RE: [WEB SECURITY] RE: Blind SQL Injection / Stored procedures

["ALLAIN Yann" <Yann.Allain () accorservices com>]

Hi all,

> Has anyone published a complete list/table of MSSQL (and other DB)
> stored procs/pls on the web, and what the default privs to them are?

You can use DumpSec SQL to have a list of such default privs.
http://www.sqlservercentral.com/columnists/cmiller/dumpsqlpermissions.as
p

Nice tool to list all privs. Here are the features :(Copy past from the
web page)

"DumpSQLSec" which generates reports on:

Permissions for SQL Server Objects across multiple databases
DB Users across multiple database with optional role membership
DB Roles across multiple database with optional built-in roles and role
members
DB Privileges across multiple database
Server Roles with optional server role Logins
Server Logins with optional server roles and database access

Yann




-----Original Message-----
From: Frederic Charpentier [mailto:fcharpen () xmcopartners com]
Sent: jeudi 17 novembre 2005 18:26
To: Evans, Arian
Cc: LAROUCHE Francois; Andres Molinetti; pen-test () securityfocus com;
webappsec () securityfocus com; websecurity () webappsec org
Subject: Re: [WEB SECURITY] RE: Blind SQL Injection / Stored procedures

hi evans,

I saw a good one at
:http://www.securitymap.net/sdm/docs/windows/mssql-checklist.html

there's a list of stored procedure (not commented) like :

sp_sdidebug
xp_availablemedia
xp_cmdshell
xp_deletemail
xp_dirtree
xp_dropwebtask
xp_dsninfo
xp_enumdsn
xp_enumerrorlogs
xp_enumgroups
xp_enumqueuedtasks
xp_eventlog
xp_findnextmsg
xp_fixeddrives
xp_getfiledetails
xp_getnetname
xp_grantlogin
xp_logevent
xp_loginconfig
xp_logininfo
xp_makewebtask
xp_msver        xp_perfend
xp_perfmonitor
xp_perfsample
xp_perfstart
xp_readerrorlog
xp_readmail
xp_revokelogin
xp_runwebtask
xp_schedulersignal
xp_sendmail
xp_servicecontrol
xp_snmp_getstate
xp_snmp_raisetrap
xp_sprintf
xp_sqlinventory
xp_sqlregister
xp_sqltrace
xp_sscanf
xp_startmail
xp_stopmail
xp_subdirs
xp_unc_to_drive
Xp_regaddmultistring
Xp_regdeletekey
Xp_regdeletevalue
Xp_regenumvalues
Xp_regread
Xp_regremovemultistring
Xp_regwrite
Sp_OACreate
Sp_OADestroy
Sp_OAGetErrorInfo
Sp_OAGetProperty
Sp_OAMethod
Sp_OASetProperty
Sp_OAStop


Evans, Arian wrote:
> Fancois, nice explanation,
>
> > -----Original Message-----
> > From: LAROUCHE Francois [mailto:Francois.Larouche () accorservices com]
> > Sent: Thursday, November 17, 2005 8:59 AM
> [...]
> > d) If you still can't well sorry... I think there is no other
> > way except those already mentioned by the others (by the way
> > to execute xp_makewebtask you need to have high user
> > privileges something you are obviously not)
>
> Has anyone published a complete list/table of MSSQL (and other DB)
> stored procs/pls on the web, and what the default privs to them are?
>
> I've made one but I'm not sure yet if I'm allowed to publish it.
>
> This would be a nice handy sql-injection reference table for
> people who are new to SQLi with stored procs, or just have a
> bad memory/aren't very smart [me].
>
> -ae
>
>
>
>
>
> ---------------------------------------------------------------------
> The Web Security Mailing List
> http://www.webappsec.org/lists/websecurity/
>
> The Web Security Mailing List Archives
> http://www.webappsec.org/lists/websecurity/archive/

--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com/tests-intrusion.html


______________________________________________________________________________________________________________________________
This email, the information contained within and any files transmitted with it (herein after referred as "the message")
are confidential. It is intended solely for the addressees and access to this message by any other person is not 
permitted.
If you are not the named addressee, please send it back immediately to the sender and delete it. Unauthorized 
disclosure,
publication, use, dissemination, forwarding, printing or copying of this message, either in whole or in part, is 
strictly
prohibited.
Emails are susceptible to alteration and their integrity cannot be guaranteed. Our company shall not be liable for this
message if modified or falsified.