RE: custom xp_cmdshell on SQL Server

Hi Dan,

I had tried that already, but it seems that the sysad has deleted 
xplog70.dll, making it impossible to restore the original extended 
procedure... that's why I am stuck with the 'CREATE PROCEDURE' way... :(

Andy

> From: "Clemens, Dan" <Dan.Clemens@healthsouth.com>
> To: "Andy Lester" <pentest1269@hotmail.com>,<pen-test@securityfocus.com>
> Subject: RE: custom xp_cmdshell on SQL Server
> Date: Thu, 14 Sep 2006 08:14:48 -0500
>
>
>
> Andy,
>
> The best way would be to turn the stored procedure back on.
> This should turn the stored procedure back on for you.
>
> exec sp_addextendedproc N'xp_cmdshell', N'xplog70.dll'
>
> -Daniel Clemens
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Andy Lester
> Sent: Wednesday, September 13, 2006 10:29 AM
> To: pen-test@securityfocus.com
> Subject: custom xp_cmdshell on SQL Server
>
> Hello list,
>
> I am pen-testing a web app that is vulnerable to SQL Injection. The
> queries to the backend DB are done with a non-privileged user, but using
> OPENROWSET and inference-based injection I have been able to find the sa
> password and escalate privileges.
> However, xp_cmdshell seems to have been disabled, so I am trying to
> create a custom one with 'CREATE PROCEDURE'.
> The probles is that while 'CREATE PROCEDURE' works perfectly with
> "native"
> sa privileges (i.e.: without the OPENROWSET escalation), it is not
> working combined with the privilege escalation (i.e.: inside the
> OPENROWSET).
>
> More specifically, I am trying injecting the following query (using a
> test SQL Server 2000):
> select * from OPENROWSET('SQLOLEDB','';'sa';<password>,'declare @x
> nvarchar(1000);set @x = ''CREATE PROCEDURE customshell<snip>'';exec
> master..sp_executesql @x;select 1')
>
> The 'select 1' is added because OPENROWSET expects some data. The query
> runs correctly without errors but the custom procedure is not created.
>
> Any ideas on how to create such a custom procedure in a privilege
> escalation scenario ?
>
> I hope it all makes sense, and sorry for the long post.
>
> Andy
>
> _________________________________________________________________
> FREE pop-up blocking with the new MSN Toolbar - get it now!
> http://toolbar.msn.click-url.com/go/onm00200415ave/direct/01/
>
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
> http://www.cenzic.com/products_services/download_hailstorm.php
> ------------------------------------------------------------------------
>
>
> -----------------------------------------
> Confidentiality Notice: This e-mail communication and any
> attachments may contain confidential and privileged information for
> the use of the designated recipients named above. If you are not
> the intended recipient, you are hereby notified that you have
> received this communication in error and that any review,
> disclosure, dissemination, distribution or copying of it or its
> contents is prohibited. If you have received this communication in
> error, please notify me immediately by replying to this message and
> deleting it from your computer. Thank you.

_________________________________________________________________
Express yourself instantly with MSN Messenger! Download today it's FREE! 
http://messenger.msn.click-url.com/go/onm00200471ave/direct/01/


------------------------------------------------------------------------
This List Sponsored by: Cenzic

Need to secure your web apps?
Cenzic Hailstorm finds vulnerabilities fast.
Click the link to buy it, try it or download Hailstorm for FREE.
http://www.cenzic.com/products_services/download_hailstorm.php
------------------------------------------------------------------------