Penetration Testing mailing list archives
Re: [PEN-TEST] SQL Server blank account
From: "Curphey, Mark (ISS Atlanta)" <MCurphey () ISS NET>
Date: Tue, 29 Aug 2000 13:20:35 -0400
If it's a default installation the stored procedure xp_cmd_shell is permissioned so the everyone group can run it, and will enable you to create a new user into the administrators group assuming the default sql service is running as local system. On a SQL 6.5 the password is in the registry in cleartext. There are so many of these, it's like an OS. Examples of the above are in a PPT I just made http://www.curphey.com/textware/pen-test-list-sql-server-1.zip.

-----Original Message-----
From: Seth Georgion [mailto:sgeorgion () E-CLOSER COM]
Sent: Tuesday, August 29, 2000 12:20 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: SQL Server blank account

Okay, so here is a question that we've encountered, internally, that seems to have been made more relevant by the recent Napster related defacements. Specifically, how is it that a hacker can subvert a system, i.e. deface web pages, change user accounts, on a system with a SQL installation and a known username and password? For example let's say you have a Windows machine with an IIS install and a SQL install, given an attacker with a valid, administrator SQL username and password how would they be able to take control of the server?