
MS SQL Server

[TOOL RELEASE] Microsoft SQL Server Fingerprint Tool BETA-3!!!

.:[Software Description:

This is a tool that performs version fingerprinting on Microsoft SQL Server
2000, 2005 and 2008, using well-known techniques based on several public tools
that identify the SQL Server version. The strength of this tool is that it uses
a probabilistic algorithm to identify the version of the Microsoft SQL Server.

The "Microsoft SQL Server Fingerprint Tool" can also be used to identify
vulnerable versions of Microsoft SQL Server.


"Exploit creation - The random approach" or "Playing with random to build exploits"

(SQLSORT.DLL). That is a huge number of possible writable memory space ENG
can use randomly.

The only thing ENG has to keep in mind is that it should use the writable
address in two four (04)-byte blocks: the first four (04)-byte block targets
the Microsoft SQL Server SP0, and the second four (04)-byte block targets
the Microsoft SQL Server SP1-2.

-[ NOPs [12]

To fill the nops’ field, ENG uses the same simple technique used to fill up

Microsoft SQL Server 2005 sp_replwritetovarbin memory overwrite (update to SEC Consult SA-20081209)

Update to SEC Consult Security Advisory 20081210-0
(Microsoft SQL Server sp_replwritetovarbin limited memory overwrite
vulnerability)
===================================================================

Summary:
------------

By calling the extended stored procedure sp_replwritetovarbin, an
attacker can write limited values to arbitrary locations in process

Insomnia : ISVA-080709.1 - Microsoft SQL Server - Corrupt Backup File Heap Overflow

__________________________________________________________________

 Insomnia Security Vulnerability Advisory: ISVA-080709.1
___________________________________________________________________

 Name: Microsoft SQL Server - Corrupt Backup File Heap Overflow
 Released: 09 July 2008
  
 Vendor Link: 
    http://www.microsoft.com/sql/default.mspx
  

[Tool] sqlmap 0.7rc1 released

Some of the new features include:

* Added support to execute arbitrary commands on the database server
underlying operating system either returning the standard output or
not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell()
stored procedure on Microsoft SQL Server;
* Added support for out-of-band connection between the attacker box
and the database server underlying operating system via stand-alone
payload stager created by Metasploit and supporting Meterpreter, shell
and VNC payloads for both Windows and Linux;
* Added support for out-of-band connection via Microsoft SQL Server

S21SEC-043-en:Cezanne SW Blind SQL Injection

[ SCENARIO ]

The test has been done in the following environment:

MS Windows Server 2003 Enterprise Edition, IIS 6.0, MS SQL Server 2005


[ DESCRIPTION ]

S21sec has discovered a vulnerability in Cezanne 7 that allows injecting

Blaze Apps Multiple Vulnerabilities

- Description:
####################

Blaze Apps is an ASP.NET 2 Content Management System. It uses VB and C# as
backend languages and uses Microsoft SQL Server as its DBMS.

####################
- Vulnerability:
####################


Oracle Application Server PLSQL injection flaw


About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.


Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

Razi Shaban wrote:
>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>> injection technique which allows to extract the whole information of a
>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>> way.
> 
> This isn't new, this is old news. It might be the first paper written
> about the topic, but these methods have been used for years.

Please, Razi, could you name any reference? I suppose that if the method is

SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

Hi,

I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
injection technique which allows to extract the whole information of a
Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
way.

This technique is based on the FOR XML clause, which is able to convert the
content of a table into a single string, so its contents could be appended
to some field injecting a subquery into a vulnerable input of a web

Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

> On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
> <roman@rs-labs.com> wrote:
>> Razi Shaban wrote:
>>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>>> injection technique which allows to extract the whole information of a
>>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>>> way.
>>>
>>> This isn't new, this is old news. It might be the first paper written
>>> about the topic, but these methods have been used for years.
>>

Microsoft SQL Server Distributed Management Objects OLE DLL for SQL Enterprise Manager (sqldmo.dll) remote buffer overflow poc

<!--
18.48 01/09/2007
Microsoft SQL Server Distributed Management Objects OLE DLL for
SQL Enterprise Manager (sqldmo.dll) remote buffer overflow poc

file version: 2000.085.2004.00
product version: 8.05.2004

passing some fuzzy chars to Start method:


[Argeniss] Data0: Next generation malware for stealing databases (Paper)

simple PoC of new malware that, after it is deployed on a computer in an
internal network, will automatically hack database servers and steal their
data. Several techniques used by Data0 will be detailed. Data0 will be
targeting Microsoft SQL Server and Oracle Database Server, two of the most
used database servers. While Data0 could be used by the bad guys for evil
purposes, it could also be used by security professionals and organizations
to determine how strong networks, workstations, database

Oracle TNS Listener DoS and/or remote memory inspection


CORE-2009-1027: IBM SolidDB invalid error code vulnerability

software vendors of enterprise applications, telecommunications and
embedded software and systems. IBM reports SolidDB as being used in
mission-critical applications from Cisco, HP, Alcatel and Nokia Siemens.
The in-memory database is also used as core component of IBM SolidDB
Universal Cache, a performance improvement application for relational
databases such as DB2, Microsoft SQL Server, Oracle and Informix.

