SQLServerCentral is supported by Red Gate Software Ltd.
Penetration Testing - Sqlmap fails at enabling xp_cmdshell procedure Expand / Collapse
Posted Sunday, June 23, 2013 5:05 AM
Dear folks,

I have been browsing the web looking for some help regarding the following issue. I am currently performing a web application penetration test, and I have come across a beautiful blind SQL injection.

Using sqlmap, I am able to retrieve the whole database. I would like to jump to the OS level by using the xp_cmdshell functionality, which is currently disabled on the database. The application is running with the "sa" account, so it should be technically possible. However, I get the following message when I try to enable it using sqlmap:

[12:14:22] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n]
[12:14:23] [WARNING] xp_cmdshell re-enabling failed
[12:14:23] [INFO] creating xp_cmdshell with sp_OACreate
[12:14:23] [WARNING] xp_cmdshell creation failed, probably because sp_OACreate is disabled
[12:14:23] [CRITICAL] unable to proceed without xp_cmdshell

The only mention of this issue I found on the web is here:

http://www.silverspam.net/forum/hacking-security/exploits-and-vulnerabilities/4757-sqlmap-xp-cmdshell-creation-failed-probably-because-sp-oacreate-is-disabled

But as you can see, access to the solution is not free, which makes me doubt its seriousness.

Has anyone come across this issue? I would really appreciate some help, guys.

Many thanks in advance !!

Cheers,

Z.

PS: Some system information:

web server operating system: Windows 2012
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008

Post #1466514
Posted Monday, June 24, 2013 4:10 AM


medized (6/23/2013)

There are ways to configure an instance such that use of xp_cmdshell can be blocked from use by unsophisticated tools or hackers. That is beside the most troubling points raised by your post, however. Why are you thinking of running a website that logs into SQL Server as sa? Why are you running your SQL Server under a service account that has the capability to interact with the OS in any way over and above what is absolutely necessary to complete the basic operations required to host the databases, nothing more, nothing less? What are you trying to prove by running sqlmap using a Login in the sysadmin Role?


__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Post #1466655
Posted Monday, June 24, 2013 4:51 AM
If you enable the xp_cmdshell option in the configuration, it does not take effect immediately for the current session. You have to use the RECONFIGURE command to give it immediate effect.
Post #1466677
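The sequence the reply describes, written out as T-SQL. This is an added example and is not code from any post in this thread or from sqlmap; it assumes a login in the sysadmin role on SQL Server 2008 or later. The membership check, the OLE automation lines (sqlmap's sp_OACreate fallback) and the whoami smoke test are my additions, not anything the sqlmap output above shows.

```sql
-- Added example (not from the thread): enable xp_cmdshell the way a sysadmin
-- does it interactively, then verify which value the engine is actually using.
-- Assumes a sysadmin login on SQL Server 2008 or later.

-- 0. sp_configure needs ALTER SETTINGS, which sysadmin (and serveradmin) hold.
--    If this returns 0 the rest will fail no matter what the app claims to run as.
SELECT SUSER_SNAME() AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 1. 'xp_cmdshell' is an advanced option, so sp_configure refuses to set it
--    until 'show advanced options' is on AND in effect (hence the RECONFIGURE).
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

-- 2. Set the option. Without the RECONFIGURE that follows, sys.configurations
--    shows value = 1 but value_in_use = 0, and xp_cmdshell still fails.
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;

-- 2b. Same pattern for sqlmap's fallback, the OLE automation procedures
--     (sp_OACreate, sp_OAMethod, ...). Left commented out; usually unnecessary.
-- EXEC sp_configure 'Ole Automation Procedures', 1;
-- RECONFIGURE;

-- 3. Verification: both columns must read 1 before xp_cmdshell is usable.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures')
ORDER BY name;

-- 4. Smoke test: returns the Windows account the SQL Server service runs as,
--    which is exactly what any command launched through xp_cmdshell inherits.
EXEC xp_cmdshell 'whoami';
```

Through a blind injection each of these statements has to travel as its own stacked query, and the SELECT against sys.configurations is the practical check when an automated enable fails: value = 1 beside value_in_use = 0 means the RECONFIGURE never ran, while 0 in both columns points at the sp_configure call itself (wrong role, or show advanced options not yet in effect).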
Posted Monday, June 24, 2013 8:57 PM


Aadhar Joshi (6/24/2013)
If you enable the xp_cmdshell option in the configuration, it does not take effect immediately for the current session. You have to use the RECONFIGURE command to give it immediate effect.

One would hope that a tool like sqlmap, one that touts being able to test the security of an instance, would know to call RECONFIGURE after enabling xp_cmdshell.


Post #1466965
Posted Tuesday, June 25, 2013 2:34 AM
Hey,

Sorry, but all your questions are not relevant to my situation: the choices you are talking about have been made by my client, not by myself. Maybe I should have expressed it more clearly: it is a penetration testing assessment, performed over a web application that is not under my control.

Cheers,

Z.
Post #1467032
Posted Tuesday, June 25, 2013 4:18 AM


How ironic. Your client is conscientious enough to do a penetration test yet they will not accept advice on not running a website using the sa Login. Wish them luck for me, seriously. The sa Login should be disabled, in my opinion. And no client applications should ever run using a Login in the sysadmin Role, period. Anything short of following that and a penetration test has no practical use for testing client applications.

Post #1467065
Posted Saturday, August 3, 2013 2:52 PM


First of all, opc.three is right: sa is a NO GO
No failed penetration test would ever give you enough confidence that it cannot be exploited.
As you notice, those tools each have their flaws. I know it; I have tested a lot of them, too.
And usually I get further into the system if I do a manual penetration test.
Those tools are good for being quick, for an "easy try". But a determined hacker will try harder - and might also just use a different tool with different results(!).

And as you see, even sqlmap, being one of the better ones, is far from perfect. And it does NOT know all attack techniques.
A penetration tester (person) should, though.
Also, usually those tools are not written by experts for a specific database product. So do NOT ever rely solely on them. Your SQL Server expertise, or that of someone on your team, should make up for it.

To wrap up and to make sure :)
"sa and db_owner are both absolute no-gos for application users"

You can get a glimpse of what's possible from the listing of one of my sessions on SQL Server security: www.insidesql.org/blogs/andreaswolter/2013/07/security-session-sql-server-attack-ed


Andreas

---------------------------------------------------
MVP SQL Server
Microsoft Certified Master SQL Server 2008
Microsoft Certified Solutions Master Data Platform, SQL Server 2012
www.insidesql.org/blogs/andreaswolter
www.andreas-wolter.com
Post #1480726
Posted Monday, August 5, 2013 8:04 AM
If you're running a penetration test using the 'sa' user, then you may have missed one of the very first steps in securing a server - disable the 'sa' login. A best practice during installation is to change the username for 'sa'. The next thing you do is disable it. Gail has written elsewhere that you can't delete it because you'll run into problems if you want to upgrade later, but you should disable it.

I've not used sqlmap myself, so I can't comment on the error in the OP.



Tally Tables - Performance Personified
String Splitting with True Performance
Best practices on how to ask questions
Post #1480926
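The hardening the last three replies recommend (rename and disable sa rather than dropping it, keep application logins out of sysadmin and db_owner), written out as T-SQL. This is an added example, not code from any poster; the replacement login name and the application database name are assumptions, and the audit queries use only the standard catalog and DMV views.

```sql
-- Added example (not from the thread): rename and disable sa, then audit for
-- application logins that hold sysadmin or db_owner. Run as a sysadmin.

-- 1. sa always has principal_id = 1, so locate it by id in case it was
--    renamed already. The new name is an assumption; choose your own.
DECLARE @sa_name  sysname = (SELECT name FROM sys.server_principals WHERE principal_id = 1);
DECLARE @new_name sysname = N'sa_disabled_20130625';   -- assumed name
DECLARE @sql      nvarchar(max);

IF @sa_name <> @new_name
BEGIN
    SET @sql = N'ALTER LOGIN ' + QUOTENAME(@sa_name)
             + N' WITH NAME = ' + QUOTENAME(@new_name) + N';';
    EXEC (@sql);
END;

-- Disable, do not drop: the principal must still exist for later upgrades.
SET @sql = N'ALTER LOGIN ' + QUOTENAME(@new_name) + N' DISABLE;';
EXEC (@sql);

-- 2. Verify: the row for principal_id 1 now shows the new name and is_disabled = 1.
SELECT name, is_disabled FROM sys.server_principals WHERE principal_id = 1;

-- 3. Every member of the sysadmin server role. Nothing an application
--    connects as should appear here.
SELECT p.name, p.type_desc, p.is_disabled
FROM sys.server_principals AS p
WHERE p.type IN ('S', 'U', 'G')            -- SQL login, Windows login, Windows group
  AND IS_SRVROLEMEMBER('sysadmin', p.name) = 1
ORDER BY p.name;

-- 4. Logins behind the current client connections, with their sysadmin status:
--    the quickest way to spot a website that connects as sa.
SELECT DISTINCT s.login_name, s.program_name, s.host_name,
       IS_SRVROLEMEMBER('sysadmin', s.login_name) AS is_sysadmin
FROM sys.dm_exec_sessions AS s
WHERE s.is_user_process = 1;
GO

-- 5. In the application database: members of db_owner, the other no-go.
USE YourAppDb;   -- assumed database name
GO
SELECT r.name AS role_name, m.name AS member_name, m.type_desc
FROM sys.database_role_members AS drm
JOIN sys.database_principals AS r ON r.principal_id = drm.role_principal_id
JOIN sys.database_principals AS m ON m.principal_id = drm.member_principal_id
WHERE r.name = N'db_owner';
```

Step 4 is the one to run first on an instance like the one in the original post: if the web application's login shows is_sysadmin = 1, every other control on the box, xp_cmdshell included, is one sp_configure call away from being undone by whoever owns the injection.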