Penetration Testing mailing list archives
Re: [PEN-TEST] SQL Server blank account
From: "Alexander Sarras (SEA)" <Alexander.Sarras () SEA ERICSSON SE>
Date: Wed, 30 Aug 2000 07:49:18 +0200
Using a Web-based interface to the SQL-Server, like Oracle's?

Sas

-----Original Message-----
From: Seth Georgion [mailto:sgeorgion () E-CLOSER COM]
Sent: Tuesday, 29 August, 2000 6:20 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] SQL Server blank account

Okay, so here is a question that we've encountered, internally, that seems to have been made more relevant by the recent Napster related defacements.

Specifically, how is it that a hacker can subvert a system, i.e. deface web pages, change user accounts, on a system with a SQL installation and a known username and password. For example let's say you have a Windows machine with an IIS install and a SQL install, given an attacker with a valid, administrator SQL username and password how would they be able to take control of the server?