A remotely exploitable vulnerability was found in the database server
core component. Exploitation of this bug does not require authentication
and will lead to a remotely triggered denial of service of the database
service. It is not likely that this bug could be otherwise exploited to

Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
<roman@rs-labs.com> wrote:
> Razi Shaban wrote:
>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>> injection technique which allows to extract the whole information of a
>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>> way.
>>
>> This isn't new, this is old news. It might be the first paper written
>> about the topic, but these methods have been used for years.
>

SQL Injection Flaw in Oracle Workspace Manager


Re: SFX-SQLi: A new SQL injection technique for MSSQL (dumps a table in one request!)

On Fri, Feb 6, 2009 at 2:10 PM, Daniel Kachakil <dani@kachakil.com> wrote:
> Hi,
>
> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
> injection technique which allows to extract the whole information of a
> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
> way.
>

This isn't new, this is old news. It might be the first paper written
about the topic, but these methods have been used for years.

Kvaliitti WebDoc 3.0 CMS SQL Injection vulnerability

Found by: Jaakko "Chrysalid" Hartikainen

1. Info

Kvaliitti WebDoc 3.0 CMS is a proprietary Finnish-made content management system developed by Kvaliitti Oy (http://www.kvaliitti.fi). It is driven by MS SQL Server and ASP. 

2. Abstract

WebDoc 3.0 suffers from a flaw in input validation, which allows attackers to insert malicious SQL queries into an existing one, possibly gaining complete control over an affected system.


Metasploit Framework 3.3 Released

Oracle exploit support has been implemented through a tag-team effort
between MC and Chris Gates, with assistance from Alexander Kornbrust.
Oracle modules have been developed for exploiting TNS protocol stack and
Web-based Oracle services, as well as post-authentication database-level
privilege escalation flaws. Microsoft SQL Server support has been
overhauled, with the addition of a brand new native Ruby TDS driver
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.

[security bulletin] HPSBPI02500 SSRT090263 rev.1 - HP Web Jetadmin, Remote Unauthorized Access to Data, Denial of Service (DoS)

RESOLUTION

If HP Web Jetadmin is used on an untrusted network, the vulnerabilities can be avoided by using an SQL Server on the HP Web Jetadmin system. In that configuration data exchanged between HP Web Jetadmin and the SQL Server are not transmitted on the network.

More information is available in the document "Using MS SQL Server with HP Web Jetadmin", available here
http://bizsupport1.austin.hp.com/bc/docs/support/SupportManual/c01763040/c01763040.pdf

PRODUCT SPECIFIC INFORMATION
None


Multiple SQL Injection Flaws in Oracle CTX_DOC package


Oracle RDBMS TNS Data packet DoS


DoS attacks using SQL Wildcards - White Paper

common web applications.

It can be downloaded from
http://www.portcullis-security.com/uplds/wildcard_attacks.pdf

The majority of Microsoft SQL Server based web applications are
vulnerable to this attack. Other databases could be vulnerable
depending on how the applications implement search functionality,
although the common implementation of search functionality in SQL
Server back-end applications is vulnerable.


Re: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability

Cesar.

--- On Tue, 7/8/08, iDefense Labs <labs-no-reply@idefense.com> wrote:

> From: iDefense Labs <labs-no-reply@idefense.com>
> Subject: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability
> To: vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> Date: Tuesday, July 8, 2008, 11:18 PM
> iDefense Security Advisory 07.08.08
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jul 08, 2008

[Tool] sqlmap 0.6.4 released

* Major enhancement to support SQL data definition statements, SQL
data manipulation statements, etc from user in SQL query and SQL shell
if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on
Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are
specified and one of them is not reachable.


Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.

HPSBST02350 SSRT080102 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-037 to MS08-040

 ------------------------------------------------- 
MS Patch - MS08-039 Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)
Analysis - SMA does not have this component.
Action - Patch will not run successfully. Customers should not be concerned with this issue.
 ------------------------------------------------- 
MS Patch - MS08-040 Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
Analysis - SMA does not have this component.
Action - Patch will not run successfully. Customers should not be concerned with this issue.
 ------------------------------------------------- 
 
Installation Instructions: (if applicable) 

SQL Injection in Cisco CallManager

=======

The log on page of the Cisco Unified CallManager web interface performs
insufficient checking of the "lang" HTTP GET variable before passing it
into a SQL query. By providing a specially crafted lang variable, an
attacker could trick the backend MS SQL server into executing arbitrary
SQL queries as the logged in user.

The affected query returns only a single value, and that value is
placed in a Javascript include URL which is not visible in the rendered
HTML page. As a result, practical exploitation of this vulnerability

Oracle audit issue with XMLDB ftp service


SEC Consult SA-20081109-0 :: Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability

SEC Consult Security Advisory < 20081209-0 >
=====================================================================================
                  title: Microsoft SQL Server 2000 sp_replwritetovarbin
                         limited memory overwrite vulnerability
                program: Microsoft SQL Server 2000
     vulnerable version: <=8.00.2039
               homepage: www.microsoft.com
                  found: 04-12-2008
                     by: Bernhard Mueller (SEC Consult Vulnerability Lab)


Copyright © 1995-2012 LinuxRocket.net. All rights reserved.
