gain access to the Microsoft SQL Server database through a brute-force attack.

3. Impact of vulnerabilities:

The versions of Lyris_technologies_inc Listmanager affected by the CVE-2005-4145 vulnerability are as follows:

4. Vulnerability analysis:

1) vulnerability PoC code analysis:

We found the CVE-2005-4145 vulnerability PoC from the Internet. The following is the exploit code snippet of the vulnerability PoC:

As can be seen from the vulnerability PoC code above, it first attempts to log in with the account SA and the password lminstall. If that succeeds, it executes the SQL exploitation code that follows; otherwise it brute-forces the SA account further by enumerating process-PID-based passwords to obtain login permissions, and if that login succeeds, executes the same SQL exploitation code.

2) PoC packet analysis of CVE-2005-4145 vulnerability:

The attacker repeatedly sends remote login authentication requests to the target over the TDS protocol, with the user name SA and a continuously enumerated password.
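From the defender's side, the repeated SA login attempts described above leave a trail of "Login failed for user 'sa'" entries in the SQL Server error log. The following T-SQL, added here as an example and not part of the original article, pulls those lines from the current log and aggregates them per client address to surface a brute-force burst; it assumes SQL Server 2005+ (xp_readerrorlog with a search argument) and that failed-login auditing is enabled, which is the server default.

```sql
-- Added detection example (not from the original article). Assumes SQL Server
-- 2005+ and the default "failed logins only" audit setting.
USE master;
GO

CREATE TABLE #errlog (
    LogDate     datetime,
    ProcessInfo nvarchar(50),
    [Text]      nvarchar(max)
);

-- Log 0 = current error log, type 1 = SQL Server (not Agent) log; the third
-- argument filters server-side to failed-login lines for the 'sa' login.
INSERT INTO #errlog (LogDate, ProcessInfo, [Text])
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login failed for user ''sa''';

-- Each line ends with "[CLIENT: <address>]"; cut that out and aggregate.
;WITH parsed AS (
    SELECT LogDate,
           SUBSTRING([Text],
                     CHARINDEX('[CLIENT: ', [Text]) + 9,
                     CHARINDEX(']', [Text], CHARINDEX('[CLIENT: ', [Text]))
                       - CHARINDEX('[CLIENT: ', [Text]) - 9) AS client
    FROM #errlog
    WHERE CHARINDEX('[CLIENT: ', [Text]) > 0
)
SELECT client,
       COUNT(*)     AS failures,
       MIN(LogDate) AS first_seen,
       MAX(LogDate) AS last_seen
FROM parsed
GROUP BY client
HAVING COUNT(*) >= 20      -- tuning threshold: a burst of failures from one source
ORDER BY failures DESC;

DROP TABLE #errlog;
GO
```

Sources that exceed the threshold within a short first_seen/last_seen window are candidates for blocking at the firewall, and the SA account itself should be renamed or disabled where the application allows it.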

5. Vulnerability verification:

A target machine with the CVE-2005-4145 vulnerability is tested with the Metasploit penetration testing framework, and it is found that the vulnerability can be successfully exploited. As shown in the following figure:

Tip: the CVE-2005-4145 PoC tests either the default account or an account specified for enumeration. Because its implementation is relatively simple, it is also of limited practical value. After a successful enumeration with a tool such as Hydra, the value found can be filled into the Password field for faster and deeper follow-up testing.

6. Fix recommendations:

The vendor has fixed this vulnerability in Lyris_technologies_inc Listmanager version 8.9b; upgrade to version 8.9b or above.

0x04 Conclusion

By sorting through and analyzing a series of Microsoft SQL Server vulnerabilities, the following conclusions can be drawn:

1. High-risk vulnerabilities are mainly distributed in three versions: Microsoft SQL Server7, Microsoft SQL Server2000 and Microsoft SQL Server2005.

2. Four types of vulnerabilities have a wide range of impact: buffer overflow, weak password, privilege escalation and denial of service.

3. The trigger conditions of high-risk Microsoft SQL Server vulnerabilities are relatively demanding; in most cases the attacker must first log in with an account before further exploitation is possible.

4. The period of concentrated outbreak of Microsoft SQL Server vulnerabilities is from 1997 to 2005. As Microsoft pays more and more attention to security, there are fewer and fewer high-risk security issues in subsequent releases of Microsoft SQL Server2008 and later versions.

The above is how to carry out a Microsoft SQL Server vulnerability analysis. Have you learned the knowledge or skills? If you want to learn more skills or enrich your knowledge, you are welcome to follow the industry information channel.
