As I see it, in the first (valid) command you terminate with a double quote
';EXEC master..sp_configure 'xp_cmdshell', '1''
while during the second execution you terminate with a single quote.
';EXEC master..sp_configure 'xp_cmdshell', '1';RECONFIGURE'
Cheers,
Ioannis (Yiannis) Koukouras
CISSP, CISA, CISM, OSCP
MSc in Computer Systems Security
BEng in Electronic Engineering
http://www.linkedin.com/in/ikoukouras
On Sat, Jun 30, 2012 at 10:06 PM, Smiling Buddha <smilngbuddha (at) gmail (dot) com> wrote:
> Hi,
>
> I am on a pentest assignment and have encountered an SQL injection
> vulnerability with an SQL Server 2005 in the background, complete with
> dbo level access. I have successfully retrieved DB values and have
> already presented them as evidence. Now, I am directed to take the attack
> to the next level and see the extent of the problem.
>
> I am trying to run the xp_cmdshell stored procedure.
> To ensure xp_cmdshell is enabled, I am running the following two queries:
>
> EXEC master..sp_configure 'xp_cmdshell', '1'
> RECONFIGURE
> in the vulnerable parameter as:
>
> ';EXEC master..sp_configure 'xp_cmdshell', '1'' - This query
> replies without any error
>
> But when I append RECONFIGURE, the following returns an error:
>
> ';EXEC master..sp_configure 'xp_cmdshell', '1';RECONFIGURE' -
> Incorrect syntax near "
>
>
> I looked up the sp_configure functionality and don't see any
> syntactical error, maybe the sequence, or incorrectly formed stacked
> query.
>
> Any suggestions?
>
>
> Thanx.
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review Board
>
> Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
>
> http://www.iacertification.org
> ------------------------------------------------------------------------
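For defenders reviewing web logs after a test like the one described in this thread, the following added example (not part of the original messages) flags query-string values that close a string literal and stack an `sp_configure 'xp_cmdshell'` or `RECONFIGURE` statement. The log format, paths and parameter names are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample access-log lines ("METHOD URL STATUS"); paths and
# parameter names are hypothetical, the T-SQL strings are those quoted in the thread.
SAMPLE_LOG = [
    "GET /item.aspx?id=42 200",
    "GET /item.aspx?id=1%27%3BEXEC%20master..sp_configure%20%27xp_cmdshell%27%2C%20%271%27 200",
    "GET /item.aspx?id=1%27%3BEXEC%20master..sp_configure%20%27xp_cmdshell%27%2C%20%271%27%3BRECONFIGURE 500",
    "GET /search.aspx?q=how+to+reconfigure+a+router 200",
]

RULES = {
    # A quote that closes the string literal, then a stacked statement.
    "stacked-statement": re.compile(r"'\s*;\s*(exec(ute)?|reconfigure)\b", re.I),
    # sp_configure pointed at the xp_cmdshell option within one statement.
    "sp_configure-xp_cmdshell": re.compile(r"\bsp_configure\b[^;]*\bxp_cmdshell\b", re.I),
    # RECONFIGURE as its own statement (after ';'), not as an English word.
    "reconfigure-statement": re.compile(r";\s*reconfigure\b", re.I),
}

def scan_request(log_line):
    """Return the sorted names of the rules matched by any query parameter value."""
    _method, url, _status = log_line.split(" ", 2)
    hits = set()
    # parse_qsl percent-decodes each value, so encoded quotes and semicolons are seen.
    for _name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        for rule, pattern in RULES.items():
            if pattern.search(value):
                hits.add(rule)
    return sorted(hits)

def scan_log(lines):
    """Map 1-based line numbers to matched rule names, skipping clean lines."""
    return {n: hits for n, line in enumerate(lines, 1) if (hits := scan_request(line))}

if __name__ == "__main__":
    for line_no, hits in scan_log(SAMPLE_LOG).items():
        print(line_no, ", ".join(hits))
```

A hit in the web log is worth correlating with the server side: the current `xp_cmdshell` setting in `sys.configurations` and the SQL Server error log show whether a configuration change actually took effect.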