How can I secure MSSQL 7? Because I can't find an Enterprise Manager to secure the sa password.
And if I remove the xplog70.dll and restart the service, I can still connect with SQLExec. So how can I secure MSSQL 7?
Oh, and osql -U sa -Q "sp_password NULL, 'newpass', 'sa'"
EXPLOiTED
Mar 26 2004, 02:17 PM
Drop the cmd shell. There is a post on this two pages back in the forum.
DumpZ
Mar 26 2004, 02:24 PM
Oh, I always thought that if you deleted the xplog70.dll then xp_cmdshell is disabled, and on SQL Enterprise Edition that works.
brOmstar
Mar 26 2004, 02:48 PM
I would change the password, because this is the real vuln.
1. Go to sql-maindir\Tools\Binn
2. Type "osql -E sa"
3. Type "sp_password @old = null, @new = '<PASSWORT>', @loginame = 'sa'" -> replace <PASSWORT> with your new password
4. Press [Enter].
5. Type "go" + press [Enter] to execute the command
6. The password is set
Hope this helps you. I think any other way could be exploited, like copying a new DLL to the system via SQLExec + FTP/TFTP etc., or injecting a new cmdshell with sqlbrowser.
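The two fixes raised in this thread (set a real sa password, drop xp_cmdshell) as one T-SQL script with verification queries. This is an added example, not code posted by anyone in the thread; it assumes SQL Server 7 system tables (syslogins, sysobjects), that it runs as a sysadmin (for instance via osql -E), and uses a placeholder for the new password.

```sql
-- Added example (not from any post in this thread): SQL Server 7 hardening steps.
-- Assumed invocation, as a sysadmin: osql -E -i harden.sql  (harden.sql is a hypothetical file name)
USE master
GO

-- 1. Report standard (non-NT) logins that still have a blank password.
--    Assumption: SQL 7 stores a blank password as NULL in syslogins.password;
--    NT logins are excluded because they never store a password there.
SELECT name AS login_with_blank_password
FROM master.dbo.syslogins
WHERE password IS NULL AND isntname = 0
GO

-- 2. Give sa a password. Replace <NEW_SA_PASSWORD> (placeholder) before running.
EXEC sp_password @old = NULL, @new = '<NEW_SA_PASSWORD>', @loginame = 'sa'
GO

-- 3. Drop the xp_cmdshell extended procedure from the server's catalog
--    (xtype 'X' = extended stored procedure), so removing the DLL is not relied on.
IF EXISTS (SELECT 1 FROM master.dbo.sysobjects
           WHERE name = 'xp_cmdshell' AND xtype = 'X')
    EXEC sp_dropextendedproc 'xp_cmdshell'
GO

-- 4. Verify: the first query lists any remaining blank-password logins (sa should
--    no longer appear); the second must return no rows.
SELECT name FROM master.dbo.syslogins WHERE password IS NULL AND isntname = 0
SELECT name FROM master.dbo.sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X'
GO
```

Re-run step 4 after restarting the service to confirm nothing re-registers the procedure at startup.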
Spookie
Mar 26 2004, 03:03 PM
Some additional reading material for you that might be of interest is included below.
But br0mstar, I always log in with osql with the -U switch (on my SQL Enterprise server).
brOmstar
Mar 26 2004, 09:25 PM
I used this and it works fine every time. I found this on a hosting page some time ago. Never thought about it, but you are right, this should not work, but it works!
-U login_id   Is the user login ID. Login IDs are case-sensitive.
-e            Echoes input.
-E            Uses a trusted connection instead of requesting a password.
-p            Prints performance statistics.
-n            Removes numbering and the prompt symbol (>) from input lines.
-d db_name    Issues a USE db_name statement when osql is started.
-Q "query"    Executes a query and immediately exits osql. Use double quotation marks around the query and single quotation marks around anything embedded in the query.
-q "query"    Executes a query when osql starts, but does not exit osql when the query completes. (Note that the query statement should not include GO.) If you issue a query from a batch file, use %variables, or environment %variables%. For example:
                  SET table = sysobjects
                  osql /q "Select * from %table%"
              Use double quotation marks around the query and single quotation marks around anything embedded in the query.
-c cmd_end    Specifies the command terminator. By default, commands are terminated and sent to Microsoft SQL Server by entering GO on a line by itself. When you reset the command terminator, do not use SQL reserved words or characters that have special meaning to the operating system, whether preceded by a backslash or not.
-h headers    Specifies the number of rows to print between column headings. The default is to print headings one time for each set of query results. Use -1 to specify that no headers will be printed. If using -1, there must be no space between the parameter and the setting (-h-1, not -h -1).
-w column_width  Allows the user to set the screen width for output. The default is 80 characters. When an output line has reached its maximum screen width, it is broken into multiple lines.
-s col_separator  Specifies the column-separator character, which is a blank space by default. To use characters that have special meaning to the operating system (for example, |; & < >), enclose the character in double quotation marks (").
-t time_out   Specifies the number of seconds before a command times out. If no time_out value is specified, a command runs indefinitely; the default time-out for logging in to osql is eight seconds.
-m error_level  Customizes the display of error messages. The message number, state, and error level are displayed for errors of the specified severity level or higher. Nothing is displayed for errors of levels lower than the specified level. Use -1 to specify that all headers are returned with messages, even informational messages. If using -1, there must be no space between the parameter and the setting (-m-1, not -m -1).
-I            Sets the QUOTED_IDENTIFIER connection option on.
-L            Lists the locally configured servers and the names of the servers broadcasting on the network.
-?            Displays the syntax summary of osql switches.
-r {0 | 1}    Redirects message output to the screen (stderr). If you don't specify a parameter, or if you specify 0, only error messages with a severity level 17 or higher are redirected. If you specify 1, all message output (including "print") is redirected.
-H wksta_name  Is a workstation name. The workstation name is stored in sysprocesses.hostname and is displayed by sp_who. If not specified, the current computer name is assumed.
-P password   Is a user-specified password. If the -P option is not used, osql prompts for a password. If the -P option is used at the end of the command prompt without any password, osql uses the default password (NULL). Passwords are case-sensitive.
              The OSQLPASSWORD environment variable allows you to set a default password for the current session. Therefore, you do not have to hard code a password into batch files.
              If you do not specify a password with the -P option, osql first checks for the OSQLPASSWORD variable. If no value is set, osql uses the default password, NULL. The following example sets the OSQLPASSWORD variable at a command prompt and then accesses the osql utility:
                  C:\>SET OSQLPASSWORD=abracadabra
                  C:\>osql
-R            Specifies that the SQL Server ODBC driver use client settings when converting currency, date, and time data to character data.
-S server_name  Specifies the SQL Server installation to which to connect. The server_name is the name of the server computer on the network. This option is required if you are executing osql from a remote computer on the network.
-i input_file  Identifies the file that contains a batch of SQL statements or stored procedures. The less than (<) comparison operator can be used in place of -i.
-o output_file  Identifies the file that receives output from osql. The greater than (>) comparison operator can be used in place of -o.
              If input_file is not Unicode and -u is not specified, output_file is stored in OEM format. If input_file is Unicode or -u is specified, output_file is stored in Unicode format.
-u            Specifies that output_file is stored in Unicode format, regardless of the format of the input_file.
-a packet_size  Allows you to request a different-sized packet. The valid values for packet_size are 512 through 65535. The default value for osql is the server default. Increased packet size can enhance performance on larger script execution where the amount of SQL statements between GO commands is substantial. Microsoft testing indicates that 8192 is typically the fastest setting for bulk copy operations. A larger packet size can be requested, but osql defaults to the server default if the request cannot be granted.
-b            Specifies that osql exits and returns a DOS ERRORLEVEL value when an error occurs. The value returned to the DOS ERRORLEVEL variable is 1 when the SQL Server error message has a severity of 10 or greater; otherwise the value returned is 0. Microsoft MS-DOS batch files can test the value of DOS ERRORLEVEL and handle the error appropriately.
-O            Specifies that certain osql features be deactivated to match the behavior of earlier versions of isql. These features are deactivated:
              It also sets the default DOS ERRORLEVEL value to -1.
-l time_out   Specifies the number of seconds before an osql login times out. If no time_out value is specified, a command runs indefinitely. The default time-out for login to osql is fifteen seconds.