BlackBoard
Hi,
I got a server with MSSQL. I heard that xp_cmdshell is used for executing commands on a server. How can I disable this remotely without using the Microsoft SQL Client? I just got Telnet rights (cmd.exe). Is there any batch file or patch to disable xp_cmdshell?

Thx

passi
Try this (it worked for me):

Get into the MSSQL/Binn dir on your remote machine (mostly c:/MSSQL/80/Binn or something like this). Now stop the MSSQL service:
NET STOP mssqlserver /yes
NET STOP microsoftsqlserver /yes
NET STOP sqlservr /yes
NET STOP sqlserver /yes

I'm not sure which is the right one... just try them out.
Then replace the 'xpsql70.dll' and the 'xplog70.dll' with my attached ones. (DON'T RESUME.) Just delete the old ones and copy my attached ones. Then start the MSSQL service:
NET START mssqlserver
NET START microsoftsqlserver
NET START sqlservr
NET START sqlserver

(Not sure which is the right one... just try ;) )

Now try to connect to the SQL database via sqlexec or nethacker. You will get a "sql_cmshell failed" message.


greeeeeetz, passiw
PS: Sorry, I had some alcohol today, I hope you understand anything.
PPS: It's very easy to write a bat file which does all this for you ;)
UnDeRTaKeR
You could know the service name by typing "net start" or using services.exe, hct.exe, there are a lot more of these... never mind...
passiw, about the way of disabling xp_cmdshell, that's cool, 10x man!
So far I used to change the account password... :\
net
Yes, but changing the password seems more effective to me...

'cause when the admin finds your stuff and kicks you off the server you may have another backdoor with your SQL password...

greetz
Sh4dowWalker
QUOTE (net @ Dec 6 2003, 05:09 PM)
Yes, but changing the password seems more effective to me...

'cause when the admin finds your stuff and kicks you off the server you may have another backdoor with your SQL password...

greetz

Isn't it also suspicious for the admin that some passes were changed? ;)
BlackBoard
hi guys,


Does the admin notice it when the DLLs are replaced, because of any errors or something like this?

I also found a solution.

http://www.laplas-soft.com/

You can easily disable xp_cmdshell with the tool SLQ ExecMs if you got the sa account. But one more question: how can I activate xp_cmdshell with this tool again?

Bye
nibbler
Is there any way to encrypt SQL pws?
And in which file are the pw and user saved?
jockel
I personally wouldn't change the pw ... that's too much ...
You could just connect to the SQL Server remotely by, for example, mmc (Microsoft style ;) ...
As soon as you are connected you go directly to the "Stored Procedures" section ...
Voila ... in the "master" db (think it's default) there is a stored procedure called "xp_cmdshell" ... now either just delete it... or overwrite it with your own stored procedure ...... but there are other possibilities in order to get the cmd.exe by MSSQL server ....
So rewriting or deleting the xp_cmdshell is not 100% secure ...

The only thing u need is the MSSQL Enterprise Manager plugin for mmc ...
It's included in MSSQL server I think ... or if any1 needs plz post request ...

Hope this helped ..
(sorry 4 my fu*kin bad English ... it sucks ... I know ... Germans .....=)
RFlash
Sorry jockel and thanks for your offer.

I don't understand if the MSSQL Enterprise manager plugin for mmc is potentially necessary to get the cmd.exe without the xp_cmdshell or if this extension is only to delete the xp_cmdshell.


Anyway, if you can post this extension I'll appreciate it.

RFlash
rastis_monkey
ty
taimoor
nice
northernsky
All I do to protect is change the SQL password. The big reason is that even if the sysop does find that his password is changed (once a year :P ) I can still get back using the password he changed it to (of course if he changed it to an easy one). Even then, if I can't get in through SQL any more, he has to kill all my backdoors. If he does all of that then I'm done with that box.
droplogic66
if u wanna secure ur sql sites, why not just use osql.exe?

OSQL.exe -S IP -U user -P password -d master -Q "sp_dropextendedproc 'xp_cmdshell'"

think this is what u were lookin for, but I'm tired so just ignore me if I'm wrong
gamesen
Well, thx for posting the replies, I needed this info as well and it worked. thx
BlackBoard
What's the most secure way to secure a Microsoft SQL server? I dropped xp_cmdshell on my server but on the next day it was hacked (I just gave the server a simple password for testing if xp_cmdshell really does not work). How can this be?
droplogic66
If you do the osql cmd up there ^ you'll still be able to scan and get the SQL user/pass, but you won't be able to execute any commands.
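
The gap raised in the last two posts (xp_cmdshell dropped, yet a simple password still let someone in) can be checked from the administrator's side. The T-SQL below is an added example, not part of any post in this thread; it assumes SQL Server 2008 or later (for the sys.* catalog views, PWDCOMPARE and LOGINPROPERTY) and a session with sysadmin rights.

```sql
-- Added example: read-only audit queries, nothing here changes server state.
-- Assumption: SQL Server 2008 or later, run by a sysadmin.

-- 1. Is xp_cmdshell enabled? value_in_use = 1 means it can be called right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 2. Which logins are sysadmin and could therefore switch it back on?
SELECT m.name AS login_name, m.type_desc, m.is_disabled
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';

-- 3. SQL logins whose password is blank or identical to the login name.
--    Any row returned is an account that password guessing finds first.
SELECT name AS login_name, is_disabled
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1
   OR PWDCOMPARE(name, password_hash) = 1;

-- 4. Password policy flags and the time each SQL login's password was last set.
--    A recent change nobody on the team made is a sign of tampering.
SELECT name AS login_name,
       is_policy_checked,
       is_expiration_checked,
       CAST(LOGINPROPERTY(name, 'PasswordLastSetTime') AS datetime) AS password_last_set
FROM sys.sql_logins
ORDER BY password_last_set DESC;
```

Any row from the third query, or a password_last_set value that no administrator can account for, is worth investigating regardless of what the first query shows.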
Nexus1155
THANK YOU! I've been looking for this tutorial and commands all day today haha