Luckily, or unfortunately (point of view), this is still the case and all too common.
DBAs are always told to disable these extended stored procedures, but it's not always explained why they're so bad. The xp_dirtree, xp_fileexist, and xp_subdirs extended procedures can be a lot more devastating (useful) than one might think. Even the regular sp's (rather than xp's) can pose a significant risk if they accept a UNC path as a parameter. A lot of these have been ACL'd away from normal users by default, but xp_fileexist made its way into MS-SQL 2k8. CREATE ASSEMBLY also accepts UNC paths; it's not an extended sproc, but it is worth mentioning here.
A lot of pentesters and attackers assume that xp_cmdshell isn't available because commands don't execute; they're further confused when a call to sp_addextendedproc doesn't work. xp_cmdshell is present, it just needs to be enabled.
Using the sp_OACreate, sp_OAMethod, and sp_OADestroy procedures, the same functionality as xp_cmdshell can be accomplished. Unfortunately the results of a command execution aren't directly accessible and must go to temporary storage (a file on disk). Luckily, since this runs in a scripting environment, we can access the %TEMP% and %SYSTEM% environment variables to help stage temp storage directories and gather other valuable information.
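As an added defensive example (not from the original slides), the T-SQL below audits the two surfaces discussed above and in the extended-procedure section: whether xp_cmdshell, the OLE Automation procedures and CLR are enabled, and who holds EXECUTE on the file-probing extended procedures. It assumes a sysadmin connection; the option and procedure names are the real ones used by SQL Server.

```sql
-- Added audit/hardening script; not part of the original slides.
-- Advanced options must be visible before sp_configure will show or change them.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 1. Current state of the risky surface-area options.
--    value_in_use = 1 means the feature is live right now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures', 'clr enabled');

-- 2. Explicit EXECUTE grants on the extended procedures named in the slides.
--    Extended procedures live in master (sys.objects type 'X'); review any
--    grant to public or to low-privilege logins, since these take UNC paths.
SELECT o.name        AS procedure_name,
       p.state_desc  AS grant_state,
       p.permission_name,
       pr.name       AS grantee
FROM master.sys.database_permissions AS p
JOIN master.sys.objects             AS o  ON o.object_id = p.major_id
JOIN master.sys.database_principals AS pr ON pr.principal_id = p.grantee_principal_id
WHERE o.type = 'X'
  AND o.name IN ('xp_dirtree', 'xp_fileexist', 'xp_subdirs', 'xp_cmdshell')
ORDER BY o.name, pr.name;

-- 3. Hardening: turn the options off (requires ALTER SETTINGS / sysadmin)
--    and hide advanced options again.
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 3 is the control the slides say DBAs are told to apply; step 2 is the part that is usually skipped, since a procedure can stay enabled yet still be reachable by public through a lingering grant.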
No sense in going through all the trouble of scripting a file read when you can have SQL do all the work.
A minimal footprint on the system is always better for stealth.
Fail #1
Fail #2 – but this looks interesting.
Now we’re in business.
The limited documentation and examples available for the sp_OA methods usually only cover Wscript, but the system is full of other fun controls.
If you can access Wscript to execute shell commands, why stop there? If you have expanded access on the host, you can always register your own controls for use by the sp_OA methods.
SQL facilitates 2 existing methods that will load and execute compiled code.
All of the typical path fun for files works from inside SQL.
Repurpose the platform to facilitate your foothold into an environment. Everything an attacker would need is available in SQL, and if you operate entirely within that environment you leave a minimal footprint on the actual host.