Common database attacks include weak passwords, SQL injection, privilege escalation, backup theft, etc. By analyzing the database logs you can identify the attack behaviour, reconstruct the attack scenario and trace the attack source.
0x01 MSSQL Log Analysis
First, the MSSQL database must have login logging enabled. By default only failed logins are recorded; change this setting to both failed and successful logins so that user logins can be audited.
Log in to SQL Server Management Studio and open Management > SQL Server Logs.
Double-click the log archive file to open the log file viewer, and you can filter or export logs.
In addition, MSSQL provides a tool, SQL Server Profiler, for finding performance and statement problems in SQL execution.
Log analysis cases:
In the Log File Viewer, select Filter, set the Source to "Logon" in the filter settings, check Apply filter, and click OK.
The filtering result clearly identifies the user login information, including the login time, login success, login account, and REMOTE login IP address.
The figure shows the result: client 192.168.204.1 attempted to log in with weak passwords, and a successful login record is found.
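The same weak-password pattern (a burst of failures followed by a success from one address) can be pulled out of the error log with T-SQL instead of clicking through the Log File Viewer. The following is an added example, not code from the original article; it assumes the audit level has been set to "both failed and successful logins" (the commented registry write is the same setting the SSMS dialog changes) and that the error log lines have the standard format shown in the comment. The threshold of 10 failures is an arbitrary constructed value.

```sql
-- Added example: summarise SQL Server login events per client IP.
-- Audit level as stored in the instance registry (0 none, 1 success,
-- 2 failure, 3 both); the SSMS "Login auditing" option writes the same value.
-- Takes effect after a service restart. Uncomment to apply.
-- EXEC master.dbo.xp_instance_regwrite
--     N'HKEY_LOCAL_MACHINE', N'Software\Microsoft\MSSQLServer\MSSQLServer',
--     N'AuditLevel', REG_DWORD, 3;

-- Error log lines this query expects (constructed samples):
--   Login failed for user 'sa'. Reason: Password did not match that for
--   the login provided. [CLIENT: 192.168.204.1]
--   Login succeeded for user 'sa'. Connection made using SQL Server
--   authentication. [CLIENT: 192.168.204.1]

IF OBJECT_ID('tempdb..#errlog') IS NOT NULL DROP TABLE #errlog;
CREATE TABLE #errlog (
    LogDate     DATETIME,
    ProcessInfo NVARCHAR(50),
    LogText     NVARCHAR(MAX)
);

-- xp_readerrorlog arguments: log number (0 = current), 1 = SQL Server log
-- (2 = Agent log), first search string, second search string.
INSERT INTO #errlog (LogDate, ProcessInfo, LogText)
EXEC master.dbo.xp_readerrorlog 0, 1, N'Login', NULL;

;WITH parsed AS (
    SELECT LogDate,
           CASE WHEN LogText LIKE 'Login succeeded%' THEN 1 ELSE 0 END AS Success,
           CASE WHEN LogText LIKE 'Login failed%'    THEN 1 ELSE 0 END AS Failure,
           -- login name sits between the first pair of single quotes
           SUBSTRING(LogText,
                     CHARINDEX('''', LogText) + 1,
                     CHARINDEX('''', LogText, CHARINDEX('''', LogText) + 1)
                       - CHARINDEX('''', LogText) - 1) AS LoginName,
           -- client address sits in the trailing "[CLIENT: x.x.x.x]"
           SUBSTRING(LogText,
                     CHARINDEX('[CLIENT: ', LogText) + 9,
                     CHARINDEX(']', LogText, CHARINDEX('[CLIENT: ', LogText))
                       - CHARINDEX('[CLIENT: ', LogText) - 9) AS ClientIP
    FROM #errlog
    WHERE LogText LIKE 'Login %'
      AND LogText LIKE '%[[]CLIENT: %'   -- [[] escapes the bracket for LIKE
)
SELECT ClientIP,
       LoginName,
       SUM(Failure)  AS Failures,
       SUM(Success)  AS Successes,
       MIN(LogDate)  AS FirstSeen,
       MAX(LogDate)  AS LastSeen,
       CASE WHEN SUM(Failure) >= 10 AND SUM(Success) > 0
            THEN 'many failures then success: possible weak-password break-in'
            WHEN SUM(Failure) >= 10
            THEN 'many failures: possible password guessing'
            ELSE '' END AS Assessment
FROM parsed
GROUP BY ClientIP, LoginName
ORDER BY Failures DESC, Successes DESC;
```

Pass a log number other than 0 as the first xp_readerrorlog argument to walk the archived logs the viewer lists; the message format is the same, so the parsing does not change. Sorting by failures brings the guessing source to the top, and the FirstSeen/LastSeen pair gives the window to correlate with web or firewall logs.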
0x02 SQL Injection Intrusion Trace
When exploiting a SQL injection vulnerability, an attacker will typically try sqlmap's --os-shell option to obtain a shell. If the operation is not cleaned up properly, some temporary tables and custom functions created by sqlmap may be left behind in the database.
Create a SQL injection point and enable Burp to listen on port 8080
`sqlmap.py -u "http://192.168.204.164/sql.asp?id=1" --os-shell --proxy=http://127.0.0.1:8080`
The HTTP exchange proceeds as follows:
sqlmap creates a temporary table, SQLMAPOutput, calls a stored procedure that executes the system command and writes its output into that table, and then reads the table to display the result on the front end.
By examining the structure and content of newly created tables in the database, you can determine whether a SQL injection attack has occurred.
Inspection Method:
1. Check the database tables
2. Check xp_cmdshell and other stored procedures
xp_cmdshell is disabled by default in MSSQL 2005 and later. Check whether xp_cmdshell is enabled:
`EXEC master.dbo.xp_cmdshell 'whoami'`
3. Combine this with the web logs: reviewing the size and contents of the database log files and audit log files alongside the web server logs also shows whether a SQL injection attack has occurred.
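Steps 1 and 2 can be run as a single inspection script instead of executing a command through xp_cmdshell to see whether it works. The following is an added example, not code from the original article: it lists leftover sqlmap objects across user databases, lists recently created objects in the current database, reads the xp_cmdshell state from sys.configurations, and pulls the configuration-change entries from the error log. The object-name patterns, the 7-day window and the "Configuration option" log text are assumptions based on sqlmap's usual table name (the article's SQLMAPOutput) and SQL Server's standard sp_configure message.

```sql
-- Added example: inspection script for sqlmap --os-shell residue.

-- 1. Leftover objects in every online user database. sqlmap creates its
--    temp table in whichever database the injected query runs in, so the
--    search is built dynamically over sys.databases.
DECLARE @sql NVARCHAR(MAX) = N'';
SELECT @sql += N' UNION ALL SELECT ' + QUOTENAME(name, '''') + N' AS db, '
             + N'o.name, o.type_desc, o.create_date, o.modify_date '
             + N'FROM ' + QUOTENAME(name) + N'.sys.objects AS o '
             + N'WHERE o.is_ms_shipped = 0 AND ('
             + N'o.name LIKE ''%sqlmap%'' OR o.name LIKE ''%output%'')'
FROM sys.databases
WHERE database_id > 4 AND state_desc = 'ONLINE';   -- skip system databases

IF LEN(@sql) > 0
BEGIN
    -- strip the leading ' UNION ALL ' (11 characters) from the first query
    SET @sql = STUFF(@sql, 1, 11, N'');
    EXEC sp_executesql @sql;
END;

-- 1b. Anything created in the current database in the last 7 days, sqlmap
--     or not; compare against the change log for the application.
SELECT DB_NAME() AS db, name, type_desc, create_date, modify_date
FROM sys.objects
WHERE is_ms_shipped = 0
  AND create_date >= DATEADD(DAY, -7, GETDATE())
ORDER BY create_date DESC;

-- 2. Command-execution paths: value_in_use = 1 means enabled.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'show advanced options');

-- 2b. When was it switched on? sp_configure logs a line such as
--     "Configuration option 'xp_cmdshell' changed from 0 to 1." to the error
--     log; the timestamp narrows down the injection window.
EXEC master.dbo.xp_readerrorlog 0, 1, N'Configuration option', N'xp_cmdshell';

-- 2c. If it is enabled and the application does not need it, disable it.
--     (Disabling hides evidence of nothing: the log entries from 2b remain.)
-- EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
```

Reading sys.configurations is preferable to executing a command through xp_cmdshell as a test, because it does not itself spawn a process, does not show up in the process-creation telemetry an investigation may be relying on, and reports the setting even when the calling login lacks permission to run the procedure. A hit in step 1 or a recent create_date in step 1b should be checked against the web server access log for the same period, as step 3 describes.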