RE: Question: FTP via alternate port

From: Jason Baeder (jason_baeder@yahoo.com)
Date: Mon Jan 30 2006 - 11:55:45 EST


Niels,

>I am interested in knowing whether there are native file
>transfer protocols built into the shell commands that could
>circumvent the FW,

AFAIK, the answer to that question is no. You get shell access via SQL
with the stored procedure xp_cmdshell. Unless you've installed another
command shell on Windows, that means you get cmd.exe. Not a whole lot
of functionality there, as we have already discussed.

There are, however, a few more tricks. If there is a webserver on the
same box as the SQL server, and if the attacker can invoke SQL's
xp_cmdshell, he/she could copy desired files somewhere under the root
directory of the webserver and use a browser to download them. To the
firewall, that's just another web session.

I also have a vague recollection that SQL server can be configured to
send email via stored procedure. Soooo...a quick search found this:
http://support.microsoft.com/kb/q263556/
As you can see there are a lot of other factors that need to be in
place for this to work. But if a server were configured as such, it is
probably not out of the realm of possibility for an attacker to
email files off the server by compromising the SQL server.

Jason

--- List User <listaddy@gmail.com> wrote:

> Thanks Jason, I should have been a little more specific in my example. I am
> aware that the native MS FTP client cannot be put into passive mode, and
> that certainly makes the attacker's task more difficult if FTP is not
> allowed outbound. I also should have asked more specifically for those
> folks who have some SQL shell command knowledge, since I am interested in
> knowing whether there are native file transfer protocols built into the
> shell commands that could circumvent the FW, by, for instance, being put
> into active mode. And yes, moving a tool onto the compromised system is
> something a lot of people have mentioned, but it is a catch-22 proposal.
>
> Thanks again for your answer! And you are absolutely right: prevent it at
> the application level first, and then put barriers in the way after that.
>
> Niels
>
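
As an added example (not part of the original message), here is a T-SQL audit of the features this thread mentions, xp_cmdshell and the mail extended procedures, followed by turning xp_cmdshell off. It assumes SQL Server 2005 or later, where sys.configurations and the sp_configure option 'xp_cmdshell' exist, and a sysadmin login.

```sql
-- Added example: audit and harden the SQL Server features discussed above.
-- Assumption: SQL Server 2005 or later, run by a member of sysadmin.

-- 1. Is the command shell or either mail subsystem switched on?
--    value_in_use = 1 means the feature is currently callable.
SELECT name,
       CAST(value_in_use AS int) AS enabled
FROM   sys.configurations
WHERE  name IN (N'xp_cmdshell', N'SQL Mail XPs', N'Database Mail XPs')
ORDER  BY name;

-- 2. Who besides sysadmin has been granted EXECUTE on xp_cmdshell?
--    Any row here is an account that can reach cmd.exe through SQL.
SELECT pr.name       AS principal_name,
       pr.type_desc  AS principal_type,
       pe.state_desc AS grant_state
FROM   master.sys.database_permissions AS pe
JOIN   master.sys.database_principals  AS pr
       ON pr.principal_id = pe.grantee_principal_id
WHERE  pe.major_id = OBJECT_ID(N'master.sys.xp_cmdshell')
  AND  pe.permission_name = N'EXECUTE';

-- 3. Which logins are sysadmin (and can therefore re-enable xp_cmdshell)?
--    An application login in this list defeats the setting in step 4.
SELECT m.name AS sysadmin_login, m.type_desc
FROM   sys.server_role_members AS rm
JOIN   sys.server_principals   AS r ON r.principal_id = rm.role_principal_id
JOIN   sys.server_principals   AS m ON m.principal_id = rm.member_principal_id
WHERE  r.name = N'sysadmin';

-- 4. Turn xp_cmdshell off and hide the advanced options again.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```
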




This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:25 EDT