Penetration Testing mailing list archives

Re: [PEN-TEST] Have SQL admin account and password... now what?


From: Andrew Cogger <andrew () INNOVONICS COM AU>
Date: Wed, 13 Sep 2000 11:11:26 +1000

Dave,

If you have the database admin account, you can do all sorts
of interesting things, especially if the extended
stored procedure xp_cmdshell is still on the server.

Have a look at http://www.sqlsecurity.com/faq.asp


Andrew


"Loschiavo, Dave" wrote:

I am banging on a product (MambaNT by www.luminate.com) that uses the MSDE
database engine. I have the database admin account and password (which they
kindly supply on their website and leave in plain text in an install log
file).

Is there anything I can do with this now that I have it?

Sorry for such a general question, but I _really_ don't know SQL. I have
looked at RFP's account of breaking wwwthreads and his ODBC and MS SQL
server 6.5 write up, but haven't found a tactic to take. I really don't care
about the info in the database. I want to be able to issue system commands
and use this software to gain unauthorized access to the domain.

This is all internal testing. I am neither too young to go to jail, nor too
good to get caught, so I don't pen-test others' networks.

Thanks!

--
Andrew Cogger                                andrew () innovonics com au
Electronics & Software Engineer              www.innovonics.com.au
Innovonics Pty Ltd                           Ph +61 3 9326 7922
121 Arden Street                             Fx +61 3 9326 7988
North Melbourne                              Mb 0413 437 461
VIC     3051                                 PGP Key ID: 0xC546109D
Australia

