Penetration Testing mailing list archives
Re: [PEN-TEST] SQL Server blank account
From: Attonbitus Deus <thor () HAMMEROFGOD COM>
Date: Tue, 29 Aug 2000 10:13:36 -0700
xp_cmdshell is a SQL stored procedure that allows you to execute commands via a cmd shell, and in the context of the local system authority. One is really only limited by imagination when afforded this type of power. It basically equates to full compromise.

Recently, while penetrating a network (with permission, of course!) I found a SQL server with an open SA password. Though all Server and Workstation services were disabled, I was able to (easily) create a .sql script that created an ftp script file, launched the ftp command line against the script file, and downloaded several files to the server (reg.exe, netcat, etc). I could then launch these files to do things like creating a backup of the SAM, which I simply ftp'd back to myself and ran l0pht against it (one system had syskey on the reg, but I dumped the hash with passdump2). Voilà, I had all the local usernames and passwords. I could then easily access all other 'bulletproof' systems they had, as they used the same usernames and passwords for access to those 'closed' systems, including some intelligence gathering on all the 'internal' systems that 'no one has access to'.

There are many other things that I did that I won't go into, but the point is that with a little creativity, you can basically do whatever you want to one of these systems. Even when otherwise secured, you can typically gather enough information to socially engineer your way into other areas.

Please email me directly if you would like any other information, or if you would like for me to illustrate some other techniques for you.

----------------------------------------------------------------
Attonbitus Deus
thor () hammerofgod com

----- Original Message -----
From: "Seth Georgion" <sgeorgion () E-CLOSER COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Tuesday, August 29, 2000 9:19 AM
Subject: [PEN-TEST] SQL Server blank account
Okay, so here is a question that we've encountered, internally, that seems to have been made more relevant by the recent Napster-related defacements. Specifically, how is it that a hacker can subvert a system, i.e. deface web pages, change user accounts, on a system with a SQL installation and a known username and password? For example, let's say you have a Windows machine with an IIS install and a SQL install; given an attacker with a valid, administrator SQL username and password, how would they be able to take control of the server?
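The two conditions the thread turns on are a SQL login with a blank password and xp_cmdshell being reachable by that login. The T-SQL below is an added audit-and-hardening script, not code from the post or from either poster; it assumes SQL Server 2005 or later (sys.configurations, sys.sql_logins, PWDCOMPARE and the sp_configure 'xp_cmdshell' option did not exist in the SQL Server 7/2000 releases discussed in 2000) and a sysadmin connection. The password value is a placeholder.

```sql
-- Added defensive audit, not part of the original post.
-- Assumes SQL Server 2005+ and a sysadmin connection.

-- 1. Is xp_cmdshell enabled?  value_in_use = 1 means any sysadmin login
--    can run OS commands as the SQL Server service account.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Which SQL-authenticated logins accept an empty password?
--    PWDCOMPARE tests a candidate password against the stored hash,
--    so this finds the "open SA" the post describes without exporting hashes.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 3. Who is in sysadmin?  Each of these logins can reach xp_cmdshell
--    (and can re-enable it) regardless of step 4.
SELECT sp.name AS login_name, sp.type_desc
FROM sys.server_principals AS sp
JOIN sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE r.name = 'sysadmin';

-- 4. Turn xp_cmdshell off.  It is an advanced server option, so
--    'show advanced options' must be on before it can be changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 5. Give sa a real password and disable it; administer with named
--    sysadmin logins instead so actions are attributable.
--    Placeholder value: replace before running.
ALTER LOGIN sa WITH PASSWORD = N'<replace-with-a-long-random-password>';
ALTER LOGIN sa DISABLE;

-- 6. Re-run the checks; step 1 should now show 0 and step 2 no rows.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

SELECT name
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;
```

Step 3 matters as much as step 4: disabling xp_cmdshell is a configuration setting, and any sysadmin member can flip it back with the same sp_configure call, so the login list is the control that actually limits who can turn a database compromise into host compromise. The service account the engine runs under bounds what xp_cmdshell can do at the OS level, which is why the post's "local system authority" remark is the worst case rather than the only case.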