Microsoft SQL Server
The Exploit Next Generation® SQL Fingerprint™ (f.k.a. Microsoft SQL Server
Fingerprint Tool) is a powerful tool which performs version fingerprinting
for:
1. Microsoft SQL Server 2000;
2. Microsoft SQL Server 2005; and
3. Microsoft SQL Server 2008.
The Exploit Next Generation® SQL Fingerprint™ (ESF) uses well-known
techniques based on several public tools that are capable of identifying the
Microsoft SQL Server version (such as SQLping and SQLver), but, instead of
.:[Software Description:
This is a tool that performs version fingerprinting on Microsoft SQL Server
2000, 2005 and 2008, using well-known techniques based on several public tools
that identify the SQL Server version. The strength of this tool is that it uses
a probabilistic algorithm to identify the version of the Microsoft SQL Server.
The "Microsoft SQL Server Fingerprint Tool" can also be used to identify
vulnerable versions of Microsoft SQL Server.
Some of the new features include:
* Added support to execute arbitrary commands on the database server
underlying operating system either returning the standard output or
not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell()
stored procedure on Microsoft SQL Server;
* Added support for out-of-band connection between the attacker box
and the database server underlying operating system via stand-alone
payload stager created by Metasploit and supporting Meterpreter, shell
and VNC payloads for both Windows and Linux;
* Added support for out-of-band connection via Microsoft SQL Server
(SQLSORT.DLL). That is a huge number of possible writable memory space ENG
can use randomly.
The only thing ENG has to keep in mind is that it should use the writable
address in two four (04) byte blocks: the first four (04) byte block targets
Microsoft SQL Server SP0, and the second four (04) byte block targets
Microsoft SQL Server SP1-2.
-[ NOPs [12]
To fill the nops’ field, ENG uses the same simple technique used to fill up
__________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-080709.1
___________________________________________________________________
Name: Microsoft SQL Server - Corrupt Backup File Heap Overflow
Released: 09 July 2008
Vendor Link:
http://www.microsoft.com/sql/default.mspx
About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom, NGS has offices in London,
St. Andrews (UK), Brisbane and Perth (Australia), and Seattle in the United
States; NGSConsulting provides services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
SEC Consult Security Advisory < 20081209-0 >
=====================================================================================
title: Microsoft SQL Server 2000 sp_replwritetovarbin limited memory overwrite vulnerability
program: Microsoft SQL Server 2000
vulnerable version: <=8.00.2039
homepage: www.microsoft.com
found: 04-12-2008
by: Bernhard Mueller (SEC Consult Vulnerability Lab)
-------------------------------------------------
MS Patch - MS08-039 Vulnerabilities in Outlook Web Access for Exchange Server Could Allow Elevation of Privilege (953747)
Analysis - SMA does not have this component.
Action - Patch will not run successfully. Customers should not be concerned with this issue.
-------------------------------------------------
MS Patch - MS08-040 Vulnerabilities in Microsoft SQL Server Could Allow Elevation of Privilege (941203)
Analysis - SMA does not have this component.
Action - Patch will not run successfully. Customers should not be concerned with this issue.
-------------------------------------------------
Installation Instructions: (if applicable)
> On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
> <roman@rs-labs.com> wrote:
>> Razi Shaban wrote:
>>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>>> injection technique which allows to extract the whole information of a
>>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>>> way.
>>>
>>> This isn't new, this is old news. It might be the first paper written
>>> about the topic, but these methods have been used for years.
>>
Cesar.
--- On Tue, 7/8/08, iDefense Labs <labs-no-reply@idefense.com> wrote:
> From: iDefense Labs <labs-no-reply@idefense.com>
> Subject: [Full-disclosure] iDefense Security Advisory 07.08.08: Microsoft SQL Server Restore Integer Underflow Vulnerability
> To: vulnwatch@vulnwatch.org, full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com
> Date: Tuesday, July 8, 2008, 11:18 PM
> iDefense Security Advisory 07.08.08
> http://labs.idefense.com/intelligence/vulnerabilities/
> Jul 08, 2008
Razi Shaban wrote:
>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>> injection technique which allows to extract the whole information of a
>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>> way.
>
> This isn't new, this is old news. It might be the first paper written
> about the topic, but these methods have been used for years.
Please, Razi, could you name any reference? I suppose that if the method is
simple PoC of new malware that, after it's
deployed on a computer in an internal network, will
automatically hack database servers and
steal their data. Several techniques used by Data0
will be detailed. Data0 will be targeting
Microsoft SQL Server and Oracle Database Server, two of
the most used database servers.
