Call now: (800) 766-1884  



 Home


 SQL Server Tips
 SQL Server Training

 SQL Server Consulting
 SQL Server Support
 SQL Server Remote DBA



 Articles
 Services
 SQL Server Scripts
 Scripts Menu



 

 

 

   
  SQL Server Tips by Gama and Naughter


 

Script injection with MSDOS commands

 

Script injection is not restricted to SQL, JScript or VBScript, MSDOS commands can be injected in a string that is passed to a shell and execute with the current privileges.

The system XP xp_cmdshell is very dangerous and most users should have no privileges to use it at all. Even indirect use can be dangerous as the next example will prove.

 

CREATE PROCEDURE txtFileLog @data varchar(50)

--Log with the ECHO command

AS

DECLARE @contents varchar(2033)

SET @contents='ECHO '+@data+'>>\log.txt'

EXEC master..xp_cmdshell @contents, no_output

 

This will work fine when there are no spaces, tabs, >, <, | or & symbols.

For example:

 

EXEC txtFileLog 'line1'

 

Will add one line with the string line1. One way of storing spaces and all the other characters is to place double quotes around the input string. The line stored in the file will also have the double quotes though. This is not the best way to save text to a file but it is used widely.

 

The number 2033 is 2048-15, 15 is the number of characters of 'ECHO ' and '>>\log.txt'

2048 is the maximum length of a line in Windows Command prompt (or 8192 on Windows XP or later), otherwise the error "The input line is too long." is generated.

 

To execute any DOS command is a matter of placing it between two ampersands and a REM keyword at the end, to ignore the rest of the string:

 

EXEC txtFileLog 'abc&dir>\test.txt&rem '

 

The ampersands separate commands in MSDOS so that more than one command can run in one line of text. This example will create a file name test.txt in the root but more malevolent code could be there. For example, adding a new user:

 

net user hacker hpassword /add

 


The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter

 http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm
 

 

Burleson Consulting Remote DB Administration


 

 


 

 

 

 

 
Burleson is the America's Team

Note: The pages on this site were created as a support and training reference for use by our staff of DBA consultants.  If you find it confusing, please exit this page.

Errata?  SQL Server technology is changing and we strive to update our SQL Server support information.  If you find an error or have a suggestion for improving our content, we would appreciate your feedback.  Just  e-mail:and include the URL for the page.
 


Burleson Consulting
SQL Server database support

 

Copyright 1996 -  2013 by Vaaltech Web Services. All rights reserved.

Hit Counter