Re: Brute forcing a M$ SQL Server password through SQL Injection

From: Roman Medina (roman@rs-labs.com)
Date: 02/20/03

    From: Roman Medina <roman@rs-labs.com>
    To: "David Litchfield" <mnemonix@globalnet.co.uk>
    Date: Thu, 20 Feb 2003 01:28:07 +0100
    
    

    On Wed, 19 Feb 2003 23:22:06 -0800, you wrote:

    >>.....The goal is to elevate privileges.
    >
    >>How would you achieve this? ...
    >
    >You need to take a look at OPENROWSET:
    >
    >' UNION SELECT * FROM
    >OPENROWSET('SQLOLEDB','localhost';'sa';'testpass','SELECT @@version')--
    >
    >Adhoc queries need to be enabled, though.

     Hi David,

     I had tried this and it worked / works:

    Microsoft OLE DB Provider for ODBC Drivers (0x80004005)
    [Microsoft][ODBC SQL Server Driver][SQL Server]Error de inicio de
    sesión del usuario 'sa'.

    Error msg is in Spanish but it seems ok: it tries to login with 'sa'
    user but the password isn't correct. My question was about how to
    automatize this.

     Is there any form of SQL script that could be injected to perform the
    brute force attack? I mean, I'm looking for some kind of semi-complex
    SQL sentence which should generate character combinations becoming a
    new possible password, and then it should try to use the password in a
    sentence like the one you submitted. The script must be executed
    locally in the victim server, through a SQL injection hole.

     Thanks again and excuse me if I didn't explain the problem well.

     Regards,
     --Roman

    --
    PGP Fingerprint:
    09BB EFCD 21ED 4E79 25FB  29E1 E47F 8A7D EAD5 6742
    [Key ID: 0xEAD56742. Available at KeyServ]
    ----------------------------------------------------------------------------
    Do you know the base address of the Global Offset Table (GOT) on a Solaris 8
    box?
    CORE IMPACT does.
    http://www.securityfocus.com/core
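The exchange above describes a loop of OPENROWSET calls that makes the database engine open connections to itself as 'sa' until one password is accepted. From the defender's side the useful observation is that each wrong guess lands in the SQL Server error log as a failed 'sa' login whose client is the server itself, many times per second. The script below is an added example, not code from the thread or from either poster: it parses constructed ERRORLOG-style lines (the exact field layout of the sample is an assumption made for the example), counts failures per user and client inside a sliding window, and singles out bursts of 'sa' failures originating from the local machine, which is the signature such an injected loop would leave.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the general shape of SQL Server ERRORLOG
# entries. Timestamps, users and client fields are invented for the example;
# none of this comes from the thread.
SAMPLE_LOG = """\
2003-02-20 01:28:07.10 Logon  Login failed for user 'sa'. [CLIENT: <local machine>]
2003-02-20 01:28:07.35 Logon  Login failed for user 'sa'. [CLIENT: <local machine>]
2003-02-20 01:28:07.61 Logon  Login failed for user 'sa'. [CLIENT: <local machine>]
2003-02-20 01:28:07.88 Logon  Login failed for user 'sa'. [CLIENT: <local machine>]
2003-02-20 01:28:08.12 Logon  Login failed for user 'sa'. [CLIENT: <local machine>]
2003-02-20 01:28:08.40 Logon  Login failed for user 'sa'. [CLIENT: <local machine>]
2003-02-20 09:15:00.00 Logon  Login failed for user 'webapp'. [CLIENT: 10.0.0.5]
2003-02-20 09:15:30.00 Logon  Login succeeded for user 'webapp'. [CLIENT: 10.0.0.5]
"""

# Assumed line format: "<timestamp> Logon  Login failed for user '<name>'. [CLIENT: <addr>]"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d{2})\s+Logon\s+"
    r"Login failed for user '(?P<user>[^']*)'\.\s*\[CLIENT: (?P<client>[^\]]+)\]"
)


def parse_failed_logins(text):
    """Return (timestamp, user, client) for every failed-login line; other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f")
            events.append((ts, m.group("user"), m.group("client")))
    return events


def find_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Return (user, client, peak_count) for each user/client pair that accumulates
    at least `threshold` failures inside any sliding window of length `window`."""
    by_key = defaultdict(list)
    for ts, user, client in events:
        by_key[(user, client)].append(ts)

    alerts = []
    for (user, client), stamps in by_key.items():
        stamps.sort()
        start = 0
        peak = 0
        for end in range(len(stamps)):
            # Advance the window start until all stamps inside it fit the window.
            while stamps[end] - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts.append((user, client, peak))
    return alerts


def local_sa_bursts(alerts):
    """Keep only bursts of 'sa' failures whose client is the server itself:
    the engine dialling its own listener is what an injected OPENROWSET loop looks like."""
    return [a for a in alerts if a[0] == "sa" and a[1] == "<local machine>"]


if __name__ == "__main__":
    found = local_sa_bursts(find_bursts(parse_failed_logins(SAMPLE_LOG)))
    for user, client, count in found:
        print(f"ALERT: {count} failed logins for '{user}' from {client} within 60s")
```

The threshold and window are deliberately loose; a legitimate application never authenticates as 'sa' from inside the server in a tight loop, so even a handful of such failures is worth an alert. The thread also notes that the technique depends on ad hoc distributed queries being enabled; leaving that setting off (on later versions it is the `Ad Hoc Distributed Queries` option of `sp_configure`) removes the vector entirely, and the log check above then only has to catch the case where someone turned it back on.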
    

