SQL Server 2005
The Exploit Next Generation® SQL Fingerprint™ (f.k.a. Microsoft SQL Server
Fingerprint Tool) is a powerful tool which performs version fingerprinting
for:
1. Microsoft SQL Server 2000;
2. Microsoft SQL Server 2005; and
3. Microsoft SQL Server 2008.
The Exploit Next Generation® SQL Fingerprint™ (ESF) uses well-known
techniques based on several public tools that are capable of identifying the
Microsoft SQL Server version (such as SQLping and SQLver), but, instead of
to supply a path to a remote file using either SMB or WebDAV.
IV. DETECTION
iDefense confirmed the existence of this vulnerability in Microsoft SQL
Server 2005 Service Pack 2 Hot Fix 4. Additional tests against SQL
Server 2005 without any updates suggest it is also vulnerable. Previous
versions are also suspected to be vulnerable.
V. WORKAROUND
.:[Software Description:
This is a tool that performs version fingerprinting on Microsoft SQL Server
2000, 2005 and 2008, using well-known techniques based on several public tools
that identify the SQL Server version. The strength of this tool is that it uses
a probabilistic algorithm to identify the version of the Microsoft SQL Server.
The "Microsoft SQL Server Fingerprint Tool" can also be used to identify
vulnerable versions of Microsoft SQL Server.
(SQLSORT.DLL). That is a huge number of possible writable memory space ENG
can use randomly.
The only thing ENG has to keep in mind is that it should use the writable
address in two four-byte (04) blocks: the first four-byte (04) block targets
Microsoft SQL Server SP0, and the second four-byte (04) block targets
Microsoft SQL Server SP1-2.
-[ NOPs [12]
To fill the nops’ field, ENG uses the same simple technique used to fill up
Some of the new features include:
* Added support to execute arbitrary commands on the database server
underlying operating system either returning the standard output or
not via UDF injection on MySQL and PostgreSQL and via xp_cmdshell()
stored procedure on Microsoft SQL Server;
* Added support for out-of-band connection between the attacker box
and the database server underlying operating system via stand-alone
payload stager created by Metasploit and supporting Meterpreter, shell
and VNC payloads for both Windows and Linux;
* Added support for out-of-band connection via Microsoft SQL Server
__________________________________________________________________
Insomnia Security Vulnerability Advisory: ISVA-080709.1
___________________________________________________________________
Name: Microsoft SQL Server - Corrupt Backup File Heap Overflow
Released: 09 July 2008
Vendor Link:
http://www.microsoft.com/sql/default.mspx
- Description:
####################
Blaze Apps is an ASP.NET 2 Content Management System. It uses VB and
C# as backend languages
and uses Microsoft SQL Server as its DBMS.
####################
- Vulnerability:
####################
Nortel Contact Recording Centralized Archive 6.5.1 EyrAPIConfiguration
Web Service getSubKeys() Remote SQL Injection Exploit
tested against:
Microsoft Windows Server 2003 r2 sp2
Microsoft SQL Server 2005 Express
download uri:
ftp://ftp.avaya.com/incoming/Up1cku9/tsoweb/web1/software/c/contactcenter/crqm/6_5_CS1K_2/Nortel-DVD3-Archive-6_5.iso
background:
3. Problem Description
a. vCenter Server and vCenter Update Manager update Microsoft
SQL Server 2005 Express Edition to Service Pack 3
Microsoft SQL Server 2005 Express Edition (SQL Express)
distributed with vCenter Server 4.1 Update 1 and vCenter Update
Manager 4.1 Update 1 is upgraded from SQL Express Service Pack 2
to SQL Express Service Pack 3, to address multiple security
Update to SEC Consult Security Advisory 20081210-0
(Microsoft SQL Server sp_replwritetovarbin limited memory overwrite
vulnerability)
===================================================================
Summary:
------------
By calling the extended stored procedure sp_replwritetovarbin, an
attacker can write limited values to arbitrary locations in process
[ SCENARIO ]
The test has been done in the following environment:
MS Windows Server 2003 Enterprise Edition, IIS 6.0, MS SQL Server 2005
[ DESCRIPTION ]
S21sec has discovered a vulnerability in Cezanne 7 that allows injecting
There are no known workarounds for this vulnerability
The Vendor has released a patch for this vulnerability, Release 7.5.1.86, available from normal Red Dot customer support contacts.
Tested / Affected Versions:
IRM confirmed the presence of this vulnerability in RedDot CMS version 7.5 Build 7.5.0.48, tested with Microsoft SQL Server 2005 database.
It is believed that this issue exists in RedDot CMS versions 6.5 and 7.0; however, this has not been fully verified.
Credits:
Research and Advisory: Mark Crowther and Rodrigo Marcos
Requesting the following URL returns the version of Windows and SQL server:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=@@version&pz=9&featured=n&ord=desc&sort=posted&rmore=-&
System.Data.SqlClient.SqlException: Conversion failed when converting the nvarchar value 'Microsoft SQL Server 2005 - 9.00.3042.00 (Intel X86)
Feb 9 2007 22:47:07 Copyright (c) 1988-2005 Microsoft Corporation Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2) ' to data type int.
