权限动网先锋论坛-『 web开发讨论区 』-针对sql injection的sql server安全设置初级篇(Mobile pioneer Forum - Web Development Forum - for SQL Injection´s SQL Server Security Settings)

动网论坛  时间:2021-01-25  阅读:()

动网先锋论坛- 『 web开发讨论区』 -针对sql injection的sqlserver安全设置初级篇Mobile pioneer Forum-Web DevelopmentForum - for SQL Injection' s SQL Server Security SettingsMobile pioneer Forum - "WEB Development Forum" - for SQLINJECTION' s SQL SERVER security settings

Collect this page

Contact us

Forum Help

Qmtxf re login, stealth user control panel, SMS search style,forum status, forum exhibition, props center exit

Website development, database development exchange, variousWEB development technology exchange, base camp, my inbox (0)Mobile network pioneer Forum - computer technology - "WEBDevelopment Forum" - for SQL INJECTION SQL SERVER securitysettings junior article

You are the 1369th person reading this post AP

* posting theme: initial article on security settings for SQLINJECTION' s SQL SERVER

Jadesun

Title: people don't want to say

Class: VIP

Article: 1338

Points: 2527

Registration: 2000-7-31

The landlord

For SQL INJECTION SQL SERVER security settings junior articleThe day before the SQL INJECTION attack testing intensified,many large websites and forums have been injected. These sitesgenerally use more than SQL

SERVER database, and because of this, many people begin to doubtthe security of SQL SERVER. Actually, SQL SERVER

2000 has passed the U.S. government' s C2 level securitycertification - this is the industry can have the highestcertification level, so the use of SQL

SERVER is pretty safe. Of course, there is still a gap betweenORCAL and DB2, but SQL

The ease of use and universality of SERVER can still be a reasonfor us to continue using it. How can you make the SQL SERVERsettings reassuring?

The first step must be to hit SQL

SERVER' s latest security patch, and now the patch is out of SP3.Download address:http://www.microsoft.com/sql/downloads/2000/sp3.asp. If thisstep is not done well, then we do not have the necessary tocont inue.

The second step is to modify the default 1433 port andhide theSQL SERVER. This prevents attempts to enumerate existing SQLServer on the network

The broadcast sent by the client responds. In addition, youneedto screen the 1433 port from the TCP/IP filter and hide yourSQL as much as possible

SERVER database. This way, but let the attack create SQLSERVER accounts can not immediately use the query analyzerremote login for the next attack. From the ASP, PHP and otherpages to construct malicious statements, there is also need tocheck the return value of the problem, than the direct queryanalyzer to benefit from the fall. So the first thing we needto do even let others into, nor allow an attacker to do nextsmoothly. Modification method: Enterprise Manager

Taking your database group-- >attributes-->-->-->TCP/IP- > conventional network configuration attributes

Here, modify your default port and hide the SQL SERVER.

The third step is an important step, and SQL INJECTION tendsto be in WEB

Generated in CODE. As a system administrator or databaseadministrator, you can't always look at each piece of code. Evenif we often look at the code, we can not guarantee our negligenceon the above. What can we do?We' ll start with the database roleto get the database users' rights to the lowest point. SQLSERVER' s default permissions are really a headache, very highpermissions, no permissions, and nothing to do, SYSADMIN anddb_owner is really a love and hate. An attacker, however,confirmed that the site had SQL

INJECTION vulnerability, there must be a step in the processof testing the site' s SQL SERVER users have much authority.Usually with the help of SELECT

IS_SRVROLEMEMBER (' sysadmin' ) , or SELECT IS_MEMBER

('db_owner' ) , or user

= 0 (compare characters with numbers, SQL

The SERVER will prompt the error message, which can be used totest some sensitive information, and so on. And, I dare not saymore. One is afraid of being wrong, and the other is afraid ofthe people in the alliance. At present, if the database userof the web site uses SA privileges, plus the absolute path ofthe WEB, the OVER of your website is declared. Db_ownerpermissions are the same. If the absolute path is confirmed,there is a 50% chance to give WEB in your machine

A Trojan horse, such as Haiyang. So here we've got a point. Wehave to create our own privileges so that the attacker can'tfind a place to go. Quote a SQL here

Examples of SERVER online help:

Method for creating SQL Server database roles (EnterpriseManager)

Create SQL Server database roles

1. expand the server group, and then expand the server.

2. expand the database folder, and then expand the databasewhere you want to create the roles.

3. right click on roles, and then click new database roles.

4. enter the name of the new role in the name box.

5. click Add to add members to the standard roles list, and thenclick one or more users you want to add. (optional)

Only users in the selected database can be added to the role.Object permission

A class of permissions that is called object permissions whenprocessing data or executing procedures:

? SELECT, INSERT, UPDATE, and DELETE statement permiss ions,which can be applied to the entire table or view.

SELECT and UPDATE statement permissions, which can beselectively applied to a single column in a table or view.SELECT permissions, which can be applied to user-definedfunctions.

INSERT and DELETE statement permissions that affect entire rows,sotheycanonlybeappliedtotables orviews, not to individualcolumns.

EXECUTE statement permissions, which can affect storedprocedures and functions.

