We recently identified a security floor in some old code which was vulnerable to SQL injection attack.
The server is MS SQL Server 2012 running on Windows 2012.
During the investigation I have been asked if any malicious code has been installed via the vulnerability. The SQL server is once removed from the Webserver but does have access to the internet for Operating system Updates.
I was not aware and haven't heard of code being installed / downloaded via SQL injection and my immediate response would be no this isn't possible. However I thought I would ask the good people on Stack Overflow as there is always the possibility I'm wrong :)
Yes, SQL server can execute master..xp_cmdshell command which executes windows command line operations, allowing further taking over the server and installing things on it.
SQL Server also supports C# code embedding. I would take the server for forensics analysis if its important, or delete it altogether if it's not.
Related
Regarding the following images, I have obviously installed the Microsoft SQL Server, but I can't find the exe-file or anything named Microsoft SQL Server in the start menu.
Anyone who knows what to do to solve this, or do I need to install something more?
SQL Server runs as a service. You can start and stop it from windows services. SSMS is a gui tool for managing ddl (creating and altering tables and index's for example) and dml (writing queries to inquire, update or add data to databases).SSMS comes free with every edition of SQL server - perhaps you didn't tick a box when installing? You can also do this stuff the old fashioned way using sqlcmd from command line(DBAs love this for some reason) but for us mortals SSMS is much less of a struggle. As an aside there are other guis such as Toad (expensive) and Heidisql (free) amongst others which will do the job.
Looks like you have the engine. What you've got to do now is install SQL Server Management Studio: https://msdn.microsoft.com/hr-hr/library/mt238290.aspx
Looks like you have the various SQL Server components that are installed by Visual Studio (recent version) or SQL Server Data Tools (as used by VS).
This question may seems a bit silly. The thing is I'm programming a WPF using VS2010, which contains a .sdf database (connection is ADO.NET).
Someone told me that if I use a SQL Server Express database it can be run on any PC even it has no SQL Server installed. But after I tried executing in my virtual machine (win7 & win xp), seems it cannot even start up.
So, can someone brief me, what database do people normally use in developing WPF software? Is it true that my program using a SQL Server database file cannot execute on PC without SQL Server installed?
Much appreciate in advance!
Yes, it can!
SQL Server Compact (that produces and uses .sdf) is the only SQL Server edition that does not require a server to be installed. All its code and logic is contained in the handful of DLL's that you need to include with your application. Just ship your app with those DLL's and you should be fine.
Read more about SQL Server Compact and how to use and deploy it on MSDN.
SQL Server Express (and any of the other editions, like Web, Standard, Developer, Enterprise) on the other hand does require an installation of the SQL Server Express edition - either on that machine, or somewhere in the network where your app runs (remote connections from the network are disabled by default, but can be enabled).
I am getting a little bit confused about the difference of the followings:
SQL Server Express
SQL Server Compact
localDB
My requirement is to develop a desktop application that will use basic RDBMS features. I need to package the application and allow the user to install a single distributed package. I don't want the user to install even SQL server express.
In this case, which DB I should use? SQLite is not considered as too much re-coding has to be done.
Thank you.
SQL Server Express is full featured DBMS, with some limitations in terms of database size and resources it is allowed to use. You can see it's limitations (relative to SQL Server) on microsofts site (Features Supported by the Editions of SQL Server 2012)
SQL Server CE is embedded database, meaning that it runs in user mode, it's easy to deploy (requires you to copy just few assemblies), lightweight but fast, can be run by a low privileged user. It's supported by NHibernate. However, has more limitations. To me most notable is that there are problems when you try to have multiple connections to same database. Although MS claims that this is supported, if you try this in Windows 2008 server, you will fail. And what's worse, such use scenario may lead to DB corruption. This means that you will effectively not be able to use some Management tool to update data while your service/website is running. Also, SQL Server Management studio doesn't support SQL CE anymore, so you will have to use a 3rd party tool, like Database.NET. It also does not support subqueries.
localDB, having not used it, sounds like a compromise. It's a standalone database which is executed in user mode (can be used by low privilege user), but must be installed so you will need administrative privileges for that part. Offers set of capabilities of SQL Server Express. It's much larger than SQL CE, and also requires to be installed (unlike CE which is just binary drop in). Shortest overview of this DBMS can be found here.
I have tried to install SQL Server Express 2008 on several pcs of different brands. I have no luck or what: nearly each time I get something which prevents it from installing.
Just now I got "Performance counter registry hive consistency check" failed and solution is overwelmingly complex http://support.microsoft.com/kb/300956.
How can one choose SQL Server Express 2008 as a local pc database vs MS Access as a good choice for selling an application knowing that clients risk to encounter such unsolvable problem for most of them as they are not even expert users ?
Why do so many people push for SQL Server ? Is it really objective ?
As a User myself, I have downloaded many softwares which uses SQL Server Express 2008, since I can't install, I just gave up, I won't even complain because I fear most often they wouldn't even bother (and registering for support is always a hassle). That is companies are losing potential clients without even knowing it !
If you just want a local database that you can distribute with your application, do you really need the full-blown SQL Server Express, which needs to be installed?
I think an embedded database (SQL Server CE, SQLite...) is what you need.
They don't require any installation at all, you just have to distribute a few assemblies with your application.
Run the SQL Server 2008 installer again and complete these steps.
I exported the 009 tree with regedit to Perflib.reg
Opened the Perflib.reg in Notepad
Replaced "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\009]" to "[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib\013]"
Save the file
Finally double click the Perflib.reg file.
This should work, you can find more here.
I was thinking of the minimum software I can install on my new dev machine. Has anyone tried codeing with just VS2010/Linqpad?
The SQL Server is on another machine so then I would only need SSMS.. but then I think linqpad could replace that + help me with Linq queries..
But the problem seems to be I won't be able to CREATE SQL USERS with SSMS and I may need to do thatfrom time to time..
Any thoughts ?
Personally I'd always install SQL Management Studio as it's the defacto tool for managing SQL Server.
AFAIK you can't issue arbitary SQL commands using VS2010 and thus you can't create users - that is unless you use VS2010 to write an app to issue the commands which is trivial but I'd say ultimately pointless.
LINQPad lets you run SQL queries as well as LINQ queries - so you can manage without SSMS if you're happy to do things purely via SQL.
Of course, for some things SSMS is easier than writing SQL. And on a dev box you'll probably want SQL Profiler, too (for this reason, it's a good idea to install the management tools that come with the full edition of SQL Server rather than relying on the SQL Express tools).
I would install SQL Server client tools - you would at least then get SSMS and SQLCMD. No need for SQL Server itself (or even SSIS - you can still use BIDS to write packages, but you have to run them interactively).