While Data0 could be used by the bad guys for evil
purposes, it could also be used by security
professionals and organizations to determine how
strong networks, workstations, database
On Fri, Feb 6, 2009 at 2:10 PM, Daniel Kachakil <dani@kachakil.com> wrote:
> Hi,
>
> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
> injection technique which allows to extract the whole information of a
> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
> way.
>
This isn't new, this is old news. It might be the first paper written
about the topic, but these methods have been used for years.
- Description:
####################
Blaze Apps is an ASP.NET 2 Content Management System. It uses VB and
C# as backend languages
and uses Microsoft SQL Server as its DBMS.
####################
- Vulnerability:
####################
Hi,
I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
injection technique which allows to extract the whole information of a
Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
way.
This technique is based on the FOR XML clause, which is able to convert the
content of a table into a single string, so its contents could be appended
to some field injecting a subquery into a vulnerable input of a web
* Major enhancement to support SQL data definition statements, SQL
data manipulation statements, etc. from the user in SQL query and SQL shell
if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on
Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are
specified and one of them is not reachable.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
About NGSSoftware
*****************
NGSSoftware, an NCC Group Company, develops vulnerability assessment and
compliancy tools for database servers including Oracle, Microsoft SQL
Server, DB2, Sybase and Informix. Headquartered in the United Kingdom, NGS
has offices in London, St. Andrews (UK), Brisbane and Perth (Australia), and
Seattle in the United States; NGS provides services to some of the largest
and most demanding organizations around the globe.
http://www.ngssoftware.com/
On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
<roman@rs-labs.com> wrote:
> Razi Shaban wrote:
>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>> injection technique which allows to extract the whole information of a
>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>> way.
>>
>> This isn't new, this is old news. It might be the first paper written
>> about the topic, but these methods have been used for years.
>
Oracle exploit support has been implemented through a tag-team effort
between MC and Chris Gates, with assistance from Alexander Kornbrust.
Oracle modules have been developed for exploiting TNS protocol stack and
Web-based Oracle services, as well as post-authentication database-level
privilege escalation flaws. Microsoft SQL Server support has been
overhauled, with the addition of a brand new native Ruby TDS driver
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.
software vendors of enterprise applications, telecommunications and
embedded software and systems. IBM reports SolidDB as being used in
mission-critical applications from Cisco, HP, Alcatel and Nokia Siemens.
The in-memory database is also used as a core component of IBM SolidDB
Universal Cache, a performance improvement application for relational
databases such as DB2, Microsoft SQL Server, Oracle and Informix.
A remotely exploitable vulnerability was found in the database server
core component. Exploitation of this bug does not require authentication
and will lead to a remotely triggered denial of service of the database
service. It is not likely that this bug could be otherwise exploited to
common web applications.
It can be downloaded from
http://www.portcullis-security.com/uplds/wildcard_attacks.pdf
The majority of Microsoft SQL Server based web applications are
vulnerable to this attack. Other databases could be vulnerable
depending on how the applications implement search functionality,
although the common implementation of search functionality in SQL
Server back-end applications is vulnerable.
3. *Vulnerability Description*
BugTracker.NET [1][2] is an open-source web-based bug tracker written
using ASP.NET, C#, and Microsoft SQL Server. Several cross-site
scripting and SQL-injection vulnerabilities were found in the following
files of BugTracker.NET:
. *bugs.aspx*. SQL injection in line 141.
. *delete_query.aspx*. No sanitization for 'row_id.Value' in line 30.
Update to SEC Consult Security Advisory 20081210-0
(Microsoft SQL Server sp_replwritetovarbin limited memory overwrite
vulnerability)
===================================================================
Summary:
------------
By calling the extended stored procedure sp_replwritetovarbin, an
attacker can write limited values to arbitrary locations in process
Community Server - Stored Cross-site Scripting in user's signature.
- Product description:
Community Server is a communities and collaboration web application
developed by Telligent.
It uses the ASP.NET platform (C#) and a Microsoft SQL Server database. From
its 5.0 version, the software was renamed to Telligent Community.
- Vulnerability Details:
It is possible to insert scripts (Cross-site Scripting) in user's
<!--
18.48 01/09/2007
Microsoft SQL Server Distributed Management Objects OLE DLL for
SQL Enterprise Manager (sqldmo.dll) remote buffer overflow poc
file version: 2000.085.2004.00
product version: 8.05.2004
passing some fuzzy chars to Start method: