Penetration Testing mailing list archives

Re: [PEN-TEST] SQL Server blank account

From: Forrest Rae <Forrest () DIGITALDEFENSE NET>
Date: Tue, 29 Aug 2000 12:14:03 -0500

Hi,
        There are know vulnerabilities in IIS/MSSQL, particularly MSACD
RDS exploit.
        We encounters this most, and it is an easy technique to learn.
        Some info can be found at: http://www.securityfocus.com/bid/286
        Pay close attention to the VBA shell() Command.

--
Forrest Rae
Digital Defense, Inc.
www.digitaldefense.net
(210)-822-2645


Seth Georgion wrote:


Okay, so here is a question that we've encountered, internally, that

seems

to have been made more relevant by the recent Napster related

defacements.

Specifically, how is it that a hacker can subvert a system, i.e.

deface web

pages, change user accounts, on a system with a SQL installation and a

known

username and password. For example let's say you have a Windows

machine with

an IIS install and a SQL install, given an attacker with a valid,
administrator SQL username and password how would they be able to take
control of the server?

Current thread:

Re: [PEN-TEST] SQL Server blank account Curphey, Mark (ISS Atlanta) (Aug 29)
- <Possible follow-ups>
- Re: [PEN-TEST] SQL Server blank account Forrest Rae (Aug 29)
- Re: [PEN-TEST] SQL Server blank account Stephen Arehart (Aug 29)
  - [PEN-TEST] stacking SQL requests Emmanuel Gadaix (Aug 30)
    - Re: [PEN-TEST] stacking SQL requests Nicolas Gregoire (Aug 30)
    - Re: [PEN-TEST] stacking SQL requests M. Burnett (Aug 30)
- Re: [PEN-TEST] SQL Server blank account Andrew Lawton (Aug 29)
- Re: [PEN-TEST] SQL Server blank account Alexander Sarras (SEA) (Aug 30)