CVE-2000-1209

CVSS: 0.0 - NONE
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN

Tags: compaq, microsoft, nessus, exploit available, metasploit

Summary

The "sa" account is installed with a default null password on (1) Microsoft SQL Server 2000, (2) SQL Server 7.0, and (3) Data Engine (MSDE) 1.0, including third-party packages that use these products such as (4) Tumbleweed Secure Mail (MMS), (5) Compaq Insight Manager, and (6) Visio 2000, which allows remote attackers to gain privileges, as exploited by worms such as Voyager Alpha Force and Spida.

Exploit-Db

  • description: Microsoft SQL Server Payload Execution via SQL injection. CVE-2000-0402, CVE-2000-1209. Remote exploit for Windows platform
    id: EDB-ID:16394
    last seen: 2016-02-01
    modified: 2011-02-08
    published: 2011-02-08
    reporter: metasploit
    source: https://www.exploit-db.com/download/16394/
    title: Microsoft SQL Server Payload Execution via SQL injection
  • description: Microsoft SQL Server Payload Execution. CVE-2000-0402, CVE-2000-1209. Remote exploit for Windows platform
    id: EDB-ID:16395
    last seen: 2016-02-01
    modified: 2010-12-21
    published: 2010-12-21
    reporter: metasploit
    source: https://www.exploit-db.com/download/16395/
    title: Microsoft SQL Server Payload Execution

Metasploit

  • description: This module executes an arbitrary payload on a Microsoft SQL Server by using the "xp_cmdshell" stored procedure. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
    id: MSF:EXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOAD
    last seen: 2020-05-22
    modified: 2017-09-14
    published: 2010-07-03
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/mssql_payload.rb
    title: Microsoft SQL Server Payload Execution
  • description: This module will execute an arbitrary payload on a Microsoft SQL Server, using a SQL injection vulnerability. Once a vulnerability is identified this module will use xp_cmdshell to upload and execute Metasploit payloads. It is necessary to specify the exact point where the SQL injection vulnerability happens. For example, given the following injection: http://www.example.com/show.asp?id=1;exec xp_cmdshell 'dir';--&cat=electrical, you would need to set the following path: set GET_PATH /showproduct.asp?id=1;[SQLi];--&cat=foobar. In regard to the payload, unless there is a closed port in the web server, you don't want to use any "bind" payload, especially on port 80, as you will stop reaching the vulnerable web server host. You want a "reverse" payload, probably to your port 80 or to any other outbound port allowed on the firewall. For privileged ports execute Metasploit msfconsole as root. Currently, three delivery methods are supported. First, the original method uses Windows 'debug.com'. File size restrictions are avoided by incorporating the debug bypass method presented by SecureStat at Defcon 17. Since this method invokes ntvdm, it is not available on x64 systems. A second method takes advantage of the Command Stager subsystem. This allows using various techniques, such as using a TFTP server, to send the executable. By default the Command Stager uses 'wscript.exe' to generate the executable on the target. Finally, ReL1K's latest method utilizes PowerShell to transmit and recreate the payload on the target. NOTE: This module will leave a payload executable on the target system when the attack is finished.
    id: MSF:EXPLOIT/WINDOWS/MSSQL/MSSQL_PAYLOAD_SQLI
    last seen: 2020-01-10
    modified: 2017-09-14
    published: 2011-01-27
    reporter: Rapid7
    source: https://github.com/rapid7/metasploit-framework/blob/master//modules/exploits/windows/mssql/mssql_payload_sqli.rb
    title: Microsoft SQL Server Payload Execution via SQL Injection

Nessus

NASL family: Databases
NASL id: MSSQL_BLANK_PASSWORD.NASL
description: The remote instance of MS SQL / SQL Server has the default 'sa' account enabled without any password.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 10673
published: 2001-05-25
reporter: This script is Copyright (C) 2001-2018 H D Moore
source: https://www.tenable.com/plugins/nessus/10673
title: Microsoft SQL Server sa Account Default Blank Password
code:
##
#
# this script attempts to log in to a SQL server using the 
# "sa" account with a blank password.
#
##

