Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking a server through SQL SERVER 7
From: H D Moore <hdm () SECUREAUSTIN COM>
Date: Tue, 23 Jan 2001 16:21:20 -0600
Once you have access to a MSSQL 7 server via the "sa" account, you can do all sorts of fun things: Run system commands: EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN" EXEC [master].[dbo].[xp_cmdshell] "net group 'Domain Admins' newuser /ADD /DOMAIN" You can also access the registry, send email, dump system information... Take a look at some of the Extended Stored Procedures in the [master] database with SQL Query Analyzer. Depending on the user the server runs at (normally SYSTEM or Administrator), you can usually use xp_cmdshell to rebuild the repair disk data with rdisk /s and snag the SAM database. I will be giving a presentation at the upcoming CanSecWest conference covering a variety of SQL server attacks, everything from general procedure exploitation to insertion techniques. At the conference, I will be releasing a handful of new tools, one of which exploits the RDS component in new ways, allowing access to SQL servers as well as proxying requests to internal systems through it. For more information on the conference, please see http://www.cansecwest.com, online registration should be available within a few weeks. -HD http://www.digitaldefense.net (work) http://www.digitaloffense.net (play)
-----Original Message----- From: FiC [mailto:fic () TOPFUTBOL COM] Sent: Tuesday, January 23, 2001 4:44 AM To: PEN-TEST () SECURITYFOCUS COM Subject: [PEN-TEST] Hacking a server through SQL SERVER 7 Hi all. I've noticed that a lot of people out there don't worry about the default sa login in SQL SERVER. So i've connected through my SQL Enterprise Manager to such unprotected servers using the sa login and a blank password. Once connected, in the Security ->Login folder, I can see the NT administrator login and the NT administrator group. The question is.... ¿What else information can I get from that server? ¿Is there anyway to get the NT administrator's password? In the Management->Backup folder I can see every folder and file in the remote drives. Can I get/upload a file in the server? How can I finally penetrate the server once I've connected as 'sa' to their SQL SERVER? Thanx a lot.
Current thread:
- [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Derrick K. Bennett (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 H D Moore (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Attonbitus Deus (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 MadHat (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Brentlinger, Mike (ISS eServices) (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Frank Knobbe (Jan 25)