RE: custom xp_cmdshell on SQL Server

["Clemens, Dan" <Dan.Clemens () healthsouth com>]

Andy,

The best way would be to turn the stored procedure back on.
This should turn the stored procedure back on for you. 

exec sp_addextendedproc N'xp_cmdshell', N'xplog70.dll' 

-Daniel Clemens

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of Andy Lester
Sent: Wednesday, September 13, 2006 10:29 AM
To: pen-test () securityfocus com
Subject: custom xp_cmdshell on SQL Server

Hello list,

I am pen-testing a web app that is vulnerable to SQL Injection. The
queries to the backend DB are done with a non-privileged user, but using
OPENROWSET and inference-based injection I have been able to find the sa
password and escalate privileges.
However, xp_cmdshell seems to have been disabled, so I am trying to
create a custom one with 'CREATE PROCEDURE'.
The probles is that while 'CREATE PROCEDURE' works perfectly with
"native" 
sa privileges (i.e.: without the OPENROWSET escalation), it is not
working combined with the privilege escalation (i.e.: inside the
OPENROWSET).

More specifically, I am trying injecting the following query (using a
test SQL Server 2000):
select * from OPENROWSET('SQLOLEDB','';'sa';<password>,'declare @x
nvarchar(1000);set @x = ''CREATE PROCEDURE customshell<snip>'';exec
master..sp_executesql @x;select 1')

The 'select 1' is added because OPENROWSET expects some data. The query
runs correctly without errors but the custom procedure is not created.

Any ideas on how to create such a custom procedure in a privilege
escalation scenario ?

I hope it all makes sense, and sorry for the long post.

Andy

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now! 
http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------


-----------------------------------------
Confidentiality Notice: This e-mail communication and any
attachments may contain confidential and privileged information for
the use of the designated recipients named above. If you are not
the intended recipient, you are hereby notified that you have
received this communication in error and that any review,
disclosure, dissemination, distribution or copying of it or its
contents is prohibited. If you have received this communication in
error, please notify me immediately by replying to this message and
deleting it from your computer. Thank you.


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------