
How to use SQL SERVER trigger to make back door

2025-01-16 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com) 05/31

This article covers how SQL Server triggers can be used to build a backdoor. Most people are probably unfamiliar with the technique, so it is shared here for reference.

Trigger permissions and ownership

CREATE TRIGGER permission is granted by default to the owner of the table on which the trigger is defined, to members of the sysadmin fixed server role, and to members of the db_owner and db_ddladmin fixed database roles. It is non-transferable.
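The permission list above is also the audit scope: anyone in those roles can attach a trigger to a table. The following is an added example, not code from the article, that lists the role members and records every trigger DDL event in the database. It assumes SQL Server 2005 or later; the names dbo.trigger_ddl_audit and audit_trigger_ddl are hypothetical.

```sql
-- Added example (not from the article). Assumes SQL Server 2005 or later.
-- dbo.trigger_ddl_audit and audit_trigger_ddl are hypothetical names.

-- 1) Who holds the database roles that carry CREATE TRIGGER by default?
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS rm
JOIN sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name IN (N'db_owner', N'db_ddladmin');

-- 2) Audit table for trigger DDL events.
CREATE TABLE dbo.trigger_ddl_audit (
    event_time  datetime      NOT NULL DEFAULT GETDATE(),
    login_name  sysname       NOT NULL,
    event_type  nvarchar(64)  NOT NULL,
    object_name nvarchar(256) NULL,
    command     nvarchar(max) NULL
);
-- The DDL trigger runs as the caller, so every caller must be able to insert;
-- otherwise legitimate trigger DDL would fail and roll back.
GRANT INSERT ON dbo.trigger_ddl_audit TO public;
GO  -- batch separator (sqlcmd / Management Studio); CREATE TRIGGER must start a batch

-- 3) Database-scoped DDL trigger: fires whenever a trigger is created,
--    altered or dropped anywhere in this database.
CREATE TRIGGER audit_trigger_ddl
ON DATABASE
FOR CREATE_TRIGGER, ALTER_TRIGGER, DROP_TRIGGER
AS
BEGIN
    SET NOCOUNT ON;
    DECLARE @e xml;
    SET @e = EVENTDATA();
    -- For WITH ENCRYPTION statements the command text may be absent or
    -- masked; the event type, object name and login are still recorded.
    INSERT INTO dbo.trigger_ddl_audit (login_name, event_type, object_name, command)
    VALUES (
        ORIGINAL_LOGIN(),
        @e.value('(/EVENT_INSTANCE/EventType)[1]',  'nvarchar(64)'),
        @e.value('(/EVENT_INSTANCE/ObjectName)[1]', 'nvarchar(256)'),
        @e.value('(/EVENT_INSTANCE/TSQLCommand/CommandText)[1]', 'nvarchar(max)')
    );
END;
GO
```

A db_owner member can disable this trigger or delete audit rows, so the rows are only trustworthy once they are copied to a system that role cannot reach.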

Required environment

This article assumes that one of the above permissions has already been obtained on the SQL Server, with the goal of leaving a hidden backdoor that administrators will not detect. Even if it is found, it is encrypted (it can be cracked, but some administrators do not understand it and will not pay attention to it; the relevant information can be found on Google).

Text:

Triggers are stored procedures that execute automatically when an insert, update, or delete operation is performed on a table. They are most commonly used to keep a history record when sensitive data is modified.

In this article we take dvbbs as an example. We have already obtained db_owner permission (note: this is not something dvbbs itself provides). Because it is only db_owner permission, executing "xp_cmdshell" is outside the scope of this article. After reading it, the reader should find that, given system permission, building a system backdoor is also simple. Think back to what we usually do and care about when we use databases.

Why use triggers as backdoors

Administrators first execute the sql files, then import the contents of the mdb, and after that usually use backup and restore at most. Triggers are rarely looked at by anyone, whether with the command "exec sp_helptrigger 'dv_admin'" or by selecting "Manage Triggers" in Enterprise Manager. Because the application does not use triggers at all and never mentions them, the site administrator will not look at them. So what we write inside one is relatively safe.
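Since the technique depends on nobody reviewing triggers, a periodic inventory removes that assumption. The following is an added example, not code from the article, that lists every table-level trigger missing from an approved baseline and flags encrypted ones. It assumes SQL Server 2005 or later; the @approved baseline and its sample row are hypothetical.

```sql
-- Added example (not from the article). Assumes SQL Server 2005 or later.
-- @approved is a hypothetical baseline of triggers known to change management.
DECLARE @approved TABLE (table_name sysname, trigger_name sysname);
-- Constructed sample row; fill from your own change records:
-- INSERT INTO @approved VALUES (N'SomeTable', N'some_reviewed_trigger');

SELECT
    s.name       AS table_schema,
    o.name       AS table_name,
    t.name       AS trigger_name,
    te.type_desc AS fires_on,          -- INSERT / UPDATE / DELETE
    t.is_disabled,
    t.create_date,
    t.modify_date,
    -- 1 when the trigger was created WITH ENCRYPTION; an application that
    -- ships no triggers has no reason to contain one.
    OBJECTPROPERTY(t.object_id, 'IsEncrypted') AS is_encrypted
FROM sys.triggers AS t
JOIN sys.objects        AS o  ON o.object_id  = t.parent_id
JOIN sys.schemas        AS s  ON s.schema_id  = o.schema_id
JOIN sys.trigger_events AS te ON te.object_id = t.object_id
WHERE t.parent_class = 1               -- attached to a table or view
  AND t.is_ms_shipped = 0
  AND NOT EXISTS (SELECT 1
                  FROM @approved AS a
                  WHERE a.table_name = o.name
                    AND a.trigger_name = t.name)
ORDER BY is_encrypted DESC, t.modify_date DESC;

-- Per-table view of the same information, using the table from this article:
EXEC sp_helptrigger 'Dv_log';
```

Any row returned for a log or account table, and any row with is_encrypted = 1, deserves a comparison of create_date and modify_date against the deployment history.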

Idea

Triggers are mainly used to keep history, so of course they can also record the administrator changing a password or adding a user. The record is put in a place that administrators don't usually notice but that ordinary users can see.

Dvbbs passwords are MD5-hashed. The hashing is done by the program on the server, so by the time the data reaches the database it has already been hashed. But Dvbbs also writes the password in plaintext into the dv_log table, which is convenient for us. As long as you get the contents of the l_content field in the dv_log table and then determine whether the administrator is performing a sensitive operation, the backdoor idea is formed.

Procedure and code walkthrough

Code snippet: Create a trigger.

create trigger dv_admin_history

on Dv_log

with encryption

for insert

as

The trigger needs to be created on the Dv_log table, where the plaintext password is placed. We don't know how long the administrator's password is, so we can only take the whole field that contains the password. The trigger should be encrypted, so that the administrator won't know what it is even if he sees it. The trigger fires when data is inserted.

The captured value should be placed where an ordinary user can see it, so that ordinary user permissions are enough to read the password. In the Dvbbs database, the largest fields that can hold data are usually ones the administrator sees. So you have to find a place where administrators won't look and other users won't notice.

I choose to put it in the user information of a newly registered user (hereinafter "Wang Cai", to keep it friendly), so that we can see it when we log in (note: logging in records the last login IP; handling that is up to you).

There are several fields suitable for storage:

Userphoto, field type: varchar(255). Records the address of Wang Cai's photo. It can store data shorter than 255 characters.

Usersign, field type: varchar(255). Wang Cai's signature. If data is stored here, Wang Cai must not post, otherwise he bears the consequences (posting displays the signature, and everyone on Earth would be able to see it).

Useremail, field type: nvarchar(255). Wang Cai's email. The data needs to be converted when this field is used.

Userinfo, field type: text. Wang Cai's user profile. This field is special: it contains many "", and each pair of "" has a different meaning. Dvbbs takes a shortcut here: to avoid having too many fields, it puts a batch of information into one field separated by "", and when one item is queried it reads the whole field and splits it to get the required data.

Problems to be solved:

1) What if the fields fill up?

In theory, once we see something in the first field, we should write it down and delete it. The trigger checks the size automatically and keeps using the field. To emphasize again: the example in this article targets Dvbbs; each case needs its own analysis.

2) The administrator log contains many entries; how do we tell which one records a password change?

When the administrator operates on users, the operation of course goes through "user.asp" or "admin.asp", so the condition we test is:

select @passinfo = l_content from inserted where l_type = 1 and (l_touser = 'user.asp' or l_touser = 'admin.asp')

When l_touser is user.asp or admin.asp, the administrator is operating on (viewing, updating, deleting) a user or an administrator. When l_type = 1, an update operation is being performed, and the password is in the l_content field (if the administrator updates a password or creates a new account). So we look up l_content in the inserted table and assign it to @passinfo.
