Microsoft SQL Server Reporting Services 2016 suffers from a remote code execution vulnerability.
93564e79a307b8bac5558370f2e6f6dbb0adb08abf21e7e8df7922faa0fca119
This Metasploit module exploits an SQL injection vulnerability in the MOVEit Transfer web application that allows an unauthenticated attacker to gain access to MOVEit Transfer's database. Depending on the database engine being used (MySQL, Microsoft SQL Server, or Azure SQL), an attacker can leverage an information leak to be able to upload a .NET deserialization payload.
b18ba528cf2f662442aa4037f5ec3d421c3b9cc9530694a34a9b358c25e66927
Microsoft SQL Server 2014, 2016, 2017, 2019, and 2022 appear to ignore audit rules for the sys.sysxlgns base table, allowing an attacker who already holds administrative permissions to extract password hashes without generating audit events. Microsoft told the researcher they are not willing to fix it but acknowledged it as a security problem.
220eab344c9585b4ceae5580fc752834a0002dfd5cc1a78c95445e4b2af32787
Microsoft SQL Server Management Studio versions 17.9 and 18.0 Preview 4 suffer from an XML external entity injection vulnerability in .xmla file handling.
c204b8390aa9f3b452e1248505da6264f3d2333ca13b0895970c7c2e82d93bf3
Microsoft SQL Server Management Studio versions 17.9 and 18.0 Preview 4 suffer from an XML external entity injection vulnerability in .xel file handling.
93aab3236ff7d54aeab41cf83d03f402cc82c23cf19f453cdd7db1821b733da2
Microsoft SQL Server Management Studio versions 17.9 and 18.0 Preview 4 suffer from an XML external entity injection vulnerability in .regsrvr file handling.
056dfb5ca8dca223e9be7f8bbb151f47aefc000fd84aac30d7381391c2ca68f2
This Metasploit module executes an arbitrary native payload on a Microsoft SQL Server by loading a custom SQL CLR assembly into the target SQL installation and calling it directly with a base64-encoded payload. The module requires working credentials in order to connect directly to the MSSQL Server. This method requires the user to have sufficient privileges to install a custom SQL CLR DLL and invoke the custom stored procedure that comes with it. This exploit does not leave any binaries on disk. Tested on MS SQL Server versions: 2005, 2012, 2016 (all x64).
fe2d879dbdd0c10aa7ac5b9f21f78eea25748d38856209e0eae44eec747be7d8
HP Security Bulletin HPSBHF03693 1 - A potential security vulnerability identified with Microsoft SQL Server has been addressed by HPE iMC PLAT network products. The vulnerability could be exploited remotely by an authenticated user resulting in elevation of privilege. Revision 1 of this advisory.
a0d63882ce25dc818063c38f1195d050d07c655ba273167fb6eb0fe40465556e
Mandriva Linux Security Advisory 2015-097 - XML eXternal Entity flaws were discovered in the Zend Framework. An attacker could use these flaws to cause a denial of service, access files accessible to the server process, or possibly perform other more advanced XML External Entity attacks. Using the Consumer component of Zend_OpenId, it is possible to log in using an arbitrary OpenID account (without knowing any secret information) by using a malicious OpenID Provider. That means it is possible to log in using an arbitrary OpenID Identity (MyOpenID, Google, etc.) that is not under the control of the attacker's own OpenID Provider, and thus to impersonate any OpenID Identity against the framework. The implementation of the ORDER BY SQL statement in Zend_Db_Select of Zend Framework 1 contains a potential SQL injection when the query string passed contains parentheses. Due to a bug in PHP's LDAP extension, when Zend Framework's Zend_Ldap class is used for logins, an attacker can log in as any user by using a null byte to bypass the empty password check and perform an unauthenticated LDAP bind. The sqlsrv PHP extension, which provides the ability to connect to Microsoft SQL Server from PHP, does not provide a built-in quoting mechanism for manually quoting values to pass via SQL queries; developers are encouraged to use prepared statements. Zend Framework provides quoting mechanisms via Zend_Db_Adapter_Sqlsrv, which uses the recommended doubled single quote as the quoting delimiter. SQL Server treats null bytes in a query as a string terminator, allowing an attacker to add arbitrary SQL following a null byte and thus create a SQL injection.
dbd355d47d2272372963e41921faec57d94a89afaed8462832c6a5dd1b7b545c
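The quoting weakness the Zend advisory above describes, as an added Python example that is not part of the advisory or of Zend Framework: a quoter that only doubles single quotes, beside a hardened one that refuses NUL bytes, plus a request-log triage helper. Function and parameter names are assumptions. The block models only the application's quoting layer, does not reproduce SQL Server's own parsing, and never connects to a database; rejecting rather than silently stripping the NUL is a deliberate choice so the attempt is visible.

```python
# Added example: doubled-single-quote quoting cannot neutralise NUL bytes.
# Names (quote_doubling_only, quote_hardened, nul_byte_findings) are assumptions.

def quote_doubling_only(value):
    """Manual quoting of the kind the advisory describes for the sqlsrv
    adapter: wrap in single quotes and double embedded single quotes.
    Nothing else in the value is touched, so a NUL byte passes straight
    through into the statement text."""
    return "'" + value.replace("'", "''") + "'"


def contains_nul(value):
    return "\x00" in value


def quote_hardened(value):
    """Same quoting, but a NUL can never belong in a T-SQL string literal
    built this way, so refuse the value instead of letting the database
    truncate the statement at it. Prepared statements remain the correct
    primary defence; this is the fallback for code that must build text."""
    if contains_nul(value):
        raise ValueError("NUL byte in value destined for a SQL string literal")
    return quote_doubling_only(value)


def build_lookup(username, quoter):
    """Statement text as the application would assemble it."""
    return "SELECT id FROM users WHERE name = " + quoter(username)


def nul_byte_findings(params):
    """Log/WAF-style triage over one request's parameters (a constructed
    dict here): report each parameter carrying a NUL together with the text
    that follows the NUL, which is the part an attacker wants executed."""
    findings = []
    for name, value in params.items():
        if contains_nul(value):
            findings.append((name, value.split("\x00", 1)[1]))
    return findings


if __name__ == "__main__":
    # Constructed attacker input: benign prefix, NUL, then SQL.
    hostile = "bob\x00' OR 1=1--"
    print(repr(build_lookup(hostile, quote_doubling_only)))  # NUL survives
    print(nul_byte_findings({"user": hostile, "page": "1"}))
    try:
        build_lookup(hostile, quote_hardened)
    except ValueError as exc:
        print("rejected:", exc)
```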
Whitepaper discussing penetration and security testing against Microsoft SQL Server. Written in Turkish.
dc6404d93aa87f8467a2c37aca466c0c947bae3530334eb4dd8b112aa3850d18
JBrute is a password cracking tool written in Java that uses both brute force and dictionary attack methodologies with a built-in rule pre-processor similar to John the Ripper. It supports several standard algorithms and several algorithms from proprietary applications (like Microsoft SQL Server, Oracle, SYBASE, and so on).
97a6de3d654342c1092d53943b4acc64c262839086964d58080659cf9b8a5fc2
JBrute is a password cracking tool written in Java that uses both brute force and dictionary attack methodologies with a built-in rule pre-processor similar to John the Ripper. It supports several standard algorithms and several algorithms from proprietary applications (like Microsoft SQL Server, Oracle, SYBASE, and so on).
b6c69e1f756b77729e18afd6c66c9ca1c8854466b8b9630deded0f3187f6bc73
JBrute is a password cracking tool written in Java that uses both brute force and dictionary attack methodologies with a built-in rule pre-processor similar to John the Ripper. It supports several standard algorithms and several algorithms from proprietary applications (like Microsoft SQL Server, Oracle, SYBASE, and so on).
194b487b994980460a0572ffbf79c63a2032608cb60242ec4061d6b8b8c6b720
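What a cracker such as JBrute has to compute for the Microsoft SQL Server algorithm it supports, as an added Python example rather than JBrute's own code: the three hash layouts (SQL Server 2000; 2005 through 2008 R2; 2012 onward), a verifier that identifies the layout from the header and length, and a small rule pre-processor driving a dictionary attack. The salt, wordlist and function names are constructed for the example; the hash layouts themselves are the documented formats.

```python
# Added example: SQL Server login hash formats and a rule-driven dictionary
# attack. All names are assumptions; the salt and wordlist are constructed.
import hashlib

# Layouts (salt is always 4 bytes, header is the version marker):
#   2000:         0x0100 | salt | SHA1(UTF-16LE(pw)+salt) | SHA1(UTF-16LE(upper(pw))+salt)  46 B
#   2005-2008 R2: 0x0100 | salt | SHA1(UTF-16LE(pw)+salt)                                   26 B
#   2012+:        0x0200 | salt | SHA512(UTF-16LE(pw)+salt)                                  70 B


def hash_2000(password, salt):
    pw = password.encode("utf-16-le")
    up = password.upper().encode("utf-16-le")
    return (b"\x01\x00" + salt + hashlib.sha1(pw + salt).digest()
            + hashlib.sha1(up + salt).digest())


def hash_2005(password, salt):
    return b"\x01\x00" + salt + hashlib.sha1(password.encode("utf-16-le") + salt).digest()


def hash_2012(password, salt):
    return b"\x02\x00" + salt + hashlib.sha512(password.encode("utf-16-le") + salt).digest()


def identify(stored):
    """Pick the layout from header and length; raise on anything else."""
    header, n = stored[:2], len(stored)
    if header == b"\x01\x00" and n == 46:
        return "2000"
    if header == b"\x01\x00" and n == 26:
        return "2005"
    if header == b"\x02\x00" and n == 70:
        return "2012"
    raise ValueError("unrecognised SQL Server hash (header %r, %d bytes)" % (header, n))


def verify(candidate, stored):
    kind, salt = identify(stored), stored[2:6]
    fn = {"2000": hash_2000, "2005": hash_2005, "2012": hash_2012}[kind]
    return fn(candidate, salt) == stored


def verify_2000_case_insensitive(candidate, stored):
    """SQL Server 2000 also stored a digest of the upper-cased password, so a
    cracker only needs to try upper-cased candidates against bytes 26..46;
    the real casing is recovered afterwards against the first digest."""
    if identify(stored) != "2000":
        return False
    salt = stored[2:6]
    up = candidate.upper().encode("utf-16-le")
    return hashlib.sha1(up + salt).digest() == stored[26:46]


def apply_rules(word):
    """Tiny rule pre-processor in the John the Ripper spirit: case variants,
    appended digit, appended '!'. Order is deterministic and duplicates dropped."""
    out, seen = [], set()
    for base in (word, word.capitalize(), word.upper()):
        for cand in [base] + [base + str(d) for d in range(10)] + [base + "!"]:
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


def dictionary_attack(stored, wordlist):
    """Return the first candidate that verifies, or None."""
    check = verify_2000_case_insensitive if identify(stored) == "2000" else verify
    for word in wordlist:
        for cand in apply_rules(word):
            if check(cand, stored):
                return cand
    return None


def parse_hash(hex_text):
    """Accept the 0x... form returned by SELECT password_hash FROM sys.sql_logins."""
    hex_text = hex_text.strip()
    if hex_text[:2].lower() == "0x":
        hex_text = hex_text[2:]
    return bytes.fromhex(hex_text)


if __name__ == "__main__":
    salt = bytes.fromhex("4f2a9c11")  # constructed; real salts are random
    stored = hash_2005("Winter7", salt)
    print("0x" + stored.hex(), "->", dictionary_attack(stored, ["summer", "winter"]))
```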
The Exploit Next Generation® SQL Fingerprint tool uses a combination of crafted packets for SQL Server Resolution Protocol (SSRP) and Tabular Data Stream Protocol (TDS) (protocols natively used by Microsoft SQL Server) to accurately perform version fingerprinting and determine the exact Microsoft SQL Server version.
a9da9389d828f4a7b3af5d779e87fb3ae513be7cc7645331252f6b8c668f4c79
Secunia Security Advisory - A vulnerability has been reported in Microsoft SQL Server, which can be exploited by malicious people to conduct cross-site scripting attacks.
8de7310bb76d2f53edb14cd0bfb39a0dc861ab05d99e67e76202c7cfedea223c
Team SHATTER Security Advisory - Microsoft SQL Server versions 2005, 2008, and 2008 R2 suffer from a SQL injection vulnerability in the RESTORE DATABASE command that can lead to privilege escalation.
b64d5300f1a7ad77731e4342eabd0820c75171ca63e4b9ccb158653ee331263e
Technical Cyber Security Alert 2012-101A - There are multiple vulnerabilities in Microsoft Windows, Internet Explorer, Microsoft .NET Framework, Microsoft Office, Microsoft Server Software, Microsoft SQL Server, Microsoft Developer Tools, and Microsoft Forefront Unified Access Gateway. Microsoft has released updates to address these vulnerabilities.
2151cce31ecc67c5f890478458d9f102d21fc5c5acf8bed6a032535dcfa65a58
The Exploit Next Generation® SQL Fingerprint tool uses well-known techniques based on several public tools capable of identifying the Microsoft SQL Server version (such as SQLping and SQLver), but, instead of showing only the "raw version" (e.g., Microsoft SQL Version 10.00.2746), the Exploit Next Generation® SQL Fingerprint shows the mapped Microsoft SQL Server version (e.g., Microsoft SQL 2008 SP1 (CU5)).
bf4a7c2d83f70c89142fb442c4c5a64539b4f8b6d26e806e53e2c6a7329d4ac4
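The SSRP side of the fingerprinting that both SQL Fingerprint entries above describe, as an added Python example (not the Exploit Next Generation tool's code): it builds the MC-SQLR request datagrams, parses the SVR_RESP reply that the SQL Browser sends from UDP/1434, and maps the raw build to a product level, using the page's own 10.00.2746 = 2008 SP1 (CU5) mapping plus a handful of RTM/SP baselines. SAMPLE_RESPONSE is a constructed reply, the mapping table is a starting point to be extended from Microsoft's published build list, and the TDS side the tool uses to confirm the version is not implemented here.

```python
# Added example: SSRP (MC-SQLR) request building, reply parsing and build
# mapping. KNOWN_BUILDS/FAMILIES are a starting table, SAMPLE_RESPONSE is
# constructed, and all function names are assumptions.
import socket
import struct

# MC-SQLR message types
CLNT_BCAST_EX = b"\x02"    # broadcast: every instance on the subnet replies
CLNT_UCAST_EX = b"\x03"    # unicast: every instance on one host replies
CLNT_UCAST_INST = b"\x04"  # unicast: one named instance replies
SVR_RESP = 0x05

# Exact (major, minor, build) -> product level. First entry is the page's own
# worked mapping; the rest are RTM/SP baselines. Extend from Microsoft's list.
KNOWN_BUILDS = {
    (10, 0, 2746): "SQL Server 2008 SP1 (CU5)",
    (8, 0, 194): "SQL Server 2000 RTM",
    (8, 0, 760): "SQL Server 2000 SP3",
    (9, 0, 1399): "SQL Server 2005 RTM",
    (9, 0, 4035): "SQL Server 2005 SP3",
    (10, 0, 1600): "SQL Server 2008 RTM",
    (10, 0, 2531): "SQL Server 2008 SP1",
    (10, 50, 1600): "SQL Server 2008 R2 RTM",
}
# (major, minor) -> product family, used when the exact build is not listed.
FAMILIES = {(8, 0): "2000", (9, 0): "2005", (10, 0): "2008", (10, 50): "2008 R2",
            (11, 0): "2012", (12, 0): "2014", (13, 0): "2016", (14, 0): "2017",
            (15, 0): "2019", (16, 0): "2022"}


def build_request(instance=None):
    """CLNT_UCAST_INST for a named instance, otherwise CLNT_UCAST_EX."""
    if instance is None:
        return CLNT_UCAST_EX
    return CLNT_UCAST_INST + instance.encode("ascii") + b"\x00"


def parse_svr_resp(datagram):
    """SVR_RESP: 0x05, little-endian 16-bit RESP_SIZE, then RESP_DATA made of
    ';'-separated key/value pairs, one record per instance, each ending ';;'."""
    if len(datagram) < 3 or datagram[0] != SVR_RESP:
        raise ValueError("not an SSRP SVR_RESP datagram")
    (size,) = struct.unpack_from("<H", datagram, 1)
    if size > len(datagram) - 3:
        raise ValueError("RESP_SIZE exceeds datagram length")
    body = datagram[3:3 + size].decode("ascii", errors="replace")
    instances = []
    for record in body.split(";;"):
        if not record:
            continue
        fields = record.split(";")
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def parse_build(version):
    parts = [int(p) for p in version.split(".")[:3]]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def map_version(version):
    key = parse_build(version)
    if key in KNOWN_BUILDS:
        return KNOWN_BUILDS[key]
    family = FAMILIES.get(key[:2])
    if family is None:
        return "unknown product (build %s)" % version
    return "SQL Server %s (build %s, level not in table)" % (family, version)


def fingerprint(datagram):
    out = []
    for inst in parse_svr_resp(datagram):
        raw = inst.get("Version", "0")
        out.append({"instance": inst.get("InstanceName"), "tcp": inst.get("tcp"),
                    "raw_version": raw, "mapped": map_version(raw)})
    return out


def query_ssrp(host, instance=None, timeout=2.0):
    """Live probe of UDP/1434; not exercised offline. Browser may be stopped
    or the instance hidden, in which case nothing comes back before timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(instance), (host, 1434))
        data, _ = sock.recvfrom(65535)
    return fingerprint(data)


def _sample():
    # Constructed two-instance reply in the documented RESP_DATA layout.
    body = (b"ServerName;SRV1;InstanceName;MSSQLSERVER;IsClustered;No;"
            b"Version;10.0.2746.0;tcp;1433;;"
            b"ServerName;SRV1;InstanceName;SQLEXPRESS;IsClustered;No;"
            b"Version;10.50.1600.1;tcp;49172;np;\\\\SRV1\\pipe\\MSSQL$SQLEXPRESS\\sql\\query;;")
    return b"\x05" + struct.pack("<H", len(body)) + body


SAMPLE_RESPONSE = _sample()

if __name__ == "__main__":
    for entry in fingerprint(SAMPLE_RESPONSE):
        print(entry)
```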
This Metasploit module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified, this module uses xp_cmdshell to upload and execute Metasploit payloads. The exact point in the request where the SQL injection happens must be specified.
5c71a8e0d959c8b1f43ce27c1cfb87641e1abf71b42047e2636fd0256601f31a
This Metasploit module exploits a heap-based buffer overflow that can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure; the exploit works by smashing several pointers. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. Microsoft patched this vulnerability in SP3 for SQL Server 2005 without any public mention.
22edb58a5f3eb94beb9d96ca4c1c67aaf6a45c0df8336fcfd1b91c3de3a418ba
Microsoft SQL Server supports so-called CLR Stored Procedures, which are written in a .NET language and run directly inside MS SQL Server. If a hijacked account has appropriate permissions, it can be used to run a native payload (inject native code into a new thread) or to tunnel a TCP connection or a shell via the SQL port (needed if the database server is properly firewalled). They can also be combined to tunnel a reverse_tcp payload. Additional permissions, like xp_cmdshell, are not required. This file is a proof of concept that demonstrates this ability.
b402c616b5be94e40d281a86dd3349dc0c78b5d4578e9d551c39743f9a054e27
sqlninja is a small tool to exploit SQL injection vulnerabilities on a web application that uses Microsoft SQL Server as its back-end. Its main goal is to provide a remote shell on the vulnerable database server, even in a very hostile environment. It should be used by penetration testers to help and automate the process of taking over a database Server when a SQL injection vulnerability has been discovered. It is written in perl and runs on Unix-like boxes.
8646406446808a3bf250d6247fa27345d4552b9e67a4c5257c33719a579ff644
A heap-based buffer overflow can occur when calling the undocumented "sp_replwritetovarbin" extended stored procedure. This vulnerability affects all versions of Microsoft SQL Server 2000 and 2005, Windows Internal Database, and Microsoft Desktop Engine (MSDE) without the updates supplied in MS09-004. This exploit smashes several pointers, as shown below.
1. A pointer to a 32-bit value that is set to 0.
2. A pointer to a 32-bit value that is set to a length influenced by the buffer length.
3. A pointer to a 32-bit value that is used as a vtable pointer. In MSSQL 2000, this value is referenced with a displacement of 0x38. For MSSQL 2005, the displacement is 0x10. The address of our buffer is conveniently stored in ecx when this instruction is executed.
4. On MSSQL 2005, an additional vtable pointer is smashed, which is referenced with a displacement of 4. This pointer is not used by this exploit.
There are two different methods used by this exploit, which have been named "writeNcall" and "sprayNbrute". The first, "writeNcall", was published by k'sOSe on Dec 17 2008. It uses pointers 2 and 3, as well as a writeable address. This method is quite reliable. However, it relies on the operation on pointer 2. Newer versions of SQL Server (>= 2000 SP3 at least) use a length value that is 8-byte aligned. This imposes a restriction that the code address that leads to the payload (jmp ecx in this case) must match the regex '.[08].[08].[08].[08]'. Unfortunately, no such addresses were found in memory. For this reason, the second method, "sprayNbrute", is used. First a heap spray is used to prime memory with many copies of the address of the code that leads to the payload (jmp ecx). Next, brute force is used to guess a value for pointer 3 that points to the sprayed data. A new method of spraying the heap inside MSSQL is presented. Sadly, it only allows the creation of a number of 8000-byte buffers.
132206feb12275d819fe75a51931368d87b85cda3a85d8d40fc77ff46d0342f7
This Metasploit module will execute an arbitrary payload on a Microsoft SQL Server, using the Windows debug.com method for writing an executable to disk and the xp_cmdshell stored procedure. File size restrictions are avoided by incorporating the debug bypass method presented at Defcon 17 by SecureState. Note that this module will leave a metasploit payload in the Windows System32 directory which must be manually deleted once the attack is completed.
08dfa1b6b11d0fd3513417baa7f7f3bdc147dd9a8593be9c3fe0d2e365f87d4d
This Metasploit module exploits a vulnerability in the CA BrightStor Agent for Microsoft SQL Server. This vulnerability was discovered by cybertronic@gmx.net.
6f3148ca8e6cb75aae2d712af549181db84899e56e0083e09541baaa2a3caca6
Microsoft SQL Server sp_replwritetovarbin() heap overflow exploit.
28a439a9bf990920d808800ac456a93ba53897c6f21b770e60a097fef76fcb98