Penetration Testing mailing list archives
Re: [PEN-TEST] SQL Server blank account
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 29 Aug 2000 12:11:12 -0500
(for those sql/nt buffs, please correct me if I am wrong...)

Run a query like the following:

    SELECT * FROM sometable WHERE somefield = '|shell("cmd.exe /c COMMAND")|'

That works if you are using the Jet DB engine (prior to 2.x versions of MDAC) to access the SQL server via ODBC. The two most common places you see this attack are through RDS (/msadc/msadcs.dll) or a badly coded ASP script that puts fields directly into SQL queries.

OR

Try this: (untested)

    SELECT * FROM sometable WHERE somefield = xp_commmand('cmd.exe /c COMMAND')

Your command should run in the SYSTEM context, which lets you modify any file or add any user to the domain admin/local admin group. (this works with Sybase, which was the source base for MS SQL)

-HD

Seth Georgion wrote:
Okay, so here is a question that we've encountered, internally, that seems to have been made more relevant by the recent Napster-related defacements. Specifically, how is it that a hacker can subvert a system, i.e. deface web pages, change user accounts, on a system with a SQL installation and a known username and password? For example, let's say you have a Windows machine with an IIS install and a SQL install. Given an attacker with a valid administrator SQL username and password, how would they be able to take control of the server?
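
A defender's view of the patterns named in this message, added here as an example and not part of the original post: a small scanner for IIS W3C extended logs that flags requests to /msadc/msadcs.dll and query strings carrying the `|shell(` or `xp_` patterns, including URL-encoded forms. The rule names, field layout and log lines are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Indicators taken from the message above; rule names are made up for this example.
RULES = [
    ("rds-endpoint", re.compile(r"/msadc/msadcs\.dll", re.I)),
    ("jet-pipe-shell", re.compile(r"\|\s*shell\s*\(", re.I)),
    ("xp-proc-call", re.compile(r"\bxp_\w+", re.I)),
]

# Constructed sample log (documentation IP range), not real traffic.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-08-29 17:01:02 192.0.2.10 GET /default.asp - 200
2000-08-29 17:01:09 192.0.2.44 POST /msadc/msadcs.dll - 200
2000-08-29 17:02:30 192.0.2.44 GET /search.asp q=%27%7Cshell(%22cmd.exe+/c+COMMAND%22)%7C%27 200
2000-08-29 17:02:41 192.0.2.44 GET /search.asp q=%2527%257Cshell%2528x%2529 500
2000-08-29 17:03:00 192.0.2.10 GET /item.asp id=xp_commmand('cmd.exe+/c+COMMAND') 200
""".splitlines()

def decode(value, rounds=3):
    """Undo nested URL-encoding (%257C -> %7C -> |), bounded to a few rounds."""
    for _ in range(rounds):
        nxt = unquote_plus(value)
        if nxt == value:
            break
        value = nxt
    return value

def scan(lines):
    """Return (line_number, client_ip, [rule names]) for each suspicious request."""
    fields, hits = [], []
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column order comes from the log itself
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        target = decode(row.get("cs-uri-stem", "") + "?" + row.get("cs-uri-query", ""))
        matched = [name for name, rx in RULES if rx.search(target)]
        if matched:
            hits.append((n, row.get("c-ip", "-"), matched))
    return hits

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```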