Re: Is it possible to read/write a file at privilege?
- From: Erland Sommarskog <esquel@xxxxxxxxxxxxx>
- Date: Sat, 14 Jul 2007 22:05:59 +0000 (UTC)
dodol (Dolka1@xxxxxxxxx) writes:
> I saw some systems which were hacked by an sql injection tool
> And some files of the systems were changed. I guess the tool tried to
> read/write files.
> However, the user privilege is not 'sa'. Is it possible for a user who
> is not 'sa' to read/write files?
It could be another user with sysadmin rights. Or execution rights might
have been granted on xp_cmdshell or sp_OAxxx.
> If it is possible, how can I prevent the tools from reading/writing
> files even if my web page is injectable?
Make sure that xp_cmdshell and the sp_OAxxx procedures are disabled.
Make sure that SQL Server runs on a domain account that has no extra
privileges. The less welcome it is in the rest of the network the better.
But the main line of defence is of course to use stored procedures or
parameterised statements and never interpolate incoming stuff into
query strings.
--
Erland Sommarskog, SQL Server MVP, esquel@xxxxxxxxxxxxx
Books Online for SQL Server 2005 at
http://www.microsoft.com/technet/prodtechnol/sql/2005/downloads/books.mspx
Books Online for SQL Server 2000 at
http://www.microsoft.com/sql/prodinfo/previousversions/books.mspx
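The two hardening points in the reply above (disable xp_cmdshell and the sp_OA procedures, and parameterise incoming values) as a T-SQL script. This is an added example, not part of the original thread; it assumes SQL Server 2005 or later, a sysadmin session, and a hypothetical table dbo.Customers for the parameterised query.

```sql
-- Added example (not from the original thread). Assumes SQL Server 2005+,
-- run by a sysadmin. dbo.Customers and @UserInput are placeholders.

-- 1. Turn off xp_cmdshell and the sp_OA* (Ole Automation) procedures at
--    the instance level. Both are off by default; this makes it explicit.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- 2. Verify: both rows should report value_in_use = 0.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 3. List every principal that has been granted EXECUTE on these
--    procedures in master. The web application's login should not appear;
--    if it does, REVOKE the grant.
USE master;
SELECT pr.name AS principal_name, o.name AS procedure_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
JOIN sys.objects AS o
  ON o.object_id = pe.major_id
WHERE pe.permission_name = 'EXECUTE'
  AND o.name IN ('xp_cmdshell', 'sp_OACreate', 'sp_OAMethod',
                 'sp_OAGetProperty', 'sp_OASetProperty', 'sp_OADestroy',
                 'sp_OAGetErrorInfo', 'sp_OAStop');

-- 4. Parameterised dynamic SQL: the incoming value travels as a typed
--    parameter and is never spliced into the query text, so a quote in the
--    input (constructed sample below) is just data.
DECLARE @UserInput nvarchar(100);
SET @UserInput = N'O''Brien';          -- constructed sample input
DECLARE @sql nvarchar(max);
SET @sql = N'SELECT CustomerId, Name FROM dbo.Customers WHERE Name = @name;';
EXEC sp_executesql @sql, N'@name nvarchar(100)', @name = @UserInput;
```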