Home page logo
/

pen-test logo Penetration Testing mailing list archives

Re: [PEN-TEST] Have SQL admin account and password... now what?
From: Andrew Cogger <andrew () INNOVONICS COM AU>
Date: Wed, 13 Sep 2000 11:11:26 +1000

Dave,

If you have the database admin account, you can do all sorts
of interesting things, especially if the exstended
stored procedure xp_cmdshell is still on the server.

Have a look at http://www.sqlsecurity.com/faq.asp


Andrew


"Loschiavo, Dave" wrote:

I am banging on a product (MambaNT by www.luminate.com) that uses the MSDE
database engine. I have the database admin account and password (which they
kindly supply on their website and leave in plain text in an install log
file).

Is there anything I can do with this now that I have it?

Sorry for such a general question, but I _really_ don't know SQL. I have
looked at RFP's account of breaking wwwthreads and his ODBC and MS SQL
server 6.5 write up, but haven't found a tatic to take. I really don't care
about the info in the database. I want to be able to issue system commands
and use this software to gain unauthorized access to the domain.

This is all internal testing. I'm am neither to young to go jail, nor to
good to get caught, so I don't pen-test others' networks.

Thanks!

--
Andrew Cogger                                andrew () innovonics com au
Electronics & Software Engineer              www.innovonics.com.au
Innovonics Pty Ltd                           Ph +61 3 9326 7922
121 Arden Street                             Fx +61 3 9326 7988
North Melbourne                              Mb 0413 437 461
VIC     3051                                 PGP Key ID: 0xC546109D
Australia


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault