Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking a server through SQL SERVER 7
From: "Aaron C. Newman" <aaron () NEWMAN-FAMILY COM>
Date: Tue, 23 Jan 2001 13:59:22 -0500
SQL Server has several really powerful extended stored procedures. xp_regread allows you to read from the registry. If SQL Server is running under the Local Account or System, which will have the privilege Act As Part of the Operating System, then you can read the NT password hashes from the Security Subkey under the HKEY_LOCAL_MACHINE registry key. Feed this info into a tool such as L0phtCrack.

You can also run command lines such as "net user ..." and "net localgroup ..." through the xp_cmdshell extended stored procedure. These will let you create an account, put it in the Administrators group, or even just reset the Administrator password.

If these extended stored procedures have been removed, don't fret. Based on the half-baked advice of database security experts out there, most administrators only remove the extended stored procedures from the database and leave the DLLs on the server. You can just add the extended stored procedures back using the command sp_addextendedproc 'xp_cmdshell', 'xpstar.dll' - might also be xpsql60.dll rather than xpstar.dll, can't remember off the top of my head.

Also don't forget to look in the master..sysxlogins table. Passwords for other databases this server connects to are stored here. To unencrypt the passwords check out NTBUGTRAQ.COM "Subject: SQL Server 7.0 Linked Server Password Vulnerability" from Blake Coverett <blake () WIZARDS COM>.

More details on the exact commands can be found at http://documents.iss.net/whitepapers/securedbs.pdf. Ignore the marketing stuff earlier on; later in the doc there are example commands you can use.

Aaron C. Newman
aaron () newman-family com
-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM] On Behalf Of FiC
Sent: Tuesday, January 23, 2001 5:44 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Hacking a server through SQL SERVER 7

Hi all.

I've noticed that a lot of people out there don't worry about the default sa login in SQL SERVER. So I've connected through my SQL Enterprise Manager to such unprotected servers using the sa login and a blank password. Once connected, in the Security -> Login folder, I can see the NT administrator login and the NT administrator group.

The question is.... What other information can I get from that server? Is there any way to get the NT administrator's password? In the Management -> Backup folder I can see every folder and file on the remote drives. Can I get/upload a file to the server? How can I finally penetrate the server once I've connected as 'sa' to their SQL SERVER?

Thanx a lot.

--
~/ FiC /~
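The points raised in the reply above (a blank sa password, extended stored procedures whose DLLs stay on disk after the catalog entry is dropped, and stored linked-server passwords in master..sysxlogins) can each be checked and closed from the server's own system tables. The T-SQL below is an added audit and hardening script for this thread, not something posted by either author. It assumes the SQL Server 7.0 / 2000 system tables master..sysobjects, master..syscomments and master..sysxlogins, that a blank standard-login password is stored as NULL in sysxlogins.password, and that the sp_helplinkedsrvlogin, sp_password and sp_dropextendedproc procedures are available; the sa password in the last step is a placeholder to replace.

```sql
-- Added audit/hardening script for the thread above; not from the original posts.
-- Assumes SQL Server 7.0 / 2000 system tables and that a blank standard-login
-- password is stored as NULL in sysxlogins.password.
USE master
GO

-- 1. Which dangerous extended stored procedures are registered, and which DLL each
--    one loads. For xtype 'X' objects, syscomments.text holds the DLL name that was
--    passed to sp_addextendedproc, so this names the file that must also be removed
--    or ACL-restricted on disk: dropping only the catalog entry leaves anyone with
--    sysadmin rights free to re-register it with sp_addextendedproc.
SELECT o.name AS xproc_name, c.text AS dll_name
FROM   sysobjects o
JOIN   syscomments c ON c.id = o.id
WHERE  o.xtype = 'X'
  AND  o.name IN ('xp_cmdshell', 'xp_regread', 'xp_regwrite')
ORDER BY o.name
GO

-- 2. Standard (non-NT) logins with no password at all; sa shows up here when it
--    still has the blank default the original question describes.
SELECT name
FROM   sysxlogins
WHERE  isntname = 0
  AND  password IS NULL
GO

-- 3. Linked-server login mappings. Every mapping with a remote user name carries a
--    stored remote password in sysxlogins, which the NTBugtraq reference in the
--    reply shows is recoverable by whoever can read that table, so each row is a
--    credential that needs the same protection as sa itself.
EXEC sp_helplinkedsrvlogin
GO

-- 4. Remediation: give sa a real password (sp_password old, new, login) and drop
--    the extended procedures; then remove or restrict their DLLs in the filesystem.
EXEC sp_password NULL, '<REPLACE-WITH-STRONG-PASSWORD>', 'sa'
EXEC sp_dropextendedproc 'xp_cmdshell'
EXEC sp_dropextendedproc 'xp_regread'
GO
```

Run steps 1 to 3 first and keep their output as a baseline; if step 1 later shows xp_cmdshell registered again, or step 2 shows a login reverting to NULL, that is a change to investigate rather than silently re-apply step 4.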
Current thread:
- [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Derrick K. Bennett (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 H D Moore (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Attonbitus Deus (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 MadHat (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Brentlinger, Mike (ISS eServices) (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Frank Knobbe (Jan 25)