SQL SERVER AGENT SECURITY

最新推荐文章于 2022-05-24 11:08:37 发布
最新推荐文章于 2022-05-24 11:08:37 发布
阅读量1.2k 收藏 1
点赞数
文章标签: sql server security passwords permissions properties encryption
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/superdinosaur520/article/details/1599228
版权

非常不错的文章:

APPLICATION   SECURITY,   INC.   |   WWW.APPSECINC.COM  
  HUNTING   FLAWS   IN   SQL   SERVER  
  INTRODUCTION  
  This   paper   will   discuss   a   number   of   recently   discovered   vulnerabilities   in   Microsoft   SQL   Server  
  and   will   demonstrate   the   techniques   used   by   the   author   to   find   these   security   holes.  
  COLLECTING   PASSWORDS  
  When   SQL   Server   is   running   using   mixed-mode   authentication,   login   passwords   are   saved   in  
  various   locations.   Some   passwords   are   saved   using   strong   encryption   and   permissions   (such   as  
  the   passwords   saved   in   master.dbo.sysxlogins),   but   many   of   them   are   saved   using   weak  
  encryption   (most   accurately   referred   to   as   encoding)   and   weak   default   permissions.   You   may   be  
  asking,   “Why   passwords   are   saved   with   weak   encryption?”   The   reason   is   that   these   passwords  
  must   later   be   extracted   and   used   by   SQL   Server   to   establish   connections   with   itself   and   other  
  SQL   Servers.   This   occurs   during   many   of   the   batch   processes   that   SQL   Server   relies   on,  
  including   replication,   jobs   scheduled   through   the   SQL   Agent,   and   DTS   packages.  
  Using   various   techniques,   such   as   examine   system   tables   and   stored   procedures   or   running   tools  
  such   as   SQL   Profiler,   we   can   determine   where   and   how   these   passwords   are   saved.   Typically  
  system   tables   that   hold   these   passwords   are   properly   secure,   that   is   only   if   dbo   has   permissions  
  to   select   from   the   table.   There   are,   however,   system   stored   procedures   that   access   these   tables  
  -   so   looking   at   these   stored   procedures   is   a   good   place   to   start.  
  SQL   AGENT   PASSWORD  
  We   start   by   looking   at   the   SQL   Agent   configuration   from   within   SQL   Enterprise   Manager.   Select  
  the   node   <SQLServerName>/Management/SQL   Server   Agent.   Then   click   the   right   mouse   button  
  and   select   Properties   from   the   popup   menu.   Within   the   “Connection”   tab   you   will   see   that   the  
  SQL   Server   Agent   can   be   configured   to   connect   using   standard   SQL   Server   authentication   with   a  
  login   in   the   sysadmin   role.   This   information   must   be   saved   some   place   in   order   for   SQL   Agent   to  
  later   access   the   password   and   connect   to   the   SQL   Server,   so   we   start   a   new   trace   in   SQL   Profiler  
  to   see   what   happens   behind   the   scenes.   Set   the   login   to   “sa”   and   set   the   password   to   “a”.   We  
  can   see   the   difference   between   the   two   SQL   statements   in   SQL   Profiler.  
  EXECUTE   msdb.dbo.sp_set_SQLagent_properties   @host_login_name   =   'sa’,   @host_login_password   =   0x6e1c7e83d0a487d623fc7cd689b8e702cc416bcd8d18c28ee0a4ba37c97ccfb5  
  Performing   the   same   action   but   setting   a   password   of   “aaaaaaaaaa”,   we   execute   the   following  
  statement.  
