One Article Review

Home - The article:
Source Code White
Identifier 351858
Publication date 2015-06-09 15:20:19 (seen: 2015-06-09 15:20:19)
Title Reading/Writing files with MSSQL's OPENROWSET
Text

Unfortunately, Microsoft SQL Server's SQL dialect, Transact-SQL, does not support reading and writing files as easily as MySQL's LOAD_FILE() function and INTO OUTFILE clause do. Of course, with xp_cmdshell enabled, you can read and write files using OS commands. However, one is not always blessed with the CONTROL SERVER permission, which is generally only granted with the sysadmin role. But if you happen to have the ADMINISTER BULK OPERATIONS permission (implied by the bulkadmin role), then OPENROWSET is a viable option for both reading and writing files.

Granted, using OPENROWSET for reading and writing files is nothing new. However, all examples for writing files that I have seen so far require access to remote OLE DB providers to be enabled, which is controlled by the "ad hoc distributed queries" configuration option and is disabled by default. Changing and reconfiguring any configuration option requires the ALTER SETTINGS permission (implied by the sysadmin and serveradmin roles), which is not always available. And, well, in the case of the sysadmin role, you could just as well use xp_cmdshell. So the technique for writing files demonstrated here is a little different, as it exploits a side effect of OPENROWSET that only requires the ADMINISTER BULK OPERATIONS permission. It also does not require any temporary table or the like; everything can be performed in a sub-query.

Checking Prerequisites

To look up whether the current user has the ADMINISTER BULK OPERATIONS permission, you can use the HAS_PERMS_BY_NAME() function: The result should be 1.

Reading Files

Reading a file is pretty straightforward. When OPENROWSET is referenced in the FROM clause, it allows reading from the given file through a built-in BULK provider and returns it as a rowset. The following SELECT reads the C:\Windows\win.ini file and returns a rowset of one single character LOB: This, of course, can also be used to leak hashes for pass-the-hash.

Writing Files

Writing to a file is a little more difficult. The common approach using OPENROWSET alone is calling an external OLE DB provider. But this generally requires ad hoc distributed queries to be enabled and has certain caveats, such as restriction to certain output formats depending on the selected OLE DB provider (e.g., CSV), prior existence of the output file, registration of linked servers, etc. However, there is a way of writing arbitrary data to an arbitrary file without any of these restrictions or prerequisites by exploiting a side effect of OPENROWSET. The feature being exploited is the error reporting feature. The reference states the purpose of the ERRORFILE argument as follows: ERRORFILE = 'file_name' Specifies the file used to collect rows that have formatting errors and cannot be converted to an OLE DB rowset. These rows are copied into this error
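The following T-SQL is an added audit example, not code from the Code White article: it runs the HAS_PERMS_BY_NAME() self-check the article mentions, then lists every login that holds ADMINISTER BULK OPERATIONS (explicitly or through bulkadmin), shows the related configuration options, and finishes with the win.ini read the article describes. It assumes a login that may read server metadata; the query text itself is standard SQL Server catalog access.

```sql
-- Added example (not from the article). Assumes a login allowed to read
-- server metadata (VIEW ANY DEFINITION, or sysadmin).

-- 1. Self-check from the article: 1 = current login can use OPENROWSET(BULK ...).
SELECT HAS_PERMS_BY_NAME(NULL, NULL, 'ADMINISTER BULK OPERATIONS') AS has_bulk_ops;

-- 2. Audit: every server principal that holds ADMINISTER BULK OPERATIONS,
--    either by explicit GRANT / GRANT WITH GRANT OPTION or via bulkadmin
--    membership (the role that implies it). Each row can read any file the
--    SQL Server service account can read, without xp_cmdshell or sysadmin.
SELECT p.name, p.type_desc, 'explicit grant' AS granted_via
FROM sys.server_permissions AS sp
JOIN sys.server_principals AS p ON p.principal_id = sp.grantee_principal_id
WHERE sp.permission_name = 'ADMINISTER BULK OPERATIONS'
  AND sp.state IN ('G', 'W')
UNION ALL
SELECT m.name, m.type_desc, 'member of bulkadmin'
FROM sys.server_role_members AS rm
JOIN sys.server_principals AS r ON r.principal_id = rm.role_principal_id
JOIN sys.server_principals AS m ON m.principal_id = rm.member_principal_id
WHERE r.name = 'bulkadmin';

-- 3. The two settings the article contrasts with: remote OLE DB providers
--    ('Ad Hoc Distributed Queries', 0 = disabled, the default) and xp_cmdshell.
SELECT name, CAST(value_in_use AS int) AS value_in_use
FROM sys.configurations
WHERE name IN ('Ad Hoc Distributed Queries', 'xp_cmdshell');

-- 4. The read the article describes: the whole file comes back as a single
--    character LOB in the BulkColumn column. Succeeds only for logins found
--    in step 2, so it doubles as a test of the audit result.
SELECT BulkColumn
FROM OPENROWSET(BULK 'C:\Windows\win.ini', SINGLE_CLOB) AS f;
```

Step 2 is the list to review and trim: bulkadmin is often granted to ETL service accounts for BULK INSERT and silently brings file read access with it.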
Sent Yes


The article does not appear to have been picked up again after its publication.


The article does not appear to have been taken from a previous one.