Oracle Consulting Oracle Training Oracle Support Development
Home
Catalog
Oracle Books
SQL Server Books
IT Books
Job Interview Books
eBooks
Rampant Horse Books
911 Series
Pedagogue Books

Oracle Software
image
Write for Rampant
Publish with Rampant
Rampant News
Rampant Authors
Rampant Staff
 Phone
 800-766-1884
Oracle News
Oracle Forum
Oracle Tips
Articles by our Authors
Press Releases
SQL Server Books
image
image

Oracle 11g Books

Oracle tuning

Oracle training

Oracle support

Remote Oracle

STATSPACK Viewer

Privacy Policy

 

   
  SQL Server Tips by Burleson

Script injection with MSDOS commands

Script injection is not restricted to SQL, JScript or VBScript, MSDOS commands can be injected in a string that is passed to a shell and execute with the current privileges.
The system XP xp_cmdshell is very dangerous and most users should have no privileges to use it at all. Even indirect use can be dangerous as the next example will prove.

CREATE PROCEDURE txtFileLog @data varchar(50)
--Log with the ECHO command
AS
DECLARE @contents varchar(2033)
SET @contents='ECHO '+@data+'>>\log.txt'
EXEC master..xp_cmdshell @contents, no_output


This will work fine when there are no spaces, tabs, >, <, | or & symbols.
For example:

EXEC txtFileLog 'line1'

Will add one line with the string line1. One way of storing spaces and all the other characters is to place double quotes around the input string. The line stored in the file will also have the double quotes though. This is not the best way to save text to a file but it is used widely.

The number 2033 is 2048-15, 15 is the number of characters of 'ECHO ' and '>>\log.txt'

2048 is the maximum length of a line in Windows Command prompt (or 8192 on Windows XP or later), otherwise the error "The input line is too long." is generated.

To execute any DOS command is a matter of placing it between two ampersands and a REM keyword at the end, to ignore the rest of the string:

EXEC txtFileLog 'abc&dir>\test.txt&rem '

The ampersands separate commands in MSDOS so that more than one command can run in one line of text. This example will create a file name test.txt in the root but more malevolent code could be there. For example, adding a new user:

net user hacker hpassword /add


The above book excerpt is from:

Super SQL Server Systems
Turbocharge Database Performance with C++ External Procedures

ISBN: 0-9761573-2-2
Joseph Gama, P. J. Naughter

 http://www.rampant-books.com/book_2005_2_sql_server_external_procedures.htm  

Linux Oracle commands syntax poster

ION Oracle tuning software

Oracle data dictionary reference poster



Oracle Forum

BC Oracle consulting support training

BC remote Oracle DBA   

 

   

 Copyright © 1996 -2016 by Burleson. All rights reserved.


Oracle® is the registered trademark of Oracle Corporation. SQL Server® is the registered trademark of Microsoft Corporation. 
Many of the designations used by computer vendors to distinguish their products are claimed as Trademarks
 

Hit Counter