mailing list archives
Re: [PEN-TEST] Have SQL admin account and password... now what?
From: Andrew Cogger <andrew () INNOVONICS COM AU>
Date: Wed, 13 Sep 2000 11:11:26 +1000
If you have the database admin account, you can do all sorts
of interesting things, especially if the exstended
stored procedure xp_cmdshell is still on the server.
Have a look at http://www.sqlsecurity.com/faq.asp
"Loschiavo, Dave" wrote:
I am banging on a product (MambaNT by www.luminate.com) that uses the MSDE
database engine. I have the database admin account and password (which they
kindly supply on their website and leave in plain text in an install log
Is there anything I can do with this now that I have it?
Sorry for such a general question, but I _really_ don't know SQL. I have
looked at RFP's account of breaking wwwthreads and his ODBC and MS SQL
server 6.5 write up, but haven't found a tatic to take. I really don't care
about the info in the database. I want to be able to issue system commands
and use this software to gain unauthorized access to the domain.
This is all internal testing. I'm am neither to young to go jail, nor to
good to get caught, so I don't pen-test others' networks.
Andrew Cogger andrew () innovonics com au
Electronics & Software Engineer www.innovonics.com.au
Innovonics Pty Ltd Ph +61 3 9326 7922
121 Arden Street Fx +61 3 9326 7988
North Melbourne Mb 0413 437 461
VIC 3051 PGP Key ID: 0xC546109D