Ten techniques or tools for probing SQL Server 2000 vulnerabilities





A good article that introduces ten tools and techniques for "attacking" SQL Server 2000 or SQL Server 2005 and finding the vulnerabilities they may have: Ten hacker tricks to exploit SQL Server systems, searchsqlserver.techtarget./tip/1,289483,sid87_gci1165052_tax301336,00.htmlOfferSQLwnha217. It naturally covers many SQL security testing tools:

DShield\'s Port Report
WebInspect
QualysGuard
NGSSquirrel for SQL Server
SQLPing v 2.5
AppDetective
Metasploit
SQL Injector
Absinthe

After reading this article, I feel that every SQL Server 2000 has vulnerabilities that can be "dug up" and "explored" (fortunately, most deployments now use SQL Server 2005), and I remind myself that every time I deploy SQL Server 2000/2005 from now on, I should pick a few tools from this toolbox and try them. SQL injection is everywhere, so one must stay security-vigilant at all times.

1. I recently saw an analysis of programmer recruitment in which "Writing Secure Code" and application security defense models made up a large share, as demanding as the degree of mastery of the programming language required of you.

2. Will the debate over Dynamic SQL versus stored procedures also come to an end? For any database, using "Dynamic SQL" brings the possibility of SQL injection. Stored procedures would be a good, or at least an effective, way to use both; for the operations and maintenance side, Dynamic SQL is simply a risk. The ACE Team Security, Performance & Privacy WebLog is a good resource.

Reposted from 吝啬的神's blog
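The Dynamic SQL point in the commentary above, as an added example that is not from the original post or from the cited article: the same lookup written once by string concatenation (dynamic SQL) and once with a bound parameter. It uses Python's sqlite3 module so it runs anywhere; the users table, its rows and the probe input are constructed for the example. On SQL Server the parameterized form corresponds to passing parameters through sp_executesql or a stored procedure rather than building the statement with string concatenation.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for a users table on the database server."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn


def lookup_dynamic(conn, name):
    """Dynamic SQL: the caller's value is pasted into the statement text, so the
    database parses it as SQL. This is the pattern the commentary calls a risk."""
    sql = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Parameterized query: the statement text is fixed and the value is bound as
    data, so quotes or SQL keywords inside it are never interpreted."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


def dynamic_chokes_on_apostrophe(conn, name):
    """Concatenation also breaks on legitimate data such as O'Brien: the stray
    quote makes the statement unparsable. Returns True if the query failed."""
    try:
        lookup_dynamic(conn, name)
    except sqlite3.OperationalError:
        return True
    return False


if __name__ == "__main__":
    db = make_db()
    probe = "x' OR '1'='1"   # constructed input a tester would use to see whether the value is parsed as SQL
    print("dynamic, normal input      :", lookup_dynamic(db, "bob"))
    print("dynamic, probe input       :", lookup_dynamic(db, probe))        # returns every row
    print("parameterized, probe input :", lookup_parameterized(db, probe))  # returns nothing
    print("dynamic breaks on O'Brien  :", dynamic_chokes_on_apostrophe(db, "O'Brien"))
```

The dynamic version returns all three rows for the probe input because the WHERE clause has been rewritten into `name = 'x' OR '1'='1'`; the parameterized version looks for a user literally named `x' OR '1'='1` and finds none. The apostrophe case shows that the fix is also a correctness fix, not only a security one.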

..........................

Ten hacker tricks to exploit SQL Server systems

Kevin Beaver, CISSP
02.08.2006
Rating: 4.17 (out of 5)





Whether it is through manual poking and prodding or the use of security testing tools, malicious attackers employ a variety of tricks to break into SQL Server systems, both inside and outside your firewall. It stands to reason then, if the hackers are doing it, you need to carry the same attacks to test the security strength of your systems. Here are 10 hacker tricks to gain access and violate systems running SQL Server.

1. Direct connections via the Internet

These connections can be used to attach to SQL Servers sitting naked without firewall protection for the entire world to see (and access). DShield's Port Report shows just how many systems are sitting out there waiting to be attacked. I don't understand the logic behind making a critical server like this directly accessible from the Internet, but I still find this flaw in my assessments, and we all remember the effect the SQL Slammer worm had on so many vulnerable SQL Server systems. Nevertheless, these direct attacks can lead to denial of service, buffer overflows and more.

2. Vulnerability scanning

Vulnerability scanning often reveals weaknesses in the underlying OS, the Web application or the database system itself. Anything from missing SQL Server patches to Internet Information Services (IIS) configuration weaknesses to SNMP exploits can be uncovered by attackers and lead to database server compromise. The bad guys may use open source, homegrown or commercial tools. Some are even savvy enough to carry out their hacks manually from a command prompt. In the interest of time (and minimal wheel spinning), I recommend using commercial vulnerability assessment tools like QualysGuard from Qualys Inc. (for general scanning), WebInspect from SPI Dynamics (for Web application scanning) and Next Generation Security Software Ltd.'s NGSSquirrel for SQL Server (for database-specific scanning). They're easy to use, offer the most comprehensive assessment and, in turn, provide the best results. Figure 1 shows some SQL injection vulnerabilities you may be able to uncover.

Figure 1: Common SQL injection vulnerabilities found using WebInspect.

3. Enumerating the SQL Server Resolution Service

Running on UDP port 1434, this allows you to find hidden database instances and probe deeper into the system. Chip Andrews' SQLPing v 2.5 is a great tool to use to look for SQL Server system(s) and determine version numbers (somewhat). This works even if your SQL Server instances aren't listening on the default ports. Also, a buffer overflow can occur when an overly long request for SQL Servers is sent to the broadcast address for UDP port 1434.
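Tricks 1 and 3 both come down to SQL Server ports reachable from where they should not be: TCP 1433 exposed to the Internet, and Resolution Service traffic on UDP 1434 arriving from outside or aimed at a broadcast address. The following detection pass over firewall log lines is an added example, not code from the article or from any tool it names. The key=value log format, the sample lines, the RFC 1918 definition of "internal", the /24 broadcast heuristic and the 100-byte request-size threshold are all assumptions made for this example.

```python
import ipaddress
import re
from collections import Counter

# Constructed firewall log lines in an assumed key=value format (not from the article).
# 10.0.0.10 is the SQL Server host, 10.0.0.255 the subnet broadcast address,
# 203.0.113.7 and 198.51.100.4 stand in for Internet sources.
SAMPLE_LOG = """\
2006-02-08T19:18:01 ALLOW proto=UDP src=203.0.113.7 dst=10.0.0.10 sport=40511 dport=1434 len=404
2006-02-08T19:18:02 ALLOW proto=TCP src=10.0.0.5 dst=10.0.0.10 sport=50001 dport=1433 len=60
2006-02-08T19:18:03 ALLOW proto=UDP src=10.0.0.9 dst=10.0.0.255 sport=1434 dport=1434 len=29
2006-02-08T19:18:04 ALLOW proto=TCP src=198.51.100.4 dst=10.0.0.10 sport=44021 dport=1433 len=60
2006-02-08T19:18:05 ALLOW proto=UDP src=10.0.0.9 dst=10.0.0.10 sport=1434 dport=1434 len=29
2006-02-08T19:18:06 ALLOW proto=TCP src=10.0.0.5 dst=10.0.0.10 sport=50002 dport=80 len=60
"""

LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"sport=\d+ dport=(?P<dport>\d+) len=(?P<len>\d+)"
)

# The two ports the article discusses: the default TCP listener and the Resolution Service.
SQL_PORTS = {("TCP", 1433), ("UDP", 1434)}

# Assumption: RFC 1918 ranges are "inside"; any other source is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumption: a normal Resolution Service query is a few bytes, so anything larger
# than this constructed threshold is worth a look (the article's "overly long request").
MAX_SSRP_REQUEST_LEN = 100


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def is_broadcast(addr):
    # Heuristic assuming /24 subnets: host octet 255, or the limited broadcast address.
    return addr.packed[-1] == 255 or addr == ipaddress.ip_address("255.255.255.255")


def classify(line):
    """Return a tuple of finding names for one line, or None if it is not SQL Server traffic."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    proto, dport = m["proto"].upper(), int(m["dport"])
    if (proto, dport) not in SQL_PORTS:
        return None
    src = ipaddress.ip_address(m["src"])
    dst = ipaddress.ip_address(m["dst"])
    length = int(m["len"])
    findings = []
    if not is_internal(src):
        findings.append("external-source")          # trick 1: reachable from the Internet
    if proto == "UDP" and is_broadcast(dst):
        findings.append("broadcast-udp-1434")       # trick 3: instance discovery by broadcast
    if proto == "UDP" and length > MAX_SSRP_REQUEST_LEN:
        findings.append("oversized-udp-1434")       # trick 3: overly long Resolution Service request
    return tuple(findings)


def scan(log_text):
    """Return (src, proto, dport, findings) for every line that produced at least one finding."""
    results = []
    for line in log_text.splitlines():
        findings = classify(line)
        if findings:
            m = LINE_RE.search(line)
            results.append((m["src"], m["proto"].upper(), int(m["dport"]), findings))
    return results


def summarize(results):
    """Count how often each finding occurred across the scan."""
    return Counter(f for _, _, _, findings in results for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for src, proto, dport, findings in hits:
        print(f"{src:>15} {proto}/{dport}: {', '.join(findings)}")
    print(dict(summarize(hits)))
```

Internal unicast traffic to 1433 and 1434 (lines 2 and 5) is left alone, since that is what a LAN client or SQLPing run from inside looks like; the three flagged lines are the ones the article says should not exist on a firewalled server. Python's `ipaddress.is_private` is deliberately not used, because it also classifies the documentation ranges used in the sample as private.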

4. Cracking SA passwords

Deciphering SA passwords is also used by attackers to get into SQL Server databases. Unfortunately, in many cases, no cracking is needed since no password has been assigned (Oh, logic, where art thou!). Yet another use for the handy-dandy SQLPing tool mentioned earlier. The commercial products AppDetective from Application Security Inc. and NGSSQLCrack from NGS Software Ltd. also have this capability.

5. Direct-exploit attacks

Direct attacks using tools such as Metasploit, shown in Figure 2, and its commercial equivalents (CANVAS and CORE IMPACT) are used to exploit certain vulnerabilities found during normal vulnerability scanning. This is typically the silver-bullet hack for attackers penetrating a system and performing code injection or gaining unauthorized command-line access.
