[NeSTAN]

i read always exploits like bla bla (SQL Injection).

my question: what can an attacker do with this exploits? grab the md5 hash? and what he do after grabbing the hash? and is this for MySQL or MSSQL, or both?

[SWilly]

NeSTAN, on Oct 7 2005, 11:41 AM, said:

my question: what can an attacker do with this exploits? grab the md5 hash? and what he do after grabbing the hash?

<{POST_SNAPBACK}>

About the hash you can use it to forge a cookie to trick the webpage to think your someone else (one of the ways to gain admin controll over phpbb forums system trick the system to think your cookie is admin's cookie)

[w00zy]

Via SQL-Injection, you mostly get full access to the underlying SQL-database of the vulnerable site, so you change for example news, user-details or even get plain-text passwords (often you only get the md5-encrypted hashes).....i don't know, is it also possible to upload a shell via the SQL-Server???

[bliman]

The impact of SQL injection varies depending on what information is in the database to be grabbed, what privileges the database user has that the web site uses, and the patch level of the database system. Any database system that uses SQL can be exploited to varying degrees, such as SQL Server, Oracle, MySQL, Access and others. Depending on privileges, a classic way to get control of a host running SQL Server is to use xp_cmdshell to run system commands. Many database systems also allow arbitrary files to be read.

www.nextgenss.com have some excellent white papers on SQL injection.

[touk]

bliman, on Oct 12 2005, 11:54 AM, said:

The impact of SQL injection varies depending on what information is in the database to be grabbed, what privileges the database user has that the web site uses, and the patch level of the database system. Any database system that uses SQL can be exploited to varying degrees, such as SQL Server, Oracle, MySQL, Access and others. Depending on privileges, a classic way to get control of a host running SQL Server is to use xp_cmdshell to run system commands. Many database systems also allow arbitrary files to be read.

Very true. A point that u can notice ; u dont need to connect to Mssql DB through something like SQLExec with a SA login to execute xp_cmdshell. On many asp and cfm pages the request is built dynamically with the parameters u entered in the windows form. This request is sent to a stocked procedure and executed with Exec. U can trick those parameters to make xp_cmdshell to be executed after the dynamic request. Of course u will need that the asp account have execute rights on xp_cmdshell. In this case u just need an Internet browser (and a little bit of MSSQL Syntax) :)

[Silent_hunter]

w00zy, on Oct 7 2005, 04:06 PM, said:

i don't know, is it also possible to upload a shell via the SQL-Server???

yes it is

al in one you have admin axxess

[hks3207]

That method is usually used to gain administrator access and rights over the site in order to get some files that are private to some users of it or deface it... or just for fun! :X .... that's all that i know ...