From: Egemen Tas (egementKARYDE.COM.TR)
Date: Sat Feb 05 2000 - 23:43:59 CST
It is known that MS SQL Server comes with a default SA (Sys Admin) account with a NULL password.
It seems that many system administrators do not take care of the dangers of this situation.
While we were searching the net, we found that over 80% of the hosts we scanned still have the SA account with NO password.
So I have decided to prove that this situation leads to full compromise of the system.
There are tools running on *nix-like OSes, but I think using this one is easier than some silly unix stuff...
Yes this was the story behind the SQLExec.c exploit...
By default, SQL Server comes with a few stored procedures. xp_cmdshell is one of them and is used for executing commands through SQL Server.
Again by default, SQL Server installs itself with administrative privileges (Administrator).
If someone has the right to access the master database, this means he can execute commands on the host.
If the connected user is SA, then commands are executed in the context of SQL Server (Administrator by default);
otherwise they are executed in the context of SQLExecutiveCmdExecAccount.
Of course these behaviours occur with default installations.
Attached is an exploit file, SQLExec.zip. The included binary works under Windows 9X/NT/2K.
It is suitable for script kiddies also and executes commands with administrative privileges.
You can also see the output of the commands (unlike msadc.pl) on the screen, just as if you were executing them on your terminal.
(Don't jail the curious, just a bit of freedom)
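
An administrator can check a server for the three defaults described in this post (a blank SA password, xp_cmdshell being available, and the service running with administrative rights) using the T-SQL audit below. It is an added example, not part of the original post or of SQLExec. It assumes a current SQL Server release (2008 R2 SP1 or later), whose catalog views postdate the version discussed here, and a login with sysadmin rights.

```sql
-- Added audit example; assumes SQL Server 2008 R2 SP1 or later and sysadmin rights.

-- 1. SQL logins with a blank password. The built-in sa login always has
--    SID 0x01, so it is flagged even if it has been renamed.
SELECT name,
       is_disabled,
       CASE WHEN sid = 0x01 THEN 1 ELSE 0 END AS is_builtin_sa
FROM sys.sql_logins
WHERE PWDCOMPARE('', password_hash) = 1;

-- 2. Is xp_cmdshell enabled? value_in_use = 1 means it can be called now.
SELECT name, value, value_in_use
FROM sys.configurations
WHERE name = 'xp_cmdshell';

-- 3. Which Windows account does each SQL Server service run as?
--    Commands issued by a sysadmin through xp_cmdshell run as this account,
--    so it should not be a local or domain administrator.
SELECT servicename, service_account
FROM sys.dm_server_services;

-- 4. Is a proxy credential configured for non-sysadmin callers of xp_cmdshell?
--    (The present-day counterpart of the non-SA execution account in the post.)
SELECT name, credential_identity
FROM sys.credentials
WHERE name = '##xp_cmdshell_proxy_account##';

-- Remediation: disable the built-in sa login and turn xp_cmdshell off.
-- If sa must stay enabled, set a strong password first (placeholder shown):
-- ALTER LOGIN sa WITH PASSWORD = N'<REPLACE-WITH-STRONG-PASSWORD>';
ALTER LOGIN sa DISABLE;  -- use the renamed login name if sa was renamed
EXEC sp_configure 'show advanced options', 1;
RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0;
RECONFIGURE;
```

Any row returned by query 1 is a finding on its own; a service account with administrative rights in query 3 is what turns database access into control of the host.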