RE: custom xp_cmdshell on SQL Server

From: Andy Lester (pentest1269@hotmail.com)
Date: Mon Sep 18 2006 - 06:31:41 EDT


>From: "Victor Chapela" <victor@sm4rt.com>
>To: "'Andy Lester'" <pentest1269@hotmail.com>, >
>1) The problem with CREATE PROCEDURE is that it has to be the first
>statement in a batch query. Within a sql injection you are always, at
>least,
>the second statement after the one you injected into.

Correct. But since I am injecting 'CREATE PROCEDURE' inside an OPENROWSET
statement, that should solve the issue, as the SQL code inside the
OPENROWSET is executed as a batch in itself (correct me if I am wrong)

>2) Sometimes xp_cmdshell seems not to be working (especially if you are
>doing it through openrowset which ends up being blind). You may have SQL
>Server running with an unprivileged user. Did you try a ping to localhost
>and check for the 4 sec delay? That almost always works.

I am running my code as an unprivileged user, but I escalated to 'sa' using
OPENROWSET

>3) Even if you do get execution by restoring xp_cmdshell, injecting through
>openrowset has severe complications when trying complex queries. The best
>way I have found to overcome these limitations is by temporarily increasing
>privileges of the user you are going through.
>
>' and 1=(select * from
>openrowset('SQLOLEDB','DRIVER={SQLServer};SERVER=<server>;UID=sa;PWD=<password>',N'select user; declare @u varchar(50); set @u = (select system_user);
>exec master.dbo.sp_addsrvrolemember @u, ''sysadmin'''))--

Nice trick! ... I will give this a try :)

Thanks

Andy
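The thread above depends on two instance settings: ad hoc OPENROWSET connections with embedded credentials, and xp_cmdshell being available or re-enabled. The following T-SQL is an added example, not code from either poster; it assumes SQL Server 2005 or later (sys.configurations and the sp_configure option names below exist there) and a sysadmin connection on the instance being reviewed. It audits the current state of both features, shows the hardened setting beside the weak one, and lists sysadmin role membership so that an unexpected member added via sp_addsrvrolemember stands out.

```sql
-- Added example (not from the original thread): audit and hardening T-SQL for
-- the two features the thread relies on. Assumes SQL Server 2005+ and a
-- sysadmin connection.

-- 1. Current state. value_in_use = 1 means the feature is live right now.
--    Weak state discussed in the thread: 'Ad Hoc Distributed Queries' = 1
--    (OPENROWSET may open its own connection with a UID/PWD string) and
--    'xp_cmdshell' = 1 (or easily flipped back to 1 by a sysadmin).
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries', 'xp_cmdshell', 'show advanced options');

-- 2. Hardened state: both features off, advanced options hidden again.
--    Both options are "advanced", so they are only settable while
--    'show advanced options' is 1.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Verify: expect value_in_use = 0 for both rows.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries', 'xp_cmdshell');

-- 4. Review sysadmin membership. The quoted payload adds the injected
--    login to this role; any member that is not a known DBA or service
--    account is a finding. Compare against a baseline taken earlier.
SELECT m.name AS member_login, m.type_desc, m.create_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.create_date;
```

Disabling xp_cmdshell alone is not a control against a caller who already holds sysadmin, since that caller can re-enable it; the durable mitigations are removing sysadmin from application logins and keeping ad hoc distributed queries off.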