  EXECUTE   msdb.dbo.sp_set_SQLagent_properties   @host_login_name   =   'sa’,   @host_login_password   =   0x6e1c1f1b809cb8a1a1acd3c2cb1cce7e0a099592a03ab7979f196de0b6898deb  
  We   can   see   that   the   encrypted   password   is   passed   to   the   stored   procedure  
  sp_set_SQLagent_properties.   In   the   stored   procedure   we   see:  
  EXECUTE   master.dbo.xp_SQLagent_param   1,   N'HostPassword',   @host_login_password  
  The   encrypted   password   is   finally   saved   by   the   extended   stored   procedure   xp_SQLagent_param  
  -   but   where   is   it   saved?   We   must   assume   that   it   is   not   saved   in   a   system   table   because   the  
   
  APPLICATION   SECURITY,   INC.   |   WWW.APPSECINC.COM  
  HUNTING   FLAWS   IN   SQL   SERVER  
  password   is   used   to   connect   to   SQL   Server   so   the   Agent   would   need   to   access   the   password  
  before   connecting   to   the   database.   Given   that   it   is   not   saved   in   a   table   then   it   is   probably   saved  
  in   the   registry.   We   can   run   Regmon.exe   (Registry   Monitor   tool   from  
  http://www.sysinternals.com/ntw2k/utilities.shtml)   and   see   where   it’s   saved.   We   will   find   that   it   is  
  saved   under   the   LSA   Secrets   key:  
  HKLM/security/policy/secrets/SQLSERVERAGENT_HostPassword/currval  
  Only   the   Windows   LocalSystem   account   has   permissions   to   access   this   registry   key.   Even  
  Windows   Administrators   cannot   access   this   area,   although   they   can   take   ownership   and   give  
  themselves   permissions   to   these   keys.   Now   we   know   how   and   where   the   encoded   password   is  
  saved,   but   how   is   it   retrieved   when   Enterprise   Manager   displays   the   SQL   Agent   properties?   Well,  
  we   select   SQL   Server   Agent   properties   in   Enterprise   Manager   again   and   then   record   the   SQL  
  sent   through   SQL   Profiler.   We   see   this   statement:  
  EXECUTE   msdb.dbo.sp_get_SQLagent_properties  
  We   start   SQL   Query   Analyzer,   execute   the   query,   and   see   that   most   of   the   properties   of   the   SQL  
  Server   Agent   are   returned   -   even   the   encrypted   password!   But   which   users   can   execute  
  sp_get_SQLagent_properties.   To   determine   this   we   execute   the   following   statement.  
  EXECUTE   sp_helprotect   sp_get_SQLagent_properties  
  The   results   are   as   follows:  
  Owner   Object   Grantee   Grantor   ProtectType   Action   Column   dbo   sp_get_SQLagent_properties   public   dbo   Grant   Execute   .  
  Cool!   We   have   discovered   a   security   hole   that   can   be   used   by   any   user   in   the   database!   We  
  have   the   encrypted   password   –   now   we   must   figure   out   how   to   decrypt   it.   We   go   back   and   look  
  at   the   passwords:  
  The   encrypted   version   of   the   password   (a)   is:  
  0x6e1c7e83d0a487d623fc7cd689b8e702cc416bcd8d18c28ee0a4ba37c97ccfb5  
  The   encrypted   version   of   the   password   (aaaaaaaaaa)   is:  
  0x6e1c1f1b809cb8a1a1acd3c2cb1cce7e0a099592a03ab7979f196de0b6898deb  
  Upon   first   analysis,   we   can   see   that   the   first   two   bytes   are   the   same   in   both   encrypted   passwords.  
  Upon   further   analysis   we   realize   that   the   encryption   algorithm   used   is   a   simple   XOR   with   a  
  positional   key   depending   on   the   previous   character.   We   can   do   a   chosen   plain-text   attack  
  knowing   that   the   first   character   is   always   XOR’ed   with   a   fixed   key.   Why   not   look   for   the   function  
  used   by   Enterprise   Manager   to   encrypt   the   password.   (Special   thanks   to   Jimmers   for   discovering  
  and   sharing   the   following)   After   some   research,   we   find   that   SEMCOMN.DLL   (located   in   SQL  
  Server   Instance   Binn   folder)   has   a   Decrypt()   function   that   can   be   used   to   decrypt   the   password.  
  So   we   can   code   a   simple   program   and   use   the   Decrypt()   function   to   get   the   clear   text   password.  
