Penetration Testing mailing list archives
Re: [PEN-TEST] SQL Server blank account
From: Marc Maiffret <marc () EEYE COM>
Date: Tue, 29 Aug 2000 10:05:20 +0100
http://www.ntsecurity.nu/toolbox/sqldict/ <-- neato tool for some sql brute forcing.

and if you luck out then use linsql.c:
http://www.securityfocus.com/templates/archive.pike?list=1&date=2000-08-15&msg=200008150352.UAA09523 () user3 hushmail com

Quote from linsql.c:

"Note that these commands are executed with the privileges of the MSSQL service - usually `NT Authority\System'."

"
 * A simple command-line client for MS SQL server.
 * Designed for executing commands on the underlying operating system rather than SQL engine.
 * That said, it has the ability to perform SQL queries on the server.
 * Also added file upload system - usually works ;-) if it fails, try again.
 * Setup to login as the user 'sa' with no password by default, although this can be changed.
"

Signed,
Marc Maiffret
Chief Hacking Officer
eCompany / eEye
T.949.349.9062
F.949.349.9538
http://eEye.com

| -----Original Message-----
| From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
| Of Seth Georgion
| Sent: Tuesday, August 29, 2000 5:20 PM
| To: PEN-TEST () SECURITYFOCUS COM
| Subject: SQL Server blank account
|
|
| Okay, so here is a question that we've encountered, internally, that seems
| to have been made more relevant by the recent Napster related defacements.
| Specifically, how is it that a hacker can subvert a system, i.e. deface web
| pages, change user accounts, on a system with a SQL installation and a known
| username and password. For example let's say you have a Windows machine with
| an IIS install and a SQL install, given an attacker with a valid,
| administrator SQL username and password how would they be able to take
| control of the server?
|
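The thread's answer rests on three conditions: an 'sa' login with a blank (or guessable) password, the ability to run operating-system commands from T-SQL, and a SQL Server service account with host-level privileges. The T-SQL audit below is an added example written for this page; it is not code from the thread, from linsql.c or from sqldict. It targets a modern SQL Server (PWDCOMPARE and sys.sql_logins exist from SQL Server 2005; sys.dm_server_services from 2008 R2 SP1), not the 2000-era versions the posters were using, and it assumes, since the thread never names the mechanism, that the OS-command feature being referred to is the xp_cmdshell extended stored procedure. It needs a sysadmin or CONTROL SERVER login to run.

```sql
-- Added audit example (not from the original thread). Each query checks one
-- of the conditions the reply above relies on. Assumes SQL Server 2008 R2 SP1
-- or later and a login with sysadmin / CONTROL SERVER.

-- 1. SQL-authenticated logins with a blank password: the default 'sa' state
--    that the linked tool logs in with. PWDCOMPARE hashes '' with the stored
--    salt, so it works against the hash rather than a clear-text password.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 2. Logins whose password equals the login name, the first guess any
--    dictionary tool makes. Empty result set is the goal for both queries.
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE(name, password_hash) = 1;

-- 3. Is OS command execution from T-SQL enabled?  (Assumption: the thread's
--    "commands on the underlying operating system" means xp_cmdshell, which
--    is off by default since SQL Server 2005.)  value_in_use = 0 is the
--    hardened state.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 4. Which Windows account the engine runs as. The reply's key point is that
--    commands run with the service's privileges: 'NT AUTHORITY\SYSTEM' or
--    'LocalSystem' here means a SQL compromise is a host compromise, so the
--    service should run as a low-privilege local or domain account.
SELECT servicename, service_account
FROM   sys.dm_server_services
WHERE  servicename LIKE 'SQL Server (%';

-- 5. Whether the well-known 'sa' login is still usable. Disabling it (after
--    setting a strong password) removes the target the thread describes.
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  name = 'sa';

-- Remediation for finding 5, left commented so the audit is read-only:
-- ALTER LOGIN sa WITH PASSWORD = '<strong-password-placeholder>';
-- ALTER LOGIN sa DISABLE;
```

Run it from a management connection and treat any row from queries 1 or 2, a value of 1 from query 3, or a SYSTEM/LocalSystem service account from query 4 as a finding; together they reproduce, as a defender's check, exactly the setup the tools in the reply depend on.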