Penetration Testing mailing list archives

Re: [PEN-TEST] More SQL Hacking


From: Meredith Shaebanyan <MeredithS () pwaor com>
Date: Mon, 18 Sep 2000 09:33:27 +0100

Sure!

What you want to get access to is probably the xp_cmdshell() stored
procedure in the master database, which will allow you to execute arbitrary
commands on the client's (note *client* and not *victim*) machine.

Now, if you don't have permission to execute the stored procedure, there's a
simple work-around. SQL Server fails to check permissions on temporary
stored procedures (there's a patch out for this, and it's documented in
Microsoft Security Bulletin MS00-048). So it's possible to create a temporary
stored procedure to act as a wrapper for xp_cmdshell() and then execute
it...as in:

CREATE PROCEDURE #deface_site AS
exec master.dbo.xp_cmdshell 'cmd/c echo 0wn3d again, h3h3h3h3 > C:\inetpub\wwwroo\default.htm'

I think that was actually on bugtraq before the xp_cmdshell() thing got
big...so people might think they've tightened their permissions when people
really just need to create a stored procedure (on unpatched
systems).



_________________________________
Meredith Shaebanyan
MIS Specialist
Pacific West Association of Realtors
MeredithS () pwaor com
714-245-5560



-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
Of Loschiavo, Dave
Sent: Friday, September 15, 2000 11:23 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] More SQL Hacking


From the role of the dbo of a database other than master, is there any way I
can get to the NOS (NT) on which a SQL database resides?

I have the dbo SQL userid and password, but I'm not able to do much with it
because of a lack of access to extended stored procedures.

Thanks in advance!
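
A detection-side counterpart to the temporary stored procedure wrapper described in the reply above, as an added example that is not part of the original thread: a Python script that scans captured SQL batches for temporary procedures whose body calls an extended stored procedure, and for later executions of those procedures. The trace format (session id, login, batch text), the function name and every sample row are constructed assumptions.

```python
import re

# Constructed sample trace: (session id, login, SQL batch text). Not real log data.
SAMPLE_TRACE = [
    (51, "webapp", "SELECT name FROM sysobjects WHERE type = 'U'"),
    (52, "report_dbo", "CREATE PROCEDURE #rpt AS SELECT COUNT(*) FROM orders"),
    (53, "app_dbo", "create proc #w as\nexec master.dbo.xp_cmdshell 'dir'"),
    (53, "app_dbo", "EXEC #w"),
    (52, "report_dbo", "EXEC #rpt"),
    (54, "sa", "EXEC master..xp_cmdshell 'dir'"),  # direct call, not a wrapper
]

# Temp procedure definition: group 1 is the name, group 2 the rest of the batch.
CREATE_TEMP = re.compile(r"\bCREATE\s+PROC(?:EDURE)?\s+(#{1,2}\w+)(.*)", re.I | re.S)
# Any extended stored procedure reference, with or without the master prefix.
XP_CALL = re.compile(r"\b(?:master\.(?:dbo)?\.)?(xp_\w+)", re.I)
# Execution of a temp procedure by name.
EXEC_TEMP = re.compile(r"\bEXEC(?:UTE)?\s+(#{1,2}\w+)", re.I)


def find_temp_proc_wrappers(events):
    """Flag temp procedures that wrap extended procedures, and their execution."""
    wrappers = {}  # (scope, proc name) -> extended procedures its body calls
    findings = []
    for spid, login, sql in events:
        created = CREATE_TEMP.search(sql)
        if created:
            name = created.group(1).lower()
            xps = sorted({x.lower() for x in XP_CALL.findall(created.group(2))})
            if xps:
                # '##' procedures are global; '#' ones belong to one session.
                scope = None if name.startswith("##") else spid
                wrappers[(scope, name)] = xps
                findings.append(("define", spid, login, name, xps))
            continue
        for name in (n.lower() for n in EXEC_TEMP.findall(sql)):
            scope = None if name.startswith("##") else spid
            if (scope, name) in wrappers:
                findings.append(("execute", spid, login, name, wrappers[(scope, name)]))
    return findings


if __name__ == "__main__":
    for finding in find_temp_proc_wrappers(SAMPLE_TRACE):
        print(finding)
```

Matching is purely textual, so a hit is a lead for review: a reference to an extended procedure inside a string literal or comment is also flagged.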

