using OPENROWSET to blast SQL Server passwords The OPENROWSET function is a connection function provided by SQL Server. It can be used to connect a database using OLE DB and perform operations such as querying data. When you use this function, you need to specify the destination, user, password, and so on for the connection. Penetration testers can use this function to blast a database user by specifying a password dictionary. For example, the SQL Server database injection tool Sqlninja provided by Kali takes advantage of this function. If the injection succeeds, it finds that only normal user permissions are obtained. At this point, you can build a connection through this function to connect to your own database as SA. During the connection process, the SA password can be exploded. Once successful, the current normal user status can be promoted to the administrator, thereby enabling the right to be raised. If the user has obtained administrative privileges for a server, it can also be used to connect to other SQL Server servers and perform blasting operations based on the server. PS: Starting with SQL Server 2005, the OPENROWSET function can only be performed by the Administrators user group by default. Therefore, the power-up operation can only be done in SQL Server 2000.
Using OPENROWSET to blast SQL Server passwords