SQL Server Forums
 sql injection
mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/09/2004 : 01:31:55
quote:
Originally posted by Merkin

Can you actually select from it ?

Try SELECT * FROM master..sysdatabases

Does that return any results ?


Damian



yes I can select the whole table... any ideas?


ODD

mike123

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/09/2004 : 01:33:12
quote:
Originally posted by joldham

Is the Mike account a Windows Account or a SQL Account? If it is a Windows Account, then if Mike is a Machine Administrator, then he would have access to everything in the SQL database as an Administrator of the machine (I think).



thanks, mike is actually just a SQL account

mike123

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/09/2004 : 01:42:56

I am still analyzing the log files. I had to move them to a separate server because they are so large I store them in RAR format. I can't unrar them all because I do not have enough space.

I will go thru all the logs tonight and see what happened. If he did read from my master database, is there any way he could find out passwords for logins from that database? I am not sure what information the master database holds that I should worry about. It appears no data has been messed with; I just want to know as best I can what info could possibly get out, and whether I should be worried about him getting my login info / passwords etc. for the actual SQL box, or anything similar in nature.


Thanks again everybody for continued support -- rounds for everybody!



mike123
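
For the log review described in the post above, one way to triage large web logs is to flag only requests whose decoded query string names master catalog objects. This is an added example, not code from anyone in this thread; it assumes W3C extended format logs with a `#Fields:` header, and the names `scan`, `decode`, `MARKERS` and the sample lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Catalog objects and procedures named in this thread; extend for your own review.
MARKERS = re.compile(
    r"master\.(?:dbo)?\.|sysdatabases|syslogins|sp_addlogin|sp_droplogin",
    re.IGNORECASE,
)

def decode(query):
    """URL-decode up to three times so double-encoded text is also inspected."""
    for _ in range(3):
        decoded = unquote_plus(query)
        if decoded == query:
            break
        query = decoded
    return query

def scan(lines):
    """Yield (date, time, client IP, URI stem, markers) for each flagged request."""
    fields = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order for the rows that follow
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split(" ")))
        text = decode(row.get("cs-uri-query", ""))
        found = sorted({m.lower() for m in MARKERS.findall(text)})
        if found:
            yield (row.get("date"), row.get("time"), row.get("c-ip"),
                   row.get("cs-uri-stem"), found)

# Constructed sample lines (assumed W3C extended format), not the poster's logs.
SAMPLE = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-01-08 22:14:03 192.0.2.10 GET /products.asp id=17 200
2004-01-08 22:14:09 192.0.2.44 GET /products.asp id=17;select+*+from+master..sysdatabases 500
2004-01-08 22:14:31 192.0.2.44 GET /products.asp id=17%253Bselect%2520name%2520from%2520MASTER.dbo.syslogins 500
2004-01-08 22:15:02 192.0.2.10 GET /default.asp - 200
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

Because `scan` accepts any iterable of lines, it can read a stream from an archive tool, so compressed logs do not have to be fully extracted to disk first.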

tkizer
Almighty SQL Goddess

USA
36599 Posts

Posted - 01/09/2004 : 12:06:39
The passwords are stored in the master database. But the only thing that he can do with them is something like this:


-- Copies SQL Server logins (not Windows logins) that have access to the DTS
-- database to the linked server SDDEVSQL1. The stored, already-encrypted
-- password value is passed through unchanged (skip_encryption), so the
-- clear-text password is never needed.
CREATE PROCEDURE isp_Transfer_Logins
AS

SET NOCOUNT ON

DECLARE @login sysname
DECLARE @pwd sysname

DECLARE cur_Users CURSOR FOR
SELECT l.name, l.password
FROM master.dbo.syslogins l
INNER JOIN DTS.dbo.sysusers u ON l.sid = u.sid
WHERE (l.isntname = 0) AND (u.islogin = 1 AND u.isaliased = 0 AND u.hasdbaccess = 1)
ORDER BY u.name

OPEN cur_Users

FETCH cur_Users INTO @login, @pwd

WHILE @@FETCH_STATUS = 0
BEGIN
    -- If the login does not exist on the destination server, then add it.
    IF ((SELECT count(*) FROM SDDEVSQL1.master.dbo.syslogins WHERE name = @login) = 0)
    BEGIN
        EXEC SDDEVSQL1.master.dbo.sp_addlogin @loginame = @login, @passwd = @pwd, @encryptopt = 'skip_encryption', @defdb = 'QTRACS'
    END

    -- If the login does exist on the destination server, then synchronize the password.
    ELSE
    BEGIN
        EXEC SDDEVSQL1.master.dbo.sp_droplogin @login
        EXEC SDDEVSQL1.master.dbo.sp_addlogin @loginame = @login, @passwd = @pwd, @encryptopt = 'skip_encryption', @defdb = 'QTRACS'
    END

    FETCH cur_Users INTO @login, @pwd
END

CLOSE cur_Users
DEALLOCATE cur_Users

RETURN
GO



Tara

mike123
Flowing Fount of Yak Knowledge

1462 Posts

Posted - 01/09/2004 : 16:09:00

thanks tara,

so looks like he can't just read the password directly. I really doubt he was able to execute that code with SQL injection.

I should probably change the password anyway?

Thanks for your help

mike123

tkizer
Almighty SQL Goddess

USA
36599 Posts

Posted - 01/09/2004 : 16:13:13
I would change the passwords just in case. It doesn't hurt to be on the safe side.

Tara

AjarnMark
SQL Slashing Gunting Master

USA
3246 Posts

Posted - 01/11/2004 : 03:11:20
Mike,

The reason your mike login can read the info from Master without specifically being granted permissions is that it is using the guest/public permissions. You can explicitly DENY permissions for that user (either your specific one or the guest) in the master database, but I'd do some serious testing of that before going too wild with it, to find out what impact that has on your ability to function.

--------------------------------------------------------------
Find more words of wisdom at http://weblogs.sqlteam.com/markc
SQL Server Forums © 2000-2009 SQLTeam Publishing, LLC