# Changes by Tenable:
# - Revised plugin title (6/8/09)
# - Match NVD score for CVE, replace string() calls (9/14/18)


include("compat.inc");

if(description)
{
 script_id(10673);
 script_version("1.41");
 script_cvs_date("Date: 2018/09/17 21:46:53");

 script_cve_id("CVE-2000-1209");
 script_bugtraq_id(4797);

 script_name(english:"Microsoft SQL Server sa Account Default Blank Password");
 script_summary(english:"Microsoft's SQL Blank Password");
 
 script_set_attribute(attribute:"synopsis", value:
"The remote database service has an account with a blank password." );
 script_set_attribute(attribute:"description", value:
"The remote instance of MS SQL / SQL Server has the default 'sa'
account enabled without any password. 

An attacker may leverage this flaw to execute commands against the
remote host, as well as read the content of any databases it might
have." );
 script_set_attribute(attribute:"solution", value:
"Disable the 'sa' account or set a password for it.  

In addition, filter incoming TCP traffic to this port. 

For MSDE (OEM versions without MSSQL console) : 

 C:\MSSQL7\BINN\osql -U sa

 At the Password: prompt press <Enter>.

 Type the following, replacing 'password' with the password you wish to
 assign, in single quotes:

 EXEC sp_password NULL, 'password', 'sa'
 go
 exit" );
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
 script_set_cvss_temporal_vector("CVSS2#E:F/RL:OF/RC:C");
 script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H");
 script_set_cvss3_temporal_vector("CVSS:3.0/E:F/RL:O/RC:C");
 script_set_attribute(attribute:"cvss_score_source", value:"CVE-2000-1209");
 script_set_attribute(attribute:"exploitability_ease", value:"No exploit is required");
 script_set_attribute(attribute:"exploit_available", value:"false");
 script_set_attribute(attribute:"metasploit_name", value:'Microsoft SQL Server Payload Execution via SQL Injection');
 script_set_attribute(attribute:"exploit_framework_metasploit", value:"true");
 script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
 script_set_attribute(attribute:"canvas_package", value:'CANVAS');
 script_set_attribute(attribute:"plugin_publication_date", value: "2001/05/25");
 script_set_attribute(attribute:"vuln_publication_date", value: "2000/07/11");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:sql_server");
 script_end_attributes();
 
 script_category(ACT_ATTACK);
 script_copyright(english:"This script is Copyright (C) 2001-2018 H D Moore");
 script_family(english:"Databases");
 script_require_ports("Services/mssql", 1433); 
 script_dependencies("mssqlserver_detect.nasl", "sybase_detect.nasl");
 script_exclude_keys("global_settings/supplied_logins_only");
 exit(0);
}

#
# The script code starts here
#
include("global_settings.inc");
include("misc_func.inc");

# First fragment of the TDS 4.2 LOGIN record: the 8-byte TDS header
# (type 0x02 = login, status 0x00 = more fragments follow, length
# 0x0200 = 512 bytes, big-endian) followed by the empty 30-byte client
# hostname field and its 1-byte length.
pkt_hdr = raw_string(
    0x02, 0x00, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
);


# Fixed middle section of the login record: host process id ("000000a0"),
# connection option bytes, and the application name "squelda 1.0"
# (0x73 0x71 0x75 ...), NUL-padded to its field width.
pkt_pt2 = raw_string (
    0x30, 0x30, 0x30, 0x30, 0x30, 0x30, 0x61, 0x30, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x20, 0x18, 0x81, 0xb8, 0x2c, 0x08, 0x03,
    0x01, 0x06, 0x0a, 0x09, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x73, 0x71, 0x75, 0x65, 0x6c, 0x64, 0x61,
    0x20, 0x31, 0x2e, 0x30, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x0b, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00
);

