default. This stored procedure allows users with DBA permissions to execute operating system commands in the same way as the cmd.exe command prompt. For example:

    master..xp_cmdshell 'ipconfig > foo.txt'
The scope for an attacker to misuse this functionality is huge. They can perform arbitrary commands, pipe the results to local files, and read them back. They can open out-of-band network connections back to themselves and create a backdoor command and communications channel, copying data from the server and uploading attack tools. Because MS-SQL runs by default as LocalSystem, the attacker can typically fully compromise the underlying operating system, performing arbitrary actions. There is a wealth of other extended stored procedures within MS-SQL, such as xp_regread or xp_regwrite, that can be used to perform powerful actions.
Not every database account will have permissions to use these built-in stored procedures, and in some cases the application uses a low-privileged account that does not have the required permissions. However, it is extremely common for applications to be using the all-powerful sa account, because administrators assume that the application is trusted not to abuse the database.
The OpenRowSet command can be leveraged to perform a port scan of any local or remote network. If the specified IP address and port are open, the database will attempt to connect and eventually time out; otherwise, it will fail immediately. You can, therefore, use time delays to infer the status of ports that you cannot reach directly:

    select * from OPENROWSET('SQLOLEDB', 'uid=sa;pwd=foobar;Network=DBMSSOCN;Address=192.168.0.1,80;timeout=5', '')
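Both techniques above depend on server-level configuration and on the privileges of the login the application connects with. The following T-SQL audit-and-hardening script is an added example, not code from the book: it shows the weak state (features enabled, application login in sysadmin) beside the corrected one. It assumes SQL Server 2005 or later and a login allowed to run sp_configure; the login name webapp_login is a placeholder for whatever account the application actually uses.

```sql
-- Added example (not from the book). Assumes SQL Server 2005+ and a login
-- with sysadmin / ALTER SETTINGS permission (needed for sp_configure).

-- 1. Weak state: value_in_use = 1 means the feature is switched on.
--    'xp_cmdshell' gates OS command execution; 'Ad Hoc Distributed Queries'
--    gates OPENROWSET / OPENDATASOURCE with ad hoc connection strings, which
--    is what the port-scan trick relies on.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ad Hoc Distributed Queries');

-- 2. Hardened state: both features off. 'show advanced options' has to be
--    enabled temporarily to change either setting.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'Ad Hoc Distributed Queries', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- 3. Is the application's login a sysadmin? (1 = yes, 0 = no, NULL = no such
--    login). 'webapp_login' is a placeholder for the real application login.
SELECT sp.name,
       IS_SRVROLEMEMBER('sysadmin', sp.name) AS is_sysadmin
FROM sys.server_principals AS sp
WHERE sp.name = 'webapp_login';

-- 4. Every member of sysadmin, so an application account that was granted
--    sa-level rights "for convenience" stands out in review.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin';
```

Step 2 only helps if step 3 comes back 0: a login that holds sysadmin can simply run sp_configure to turn xp_cmdshell back on, so disabling the option is no substitute for running the application under a low-privileged login. Since SQL Server 2005 both options are off by default, which is why step 1 is worth running on any server that has been upgraded or migrated with old settings carried along.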
This command can also be used to perform other attacks:

■ You can try to connect to other databases and guess usernames and passwords (for example, the common sa account with a blank password).

■ You can connect back to the local host and attempt to guess the password to the sa account. In some situations, administrators assign a weak password to this account in the belief that the database server is firewalled and so no attacker will be able to connect. You can circumvent this restriction because you are connecting directly from the server itself.

■ Sometimes, if Windows-integrated authentication is in use, and multiple databases are configured with the same credentials, you may be able to authenticate transparently from one database to another without supplying any credentials.
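Each of the three conditions in the list can be checked from the DBA side. The T-SQL below is an added example, not the book's code: it looks for SQL logins with a blank password, logins exempt from password policy, the state of the built-in sa login, and linked servers that forward the caller's own Windows credentials. It assumes SQL Server 2008 or later (for PWDCOMPARE and sys.sql_logins) and CONTROL SERVER permission, which is required to read password_hash; the replacement password is a placeholder.

```sql
-- Added example (not from the book). Assumes SQL Server 2008+ and
-- CONTROL SERVER permission (needed to read sys.sql_logins.password_hash).

-- 1. SQL logins whose password is blank, the case the first bullet targets.
--    PWDCOMPARE checks a clear-text candidate against the stored hash.
SELECT name, is_disabled, is_policy_checked
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. SQL logins not subject to the Windows password policy, so a trivial
--    password could have been set on them (second bullet).
SELECT name, is_policy_checked, is_expiration_checked
FROM sys.sql_logins
WHERE is_policy_checked = 0;

-- 3. State of the built-in sa login. It keeps SID 0x01 even when renamed,
--    so filter on the SID rather than the name.
SELECT name, is_disabled
FROM sys.sql_logins
WHERE sid = 0x01;

-- 4. Remediation for sa: set a strong password and disable the login, so
--    administrators use their own named logins instead. If sa has been
--    renamed, substitute the name returned by step 3.
ALTER LOGIN sa WITH PASSWORD = '<strong-generated-password-placeholder>';
ALTER LOGIN sa DISABLE;

-- 5. Linked servers that pass the caller's own (Windows) security context
--    through: uses_self_credential = 1 with no local principal means any
--    login can reach the remote server as itself, which is the transparent
--    hop described in the third bullet.
SELECT s.name AS linked_server,
       s.data_source,
       ll.uses_self_credential,
       ll.remote_name,
       lp.name AS local_login
FROM sys.servers AS s
JOIN sys.linked_logins AS ll ON ll.server_id = s.server_id
LEFT JOIN sys.server_principals AS lp ON lp.principal_id = ll.local_principal_id
WHERE s.is_linked = 1;
```

Steps 1 and 2 are the usual periodic audit queries; a non-empty result from step 1 should be treated as an incident on a server reachable from an application tier, because the OPENROWSET loop-back in the text needs no network access to the database port at all. Step 5 is worth reviewing together with the service account the instance runs under: when several instances share one Windows account and trust each other through linked servers, compromising one instance's query path gives the same access on the others.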