Penetration Testing mailing list archives
Re: [PEN-TEST] SQL Server blank account
From: Forrest Rae <Forrest () DIGITALDEFENSE NET>
Date: Tue, 29 Aug 2000 12:14:03 -0500
Hi,

There are known vulnerabilities in IIS/MSSQL, particularly the MSACD RDS exploit. We encounter this most, and it is an easy technique to learn. Some info can be found at:

http://www.securityfocus.com/bid/286

Pay close attention to the VBA shell() Command.

--
Forrest Rae
Digital Defense, Inc.
www.digitaldefense.net
(210)-822-2645

Seth Georgion wrote:
Okay, so here is a question that we've encountered, internally, that seems to have been made more relevant by the recent Napster-related defacements. Specifically, how is it that a hacker can subvert a system, i.e. deface web pages, change user accounts, on a system with a SQL installation and a known username and password? For example, let's say you have a Windows machine with an IIS install and a SQL install; given an attacker with a valid administrator SQL username and password, how would they be able to take control of the server?