Penetration Testing - Sqlmap fails at enabling xp_cmdshell procedure

  • Dear folks,

    I have been browsing the web looking for some help regarding the following issue. I am currently performing a web application penetration test, and I had come across a beautiful blind SQL Injection.

    Using sqlmap, I am able to retrieve the whole database. I would like to jump into the OS level, by using the xp_cmdshell functionality, which is currently disabled on the database. The application is running with the "sa" account, so it should be technically possible. However, I get the following message when I try to enable it using sqlmap:

    [12:14:22] [INFO] checking if xp_cmdshell extended procedure is available, please wait..

    xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n]

    [12:14:23] [WARNING] xp_cmdshell re-enabling failed

    [12:14:23] [INFO] creating xp_cmdshell with sp_OACreate

    [12:14:23] [WARNING] xp_cmdshell creation failed, probably because sp_OACreate is disabled

    [12:14:23] [CRITICAL] unable to proceed without xp_cmdshell

    The only mention of this issue I found on the web is here:

    http://www.silverspam.net/forum/hacking-security/exploits-and-vulnerabilities/4757-sqlmap-xp-cmdshell-creation-failed-probably-because-sp-oacreate-is-disabled

    But as you can see, access to the solution is not free, which makes me doubt its seriousness.

    Has anyone come across this issue? I would really appreciate some help guys..

    Many thanks in advance !!

    Cheers,

    Z.

    PS: Some system information:

    web server operating system: Windows 2012

    web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0

    back-end DBMS: Microsoft SQL Server 2008

  • medized (6/23/2013)


    Dear folks,

    I have been browsing the web looking for some help regarding the following issue. I am currently performing a web application penetration test, and I had come across a beautiful blind SQL Injection.

    Using sqlmap, I am able to retrieve the whole database. I would like to jump into the OS level, by using the xp_cmdshell functionality, which is currently disabled on the database. The application is running with the "sa" account, so it should be technically possible. However, I get the following message when I try to enable it using sqlmap:

    [12:14:22] [INFO] checking if xp_cmdshell extended procedure is available, please wait..

    xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n]

    [12:14:23] [WARNING] xp_cmdshell re-enabling failed

    [12:14:23] [INFO] creating xp_cmdshell with sp_OACreate

    [12:14:23] [WARNING] xp_cmdshell creation failed, probably because sp_OACreate is disabled

    [12:14:23] [CRITICAL] unable to proceed without xp_cmdshell

    The only mention of this issue I found on the web is here:

    http://www.silverspam.net/forum/hacking-security/exploits-and-vulnerabilities/4757-sqlmap-xp-cmdshell-creation-failed-probably-because-sp-oacreate-is-disabled

    But as you can see, access to the solution is not free, which makes me doubt its seriousness.

    Has anyone come across this issue? I would really appreciate some help guys..

    Many thanks in advance !!

    Cheers,

    Z.

    PS: Some system information:

    web server operating system: Windows 2012

    web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0

    back-end DBMS: Microsoft SQL Server 2008

    There are ways to configure an instance such that use of xp_cmdshell can be blocked from use by unsophisticated tools or hackers. That is beside the most troubling points raised by your post however. Why are you thinking of running a website that logs into SQL Server as sa? Why are you running your SQL Server under a service account that has the capability to interact with the OS in any way over and above what is only absolutely necessary to complete the basic operations required to host the databases, nothing more nothing less? What are you trying to prove by running sqlmap using a Login in the sysadmin Role?

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • If you enable the xp_cmdshell option in configuration, it does not take effect immediately for the current session. You have to use the RECONFIGURE command to give it immediate effect.

  • Aadhar Joshi (6/24/2013)


    If you enable the xp_cmdshell option in configuration, it does not take effect immediately for the current session. You have to use the RECONFIGURE command to give it immediate effect.

    One would hope that a tool like sqlmap, one that touts being able to test the security of an instance, would know to call RECONFIGURE after enabling xp_cmdshell.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato
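    The config_value / run_value distinction behind the RECONFIGURE point above, shown from the hardening side. This is an added T-SQL example, not code from the thread or from sqlmap; it assumes SQL Server 2008 or later and a login allowed to run sp_configure with a value (sysadmin or ALTER SETTINGS):

```sql
-- Added example (not from the thread): how RECONFIGURE affects
-- sp_configure's config_value vs run_value for xp_cmdshell.
-- Assumes SQL Server 2008+ and a login permitted to change server settings.

-- Advanced options must be visible before xp_cmdshell can be read or changed.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- Inspect the current state. config_value is the pending setting;
-- run_value is what the engine is actually enforcing right now.
-- A row with config_value = 1 but run_value = 0 is a change that was
-- never followed by RECONFIGURE (the behaviour Aadhar describes).
EXEC sp_configure 'xp_cmdshell';

-- Hardening: make sure the procedure is OFF and that the change is applied.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;

-- Same for Ole Automation Procedures (sp_OACreate and friends), which the
-- sqlmap log in the original post names as its fallback path.
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;

-- Verify from the catalog view: both rows should show value = 0 AND
-- value_in_use = 0. value_in_use is the run_value column of sp_configure.
SELECT name, value AS config_value, value_in_use AS run_value
FROM sys.configurations
WHERE name IN ('xp_cmdshell', 'Ole Automation Procedures');
```

    For detection, the final SELECT is the useful one: a scheduled check that alerts when value_in_use for either option becomes 1 catches both a successful sqlmap re-enable and a manual change, regardless of which path was used.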

  • Hey,

    Sorry but all your questions are not relevant to my situation: the choices you are talking about have been made by my client, not by myself. Maybe I should have expressed it more clearly: it is a penetration testing assessment, performed over a web application that is not under my control.

    Cheers,

    Z.

  • How ironic. Your client is conscientious enough to do a penetration test yet they will not accept advice on not running a website using the sa Login. Wish them luck for me, seriously. The sa Login should be disabled in my opinion. And no client applications should ever run using a Login in the sysadmin Role, period. Anything short of following that and a penetration test has no practical use for testing client applications.

    There are no special teachers of virtue, because virtue is taught by the whole community.
    --Plato

  • First of all, opc.three is right: sa is a NO GO

    No failed penetration test would ever give you enough confidence that it cannot be exploited.

    As you notice, those tools each have their flaws. I know it, I have tested a lot of them, too.

    And usually I get further into the system if I do a manual penetration test.

    Those tools are good for being quick, for an "easy try". But a determined hacker will try harder - and might also just use a different tool with different results (!).

    And as you see, even sqlmap, being one of the better ones, is by far not perfect. And it does NOT know all attack techniques.

    A penetration tester (person) should, though.

    Also, usually those tools are not written by experts for a specific database product. So do NOT rely solely on them, ever. Your SQL Server expertise, or that of someone on your team, should make up for it.

    To wrap up and to make sure 🙂

    "sa and dbo_owner are both absolute no-go's for Application Users"

    You can get a glance at what's possible from my list of one of my sessions on SQL Server Security: www.insidesql.org/blogs/andreaswolter/2013/07/security-session-sql-server-attack-ed

    Andreas

    ---------------------------------------------------
    MVP SQL Server
    Microsoft Certified Master SQL Server 2008
    Microsoft Certified Solutions Master Data Platform, SQL Server 2012
    www.insidesql.org/blogs/andreaswolter
    www.andreas-wolter.com

  • If you're running a penetration test using the 'sa' user, then you may have missed one of the very first steps in securing a server - disable the 'sa' login. A best practice during installation is to change the username for 'sa'. The next thing you do is disable it. Gail has written elsewhere that you can't delete it because you'll run into problems if you want to upgrade later, but you should disable it.

    I've not used sqlmap myself, so I can't comment on the error in the OP.
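    The audit and remediation steps the replies keep returning to (is sa still enabled, which logins sit in sysadmin, which of them a web application is actually connecting as), as an added T-SQL example rather than anything posted in the thread. It assumes SQL Server 2008 or later, a sysadmin login to run it, and placeholder names for the renamed sa login and the application login:

```sql
-- Added example (not from the thread): audit and hardening queries for the
-- sa / sysadmin points raised in the replies. Run as sysadmin, SQL Server 2008+.

-- 1. Is the built-in sa login still enabled, and has it been renamed?
--    It keeps SID 0x01 whatever it is called, so look it up by SID, not name.
SELECT name, is_disabled, create_date, modify_date
FROM sys.server_principals
WHERE sid = 0x01;

-- 2. Who is in the sysadmin fixed server role? Any application login that
--    appears here is the "no go" the thread warns about.
SELECT r.name AS role_name, m.name AS member_name, m.type_desc, m.is_disabled
FROM sys.server_role_members rm
JOIN sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'sysadmin'
ORDER BY m.name;

-- 3. Which logins are connected right now, from which host and program?
--    A web server's connections showing up under a sysadmin login is the
--    condition the original poster's sqlmap run depended on.
SELECT s.login_name, s.program_name, s.host_name, COUNT(*) AS sessions
FROM sys.dm_exec_sessions s
WHERE s.is_user_process = 1
GROUP BY s.login_name, s.program_name, s.host_name
ORDER BY sessions DESC;

-- 4. Remediation: rename and then disable sa, once the application has been
--    moved to a least-privilege login of its own.
--    [sa_renamed_placeholder] is a placeholder name, not a recommendation.
ALTER LOGIN sa WITH NAME = [sa_renamed_placeholder];
ALTER LOGIN [sa_renamed_placeholder] DISABLE;

-- 5. Remove an application login from sysadmin. [app_login] is a placeholder.
ALTER SERVER ROLE sysadmin DROP MEMBER [app_login];    -- SQL Server 2012 and later
-- EXEC sp_dropsrvrolemember 'app_login', 'sysadmin';  -- SQL Server 2008 syntax
```

    Queries 1 to 3 are read-only and are the ones worth running first against the instance the original poster describes: if query 3 shows the IIS host connecting under a login that query 2 lists in sysadmin, that finding matters more to the client than whether xp_cmdshell could be re-enabled.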

