Penetration Testing mailing list archives
RE: custom xp_cmdshell on SQL Server
From: "Andy Lester" <pentest1269 () hotmail com>
Date: Mon, 18 Sep 2006 12:31:41 +0200
From: "Victor Chapela" <victor () sm4rt com> To: "'Andy Lester'" <pentest1269 () hotmail com>, > 1) The problem with CREATE PROCEDURE is that it has to be the firststatement in a batch query. Within a sql injection you are always, at least,the second statement after the one you injected into.
Correct. But since I am injecting 'CREATE PROCEDURE' inside an OPENROWSET statement, that should solve the issue, as the SQL code inside the OPENROWSET is executed as a batch in itself (correct me if I am wrong)
2) Sometimes xp_cmdshell seems not to be working (especially if you are doing it through openrowset which ends up being blind). You may have SQL Server running with an unprivileged user. Did you try a ping to localhost and check for the 4 sec delay? That almost always works.
I am running my code as an unprivileged user, but I escalated to 'sa' using OPENROWSET
3) Even if you do get execution by restoring xp_cmdshell, injecting through openrowset has severe complications when trying complex queries. The best way I have found to overcome these limitations is by temporarily increasing privileges of the user you are going through. ' and 1=(select * from openrowset('SQLOLEDB','DRIVER={SQLServer};SERVER=<server>;UID=sa;PWD=<passwo rd>',N'select user; declare @u varchar(50); set @u = (select system_user); exec master.dbo.sp_addsrvrolemember @u, ''sysadmin'''))--
Nice trick !... I will give this a try :) Thanks Andy _________________________________________________________________Don't just search. Find. Check out the new MSN Search! http://search.msn.com/
------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php ------------------------------------------------------------------------
Current thread:
- custom xp_cmdshell on SQL Server Andy Lester (Sep 13)
- RE: custom xp_cmdshell on SQL Server Clemens, Dan (Sep 14)
- Re: custom xp_cmdshell on SQL Server Steven M Gill (Sep 15)
- Re: custom xp_cmdshell on SQL Server Stefano Zanero (Sep 15)
- RE: custom xp_cmdshell on SQL Server Victor Chapela (Sep 17)
- RE: custom xp_cmdshell on SQL Server Andy Lester (Sep 18)
- RE: custom xp_cmdshell on SQL Server Victor Chapela (Sep 20)
- RE: custom xp_cmdshell on SQL Server Andy Lester (Sep 18)
- <Possible follow-ups>
- Re: custom xp_cmdshell on SQL Server Zed Qyves (Sep 14)
- User group tool Bud Gordon (Sep 14)
- Re: User group tool Tim (Sep 14)
- Re: User group tool John Skinner (Sep 15)
- RE: User group tool ballares (Sep 15)
- RE: User group tool Weir, Jason (Sep 15)
- User group tool Bud Gordon (Sep 14)
- RE: custom xp_cmdshell on SQL Server Andy Lester (Sep 18)