Penetration Testing mailing list archives

Re: xp_cmdshell with low permission

From: "Hanserl" <tomiknocker () hotmail com>
Date: Sun, 16 Oct 2005 13:00:43 -0700

you could try if you can instantiate COM objects and go from there. there
are a couple of SPs that support this (they are starting with oa) eg.
oaCreate.

----- Original Message -----From: "Frederic Charpentier" <fcharpen () xmcopartners com>

To: <pen-test () securityfocus com>
Sent: Saturday, October 15, 2005 7:40 AM
Subject: xp_cmdshell with low permission

Hello all,

I'm conducting a pentest on a IIS/Coldfusion/MSSQL server.
I've found a sql injection flaw, but the server does not allow me to run"xp_cmdshell" commands.
I use the following trick : exec master.dbo.xp_cmdshell "dir"; --

The server response :
EXECUTE permission denied on object 'xp_cmdshell', database 'master',owner 'dbo'.
I understand the coldfusion script use a low privileged user. So, twoquestions :
- Is there another way to use xp_cmdshell ?
- Is it possible to change the current user ? (likehttp://../script?param=1';user(sa,"sa");exec master.dbo.xp_cmdshell"dir"; --
Thanks in advance for ideas.

FRED

------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down serversare futile against web application hacking. Check your website forvulnerabilities to SQL injection, Cross site scripting and other webattacks before hackers do! Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------


------------------------------------------------------------------------------

Audit your website security with Acunetix Web Vulnerability Scanner:Hackers are concentrating their efforts on attacking applications on yourwebsite. Up to 75% of cyber attacks are launched on shopping carts, forms,login pages, dynamic content etc. Firewalls, SSL and locked-down servers arefutile against web application hacking. Check your website for vulnerabilitiesto SQL injection, Cross site scripting and other web attacks before hackers do!Download Trial at:


http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------

Current thread:

Port Scanner Reports Jeff Brossette (Oct 07)
- RE: Port Scanner Reports Brian Loe (Oct 08)
- Re: Port Scanner Reports Joachim Schipper (Oct 08)
- Re: Port Scanner Reports Syv Ritch (Oct 12)
  - Re: Port Scanner Reports Serg Belokamen (Oct 13)
    - xp_cmdshell with low permission Frederic Charpentier (Oct 15)
    - Re: xp_cmdshell with low permission Hanserl (Oct 16)
- <Possible follow-ups>
- Port Scanner Reports jeff . brossette (Oct 07)
  - Re: Port Scanner Reports Gary E. Miller (Oct 08)
  - Re: Port Scanner Reports Fco. Jose Garrido Matamoros (Oct 08)
  - Re: Port Scanner Reports Satanic.Brain (Oct 08)
  - RE: Port Scanner Reports Cory Michal (Oct 08)
  - Re: Port Scanner Reports Richard Farina (Oct 11)
    - Re: Port Scanner Reports Packet Man (Oct 13)
  - Re: Port Scanner Reports Daniel Miessler (Oct 31)
- RE: Port Scanner Reports Hayes, Ian (Oct 08)
- RE: Port Scanner Reports Michael Gargiullo (Oct 10)

(Thread continues...)