  Ok,   now   we   have   the   password   for   a   login   that   has   been   granted   the   sysadmin   role.   The   server  
  belongs   to   us   at   this   point!   It   is   important   to   note   that   if   we   are   successful   in   the   previous   attack,  
  we   can   now   get   system   or   administrator   privileges   over   the   OS   with   additional   attacks.   This   is  
  because   if   the   SQL   Server   Agent   is   configured   to   connect   to   SQL   Server   using   SQL   Server  
  authentication,   the   SQL   Server   Agent   must   run   under   the   LocalSystem   account   or   an  
  Administrator   account   in   order   to   have   permissions   to   successful   retrieve   the   encrypted   password  
  from   the   registry.  

superdinosaur520
关注
Windows Server 2022 Install Sql Server 2022
极致,细节
02-07 850
(16.x) 在早期版本的基础上构建,旨在将 SQL Server 发展成一个平台,以提供开发语言、数据类型、本地或云环境以及操作系统选项。(SSMS) 是一种集成环境,用于管理从 SQL Server 到 Azure SQL 数据库的任何 SQL 基础结构。SSMS 提供用于配置、监视和管理 SQL Server 和数据库实例的工具。使用 SSMS 部署、监视和升级应用程序使用的数据层组件,以及生成查询和脚本。使用 SSMS 在本地计算机或云端查询、设计和管理数据库及数据仓库,无论它们位于何处。
0x84bb0001 sqlserver_Error Code 0x84BB0001 when installing SQL Server 2016
weixin_39619174的博客
12-22 1458
问题OS: Windows Server 2012 R2When attempting to install SQL Server 2016 on a Server that is already running SQL 2012 I receive 0x84BB0001. This stops my Database Engine Service from installing correctl...
SQL Server Agent Job 多服务器管理
weixin_30952535的博客
04-09 187
转载于:https://www.cnblogs.com/yuzg/p/8759497.html
[SQL Server]收集Agent job信息
小旭的技术博客
09-30 1277
select a.name 'Job名称', case when (c.freq_type=4 and c.freq_subday_type=4) then ('每'+convert(varchar,c.freq_subday_interval)+'分钟')      whe
SQL Server数据库里的Management里的SQL Server Agent里的Jobs是个定时运行功能(死亡;历险)
的专栏
11-27 1054
SQL Server数据库里的Management里的SQL Server Agent里的Jobs是个定时运行功能先在Jobs上按右键建立一事件New Job...在Steps里的Command里写:BACKUP DATABASE [lw_report] TO  DISK = Nd:/backup/lw_report.bak WITH  INIT ,  NOUNLOAD ,  NAME
查询Sql Server Agent 的job的执行情况。
weixin_34419321的博客
10-12 545
查询Sql Server Agent 的job的执行情况。 //有关SqlJob的信息在database(msdb)内查询。select j.job_id, j.name, j.enabled, jh.run_status, js.last_outcome_message, jh.run_date, jh.step_name, jh.ru...
通过SQL Server Agent方式实现数据库自动备份!
大智若驴
10-16 741
--用JOB. --SQL SERVER2000为例 企业管理器—>数据库服务器—>管理目录—>SQL SERVER代理—>作业—>右键 选—>新建 常规选项页—>输入作业名称—>选中所有者。 步骤选项页—>新建—>输入步骤名—>类型 TSQL脚本—>选择需要执行的数据库—>在命令框里输入你的SQL 脚本:如:Backup Database tedmdb To Disk=D:/test.bak
SQL Server 2008 R2占用cpu、内存越来越大的两种解决方法
01-19
net stop sqlserveragent net stop mssqlserver net start mssqlserver net start sqlserveragent 第二种: 进入Sql server 企业管理器(管理数据库和表的,这个都不知道就不用往下看了),在数据库服务器名称上点击...
sql agent sql 代理操作手册
10-25
### SQL Server Agent与凭据应用详解 #### 一、引言 SQL Server AgentSQL Server 中一项非常重要的功能,它能够自动执行计划好的任务(如备份数据库、清理日志等),极大地方便了数据库管理员的工作。然而,在...
