Penetration Testing mailing list archives

[PEN-TEST] SQL Server blank account

From: Seth Georgion <sgeorgion () E-CLOSER COM>
Date: Tue, 29 Aug 2000 09:19:37 -0700

Okay, so here is a question that we've encountered, internally, that seems
to have been made more relevant by the recent Napster related defacements.
Specifically, how is it that a hacker can subvert a system, i.e. deface web
pages, change user accounts, on a system with a SQL installation and a known
username and password. For example let's say you have a Windows machine with
an IIS install and a SQL install, given an attacker with a valid,
administrator SQL username and password how would they be able to take
control of the server?

Current thread:

Re: [PEN-TEST] Home-Banking PEN-TESTING, (continued)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Iván Arce (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING H Carvey (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Lucio A. Molina Focazzio (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Loschiavo, Dave (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Gontarczyk, Andrew (Aug 23)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Cintron, Jose (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Klahn, Paul (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Tonick, Mike (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Chris Calabrese (Aug 24)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Christopher Laycock (Aug 29)
  - [PEN-TEST] SQL Server blank account Seth Georgion (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account Marc Maiffret (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account M. Burnett (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account H D Moore (Aug 29)
    - Re: [PEN-TEST] SQL Server blank account Attonbitus Deus (Aug 29)
  - Re: [PEN-TEST] Home-Banking PEN-TESTING Ben Lull (Aug 29)
  - Re: [PEN-TEST] Home-Banking PEN-TESTING van der Kooij, Hugo (Aug 29)
- Re: [PEN-TEST] Home-Banking PEN-TESTING Jim Miller (Aug 29)
  - Re: [PEN-TEST] Home-Banking PEN-TESTING H D Moore (Aug 29)