Format the drive of SQL Server ;)

I came across an interesting security issue . Not any thing special regarding the security issue but the way it was exploited was interesting. You can even fromat the hard disk of the server.
The steps were specific to that example and may not be the same in all instances. One will have to fuzz for every such attack.Steps in that example were:
1. Goto Forgot Password Feature.
2. Find a valid user id and enter a userid. A bit of guessing will work here.
3. The next screen should ask you for hint question to answer.
4. Enter SQL query to either get the password retrieved in this feature or enter incorrect SQL string to grab the server details.
5. In case the account used by application to connect to SQL server is admin account like 'sa', then MS SQL server has a feature to run kernel level commands via Extended Stored Proc.
6. Formulate a SQL query to run an extended stored procedure to run the command to format drive of SQL server.


Popular posts from this blog

SQL Injection in search field

File Upload through Null Byte Injection