RPC filter - MSSQL

This type of filter is invoked when the client invokes a stored procedure using an RPC packet.

The call can be filtered by the usual means, and also by the name of the stored procedure being called, as well as the value of the parameters being passed to the stored procedure.

Parameters

None of the parameters are required. If no parameter is specified, this filter will be invoked for every call to a stored procedure.

The parameters that can take multiple values can be separated by commas or by newlines.

Stored procedure name

The name(s) or regular expression(s) determining for which stored procedure calls to invoke this filter. They can be separated by commas or newlines.

If this is a simple string (e.g. sp_executesql), it is case-sensitive (up to version 1.8.8). From version 1.9.0 forward, it is case-insensitive (if you need it to be case-sensitive, use the REGEX: prefix).

Examples:

sp_executesql

sp_dosomething, regex:finance_.*, regex:payments_delete.+

Parameter patterns

Zero or more name=value entries specifying for which values of which stored procedure parameters this filter should get invoked. The value can be absolute, or it can be one of the usual regular expression syntax; if a regular expression contains equal signs, they must be escaped with a backslash (e.g. \=).

If the parameter name is a number, that number represents the number of the parameter (1-based).

Examples:

p1=Armenia

region=regex:(Armenia|Azerbaijan|Georgia)
eq3=regex:name\="Gomez"

4=accounting

Client IPs

A list of IP addresses (IP4 and/or IP6) and/or regular expressions for IP addresses. If specified, only requests from matching IP addresses will cause execution of this filter.

Example:

12.34.56.78
1234:5678:90ab::01
regex:98\.76\..*
regex:9876:5432:.*

Users

A list of user names and/or regular expressions for user names. If specified, only calls from these users will cause execution of the filter.

Dealing with cursors

Cursors in SQL Server are created and used via calls to certain stored procedures.

For instance, a cursor can be opened with a call to (among others) sp_cursoropen. This can be intercepted by an RPC filter by setting the Stored procedure name parameter to sp_cursoropen, and setting Parameter patterns to e.g. 2=regex:select.*from.*customers.*

In this case, the SQL could be modified in the filter with e.g.:

context.packet.parameters[1].value = "select * from Foo";

Note that, for historical reasons, parameter indices are 1-based in Parameter patterns but zero-based in code.

Similarly, a cursor can be opened for a prepared statement with a call to sp_cursorprepare or sp_cursorprepexec. These can be manipulated in a similar way. Keep in mind that these various stored procedures take different parameters -- consult the Microsoft documentation for more details.

Example

We can change the SQL being executed by a call to sp_executesql with:

context.packet.parameters[0].value =
"select * from gallium_demo.products where status is null or status <> 'discontinued'";

Google Sites

Report abuse