Exploiting MS09-004 via SQL injection

简介: Recently we were performing an web application penetration test to one of our clients and identified a SQL injection vulnerability.

Recently we were performing an web application penetration test to one of our clients and identified a SQL injection vulnerability. The vulnerability allowed us to conduct a degree of fingerprinting on the remote server; however, the Microsoft SQL Server back-end database didn’t allow to execute commands via the well known xp_cmdshell stored procedure.

Based on the fingerprinting information we identified that the database server was running an old and vulnerable version of MS SQL server. Microsoft SQL Sever 2000 SP3, to be precise.

All indicated that the server was vulnerable to MS09-004 vulnerability. However, it was not possible to get direct access to the database. Moreover no authentication credentials were discovered during the course of the assessment.

This is how our newly released Metasploit module was born. We coded an extension which can be added to Metasploit to exploit this vulnerability using a SQL injection vulnerability with no need of using credentials, as the web application will authenticate in our behalf.

Penetration testing - SQL injection exploitation

Penetration testing - SQL injection exploitation

The screenshot above shows how to get meterpreter (or any other payload of your choice) exploiting the vulnerability from Metasploit.

If interested, get the scripts from our security tools area.

目录
相关文章
|
4月前
|
SQL 安全 网络安全
SQL注入(SQL Injection)
【8月更文挑战第11天】
124 3
|
5月前
|
SQL 安全 网络安全
DVWA SQL Injection (Blind) 通关解析
DVWA SQL Injection (Blind) 通关解析
|
7月前
|
SQL Oracle Java
SQL 注入神器:jSQL Injection 保姆级教程
SQL 注入神器:jSQL Injection 保姆级教程
|
SQL Java 数据库连接
sql injection violation, syntax error: syntax error, error in :‘**‘expect IDENTIFIER, actual IDENTIF
sql injection violation, syntax error: syntax error, error in :‘**‘expect IDENTIFIER, actual IDENTIF
222 0
|
7月前
|
SQL 安全 数据库
[dvwa] sql injection
[dvwa] sql injection
|
7月前
|
SQL 安全 数据库
[dvwa] sql injection(Blind)
[dvwa] sql injection(Blind)
java.sql.SQLException: sql injection violation
本文目录 1. 报错信息 2. 问题分析 3. 排除法 4. 解决方案
2943 0
|
SQL 安全 关系型数据库
DVWA-SQL注入(SQL Injection)低/中/高级别
DVWA是一个用来联系渗透的靶场,其中包含数个漏洞模块,本篇博客向大家简单介绍下SQL注入(SQL Injection)模块三个级别(low/medium/high)的通关步骤
1484 2
DVWA-SQL注入(SQL Injection)低/中/高级别
|
SQL 安全 Linux
kali linux 网络渗透测试学习笔记(二)OWASP ZAP工具扫描SQL injection漏洞失败
按照惯例,利用OWASP ZAP工具扫描SQL injection漏洞时,应该很快就可以扫描出来,但是在笔者进行扫描的时候,却遇到了以下状况: 这说明了该工具根本就没能够扫描出SQL注入的漏洞,不知道该如何解决。
2304 0
|
SQL 关系型数据库 Java
下一篇
DataWorks