Re: [PEN-TEST] Have SQL admin account and password... now what?
From: Vitaly McLain <twistah () DATASURGE NET>
Date: Tue, 12 Sep 2000 19:30:44 -0500
Try using 'xp_cmdshell'. This stored procedure (MS SQL Server, others?)
lets you issue commands on the system (ex: xp_cmdshell 'dir').
One thing I recommend you read is the post on BugTraq concerning the
un-passworded 'sa' account and the tool linsql.c. The post/tool describes
pretty much what you want to do and how to do it (uploading files, for
example). In fact, you may want to check out linsql.c if you have a spare
UN*X box lying around (with the FreeTDS lib installed).
twistah () datasurge net
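
For administrators reading this thread, an audit of the two conditions the message above relies on (a callable xp_cmdshell and an un-passworded 'sa' login). This is an added example, not part of the original post or of linsql.c. It assumes SQL Server 2005 or later, where the sys.configurations and sys.sql_logins catalog views and the 'xp_cmdshell' configuration option exist.

```sql
-- Added example (assumption: SQL Server 2005 or later, run as a sysadmin).

-- 1. Is xp_cmdshell callable? value_in_use = 1 means it is enabled right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = N'xp_cmdshell';

-- 2. SQL logins (including sa) whose password is blank.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE PWDCOMPARE(N'', password_hash) = 1;

-- 3. Every principal that holds sysadmin, i.e. who could run or re-enable
--    xp_cmdshell.
SELECT m.name AS member_name, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = N'sysadmin';

-- 4. Turn xp_cmdshell off. It is an advanced option, so advanced options
--    are shown for the change and hidden again afterwards.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 5. Disable the sa login where nothing depends on it.
ALTER LOGIN [sa] DISABLE;
```

Any row returned by query 2 should be given a strong password or disabled. A sysadmin can switch xp_cmdshell back on, so the membership list from query 3 matters as much as the setting itself.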