# Remaining login fields, mostly NUL padding, ending with the client
# library name "MSDBLIB" (0x4d 0x53 0x44 0x42 0x4c 0x49 0x42) and
# version bytes.  pkt_hdr + both credential fields + pkt_pt2 + pkt_pt3
# add up to the 512 bytes announced in the header.
pkt_pt3 = raw_string (
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x04, 0x02, 0x00, 0x00, 0x4d, 0x53, 0x44,
    0x42, 0x4c, 0x49, 0x42, 0x00, 0x00, 0x00, 0x07, 0x06, 0x00, 0x00,
    0x00, 0x00, 0x0d, 0x11, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00
);

# Final fragment of the login message (type 0x02, status 0x01 = end of
# message, length 0x0047 = 71 bytes) carrying the trailing login fields.
pkt_lang = raw_string(
    0x02, 0x01, 0x00, 0x47, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x30, 0x30, 0x00, 0x00,
    0x00, 0x03, 0x00, 0x00, 0x00
);

# Build the 512-byte TDS 4.2 login record for the given credentials.
# Username and password are each a 30-byte NUL-padded field followed by a
# 1-byte length; the password is repeated in a second field later in the
# record (pkt_pt2 is followed by pblen + pbuf again).
function make_sql_login_pkt (username, password)
{
    local_var nul, pblen, pbuf, plen, ppad, sql_packet, ublen, ubuf, ulen, upad;

    ulen = strlen(username);
    plen = strlen(password);
    
    # NUL padding required to fill each 30-byte field
    upad = 30 - ulen;
    ppad = 30 - plen;
    
    ubuf = "";
    pbuf = "";
    
    nul = raw_string(0x00);
    
    # 1-byte field lengths (0x00 for an empty field, e.g. a blank password)
    if(ulen)
    {
        ublen = raw_string(ulen % 255);
    } else {
        ublen = raw_string(0x00);
    }
    
    if(plen)
    {
        pblen = raw_string(plen % 255);
    } else {
        pblen = raw_string(0x00);
    }  

    ubuf = username + crap(data:nul, length:upad);
    pbuf = password + crap(data:nul, length:ppad);

    sql_packet = pkt_hdr + ubuf + ublen + pbuf + pblen + pkt_pt2 + pblen + pbuf + pkt_pt3;

    # returning this as a string is NOT working!
    return sql_packet;
}


# Locate the SQL Server (or Sybase) service; fall back to the default port 1433
port = get_kb_item("Services/mssql");
if (!port) port = get_kb_item("Services/sybase");
if (!port)
{
  port = 1433;
  if (!service_is_unknown(port:port)) exit(0, "The service is already known on port "+port+".");
}
if (!get_tcp_port_state(port)) exit(0, "Port "+port+" is not open.");

if (supplied_logins_only) exit(0, "Nessus is currently configured to not log in with user accounts not specified in the scan policy.");

found = 0;


soc = open_sock_tcp(port);
if (!soc) exit(1, "Can't open socket on port "+port+".");

# Build the login record for 'sa' with an empty password and send both
# fragments of the login message.
sql_packet = make_sql_login_pkt(username:"sa", password:"");

send(socket:soc, data:sql_packet);
send(socket:soc, data:pkt_lang);

r  = recv(socket:soc, length:255);
close(soc);

# A successful login reply starts with an ENVCHANGE token (0xE3) right
# after the 8-byte TDS header; a rejected login returns an ERROR token
# (0xAA) at that offset instead.
if (
  strlen(r) > 10 &&
  ord(r[8]) == 0xE3
)
{
  # Can we differentiate between mssql and sybase?
  # if (service_is_unknown(port:port)) register_service(port:port, proto:"mssql");

  security_hole(port);
  set_kb_item(name: 'MSSQL/blank_password/'+port, value: TRUE);

  exit(0);
}
else exit(0, "The SQL Server instance listening on port "+port+" is not affected.");

Packetstorm

data source: https://packetstormsecurity.com/files/download/97992/mssql_payload_sqli.rb.txt
id: PACKETSTORM:97992
last seen: 2016-12-05
published: 2011-01-29
reporter: Rodrigo Marcos
source: https://packetstormsecurity.com/files/97992/Microsoft-SQL-Server-Payload-Execution-via-SQL-injection.html
title: Microsoft SQL Server Payload Execution via SQL injection