Penetration Testing mailing list archives
Re: [PEN-TEST] Have SQL admin account and password... now what?
From: Andrew Cogger <andrew () INNOVONICS COM AU>
Date: Wed, 13 Sep 2000 11:11:26 +1000
Dave,

If you have the database admin account, you can do all sorts of interesting things, especially if the extended stored procedure xp_cmdshell is still on the server. Have a look at http://www.sqlsecurity.com/faq.asp

Andrew

"Loschiavo, Dave" wrote:
I am banging on a product (MambaNT by www.luminate.com) that uses the MSDE database engine. I have the database admin account and password (which they kindly supply on their website and leave in plain text in an install log file). Is there anything I can do with this now that I have it? Sorry for such a general question, but I _really_ don't know SQL. I have looked at RFP's account of breaking wwwthreads and his ODBC and MS SQL server 6.5 write up, but haven't found a tactic to take. I really don't care about the info in the database. I want to be able to issue system commands and use this software to gain unauthorized access to the domain. This is all internal testing. I am neither too young to go to jail, nor too good to get caught, so I don't pen-test others' networks. Thanks!
--
Andrew Cogger                      andrew () innovonics com au
Electronics & Software Engineer    www.innovonics.com.au
Innovonics Pty Ltd                 Ph +61 3 9326 7922
121 Arden Street                   Fx +61 3 9326 7988
North Melbourne                    Mb 0413 437 461
VIC 3051                           PGP Key ID: 0xC546109D
Australia