||SQL Server Tips by Burleson
Script injection with MSDOS commands
Script injection is not restricted to SQL, JScript or VBScript,
MSDOS commands can be injected in a string that is passed to a shell
and execute with the current privileges.
The system XP xp_cmdshell is very dangerous and most users should
have no privileges to use it at all. Even indirect use can be
dangerous as the next example will prove.
CREATE PROCEDURE txtFileLog @data
--Log with the ECHO command
DECLARE @contents varchar(2033)
SET @contents='ECHO '+@data+'>>\log.txt'
EXEC master..xp_cmdshell @contents, no_output
This will work fine when there are no spaces, tabs, >, <, | or &
EXEC txtFileLog 'line1'
Will add one line with the string line1. One way of storing spaces
and all the other characters is to place double quotes around the
input string. The line stored in the file will also have the double
quotes though. This is not the best way to save text to a file but
it is used widely.
The number 2033 is 2048-15, 15 is the number of characters of 'ECHO
' and '>>\log.txt'
2048 is the maximum length of a line in Windows Command prompt (or
8192 on Windows XP or later), otherwise the error "The input line is
too long." is generated.
To execute any DOS command is a matter of placing it between two
ampersands and a REM keyword at the end, to ignore the rest of the
EXEC txtFileLog 'abc&dir>\test.txt&rem
The ampersands separate commands in MSDOS so that more than one
command can run in one line of text. This example will create a file
name test.txt in the root but more malevolent code could be there.
For example, adding a new user:
net user hacker hpassword /add
The above book excerpt is from:
Turbocharge Database Performance with C++ External Procedures
Joseph Gama, P. J. Naughter