Other URLs:
http://target.tld/[CustomerDefinedDir]/xlaabsolutenm.aspx?z=10&ord=asc&sort=headline'INJECTED_PAYLOAD&rmore=-&
software vendors of enterprise applications, telecommunications and
embedded software and systems. IBM reports SolidDB as being used in
mission-critical applications from Cisco, HP, Alcatel and Nokia Siemens.
The in-memory database is also used as a core component of IBM SolidDB
Universal Cache, a performance improvement application for relational
databases such as DB2, Microsoft SQL Server, Oracle and Informix.
A remotely exploitable vulnerability was found in the database server
core component. Exploitation of this bug does not require authentication
and will lead to a remotely triggered denial of service of the database
service. It is not likely that this bug could be otherwise exploited to
<!--
18.48 01/09/2007
Microsoft SQL Server Distributed Management Objects OLE DLL for
SQL Enterprise Manager (sqldmo.dll) remote buffer overflow poc
file version: 2000.085.2004.00
product version: 8.05.2004
passing some fuzzy chars to Start method:
> On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
> <roman@rs-labs.com> wrote:
>> Razi Shaban wrote:
>>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>>> injection technique which allows to extract the whole information of a
>>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>>> way.
>>>
>>> This isn't new, this is old news. It might be the first paper written
>>> about the topic, but these methods have been used for years.
>>
About NGSSoftware
*****************
NGSSoftware develops vulnerability assessment and compliancy tools for
database servers including Oracle, Microsoft SQL Server, DB2, Sybase and
Informix. Headquartered in the United Kingdom NGS has offices in London, St.
Andrews (UK), Brisbane, and Perth (Australia) and Seattle in the United
States; NGSConsulting provide services to some of the largest and most
demanding organizations around the globe.
http://www.ngssoftware.com/
* Major enhancement to support SQL data definition statements, SQL
data manipulation statements, etc. from the user in SQL query and SQL shell
if stacked queries are supported by the web application technology.
* Major speed increase in DBMS basic fingerprint.
* Major bug fix to correctly handle custom SQL "limited" queries on
Microsoft SQL Server and Oracle.
* Major bug fix to avoid tracebacks when multiple targets are
specified and one of them is not reachable.
Complete list of changes at http://sqlmap.sourceforge.net/doc/ChangeLog.
Oracle exploit support has been implemented through a tag-team effort
between MC and Chris Gates, with assistance from Alexander Kornbrust.
Oracle modules have been developed for exploiting TNS protocol stack and
Web-based Oracle services, as well as post-authentication database-level
privilege escalation flaws. Microsoft SQL Server support has been
overhauled, with the addition of a brand new native Ruby TDS driver
exclusive to the Metasploit Framework and a large number of new modules.
Microsoft SQL Server 2000 through 2008 versions have been tested with
the new modules. The MSSQL and Oracle login modules can now brute force
passwords from a dictionary file.
About NGSSoftware
*****************
NGSSoftware, an NCC Group Company, develops vulnerability assessment and
compliancy tools for database servers including Oracle, Microsoft SQL
Server, DB2, Sybase and Informix. Headquartered in the United Kingdom NGS
has offices in London, St. Andrews (UK), Brisbane, and Perth (Australia) and
Seattle in the United States; NGS provide services to some of the largest
and most demanding organizations around the globe.
http://www.ngssoftware.com/
a simple PoC of new malware that, after it is
deployed on a computer in an internal network, will
automatically hack database servers and
steal their data. Several techniques used by Data0
will be detailed. Data0 will be targeting
Microsoft SQL Server and Oracle Database Server, two of
the most used database servers.
While Data0 could be used by the bad guys for evil
purposes, it could also be used by security
professionals and organizations to determine how
strong networks, workstations, database
On Sun, Feb 8, 2009 at 6:16 PM, Roman Medina-Heigl Hernandez
<roman@rs-labs.com> wrote:
> Razi Shaban wrote:
>>> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
>>> injection technique which allows to extract the whole information of a
>>> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
>>> way.
>>
>> This isn't new, this is old news. It might be the first paper written
>> about the topic, but these methods have been used for years.
>
Hi,
I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
injection technique which allows extracting all the information of a
Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
way.
This technique is based on the FOR XML clause, which is able to convert the
content of a table into a single string, so its contents could be appended
to some field injecting a subquery into a vulnerable input of a web
common web applications.
It can be downloaded from
http://www.portcullis-security.com/uplds/wildcard_attacks.pdf
The majority of Microsoft SQL Server based web applications are
vulnerable to this attack. Other databases could be vulnerable
depending on how the applications implement search functionality,
although the common implementation of the search functionality in SQL
Server back-end applications is vulnerable.
On Fri, Feb 6, 2009 at 2:10 PM, Daniel Kachakil <dani@kachakil.com> wrote:
> Hi,
>
> I am glad to release SFX-SQLi (Select For XML SQL injection), a new SQL
> injection technique which allows to extract the whole information of a
> Microsoft SQL Server 2005/2008 database in an extremely fast and efficient
> way.
>
This isn't new, this is old news. It might be the first paper written
about the topic, but these methods have been used for years.
Community Server - Stored Cross-site Scripting in a user's signature.
- Product description:
Community Server is a communities and collaboration web application
developed by Telligent.
It uses the ASP.NET platform (C#) and a Microsoft SQL Server database. From
its 5.0 version, the software was renamed to Telligent Community.
- Vulnerability Details:
It is possible to insert scripts (Cross-site Scripting) in a user's