Penetration Testing mailing list archives

Re: [PEN-TEST] Hacking a server through SQL SERVER 7


From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 23 Jan 2001 16:21:20 -0600

Once you have access to a MSSQL 7 server via the "sa" account, you can do all
sorts of fun things:

Run system commands:

EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN"
EXEC [master].[dbo].[xp_cmdshell] "net group 'Domain Admins' newuser /ADD /DOMAIN"

You can also access the registry, send email, dump system information... Take
a look at some of the Extended Stored Procedures in the [master] database
with SQL Query Analyzer.  Depending on the user the server runs as (normally
SYSTEM or Administrator), you can usually use xp_cmdshell to rebuild the
repair disk data with rdisk /s and snag the SAM database.

I will be giving a presentation at the upcoming CanSecWest conference
covering a variety of SQL server attacks, everything from general procedure
exploitation to insertion techniques.  At the conference, I will be releasing
a handful of new tools, one of which exploits the RDS component in new ways,
allowing access to SQL servers as well as proxying requests to internal
systems through it.  For more information on the conference, please see
http://www.cansecwest.com, online registration should be available within a
few weeks.

-HD

http://www.digitaldefense.net (work)
http://www.digitaloffense.net (play)


-----Original Message-----
From: FiC [mailto:fic () TOPFUTBOL COM]
Sent: Tuesday, January 23, 2001 4:44 AM
To: PEN-TEST () SECURITYFOCUS COM
Subject: [PEN-TEST] Hacking a server through SQL SERVER 7


Hi all. I've noticed that a lot of people out there don't worry about the
default sa login in SQL SERVER. So I've connected through my SQL Enterprise
Manager to such unprotected servers using the sa login and a blank password.
Once connected, in the Security -> Login folder, I can see the NT
administrator login and the NT administrator group. The question is.... What
other information can I get from that server? Is there any way to get the NT
administrator's password?

In the Management->Backup folder I can see every folder and file in the
remote drives. Can I get/upload a file in the server?

How can I finally penetrate the server once I've connected as 'sa' to their
SQL SERVER?

Thanx a lot.
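The thread above describes two conditions that make an instance trivial to take over: a sa login with a blank password, and xp_cmdshell available to any sysadmin. The following T-SQL is an added audit and hardening script, not part of either message in this thread, written for a modern SQL Server (2005 or later) rather than the SQL Server 7 the thread discusses; it assumes you hold sysadmin on the instance you are checking, and the sys.dm_server_services query additionally assumes SQL Server 2008 R2 SP1 or later.

```sql
-- Added example (not from the original thread): audit the weaknesses the
-- thread relies on, then remove them.  Assumes sysadmin rights and
-- SQL Server 2005 or later.

-- 1. SQL logins that still accept a blank password (the "sa" case in the thread).
SELECT name, is_disabled
FROM   sys.sql_logins
WHERE  PWDCOMPARE('', password_hash) = 1;

-- 2. SQL logins whose password equals the login name (another common default).
SELECT name
FROM   sys.sql_logins
WHERE  PWDCOMPARE(name, password_hash) = 1;

-- 3. Is xp_cmdshell enabled?  value_in_use = 1 means any sysadmin can run
--    operating-system commands under the service account.
SELECT name, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

-- 4. Which Windows account does the engine run as?  A command run through
--    xp_cmdshell inherits this account, so SYSTEM or a domain admin here is
--    the worst case the thread describes.  (SQL Server 2008 R2 SP1 or later.)
SELECT servicename, service_account
FROM   sys.dm_server_services;

-- 5. Who can reach xp_cmdshell at all: members of the sysadmin server role.
SELECT sp.name, sp.type_desc, sp.is_disabled
FROM   sys.server_principals AS sp
JOIN   sys.server_role_members AS rm ON rm.member_principal_id = sp.principal_id
JOIN   sys.server_principals AS r  ON r.principal_id = rm.role_principal_id
WHERE  r.name = 'sysadmin';

-- Hardening ---------------------------------------------------------------

-- Turn xp_cmdshell off (it is off by default on 2005+; this undoes re-enables).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
-- On SQL Server 7 / 2000 the equivalent was to drop the extended procedure:
--   EXEC master..sp_dropextendedproc 'xp_cmdshell'

-- Give sa a strong password, then disable it; administer through named
-- Windows logins instead so that activity is attributable.
-- The password below is a placeholder, not a value to deploy.
ALTER LOGIN sa WITH PASSWORD = 'REPLACE-WITH-A-LONG-RANDOM-PASSWORD';
ALTER LOGIN sa DISABLE;
```

Re-run queries 1 through 3 after the hardening section; all three should return no rows except query 3, which should now show value_in_use = 0. Where xp_cmdshell genuinely cannot be retired, restrict it with a proxy account (sp_xp_cmdshell_proxy_account) so that commands no longer run as the service account, and log the sp_configure changes through your normal change-control process.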

