Penetration Testing - Sqlmap fails at enabling xp_cmdshell procedure
medized (Forum Newbie), 6/23/2013
Dear folks,

I have been browsing the web looking for some help regarding the following issue. I am currently performing a web application penetration test, and I have come across a beautiful blind SQL injection.

Using sqlmap, I am able to retrieve the whole database. I would like to jump to the OS level by using the xp_cmdshell functionality, which is currently disabled on the database. The application is running with the "sa" account, so it should technically be possible. However, I get the following message when I try to enable it using sqlmap:


[12:14:22] [INFO] checking if xp_cmdshell extended procedure is available, please wait..
xp_cmdshell extended procedure does not seem to be available. Do you want sqlmap to try to re-enable it? [Y/n]
[12:14:23] [WARNING] xp_cmdshell re-enabling failed
[12:14:23] [INFO] creating xp_cmdshell with sp_OACreate
[12:14:23] [WARNING] xp_cmdshell creation failed, probably because sp_OACreate is disabled
[12:14:23] [CRITICAL] unable to proceed without xp_cmdshell



The only mention of this issue I found on the web is here:

http://www.silverspam.net/forum/hacking-security/exploits-and-vulnerabilities/4757-sqlmap-xp-cmdshell-creation-failed-probably-because-sp-oacreate-is-disabled

But as you can see, access to the solution is not free, which makes me doubt its seriousness.

Has anyone come across this issue? I would really appreciate some help, guys.

Many thanks in advance !!

Cheers,

Z.

PS: Some system information:

web server operating system: Windows 2012
web application technology: ASP.NET 4.0.30319, ASP.NET, Microsoft IIS 8.0
back-end DBMS: Microsoft SQL Server 2008

Orlando Colamatteo (SSCrazy Eights)
medized (6/23/2013) wrote: [original post, quoted in full above]

There are ways to configure an instance such that xp_cmdshell can be blocked from use by unsophisticated tools or hackers. That is beside the most troubling points raised by your post, however. Why are you thinking of running a website that logs into SQL Server as sa? Why are you running your SQL Server under a service account that has the capability to interact with the OS in any way over and above what is only absolutely necessary to complete the basic operations required to host the databases, nothing more, nothing less? What are you trying to prove by running sqlmap using a Login in the sysadmin Role?

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
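As an added example (not part of Orlando's post or anything else in this thread): the T-SQL a DBA, or the tester once they hold a sysadmin session, can run to see the instance state behind sqlmap's three messages and to switch both features off. The only assumption is a sysadmin connection; everything else is standard sp_configure and sys.configurations usage.

```sql
-- Added example (not from the thread). Needs a sysadmin connection.

-- 1. Configuration state. 'xp_cmdshell' = 0 is what produced
--    "xp_cmdshell extended procedure does not seem to be available";
--    'Ole Automation Procedures' = 0 is why the sp_OACreate fallback failed.
--    value = stored setting, value_in_use = what the engine is actually running with.
SELECT name, value, value_in_use, is_dynamic
FROM   sys.configurations
WHERE  name IN ('show advanced options', 'xp_cmdshell', 'Ole Automation Procedures');

-- 2. Are the extended procedures still registered in master? Some DBAs drop
--    xp_cmdshell outright; sqlmap's sp_OACreate path exists for that case.
SELECT name, type_desc
FROM   master.sys.all_objects
WHERE  name IN ('xp_cmdshell', 'sp_OACreate');

-- 3. What the application's own connection reports. This is the question
--    "why is the website running as sa" in query form; a web app should show 0.
SELECT SUSER_SNAME() AS login_name, IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin;

-- 4. Turn both features off and make it effective immediately.
--    'show advanced options' must be on before the other two are settable.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
EXEC sp_configure 'Ole Automation Procedures', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Step 4 is only a speed bump while the application still connects as a sysadmin login: any sysadmin can run the same sp_configure calls with a 1 and switch both back on, which is exactly what sqlmap attempted. The durable fix is the one Orlando is pointing at: the login the web application uses must not be a member of the sysadmin role.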
Aadhar Joshi (SSCommitted), 6/24/2013
If you enable the xp_cmdshell option in the configuration, it does not take effect immediately for the current session. You have to use the RECONFIGURE command to give it immediate effect.
Orlando Colamatteo (SSCrazy Eights)
Aadhar Joshi (6/24/2013)
If you enable the xp_cmdshell option in the configuration, it does not take effect immediately for the current session. You have to use the RECONFIGURE command to give it immediate effect.

One would hope that a tool like sqlmap, one that touted being able to test the security of an instance, would know to call RECONFIGURE after enabling xp_cmdshell.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
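Added example, not from Aadhar's or Orlando's posts: the enable sequence, with the query that exposes the pending-versus-applied state Aadhar is describing. It assumes a sysadmin session on a test instance; the xp_cmdshell call only reports which Windows account the service runs as.

```sql
-- Added example (not from the thread). Run on a test instance as sysadmin.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;

EXEC sp_configure 'xp_cmdshell', 1;   -- stored, but NOT yet in effect

-- value = 1, value_in_use = 0: in this window xp_cmdshell still fails.
SELECT name, value, value_in_use
FROM   sys.configurations
WHERE  name = 'xp_cmdshell';

RECONFIGURE;                          -- xp_cmdshell is dynamic: now value_in_use = 1

-- Proves OS access and shows the Windows account SQL Server runs as,
-- i.e. the account an attacker inherits through xp_cmdshell.
EXEC master..xp_cmdshell 'whoami';

-- Put it back.
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
EXEC sp_configure 'show advanced options', 0;
RECONFIGURE;
```

Two things to check before blaming the tool. First, this sequence is several statements, so the injection point must allow stacked queries (a terminating quote, a semicolon, then EXEC ...); a blind point that only lets you vary a condition inside an existing SELECT cannot run sp_configure at all, and the failure in the original post is what that looks like from sqlmap's side. Second, run sqlmap with a higher verbosity (-v 3 shows the injected payloads) and compare: sqlmap's MSSQL takeover code sends an sp_configure/RECONFIGURE pair equivalent to the one above, so if sys.configurations still shows 0 for both value and value_in_use afterwards, the statements never executed, rather than executed without RECONFIGURE.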
medized (Forum Newbie)
Hey,

Sorry, but your questions are not relevant to my situation: the choices you are talking about have been made by my client, not by myself. Maybe I should have expressed it more clearly: it is a penetration testing assessment, performed over a web application that is not under my control.

Cheers,

Z.
Orlando Colamatteo (SSCrazy Eights)
How ironic. Your client is conscientious enough to do a penetration test, yet they will not accept advice on not running a website using the sa Login. Wish them luck for me, seriously. The sa Login should be disabled, in my opinion. And no client application should ever run using a Login in the sysadmin Role, period. Anything short of following that and a penetration test has no practical use for testing client applications.

__________________________________________________________________________________________________
There are no special teachers of virtue, because virtue is taught by the whole community. --Plato
Andreas.Wolter (SSC-Enthusiastic)
First of all, opc.three is right: sa is a NO GO.
No failed penetration test would ever give you enough confidence that it cannot be exploited.
As you notice, those tools each have their flaws. I know it, I have tested a lot of them, too.
And usually I get further into the system if I do a manual penetration test.
Those tools are good for being quick, for an "easy try". But a determined hacker will try harder - and might also just use a different tool with different results(!).

And as you see, even sqlmap, being one of the better ones, is by far not perfect. And it does NOT know all attack techniques.
A penetration tester (person) should, though.
Also, usually those tools are not written by experts for a specific database product. So do NOT rely solely on them, ever. Your SQL Server expertise, or that of someone on your team, should make up for it.

To wrap up, and to make sure:
"sa and db_owner are both absolute no-go's for Application Users"

You can get a glance at what's possible from my list of one of my sessions on SQL Server Security: www.insidesql.org/blogs/andreaswolter/2013/07/security-session-sql-server-attack-ed

Andreas

---------------------------------------------------
MVP SQL Server
Microsoft Certified Master SQL Server 2008
Microsoft Certified Solutions Master Data Platform, SQL Server 2012
www.insidesql.org/blogs/andreaswolter
www.andreas-wolter.com
Ed Wagner (SSChampion)
If you're running a penetration test using the 'sa' user, then you may have missed one of the very first steps in securing a server - disable the 'sa' login. A best practice during installation is to change the username for 'sa'. The next thing you do is disable it. Gail has written elsewhere that you can't delete it because you'll run into problems if you want to upgrade later, but you should disable it.

I've not used sqlmap myself, so I can't comment on the error in the OP.


Tally Tables - Performance Personified
String Splitting with True Performance
Best practices on how to ask questions
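Added example, not from Ed Wagner's or Andreas Wolter's posts: the remediation both describe, written as T-SQL for SQL Server 2008 (the version in the original post). The login, database and renamed-sa names are placeholders chosen for this example, and sp_addrolemember-era syntax is avoided in favour of GRANT so it runs unchanged on 2008 and later.

```sql
-- Added example (not from the thread). Run as a sysadmin login other than sa.
-- [AppDb], [webapp_svc] and [sa_disabled] are placeholder names.

-- 1. Audit: every login that is currently sysadmin. The web application's
--    login must not appear in this list.
SELECT  m.name AS login_name, m.type_desc, m.is_disabled
FROM    sys.server_role_members rm
JOIN    sys.server_principals r ON r.principal_id = rm.role_principal_id
JOIN    sys.server_principals m ON m.principal_id = rm.member_principal_id
WHERE   r.name = 'sysadmin';

-- 2. Rename and disable sa. It cannot be dropped (and, as Gail notes, should
--    not be); a renamed, disabled sa removes the best-known login name from
--    password-guessing and from any application connection string.
ALTER LOGIN sa WITH NAME = [sa_disabled];
ALTER LOGIN [sa_disabled] DISABLE;

-- 3. A least-privilege login for the website: member of no server role,
--    rights only inside its own database.
CREATE LOGIN [webapp_svc]
    WITH PASSWORD = 'CHANGE-ME-long-random-passphrase', CHECK_POLICY = ON;
USE [AppDb];
CREATE USER [webapp_svc] FOR LOGIN [webapp_svc];
-- EXECUTE on the application's stored procedures is the usual minimum;
-- db_owner (Andreas' point) is never acceptable for an application user.
GRANT EXECUTE ON SCHEMA::dbo TO [webapp_svc];

-- 4. Verify from the application's perspective: both should be 0.
EXECUTE AS LOGIN = 'webapp_svc';
SELECT SUSER_SNAME()             AS login_name,
       IS_SRVROLEMEMBER('sysadmin') AS is_sysadmin,
       IS_MEMBER('db_owner')        AS is_db_owner;
REVERT;
```

With the application connecting as [webapp_svc], the sp_configure calls sqlmap issues fail on permissions rather than on RECONFIGURE timing, and a SQL injection in the site stays a data-layer problem instead of becoming a shell on the database host.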