From: Steven M Gill (steven.gill@sungardsecurity.com)
Date: Thu Sep 14 2006 - 22:42:03 EDT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
I have seen xp_cmdshell removed (which may be the cause of the
disabling), but it can be reloaded from the dll. If you have the sa
password, you should be able to reload it. You can call the
sp_addextendedproc
(http://msdn2.microsoft.com/fr-fr/library/ms164653.aspx) procedure.
In sql 7 its xpsql70.dll (it has all the extended sp - which means its
probably still on the system). You can check which dll for what
version of sql by looking at the installed files. if you need to know
what version of sql is running on your target host, try executing
"select @@version".
Hope this helps!
Steve
Andy Lester wrote:
> Hello list,
>
> I am pen-testing a web app that is vulnerable to SQL Injection. The
> queries to the backend DB are done with a non-privileged user, but
> using OPENROWSET and inference-based injection I have been able to
> find the sa password and escalate privileges.
> However, xp_cmdshell seems to have been disabled, so I am trying to
> create a custom one with 'CREATE PROCEDURE'.
> The probles is that while 'CREATE PROCEDURE' works perfectly with
> "native" sa privileges (i.e.: without the OPENROWSET escalation), it
> is not working combined with the privilege escalation (i.e.: inside
> the OPENROWSET).
>
> More specifically, I am trying injecting the following query (using
> a test SQL Server 2000):
> select * from OPENROWSET('SQLOLEDB','';'sa';<password>,'declare @x
> nvarchar(1000);set @x = ''CREATE PROCEDURE customshell<snip>'';exec
> master..sp_executesql @x;select 1')
>
> The 'select 1' is added because OPENROWSET expects some data. The
> query runs correctly without errors but the custom procedure is not
> created.
>
> Any ideas on how to create such a custom procedure in a privilege
> escalation scenario ?
>
> I hope it all makes sense, and sorry for the long post.
>
> Andy
>
> _________________________________________________________________
> FREE pop-up blocking with the new MSN Toolbar - get it now!
> http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
>
>
> ------------------------------------------------------------------------
>
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFFChL7H4AiI9jN/70RAl+WAJ46NvgB6AdPo1LFIZXfXx8moGFeIwCfVIoX
S0I7jZGhg24ERYJcuDrHP68=
=Sc84
-----END PGP SIGNATURE-----
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:57 EDT