Penetration Testing mailing list archives

Re: [PEN-TEST] SQL Server blank account


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 29 Aug 2000 12:11:12 -0500

(for those sql/nt buffs, please correct me if I am wrong...)


Run a query like the following:

SELECT * FROM sometable WHERE somefield = '|shell("cmd.exe /c COMMAND")|'

That works if you are using the Jet DB engine (prior to 2.x versions of
MDAC) to access the SQL server via ODBC.  The two most common places you
see this attack are through RDS (/msadc/msadcs.dll) or a badly coded
ASP script that puts fields directly into SQL queries.

OR

Try this: (untested)

SELECT * FROM sometable WHERE somefield = xp_commmand('cmd.exe /c COMMAND')

Your command should run in the SYSTEM context, which lets you modify any
file or add any user to the domain admin/local admin group.

(this works with Sybase, which was the source base for MS SQL)

-HD

Seth Georgion wrote:

Okay, so here is a question that we've encountered, internally, that seems
to have been made more relevant by the recent Napster related defacements.
Specifically, how is it that a hacker can subvert a system, i.e. deface web
pages, change user accounts, on a system with a SQL installation and a known
username and password. For example let's say you have a Windows machine with
an IIS install and a SQL install, given an attacker with a valid,
administrator SQL username and password how would they be able to take
control of the server?
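Added example (not code from HD's post or any project): a small Python detector that flags the two patterns described above, Jet pipe-delimited shell() expressions and xp_ extended stored procedure calls, in URL-encoded request log lines. The sample log lines and the set of flagged Jet functions are constructed assumptions.

```python
import re
from urllib.parse import unquote_plus

# Jet/VBA pipe-delimited expression, e.g. '|shell("cmd.exe /c ...")|' (syntax from the post).
JET_PIPE_EXPR = re.compile(r"\|\s*([a-z_]+)\s*\(", re.IGNORECASE)
# Jet functions inside a pipe expression that reach the OS (assumed watch-list).
JET_DANGEROUS = {"shell", "createobject", "getobject"}
# MS SQL / Sybase extended stored procedures, which execute outside the engine.
XP_PROC = re.compile(r"\bxp_[a-z_]+\b", re.IGNORECASE)

# Constructed IIS-style request lines; line 2 and 3 carry the payload shapes from the post.
SAMPLE_LOG = [
    "GET /products.asp?id=42 200",
    "GET /products.asp?name=%27%7Cshell%28%22cmd.exe+%2Fc+dir%22%29%7C%27 500",
    "GET /search.asp?q=1%3B+exec+master..xp_cmdshell+%27dir%27 200",
    "GET /help.asp?topic=pipes%7Cand%7Cshells 200",  # benign: pipes but no call
]


def decode(s: str) -> str:
    """URL-decode until stable so double-encoded payloads are inspected in clear."""
    prev = None
    while prev != s:
        prev, s = s, unquote_plus(s)
    return s


def classify(fragment: str) -> list:
    """Return a list of finding tags for one query string or SQL statement."""
    text = decode(fragment)
    findings = []
    for m in JET_PIPE_EXPR.finditer(text):
        name = m.group(1).lower()
        if name in JET_DANGEROUS:
            findings.append(f"jet-pipe-expression:{name}")
    for m in XP_PROC.finditer(text):
        findings.append(f"extended-proc:{m.group(0).lower()}")
    return findings


def scan_log(lines) -> list:
    """Return (line_number, findings) for every line that triggers a finding."""
    hits = []
    for n, line in enumerate(lines, 1):
        found = classify(line)
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for n, found in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(found)}")
```

The real fix for the ASP case in the post is parameterized queries; this detector only surfaces attempts against scripts that still concatenate fields into SQL.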
