From: "Victor Chapela" <victor@sm4rt.com>
To: "'Andy Lester'" <pentest1269@hotmail.com>, >
1) The problem with CREATE PROCEDURE is that it has to be the first
statement in a batch query. Within a sql injection you are always, at
least,
the second statement after the one you injected into.
Correct. But since I am injecting 'CREATE PROCEDURE' inside an OPENROWSET
statement, that should solve the issue, as the SQL code inside the
OPENROWSET is executed as a batch in itself (correct me if I am wrong)
2) Sometimes xp_cmdshell seems not to be working (especially if you are
doing it through openrowset which ends up being blind). You may have SQL
Server running with an unprivileged user. Did you try a ping to localhost
and check for the 4 sec delay? That almost always works.
I am running my code as an unprivileged user, but I escalated to 'sa' using
OPENROWSET
3) Even if you do get execution by restoring xp_cmdshell, injecting through
openrowset has severe complications when trying complex queries. The best
way I have found to overcome these limitations is by temporarily increasing
privileges of the user you are going through.
' and 1=(select * from
openrowset('SQLOLEDB','DRIVER={SQLServer};SERVER=<server>;UID=sa;PWD=<passwo
rd>',N'select user; declare @u varchar(50); set @u = (select system_user);
exec master.dbo.sp_addsrvrolemember @u, ''sysadmin'''))--
Nice trick !... I will give this a try :)
Thanks
Andy
_________________________________________________________________
Don't just search. Find. Check out the new MSN Search!
http://search.msn.com/
------------------------------------------------------------------------
This List Sponsored by: Cenzic
Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------
