Re: [PEN-TEST] Hacking a server through SQL SERVER 7

["Derrick K. Bennett" <derrick () ANEI COM>]

When you have sa privileges to a SQL box then the game is pretty much
over. You then have access to a cmd prompt through xp_cmdshell (I
think). I don't have my SQL server in front of me but you can enable the
extended procedures and then open your query window and run commands out
through that procedure to the shell and it runs under the autority of
the SQL server which is usually admin or system. From this the options
are endless. Copy the backup erd info or setup an ftp script to download
files and run them opening a full shell for your access. Basically
anything you can do from a command prompt you can do as sa and the
options beyond that are even better. ALWAYS change the sa password
people. And honestly block SQL ports to the net unless it really is
needed.

Derrick



-----Original Message-----
From:   FiC
Sent:   Tue 1/23/2001 5:43 AM
To:     PEN-TEST () SECURITYFOCUS COM
Cc:     
Subject:             [PEN-TEST] Hacking a server through SQL SERVER 7

Hi all. I've noticed that a lot of people out there don't worry about
the 
default sa login in SQL SERVER. So i've connected through my SQL
Enterprise 
Manager to such unprotected servers using the sa login and a blank
password. 
Once connected, in the Security ->Login folder, I can see the NT 
administrator login and the NT administrator group. The question is....
¿What 
else information can I get from that server? ¿Is there anyway to get the
NT 
administrator's password?

In the Management->Backup folder I can see every folder and file in the 
remote drives. Can I get/upload a file in the server?

How can I finally penetrate the server once I've connected as 'sa' to
their 
SQL SERVER?

Thanx a lot.

-- 
~/ FiC /~