Penetration Testing mailing list archives
Re: [PEN-TEST] More SQL Hacking
From: Meredith Shaebanyan <MeredithS () pwaor com>
Date: Mon, 18 Sep 2000 09:33:27 +0100
Sure! What you want to get access to is probably the xp_cmdshell() stored procedure in the master database, which will allow you to execute arbitrary commands on the client's (note *client* and not *victim*) machine.

Now, if you don't have permission to execute the stored procedure, there's a simple work-around. SQL Server fails to check permissions on temporary stored procedures (there's a patch out for this, and it's documented in Microsoft Security Bulletin MS00-048). So it's possible to create a temporary stored procedure to act as a wrapper for xp_cmdshell() and then execute it...as in:

CREATE PROCEDURE #deface_site AS
exec master.dbo.xp_cmdshell 'cmd/c echo 0wn3d again, h3h3h3h3 > C:\inetpub\wwwroo\default.htm'

I think that was actually on bugtraq before the xp_cmdshell() thing got big...so people might think they've tightened their permissions when people really just need to create a stored procedure (on unpatched systems).

_________________________________
Meredith Shaebanyan
MIS Specialist
Pacific West Association of Realtors
MeredithS () pwaor com
714-245-5560

-----Original Message-----
From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf Of Loschiavo, Dave
Sent: Friday, September 15, 2000 11:23 PM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] More SQL Hacking

From the role of the dbo of a database other than master, is there any way I can get to the NOS (NT) on which a SQL database resides? I have the dbo SQL userid and password, but I'm not able to do much with it because of a lack of access to extended stored procedures. Thanks in advance!
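
Added example, not part of the original post: a defender-side check for the pattern described in the reply above, scanning captured SQL statement text for temporary stored procedures (# or ##) that reference an extended stored procedure. The trace lines are constructed samples and the function names are hypothetical; it complements the MS00-048 patch and does not replace it.

```python
import re

# Matches a string literal (group 1, kept) or a comment (replaced by a space).
TOKENS = re.compile(r"('(?:[^']|'')*')|--[^\n]*|/\*.*?\*/", re.S)
STRINGS = re.compile(r"'(?:[^']|'')*'")
# CREATE PROC[EDURE] followed by a local (#) or global (##) temporary name.
TEMP_PROC = re.compile(r"\bCREATE\s+PROC(?:EDURE)?\s+\[?(#{1,2}[\w$#@]+)\]?(.*)",
                       re.I | re.S)
XP_NAME = re.compile(r"\b(xp_\w+)", re.I)

# Constructed sample statements, as they might appear in a SQL trace.
SAMPLE_TRACE = [
    "SELECT name FROM sysobjects WHERE type = 'U'",
    "CREATE PROCEDURE #wrap AS exec master.dbo.xp_cmdshell 'dir'",
    "create proc [##shared_wrap] @c varchar(255) as\n  EXEC master..xp_cmdshell @c",
    "CREATE PROCEDURE #report AS SELECT COUNT(*) FROM orders",
    "CREATE PROCEDURE dbo.usp_backup AS EXEC master.dbo.xp_cmdshell 'echo'",
    "-- CREATE PROCEDURE #old AS exec xp_cmdshell 'x'\nSELECT 1",
    "CREATE PROCEDURE #dyn AS EXEC('master..xp_cmdshell ''dir''')",
]

def audit_statement(sql):
    """Return (temp_proc, xp_name, kind) when a temporary procedure
    references an extended stored procedure, otherwise None."""
    # Drop comments first, but leave string literals intact.
    code = TOKENS.sub(lambda m: m.group(1) or " ", sql)
    m = TEMP_PROC.search(code)
    if not m:
        return None  # permanent procedures are out of scope for this check
    name, body = m.group(1), m.group(2)
    # A reference outside any string literal is a direct call.
    direct = XP_NAME.search(STRINGS.sub("''", body))
    if direct:
        return (name, direct.group(1).lower(), "direct-call")
    # A reference only inside a literal may be dynamic SQL: flag for review.
    quoted = XP_NAME.search(body)
    if quoted:
        return (name, quoted.group(1).lower(), "string-mention")
    return None

def audit_trace(statements):
    """Audit every statement and keep only the findings."""
    return [hit for hit in map(audit_statement, statements) if hit]

if __name__ == "__main__":
    for proc, xp, kind in audit_trace(SAMPLE_TRACE):
        print(f"{kind}: temporary procedure {proc} references {xp}")
```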