Penetration Testing mailing list archives

Previous By Date Next
Previous By Thread Next

custom xp_cmdshell on SQL Server

From: "Andy Lester" <pentest1269 () hotmail com>
Date: Wed, 13 Sep 2006 17:29:16 +0200
Hello list,
I am pen-testing a web app that is vulnerable to SQL Injection. The queries to the backend DB are done with a non-privileged user, but using OPENROWSET and inference-based injection I have been able to find the sa password and escalate privileges. However, xp_cmdshell seems to have been disabled, so I am trying to create a custom one with 'CREATE PROCEDURE'. The probles is that while 'CREATE PROCEDURE' works perfectly with "native" sa privileges (i.e.: without the OPENROWSET escalation), it is not working combined with the privilege escalation (i.e.: inside the OPENROWSET).
More specifically, I am trying injecting the following query (using a test SQL Server 2000): select * from OPENROWSET('SQLOLEDB','';'sa';<password>,'declare @x nvarchar(1000);set @x = ''CREATE PROCEDURE customshell<snip>'';exec master..sp_executesql @x;select 1')
The 'select 1' is added because OPENROWSET expects some data. The query runs correctly without errors but the custom procedure is not created.
Any ideas on how to create such a custom procedure in a privilege escalation scenario ? 

I hope it all makes sense, and sorry for the long post.

Andy

_________________________________________________________________
FREE pop-up blocking with the new MSN Toolbar - get it now! http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/ 


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
Previous By Date Next
Previous By Thread Next

Current thread: