Trojanning Sybase
The options for inserting backdoors into a database system of Sybase's complexity are numerous. Following are a few ideas; there are plenty of variations on these themes.
Grant a User sa or sso_role
If you grant users sa_role, they can effectively do everything.
You can see what roles are available to users by executing the following query:
select l.name Login, sr.name ServerRole from master..syslogins l
join master..sysloginroles lr on l.suid = lr.suid
join master..syssrvroles sr on sr.srid=lr.srid
Allow Direct Updates to System Tables, Grant Access to Selected System Tables
By default, users (even sa) are not permitted to directly modify system tables (such as syslogins), even if they would otherwise be able to. Many possibilities for subtle backdoors are opened up if you enable updates to system tables.
The statement to allow updates is
sp_configure 'allow updates to system tables', 1
This is a dynamic configuration setting and thus takes effect immediately; there is no need to restart the server.
The following query displays all explicit permissions (including upon columns) in the current database:
select u.name "user", u2.name grantor, o.name object, c.name column, v.name, p.protecttype from sysprotects p join sysusers u on p.uid = u.uid join sysobjects o on p.id = o.id join sysusers u2 on p.grantor = u2.uid join master..spt_values v on p.action=v.number and v.type='T' join syscolumns c on o.id = c.id where (power(2, c.colid) & convert(int, p.columns)) ...
Get The Database Hacker's Handbook: Defending Database Servers now with the O’Reilly learning platform.
O’Reilly members experience books, live events, courses curated by job role, and more from O’Reilly and nearly 200 top publishers.
