I mentioned to David that I was going to post how some people hack into SQL database servers ...
I decided not to use MySQL for obvious reasons ... I will explain some techniques executed on MS SQL ... They are basically the same and will give you a general idea of what to look for ...
I will be using port 1434 for this ... Before that we will see what a database server actually is, how they work, and then how to exploit them!
The designers of MS SQL shipped a set of stored procedures with the product to make things flexible for web developers ... A procedure is nothing but a function which can be used to perform some action on the arguments passed to it ... These procedures are very important to hackers, because the extended ones (the xp_* family, implemented as DLLs loaded into the server process) reach out of the database engine and into the operating system ... Some of the important ones are:
sp_password -> Changes the password for a specific login name.
e.g. EXEC sp_password 'oldpass', 'newpass', 'username'
sp_tables -> Lists the tables (and views) in the current database.
e.g. EXEC sp_tables
xp_cmdshell -> Runs an arbitrary OS command on the machine with the privileges of the SQL Server service account, which on older installs is very often LocalSystem, i.e. full administrator. (most important)
xp_msver -> Shows the MS SQL Server version along with details of the OS it is running on.
xp_regdeletekey -> Deletes a registry key.
xp_regdeletevalue -> Deletes a registry value.
xp_regread -> Reads a registry value.
xp_regwrite -> Writes a registry value.
xp_terminate_process -> Kills a process by its PID.
The "master" database is the most important database on the server: it holds all the system information, such as the login names and the system stored procedures ... SQL Server cannot even start without it, so if "someone" drops or destroys master the server is down until it is restored from a backup ... syslogins is the system table which holds the login names and their password hashes (hashed, not plaintext) ...
The most dangerous threat is that a default MS SQL Server install has the login "sa" with a blank (empty) password ... This has ruined lots of MS SQL servers in the past ... Even a worm that spread using exactly this weakness has been released ...
Ready to hack now ?
First you need to find a vulnerable server ... Download a good port scanner and scan ranges of IP addresses for 1433/tcp (the default instance listener) and 1434/udp (the SQL Server Resolution Service, which will tell you every instance on the box and the TCP port each one listens on, even if it is not 1433) ...
Let's suppose we found a server with IP 123.321.123.3 (a made-up address) ... You can telnet or netcat to 1433/tcp to confirm that something is listening there (1434 is UDP, so telnet will not help with it) ... To actually talk to it you need a real client, such as osql.exe, which ships with any SQL Server 2000 installation, including the client tools ...
Go to the DOS prompt and run osql with an unrecognised option (or with -?) and it prints the syntax summary:
osql: unknown option ?
usage: osql [-U login id] [-P password]
[-S server] [-H hostname] [-E trusted connection]
[-d use database name] [-l login timeout] [-t query timeout]
[-h headers] [-s colseparator] [-w columnwidth]
[-a packetsize] [-e echo input] [-I Enable Quoted Identifiers]
[-L list servers] [-c cmdend]
[-q "cmdline query"] [-Q "cmdline query" and exit]
[-n remove numbering] [-m errorlevel]
[-r msgs to stderr] [-V severitylevel]
[-i inputfile] [-o outputfile]
[-p print statistics] [-b On error batch abort]
[-O use Old ISQL behavior disables the following]
<EOF> batch processing
Auto console width scaling
default errorlevel is -1 vs 1
[-? show syntax summary]
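The scanning step above says to look for 1434/udp, but a port scanner only tells you the port answered. What actually lives there is the SQL Server Resolution Service (SSRP): send it one byte and it replies with a text listing of every instance on the host, its version, and the TCP port each one listens on, which is exactly the information you need before reaching for osql -S / -U / -P. The script below is an added example written for this page, not code from the original post; it assumes the MC-SQLR wire format (request byte 0x03 for "list all instances", reply 0x05 + 2-byte little-endian length + "key;value;" pairs with each instance record ending in ";;"). The sample reply embedded in it is constructed, not captured from a real server, and the host names and ports in it are made up.

```python
"""Probe the SQL Server Resolution Service (SSRP, 1434/udp) and parse the reply.

Added example (not from the original post). Assumes the MC-SQLR wire format:
request  = single byte 0x03 (CLNT_UCAST_EX: list every instance on the host)
response = 0x05, 2-byte little-endian length, then an ASCII string of
           "key;value;" pairs, one instance per ";;"-terminated record.
"""
import socket
import struct
import sys

SSRP_PORT = 1434
CLNT_UCAST_EX = b"\x03"
SVR_RESP = 0x05


def build_request() -> bytes:
    """Request asking the host to enumerate all of its instances."""
    return CLNT_UCAST_EX


def parse_response(data: bytes) -> list:
    """Turn a SVR_RESP datagram into one dict per instance.

    Raises ValueError on anything that is not a well-formed SVR_RESP, which
    is what you want from a scanner that may be fed garbage by a honeypot.
    """
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP packet")
    (size,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + size]
    if len(body) != size:
        raise ValueError("truncated SSRP response")
    text = body.decode("ascii", errors="replace")
    instances = []
    for record in text.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        if len(fields) % 2:  # keys and values must pair up
            raise ValueError("malformed instance record: %r" % record)
        inst = dict(zip(fields[0::2], fields[1::2]))
        if "tcp" in inst:  # the port arrives as text; make it usable
            inst["tcp"] = int(inst["tcp"])
        instances.append(inst)
    return instances


def is_sql2000(inst: dict) -> bool:
    """SQL Server 2000 reports engine version 8.00.x (the blank-sa era)."""
    return inst.get("Version", "").startswith("8.")


def probe(host: str, timeout: float = 2.0) -> list:
    """Send the request to one host and parse whatever comes back (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, SSRP_PORT))
        data, _ = sock.recvfrom(65535)
    return parse_response(data)


# Constructed sample reply (NOT captured from a real server): a default
# instance on 1433 plus a named instance DEV on a non-default port.
SAMPLE_BODY = (
    "ServerName;DBSRV01;InstanceName;MSSQLSERVER;IsClustered;No;"
    "Version;8.00.194;tcp;1433;np;\\\\DBSRV01\\pipe\\sql\\query;;"
    "ServerName;DBSRV01;InstanceName;DEV;IsClustered;No;"
    "Version;8.00.760;tcp;2433;;"
)
SAMPLE_RESPONSE = b"\x05" + struct.pack("<H", len(SAMPLE_BODY)) + SAMPLE_BODY.encode("ascii")


if __name__ == "__main__":
    # With a host argument this probes it; without one it parses the sample.
    found = probe(sys.argv[1]) if len(sys.argv) > 1 else parse_response(SAMPLE_RESPONSE)
    for inst in found:
        print("%s\\%s  tcp=%s  version=%s  sql2000=%s" % (
            inst.get("ServerName"), inst.get("InstanceName"),
            inst.get("tcp", "n/a"), inst.get("Version"), is_sql2000(inst)))
```

Two points worth noticing: a named instance usually does not sit on 1433, so a scanner that only checks 1433/tcp misses it, while the 1434/udp reply hands you the real port; and the parser rejects anything that is not a well-formed reply instead of trusting whatever the remote side sends, which matters when you are the one pointing a tool at unknown hosts. Once you have the port, the osql switches from the usage listing above (-S for the server, -U and -P for the login, -Q to run one statement and exit) are what you use to talk to it.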