CVE-2000-0402 - Unspecified vulnerability in Microsoft SQL Server 7.0
Metric | Value |
---|---|
Attack vector | LOCAL |
Attack complexity | LOW |
Privileges required | NONE |
Confidentiality impact | PARTIAL |
Integrity impact | NONE |
Availability impact | NONE |
Summary
The Mixed Mode authentication capability in Microsoft SQL Server 7.0 stores the System Administrator (sa) account password in plaintext in a log file which is readable by any user, aka the "SQL Server 7.0 Service Pack Password" vulnerability.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | | 3 |
Exploit-Db
Field | Value |
---|---|
description | Microsoft SQL Server Payload Execution via SQL injection. CVE-2000-0402, CVE-2000-1209. Remote exploit for windows platform |
id | EDB-ID:16394 |
last seen | 2016-02-01 |
modified | 2011-02-08 |
published | 2011-02-08 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16394/ |
title | Microsoft SQL Server Payload Execution via SQL injection |

Field | Value |
---|---|
description | Microsoft SQL Server Payload Execution. CVE-2000-0402, CVE-2000-1209. Remote exploit for windows platform |
id | EDB-ID:16395 |
last seen | 2016-02-01 |
modified | 2010-12-21 |
published | 2010-12-21 |
reporter | metasploit |
source | https://www.exploit-db.com/download/16395/ |
title | Microsoft SQL Server Payload Execution |
Metasploit
Field | Value |
---|---|
description | This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished. |
id | MSF:EXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOAD |
last seen | 2020-05-22 |
modified | 2017-09-14 |
published | 2010-07-03 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/mssql_payload.rb |
title | Microsoft SQL Server Payload Execution |

Field | Value |
---|---|
description | This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar In regard to the payload, unless there is a closed port in the web server, you don't want to use any "bind" payload, especially on port 80, as you will stop reaching the vulnerable web server host. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. For privileged ports execute Metasploit msfconsole as root. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished. |
id | MSF:EXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOAD_SQLI |
last seen | 2020-01-10 |
modified | 2017-09-14 |
published | 2011-01-27 |
references | |
reporter | Rapid7 |
source | https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/mssql_payload_sqli.rb |
title | Microsoft SQL Server Payload Execution via SQL Injection |
Nessus
Field | Value |
---|---|
NASL family | Windows : Microsoft Bulletins |
NASL id | SMB_NT_MS00-035.NASL |
description | The installation process of the remote MS SQL server left a file named |
last seen | 2020-06-01 |
modified | 2020-06-02 |
plugin id | 11330 |
published | 2003-03-09 |
reporter | This script is Copyright (C) 2003-2018 Tenable Network Security, Inc. |
source | https://www.tenable.com/plugins/nessus/11330 |
title | MS00-035: MS SQL7.0 Service Pack may leave passwords on system (263968) |
Packetstorm
Field | Value |
---|---|
data source | https://packetstormsecurity.com/files/download/82979/mssql_payload.rb.txt |
id | PACKETSTORM:82979 |
last seen | 2016-12-05 |
published | 2009-11-26 |
reporter | David Kennedy |
source | https://packetstormsecurity.com/files/82979/Microsoft-SQL-Server-Payload-Execution.html |
title | Microsoft SQL Server Payload Execution |

Field | Value |
---|---|
data source | https://packetstormsecurity.com/files/download/97992/mssql_payload_sqli.rb.txt |
id | PACKETSTORM:97992 |
last seen | 2016-12-05 |
published | 2011-01-29 |
reporter | Rodrigo Marcos |
source | https://packetstormsecurity.com/files/97992/Microsoft-SQL-Server-Payload-Execution-via-SQL-injection.html |
title | Microsoft SQL Server Payload Execution via SQL injection |
Seebug
Field | Value |
---|---|
bulletinFamily | exploit |
description | No description provided by source. |
id | SSV:75516 |
last seen | 2017-11-19 |
modified | 2014-07-01 |
published | 2014-07-01 |
reporter | Root |
source | https://www.seebug.org/vuldb/ssvid-75516 |
title | Microsoft SQL Server 2000 User Authentication Remote Buffer Overflow Vulnerability |