Statement permission

The activities involved in creating items in a database ordatabase, such as tables or stored procedures, require anotherclass of permissions called statement rights. For example, ifa user must be able to create a table in the database, the usershould be granted it

CREATE TABLE statement permissions. Statement permissions(such as CREATE, DATABASE) apply to the statement itself,rather than to specific objects defined in the database.Statement authority:

? BACKUP DATABASE

? BACKUP LOG

? CREATE DATABASE

? CREATE DEFAULT

? CREATE FUNCTION

? CREATE PROCEDURE

·创建规则

·创建表

·创建视图

暗示性权限

暗示性权限控制那些只能由预定义系统角色的成员或数据库对象所有者执行的活动。例如 固定服务器角色成员自动继承在SQLsysadmin

服务器安装中进行操作或查看的全部权限。

数据库对象所有者还有暗示性权限可以对所拥有的对象执行一切活动。例如拥有表的用户可以查看、添加或删除数据更改表定义或控制允许其他用户对表进行操作的权限。d b_o wn e r在数据库中有全部权限。

db_accessadmin可以添加或删除用户ID。db_securityadmin可以管理全部权限、对象所有权、角色和角色成员资格。db_ddladmin可以发出所有DDL但不能发出格兰特、撤销或否认语句。db_backupoperator可以发出DBCC、检查站和备份语句。db_datareader可以选择数据库内任何用户表中的所有数据。db_datawri ter可以更改数据库内任何用户表中的所有数据。db_denydatareader不能选择数据库内任何用户表中的任何数据。db_denydatawriter不能更改数据库内任何用户表中的任何数据。在这儿把新建的数据库角色的权限配置好比如需要使用哪个表、视图、存储过程等。然后把db_owner和db_securityadmin、db_backupoperator取消不给攻击者备份

和创建数据库

表的机会一但攻击者具有这两个权限那么你的网站就还处在十分危险的状态。还有注意一下在创建数据库账号时千万不能对服务器角色进行选择。

第四步是修改内置存储过程SQL SQL Server。

服务器估计是为了安装或者其它方面它内置了一批危险的存储过程。能读到注册表信息能写入注册表信息能读磁盘共享信息等等. . . . . .各位看到这儿心里可能会在想我的网站中有其它的代码又不像查询分析器那样能查接将结果输出。给你这个权限又不能怎么样还是看不到信息。如果各位这样想就大错特错了提示一下如果攻击者有创建。

表的权限那么创建一个临时表然后将信息插入到表中然选择出来接着跟数字进行比较让SQL

服务器报错那么结果就全出来了. . . . . .所以我们要报着宁错杀不放过的态度进行修补。

先来列出危险的内置存储过程xp_cmdshellxp_regaddmultistringxp_regdeletekeyxp_regdeletevaluexp_regenumkeysxp_regenumvaluesxp_regreadxp_regremovemult istring

无忧云:洛阳/大连BGP云服务器38.4元/月,雅安物理机服务器315元/月起,香港荃湾CN2限时5折优惠

无忧云怎么样?无忧云是一家成立于2017年的老牌商家旗下的服务器销售品牌,现由深圳市云上无忧网络科技有限公司运营,是正规持证IDC/ISP/IRCS商家,主要销售国内、中国香港、国外服务器产品,线路有腾讯云国外线路、自营香港CN2线路等,都是中国大陆直连线路,非常适合免备案建站业务需求和各种负载较高的项目,同时国内服务器也有多个BGP以及高防节点,目前商家开启了夏日清凉补贴活动,商家的机器还是非常...

Sharktech($49/月),10G端口 32GB内存,鲨鱼机房新用户赠送$50

Sharktech 鲨鱼机房商家我们是不是算比较熟悉的,因为有很多的服务商渠道的高防服务器都是拿他们家的机器然后部署高防VPS主机的,不过这几年Sharktech商家有自己直接销售云服务器产品,比如看到有新增公有云主机有促销活动,一般有人可能买回去自己搭建虚拟主机拆分销售的,有的也是自用的。有看到不少网友在分享到鲨鱼机房商家促销活动期间,有赠送开通公有云主机$50,可以购买最低配置的,$49/月的...

收到几个新商家投稿(HostMem,无忧云,青云互联,TTcloud,亚洲云端,趣米云),一起发布排名不分先后

7月份已经过去了一半,炎热的夏季已经来临了,主机圈也开始了大量的夏季促销攻势,近期收到一些商家投稿信息,提供欧美或者亚洲地区主机产品,价格优惠,这里做一个汇总,方便大家参考,排名不分先后,以邮件顺序,少部分因为促销具有一定的时效性,价格已经恢复故暂未列出。HostMem部落曾经分享过一次Hostmem的信息,这是一家提供动态云和经典云的国人VPS商家,其中动态云硬件按小时计费,流量按需使用;而经典...

动网论坛为你推荐
少儿英语哪个好少儿英语哪套教材好哪里好呢?宝来和朗逸哪个好朗逸 和 宝来 哪个好?二手车网站哪个好想买台二手车,哪个二手车网站靠谱手机音乐播放器哪个好手机音乐播放器音质好的APP是那款英语词典哪个好买什么英语词典比较好加速器哪个好主流加速器哪个好海克斯皮肤哪个好诺手二周年皮肤好不好,和海克斯那个比哪个好,二周年属于稀有吗qq空间登录不上为什么我登不进去QQ空间考生个人空间登录湖南高等教育自学考试 考生个人空间登录密码忘记了怎么办电信10000宽带测速电信宽带速度
网站域名备案 希网动态域名 瓦工 私人服务器 青果网 地址大全 建站代码 ibrs php空间申请 什么是刀片服务器 100mbps 酷番云 环聊 宏讯 中国域名 ssl加速 ncp winds web是什么意思 删除域名 更多