Penetration Testing mailing list archives
RE: Question: FTP via alternate port
From: Jason Baeder <jason_baeder () yahoo com>
Date: Mon, 30 Jan 2006 08:55:45 -0800 (PST)
Niels,
I am interested in knowing whether there are native file transfer protocols built into the shell commands that could circumvent the FW,
AFAIK, the answer to that question is no. You get shell access via SQL with the stored procedure xp_cmdshell. Unless you've installed another command shell on Windows, that means you get cmd.exe. Not a whole lot of functionality there, as we have already discussed.

There are, however, a few more tricks. If there is a webserver on the same box as the SQL server, and if the attacker can invoke SQL's xp_cmdshell, he/she could copy desired files somewhere under the root directory of the webserver and use a browser to download them. To the firewall, that's just another web session.

I also have a vague recollection that SQL server can be configured to send email via stored procedure. Soooo...a quick search found this:

http://support.microsoft.com/kb/q263556/

As you can see there are a lot of other factors that need to be in place for this to work. But if a server were configured as such, it is probably not out of the realm of possibility for an attacker to email files off the server by compromising the SQL server.

Jason

--- List User <listaddy () gmail com> wrote:
Thanks Jason,

I should have been a little more specific in my example. I am aware that the native MS FTP client cannot be put into passive mode, and that certainly makes the attacker's task more difficult if FTP is not allowed outbound.

I also should have asked more specifically for those folks who have some SQL shell command knowledge, since I am interested in knowing whether there are native file transfer protocols built into the shell commands that could circumvent the FW, by, for instance, being put into active mode.

And yes, moving a tool onto the compromised system is something a lot of people have mentioned, but it is a catch-22 proposal.

Thanks again for your answer! And you are absolutely right: prevent it at the application level first, and then put barriers in the way after that.

Niels
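An added example, not part of the original thread: a T-SQL audit an administrator could run to see whether the two features discussed above (xp_cmdshell and the mail extended procedures) are switched on and which principals can reach them. It assumes SQL Server 2005 or later, where these catalog views and sp_configure option names exist, and a login permitted to read server metadata.

```sql
-- Added example: audit of the SQL Server features discussed in this thread.
-- Assumption: SQL Server 2005 or later; run by a login that can view
-- server-level metadata.
USE master;

-- 1. Are the command-shell and mail extended procedures enabled?
--    value_in_use = 1 means the feature is active right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Database Mail XPs', 'SQL Mail XPs')
ORDER BY name;

-- 2. Members of sysadmin can run xp_cmdshell whenever it is enabled.
--    An application login should not appear in this list.
SELECT m.name AS sysadmin_member, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 3. Non-sysadmin principals explicitly granted rights on xp_cmdshell.
SELECT pr.name AS grantee, pe.permission_name, pe.state_desc
FROM sys.database_permissions AS pe
JOIN sys.database_principals AS pr
  ON pr.principal_id = pe.grantee_principal_id
WHERE pe.class = 1
  AND pe.major_id = OBJECT_ID('sys.xp_cmdshell');

-- 4. The proxy credential is what lets those non-sysadmin callers
--    run operating-system commands; no row means none is configured.
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- 5. Hardening step (changes server state): disable the shell where
--    nothing legitimate depends on it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

A sysadmin-level login can turn the option back on, so step 2 matters as much as step 5: the account the application uses to reach SQL Server should not hold that role.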