SQL SERVER 2008 发布订阅到SQL Server 2017避坑指南
A_single_cat的博客
05-24 1365
    使用SQL Server Management Studio创建发布与订阅的相关操作参考这里或官网文档, 本文主要记录在配置过程中遇到的坑     1.由于出现操作系统错误 3,进程无法读取文件“"C:\Program Files\Microsoft SQL Server\MSSQL10_50.MSSQLSERVER\MSSQL\ReplData\unc\NETNETNET- PC_CLOUDTRADB_SOA_LNGZ
查询sql agent job的明细
keenweiwei的专栏
12-27 2233
SELECT b.[name] [JobName] ,b.enabled [Enabled] ,a.step_id [StepID] ,b.description [JobDescription] ,a.step_name [StepName] ,a.command [Script] FROM msdb.dbo.sysjobsteps a INNER JOIN msdb.dbo.sys
SQL Server ->> 关于SQL Server Agent Job执行步骤时的用户上下文(User Context)问题
weixin_30248399的博客
12-11 278
这是最近项目相关和自己感兴趣的一个问题:SQL Server Agent Job有几种方法可以以特定用户上下文去执行任务步骤的? 这个事情需要分几种情况来说,因为对于不同类型的任务步骤,SQL Server Agent Job是不同对待的。 做几个实验来实验SQL Server Agent Job对于不同配置先对于用户上下文的处理。 首先创建一张测试表 USE [tem...
存储过程中通过SQL调用JOB
li_jerry的博客
01-10 734
众所周知,SQL Server Agent中可以调用JOB,并且设置Schedule,但除了在在Agent中调用之外,微软还提供了其他几种调用方式: 通过C#调用 通过SQL调用 这里我们详细介绍下通过SQL 调用JOB。 首先所有JOB的都存储在系统数据库MSDB中: 2. 启动JOB 存储过程:(test为JOB名称) EXEC msdb.dbo.sp_start_job N'test' 3. 停止JOB 存储过程:(test为JOB名称) ...
SQL Server 作业监控
java开发指南博客 【转载】
05-28 244
在讲解SQLServer Agent Jobs之前,先要讲解msdb。 Msdb是SQLServer的系统数据库之一,用于存储SQLServer的配置、元数据等信息。包括: l SQLServer Agent Jobs,Job Steps,Job schedules,Alerts,Operators,等等。 l Service Broker,Log Shipping,Backups/rest...
Different ways to execute a SQL Agent job
GRANDTREE的专栏
04-20 918
Different ways to execute a SQL Agent jobWritten By: Divya Agrawal -- 4/15/2009 -- 0 comments      Stay informed - get the MSSQLTips.com newsletter and win - click here    
SQL Server Agent
weixin_34114823的博客
04-19 182
SQL Server Agent 一个微软的windows服务, 它会定时执行通常叫做job的管理任务.   SQL Server Angent使用SQL Server来存储job information. job包含一个或多个job的steps. 每一个step包含它自己的task, 比如说备份一个数据库.   SQL Server Agent可以定时地执行作业, 也可以相应某个具体的事件执行...
SQL Server系统数据库– msdb数据库
culuo4781的博客
07-25 5926
介绍 (Introduction) This article is the third I am writing about Microsoft SQL system databases. 本文是我正在撰写的有关Microsoft SQL系统数据库的第三篇文章。 The first article Configuration, operations and rest...
SQL Server 阻止了对组件 'Agent XPs' 的 过程 'dbo.sp_set_sqlagent_properties' 的访问,因为此组件已作为此服务器安全配置的一部分而被关闭。
若北冥的专栏
10-25 4581
 详情请参阅:http://technet.microsoft.com/zh-cn/library/ms178127(SQL.90).aspx
'sp_sqlagent_update_agent_xps' 沒有 EXECUTE 權限
softuse的博客
05-15 3733
0登入以投票想請問各位一下,資料庫是由Express版本升級成Standard版本,SQL Server Agent一直啟動失敗,顯示服務啟動之後又停止。錯誤記錄檔如下,請問如何解決?謝謝。[393] 正在等候 SQL Server 復原資料庫 'msdb'...[298] SQLServer 錯誤: 229,結構描述 'dbo',資料庫 'msdb',物件 'sp_sqlagent_update...
sqlserveragent
最新发布
01-17
SQL Server AgentSQL Server的作业调度和警报服务。它允许你在SQL Server中创建和管理作业,这些作业可以定期执行一系列任务,例如备份数据库、清理日志文件等。此外,SQL Server Agent还可以监视数据库的状态并在...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值